ADF Security against database?

I am working with JDeveloper 10.1.3.4 on a project which uses adf/bc and adf faces/jsf 1.1; the application is deploying to iAS 10.1.3.4 and is hooked as a mid-tier instance via SSO to an infra iAS instance on another machine.
How do you change ADF Security to reference a database table to find out settings for page/iterator/attribute security settings?
Most of the existing code in this environment is Web Pl/sql toolkit and portal work. I am adding ADF apps. They would like to control what the different roles have access to via the database...hence this question.
Normally with ADF Security you use an editor in JDeveloper which you can access from within the page def file in the structure pane within JDeveloper; I think this changes system-jazn.xml. If you, instead, want these settings to be located within a database table, what do you have to do?
In my initial research I am thinking somehow I must create an override for ADFPermission.getContext() somehow...but I have not figured out if that is right or not yet.
It may just be easier to re-invent the wheel: just do things programmatically using Java; but there is a lot of structure inherant in ADF Security that I would be reproducing if I go that route, I think.
Anybody have any ideas?
I am continuing to research this issue, but I think this is an unusual use-case; so I am not expecting to find this answer anywhere in particular. Maybe somebody knows this off the top of their head.

Right, Frank; I mostly meant that it would help me learn more about the subject of J2EE permissions. Vik has pointed me in the direction of the Sun Java Forums for more information on this topic, which I will hopefully get a chance to pursue.
Thank you for getting back to me. Thank you again, also, for all your work on custom login modules; I have used that work of yours several times professionally. It is just that this client I am working with now is satisfied with their SSO/LDAP setup...they just want to store permissions in the database also.

Similar Messages

ADF security and database

Hi all,
I am implementing ADF security on my application and I came across the following Documents:
1- http://www.oracle.com/technology/products/jdev/howtos/1013/adfsecurity/adfsecurity_10132.html
2-http://www.oracle.com/technology/products/jdev/howtos/1013/oc4jjaas/oc4j_jaas_login_module.htm
and I have a few of questions :
1- in ADF security, the edit authorization options in the PageDef reads the roles (gorups) stored on the system-jazn-data.xml file. If my roles are stored on the Database how can I read them?
2- In the first document it is said " If the role name in web.xml matches a group name in system-jazn-data.xml, no further mapping is required. If the names do not match, then the web.xml role name needs to be mapped to the name in the system-jazn-data.xml using the orion-application.xml file. ". Can I do the mapping between the system-jazn-data.xml and the Database?
3-When I assign ADF security permissions on PageDefs, It will be stored in the app-jazn-data.xml file. Can I store/read those permissions from the Database and no the app-jazn-data.xml file or at least can I do some kind of mapping between the Database and this file?
thanks in advance,
Ahmad Esbita

Hi albertpi,
Thanks for you response. This is our first ADF application.
We are planning to impliment the security as mentioned above.
We can configure the LDAP users in Weblogic server.
We have a page with multiple tables which need to be shown based on the User roles.
These roles we are planning to define in the table.
1. I need to show list of users from my LDAP Users on the ADF UI to assign the roles.
2. We will be defining our list of roles in a database table, which not sure whether they need to map to ADF application security roles.
Data in table will be something like this.
User Role
Admin Tab1
Admin Tab2
Admin Tab3
User1 Tab1
User2 Tab2
User2 Tab3
Once the User is logged in we will read this table to show/hide the respective tabs.
Can you tell us are we in right path, if yes How to achieve this.
Thanks,
Satya

ADF Security from Database Table

I have two database tables one holding username and password and other username and role.
I want to secure my ADF application based on this. I have already gone through the following link ->
http://www.oracle.com/technology/products/jdev/howtos/1013/oc4jjaas/oc4j_jaas_login_module.htm
But, after configuring all the things for embedded J2EE server also I am finding some problem. It's not trying to connect with the database.
If any other links or sample projects, you can mention that will be helpful for understanding.

Hi,
check the data source name that you use with the LoginModule. Use Enterprise Manager in OC4J to verify that the data source can connect to the database. If not, change the data source's connection information. This most likely is your problem.
Frank

ADF Security against external source

HI. I want to manage my users and roles in the custom table in Oracle DB, but still use all security features of ADF. I mean I will not define user and roles in ADF, but ADF will be able to authenticate against my table and populate all security attributes (e.g #{securityContext.userName}) . Can it be done?

