
Weblogic web application container security part 2 ADF Security

by Edwin Biemond on February 1, 2010 · 17 comments

In Part 1 I already blogged about the standard web container security, but if you use ADF you have another option: ADF Security. With ADF Security you can protect your JSP or JSPX pages just like with the default container security, but ADF Security can do more: it can protect your Task Flows (fragments), it supports anonymous access, it can retrieve all the roles of the current user, and it can create users and roles in WebLogic when the server is in development mode.

Start the ADF Security wizard (located in the Application menu / Secure).

For this blog I chose ADF Authentication and Authorization, so I can also explain how authorization is done in ADF.

This will enable security in your ADF Web application.

When we take a look at what the ADF Security wizard did in your web application, we can see that an adfAuthentication servlet, a security-constraint, a security-role and a login-config element have been added to the web.xml.

<?xml version = '1.0' encoding = 'windows-1252'?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
    <description>Empty web.xml file for Web Application</description>
    <servlet>
        <servlet-name>adfAuthentication</servlet-name>
        <servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
        <init-param>
            <param-name>success_url</param-name>
            <param-value>/main.jspx</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>adfAuthentication</web-resource-name>
            <url-pattern>/adfAuthentication</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>valid-users</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
        <role-name>valid-users</role-name>
    </security-role>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>myrealm</realm-name>
    </login-config>
</web-app>

JDeveloper also creates a weblogic.xml deployment descriptor which maps the default WebLogic users group to the valid-users container security role. For ADF Security we never need to change these files. Of course you can add extra WebLogic groups in the weblogic.xml (you also need to add a matching security-role in the web.xml, otherwise you will get a deployment error), but ADF Security can't use these roles to protect the JSP / JSPX pages or Task Flows (fragments). You can still use these roles with the ADF isUserInRole method (ADFContext.getCurrent().getSecurityContext().isUserInRole(role)). So when you have WebLogic groups which are not needed by ADF Security but which you still want to use in your application, you can add them to the weblogic.xml / web.xml.
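As an added example (this is not the descriptor JDeveloper generated for the application in this post), here is a weblogic.xml with the default valid-users mapping plus one extra WebLogic group; the group name Administrators is the built-in WebLogic group, and the role name app-admins is an assumed name chosen for this example:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example weblogic.xml (added here, not generated by JDeveloper for this post). -->
<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">

    <!-- The mapping JDeveloper generates: the container security role
         valid-users (declared in web.xml) is mapped to the default
         WebLogic group "users", so every authenticated user may reach
         the /adfAuthentication servlet. -->
    <security-role-assignment>
        <role-name>valid-users</role-name>
        <principal-name>users</principal-name>
    </security-role-assignment>

    <!-- Extra mapping: container role app-admins (assumed name) mapped to
         the WebLogic group Administrators. ADF Security does not use this
         role for page or Task Flow grants; it is only visible through the
         container and the ADF isUserInRole method. -->
    <security-role-assignment>
        <role-name>app-admins</role-name>
        <principal-name>Administrators</principal-name>
    </security-role-assignment>

</weblogic-web-app>
```

Each role-name used here must also be declared in web.xml as <security-role><role-name>app-admins</role-name></security-role>, otherwise the deployment fails as described above.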

Application Users
For the authentication part we need some user accounts. When you have your own Authentication provider you can skip this part. When your WebLogic server is in development mode (Test) you can add your own test users in the JAZN editor. Go to Application menu / Secure / Users.

Here we can add our own test users. The next time you deploy your web application, these users are added to the DefaultAuthenticator provider.

This works in development, but in production you probably have an LDAP (OID or AD) or SQL Authenticator which contains your application users. If so, we need to change the control flag of the DefaultAuthenticator and of your own Authenticator to SUFFICIENT, otherwise your user accounts need to exist in both Authenticators.


Enterprise Roles
The user part is ready and we can define the Enterprise roles. These roles match the WebLogic Groups. We can add these roles in the Application menu / Secure / Groups.

Add a new role and add the test users as members of this role. When the WebLogic server is in development mode these roles are automatically created in the WebLogic DefaultAuthenticator provider.

We can disable the automatic user / group migration by disabling the Users and Groups property in Configure Security Deployment (Application menu / Secure).


Application Roles
The next part is defining the application roles and mapping these application roles to the enterprise roles. To add these roles go to Application menu / Secure / Application Roles.

Add a new application role and select the right enterprise role as a member of this role (this is necessary when you want to protect your application resources with a specific WebLogic group).

Application Policies
The last part is defining the security policies on the Task Flows and the JSP / JSPX pages (pages need to have a Page Definition) and granting these policies to the Application Roles. Go to Application menu / Secure / Application Policies.

We can now select an application page (which has a page definition) and add an application role to this page. By default the view permission is already selected; this is the minimal security policy. The authenticated-role and the anonymous-role are the default application roles; when you only use these roles you don't need to define enterprise or application roles, and user accounts are enough.

Web pages security policies overview

And the Task Flows overview

In a managed bean or in JSF code we can retrieve or validate the ADF Security properties. Here are some examples, collected in one managed bean:

import oracle.adf.share.ADFContext;
import oracle.adf.share.security.SecurityContext;

public class SecurityBean {

    // print the roles of the current user
    public void printUserRoles() {
        for (String role : ADFContext.getCurrent().getSecurityContext().getUserRoles()) {
            System.out.println("role " + role);
        }
    }

    // get the ADF security context and test if the user has the role users
    public boolean isInUsersRole() {
        SecurityContext sec = ADFContext.getCurrent().getSecurityContext();
        return sec.isUserInRole("users");
    }

    // is the user valid (authenticated)
    public boolean isAuthenticated() {
        return ADFContext.getCurrent().getSecurityContext().isAuthenticated();
    }

    // return the name of the current user
    public String getCurrentUser() {
        return ADFContext.getCurrent().getSecurityContext().getUserName();
    }
}

Or use it in an EL expression, for example in the rendered or disabled attribute of a JSF component:
#{securityContext.regionViewable['pageDefs.MainPageDef.xml']} or #{securityContext.userInRole['admin']}



Gergely Gabor February 4, 2010 at 8:51 pm

Hi Edwin!

I'm a beginner in JDeveloper and ADF 11g. Please give me some help.
We use Active Directory authentication at my firm. I want to develop a web application with ADF 11g, but I don't want to use ADF Security. How can I achieve AD authentication from this web application?

Please send some tips to my email
thanks
Gabor


Edwin Biemond February 5, 2010 at 5:44 pm

Hi Gabor,

OK, why don't you want to use ADF Security? Are you not using WebLogic? Then I can understand it. Otherwise just configure an LDAP security provider and activate ADF Security for authentication only, voilà.

If you still want to do it yourself then you need to make your own login module (JAAS) which does all the LDAP handling. Take a look at this article. http://www.theserverside.com/tt/articles/article.tss?l=Pramati-JAAS

thanks


Andrejus March 4, 2010 at 11:19 am
belal July 17, 2011 at 11:57 am

Hi Edwin,
I followed your post using JDeveloper 11.1.2 and faced the following problem.
I have user1 and group1 in my AD and want to use user1 to log in to my application.
I successfully configured AD with my WebLogic, then created an enterprise role and gave it the suitable permissions on the application pages.

When I tried to log in using user1 the operation failed with the following error: "Error 401–Unauthorized"

Do I have to use the WebLogic console to add user1 to group1?
Help please


Edwin Biemond July 20, 2011 at 12:22 am

Hi,

If you add security on the page and possibly fragments to a role / group then the user should belong to this group. Or you can use the internal role authenticated; with this only the user password must match. Otherwise you need to add the user to the right group / role in AD.

And make sure every authentication provider is on the SUFFICIENT control flag.

Good luck


Baji January 11, 2012 at 12:32 pm

Hi

We have an application implemented with ADF Security. But once the user logs in with his credentials, we have a set of documents which are more secured. In order to view those documents the user has to enter his credentials again in a pop-up window. Once the user enters the credentials again, how can we validate the user name and password (i.e. whether the user has entered the right user name and password)? We can check the user name with "ADFContext.getCurrent().getSecurityContext().getUserName();". But how can we check that the password is the right password?

Thanks
Baji


Ganesh January 16, 2012 at 1:23 pm

Hi Edwin,

I am facing the following issue.

I created one custom authenticator and configured it in the WLS server (my custom authenticator will authenticate the user from web services)
and it is returning success:
if (username.length() > 0) {
    // user authenticated with webservice
} else {
    // No Username, so anonymous access is being attempted
}
loginSucceeded = true;
principalsBeforeCommit.add(new WLSUserImpl(username));
// add groups based on webservice response, say Manager
principalsBeforeCommit.add(new WLSGroupImpl("Manager"));
return loginSucceeded;

When I tried to run the WebCenter Portal application jspx login with the following code

FacesContext fctx = FacesContext.getCurrentInstance();
HttpServletRequest request =
    (HttpServletRequest) fctx.getExternalContext().getRequest();
HttpServletResponse response =
    (HttpServletResponse) fctx.getExternalContext().getResponse();
int authSuccess =
    ServletAuthentication.login(userName.getValue().toString(),
                                password.getValue().toString(),
                                request, response);
System.out.println("just check..." + authSuccess + " " + ServletAuthentication.AUTHENTICATED);
if (authSuccess == ServletAuthentication.AUTHENTICATED) {
    System.out.println("user authenticated success........");
    if (request.isUserInRole("dddddddd"))
        ;
    Subject mySubject;
    mySubject = Security.getCurrentSubject();
    mySubject.getPrincipals().add(new WLSGroupImpl("Manager"));

} else {
    System.out.println("user authenticated fail........");
}

I got authentication success,
and in JDeveloper the following error occurred:

< User Principal could not be found for authenticated user.>
< Failed to get user name>
< WARN_NO_USERS_PATTERN
oracle.security.idm.ObjectNotFoundException: No User found matching the criteria

< An error is encountered while retrieving the policies or permissions.>
<
java.lang.RuntimeException: User Principal could not be found for authenticated user.

Please help on this. What could be the reason for these errors, as I am also not able to get the username from the securityContext object?

Thanks
Ganesh


hamed May 3, 2012 at 11:52 am

Hi
I want to create a client manager
and I want to give the client access to define users in authentication


mandow May 14, 2012 at 7:34 pm

Hi
I face a problem: I configured WLS and it listed all users and groups from Active Directory.
But I can't at all log in from my ADF application with my Active Directory user, and it gives me
javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed
How can I solve this problem to be able to log in from the ADF app with an Active Directory user?


Rakesh May 25, 2012 at 1:46 pm

Nice blog.

I actually have all my users and roles based on database tables. I created the WebLogic SQL authenticator and all my users and groups in my database are visible in WebLogic.

I created the enterprise role in the application with the same name as the group in WebLogic and assigned it as a member of the application role. Then I assigned this application role to the page definition under resource grants.

I have a custom login defined in my application and on successful authentication it moves to the protected page, but then I get the myrealm popup asking for username and password and it then says ERROR:401 unauthorized.

Do you know why this is happening?

Thanks.


Rakesh May 25, 2012 at 3:26 pm

Hi Edwin,
I am using the SHA hashing algorithm to hash the passwords that are stored in the database. But when I try to create a user through WebLogic it shows an error saying [Security:099064]Plaintext password is not allowed and Unable to parse the stored hashed password
Errors must be corrected before proceeding.

But I have defined SHA-1 while creating the authentication provider. Still it does not seem to use it while creating the password.


Sam May 29, 2012 at 8:23 am

Hi Ed,

How do you perform logout in this? Since it is basic authentication we are unable to clear the session of the user. Does the SQL authenticator work with form-based authentication?


yusuf October 31, 2012 at 5:07 pm

Hi,

Is there a way to get all users with specific role?


Garima Dubey May 28, 2014 at 4:55 pm

Hi,
I have been able to configure WLS with MS AD, so I can list all users and groups.
The actual issue is that authentication is not accepting any of the users defined in the Active Directory, only the ones I defined in jazn-data.xml.
Can you help me with this?
Thanks in Advance.


jerry October 14, 2016 at 1:15 am

I want to implement security in 12c. I have WebLogic, but something fails when I add the user; it sends me to a screen that says:

Error 401–Unauthorized

From RFC 2068 Hypertext Transfer Protocol — HTTP/1.1:

10.4.2 401 Unauthorized

The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46)


jerry October 14, 2016 at 1:20 am

I want to implement security in 12c. I have WebLogic, but something fails when I add the user; it sends me to a screen that says:

Error 401 – Unauthorized

From RFC 2068 Hypertext Transfer Protocol – HTTP/1.1:

10.4.2 401 Unauthorized

The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity may include relevant diagnostic information. HTTP access authentication is explained in section 11.
