
Weblogic web application container security part 2 ADF Security

by Edwin Biemond on February 1, 2010 · 8 comments

In Part 1, I already blogged about the standard web container security, but if you use ADF then you have another option: ADF Security. With ADF Security you can protect your JSP or JSPX pages just like the default container security, but ADF Security can do more: it can protect your Task Flows (fragments), it supports anonymous users, it can retrieve all the roles of the current user, and it can create users and roles in WebLogic when the server is in development mode.

Start the ADF Security wizard (located in the Application menu / Secure).

For this blog I chose ADF Authentication and Authorization, so I can also explain how authorization is done in ADF.

This will enable security in your ADF Web application.

When we take a look at what the ADF Security wizard did in your web application, we can see that in web.xml an adfAuthentication servlet, a security-constraint, a security-role and a login-config element were added.

<?xml version = '1.0' encoding = 'windows-1252'?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
    <description>Empty web.xml file for Web Application</description>
    <servlet>
        <servlet-name>adfAuthentication</servlet-name>
        <servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
        <init-param>
            <param-name>success_url</param-name>
            <param-value>/main.jspx</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>adfAuthentication</web-resource-name>
            <url-pattern>/adfAuthentication</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>valid-users</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
        <role-name>valid-users</role-name>
    </security-role>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>myrealm</realm-name>
    </login-config>
</web-app>

JDeveloper also creates a weblogic.xml deployment descriptor, which maps the default WebLogic users group to the valid-users container security role. For ADF Security we never need to change these files. Of course you can add extra WebLogic groups in weblogic.xml (you also need to add a matching security-role in web.xml, otherwise you will get a deployment error), but ADF Security can't use these roles to protect JSP / JSPX pages or Task Flows (fragments). You can still test for these roles with the ADF isUserInRole method (ADFContext.getCurrent().getSecurityContext().isUserInRole(role)). So when you have WebLogic groups which are not needed by ADF Security but which you still want to use in your application, add them to weblogic.xml / web.xml.
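As an added example (not from the original post), this is what the two descriptors look like when one extra WebLogic group is mapped in this way. JDeveloper's own mapping of the users group to valid-users is kept as generated; the group name auditors and the role name auditors are assumptions chosen for the illustration.

```xml
<!-- weblogic.xml (added example; the auditors group / role is an assumed name) -->
<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">
    <!-- generated by JDeveloper: every WebLogic user is a valid-user -->
    <security-role-assignment>
        <role-name>valid-users</role-name>
        <principal-name>users</principal-name>
    </security-role-assignment>
    <!-- extra WebLogic group: usable from isUserInRole("auditors"),
         not from ADF Security page or Task Flow policies -->
    <security-role-assignment>
        <role-name>auditors</role-name>
        <principal-name>auditors</principal-name>
    </security-role-assignment>
</weblogic-web-app>

<!-- web.xml: every role-name used in weblogic.xml must also be declared here,
     otherwise the deployment fails -->
<security-role>
    <role-name>valid-users</role-name>
</security-role>
<security-role>
    <role-name>auditors</role-name>
</security-role>
```

The security-role in web.xml is only a declaration; the actual membership comes from the WebLogic group named in principal-name, so a user who is not in that group in the Authenticator gets false from isUserInRole("auditors") even though the role is declared.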

Application Users
For the authentication part we need some user accounts. When you have your own Authenticator provider you can skip this part. When your WebLogic server is in development mode (test) you can add your own test users in the JAZN editor: go to Application menu / Secure / Users.

Here we can add our own test users. The next time you deploy the web application, these users are added to the DefaultAuthenticator provider.

This works in development, but in production you probably have an LDAP (OID or AD) or SQL Authenticator which contains your application users. If so, we need to change the control flag of both the DefaultAuthenticator and your own Authenticator to Sufficient; otherwise the user accounts need to exist in both Authenticators.


Enterprise Roles
The user part is ready and we can define the enterprise roles. These roles match the WebLogic groups. We can add these roles in the Application menu / Secure / Groups.

Add a new role and add the test users as members of this role. When the WebLogic server is in development mode, these roles are automatically created in the WebLogic DefaultAuthenticator provider.

We can disable the automatic user / group migration by disabling the Users and Groups property in the Configure Security Deployment dialog (Application menu / Secure).


Application Roles
The next part is defining the application roles and mapping these application roles to the enterprise roles. To add these roles go to the Application menu / Secure / Application Roles.

Add a new application role and select the right enterprise role as a member of this role (this is necessary when you want to protect your application resources with a specific WebLogic group).

Application Policies
The last part is defining the security policies on the Task Flows and the JSP / JSPX pages (pages need to have a Page Definition) and granting these policies to the application roles. Go to the Application menu / Secure / Application Policies.

We can now select an application page (which has a page definition) and add an application role to this page. By default the view permission is already selected; this is the minimal security policy. The authenticated-role and anonymous-role roles are the built-in application roles; when you only use these roles you don't need to define enterprise or application roles, and user accounts are enough.

Web pages security policies overview

And the Task Flows overview

In a managed bean or other Java code we can retrieve or validate the ADF Security properties; here are some examples.

import oracle.adf.share.ADFContext;
import oracle.adf.share.security.SecurityContext;

// print the roles of the current user
for ( String role : ADFContext.getCurrent().getSecurityContext().getUserRoles() ) {
   System.out.println("role " + role);
}

// get the ADF security context and test if the user has the role users
SecurityContext sec = ADFContext.getCurrent().getSecurityContext();
if ( sec.isUserInRole("users") ) {
   // the current user is a member of the users role
}

// is the user logged in (false for the anonymous user)
public boolean isAuthenticated() {
   return ADFContext.getCurrent().getSecurityContext().isAuthenticated();
}

// return the name of the current user
public String getCurrentUser() {
   return ADFContext.getCurrent().getSecurityContext().getUserName();
}

or use it in an EL expression, for example in the rendered or disabled attribute of a JSF component:
#{securityContext.regionViewable['pageDefs.MainPageDef.xml']} or #{securityContext.userInRole['admin']}
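Added example, not code from the original post: a request-scoped managed bean that exposes the same ADF Security checks to EL and repeats the role check inside the action method itself. A rendered="#{secBean.admin}" attribute only decides what the page shows; the check inside the action is what refuses a request that arrives without the role. The bean name secBean, the application role admin and the package are assumptions for this illustration.

```java
// Added example (not from the original post). Assumed: registered as "secBean"
// in adfc-config.xml, and an application role named "admin" exists.
package demo.view; // hypothetical package

import java.util.Arrays;
import java.util.logging.Logger;

import javax.faces.application.FacesMessage;
import javax.faces.context.FacesContext;
import javax.faces.event.ActionEvent;

import oracle.adf.share.ADFContext;
import oracle.adf.share.security.SecurityContext;

public class SecurityBean {

    private static final Logger LOG = Logger.getLogger(SecurityBean.class.getName());
    private static final String ADMIN_ROLE = "admin"; // assumed application role

    private SecurityContext sec() {
        return ADFContext.getCurrent().getSecurityContext();
    }

    // EL: #{secBean.userName}; "anonymous" when nobody is logged in
    public String getUserName() {
        return sec().isAuthenticated() ? sec().getUserName() : "anonymous";
    }

    // EL: #{secBean.roleSummary}; the roles ADF resolved for the current user,
    // useful when a role mapping does not behave as expected
    public String getRoleSummary() {
        return Arrays.toString(sec().getUserRoles());
    }

    // EL: rendered="#{secBean.admin}" (same test as #{securityContext.userInRole['admin']})
    public boolean isAdmin() {
        return sec().isAuthenticated() && sec().isUserInRole(ADMIN_ROLE);
    }

    // Bound with actionListener="#{secBean.purgeAuditLog}". The role is checked
    // again here, so hiding the button is not the only thing in the way.
    public void purgeAuditLog(ActionEvent event) {
        String user = getUserName();
        if (!isAdmin()) {
            LOG.warning("denied purgeAuditLog for " + user + " roles=" + getRoleSummary());
            FacesContext.getCurrentInstance().addMessage(null,
                new FacesMessage(FacesMessage.SEVERITY_ERROR,
                                 "You are not allowed to perform this action", null));
            return;
        }
        LOG.info("purgeAuditLog executed by " + user);
        // the privileged operation itself goes here
    }
}
```

In the page the button would carry both attributes, rendered="#{secBean.admin}" and actionListener="#{secBean.purgeAuditLog}"; the first keeps the UI tidy, the second is the authorization decision, and the warning line in the log makes a refused attempt visible to whoever reads the server log.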



Gergely Gabor February 4, 2010 at 8:51 pm

Hi Edwin!

I'm a beginner in JDeveloper and ADF 11g. Please give me some help.
We use Active Directory authentication at my firm. I want to develop a web application with ADF 11g, but I don't want to use ADF security. How can I achieve AD authentication from this web application?

Please send some tip to my email
thanks
Gabor


Edwin Biemond February 5, 2010 at 5:44 pm

Hi Gabor,

Ok, why don't you want to use ADF security? Are you not using WebLogic? Then I can understand it. Else just configure an LDAP security provider and activate ADF security for authentication only, voila.

If you still want to do it yourself, then you need to make your own login module (JAAS) which does all the LDAP handling. Take a look at this article. http://www.theserverside.com/tt/articles/article.tss?l=Pramati-JAAS

thanks


Andrejus March 4, 2010 at 11:19 am
belal July 17, 2011 at 11:57 am

Hi Edwin,
I followed your post using JDeveloper 11.1.2 and faced the following problem.
I have user1 and group1 in my AD and want to use user1 to log in to my application.
I successfully configured AD with my WebLogic, then created an enterprise role and gave it the suitable permissions on the application pages.

When I tried to log in using user1 the operation failed with the following error: “Error 401–Unauthorized”

do I have to use weblogic console to add user1 to group1?
help pls


Edwin Biemond July 20, 2011 at 12:22 am

Hi,

If you add security on the page and possibly fragments to a role / group, then the user should belong to this group. Or you can use the internal role authenticated. With this only the user password must match. Else you need to add the user to the right group / role in AD.

And make sure every authentication provider is on the Sufficient control flag.

Good luck


Baji January 11, 2012 at 12:32 pm

Hi

We have an application implemented with ADF security. But once a user logs in with his user credentials, we have a set of documents which are more secured. In order to view those documents the user has to enter his credentials again in a pop-up window. Once the user enters the credentials again, how can we validate the user name and password (i.e. whether the user has entered the right user name and password)? We can check the user name with “ADFContext.getCurrent().getSecurityContext().getUserName();”. But how can we check that the password is the right password?

Thanks
Baji


Ganesh January 16, 2012 at 1:23 pm

Hi Edwin,

I am facing the following issue.

I created one custom authenticator and configured it in the WLS server (my custom authenticator will authenticate the user from webservices)
and returning success:

if (username.length() > 0) {
    // user authenticated with webservice
} else {
    // No Username, so anonymous access is being attempted
}
loginSucceeded = true;
principalsBeforeCommit.add(new WLSUserImpl(username));
// add groups based on webservice response, say Manager
principalsBeforeCommit.add(new WLSGroupImpl("Manager"));
return loginSucceeded;

When I tried to run the WebCenter portal application jspx login with the following code

FacesContext fctx = FacesContext.getCurrentInstance();
HttpServletRequest request =
    (HttpServletRequest) fctx.getExternalContext().getRequest();
HttpServletResponse response =
    (HttpServletResponse) fctx.getExternalContext().getResponse();
int authSuccess =
    ServletAuthentication.login(userName.getValue().toString(),
                                password.getValue().toString(),
                                request, response);
System.out.println("just check..." + authSuccess + " " + ServletAuthentication.AUTHENTICATED);
if (authSuccess == ServletAuthentication.AUTHENTICATED) {
    System.out.println("user authenticated success........");
    if (request.isUserInRole("dddddddd"))
        ;
    Subject mySubject;
    mySubject = Security.getCurrentSubject();
    mySubject.getPrincipals().add(new WLSGroupImpl("Manager"));

} else {
    System.out.println("user authenticated fail........");
}

I got authentication success..
and in JDeveloper the following error occurred

< User Principal could not be found for authenticated user.>
< Failed to get user name>
< WARN_NO_USERS_PATTERN
oracle.security.idm.ObjectNotFoundException: No User found matching the criteria

< An error is encountered while retrieving the policies or permissions.>
<
java.lang.RuntimeException: User Principal could not be found for authenticated user.

Please help on this, what could be the reason for these errors, as I am also not able to get the username from the securityContext object.

Thanks
Ganesh

