An Overview of Sun ONE Portal Server

By Sanjeev Agarwal, Srikanth Ramakrishna, and Jim Mendelsohn, October 7, 2003  
This paper champions the value of portals, defines a portal, and describes how to capitalize on it in a system architecture. In particular, it describes how to use Sun ONE Portal Server to integrate portals with IT networks.
The Value of Portals
Efficient lookup of resources is a major challenge that faces information and service networks. Remember: Just because data can be found is no guarantee that users will consistently find them. Currently, three schemes tackle that challenge:
  • Bookmarks -- These are actually inadequate because finding the resources precedes bookmark setups.
  • Web search -- By and large, the effectiveness of Web search depends on the users' knowledge. Previously, most users flocked to sites that contained links to a multitude of related resources, sometimes called link farms, to browse for pointers. Enterprises have since established portals to satisfy the overwhelming desire for "one-stop shopping."
  • Portals -- To deliver much more value than mere link farms, you can integrate Web-based applications and services into portals to make available services that are easier to navigate and access. An integrated search capability on the portal enhances information retrieval. Also, with single sign-on (SSO) offered by portal server software, users need not remember multiple IDs and passwords that would otherwise be required for authentication into the various facets in nonportals.
Portal servers connect people with the pertinent resources and are the obvious choice for information and service delivery.
Definition of a Portal
A portal is a doorway to a set of resources that an enterprise offers to its customers. For some consumer portals, those resources include the entire World Wide Web. For most enterprise portals, the resources include information and applications that are specific to the relationship between the enterprises and their customers.
More and more, IT managers and developers are integrating new services into their portals, most notably the following:
  • Wireless access
  • Secure remote access
  • Knowledge management
  • Real-time collaboration, such as instant messaging and chat rooms
Portal servers provide the ideal platform for integrating and managing those services. With Sun ONE Portal Server, part of the Sun ONE architecture (see FIGURE 1), you can locate, connect, aggregate, present, communicate, personalize, and deliver content. Rather than providing these services, Sun ONE Portal Server functions as the mechanism by which a user interface is associated with Web services and applications.
FIGURE 1 Sun ONE Architecture

You can run Sun ONE Portal Server on Sun ONE Application Server, Sun ONE Web Server, or the application servers from BEA and IBM.
For developers, a portal is a system layer for deploying services and identifying who can access them. It allows reconfigurations--migrations, upgrades, and such--without extensive reengineering. For users, a portal is a secure and flexible Web site from which they can access services and applications.
In a typical organization, HTML programmers build the desktop; Java technology developers build portal channels; system administrators assemble the portal with the desktop, containers, and channels, as well as assign roles and grant access to users of the services offered by the enterprise.
Sun ONE Portal Server Core Functionality
This section describes the infrastructure of Sun ONE Portal Server, the servers on which the product and its components are deployed, and the key services offered by Sun ONE Portal Server.
Infrastructure and Deployment
Establishing a portal with Sun ONE Portal Server and an identity policy involves the use of the following:
  • Sun ONE Identity Server , which helps manage secure access to Web-based resources by providing access management, identity administration, and directory services.
  • Sun ONE Directory Server , which provides the primary configuration and user profile data repository for Sun ONE Portal Server. A directory that complies with the Lightweight Directory Access Protocol (LDAP), Sun ONE Directory Server is implemented on an extensible, open schema.
  • Sun ONE Web Server , which supports Java servlet and JavaServer Pages (JSP) technologies to generate content.
  • Java 2 Platform, Standard Edition (J2SE) technology , which provides the Java Runtime Environment (JRE) for all Java software in Sun ONE Portal Server and its underlying components.
FIGURE 2 illustrates the portal infrastructure.
FIGURE 2 The Portal Infrastructure