I think I found the problem not the solution.
First of all I do see in WL the user "test" and group "EnterpriseAdmin".
And of course "EnterpriseAdmin". assigned to "test" user.
But after I run the login page I go back to WL I see that "EnterpriseAdmin" group was unassigned from "test" user!!!!!
If I assign in again (after the application is loaded , but before I click the login button) I can use the application as I designed it (access the page which is protected by EnterpriseAdmin)
But at some point the following error message appears in the Jdeveloper console
[Another instance of application Sec3 is running on the server. JDeveloper will redeploy the application.]
[Running application Sec3 on Server Instance IntegratedWebLogicServer...]
[07:09:59 AM] Web Module ViewControllerWebApp.war recognized in project ViewController.jpr
[07:09:59 AM] ---- Deployment started. ----
[07:09:59 AM] Target platform is (Weblogic 10.3).
[07:09:59 AM] Retrieving existing application information
[07:09:59 AM] Running dependency analysis...
[07:09:59 AM] Deploying 2 profiles...
[07:10:00 AM] Wrote Web Application Module to C:\Users\mshapira04\AppData\Roaming\JDeveloper\system11.1.2.3.39.62.76.1\o.j2ee\drs\Sec3\ViewControllerWebApp.war
[07:10:00 AM] Wrote Enterprise Application Module to C:\Users\mshapira04\AppData\Roaming\JDeveloper\system11.1.2.3.39.62.76.1\o.j2ee\drs\Sec3
[07:10:00 AM] Redeploying Application...
<FeatureUtils> <_resolveFeatures> Ignoring feature-dependency on feature "AdfDvtCommon". No such feature exists.
<FeatureUtils> <_resolveFeatures> Ignoring feature-dependency on feature "AdfDvtCommon". No such feature exists.
<FeatureUtils> <_resolveFeatures> Ignoring feature-dependency on feature "DvtDiagram". No such feature exists.
[07:10:09 AM] Application Redeployed Successfully.
[07:10:09 AM] The following URL context root(s) were defined and can be used as a starting point to test your application:
[07:10:09 AM] http://10.15.8.180:7501/Sec3-ViewController-context-root
[07:10:09 AM] Uploading jazn-data roles.
[07:10:09 AM] Removing existing group "EnterpriseAdmin".
[07:10:09 AM] Creating group for role "EnterpriseAdmin".
[07:10:09 AM] Elapsed time for deployment: 10 seconds
[07:10:09 AM] ---- Deployment finished. ----
Run startup time: 9784 ms.
[Application Sec3 deployed to Server Instance IntegratedWebLogicServer]
Target URL -- http://127.0.0.1:7501/Sec3-ViewController-context-root/login.html
<Aug 28, 2013 7:10:16 AM EDT> <Warning> <Socket> <BEA-000449> <Closing socket as no data read from it on 127.0.0.1:65,365 during the configured idle timeout of 5 secs>
<Aug 28, 2013 7:10:16 AM EDT> <Warning> <Socket> <BEA-000449> <Closing socket as no data read from it on 127.0.0.1:65,362 during the configured idle timeout of 5 secs>
<Aug 28, 2013 7:10:16 AM EDT> <Warning> <Socket> <BEA-000449> <Closing socket as no data read from it on 127.0.0.1:65,361 during the configured idle timeout of 5 secs>
<Aug 28, 2013 7:10:16 AM EDT> <Warning> <Socket> <BEA-000449> <Closing socket as no data read from it on 127.0.0.1:65,366 during the configured idle timeout of 5 secs>
<Aug 28, 2013 7:10:16 AM EDT> <Warning> <Socket> <BEA-000449> <Closing socket as no data read from it on 127.0.0.1:65,363 during the configured idle timeout of 5 secs>
<Aug 28, 2013 7:10:16 AM EDT> <Warning> <Socket> <BEA-000449> <Closing socket as no data read from it on 127.0.0.1:65,364 during the configured idle timeout of 5 secs>
<Aug 28, 2013 7:11:09 AM EDT> <Error> <Console> <BEA-240003> <Console encountered the following error weblogic.security.providers.authentication.DBMSSQLAuthenticatorDelegateException: [Security:090279]Error listing users *
at weblogic.security.providers.authentication.DBMSSQLReadOnlyAuthenticatorDelegateImpl.listUsers(DBMSSQLReadOnlyAuthenticatorDelegateImpl.java:368)
at weblogic.security.providers.authentication.ReadOnlySQLAuthenticatorImpl.listUsers(ReadOnlySQLAuthenticatorImpl.java:117)
at weblogic.security.providers.authentication.SQLAuthenticatorMBeanImpl.listUsers(SQLAuthenticatorMBeanImpl.java:281)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at weblogic.management.jmx.modelmbean.WLSModelMBean.invoke(WLSModelMBean.java:437)
at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:836)
at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:761)
at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase$16.run(WLSMBeanServerInterceptorBase.java:449)
at java.security.AccessController.doPrivileged(Native Method)
at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase.invoke(WLSMBeanServerInterceptorBase.java:447)
at weblogic.management.mbeanservers.internal.JMXContextInterceptor.invoke(JMXContextInterceptor.java:263)
at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase$16.run(WLSMBeanServerInterceptorBase.java:449)
at java.security.AccessController.doPrivileged(Native Method)
at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase.invoke(WLSMBeanServerInterceptorBase.java:447)
at weblogic.management.mbeanservers.internal.SecurityInterceptor.invoke(SecurityInterceptor.java:444)
at weblogic.management.jmx.mbeanserver.WLSMBeanServer.invoke(WLSMBeanServer.java:323)
at weblogic.management.mbeanservers.internal.JMXConnectorSubjectForwarder$11$1.run(JMXConnectorSubjectForwarder.java:663)
at java.security.AccessController.doPrivileged(Native Method)
at weblogic.management.mbeanservers.internal.JMXConnectorSubjectForwarder$11.run(JMXConnectorSubjectForwarder.java:661)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
