- Whitehorses - http://blog.whitehorses.nl -

Weblogic web application container security part 2 ADF Security

Tweet [1]

In Part 1 [2], I already blogged about the standard web container security but If you use ADF then you have an other option: ADF Security. With ADF Security you can protect your JSP or JSPX pages just like the default container security but ADF Security can do more like protecting your Task Flows ( fragments), Anonymous support, retrieve all the user roles, can create user and roles in Weblogic when it is in development mode.

Start the ADF Security wizard ( located in the Application menu / secure )

[3]

I choose for this blog for ADF Authentication and Authorization,  so I can also explain how authorization is done in ADF.

[4]

This will enable security in your ADF Web application.

When we take a look at what the ADF Security wizard did in your web application, we can see that in the web.xml an adfAuthentication servlet, security-constraint , security-role and a login-config element is added.

<?xml version = '1.0' encoding = 'windows-1252'?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
    <description>Empty web.xml file for Web Application</description>
    <servlet>
        <servlet-name>adfAuthentication</servlet-name>
        <servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
        <init-param>
            <param-name>success_url</param-name>
            <param-value>/main.jspx</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>adfAuthentication</web-resource-name>
            <url-pattern>/adfAuthentication</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>valid-users</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
        <role-name>valid-users</role-name>
    </security-role>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>myrealm</realm-name>
    </login-config>
</web-app>

JDeveloper also creates an weblogic.xml deployment descriptor where it maps the default Weblogic users group to the valid-users container security role. For ADF Security we don’t ever need to change these files. Off course you can add extra Weblogic groups in the weblogic.xml ( you also need to add a security-role in the web.xml, else you will get a deployment error ) but ADF Security can’t use these roles for the JSP / JSPX pages or Task Flows ( fragments ). Off course you still can use these roles in the ADF isUserInRole method. ( ADFContext.getCurrent().getSecurityContext().isUserInRole(role) ) So when you have Weblogic groups which are not needed by ADF Security but you still want to use them in your application then you can add them to the weblogic.xml / web.xml.

Application Users
For the Authentication part we need to have some user accounts. When you have your own Authenticator provider then you can skip this part. When your Weblogic server is in development mode (Test ) then you can add your own test users in JAZN editor. Go to Application menu / Secure / Users
[5]
Here we can add our own test users. The next time you deploy your web application, it will add these users to the DefaultAuthenticator provider.
[6]
This will work in development but in production you probably have a LDAP ( OID or AD ) or SQL Authenticator which contains your application users. If so we need to change the control flag of the DefaultAuthenticator and your own Authenticator to Sufficient else your user acounts need to be in both Authenticators.
[7]
[8]
Enterprise Roles
The user part is ready and we can define the Enterprise roles. These roles matches with the Weblogic Groups. We can add these roles in the Application menu / secure / Groups.
[9]
Add a new Role and add the testusers as members of this role. When the Weblogic server is in Development mode then these Roles will be automatically be created in the Weblogic DefaultAuthenticator provider.
[10]
We can disable the automatic user / group migration by disable this User and Group property in the Configure Security Deployment. ( Application menu / secure )
[11]
[12]
Application Roles
The next part is defining the applications roles and map these application roles to the enterprise roles. To add these roles go to the application menu / secure / application roles.
[13]
Add a new application role and select the right enterprise role as member of this role. ( this is necessary when you want to protect your application resources with a specific Weblogic group )
[14]
Application Policies
The last part is defining the security policies on the Task Flows and JSP / JSPX pages ( pages need to have a Page Definition ) and add these policies to the Applications Roles. Go to the Application menu / secure / Application policies.
[15]
We can now select an application page ( which has a pagedef) and add an application role to this page. Default the view permission is already selected, this is the minimal security policy. The authenticated-role and the anonymous-role roles are the default application roles, when you only use these roles then you don’t need to define enterprise or application roles and are user accounts enough.
[16]
Web pages security policies overview
[17]
And the Task Flows overview
[18]
In the managed bean or JSF code we can retrieve or validate the ADF Security properties, here are some examples

// print the roles of the current user
for ( String role : ADFContext.getCurrent().getSecurityContext().getUserRoles() ) {
   System.out.println("role "+role);
}

// get the ADF security context and test if the user has the role users
SecurityContext sec = ADFContext.getCurrent().getSecurityContext();
if ( sec.isUserInRole("users") ) {
}
// is the user valid
public boolean isAuthenticated() {
 return ADFContext.getCurrent().getSecurityContext().isAuthenticated();
}
// return the user
public String getCurrentUser() {
 return ADFContext.getCurrent().getSecurityContext().getUserName();
}

or use it in an EL expression for example in a rendered or disable attribute of a JSF component
#{securityContext.regionViewable[‘pageDefs.MainPageDef.xml’]} or use #{securityContext.userInRole[‘admin’]}
[19]