ADF Security Authorization question

For whatever reason, it seems to be not working for me. Well, I will try to test it a non_SRDemo environment.
By the way, what is the connects what is set in dialog permisssions and the updateable value? Isn't there something in the code that I can check?
Thanks

Hi,
there is no connection in code. An attribute that has a read-only permission is set to updateable = false, which then is accessible via EL.
Just go for the non SRDemo testcase. It will give either you a solution or me a workspace to reproduce the non-working case
Frank

Similar Messages

JDev11 R.1. ADF Security Authorization

Hi,
I would like to know if it might be possible to use authenticatication via RDBMS authentication provider of Weblogic App. Server and ADF Security Authorization together in a JDev 11 application?. I am reading documentation and it says that; 'ADF Security relies on the jazn-data.xml file for the policy store whether you are using the XML-based identity store or the LDAP identity store. One could define roles and its access rights in jazn-data.xml and might expect authentication and isUserInRole services coming from the authentication service without defining users (role members) at design time. Is it or will it be possible in future?
Best Regards.

Hi
I think it is too early and I don't know if they will ever build this. ( because they also have to support other app servers). Is RDBMS authentication provider of Weblogic App. Server a JAAS implementation?
in TP4 you had a db login module , don't know if this is supported in 11g production.
jps-config.xml
<serviceInstance provider="jaas.login.provider" name="testlogin">
<description>Sample LoginModule</description>
<property value="oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule" name="loginModuleClassName"/>
<property value="REQUIRED" name="jaas.login.controlFlag"/>
<property value="ovs_user" name="table"/>
<property value="jdbc/OVSDS" name="data_source_name"/>
<property value="role_name" name="groupMembershipGroupFieldName"/>
<property value="password" name="passwordField"/>
<property value="ovs_user_role_view" name="groupMembershipTableName"/>
<property value="role_name" name="usernameField"/>
<property value="role_name" name="pw_encoding_class"/>
<property value="oracle.security.jazn.login.module.db.util.DBLoginModuleMD5Encoder" name="groupMembershipGroupFieldName"/>
</serviceInstance>
<serviceInstance provider="jaas.login.provider" name="oracledb.loginmodule">
<property value="true" name="debug"/>
<property value="true" name="addAllRoles"/>
<property value="passwd" name="passwordField"/>
<property value="role_name" name="groupMembershipGroupFieldName"/>
<property value="jdbc/authschemaDS" name="data_source_name"/>
<property value="REQUIRED" name="jaas.login.controlFlag"/>
<property value="application_roles" name="groupMembershipTableName"/>
<property value="oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule" name="loginModuleClassName"/>
<property value="FINEST" name="log.level"/>
<property value="username" name="usernameField"/>
<property value="application_users" name="table"/>
<property value="username" name="user_pk_column"/>
<property value="username" name="roles_fk_column"/>
<property value="tolower" name="casing"/>
<property value="oracle.security.jazn.login.module.db.util.DBLoginModuleClearTextEncoder" name="pw_encoding_class"/>
</serviceInstance>
thanks Edwin
Edited by: biemond on Oct 19, 2008 10:50 AM

ADF Security Authorization

As it's written in Oracle® Application Development Framework Developer’s Guide For Forms/4GL Developers B25947-01 I created file adf-config.xml file like this
<?xml version="1.0" encoding="windows-1252" ?>
<adf-config xmlns:xsi=" http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation=" http://xmlns.oracle.com/adf/config
../../../../../bc4jrt/src/oracle/adf/share/config/schema/config.xsd"
xmlns=" http://xmlns.oracle.com/adf/config "
xmlns:sec=" http://xmlns.oracle.com/adf/security/config ">
<sec:adf-config-child xmlns=" http://xmlns.oracle.com/adf/security/config ">
<JaasSecurityContext
     initialContextFactoryClass="oracle.adf.share.security.JAASInitialContextFactory"
     authorizationEnforce="true"
     jaasProviderClass="oracle.adf.share.security.providers.jazn.JAZNSecurity Context" >
</JaasSecurityContext>
</sec:adf-config-child>
</adf-config>
Assigned permissions to my roles in Authorization editior on iterators etc.. But it did get any effect.
All roles have full access to iterators!
ADFContext.getCurrent().getSecurityContext().isAuthorizationEnabled() returns false

Hi,
here's the adf-config file from my woking app
<?xml version="1.0" encoding="windows-1252" ?>
<adf-config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.oracle.com/adf/config ../../../../../bc4jrt/src/oracle/adf/share/config/schema/config.xsd"
xmlns="http://xmlns.oracle.com/adf/config"
xmlns:sec="http://xmlns.oracle.com/adf/security/config">
<sec:adf-config-child xmlns="http://xmlns.oracle.com/adf/security/config">
<JaasSecurityContext initialContextFactoryClass="oracle.adf.share.security.JAASInitialContextFactory"
jaasProviderClass="oracle.adf.share.security.providers.jazn.JAZNSecurityContext"
authorizationEnforce="true"/>
</sec:adf-config-child>
</adf-config>
Note that I don't use debug but run it from JDeveloper and the security settings are enforced. Did you set up the web.xml file - in other words, are you able to authenticate?
Frank

