ADF Security Design Question

Similar Messages

• Wireless Authentication/Security Design questions

  Wireless newbie here...I was required to quicky stand up a wireless deployment at a new warehouse/office building. I have the basic network up and working. My remote AP's have associated with the 2106 in the main office and users can associate and authenticate with the 1130G AP's and can access the office network. I did the basic configs and am now looking to tighten up security. My questions are as follows:
  1) The user clients are Dell Laptops with integrated wireless. They authenticate using LEAP..how do I migrate to EAP or do I need to. I have a Cisco ACS doing RADIUS authentication now.
  2) Should I be using some kind of supplicant client on the laptops?
  3) How do I filter mac's so rogue AP's and rogue clients cant try and associate.
  4) Am I correct in assuming the connections between the 1130 AP's and 2106 are secured and if so do I need to tweak anything to tighten them up?
  5) I have an AP in the main office building that I want to setup to detect rogue AP's. Do I have it associate as a regular AP and push some kind of policy to turn it into a detector?
  I have attached a diagram to help explain. Any help would be appreciated.
  v/r
  Chad

  1. LEAP is a form of EAP, so you must already have something terminating your EAP sessions. The WLC can do this to some extent, or ACS. Which one you chose will be based upon your requirements for manageability, scalability and feature-richness. I would suggest that PEAP-MSCHAPv2 provides a good balance of usability and security, and is significantly better than LEAP.
  2. No, stick with Windows XP SP2 supplicant. This can be configured using domain policy (2k3 SP1 or better) and is pretty good. Just make sure your laptops have new Intel drivers on them. Dell in particular have been quite bad with sending out old drivers in the builds.
  3. MAC authentication is now lergely regarded as a waste of time. It is so easy to spoof a MAC address it's ridiculous, and it's a fair amount of work for the admin(s).
  4. The LWAPP tunnel encrypts all management / config / security related traffic between the AP and WLC, while user data is simply encapsulated in LWAPP, so it can potentially be read if packets are captured.
  5. All APs will do rogue detection, don't really need to have dedicated APs unless you're REALLY paranoid. Main benefit is quicker detection, but drawback is that the 'detector' AP won't serve clients.
  Regards,
  Richard

• Security Design Question Role/ code

  Hi ,
       we are developing a J2EE based application. I've a dilemma
  and couldn;t deceide on which security method to use.
       i. Role based ( using descriptor)
       ii. Code based ( hard coding secruity in program)
  All help appreciated and thanx !
  Venki

  Thanks Cameron, we've figured out our way , sorry for late response.
  Venki
  Cameron Purdy wrote:
  If you can get away with simple role-based security, do it. Depending on how
  complex and configurable the security has to be, you are better off going
  with a specialized security solution. We always suggest Entegrity's
  AssureAccess 2.0 product since they are a partner of ours ;-).
  Peace,
  Cameron Purdy
  Tangosol, Inc.
  Clustering Weblogic? You're either using Coherence, or you should be!
  Download a Tangosol Coherence eval today at http://www.tangosol.com/
  "Venki Seshaadri" <[email protected]> wrote in message
  news:[email protected]..
  Hi ,
  we are developing a J2EE based application. I've a dilemma
  and couldn;t deceide on which security method to use.
  i. Role based ( using descriptor)
  ii. Code based ( hard coding secruity in program)
  All help appreciated and thanx !
  Venki

• ADF Security Authorization question

  For whatever reason, it seems to be not working for me. Well, I will try to test it a non_SRDemo environment.
  By the way, what is the connects what is set in dialog permisssions and the updateable value? Isn't there something in the code that I can check?
  Thanks

  Hi,
  there is no connection in code. An attribute that has a read-only permission is set to updateable = false, which then is accessible via EL.
  Just go for the non SRDemo testcase. It will give either you a solution or me a workspace to reproduce the non-working case
  Frank

