Chapter 2. Architecture guidelines and technology options 83
Credential Vault
The WebSphere Portal Credential Service and Credential Vault provide a
mechanism for storing external application credentials.
Stored credentials are typically needed because the credentials (username or
password) for an external application differ from the user's WebSphere Portal
credentials. The credential vault is essentially a store of usernames and
passwords that can be retrieved programmatically and used in tactical
authentications.
The WebSphere Portal Credential Service and Credential Vault also provide a
mechanism that assists a portlet in retrieving one of several representations of a
user's authenticated identity, which can then be passed to DB2 Content Manager
Library Server for authentication purposes.
Note: This is uni-directional SSO, with the authentication domain only
covering WebSphere Portal and the portlet application access via the Java
API for DB2 Content Manager. A user authenticating with the DB2 Content
Manager eClient will still need to authenticate when accessing WebSphere
Portal.
Note: The implementation of this approach is clumsy when using a shared
user registry. In this instance a user has only one username and password,
but is required to manually enter those details in a credential vault slot. The
details in this slot are then used to authenticate the user during the Java API
based requests to DB2 Content Manager from WebSphere Portal.
2.6 Authorization
Authorization is the process of determining whether a user has access to
resources based on the access policies applied. If the resource is protected, the
user is first authenticated to establish their identity, and the privileges defined
for the requested resource are then checked.
In this section we describe the authorization mechanisms provided by
WebSphere Portal and DB2 Content Manager. In addition, we explore
integration options when they are used together and with external products
such as Tivoli Access Manager.
84 Document Management Using WebSphere Portal V5.0.2 and DB2 Content Manager V8.2
2.6.1 WebSphere Portal authorization
WebSphere Portal administrators configure access to portal resources (for
example, pages, portlets) by assigning users or groups to access roles.
WebSphere Portal supports fine-grained access control over resources, and users
can interact with (view, edit, manage, and so on) only those resources for which
they have appropriate access rights (for example, role based content and services).
When rendering a resource, WebSphere Portal verifies that the user has
appropriate rights to use the requested resource. Access rights are administered
through the User Group Permissions and Resource Permissions portlets and
stored in the WebSphere Portal database by default (application specific).
Other than the requirement for a successful authentication, authorization is
independent of WebSphere Application Server or any custom authentication
proxy. WebSphere Application Server protects servlets and enterprise beans, but
WebSphere Portal protects its own internal resources, such as pages and
portlets.
In WebSphere Portal V5.0, access control is based on roles. A role combines a
set of permissions with a specific WebSphere Portal resource. This set of
permissions is called a role type. You can assign roles on virtual resources and
on resource instances. Resource instances are specific resources, such as a
single portlet or page. Virtual resources are a unique resource type that have two
functions:
They protect sensitive operations that affect the entire portal or specific
concepts in the portal. For example, the XML configuration interface virtual
resource protects the ability to execute scripts through that XML configuration
interface.
They are parent resources for all resource instances. Role assignments on
the Web Modules virtual resource permit access to all Web modules in the
portal.
Note: Additional information can be found in the WebSphere Portal InfoCenter,
which is also available on the following Web page:
http://publib.boulder.ibm.com/pvc/wp/502/ent/en/InfoCenter/index.html
2.6.2 DB2 Content Manager authorization
In DB2 Content Manager, each user is granted a set of privileges that define the
maximum possible authorizations (application specific operations) a user can
perform. The user's effective access rights will never exceed the user defined
privileges.
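As an added illustration (not code from this Redbook or from IBM's products), the following Python models the two rules described in 2.6.1 and 2.6.2: a role type is a named set of permissions, a role assigned on a virtual resource is inherited by every resource instance beneath it, and a user's effective rights are intersected with a maximum privilege set so they never exceed it. The role type names, resource names and principals are assumed sample values chosen to mirror the text.

```python
# Added model of WebSphere Portal V5 role-based access control plus the
# DB2 Content Manager privilege cap. All names below are assumed samples.

# A role type is a named set of permissions (assumed names, not the product's list).
ROLE_TYPES = {
    "User": {"view"},
    "Editor": {"view", "edit"},
    "Manager": {"view", "edit", "manage"},
}

# Resource tree: child -> parent. Virtual resources are roots (parent None) and
# are the parents of all resource instances, as the text describes.
PARENT = {
    "Web Modules": None,
    "XML configuration interface": None,
    "webmodule:hr-app": "Web Modules",
    "portlet:payroll": "webmodule:hr-app",
}

# Role assignments: (principal, role type, resource). A role on the "Web Modules"
# virtual resource reaches every Web module and portlet under it.
ASSIGNMENTS = [
    ("hr-editors", "Editor", "webmodule:hr-app"),
    ("portal-admins", "Manager", "Web Modules"),
    ("portal-admins", "Manager", "XML configuration interface"),
]


def ancestry(resource):
    """Yield the resource itself, then each parent up to its virtual resource root."""
    while resource is not None:
        yield resource
        resource = PARENT[resource]


def effective_permissions(principals, resource):
    """Union of permissions from roles assigned on the resource or any ancestor."""
    perms = set()
    for res in ancestry(resource):
        for principal, role, target in ASSIGNMENTS:
            if principal in principals and target == res:
                perms |= ROLE_TYPES[role]
    return perms


def is_authorized(principals, permission, resource, max_privileges=None):
    """True if the permission is granted; max_privileges caps the result the way
    DB2 Content Manager user privileges cap effective access rights."""
    perms = effective_permissions(principals, resource)
    if max_privileges is not None:
        perms &= set(max_privileges)
    return permission in perms
```

The check walks from the instance up through its virtual resource parent, so an assignment made high in the tree is the first thing to audit when a principal has broader rights than expected.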