ADF Security Design Question

Hi All,
I am developing an ADF web application. The security design is such that user authentication is mapped to database users. The design I see several pros and cons
1) Different database users means I cannot take advantage of connection pooling.
2) The architect argues SQL querying can be controlled at database level for each user.
I have never been involved in such a web application. Can anybody please guide me if this is the way to go for ADF web application, any other pros and cons. The database is Oracle 11g. I still believe that application security should not be tied to the database security.
Worst case if I have to go with this design, How to implement ADF security using database users.
Thanks

I blogged a use case for using Proxy Authentication with JPA here http://blogs.oracle.com/olaf/2010/04/using_oracle_proxy_authenticat.html. (Being a sample it includes a setter for user name, but a case with a JAAS Subject and Principal is easily adaptable).
I'll dig out an ADF BC example and blog about it, too.
--olaf

Implementing authorization using Oralce ADF security

Hi,
We have successfully deployed a Jdev (10.1.3) ADFBC application to IAS with the authentication and part of the authorization.
Now we want to use another level of granularity to allow object instance access control based on Java Permissins using JAAS. Like "binding container", "iterator binding", "attribute binding" and "methodAction binding".
We tried to follow the "Oracle Application Development Framework Developer's Guide", chapter 30. Everything went well until we got to 30.7.2--Setting authorization on ADF binding Containers, list 3. "The Authorization Editor shows the pre-defined permissions for the binding container, along with the principles (roles and users) as defined by your resource provider". The roles and users we defined in our web.xml or jaza-data.xml do not show up in the authorization editor.
The SRDemoADFBC does not use this technique. Anybody has any idea how to do this?
Remember Frank said he was working on an end-to-end ADF security application and it could be ready by the end of this year. Is it ready yet?
Thank you,
Annie

Hi Vinod,
In my post, I present it as a best practice to have a one to one mapping of application roles and enterprise roles though it is not required. If you have 10 application roles you should create 10 enterprise roles, but again this is not required. For testing, you could create only one enterprise role, then make that role as member to all your application roles.
To simplify the case you can do the following STEPS:
In jazn.xml:
1) Let say in jazn.xml you have the following 5 application roles:
<li>ApplicationRole1
<li>ApplicationRole2
<li>ApplicationRole3
<li>ApplicationRole4
<li>ApplicationRole5
2) Still in jazn.xml, create one Enterprise Role "EnterpriseAdmin".
3) Make the"EnterpriseAdmin" as member of the 5 application roles above.
In weblogic console:
4) Go to the User and Groups page of myrealm (Home >Summary of Security Realms >myrealm >Users and Groups).
5) Create a new group named "EnterpriseAdmin" and instead of the Default Authenticator, set the authenticator to the name of SQLAuthenticator that you have created.
6) Create a user in the SQLAuthenticator and make it a member of the "EnterpriseAdmin".
7) Run your secured application in JDeveloper and login with the user credentials that you created in step#6.
Regards,
Pino

ADF security removes applied authorizations

hi,
I created a mockup page containing only panelPage inside a form. In page definition I edited authorization so that role roleA has all privileges on the page as well as roles roleB and roleC (both roleB and roleC are sub-roles of role roleA as defined in system-jazn-data.xml).
After I finished configuring ADF security I saved all and compiled the project. Then I re-opened the page definition, clicked on Edit Authorization to check if authorizations are still there, but they were gone!?
I tried several times but each time ADF security settings magically gets removed.
I think the reason is that some of the roles are sub-roles of another role. Is there a workaround?

it seems that if you try to configure ADF security for a role which has another role as a member ADF security goes into a state where the only way out is to completely delete original roles and then re-configure but this time with no roles as members of other roles. I wonder if this feature (roles as members of other roles) will be supported in ADF security and in which version of Jdev. I am using 10.1.3.2

JDEV 10.1.3.1 "ADF security" questions

Hi,
We have a couple of questions about ADF security. Hope someone knows something about it. Any help is deeply appreciated. Jdeveloper version we use is 10.1.3.1.
1. Using the ADF security to develop the application, can we deploy it to the IAS and switch to LDAP (OID) or we are obligated to use system-jazn-data.xml on IAS as well? If we have to use system-jazn-data.xml on IAS, do we need to copy the exact system-jazn-data.xml file to IAS embeddedoc4j/config directory? Any other configurations we need to do?
2. I read some documents that say it is prefered to use LDAP(OID) and
that's what we really want on the IAS. So if the answer for question 1 is we
have to use system-jazn-data.xml, does oracle have any plan for the future to
change it? I guess my question is will that be possible for us to develope the
app using system-jazn-data.xml on the developer's station (for testing
purpose) and later on we can convert it LDAP (OID) when we deploy it on IAS.
Thanks,
Annie
Message was edited by:
user447669