• JDEV 10.1.3.1 "ADF security" questions

  Hi,
  We have a couple of questions about ADF security. Hope someone knows something about it. Any help is deeply appreciated. Jdeveloper version we use is 10.1.3.1.
  1. Using the ADF security to develop the application, can we deploy it to the IAS and switch to LDAP (OID) or we are obligated to use system-jazn-data.xml on IAS as well? If we have to use system-jazn-data.xml on IAS, do we need to copy the exact system-jazn-data.xml file to IAS embeddedoc4j/config directory? Any other configurations we need to do?
  2. I read some documents that say it is prefered to use LDAP(OID) and
  that's what we really want on the IAS. So if the answer for question 1 is we
  have to use system-jazn-data.xml, does oracle have any plan for the future to
  change it? I guess my question is will that be possible for us to develope the
  app using system-jazn-data.xml on the developer's station (for testing
  purpose) and later on we can convert it LDAP (OID) when we deploy it on IAS.
  Thanks,
  Annie
  Message was edited by:
  user447669

  Hi,
  1)
  can we deploy it to the IAS and switch to LDAP (OID)
  yes.
  If we have to use system-jazn-data.xml on IAS, do we need to copy the exact system-jazn-data.xml file to IAS embeddedoc4j/config directory?
  No. Only make suere the users and user goup exist and copy the JAAS Permissions added by ADF security
  2) There exist a migration utility to upload ADF Security permissions from syste-jazn-data.xml to OID. It is explained in teh OC4J security guide (chapter 7) whih comes with the Oracle Application Serber 10.1.3.1
  Frank

• ADF Security set up - step by step tutorial - quick question

  Hi
  We have standalone WLS running and we have configured our ADF app security enabled in JDeveloper.
  It appears that there are manual steps needed to setup on WLS or EM for users and groups in order for JDev
  1- we're still unclear on what steps needed to setup on standalone WLS to get embedded LDAP or OID to match up with the users and application roles defined in JDeveloper.
  We, using the ADF Security wizard have added users and application roles.
  2- How do we get jazn-data.xml merged or converted to system-jazn-data.xml in standalone WLS ? Is that a manual copy merge ?
  3- Is there one tutorial that would show and explain all the pieces needed to get ADF security working beginning from JDev configurations all the way to standalone WLS configuration ?
  4- Which do we use to configure users and groups ? WebLogic console or Enterprise Manager ? It appears that there are 2 ways of doing it
  We apologise for wrong ideas if you think we are wrong in security configurations.

  Hi,
  +1- we're still unclear on what steps needed to setup on standalone WLS to get embedded LDAP or OID to match up with the users and application roles defined in JDeveloper.+
  We, using the ADF Security wizard have added users and application roles.
  Only application roles are deployed to a stand alone WLS server (as it probably runs in production mode). So the enterprise role names (WLS groups) need to exist on WLS. This can be through manual creation using the integrated LDAP or OID, database or whatever your identity management system is. If a group name doesn't match the enterprise role name you chose in JDeveloper, you can use weblogic.xml to map the names. This can also be done using Enterprise Manager (which I think usually is preferred for production systems)
  +2- How do we get jazn-data.xml merged or converted to system-jazn-data.xml in standalone WLS ? Is that a manual copy merge ?+
  For security reasons, production WLS configurations only allow application roles and permissions to be automatically copied into the system-jazn-data.xml file. Users and user groups are not allowed to be copied as it would have a risk that developer deploy a backdoor into a server which then can be used by unauthorized users. As mentioned in 1), you need to provide user groups and users through your identity management system. If this is LDAP in WLS then you use the WLS console to create these. Also note that if your application uses a Java EE datasource, this needs to be configured on the stand alone server. Same here, credentials cannot be deployed to a stand alone server
  +3- Is there one tutorial that would show and explain all the pieces needed to get ADF security working beginning from JDev configurations all the way to standalone WLS configuration ?+
  There are 4 recordings about ADF Security here: http://www.oracle.com/technetwork/developer-tools/adf/learnmore/adfinsider-093342.html (just search for ADF Application Security and watch the 4 sessions in a row)
  +4- Which do we use to configure users and groups ? WebLogic console or Enterprise Manager ? It appears that there are 2 ways of doing it+
  If WLS LDAP is your identity store, you use the WLS console. All of ADF Security configuration beyond user and group provisioning is in Enterprise Manager
  Frank