You deploy Sun ONE Portal Server on separate nodes (hardware servers):
  • Core portal node -- The server on which you install Sun ONE Portal Server, Sun ONE Web Server, and Sun ONE Identity Server. You can also install the Sun ONE Portal Server search component on this node, if desired.
  • Search node -- Optional. The server on which you install the Sun ONE Portal Server search component. Alternatively, to optimize performance, scalability, and availability, install this component on its own server.
  • Gateway node -- Optional. The server, usually a nonportal one because the gateway often resides in the DMZ, on which you install the Secure Remote Access gateway component.
  • Directory server -- The server on which you install Sun ONE Directory Server. An alternative location is the core portal node.
  • Other servers -- Those servers, for example, for mail and other files, that provide backend support, data, and applications to portal users.
Key Attributes
Five key attributes in Sun ONE Portal Server contribute to its ability to create and manage productive, secure, and cost-effective portals:
  • SSO -- SSO means consolidated access: Users need sign on only once to be authenticated for the entire portal. For enterprises, SSO accords flexibility to add services, including Web services.
  • Enhanced security -- The authentication and authorization services can enforce fine-grained policy rules. Authentication methods can vary for different user groups and thus ensure a secure yet flexible portal.
  • Secure search -- The search engine can deliver secure content according to user roles. It can also retrieve from documents specific passages that match the search criteria.
  • Delegated administration -- Delegation of portal administration to internal or external parties results in cost savings and reductions of support bottlenecks.
  • Single administrative console -- The Administrative Console, capable of functioning across portals, administers the portal, search, identity, and directory services.
Services and Capabilities
A robust portal server like Sun ONE Portal Server provides many essential services and capabilities, including identity management, aggregation, presentation, and so forth. Here's a synopsis of the functionalities:
  • Identity Management -- This is a centralized mechanism for controlling policy, including role-based content delivery and multiple-role support. You can establish user roles through an identity server, then deliver content to each of those users according to their privileges.
  • Aggregation -- You can group applications and content into containers and makes them available by access policy. You can aggregate content and services, including Web or non-Web applications and services.
  • Presentation -- To enhance appearance and ease of use, you can create a common look and feel for the portal, for example, by standardizing the fonts and layout.
  • Personalization -- You can change skins, themes, tabs, and the channel layout, hence customizing how and where to access content and services on a portal.
  • Customization -- You can customize the "flow," the way in which you navigate the channels, tabs, and functions of the portal. Additionally, you can modify the desktop: the shape, size, and number of columns and channels.
  • Communication and Collaboration -- These are the services for messaging, instant messaging, calendar utilities, task lists, and files.
  • Authentication and SSO -- Multilevel security and authentication chaining can severely restrict access to sensitive areas and allow simple authentication for areas that require only minimal security. For sensitive areas, you can even configure different authentication types (LDAP, RADIUS, Secure ID, and client-side certificates) and multiple types of authentication (LDAP and client-side certificates).
    SSO is achieved through the interaction between Sun ONE Identity Server and Web agents (authentication plug-ins).
  • Search -- The search engine builds the metadata resource and updates it by crawlers. From the search client, you can search against the metadata and browse the metadata taxonomy.
  • Secure Remote Access and Mobile Access -- Through secure remote access, you can access content and services from outside the firewall over HTTP or other protocols, such as IMAP, MAPI, FTP, and Telnet. Hence, Sun ONE Portal Server provides virtual private network (VPN)-like capabilities that require no client-side software and encryption with multiple ciphers, including such highly secure types as 3DES and RC4.

  • Most typically, secure remote access is through a portal gateway with a two-tier configuration, whereby the gateway sits in the DMZ and connects to Sun ONE Portal Server in the intranet. The gateway provides a netlet component, which opens a tunnel from remote computers to Sun ONE Portal Server. You can then perform various functions, from running a thick SAP client to accessing intranets.
    Through mobile access, you can present the portal on multiple mobile devices, such as laptop computers and cell phones. You can also specify which elements of the portal (for example, email or applications) are received on the mobile devices.
  • Content Management -- The integrated content management system (CMS) occurs through channels to the content it manages and the CMS itself.
  • Administration -- You can define the policy, presentation, and channels by user, organization, and role. Additionally, you can specify administrators with restricted or global privileges. That way, users can also be pseudo--administrators and manage their own accounts--register, update personal profiles, and so forth.
Sun ONE Portal Server Features and Related Tools
Sun ONE Portal Server offers numerous features, notably the security-related ones that uphold the safety and integrity of data and that manage access control.
Authentication and Access Control
To provide an interface for managing objects, policies, and services with Sun ONE Directory Server, Sun ONE Portal Server makes use of the administrative capabilities in iPlanet Directory Server Access Management Edition (iDSAME).
Access Policy and Agents
An access policy is a set of rules that define the roles or groups that can access a particular set of Web resources. To create such a policy, you specify its name and the allow-deny mode, including specific constraints, if any, and then assign the policy to a group, subgroup, or individual.
Sun ONE Identity Server supports two types of agents:
  • Access agents -- You install these agents on Sun ONE Web Server, one per server, to protect resources. You create a URL access policy with Sun ONE Identity Server for each of the resources you want to protect.
  • J2EE agents -- These agents are servlet filters. You configure them with your application and deploy them on Web and application servers that comply with Java Servlet API 2.3 .
For details, see: As an example, following is the procedure for granting access of a site to a role:
  1. From the Policy Management interface at the Sun ONE Portal Server Administration Console, create a URL policy.