Hi,
1)
can we deploy it to the IAS and switch to LDAP (OID)
yes.
If we have to use system-jazn-data.xml on IAS, do we need to copy the exact system-jazn-data.xml file to IAS embeddedoc4j/config directory?
No. Only make suere the users and user goup exist and copy the JAAS Permissions added by ADF security
2) There exist a migration utility to upload ADF Security permissions from syste-jazn-data.xml to OID. It is explained in teh OC4J security guide (chapter 7) whih comes with the Oracle Application Serber 10.1.3.1
Frank

ADF Security set up - step by step tutorial - quick question

Hi
We have standalone WLS running and we have configured our ADF app security enabled in JDeveloper.
It appears that there are manual steps needed to setup on WLS or EM for users and groups in order for JDev
1- we're still unclear on what steps needed to setup on standalone WLS to get embedded LDAP or OID to match up with the users and application roles defined in JDeveloper.
We, using the ADF Security wizard have added users and application roles.
2- How do we get jazn-data.xml merged or converted to system-jazn-data.xml in standalone WLS ? Is that a manual copy merge ?
3- Is there one tutorial that would show and explain all the pieces needed to get ADF security working beginning from JDev configurations all the way to standalone WLS configuration ?
4- Which do we use to configure users and groups ? WebLogic console or Enterprise Manager ? It appears that there are 2 ways of doing it
We apologise for wrong ideas if you think we are wrong in security configurations.

Hi,
+1- we're still unclear on what steps needed to setup on standalone WLS to get embedded LDAP or OID to match up with the users and application roles defined in JDeveloper.+
We, using the ADF Security wizard have added users and application roles.
Only application roles are deployed to a stand alone WLS server (as it probably runs in production mode). So the enterprise role names (WLS groups) need to exist on WLS. This can be through manual creation using the integrated LDAP or OID, database or whatever your identity management system is. If a group name doesn't match the enterprise role name you chose in JDeveloper, you can use weblogic.xml to map the names. This can also be done using Enterprise Manager (which I think usually is preferred for production systems)
+2- How do we get jazn-data.xml merged or converted to system-jazn-data.xml in standalone WLS ? Is that a manual copy merge ?+
For security reasons, production WLS configurations only allow application roles and permissions to be automatically copied into the system-jazn-data.xml file. Users and user groups are not allowed to be copied as it would have a risk that developer deploy a backdoor into a server which then can be used by unauthorized users. As mentioned in 1), you need to provide user groups and users through your identity management system. If this is LDAP in WLS then you use the WLS console to create these. Also note that if your application uses a Java EE datasource, this needs to be configured on the stand alone server. Same here, credentials cannot be deployed to a stand alone server
+3- Is there one tutorial that would show and explain all the pieces needed to get ADF security working beginning from JDev configurations all the way to standalone WLS configuration ?+
There are 4 recordings about ADF Security here: http://www.oracle.com/technetwork/developer-tools/adf/learnmore/adfinsider-093342.html (just search for ADF Application Security and watch the 4 sessions in a row)
+4- Which do we use to configure users and groups ? WebLogic console or Enterprise Manager ? It appears that there are 2 ways of doing it+
If WLS LDAP is your identity store, you use the WLS console. All of ADF Security configuration beyond user and group provisioning is in Enterprise Manager
Frank

How to integrate a SSO based in cookie with ADF Security

At work they asked me to integrate a existing SSO based in cookie with the new ADF + Jdeveloper 11g + WLS. After google for days and read a lot of blogs and official documentation I've made a custom LoginModule. I made it very simple, it's just an "if" inside the login() function with the username, if the username is "john" I put to the Subject some Principals. My steps are:
1- Create a new app based on "Fusion application" template.
2- Make a new ADF Taskflow with only one view inside (the entry point of the taskflow). The jspx only contains a welcome message.
3- Run the ADF Security wizard, all the steps with the default option, I don't change anything.
4- Put some users and some roles in jazn-data.xml, and maping them to an application role. Then I grant permissions to the application role to view the previous task flow.
At this point everything is ok. I run the taskflow and a basic login popup prompts me to write my username and password. Now I try to remove everything useless for me, like idstore, credentials, anonymous, etc. I only want a LoginModule that get the HttpRequest and passes it to an already done class that returns a true/false depending if the cookie is correct or not but, as I said before, my LoginModule is so simple now and even didn't try to do something more complicated than an if. The steps I try are:
in jps-config.xml
5- Remove idstore.xml and credentials.
6- (loginmodule tab) Make a new login module, and put here my class. The class is in the ViewController project and JDeveloper find it navigating through the heriarchy, so I have visibility. I put REQUIRE flag, add all roles and debug mode.
7- In the security context unmark the idstore.loginmodule and mark myLoginModule. Also delete the anonymous security context.
All that I got until now is a 500 error (Internal server error - Authorization Exception). Sometimes (the close i've ever been to do something correct) the browser ask me for user/password but then only recognizes the users that already are in WLS (idstore from previous tests), but NOT the "john" user that is inside my custom LoginModule. Even more, if I run the WLS from JDeveloper 11g in debug mode, the runtime never stops at breakpoints inside my custom login module. It seems that my LoginModule isn't deployed or I made some error maping the roles.
So, my questions are:
- I'm in the good way? If I want an authentication based in cookie/httprequest I have to do a custom LoginModule? My goal is to do a re-usable code, and re-use the code that my co-workers have done. They have a class that with only the HttpRequest determines if a user is logged or not.
- If I'm in the good way... how can I put my custom LoginModule in the WLS? I tried to search something in the Administration Panel (localhost:7101/console) but I did'nt find nothing.
- In case I'd got the custom LoginModule working fine in WLS... how can I get a HttpRequest from a LoginModule and avoid the username/password dialog? I've to make a filter and pass it to the my LoginModule? If it's correct... how?
I don't post my code because is so simple, it's based on DBTableLoginModule but without all the database access code.
Thanks to all!
P.D.: If this message isn't in the correct forum, I'm sorry. Feel free to move it.
P.D.2: Sorry about my english, I'm spanish. I know i've to practise a lot :)