• Creating a WebCenter Application with PageCutomizable and ADF Security

  I created a Webcenter App in Jdev 11.1.1.2.0 with webcenter extension.
  I have 2 JSPX files.
  One called mainTemplate.jspx
  - contains header, footer in ADF and a center facet.
  One called Welcome.jspx created from mainTemplate
  - contains page customizable > panel customizable > layout customizable > various custom panel configs.
  ADF security is configured with BASIC, authentication only. Because form authentication seems harder to get working.
  We have one weblogic user, and currently deploy to the integrated WLS, although we'll deploy out to a full server once security/composer is working.
  The problem is, when we run the Welcome.jspx, and because we added a reference to a logged in var, it requests http login fine.
  We then refresh the page and see that we are indeed logged in as 'weblogic'.
  Is weblogic a special user? should I create a new one? Is there any setup required on the Integrated WLS to get this working?
  However when we click on 'add Content' using the composer we get a permission error.
  +<RegistrationConfigurator><handleError> Server Exception during PPR, #1+
  javax.el.ELException: oracle.adf.view.page.editor.security.ComposerSecurityException: You do not have permission to edit the page
  +     at com.sun.el.parser.AstValue.invoke(AstValue.java:161)+
  +...+
  Caused by: oracle.adf.view.page.editor.security.ComposerSecurityException: You do not have permission to edit the page
  +     at oracle.adfinternal.view.page.editor.bean.DialogBean.setDialogHelp(DialogBean.java:129)+
  +     at oracle.adfinternal.view.page.editor.bean.DialogBean.showResourceCatalog(DialogBean.java:356)+
  +     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)+
  +...+
  I tried using the Customization allowed var in the property inspector, but could not map 'allowed by' to a user or role that my setup would recognise. The doco specifies 'admin' which does not work for me.
  In my catalog I have a WCM portlet taskflow, which will require its own permissions.
  I tried enabling permissions for the test-all role to all of my pages/taskflows, leaving just the 'view' permission to the anonymous role.
  I also tried authentication/authorization profiles, and building my own jspx login/error pages, but no luck there either, the login button doesn't seem to tirgger my java doLogin class, even though I set the binding on the button using the method expression builder to the bean method.
  *note: I didn't try the welcome/login/error page auto create as they generate html files, I created JSFs with full UI in there. Am I required to use those html types instead of jspx? I found that the redirection worked by appending the jspx reference with '/faces/Login.jspx'. The problem seemed to have been somewhere else.
  If we have any Webcenter Composer / Security gurus out there, help would be greatly appreciated.
  Our main goal is to create a Webcenter App which has security/composer/navigation and a catalog with WCM/Siebel portlets similar to the Avitek demo without using WC Spaces.
  Thanks.
  Thanks.
  Edited by: Guillaume_Davies_SC on Apr 20, 2010 7:28 PM

  When you want to achieve this you need to configure ADF security with basic authentication & authorization. THe authorization is the part that takes care of what a user may and may not do in an application. Authentication is just the log in part.
  When you have configured your application for authorization as well, you have to create roles and groups.
  You will also have to set the authorization of your pages. Open a jsxp and in the design or source view, right click and "edit authorization". You then have to add roles to your pages and define their rights. Then you can set the authorization for edit,cuustomize,personlise,view,...
  Hope this helps.

• ADF security : How to get fnd_users list in weblogic server

  Hi All,
  I have a question related to ADF security.
  I am able to apply ADF security to the application, where users information and roles are defined in jazn.xml file.
  On deployment, users/ roles information is being successfully ported to weblogic server.
  But my requirement is to fetch users information from fnd_users table. If you have any idea as how to get the fnd_users data to weblogic, please reply.
  Thanks,
  Randhir

  Thanks John.
  I went through the link and got steps for authentication with fnd_users.
  I have one more question on this.
  Do I need to enable jazn.xml for implementing security or only the steps given in this link is sufficient?
  Since roles are also stored into fnd table, how to secure the taskflow? (roles are not defined in jazn.xml)

