How WebLogic Portal Uses the WebLogic Server Security Framework

When you build portal applications, you secure them using authentication (Who are you?) and authorization (What can you access?).
Authentication - WebLogic Portal uses WebLogic Server for login authentication, whether you are using only WebLogic Server's default LDAP user store, one or more external authentication providers configured for use with WebLogic Server, or both. The WebLogic Portal user and group management framework communicates with multiple authentication providers through WebLogic Server for basic user and group operations.
See: Using Multiple Authentication Providers in Portal Development | Implementing Authentication
Authorization - WebLogic Portal has its own authorization framework that lets you define roles for who can access which portal resources. You can define delegated administration roles for your portal administrators, and you can define entitlement roles for visitors to your portals. When a portal administrator logs in to the WebLogic Administration portal, the administrator sees only the areas he can administer. When a visitor logs in to a portal, the visitor sees only the books, pages, and portlets to which he is entitled.
See: Delegated Administration Overview | Overview of Visitor Entitlements
The following illustration shows authentication and authorization in more detail.

In this example, three authentication providers are being used by WebLogic Server: an OpenLDAP provider, an RDBMS (relational database) provider, and WebLogic Server's default LDAP provider. The two external authentication provider servers are running, and they have been added to WebLogic Server as authentication providers in the WebLogic Server Administration Console.
1. The user logging in is authenticated against all available authentication providers. Moe belongs to the RDBMS authentication provider and can log in successfully (unless authentication is set to "REQUIRED" on more than one provider).
2. On successful login to a portal, WebLogic Portal uses its DefaultRoleMapper to see if the user belongs to any delegated administration and visitor entitlement roles, and the user is granted access to only the resources he is allowed to access. The role called "manager" is defined so that anyone belonging to the group called "managerGroup" is part of that role. The HR portlet is set up so that only members of the "manager" role can view it.
If you are using more than the LDAP authentication provider supplied by WebLogic Server, see Using Multiple Authentication Providers in Portal Development.
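The login and role-mapping steps above, as an added example (not code from the original page or from WebLogic): a Python model of how JAAS control flags decide the login outcome across the three providers, and how group membership then gates the HR portlet. The user names other than Moe, the passwords, the group memberships and the "News" portlet are constructed sample data, and the function names are hypothetical.

```python
# Added illustration: models JAAS control-flag evaluation; it is not WebLogic code.
import hmac

# Constructed sample data: provider -> {user: (password, groups)}
PROVIDERS = {
    "OpenLDAP": {"larry": ("pw-l", {"staff"})},
    "RDBMS": {"moe": ("pw-m", {"managerGroup"})},
    "DefaultLDAP": {"curly": ("pw-c", {"staff"})},
}
ROLES = {"manager": {"managerGroup"}}        # role -> groups mapped into it
PORTLETS = {"HR": "manager", "News": None}   # portlet -> required role (None = open)


def authenticate(user, password, chain):
    """Apply JAAS control flags over an ordered [(provider, flag)] chain.

    Returns the user's groups on success, or None when login fails.
    """
    groups, any_ok = set(), False
    mandatory_seen = mandatory_failed = False
    for provider, flag in chain:
        entry = PROVIDERS[provider].get(user)
        ok = entry is not None and hmac.compare_digest(entry[0], password)
        if ok:
            any_ok = True
            groups |= entry[1]
        if flag in ("REQUIRED", "REQUISITE"):
            mandatory_seen = True
            mandatory_failed = mandatory_failed or not ok
            if flag == "REQUISITE" and not ok:
                break                      # REQUISITE failure ends the chain
        elif flag == "SUFFICIENT" and ok and not mandatory_failed:
            return groups                  # SUFFICIENT success short-circuits
    if mandatory_failed or (not mandatory_seen and not any_ok):
        return None
    return groups


def visible_portlets(groups):
    """Map groups to roles, then list the portlets those roles may view."""
    roles = {role for role, members in ROLES.items() if groups & members}
    return sorted(p for p, need in PORTLETS.items() if need is None or need in roles)
```

With every provider set to SUFFICIENT, Moe's RDBMS credentials are enough; marking two providers REQUIRED makes the same login fail, because Moe exists in only one of them.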
Related Topics
Implementing Authentication
http://e-docs.bea.com/workshop/docs81/doc/en/portal/security/sspiWlp.html
Version: 2006.0314.123656