at weblogic.management.mbeanservers.internal.JMXConnectorSubjectForwarder.invoke(JMXConnectorSubjectForwarder.java:654)
at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1427)
at javax.management.remote.rmi.RMIConnectionImpl.access$200(RMIConnectionImpl.java:72)
at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1265)
at java.security.AccessController.doPrivileged(Native Method)
at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1367)
at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:788)
at javax.management.remote.rmi.RMIConnectionImpl_WLSkel.invoke(Unknown Source)
at weblogic.rmi.internal.ServerRequest.sendReceive(ServerRequest.java:174)
at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:222)
at javax.management.remote.rmi.RMIConnectionImpl_1035_WLStub.invoke(Unknown Source)
at javax.management.remote.rmi.RMIConnector$RemoteMBeanServerConnection.invoke(RMIConnector.java:993)
at weblogic.management.jmx.MBeanServerInvocationHandler.doInvoke(MBeanServerInvocationHandler.java:544)
at weblogic.management.jmx.MBeanServerInvocationHandler.invoke(MBeanServerInvocationHandler.java:380)
at $Proxy168.listUsers(Unknown Source)
at com.bea.console.utils.security.UserUtils.getUsers(UserUtils.java:78)
at com.bea.console.actions.security.users.UserTableAction.getCollection(UserTableAction.java:100)
at com.bea.console.actions.security.ManagementBaseTableAction.execute(ManagementBaseTableAction.java:82)
at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.access$201(PageFlowRequestProcessor.java:97)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor$ActionRunner.execute(PageFlowRequestProcessor.java:2044)
at org.apache.beehive.netui.pageflow.interceptor.action.internal.ActionInterceptors.wrapAction(ActionInterceptors.java:91)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processActionPerform(PageFlowRequestProcessor.java:2116)
at com.bea.console.internal.ConsolePageFlowRequestProcessor.processActionPerform(ConsolePageFlowRequestProcessor.java:261)
at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processInternal(PageFlowRequestProcessor.java:556)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.process(PageFlowRequestProcessor.java:853)
at org.apache.beehive.netui.pageflow.AutoRegisterActionServlet.process(AutoRegisterActionServlet.java:631)
at org.apache.beehive.netui.pageflow.PageFlowActionServlet.process(PageFlowActionServlet.java:158)
at com.bea.console.internal.ConsoleActionServlet.process(ConsoleActionServlet.java:262)
at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
at com.bea.console.internal.ConsoleActionServlet.doGet(ConsoleActionServlet.java:134)
at org.apache.beehive.netui.pageflow.PageFlowUtils.strutsLookup(PageFlowUtils.java:1199)
at com.bea.portlet.adapter.scopedcontent.ScopedContentCommonSupport.executeAction(ScopedContentCommonSupport.java:686)
at com.bea.portlet.adapter.scopedcontent.ScopedContentCommonSupport.renderInternal(ScopedContentCommonSupport.java:266)
at com.bea.portlet.adapter.scopedcontent.StrutsStubImpl.render(StrutsStubImpl.java:107)
at com.bea.netuix.servlets.controls.content.NetuiContent.preRender(NetuiContent.java:292)
at com.bea.netuix.nf.ControlLifecycle$6.visit(ControlLifecycle.java:428)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:727)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursivePreRender(ControlTreeWalker.java:739)
at com.bea.netuix.nf.ControlTreeWalker.walk(ControlTreeWalker.java:146)
at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:395)
at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:361)
at com.bea.netuix.nf.Lifecycle.runOutbound(Lifecycle.java:208)
at com.bea.netuix.nf.Lifecycle.run(Lifecycle.java:162)
at com.bea.netuix.servlets.manager.UIServlet.runLifecycle(UIServlet.java:388)
at com.bea.netuix.servlets.manager.UIServlet.doPost(UIServlet.java:258)
at com.bea.netuix.servlets.manager.UIServlet.doGet(UIServlet.java:211)
at com.bea.netuix.servlets.manager.UIServlet.service(UIServlet.java:196)
at com.bea.netuix.servlets.manager.SingleFileServlet.service(SingleFileServlet.java:251)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at com.bea.console.utils.MBeanUtilsInitSingleFileServlet.service(MBeanUtilsInitSingleFileServlet.java:47)
at weblogic.servlet.AsyncInitServlet.service(AsyncInitServlet.java:130)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
Caused by: java.sql.SQLException: TBDI18N: Connection was not found for null
at weblogic.security.providers.authentication.DBMSDatabaseConnectionPoolImpl.getRawConnection(DBMSDatabaseConnectionPoolImpl.java:136)
at weblogic.security.providers.authentication.DBMSSQLDatabaseConnectionPoolImpl.checkoutConnection(DBMSSQLDatabaseConnectionPoolImpl.java:25)
at weblogic.security.providers.authentication.DBMSSQLReadOnlyAuthenticatorDelegateImpl.getReadOnlyConnection(DBMSSQLReadOnlyAuthenticatorDelegateImpl.java:570)
at weblogic.security.providers.authentication.DBMSSQLReadOnlyAuthenticatorDelegateImpl.listUsers(DBMSSQLReadOnlyAuthenticatorDelegateImpl.java:346)
... 119 more
>
It says something about listing the users, so I checked my "SQL List Users:" statement and it should be just fine:
SELECT username FROM jhs_users WHERE username LIKE ?
If fact I double checked all SQL statement that list something in the provider and they are all fine
I have to remind that my application is empty and all pages (login , error , welcome) are autogenerated
Thank you for you help. Can you see the problem?