    Specify the policy name, the URL, and the allow-deny mode.
  3. Assign the policy to a role or group from the User Management interface.

    Bear in mind these rules:
    • If you assign a policy to a role, the policy attributes are available to all the individuals who assume that role. For example, you can name a role management.
    • If you assign a policy to a group, the policy attributes are available to all the individuals in that group. For example, you can name a group engineering.
  5. Install the iDSAME URL Policy Agent on Sun ONE Web Server and configure the the agent to use Sun ONE Identify Server.
Authentication Mechanisms

Authentication takes place before access is granted. The criteria that authenticate a particular user are based on the authentication service configured for each group in the Sun ONE Portal Server enterprise. By default, Sun ONE Portal Server uses LDAP directory authentication. Also available on Sun ONE Identity Server are several plug-in solutions, listed in TABLE 1.

TABLE 1 Authentication Modules
Anonymous authentication
Enables login as an anonymous user. Can be limited to specific types of access, suchas read-only and search functions. You cannot customize your desktop whenlogged in as an anonymous user.
Certificate-based authentication
Identifies and authenticates users by means of personal digital certificates (PDC). You can configure a PDC to require a match against one that's stored in Sun ONEDirectory Server and verification against a Certificate Revocation List.
LDAP directory authentication
Requires authentication with a user name and password stored in the directory server.
Membership authentication
Enables creation of a registered account and personalization without the aid of anadministrator. Implemented like personalized sites, such as or
RADIUS server authentication
Performs a two-step process that requires you to configure the RADIUS server and then to register and enable the RADIUS authentication service. You can configureSun ONE Identity Server to work with a RADIUS server. Useful for legacy RADIUSservers used for authentication.
SafeWord authentication
Authenticates requests to Secure Computing's SafeWord or SafeWordPremierAccess authentication servers, with the client portion provided by Sun ONEIdentity Server. The SafeWord server can reside on the same system as Sun ONEIdentity Server or on a separate system.
UNIX authentication
Processes authentication requests against UNIX user IDs and passwords known tothe operating system on which Sun ONE Identity Server is installed. Uses anauthentication "helper," a separate process that runs with the Sun ONE IdentityServer process and helps Sun ONE Identify Server validate the user names andpasswords from the authentication mechanism in the operating system.
Each time an authenticated user attempts to access a protected page, the iDSAME API for the SSO API checks the authentication credentials to determine whether that user has permission to access the page. Afterwards, either access is granted or the user is prompted to reauthenticate.
Process Flow: Access Requests and SSO
The flow of a request to access a site proceeds as follows:
  1. The requester enters the URL on the browser.
  3. The request is dispatched to Sun ONE Web Server, which then calls the iDSAME URL Policy Agent of the server the requester would like to access.
  5. The agent checks whether the resource is restricted.
    By default, all the resources of a Web server are restricted. To lift the restrictions, you must revise the settings in the agent configuration file.
  7. Either of these scenarios then occurs:
    • In the case of no restrictions, the agent grants access to the requester.
    • In the case of restrictions, the agent checks whether the requester has been authenticated by Sun ONE Identity Server. If so, the agent grants access to the requester. Otherwise, the agent displays the login page.
  9. After login, the agent obtains a list of the resources that the requester is allowed to access from Sun ONE Identity Server.

  10. Either of these scenarios then occurs:
    • If the requested URL matches one on the resource list, the agent forwards the request to Sun ONE Web Server, which then serves the page to the requester.
    • Otherwise, the agent notifies Sun ONE Web Server to display a page with a message that access is denied.
APIs and Customization Tools

Sun ONE Portal Server is open and extensible; channels are customizable through APIs. Channel grouping, layout, and navigation of the portal can be customized from the Administrative Console.