Hi Frank,
Thanks a lot for your answer. Just one more easy question: what I need to do is a custom Authentication Module (which will read the cookie)? If only you can point me to the correct chapter of the WLS documentation I'll be very pleased.
In future releases of JDeveloper will be easier to do this kind of things related to security?
Riveck

ADF Security, Task Flow as a region in a page resource grant

JDeveloper 12c (12.1.2); Application uses ADF form based security, external LDAP provider (Active Directory)
After sign-in page (upon successful authentication/authorization) user is forwarded to a page that executes VO method prior to render. I am new to task flow concept and am told to achieve this like:
- create bounded task flow, with method call activity (execute exposed AM method that calls VO method, runs custom SQL) and view activity as page fragment.
- then drop the above task flow into a page as a region
In ADF security setup, I gave resource grant task-flow to certain application role. Started the application, login and got 403 error. Then went back and gave resource grant 'view' to the actual page that contains task flow. It worked fine.
So the question is, when protecting application (implemented with task flows) with ADF security, I thought it is enough to grant those task flows to whatever application roles (groups) and inherently any page that uses that task flow(s) (as a region) will be protected?
From this test, it seems that I have to assign each page (that has task flow as a region) to application roles individually?

Hi,
any page that is contained in a bounded task flow is protected by the task flow permission grant, this is correct. If this is not what you see, please file a bug with support or send me a simple reproducible test case please. My mail address (replace all < name > with the described symbol.
frank <dot> nimphius <at> oracle <dot> com
The test case will need to be in a ZIP file nemaed to "unzip" and should be able for me to run stand alone (please no database scripts to run prior to try the test case)
Frank

Process of login with ADF security

Hi,
I was looking at how to implement the process of Login with the ADF security using JDev 11g and I feel very good...
My question is if it is possible to use this tool in case of use a container as Tomcat 6.x or JBoss. If it is possible to use ADF security for these containers, what should be configured to work?

Hi,
ok, I'd like to use authorization with ADF security, but as you say it is not possible in Tomcat. well, but could implement it, if there must be 3 users with different roles of the little system that I want to develop. Any idea?. There maybe a small example with user roles to use without authorization of ADF security?.