ADF Security Design Question

Hi All,
I am developing an ADF web application. The security design is such that user authentication is mapped to database users. The design I see several pros and cons
1) Different database users means I cannot take advantage of connection pooling.
2) The architect argues SQL querying can be controlled at database level for each user.
I have never been involved in such a web application. Can anybody please guide me if this is the way to go for ADF web application, any other pros and cons. The database is Oracle 11g. I still believe that application security should not be tied to the database security.
Worst case if I have to go with this design, How to implement ADF security using database users.
Thanks

I blogged a use case for using Proxy Authentication with JPA here http://blogs.oracle.com/olaf/2010/04/using_oracle_proxy_authenticat.html. (Being a sample it includes a setter for user name, but a case with a JAAS Subject and Principal is easily adaptable).
I'll dig out an ADF BC example and blog about it, too.
--olaf

Configuring roles and users (adf security) application context wise.

Dear All,
I referred this tutorial (http://biemond.blogspot.com/2008/12/using-database-tables-as-authentication.html) which shows how to hook up adf security with database schema but at domain level which will be common to all applications in that domain. I want to make it different to each application. (i.e each application will use differene database schema for storing user credientials i.e enterprise roles,application roles and users.)
Can any one please point me to proper way..
Regards,
Santosh
jdev 11.1.1.2.0

Dear Frank,
<i>
Instead you have a single identity management system and have the application policies being different for the applications.Using ADF Security, users and groups can have different privileges in different applications
</i>
suppose i have 3 applications that use adf security, the users will be common to all applications. right..?Roles and group can be different for applications.
application polices means roles and group..?
So how it(application polices) can be made different for applications? is it inbuilt or some configurations needed ?. Can you point me to some blogs or tutorials for more reference.
Bet: Incase i hook up adf security with database schema.
Regards,
Santosh.

How to apply row level security against the database administrator

I would like an advice in applying row level security against the database administrator. We need to prevent DBA from editing data in some table rows or have any indication that data was corrupted.
There is no problem in viewing the data so we considered one way hash function or digital signature which will be stored in the same table, but we see following disadvantages:
HASH - DBA may use the same hash function to update the stored data after he changes the sensitive row.
Digital signature - the is a need to manage and keep the private key in a safe place outside of DB
Is there additional ways to achieve the aim?

Does VPD helps to prevent from DBA to edit/view a data in specific rows?Yes.
If I correctly understand, DBA has full access to security policy used by VPD to control the access and can grant himself privileges that I don't want.You can to define which users can be exempt of the politics, for the context or by Grant EXEMPT.
This includes DBAs.
The simple fact of being DBA doesn't guarantee the exemption.
Everything goes to depend of the VPD config.

ADF Security : identity store : tables in a SQL database

hi
The documentation says "ADF Security is built on top of the Oracle Platform Security Services (OPSS) architecture, which itself is well-integrated with Oracle WebLogic Server. ".
As such, ADF Security provides abstractions, also abstraction from an identity store (the repository of user identities and login credentials).
If my identity store is a set of custom tables in a SQL database, what are the Oracle supported options to use that identity store for an ADF application using ADF Security?
(Please refer to related documentation if possible.)
many thanks
Jan Vervecken

Thanks for your reply John.
John Stegeman wrote:
... To your questions to Frank - I'd answer "yes." ...Thanks for the confirmation.
... The specific points of the documentation that I found helpful were [url http://download.oracle.com/docs/cd/E21764_01/core.1111/e10043/underjps.htm#BABHCGGG]this picture and the discussion on identity management [url http://download.oracle.com/docs/cd/E21764_01/core.1111/e10043/addlsecfea.htm#CFHGBDEG]here. ...
The "Identity Management" section you refer to says ...
"... The domain administrator must configure the domain authenticator (with the Administration Console), update identities (enterprise users and groups) in the environment, as appropriate, and map application roles to enterprise users and groups (with Fusion Middleware Control). ..."
... which brings us to the context for the "general" question I asked in this thread:
I am trying to understand the "... This is not a supported usecase (use enterprise role from the DB, and add the enterprise role to approle). ..." feedback that I got in the context of my question in forum thread
"OPSS : addMembersToApplicationRole : The search for role failed"
at OPSS : addMembersToApplicationRole : The search for role failed
(Please post in that thread if you want to give feedback on that "use-case".)
regards
Jan

Database Security against 'connect internal'

Hi Dba's
Is there any way to set up a password authentication while connecting as
oracle(unix)user during 'connect internal' connection?. The reason is though oracle owner password can be kept properly, still the system admin(unix)can still use su (unix)command to become oracle user and connect to oracle without validating password.
What is the best way to set up a password by which the password will be validated during the connection time.
Please note ....!!!! Creation of exclusive password file, changes in init parameters everything has been tried.
Hence, looking for any better solution.
Regards
_RamV
null

