Open source portal software controls security

A hallmark of the open source software community is the opportunity for IT executives to get close to developers and influence product development. Goodwill Industries International helped drive the security overhaul of the new version of open source Liferay portal software, expected to be announced the week of April 10.

Liferay Portal 4.0 lets individual users, groups and guests have portlet-level permissions. Administrators can set or restrict access to portlets and portlet objects, as well as delegate access authority to others.

“Not only did we add the security component, we rewrote every piece to hook into that security mechanism,” says Brian Chan, founder and chief software architect of Liferay. “Before, it was set based on roles, and how you defined a role had to be customized between different implementations. Now every object in the system has a set of permissions, and you can manage all that through the GUI.”

Those features are critical to Goodwill, which runs job training and career services for people with disabilities, those on welfare and others in need. Liferay Portal 4.0 gives Goodwill more sophisticated control of security settings than was available in earlier versions, says Steve Bergman, chief information officer at the Rockville, Md.-based nonprofit organization. “We can assign security rights to individuals or put them into security groups so they have access to components that are appropriate for their activities in the portal.”

IT staff also can delegate administrative tasks to local Goodwill locations so managers in the field can control their own group’s access privileges, says Michael Shollenberger, program manager at Goodwill.

Key to the overhaul is that Liferay didn’t sacrifice the stability or performance of the application in the redesign of the security framework, Shollenberger says. “It’s tough when you build an application and then need to revisit the granularity of the security model,” he says. But Liferay managed to overhaul the security framework without degrading performance or sacrificing stability of the product, he says.

Opting for open source

Goodwill started designing its portal, known as MyGoodwill, about two years ago. “There was a need within Goodwill to find a way to help the organization collaborate and share best practices,” Bergman says.

The organization considered commercial, off-the-shelf portal products as well as open-source products when it started searching for a portal platform. “We knew we wanted to head down the Java path, based on our internal capabilities and our team’s expertise. But we didn’t know that we wanted to go open source,” Bergman says. After fleshing out its business plan and doing a cost-benefit analysis, Goodwill settled on Liferay.

“Our implementation costs — to get the application up and running and do the initial integration — are easily a third of what it would have cost us had we gone with [an off-the-shelf] product,” Bergman says.

Not having to pay for software licenses let Goodwill dedicate more funds to integrating the portal platform with its back-end systems, including its Microsoft SQL Server database, e-mail system, and online training applications from Saba.

Six months after its initial deployment, MyGoodwill has about 6,000 active users and Goodwill is rolling it out to larger parts of the organization on a controlled basis. The portal is designed to accommodate as many as 100,000 users, Shollenberger says.

Using open source software for a mission-critical application is new to Goodwill. “I looked at this as an option a couple of years ago, but I just didn’t feel like the industry was mature enough back then,” Bergman says. But the open source community has grown and matured a lot in the last two years, he says.

“To develop an enterprise application of this magnitude in open source was taking a little bit of a leap of faith. But we’ve been very pleased with the effort,” Bergman says.

Goodwill’s experience with Liferay could lead to more open source deployments down the road, he says. “Given this, I don’t look at any new platform without also putting it side-by-side with the open source alternative.”

Standards support

An additional feature in Liferay Portal 4.0 is the ability to post pages and objects with public and private viewing properties; private pages are password-protected. Added taxonomy features in Liferay Portal 4.0 let users create sub-portals within the corporate portal for a company division or branch office.

The portal conforms to the JSR-168 portal API, a standard designed to simplify integration among portal elements. In Version 4.0, Liferay has added support for the JSR-170 standard for content management systems (CMS). “One team could be using one CMS tool, another could be using another CMS tool, but the aggregator — the portal — can contact both of them in a standards-compliant fashion and display the data,” Chan says.

In Version 4.0.1., Liferay plans to add support for a workflow portlet that integrates with the open source Java business process management engine, Chan says.

Liferay offers Professional and Enterprise versions of its portal software. The Enterprise version lets users cluster portlet transactions across multiple servers. Both versions are freely available under an MIT license. Optional support, training and professional services are available from Liferay.