• How to integrate a SSO based in cookie with ADF Security

  At work they asked me to integrate a existing SSO based in cookie with the new ADF + Jdeveloper 11g + WLS. After google for days and read a lot of blogs and official documentation I've made a custom LoginModule. I made it very simple, it's just an "if" inside the login() function with the username, if the username is "john" I put to the Subject some Principals. My steps are:
  1- Create a new app based on "Fusion application" template.
  2- Make a new ADF Taskflow with only one view inside (the entry point of the taskflow). The jspx only contains a welcome message.
  3- Run the ADF Security wizard, all the steps with the default option, I don't change anything.
  4- Put some users and some roles in jazn-data.xml, and maping them to an application role. Then I grant permissions to the application role to view the previous task flow.
  At this point everything is ok. I run the taskflow and a basic login popup prompts me to write my username and password. Now I try to remove everything useless for me, like idstore, credentials, anonymous, etc. I only want a LoginModule that get the HttpRequest and passes it to an already done class that returns a true/false depending if the cookie is correct or not but, as I said before, my LoginModule is so simple now and even didn't try to do something more complicated than an if. The steps I try are:
  in jps-config.xml
  5- Remove idstore.xml and credentials.
  6- (loginmodule tab) Make a new login module, and put here my class. The class is in the ViewController project and JDeveloper find it navigating through the heriarchy, so I have visibility. I put REQUIRE flag, add all roles and debug mode.
  7- In the security context unmark the idstore.loginmodule and mark myLoginModule. Also delete the anonymous security context.
  All that I got until now is a 500 error (Internal server error - Authorization Exception). Sometimes (the close i've ever been to do something correct) the browser ask me for user/password but then only recognizes the users that already are in WLS (idstore from previous tests), but NOT the "john" user that is inside my custom LoginModule. Even more, if I run the WLS from JDeveloper 11g in debug mode, the runtime never stops at breakpoints inside my custom login module. It seems that my LoginModule isn't deployed or I made some error maping the roles.
  So, my questions are:
  - I'm in the good way? If I want an authentication based in cookie/httprequest I have to do a custom LoginModule? My goal is to do a re-usable code, and re-use the code that my co-workers have done. They have a class that with only the HttpRequest determines if a user is logged or not.
  - If I'm in the good way... how can I put my custom LoginModule in the WLS? I tried to search something in the Administration Panel (localhost:7101/console) but I did'nt find nothing.
  - In case I'd got the custom LoginModule working fine in WLS... how can I get a HttpRequest from a LoginModule and avoid the username/password dialog? I've to make a filter and pass it to the my LoginModule? If it's correct... how?
  I don't post my code because is so simple, it's based on DBTableLoginModule but without all the database access code.
  Thanks to all!
  P.D.: If this message isn't in the correct forum, I'm sorry. Feel free to move it.
  P.D.2: Sorry about my english, I'm spanish. I know i've to practise a lot :)

  Hi Frank,
  Thanks a lot for your answer. Just one more easy question: what I need to do is a custom Authentication Module (which will read the cookie)? If only you can point me to the correct chapter of the WLS documentation I'll be very pleased.
  In future releases of JDeveloper will be easier to do this kind of things related to security?
  Riveck

• Jdev 10.1.3.1 "ADF Security": Application without a custom login page?

  Hi,
  We are trying to develop an application using "ADF security", which means we can give permissions to certain roles based on "Binding Container", "Iterator Binding", "Method Action Binding" and "Attribute-level Binding".
  After reading the document -- "Oracle® Containers for J2EE Security Guide 10g (10.1.3.1.0) B28957-01" that Frank pointed out. We have a question:
  Can we develop an ADF application without creating a custom login page? Right now we've followed the security guide and modified the configuration files. But when we run the application, we get the "user null" error message. The reason is clear because we do not have a login page. On the security guide, it says that it is possible to use the oracle default login module. But it does not say how. Does anyone have any idea?
  Thanks,
  Annie

  Brenden,
  Thank you so much for the reply. This is our code in the web.xml:
  <login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>default</realm-name>
  </login-config>
  We are using HTTP basic Authentication. This technique worked for the container-managed security. The browser default login page pops up when the end users try to log into a secured JSP. But here we want to use "ADF security" to set up "Iterator binding" and "Attribute level binding" security. The browser default login page does NOT show up. Instead we get the "user null" error message.
  If you have detailed step on how to select HTTP Basic Authentication, it would be very helpful to us. Or if you know any document has the detail.
  regards,
  Annie