TABLE 2 summarizes the APIs and other means by which you can extend and customize channels.

TABLE 2 API and Other Means for Extending and Customizing Channels
API or Other
Profile API
Creates a channel that reads or writes the attributes of an authenticated user from the directory.
Session API
Creates a channel that reads or writes attributes from session memory.
Logging API
Creates a channel that logs access, administration, and error files to the portal.
Authentication API
Creates custom authentication modules. Out-of-the-box authentication models include LDAP, RADIUS, SecureID, certificate, and UNIX.
Sun ONE Identity Server Software Development Kit (SDK)
Creates custom Web agents.
Custom Provider
Customizes and extends JSP technology, XML, Web services, and URL Scraper Providers.
Custom Desktop (collection of JSPsoftware)
Customizes the look and feel of the desktop.
Developer Tools

The following developer tools provide the samples and environments in which to build and customize channels and key elements of the portal:
  • With Sun ONE Connector Builder , a NetBeans module for Sun ONE Studio, you can build J2EE Connector Architecture (JCA) connectors to applications.
  • Within the Mobile Access Studio IDE, you can build applications that are accessible to both desktop and mobile device browsers. Furthermore, you can download those applications to disconnected devices for synchronization.
  • Sample Portal is an out-of-the-box portal with sample providers, containers, channels, and display profiles. You can modify or extend the sample with the Sun ONE Portal Server tools and accelerate your customization tasks.
Sun ONE Portal Server Sample Desktop
This section introduces the Sun ONE Portal Server components and describes the mapping between Sun ONE Portal Server APIs and the sample desktop.
Overview of Components
Sun ONE Portal Server 6 contains the following key components:


The desktop is a layout that provides the common look and feel of the portal and includes the outer structure of each page and the framework that surrounds each channel. The framework includes banners, headers, footers, tabs, navigation buttons, and such, also login and self-subscription screens.

For more information, see the Sun ONE Portal Server 6 Desktop Customization Guide.

Containers are a desktop division to group channels, content, or applications, and to nest other containers. Sun ONE Portal Server 6 offers four basic containers:
  • Tab containers create tabs on a page. They separate and organize channels into separate pages on a portal.
  • Frame containers implement tabs as HTML frames.
  • Table containers display channels in rows and columns.
  • Single containers enable a channel to assume the size of an entire page. They can be inside either a tab or frame container.

Channels provide access to content, usually an application or a service, on the portal. They are built as instances of the following provider classes:
  • JSPProvider, which generates and executes code from JSP pages
  • URLScraperProvider, which picks up HTML content with HTTP from the Web server and displays it on the portal
  • XMLProvider, which, as a subclass of URLScraperProvider picks up XML content, also with HTTP, and converts the content with eXtensible Stylesheet Language (XSL) into HTML before displaying it
  • SimpleWebServiceProvider, which, also as a subclass of URLScraperProvider, retrieves the WSDL file and communicates with the associated Web service through Simple Object Access Protocol (SOAP)
For details, see the Sun One Portal Server Developer's Guide and the Sun One Portal Server Administrator Guide.

Providers are the Java class files that construct both channels and containers. The channels and containers in Sun ONE Portal Server contain associated providers. Nonetheless, you can extend providers, such as URLScraperProvider, if their APIs are publicly available.

Provider types include leaf building-block providers, content providers, and container building-block providers. In general:
  • Content and applications are generated through channels by means of leaf providers or content providers.
  • Tabs and tables that group channels are created with, respectively, the JSPTabContainer provider and the JSPTableContainer provider.
Administrative Console

The Administrative Console grants administrators and delegated administrators the privileges to do the following:
  • Determine an authentication policy.
  • Create and delete organizations, roles, and users.
  • Specify the desktop layout, channels, and containers available for an organization, a role, or an individual.
Through the console, administrators or delegated administrators create a directory information tree (DIT), with which they can perform these tasks:
  • Create organizations, suborganizations, roles, and users at any node.
  • Establish an authentication policy.
  • Define the portal layout, containers, and channels at and below that node.
The policy information at any given node is contained in a display profile in XML format, which is stored in Sun ONE Identity Server. Users whose policy is made up of multiple display profiles receive a merged display profile, enabling full privileges appropriate to their multiple roles.