There certainly is a need for securing your database from administrators. The idea that you MUST trust your dba or your sys admins is no longer a reasonable one. Just to give you an example, let's say a government stores its most confidential secrets in an Oracle database. Trusting the dba is not an option in this situation.
This certainly is an exterme case, but there certainly are many, many other situations that have similar requirements. I'm not sure that everyone's medical records should be available to the dba just because he's in charge of doing backups. The truth of the matter is that many, many dbas are kids straight out of college or independent consultants. This is this way in every industry, including the medical and banking industry.
There are solutions that alleviate the problem, but they are not as good as they should be. For Oracle there are encryption solutions (www.appsecinc.com) that help you prevent dbas from reading the data, but they do not help prevent the data from being destroyed. A good backup plan can help alleviate this problem.
Other possible solutions include setting up good policies that include seperation of duties and the use of a change management department. For a more thorough discourse on security policies for Oracle, check out the Oracle Security Handbook (http://www.amazon.com/exec/obidos/ASIN/0072133252/qid%3D998406055/107-7202182-0758137).
HTH,
[email protected]

ADF Security

Dear All;
I am new to ADF security, my target is to create a web application, with authentication through a login page, and session tracking through out the users session, i used to do this all in code, the JSP way, where i check the session in every page, to check that there is a logged in user, i read the forum based authentication, and i thought it could make things faster, and more secure for me, i did a login page and an error page where the username and password are validated against a table called user and added refrence to these pages to the web.xml properties, and then from adf security of the main menu page i selected to enforce authentication and gave it the URL for the login, and error page, only when i run this page, i am getting a can not find faces config file, i am sure something is missing, the tutorial i have discusses validation through the ADF administration page, i want to validate throught the database,
Links for tutorials, or any information would be highly appreciated
thank you all in advance
regards
Halim

Did you put something like
     <application>
          <name>current-workspace-app</name>
          <login-modules>
               <login-module>
                    <class>YOUR_CLASS</class>
                    <control-flag>required</control-flag>
                    <options>
                         <option>
                              <name>data_source_name</name>
                              <value>YOUR_DS_NAME</value>
                         </option>
                         <option>
                              <name>roles_fk_column</name>
                              <value>VALUE</value>
                         </option>
                         <option>
                              <name>user_pk_column</name>
                              <value>VALUE</value>
                         </option>
                         <option>
                              <name>user_table</name>
                              <value>VALUE</value>
                         </option>
                         <option>
                              <name>roles_column</name>
                              <value>VALUE</value>
                         </option>
                         <option>
                              <name>roles_table</name>
                              <value>VALUE</value>
                         </option>
                         <option>
                              <name>username_column</name>
                              <value>VALUE</value>
                         </option>
                         <option>
                              <name>password_column</name>
                              <value>VALUE</value>
                         </option>
                    </options>
               </login-module>
          </login-modules>
     </application>
to the <jazn-loginconfig> part in system-jazn-data.xml file in your JDEVHOME/jdev\system\oracle.j2ee.10.1.3.41.57\embedded-oc4j\config\ folder. Plus, you should check if your encoding the passwords, ...
As I said, we're using custom loginModule, I'm not sure for DBTableOraDataSourceLoginModule. Verify you've done everything from the tutorial.
BB