• How to handle multiple SSO in ADF Security Framework

  Hello All,
  I have a question about ADF security with multiple SSO provider.
  What I am trying to achieve:
  Assume there are SSO provider A, B and C. Each provider will grant a different role to the ADF application (A grant Admin, B grant Business Manager, C grant Configuration Manager). Sign out from the ADF application will log all the SSO out at the same time.
  What I know:
  Each SSO will need to have information about the role it provides. I will also need to write code like the following: (modified from an old answer from Frank Nimphius before)
      try {
          IdentityStore idstore = JpsCommonUtil.getValidIdStore("idstore.xml.provider").getIdmStore(); //Need to get the specific IDM store based on the SSO the user is using.
          try {
              UserManager userManager = idstore.getUserManager();
              RoleManager roleManager = idstore.getRoleManager();
              Role role = idstore.searchRole(Role.SCOPE_APPLICATION,idmRole); //Again, idmRole based on which SSO the user is using.
                  // create user
                  //TODO check for empty username and password
                  User user = userManager.getUser(SecurityContext.getUserName()); //the user may already login from another SSO.
                  if (user == null)
                      user = userManager.createUser(this.username,this.password.toCharArray());
                  roleManager.grantRole(role,user.getPrincipal());
              } catch (IMException e) {
                  // TODO
          } catch (JpsException e) {
              // TODO
          return null;
  }Also a logout code like this
        doLogout()
           if(A) logoutFromA(user);
           if(B) logoutFromB(user);
           if(C) logoutFromC(user);
        } My Question:
  Would the code above handle what I described? Also, how do I set the SecurityContext for ADF security - Or the grantRole automatically does that for me?

  Hello Sudipto,
  Yeah, I had watched that tutorial, it is pretty helpful on getting 1 SSO working with the ADF security.
  I am confused when there is multiple provider - do I setup the web gate so that "http://myapp:7777/LoginViaA" point to SSO Provider A, "http://myapp:7777/LoginViaB" point to SSO Provider B and so forth? **Note: the login/username can be different on different SSO provider.
  In that case, I will still need to set the value in SecurityContext to say "This current user login as [email protected] via SSO A and [email protected] via SSO B", or is there some other way to handle this?
  Thanks,
  Louis

• ADF Security, Task Flow as a region in a page resource grant

  JDeveloper 12c (12.1.2); Application uses ADF form based security, external LDAP provider (Active Directory)
  After sign-in page (upon successful authentication/authorization) user is forwarded to a page that executes VO method prior to render. I am new to task flow concept and am told to achieve this like:
  - create bounded task flow, with method call activity (execute exposed AM method that calls VO method, runs custom SQL) and view activity as page fragment.
  - then drop the above task flow into a page as a region
  In ADF security setup, I gave resource grant task-flow to certain application role. Started the application, login and got 403 error. Then went back and gave resource grant 'view' to the actual page that contains task flow. It worked fine.
  So the question is, when protecting application (implemented with task flows) with ADF security, I thought it is enough to grant those task flows to whatever application roles (groups) and inherently any page that uses that task flow(s) (as a region) will be protected?
  From this test, it seems that I have to assign each page (that has task flow as a region) to application roles individually?

  Hi,
  any page that is contained in a bounded task flow is protected  by the task flow permission grant, this is correct. If this is not what you see, please file a bug with support or send me a simple reproducible test case please. My mail address (replace all < name > with the described symbol.
  frank <dot> nimphius <at> oracle <dot> com
  The test case will need to be in a ZIP file nemaed to "unzip" and should be able for me to run stand alone (please no database scripts to run prior to try the test case)
  Frank

• ADF Security Customization

  Hi All,
  I have unique requirement of creation of users, roles and policies.
  In my project i need to create users and roles dynamically other than from EM console or Jdeveloper i.e from front end. The data will flow through a BPEL process and the users, roles and policies have to be created.
  How to create these users in "system-jazn.xml" dynamically?
  Weblogic - 11g (11.1.1)
  Please let me know in case of any additional information required..
  Reagrds
  Surya

  Hi,
  its not an ADF Security question but OPSS (Oracle Platform Security Services), which is the owner of that file. However, this blog entry shows you how to use the OPSS API to access the Role Manager and User Manager in OPSS to do what you want
  http://fusionsecurity.blogspot.com/2009/07/opss-sample-application.html
  Frank

