WebCenter Portal Security

Bijesh | Oracle, PS3, WebCenter | July 1, 2011

In the default WebCenter Portal generated by JDeveloper, anonymous-role is granted the “view” privilege on the home page. This may not always be desirable. The portal may not have any public content to put on the home page. In my current project, the entire portal has to be secured and available only to authenticated users. You would imagine this is a straightforward thing to achieve, but it’s not.

To turn off access to the home page, I edited the page hierarchy and removed the grants assigned to anonymous-role. Now, when the user attempts to access /faces/oracle/webcenter/portalapp/pages/home.jspx, the user gets redirected correctly to the login page. However, if the user were to use the pretty URL /pages_home, the server throws a 404 error (perhaps an incorrectly flagged 403?) and the user is left with a very unhelpful error page. The trouble with this is that the user may choose to bookmark the page after his/her initial login, and that bookmark will invariably point at the pretty URL.

There is also another side effect to this. When the user hits logout, WebCenter redirects the user to the current page after logout. Given that faces-config.xml contains a “logout_success” navigation case, I imagined that changing this to point at, say, the login page would work. Alas no. The only way to make this work was to change the Logout link to a goLink with the destination set to “adfAuthentication?logout=true&end_url=\faces\oracle\webcenter\portalapp\pages\login.jspx”.

Oh, and this is with respect to WebCenter 11.1.1.5.

Update: Thanks to Andrejus for an excellent workaround. His technique to solve the Session time-out problem can be applied here too.
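To confirm that removing the anonymous-role grants behaves the same on every alias of a page, the check below requests each URL without a session and classifies the response. It is an added example, not code from the original post or from Oracle; the two paths come from the post, while LOGIN_MARKER, the helper names and the sample responses are assumptions constructed for illustration.

```python
import http.client
from urllib.parse import urlsplit

# Both forms of the home page URL mentioned in the post.
PROTECTED_PATHS = [
    "/faces/oracle/webcenter/portalapp/pages/home.jspx",
    "/pages_home",
]
LOGIN_MARKER = "login.jspx"  # assumption: login redirects end at this page

def classify(status, location):
    """Judge one anonymous response to a page that should require login."""
    redirect = status in (301, 302, 303, 307)
    if redirect and location and LOGIN_MARKER in urlsplit(location).path:
        return "ok: redirected to login"
    if status == 200:
        return "exposed: content served to anonymous user"
    if status in (401, 403):
        return "denied: no login redirect"
    if status == 404:
        return "broken: 404 instead of login redirect"
    return f"unexpected: HTTP {status}"

def fetch(base_url, path, timeout=10):
    """GET the path with no cookies and without following redirects."""
    parts = urlsplit(base_url)
    https = parts.scheme == "https"
    cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def audit(paths, fetcher):
    """Map each path to a verdict; fetcher(path) returns (status, location)."""
    return {p: classify(*fetcher(p)) for p in paths}

# Constructed responses that mirror the behaviour reported in the post.
SAMPLE = {
    PROTECTED_PATHS[0]: (302, "/faces/oracle/webcenter/portalapp/pages/login.jspx"),
    PROTECTED_PATHS[1]: (404, None),
}

if __name__ == "__main__":
    for path, verdict in audit(PROTECTED_PATHS, SAMPLE.get).items():
        print(f"{path}: {verdict}")
```

Against a live portal, pass `lambda p: fetch("http://host:port", p)` as the fetcher, with the base URL of your own deployment.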