GOTCHA's with Setting up ADF Security with JDev 11.1.1.6.0

If you're getting into ADF security, you're probably going to want to get rid of that ugly default login.html page. I mean, it gets the job done, but we want something a little better. And if you want something a little better and you're using JDev 11.1.1.6.0, it behooves you to read this post!
First off, get acquainted with these four posts. All good stuff. They'll walk you through the 1st half of what you need to know. Y'know, the non-Gotcha half.
http://one-size-doesnt-fit-all.blogspot.com/2010/07/adf-security-revisited-again-again.html
http://myadfnotebook.blogspot.com/2011/11/adf-security-basics.html
http://andrejusb.blogspot.com/2010/11/things-you-must-know-about-adf-faces.html
http://java2go.blogspot.com/2010/12/creating-centered-page-layout-using-adf.html
Are you getting either of the following errors?
<CodebasePolicyHandler> <migrateDeploymentPolicies> Migration of codebase policy failed. Reason: {0}.
oracle.security.jps.JpsException: java.lang.IllegalArgumentException: oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl
Error 500--Internal Server Error
java.lang.RuntimeException: Cannot find FacesContextI'll show you where they're coming from. Follow along.
1) Create a new application.
2) Create three .jspx pages called login, error, and welcome.
3) Generate PageDef files for them by right-clicking on the file and selecting "Go To PageDefinition". You'll want these so that you may apply security against them.
4) Right-Click on your Application and select Secure->Configure ADF Security
5) ADF Authentication and Authorization -> Form Based Authentication (Use the search symbol to select your created login and error pages. Should be something like "/faces/login.jspx") -> No Automatic Grants -> Finish
Right-Click your welcome.jspx and select run. You'll get this error before your web page opens up in your browser and then proceeds to wig out.
<CodebasePolicyHandler> <migrateDeploymentPolicies> Migration of codebase policy failed. Reason: {0}.
oracle.security.jps.JpsException: java.lang.IllegalArgumentException: oracle.security.jps.internal.core.principals.JpsAnonymousRoleImplThat just won't do. Let's fix it, shall we?
6) Open your newly JDev created jazn-data.xml file. It's located in the Application Resources panel (usually located by Data Controls and your Projects expandable panels)
7) Resource Grants -> Resource Type (Web Page dropdown) -> error page should have a key symbol by it. Delete the anonymous role in the "Granted To" column. Now click the green button to add an Application Role. Huh, there's TWO of them? How bout that? Looks like we're going to have to delete some XML code!
8) Click the Source tab on the bottom of the page to open up the XML View. You'll see the following piece of erroneous code. Erroneous, I say!
<policy-store>
    <applications>
      <application>
        <name>SecurityError</name>
        <app-roles>
          // Hello, I'm the app role that has sucked away two hours of your life that you can never, ever get back
          <app-role>
            <name>anonymous-role</name>
            <class>oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl</class>
            <display-name>anonymous-role</display-name>
          </app-role>
         // Whew, the end of that app role
        </app-roles>
        <jazn-policy>
          <grant>9) You're going to want to delete that app role XML
10) Go back into your jazn-data.xml file and create some users. For example, bob and jane. Create an Enterprise role called "admin". Put bob and jane as members into this Enterprise role. Create an Application role called managers. Map managers to your Enterprise role admin.
11) Go back to the Resource Grants tab -> Resource Type (Web Page) and delete any "Granted To" authorizations that may assigned to any of the pages. Assigned a "Granted To" application role of "anonymous-role" to the error and login pages. Assign "managers" to welcome.
12) Run your welcome page. Yay, the error is gone. How sweet it is.
Now you want to refactor/move your login and error page somewhere else? Great, just right-click and select factor. Refactor to some place like /public_html/jspx/<your login page>.jspx. Re-run your welcome page.
// You fool!
Error 404--Not Found
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.5 404 Not FoundThat's not so good. Let's fix that.
1) Open up web.xml. It's located at ViewController/WEB-INF/web.xml.
2) Click the security tab and you'll see Form-Based Authentication with a login page and error page. Click that Search glass and locate your new file. Do the same for the error page. You should see something like "/jspx/login.jspx" come back.
3) Re-run your welcome page.
// Suckered AGAIN!
Error 500--Internal Server Error
java.lang.RuntimeException: Cannot find FacesContextThis is a tricky one. The search icon brings back a faulty address. Since we're using a .jspx page, it needs to be "/faces/jspx/login.jspx". Repeat for the error page. Re-run your welcome.jspx.
Ahh!! Now THAT's how we do it in Kingsport!
Finally, a custom .jspx login works. Now what are you doing here? Shouldn't you be playing some Diablo 3?
Will

Ha :-)
Point being good summaries like yours tend to get lost on the forums because of the volume of posts. With a blog people have the chance to subscribe to your posts so it's just a better vehicle all round for posting content to help others.
I highly recommend writing blogs even if it's for scratch notes, because you'll learn a lot in structuring your thoughts. It's also a really good way to get noticed in the community because bloggers stand out.
But your call, no pressure of course ;-)
CM.

Problem with ADF Security / SQL Authenticator after upgrade to 11.1.1.6

Hi,
We have an ADF application built with JDeveloper 11.1.1.2 that's been in production for a couple of years. Now we are in the process of upgrading to 11.1.1.6 so I have upgraded WLS and ADF in a test environment and re-deployed the application there. The application uses users and groups from database using SQL Authenticator configured in WLS. This worked fine in the old version but now after the upgrade we can't log in with credentials from the database. I can log in if I add a user to the default authenticator. We didn't touch any of the authenticator settings or security realm configurations during the upgrade. Both authenticators are marked as SUFFICIENT, as they have always been.
Has something changed in the way SQL Authenticator is used since 11.1.1.2? What could be the problem?
Regards,
Joonas

Answering myself here: after recreating the SQL Authenticator and the ADF Security configuration logins are working again. Don't know where the problem was though.