ADF Security to J2EE Container Managed Security Problems

Hi al!
I had ADF security enabled in my application. I've added roles and users to embedded OC4J Server Preferences..., configured authorization using pageDefs... (following the Introduction to ADF Security in JDeveloper 10.1.3.2 howto).
For the sake of friendlier user and roles management I decided to go to 2EE Container Managed Security (I want application manager in production environment to be able to manage users in only one place, not in DB table and extra for web app). I followed Frank Nimphius's Database Authentication and Authorization in J2EE Container Managed Security article.
Now I have some problems. I removed users and roles from embedded OC4J Server Preferences... (I believe this are used only for ADF security, am I right?). I can log to application with admin user account (app index page doesn't have any binds and even pageDef), but when trying to access admin pages I get 401 Unauthorized page.
What am I doing wrong, probably I've forgotten something? I'm a bit confused now with users and roles settings and ADF and container managed security.
Part of my web.xml file:
<servlet>
<servlet-name>adfAuthentication</servlet-name>
<servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
<init-param>
<param-name>success_url</param-name>
<param-value>/faces/app/index.jspx</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>adfAuthentication</servlet-name>
<url-pattern>/adfAuthentication/*</url-pattern>
</servlet-mapping>
<security-role>
<description>Admins</description>
<role-name>admin_role</role-name>
</security-role>
<security-role>
<description>Users</description>
<role-name>user_role</role-name>
</security-role>
<security-role>
<role-name>oc4j-administrators</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>AllAdmins</web-resource-name>
<url-pattern>faces/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin_role</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>AllUsers</web-resource-name>
<url-pattern>faces/app/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user_role</role-name>
<role-name>admin_role</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>adfAuthentication</web-resource-name>
<url-pattern>/adfAuthentication</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>oc4j-administrators</role-name>
<role-name>user_role</role-name>
<role-name>admin_role</role-name>
</auth-constraint>
</security-constraint>
Do I have to remove this adfAuthentication tags?
I know I've made things a bit complicated for me now and for anyone to help, but I hope I will get at least some pointers what to do now and maybe some explanation about roles in container managed security? Is it enaugh to have security constraints and roles defined in web.xml file or they have to be defined somewhere else also (beside the database)?
Thank you in advance!
Bye
PS
Maybe stack trace after login:
FINE: LoginConfigProvider.ctr: lmm=[LoginModuleManager: jznCfg=[JAZNConfig null], appConfigEntries={oracle.security.jazn.oc4j.CertificateAuthenticator=[javax.security.auth.login.AppConfigurationEntry@3625d0], oracle.security.jazn.tools.Admintool=[javax.security.auth.login.AppConfigurationEntry@eca6e7], oracle.security.jazn.oc4j.WebCoreIDSSOAuthenticator=[javax.security.auth.login.AppConfigurationEntry@c1c7c4], oracle.security.jazn.oc4j.DigestAuthenticator=[javax.security.auth.login.AppConfigurationEntry@221f81], oracle.security.wss.jaas.SAMLAuthManager=[javax.security.auth.login.AppConfigurationEntry@426e05], oracle.security.jazn.oc4j.JAZNUserManager=[javax.security.auth.login.AppConfigurationEntry@145240a], current-workspace-app=[javax.security.auth.login.AppConfigurationEntry@4120aa], oracle.security.wss.jaas.JAASAuthManager=[javax.security.auth.login.AppConfigurationEntry@1c78f98]}]
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
FINE: [DBTableOraDataSourceLoginModule] option data_source_name = jdbc/TESTDbDS
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
FINE: [DBTableOraDataSourceLoginModule] option table = APPLICATION_USER
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
FINE: [DBTableOraDataSourceLoginModule] option groupMembershipTableName = APPLICATION_ROLE
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
FINE: [DBTableOraDataSourceLoginModule] option usernameField = USR_EMAIL
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
FINE: [DBTableOraDataSourceLoginModule] option passwordField = USR_PSW
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
FINE: [DBTableOraDataSourceLoginModule] option groupMembershipGroupFieldName = ROLE_NAME
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
FINE: [DBTableOraDataSourceLoginModule] option user_pk_column = USR_EMAIL
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
FINE: [DBTableOraDataSourceLoginModule] option roles_fk_column = USR_EMAIL
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
FINE: [DBTableOraDataSourceLoginModule] option pw_encoding_class = null
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
FINE: [DBTableOraDataSourceLoginModule] option realm_column = null
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
FINE: [DBTableOraDataSourceLoginModule] option application_realm = null
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
FINE: [DBTableOraDataSourceLoginModule] option casing = toupper
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule login
FINE: [DBTableOraDataSourceLoginModule]login called on DBTableLoginModule
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule login
FINE: [DBTableOraDataSourceLoginModule]Calling callbackhandler ...
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule login
FINE: [DBTableOraDataSourceLoginModule]Username returned by callback = admin
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule login
FINE: [DBTableOraDataSourceLoginModule]Username changed to case as defined by toupper to ADMIN
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
FINE: [DBTableOraDataSourceLoginModule]User query string: select USR_EMAIL,USR_PSW from APPLICATION_USER where USR_EMAIL= (?)
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
FINE: [DBTableOraDataSourceLoginModule]User primary key value found = ADMIN
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
FINE: [DBTableOraDataSourceLoginModule]Password encoded by: oracle.security.jazn.login.module.db.util.DBLoginModuleClearTextEncoder
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
FINE: [DBTableOraDataSourceLoginModule]User ADMIN authenticated successfully
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
FINE: [DBTableOraDataSourceLoginModule]Roles query string: select ROLE_NAME from APPLICATION_ROLE where USR_EMAIL= (?)
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
FINE: [DBTableOraDataSourceLoginModule]DBUser Principal Name: ADMIN
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
FINE: [DBTableOraDataSourceLoginModule]DBRole Principal Name: admin_role
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule login
FINE: [DBTableOraDataSourceLoginModule]Logon Successful = true
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
FINE: [DBTableOraDataSourceLoginModule]Subject contains 0 Principals before auth
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
FINE: [DBTableOraDataSourceLoginModule]Local LM commit succeeded
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
FINE: [DBTableOraDataSourceLoginModule]Subject contains 2 Principals after auth
24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
FINE: [DBTableOraDataSourceLoginModule]Cleaning internal state!