The Rewriter makes all elements of HTML pages function with Sun ONE Portal Server. For example, it rewrites relative URLs of image tags so that the browser requests the images from the correct server.

The Rewriter also functions in the portal gateway. It can, for example, rewrite HTML links to provide access to an internal server.

The Installer installs Sun ONE Portal Server into its proper location and the secure remote access gateway into the DMZ. It can also install and configure Sun ONE Directory Server, Sun ONE Identity Server, and Sun ONE Portal Server onto Sun ONE Web Server, Sun ONE Application Server 7, or application servers from BEA or IBM.
Policy Agents

Policy agents are authentication plug-ins to several containers, including Sun, Apache, IIS, BEA, IBM, and others. The agents are part of Sun ONE Identity Server. For details, see Access Policy and Agents.
Mapping Between Sun ONE Portal Server APIs
Sun ONE Portal Server contains a prebuilt sample desktop that illustrates the use of administrative and programming features. This section discusses the sample desktop and summarizes how that desktop corresponds to the Sun ONE Portal Server concepts and APIs.

FIGURE 3 portrays the desktop channel hierarchy.
FIGURE 3 The Desktop Channel Hierarchy

FIGURE 4 shows the sample desktop.
FIGURE 4 Sample Desktop
The schema of the desktop (FIGURE 3) corresponds to the sample desktop (FIGURE 4) as follows:
Desktop Channel Hierarchy (FIGURE 3)
Sample Desktop (FIGURE 4)
Tab 1
My Front Page
Tab 2
Channel 1
User Information
Channel 2
Sun ONE Information
Channel 3
My Bookmarks
The following table shows which providers generate the sample desktop.
Tabbed View
Generated by
My Front Page, Samples, and Search
Channels on My Front Page
My Front Page
  • User Information channel
  • Sun ONE Information channel
  • My Bookmarks channel
  • Sample JSP channel
  • XML Test channel
  • UserInfoProvider
  • InfoProvider
  • BookmarkProvider
  • JSPProvider
  • XMLProvider
Add-On Products and Other Resources
Here is a description of the optional add-on products and a list of resources for Sun ONE Portal Server 6.
Add-On Products
The following optional add-on products provide additional useful features:

Sun ONE Portal Server, Secure Remote Access -- Safeguards portals and enables remote users to securely access their organization's network and its services on the Web

Sun ONE Portal Server, Mobile Access -- Makes portal content available to mobile users and offers such personalized content and services as email, calendar, address book, news, location-based services, and short message services (SMS)

Sun ONE Portal Server: Personalized Knowledge Pack -- Provides a knowledge management system: a plug-in module to Sun ONE Portal Server for storing, organizing, sharing, and efficiently retrieving documents

Sun ONE Instant Messaging -- Enables instant-messaging, chat-room, and file-sharing capabilities within the Sun ONE Portal Server environment.
FAQs and Related References
Here are related sites, FAQs, and related material on Sun ONE Portal Server:
About the Authors
Sanjeev Agarwal, who joined Sun in March 2001, is a member of the Architecture Support Team and a moderator of the Sun Software Forum. He has been focusing on support efforts for Sun ONE products and the integration of applications with J2EE connectors.

Srikanth Ramakrishna, engineer lead of the Architecture Support Team, joined Sun in January 2002. He's been actively involved in the support and development efforts for the Sun ONE stack, the J2ME platform, Web services, and programming tools. Srikanth also assists ISVs to develop applications on Sun ONE products.

Both Sanjeev and Srikanth are based in Bangalore, India.

Jim Mendelsohn is a New York-based technical writer, speech writer, and essayist who has written extensively for Sun on topics ranging from load balancing and site migration to a nine-part developer's guide to building a Web site.
Rate and Review
Tell us what you think of the content of this page.
Excellent   Good   Fair   Poor  
Your email address (no reply is possible without an address):
Sun Privacy Policy

Note: We are not able to respond to all submitted comments.
Left Curve
Java SDKs and Tools
Right Curve
Left Curve
Java Resources
Right Curve
Java 8 banner (182)