• Migrating ADF Security to WLS using OID

  I have seen a number of posts on this forum regarding deploying an application which has ADF Security enabled to a stand-alone WebLogic server, but none of them seem to address the following.
  I have an application in JDeveloper which uses an XML-based identity store and policy store. I have a stand-alone WLS which is connected to OID. I am trying to migrate the credential store and policy store to the OID configured for my stand-alone WLS. The various blogs and OTN articles mentioned frequently in this forum regarding ADF Security address configuring OID in WLS, as well as how to migrate security to XML-based providers on WLS. However, I have not seen any information on how to migrate security to OID in WLS. I have a few questions in particular:
  1) JDeveloper online help has limited information for modifying the jps-config.xml to have a destination context, service instance, and service provider for LDAP (OID). It has configuration parameters for &ldquo;JpsFarmName&rdquo; and &ldquo;JpsRootNodeName&rdquo;. What are these used for, and what should the values be?
  2) Does the jps-config.xml file need to be modified in WLS (i.e. &lt;Domain&gt;/config/oracle/jps-config.xml)? Is this file even used at runtime by WLS?
  3) How does WLS know to use OID for obtaining credential, identity, and policy information instead of system-jazn-data?
  Any information on this topic would be very appreciated!
  Thanks,
  Erick

  Hi,
  I am using migrateSecurityStore for policy migration from xml to OID.
  migrateSecurityStore(type="policyStore",configFile="t2p-policies.xml",src="XMLsourceContext",dst="LDAPdestinationContext")
  when I run above command I am getting following error.
  Jul 9, 2009 11:00:08 AM oracle.security.jps.internal.config.util.BootstrapConfig
  urationUtil getCredentialFromBootstrapWallet
  SEVERE: Cannot get credential. Reason java.security.PrivilegedActionException: o
  racle.security.jps.service.credstore.CredStoreException.
  COMMAND FAILED due to an unknown reason, Check the stack trace for details
  Traceback (innermost last):
  File "<console>", line 1, in ?
  File "D:\JDEVST~2\JDEVEL~1\common\wlst\jpsWlstCmd.py", line 780, in migrateSec
  urityStore
  File "D:\JDEVST~2\JDEVEL~1\common\wlst\jpsWlstCmd.py", line 752, in migrateSec
  urityStoreImpl
  at oracle.security.jps.internal.policystore.ldap.LdapPolicyStore.<init>(
  LdapPolicyStore.java:230)
  at oracle.security.jps.internal.policystore.ldap.LdapPolicyStoreProvider
  .getInstance(LdapPolicyStoreProvider.java:108)
  at oracle.security.jps.internal.policystore.ldap.LdapPolicyStoreProvider
  .getInstance(LdapPolicyStoreProvider.java:55)
  at oracle.security.jps.internal.core.runtime.ContextFactoryImpl.findServ
  iceInstance(ContextFactoryImpl.java:139)
  at oracle.security.jps.internal.core.runtime.DelegatingContextFactoryImp
  l.findServiceInstance(DelegatingContextFactoryImpl.java:61)
  at oracle.security.jps.internal.core.runtime.ContextFactoryImpl.getConte
  xt(ContextFactoryImpl.java:170)
  at oracle.security.jps.internal.core.runtime.ContextFactoryImpl.getConte
  xt(ContextFactoryImpl.java:206)
  at oracle.security.jps.internal.core.runtime.JpsContextFactoryImpl.getCo
  ntextFromConfig(JpsContextFactoryImpl.java:171)
  at oracle.security.jps.internal.tools.utility.util.JpsHelper.getContextF
  romConfigObj(JpsHelper.java:115)
  at oracle.security.jps.internal.tools.utility.mgrs.JpsPolicyAPIManager.g
  etPolicyStoreForDestination(JpsPolicyAPIManager.java:157)
  at oracle.security.jps.internal.tools.utility.destination.apibased.JpsDs
  tPolicy.<init>(JpsDstPolicy.java:186)
  at oracle.security.jps.internal.tools.utility.destination.JpsInitializer
  Dst.getDestinations(JpsInitializerDst.java:82)
  at oracle.security.jps.internal.tools.utility.JpsUtility.<init>(JpsUtili
  ty.java:63)
  at oracle.security.jps.internal.tools.utility.JpsUtilMigrationPolicyImpl
  .migrateAllPolicyData(JpsUtilMigrationPolicyImpl.java:234)
  at oracle.security.jps.tools.utility.JpsUtilMigrationTool.executeCommand
  (JpsUtilMigrationTool.java:167)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
  java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
  sorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  oracle.security.jps.JpsRuntimeException: oracle.security.jps.JpsRuntimeException
  : Cannot read the default policy store.
  thanks and regards
  KishoreM