Hi there!
I have another question about this. I've modified a bit DBRolePrincipal class to see what's going on. At the beginning of the equals(Object another) method I added this lines:
log("method equals start",0);
log("another type = " + another.getClass(), 0);
if (another instanceof Principal)
Principal mine = (Principal)another;
log("Principal mine.getName() = " + mine.getName(), 0);
The result is this output (after navigating to page that gives 401 forbidden):
07/10/12 08:38:36 [DBRolePrincipal] method equals start
07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
07/10/12 08:38:36 [DBRolePrincipal] method equals start
07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
07/10/12 08:38:36 [DBRolePrincipal] method equals start
07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
07/10/12 08:38:36 [DBRolePrincipal] method equals start
07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
07/10/12 08:38:36 [DBRolePrincipal] method equals start
07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
07/10/12 08:38:36 [DBRolePrincipal] method equals start
07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
07/10/12 08:38:36 [DBRolePrincipal] method equals start
07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
07/10/12 08:38:36 [DBRolePrincipal] method equals start
07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
07/10/12 08:38:36 [DBRolePrincipal] method equals start
07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
07/10/12 08:38:36 [DBRolePrincipal] method equals start
07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
07/10/12 08:38:36 [DBRolePrincipal] method equals start
07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
07/10/12 08:38:36 [DBRolePrincipal] method equals start
07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
07/10/12 08:38:36 [DBRolePrincipal] method equals start
07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
07/10/12 08:38:36 [DBRolePrincipal] method equals start
07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
Why is the name of ADFRolePrincipal always anyone? When I sign in with this user the output says:
07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] User query string: select USERNAME,PASSWORD from ACTIVE_APP_USER_V where USERNAME= (?)
07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] User primary key value found = admin_user
07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Password encoded by: oracle.sample.dbloginmodule.util.DBLoginModuleCearTextEncoder
07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] User admin_user authenticated successfully
07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Roles query string: select ROLE_NAME from ACTIVE_APP_ROLE_V where USERNAME= (?)
07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] DBRole Principal Name: admin_role
07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] DBUser Principal Name: admin_user
07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Logon Successful = true
07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Subject contains 0 Principals before auth
07/10/12 08:46:09 [DBUserPrincipal] method equals start
07/10/12 08:46:09 [DBUserPrincipal] another type = class oracle.sample.dbloginmodule.principals.DBRolePrincipal
07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Local LM commit succeeded
07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Subject contains 2 Principals after auth
07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Cleaning internal state!
Frank, if you haven't given up on this issue yet could you please try to explain this to me? Why doesn't admin_role principal never get compared in [equals[/i] method?
Thank you!
BB

ADF security and database

Hi all,
I am implementing ADF security on my application and I came across the following Documents:
1- http://www.oracle.com/technology/products/jdev/howtos/1013/adfsecurity/adfsecurity_10132.html
2-http://www.oracle.com/technology/products/jdev/howtos/1013/oc4jjaas/oc4j_jaas_login_module.htm
and I have a few of questions :
1- in ADF security, the edit authorization options in the PageDef reads the roles (gorups) stored on the system-jazn-data.xml file. If my roles are stored on the Database how can I read them?
2- In the first document it is said " If the role name in web.xml matches a group name in system-jazn-data.xml, no further mapping is required. If the names do not match, then the web.xml role name needs to be mapped to the name in the system-jazn-data.xml using the orion-application.xml file. ". Can I do the mapping between the system-jazn-data.xml and the Database?
3-When I assign ADF security permissions on PageDefs, It will be stored in the app-jazn-data.xml file. Can I store/read those permissions from the Database and no the app-jazn-data.xml file or at least can I do some kind of mapping between the Database and this file?
thanks in advance,
Ahmad Esbita

Hi albertpi,
Thanks for you response. This is our first ADF application.
We are planning to impliment the security as mentioned above.
We can configure the LDAP users in Weblogic server.
We have a page with multiple tables which need to be shown based on the User roles.
These roles we are planning to define in the table.
1. I need to show list of users from my LDAP Users on the ADF UI to assign the roles.
2. We will be defining our list of roles in a database table, which not sure whether they need to map to ADF application security roles.
Data in table will be something like this.
User Role
Admin Tab1
Admin Tab2
Admin Tab3
User1 Tab1
User2 Tab2
User2 Tab3
Once the User is logged in we will read this table to show/hide the respective tabs.
Can you tell us are we in right path, if yes How to achieve this.
Thanks,
Satya

