Permission access to Administration Console

The Administration Console of WebCenter Portal is always accessible through the /admin URL.

When building a Page Template, developers usually use the following piece of code to link to the Administration Console (taken from the default template):

[Image: Default Administration Console Link]

 

Looking at the rendered attribute, you can see the following restrictions:

  • #{attrs.showAdmin}: A Page Template attribute set by default to #{securityContext.authenticated}. This means that all authenticated users can see the link.
  • #{attrs.isAdminPage}: false by default. The admin.jspx page overrides this attribute with <f:attribute name="isAdminPage" value="true"/> to change the default value in the Page Template.

Imagine the following scenario: only Administrator users should be able to see the Administration Console.

Developers usually change it as follows:

[Image: EL Expression that restricts Administration Link rendering]

 

As you can see, the link to the administration console is now restricted using #{WCSecurityContext.userInAppRole ['Administrator']}. This means that only users with the admin role can see the link. It does not mean that other users cannot access the Administration Console: anyone who types the URL http://[host]:[port]//admin reaches the console without problems or restrictions.

The rendered property is useful for hiding components visually. However, making a component truly secure sometimes requires more work.

For the administration page, security should be applied to its pageDefinition. To secure this page (located in the main library of the WebCenter Portal Framework), open the jazn-data.xml file and follow these steps:

  1. Go to the Resource Grants tab and select Web Page as the Resource Type.

     [Image: Resource Grants -> Web Page]

     

  2. The administration page is inside an ADF Library. Select Show web pages imported from ADF Libraries to display it.

     [Image: jazn-data -> Show Web Pages from ADF JAR Libraries]

     

  3. Select the admin page. As you can see, authenticated-role is assigned to that page. Remove this role and assign the Administrator role.

     [Image: jazn-data -> Change Admin Page to Administrator Role]

     

  4. Run the WebCenter Portal application and log in with a non-administrator user. When trying to access /admin, you will be unauthorized.

     [Image: Unauthorized access to Administration Console]
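The grant changed in step 3 can also be checked directly in the file. The following Python check is an added example, not code from the original post or from Oracle: it parses jazn-data.xml and reports admin page grants still given to authenticated-role, and goes slightly further by also flagging anonymous-role. The embedded XML is a constructed sample, the page definition names are placeholders, and the function name is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a minimal jazn-data.xml policy fragment. The page
# definition names are placeholders, not the real WebCenter Portal names.
SAMPLE_JAZN = """<jazn-data>
 <policy-store><applications><application><name>SamplePortal</name>
  <jazn-policy>
   <grant>
    <grantee><principals><principal>
     <class>oracle.security.jps.internal.core.principals.JpsAuthenticatedRoleImpl</class>
     <name>authenticated-role</name>
    </principal></principals></grantee>
    <permissions><permission>
     <class>oracle.adf.share.security.authorization.RegionPermission</class>
     <name>example.portal.pages.adminPageDef</name>
     <actions>view</actions>
    </permission></permissions>
   </grant>
   <grant>
    <grantee><principals><principal>
     <class>oracle.security.jps.service.policystore.ApplicationRole</class>
     <name>Administrator</name>
    </principal></principals></grantee>
    <permissions><permission>
     <class>oracle.adf.share.security.authorization.RegionPermission</class>
     <name>example.portal.pages.settingsPageDef</name>
     <actions>view</actions>
    </permission></permissions>
   </grant>
  </jazn-policy>
 </application></applications></policy-store>
</jazn-data>"""

# Built-in roles that cover every logged-in user or every visitor.
BROAD_ROLES = {"authenticated-role", "anonymous-role"}

def broad_page_grants(jazn_xml, page_hint="admin"):
    """Return (role, page) pairs where a matching page is granted to a broad role."""
    findings = []
    for grant in ET.fromstring(jazn_xml).iter("grant"):
        roles = {p.findtext("name", "").strip() for p in grant.iter("principal")}
        for perm in grant.iter("permission"):
            page = perm.findtext("name", "").strip()
            if page_hint.lower() in page.lower():
                findings += [(r, page) for r in sorted(roles & BROAD_ROLES)]
    return findings

if __name__ == "__main__":
    for role, page in broad_page_grants(SAMPLE_JAZN):
        print(f"{page}: granted to {role}; restrict to the Administrator role")
```

An empty result after step 3 confirms that the page is no longer reachable by every authenticated user, whatever the rendered attribute on the link says.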

     

References: Thread on the OTN WebCenter Portal Forum