• Adf security with upper case user results in 500-internal server error

  Hello
  JDev 11.1.1.0.2, Integrated WLS
  I'v set up ADF security as explained in the documentation.
  The only difference being that the role test-all has been removed.
  I have one user 'paul' with a password of 'password'
  I have one application role 'myrole'
  'paul' is a member of 'myrole'
  I have one unbounded task flow with one view (view1).
  Via the janz-data.xml 'View1' has been granted to 'myrole' (view action)
  When running View1 I get the login.html page which is correct.
  The fun starts when playing around with the user/password.
  If I login with 'paul' and 'password' view1 is display, this is correct
  If I login with an unknown user or an incorrect password Windows Explorer 7 shows a generic HTTP 403 error page and not the error.html
  If I login with 'PAUL' and 'password' (or Paul, or any mixed cased version of Paul with the correct password) I get the following stack trace :
  oracle.adf.controller.security.AuthorizationException: ADFC-0619: Echec de la vérification des autorisations : '/view1.jspx' 'VIEW'.
       at oracle.adf.controller.internal.security.AuthorizationEnforcer.handleFailure(AuthorizationEnforcer.java:145)
       at oracle.adf.controller.internal.security.AuthorizationEnforcer.checkPermission(AuthorizationEnforcer.java:124)
       at oracle.adfinternal.controller.state.ControllerState.initializeUrl(ControllerState.java:639)
       at oracle.adfinternal.controller.state.ControllerState.synchronizeStatePart2(ControllerState.java:449)
       at oracle.adfinternal.controller.application.SyncNavigationStateListener.afterPhase(SyncNavigationStateListener.java:44)
       at oracle.adfinternal.controller.lifecycle.ADFLifecycleImpl$PagePhaseListenerWrapper.afterPhase(ADFLifecycleImpl.java:529)
       at oracle.adfinternal.controller.lifecycle.LifecycleImpl.internalDispatchAfterEvent(LifecycleImpl.java:118)
       at oracle.adfinternal.controller.lifecycle.LifecycleImpl.dispatchAfterPagePhaseEvent(LifecycleImpl.java:166)
       at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener$PhaseInvokerImpl.dispatchAfterPagePhaseEvent(ADFPhaseListener.java:122)
       at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener.afterPhase(ADFPhaseListener.java:68)
       at oracle.adfinternal.controller.faces.lifecycle.ADFLifecyclePhaseListener.afterPhase(ADFLifecyclePhaseListener.java:51)
       at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:354)
       at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:175)
       at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265)
       at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
       at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
       at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
       at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
       at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:181)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
       at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:85)
       at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:279)
       at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._invokeDoFilter(TrinidadFilterImpl.java:239)
       at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:196)
       at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:139)
       at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
       at oracle.security.jps.wls.JpsWlsFilter$1.run(JpsWlsFilter.java:85)
       at java.security.AccessController.doPrivileged(Native Method)
       at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:257)
       at oracle.security.jps.wls.JpsWlsSubjectResolver.runJaasMode(JpsWlsSubjectResolver.java:250)
       at oracle.security.jps.wls.JpsWlsFilter.doFilter(JpsWlsFilter.java:100)
       at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:65)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
       at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
       at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3496)
       at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
       at weblogic.security.service.SecurityManager.runAs(Unknown Source)
       at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2180)
       at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2086)
       at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1406)
       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
       at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
  The questions are :
  - Why do I get the generic HTTP 403 error instead of the error.html (its not the end of the world but I would like to understand) ?
  - Why do I get the error 500 if the case of the username is incorrect but the password is correct ?
  Best Regards
  Paul