[SOLVED] ADF Security: No success with DBTableOraDataSourceLoginModule

Hi,
because do not have success to implement simple ADF Security to my application for weeks I try it again with this post.
Hopefully someone who was already successful with this issue can give me the hint, missing step or something else.
I have read many forum posts, blogs and documentation (10.x) but because ADF security has been changed from 10g to 11g I'm never sure if a documented step from 10g is necessary for 11g also.
I also posted my problem to posts with similar problems but no response :-(
I use 11g, TP4.
My Requirement:
=============
- user accounts and roles are stored within database tables
- roles are not used (every user has the same rights) but stored in the database table
- Custom Login-Page (jspx)
- At login ADF Security only needs to check if the entered user/password is stored in the database table (no password encryption is used at the moment)
Steps I have done:
ADF Security wizard:
================
Step 1: Enforce Authorization NOT checked (Also tried to CHECK this checkbox)
Redirect upon sucessfull Authentication CHECKED
generate Default CHECKED
Step 2: No identity store CHECKED
Step 3: Enable Credital Store CHECKED
Step 4: No Policy Store CHECKED
Step 5: Enable Anonymous Provider
Step 6: Manage Login Modules --> Add "oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule"
Name = oracledb.loginmodule
Login Control Flag = Required
Log Level = fine
--> Add "oracledb.loginmodule" as the only "Selected login module"
Step 7: Form-Based Authentication
Generate default is CHECKED
Step 8: WebResources: allPages
Selected Roles: valid-users
Step 9: FINISH Wizard
Then I edit jps-config.xml manually. Here the actual content:
=============================================================
<serviceInstance provider="jaas.login.provider"
name="oracledb.loginmodule">
<property value="true" name="debug"/>
<property value="REQUIRED" name="jaas.login.controlFlag"/>
<property value="true" name="addAllRoles"/>
<property value="oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule"
name="loginModuleClassName"/>
<property value="FINE" name="log.level"/>
<property value="jdbc/TLS-BOBDS" name="data_source_name"/>
<property value="passwort" name="passwordField"/>
<property value="rol_rolle" name="groupMembershipGroupFieldName"/>
<property value="bediener_rollen" name="groupMembershipTableName"/>
<property value="user_kennung" name="usernameField"/>
<property value="bediener" name="table"/>
<property value="persnr" name="user_pk_column"/>
<property value="bed_persnr" name="roles_fk_column"/>
<property value="toupper" name="casing"/>
</serviceInstance>
====================================
Then I start the application. Re-direction to the login-page works fine.
I enter username/password and press submit --> Following error occures in OC4J log:
===================
WARNUNG: TLS-BOB-ViewController-webapp: error encountered during authentication
java.util.MissingResourceException: Can't find resource for bundle oracle.security.jps.internal.common.resources.common.CommonResources, key JPS-02575
     at java.util.ResourceBundle.getObject(ResourceBundle.java:325)
     at java.util.ResourceBundle.getObject(ResourceBundle.java:322)
     at java.util.ResourceBundle.getString(ResourceBundle.java:285)
     at oracle.security.jps.util.JpsBundle.getString(JpsBundle.java:133)
     at oracle.security.jps.internal.idstore.xml.idm.IdmXmlIdentityStore.searchUser(IdmXmlIdentityStore.java:424)
     at oracle.security.jps.internal.idstore.xml.idm.IdmXmlIdentityStore.searchUser(IdmXmlIdentityStore.java:401)
     at oracle.security.jps.internal.idstore.xml.idm.IdmXmlIdentityStore.searchUser(IdmXmlIdentityStore.java:99)
     at oracle.security.jps.fmw.JpsUserManager.getUserFromIdmStore(JpsUserManager.java:1109)
     at oracle.security.jps.fmw.JpsUserManager.getUser(JpsUserManager.java:1022)
     at com.evermind.security.IndirectUserManager.getUser(IndirectUserManager.java:90)
     at com.evermind.security.IndirectUserManager.getUser(IndirectUserManager.java:90)
     at com.evermind.server.http.EvermindHttpServletRequest.getUserPrincipalInternal(EvermindHttpServletRequest.java:3927)
     at com.evermind.server.http.HttpApplication.checkAuthenticationAndAuthorize(HttpApplication.java:6965)
     at com.evermind.server.http.HttpApplication.getRequestDispatcher(HttpApplication.java:3350)
     at com.evermind.server.http.HttpRequestHandler.doResolveRequestDispatcher(HttpRequestHandler.java:1005)
     at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:822)
     at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:658)
     at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:626)
     at com.evermind.server.http.HttpRequestHandler.serveOneRequest(HttpRequestHandler.java:417)
     at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:189)
     at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:163)
     at oracle.oc4j.network.ServerSocketReadHandler$ClientRunnable.run(ServerSocketReadHandler.java:275)
     at oracle.oc4j.network.ServerSocketAcceptHandler.procClientSocket(ServerSocketAcceptHandler.java:237)
     at oracle.oc4j.network.ServerSocketAcceptHandler.access$800(ServerSocketAcceptHandler.java:29)
     at oracle.oc4j.network.ServerSocketAcceptHandler$AcceptHandlerHorse.run(ServerSocketAcceptHandler.java:877)
     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:650)
     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:675)
     at java.lang.Thread.run(Thread.java:595)
==================================================
My questions:
=============
1) Are there additional steps necessary to implement ADF Security for my requirements ?
2) If yes, which? Which files I have to edit manually after ADF security wizard has been finished?
Any help is warmly welcome !
regards
Peter

Hello
Many thanks to CP and Andre who gave the missing hints in this tread:
OC4J 11g and JAZN
The property custom.provider mentioned by cp was the "missing link" --> now it works.
BUT "Nobody knows the trouble I've seen ..." !
I made dozens of trials with the same application and always similar (strange) results.
When I CHECK "enforce Authorization" in the ADF security wizard then
the redirection to the Login Page does NOT work (reason is unclear for me)
If I UNCHECK "enforce Authorization" in the ADF security wizard then
the redirection to the login page works fine BUT the redirect upon succesful Authentication doesn't work.
--> In this case following code is missing in web.xml
=====================
<servlet>
<servlet-name>adfAuthentication</servlet-name>
<servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
<init-param>
<param-name>success_url</param-name>
<param-value>welcome.jsp</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
=================================
I think (but not 100%) that SOMETIMES the propertie "<property value="true" name="custom.provider"/>" has been created by the ADF security wizard.
SOMETIMES I was not able to create the default welcome.jsp with the ADF Security Wizard, ....
Maybe someone can reproduce this behaviour and fills a bug.
regards
Peter