How to integrate a SSO based in cookie with ADF Security

At work they asked me to integrate a existing SSO based in cookie with the new ADF + Jdeveloper 11g + WLS. After google for days and read a lot of blogs and official documentation I've made a custom LoginModule. I made it very simple, it's just an "if" inside the login() function with the username, if the username is "john" I put to the Subject some Principals. My steps are:
1- Create a new app based on "Fusion application" template.
2- Make a new ADF Taskflow with only one view inside (the entry point of the taskflow). The jspx only contains a welcome message.
3- Run the ADF Security wizard, all the steps with the default option, I don't change anything.
4- Put some users and some roles in jazn-data.xml, and maping them to an application role. Then I grant permissions to the application role to view the previous task flow.
At this point everything is ok. I run the taskflow and a basic login popup prompts me to write my username and password. Now I try to remove everything useless for me, like idstore, credentials, anonymous, etc. I only want a LoginModule that get the HttpRequest and passes it to an already done class that returns a true/false depending if the cookie is correct or not but, as I said before, my LoginModule is so simple now and even didn't try to do something more complicated than an if. The steps I try are:
in jps-config.xml
5- Remove idstore.xml and credentials.
6- (loginmodule tab) Make a new login module, and put here my class. The class is in the ViewController project and JDeveloper find it navigating through the heriarchy, so I have visibility. I put REQUIRE flag, add all roles and debug mode.
7- In the security context unmark the idstore.loginmodule and mark myLoginModule. Also delete the anonymous security context.
All that I got until now is a 500 error (Internal server error - Authorization Exception). Sometimes (the close i've ever been to do something correct) the browser ask me for user/password but then only recognizes the users that already are in WLS (idstore from previous tests), but NOT the "john" user that is inside my custom LoginModule. Even more, if I run the WLS from JDeveloper 11g in debug mode, the runtime never stops at breakpoints inside my custom login module. It seems that my LoginModule isn't deployed or I made some error maping the roles.
So, my questions are:
- I'm in the good way? If I want an authentication based in cookie/httprequest I have to do a custom LoginModule? My goal is to do a re-usable code, and re-use the code that my co-workers have done. They have a class that with only the HttpRequest determines if a user is logged or not.
- If I'm in the good way... how can I put my custom LoginModule in the WLS? I tried to search something in the Administration Panel (localhost:7101/console) but I did'nt find nothing.
- In case I'd got the custom LoginModule working fine in WLS... how can I get a HttpRequest from a LoginModule and avoid the username/password dialog? I've to make a filter and pass it to the my LoginModule? If it's correct... how?
I don't post my code because is so simple, it's based on DBTableLoginModule but without all the database access code.
Thanks to all!
P.D.: If this message isn't in the correct forum, I'm sorry. Feel free to move it.
P.D.2: Sorry about my english, I'm spanish. I know i've to practise a lot :)

Hi Frank,
Thanks a lot for your answer. Just one more easy question: what I need to do is a custom Authentication Module (which will read the cookie)? If only you can point me to the correct chapter of the WLS documentation I'll be very pleased.
In future releases of JDeveloper will be easier to do this kind of things related to security?
Riveck

ADF Security, Task Flow as a region in a page resource grant

JDeveloper 12c (12.1.2); Application uses ADF form based security, external LDAP provider (Active Directory)
After sign-in page (upon successful authentication/authorization) user is forwarded to a page that executes VO method prior to render. I am new to task flow concept and am told to achieve this like:
- create bounded task flow, with method call activity (execute exposed AM method that calls VO method, runs custom SQL) and view activity as page fragment.
- then drop the above task flow into a page as a region
In ADF security setup, I gave resource grant task-flow to certain application role. Started the application, login and got 403 error. Then went back and gave resource grant 'view' to the actual page that contains task flow. It worked fine.
So the question is, when protecting application (implemented with task flows) with ADF security, I thought it is enough to grant those task flows to whatever application roles (groups) and inherently any page that uses that task flow(s) (as a region) will be protected?
From this test, it seems that I have to assign each page (that has task flow as a region) to application roles individually?

Hi,
any page that is contained in a bounded task flow is protected by the task flow permission grant, this is correct. If this is not what you see, please file a bug with support or send me a simple reproducible test case please. My mail address (replace all < name > with the described symbol.
frank <dot> nimphius <at> oracle <dot> com
The test case will need to be in a ZIP file nemaed to "unzip" and should be able for me to run stand alone (please no database scripts to run prior to try the test case)
Frank