  Nope nothing in there that looks out of place...
  Here's the contents of the web.xml file ..
  <?xml version = '1.0' encoding = 'windows-1252'?>
  <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
  <description>Empty web.xml file for Web Application</description>
  <context-param>
  <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
  <param-value>client</param-value>
  </context-param>
  <context-param>
  <description>If this parameter is true, there will be an automatic check of the modification date of your JSPs, and saved state will be discarded when JSP's change. It will also automatically check if your skinning css files have changed without you having to restart the server. This makes development easier, but adds overhead. For this reason this parameter should be set to false when your application is deployed.</description>
  <param-name>org.apache.myfaces.trinidad.CHECK_FILE_MODIFICATION</param-name>
  <param-value>false</param-value>
  </context-param>
  <context-param>
  <description>Whether the 'Generated by...' comment at the bottom of ADF Faces HTML pages should contain version number information.</description>
  <param-name>oracle.adf.view.rich.versionString.HIDDEN</param-name>
  <param-value>false</param-value>
  </context-param>
  <filter>
  <filter-name>JpsFilter</filter-name>
  <filter-class>oracle.security.jps.ee.http.JpsFilter</filter-class>
  <init-param>
  <param-name>enable.anonymous</param-name>
  <param-value>true</param-value>
  </init-param>
  <init-param>
  <param-name>remove.anonymous.role</param-name>
  <param-value>false</param-value>
  </init-param>
  <init-param>
  <param-name>addAllRoles</param-name>
  <param-value>true</param-value>
  </init-param>
  <init-param>
  <param-name>jaas.mode</param-name>
  <param-value>doasprivileged</param-value>
  </init-param>
  </filter>
  <filter>
  <filter-name>trinidad</filter-name>
  <filter-class>org.apache.myfaces.trinidad.webapp.TrinidadFilter</filter-class>
  </filter>
  <filter>
  <filter-name>adfBindings</filter-name>
  <filter-class>oracle.adf.model.servlet.ADFBindingFilter</filter-class>
  </filter>
  <filter-mapping>
  <filter-name>JpsFilter</filter-name>
  <servlet-name>Faces Servlet</servlet-name>
  <dispatcher>FORWARD</dispatcher>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>INCLUDE</dispatcher>
  </filter-mapping>
  <filter-mapping>
  <filter-name>trinidad</filter-name>
  <servlet-name>Faces Servlet</servlet-name>
  <dispatcher>FORWARD</dispatcher>
  <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
  <filter-mapping>
  <filter-name>adfBindings</filter-name>
  <servlet-name>Faces Servlet</servlet-name>
  <dispatcher>FORWARD</dispatcher>
  <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
  <servlet>
  <servlet-name>Faces Servlet</servlet-name>
  <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
  <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
  <servlet-name>resources</servlet-name>
  <servlet-class>org.apache.myfaces.trinidad.webapp.ResourceServlet</servlet-class>
  </servlet>
  <servlet>
  <servlet-name>adfAuthentication</servlet-name>
  <servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
  <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
  <servlet-name>Faces Servlet</servlet-name>
  <url-pattern>/faces/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
  <servlet-name>resources</servlet-name>
  <url-pattern>/adf/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
  <servlet-name>resources</servlet-name>
  <url-pattern>/afr/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
  <servlet-name>adfAuthentication</servlet-name>
  <url-pattern>/adfAuthentication/*</url-pattern>
  </servlet-mapping>
  <session-config>
  <session-timeout>35</session-timeout>
  </session-config>
  <mime-mapping>
  <extension>html</extension>
  <mime-type>text/html</mime-type>
  </mime-mapping>
  <mime-mapping>
  <extension>txt</extension>
  <mime-type>text/plain</mime-type>
  </mime-mapping>
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>adfAuthentication</web-resource-name>
  <url-pattern>/adfAuthentication</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>valid-users</role-name>
  </auth-constraint>
  </security-constraint>
  <login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
  <form-login-page>/login.html</form-login-page>
  <form-error-page>/error.html</form-error-page>
  </form-login-config>
  </login-config>
  <security-role>
  <role-name>valid-users</role-name>
  </security-role>
  </web-app>
  Regards
  Paul