GOTCHA's with Setting up ADF Security with JDev 11.1.1.6.0

If you're getting into ADF security, you're probably going to want to get rid of that ugly default login.html page. I mean, it gets the job done, but we want something a little better. And if you want something a little better and you're using JDev 11.1.1.6.0, it behooves you to read this post!
First off, get acquainted with these four posts. All good stuff. They'll walk you through the 1st half of what you need to know. Y'know, the non-Gotcha half.
http://one-size-doesnt-fit-all.blogspot.com/2010/07/adf-security-revisited-again-again.html
http://myadfnotebook.blogspot.com/2011/11/adf-security-basics.html
http://andrejusb.blogspot.com/2010/11/things-you-must-know-about-adf-faces.html
http://java2go.blogspot.com/2010/12/creating-centered-page-layout-using-adf.html
Are you getting either of the following errors?
<CodebasePolicyHandler> <migrateDeploymentPolicies> Migration of codebase policy failed. Reason: {0}.
oracle.security.jps.JpsException: java.lang.IllegalArgumentException: oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl
Error 500--Internal Server Error
java.lang.RuntimeException: Cannot find FacesContextI'll show you where they're coming from. Follow along.
1) Create a new application.
2) Create three .jspx pages called login, error, and welcome.
3) Generate PageDef files for them by right-clicking on the file and selecting "Go To PageDefinition". You'll want these so that you may apply security against them.
4) Right-Click on your Application and select Secure->Configure ADF Security
5) ADF Authentication and Authorization -> Form Based Authentication (Use the search symbol to select your created login and error pages. Should be something like "/faces/login.jspx") -> No Automatic Grants -> Finish
Right-Click your welcome.jspx and select run. You'll get this error before your web page opens up in your browser and then proceeds to wig out.
<CodebasePolicyHandler> <migrateDeploymentPolicies> Migration of codebase policy failed. Reason: {0}.
oracle.security.jps.JpsException: java.lang.IllegalArgumentException: oracle.security.jps.internal.core.principals.JpsAnonymousRoleImplThat just won't do. Let's fix it, shall we?
6) Open your newly JDev created jazn-data.xml file. It's located in the Application Resources panel (usually located by Data Controls and your Projects expandable panels)
7) Resource Grants -> Resource Type (Web Page dropdown) -> error page should have a key symbol by it. Delete the anonymous role in the "Granted To" column. Now click the green button to add an Application Role. Huh, there's TWO of them? How bout that? Looks like we're going to have to delete some XML code!
8) Click the Source tab on the bottom of the page to open up the XML View. You'll see the following piece of erroneous code. Erroneous, I say!
<policy-store>
    <applications>
      <application>
        <name>SecurityError</name>
        <app-roles>
          // Hello, I'm the app role that has sucked away two hours of your life that you can never, ever get back
          <app-role>
            <name>anonymous-role</name>
            <class>oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl</class>
            <display-name>anonymous-role</display-name>
          </app-role>
         // Whew, the end of that app role
        </app-roles>
        <jazn-policy>
          <grant>9) You're going to want to delete that app role XML
10) Go back into your jazn-data.xml file and create some users. For example, bob and jane. Create an Enterprise role called "admin". Put bob and jane as members into this Enterprise role. Create an Application role called managers. Map managers to your Enterprise role admin.
11) Go back to the Resource Grants tab -> Resource Type (Web Page) and delete any "Granted To" authorizations that may assigned to any of the pages. Assigned a "Granted To" application role of "anonymous-role" to the error and login pages. Assign "managers" to welcome.
12) Run your welcome page. Yay, the error is gone. How sweet it is.
Now you want to refactor/move your login and error page somewhere else? Great, just right-click and select factor. Refactor to some place like /public_html/jspx/<your login page>.jspx. Re-run your welcome page.
// You fool!
Error 404--Not Found
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.5 404 Not FoundThat's not so good. Let's fix that.
1) Open up web.xml. It's located at ViewController/WEB-INF/web.xml.
2) Click the security tab and you'll see Form-Based Authentication with a login page and error page. Click that Search glass and locate your new file. Do the same for the error page. You should see something like "/jspx/login.jspx" come back.
3) Re-run your welcome page.
// Suckered AGAIN!
Error 500--Internal Server Error
java.lang.RuntimeException: Cannot find FacesContextThis is a tricky one. The search icon brings back a faulty address. Since we're using a .jspx page, it needs to be "/faces/jspx/login.jspx". Repeat for the error page. Re-run your welcome.jspx.
Ahh!! Now THAT's how we do it in Kingsport!
Finally, a custom .jspx login works. Now what are you doing here? Shouldn't you be playing some Diablo 3?
Will

Ha :-)
Point being good summaries like yours tend to get lost on the forums because of the volume of posts. With a blog people have the chance to subscribe to your posts so it's just a better vehicle all round for posting content to help others.
I highly recommend writing blogs even if it's for scratch notes, because you'll learn a lot in structuring your thoughts. It's also a really good way to get noticed in the community because bloggers stand out.
But your call, no pressure of course ;-)
CM.

ADF Security Authorization question

Similar Messages

Maybe you are looking for