ADF Security: javax.servlet.jsp.JspException: Cannot find FacesContext

Hi,
In my ADF Application, new users are to be allowed to Register by clicking a button in login page. The Application is based on ADF Security Wizard and I have created default pages for Login and Error, so the application's login page is login.html.
Now when I’m trying to navigate to 'NewUserRegistrationPage.jspx' Im getting javax.servlet.jsp.JspException: Cannot find FacesContext error.
I thought the issue might be from calling a .jspx from .html so I created a 'NewLogin.jspx' Page with below code and specified this page in ADF Security Wizard for Login Page.
Please advice me some way of calling the 'newRegistrationpage.jspx' from my login page.
Im using JDeveloper 10.1.3.4.
Page Code:
<?xml version='1.0' encoding='windows-1252'?>
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="2.0"
xmlns:h="http://java.sun.com/jsf/html"
xmlns:f="http://java.sun.com/jsf/core"
xmlns:af="http://xmlns.oracle.com/adf/faces"
xmlns:afh="http://xmlns.oracle.com/adf/faces/html">
<jsp:output omit-xml-declaration="true" doctype-root-element="HTML"
doctype-system="http://www.w3.org/TR/html4/loose.dtd"
doctype-public="-//W3C//DTD HTML 4.01 Transitional//EN"/>
<jsp:directive.page contentType="text/html;charset=windows-1252"/>
<f:view>
<html>
<head>
<title>Login</title>
</head>
<body><form method="POST" action="j_security_check">
<font face="Verdana" color="Navy">
<table cellspacing="2" cellpadding="3" border="0" align="center">
<tr>
<th>Username:</th>
<td>
<input type="text" name="j_username"/>
</td>
</tr>
<tr>
<th>Password:</th>
<td>
<input type="password" name="j_password"/>
</td>
</tr>
</table>
</font>
<p align="center">
<input type="submit" name="submit" value="Submit"/>
<input type="button" name="" value="Request Password"/>
<input type="button" name="" value="New User Registration"/>
</p>
</form></body>
</html>
</f:view>
</jsp:root>
Error::
javax.servlet.jsp.JspException: Cannot find FacesContext at javax.faces.webapp.UIComponentTag.doStartTag(UIComponentTag.java:427) at com.sun.faces.taglib.jsf_core.ViewTag.doStartTag(ViewTag.java:125) at webpages.REACHLoginPage_jspx._jspService(_REACHLoginPage_jspx.java:47) [WebPages/REACHLoginPage.jspx] at com.orionserver[Oracle Containers for J2EE 10g (10.1.3.4.0) ].http.OrionHttpJspPage.service(OrionHttpJspPage.java:59) at oracle.jsp.runtimev2.JspPageTable.service(JspPageTable.java:462) at oracle.jsp.runtimev2.JspServlet.internalService(JspServlet.java:594) at oracle.jsp.runtimev2.JspServlet.service(JspServlet.java:518) at javax.servlet.http.HttpServlet.service(HttpServlet.java:856) at com.evermind[Oracle Containers for J2EE 10g (10.1.3.4.0) ].server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:713) at com.evermind[Oracle Containers for J2EE 10g (10.1.3.4.0) ].server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:370) at com.evermind[Oracle Containers for J2EE 10g (10.1.3.4.0) ].server.http.ServletRequestDispatcher.unprivileged_forward(ServletRequestDispatcher.java:259) at com.evermind[Oracle Containers for J2EE 10g (10.1.3.4.0) ].server.http.ServletRequestDispatcher.access$100(ServletRequestDispatcher.java:51) at com.evermind[Oracle Containers for J2EE 10g (10.1.3.4.0) ].server.http.ServletRequestDispatcher$2.oc4jRun(ServletRequestDispatcher.java:193) at oracle.oc4j.security.OC4JSecurity.doPrivileged(OC4JSecurity.java:284) at com.evermind[Oracle Containers for J2EE 10g (10.1.3.4.0) ].server.http.ServletRequestDispatcher.forward(ServletRequestDispatcher.java:198) at com.evermind[Oracle Containers for J2EE 10g (10.1.3.4.0) ].server.http.FormHttpAuthenticator.reject(FormHttpAuthenticator.java:83) at com.evermind[Oracle Containers for J2EE 10g (10.1.3.4.0) ].server.http.HttpApplication.checkAuthenticationAndAuthorize(HttpApplication.java:6435) at com.evermind[Oracle Containers for J2EE 10g (10.1.3.4.0) ].server.http.HttpApplication.getRequestDispatcher(HttpApplication.java:3030) at com.evermind[Oracle Containers for J2EE 10g (10.1.3.4.0) ].server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:738) at com.evermind[Oracle Containers for J2EE 10g (10.1.3.4.0) ].server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:453) at com.evermind[Oracle Containers for J2EE 10g (10.1.3.4.0) ].server.http.HttpRequestHandler.serveOneRequest(HttpRequestHandler.java:221) at com.evermind[Oracle Containers for J2EE 10g (10.1.3.4.0) ].server.http.HttpRequestHandler.run(HttpRequestHandler.java:122) at com.evermind[Oracle Containers for J2EE 10g (10.1.3.4.0) ].server.http.HttpRequestHandler.run(HttpRequestHandler.java:111) at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260) at oracle.oc4j.network.ServerSocketAcceptHandler.procClientSocket(ServerSocketAcceptHandler.java:234) at oracle.oc4j.network.ServerSocketAcceptHandler.access$700(ServerSocketAcceptHandler.java:29) at oracle.oc4j.network.ServerSocketAcceptHandler$AcceptHandlerHorse.run(ServerSocketAcceptHandler.java:879) at com.evermind[Oracle Containers for J2EE 10g (10.1.3.4.0) ].util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:298) at java.lang.Thread.run(Thread.java:595)
Edited by: Manasa Tadi on Jul 1, 2009 11:52 PM

Hi Branislav,
Thanks a lot for your suggestion through which now Im able to navigate to NewRegistration page from login.html.
In my application login.html is under public_html folder where as the NewRegistration page in public_html/WebPages.
Code I used:
New User Registration
But the issue now is, the NewUserRegistrationPage was also under the ADFSecurity, so inorder to navigate to it again the user had to provide authentication. So, I have removed this particular page from Security and it has started to work.
But the issue now I face is something else. In the NewUserRegistrationPage I have a selection to be made by user about the type of user he is and based on the selection he would be navigated to next page, This next page has a VO on it as a 'create form', through which he can directly fill the form and submit his details to database table.
But as I have removed these pages from ADF Security and authentication, the form fields/attributes in the VO are not getting binded, Im getting this Exception:
500 Internal Server Error
javax.faces.el.PropertyNotFoundException: Error testing property 'inputValue' in bean of type null
For testing purpose when I have provided link from application page to NewRegistrationPage the flow is working properly, able to navigate to second page and submit the filled form to database, I think this is working because we have entered the application after providing the login credentials.'
Help in this greatly needed.
Thanks,
Manasa.

ADF Security against database?

Similar Messages

Maybe you are looking for