ADF Security : Custom Permission

Hi,
I have a requirement to authorize the user based on role and instance (category he selected).
I think we can create a custom permission for this and put the logic to check the instance (category) for the current role in the implies(Permission perm) method. And then, declaratively assign this permission to the ADF BC layer, binding layer and view layer.
But I am not sure if this is the right approach.
Can somebody please point me to some examples or documentation on how to approach this?
This thread How to approach authorization taking data into account (?) also talks about this scenario.
Regards
Aradhana
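
One way the approach in the question could look, as an added example that is not from the thread or from Oracle's documentation: a custom java.security.Permission whose implies() compares category and actions, while the role binding stays in the grant rather than inside implies(). The class name CategoryPermission, the action names, the role names and the in-memory grants map (standing in for the policy store) are assumptions; it needs Java 11 or later.

```java
import java.security.Permission;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;

/** Hypothetical instance-level permission: name = category, actions = comma-separated list. */
public final class CategoryPermission extends Permission {
    private static final long serialVersionUID = 1L;
    // Assumed action vocabulary; anything else is rejected at construction time.
    private static final Set<String> KNOWN_ACTIONS = Set.of("view", "edit");
    private final SortedSet<String> actions = new TreeSet<>();

    public CategoryPermission(String category, String actionList) {
        super(requireCategory(category));
        Objects.requireNonNull(actionList, "actionList");
        for (String raw : actionList.split(",")) {
            String action = raw.trim().toLowerCase(Locale.ROOT);
            if (!KNOWN_ACTIONS.contains(action)) {
                throw new IllegalArgumentException("unknown action: '" + raw + "'");
            }
            actions.add(action);
        }
    }

    private static String requireCategory(String category) {
        if (category == null || category.isBlank()) {
            throw new IllegalArgumentException("category must not be empty");
        }
        return category;
    }

    /**
     * Called on the GRANTED permission with the REQUESTED one as argument.
     * Only category and actions are compared here; which role holds the grant
     * is decided by the grant's grantee, not by this method.
     */
    @Override
    public boolean implies(Permission requested) {
        if (!(requested instanceof CategoryPermission)) {
            return false;
        }
        CategoryPermission other = (CategoryPermission) requested;
        // "*" as a granted category covers every category; a request never widens a grant.
        boolean categoryMatches = "*".equals(getName()) || getName().equals(other.getName());
        return categoryMatches && actions.containsAll(other.actions);
    }

    @Override
    public String getActions() {
        return String.join(",", actions); // canonical, sorted form
    }

    @Override
    public boolean equals(Object o) {
        if (!(o instanceof CategoryPermission)) {
            return false;
        }
        CategoryPermission other = (CategoryPermission) o;
        return getName().equals(other.getName()) && actions.equals(other.actions);
    }

    @Override
    public int hashCode() {
        return Objects.hash(getName(), actions);
    }

    /** Default-deny check: allowed only if some grant of some role the user holds implies the request. */
    static boolean isAllowed(Map<String, List<CategoryPermission>> grantsByRole,
                             Set<String> userRoles, CategoryPermission requested) {
        for (String role : userRoles) {
            for (CategoryPermission granted : grantsByRole.getOrDefault(role, List.of())) {
                if (granted.implies(requested)) {
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample grants; in a deployed application these would live in the policy store.
        Map<String, List<CategoryPermission>> grants = Map.of(
            "catalog-viewer", List.of(new CategoryPermission("books", "view")),
            "catalog-editor", List.of(new CategoryPermission("books", "view,edit")),
            "catalog-admin", List.of(new CategoryPermission("*", "view,edit")));

        CategoryPermission editBooks = new CategoryPermission("books", "edit");
        CategoryPermission editMusic = new CategoryPermission("music", "edit");

        System.out.println(isAllowed(grants, Set.of("catalog-viewer"), editBooks));
        System.out.println(isAllowed(grants, Set.of("catalog-editor"), editBooks));
        System.out.println(isAllowed(grants, Set.of("catalog-editor"), editMusic));
        System.out.println(isAllowed(grants, Set.of("catalog-admin"), editMusic));
        System.out.println(isAllowed(grants, Set.of("unknown-role"), editBooks));
    }
}
```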


Similar Messages

  • How to define permission in ADF Security programmatically

    Hi
    I am trying to develop an application in ADF and I need to declare Application-Role, Permission and Principal programmatically and store them in the policy store.
    I found an example in chapter 19 of E10043-12, but it just creates an Application-Role! I need to know how I can detect my TaskFlow, PageDefinition and other resources of my application at runtime to protect them after deployment through a custom security console. In other words, I am trying to find a way to store my pageDef or TaskFlow names in a database, or detect them programmatically at runtime, and grant permissions to my users or enterprise roles to allow or deny access to my application pages, TaskFlows and, if possible, entities and their attributes.
    Link to chapter 19 of E10043-12: http://docs.oracle.com/cd/E23943_01/core.1111/e10043/intregrating.htm#BABECICC
    Thank you so much

    Hi,
    you can configure WLS to use the database as the policy store, which then means that you write permissions to the database infrastructure. However, you should be able to update the default file-based policy store or OID-based store as well.
    For database OPSS store see: http://docs.oracle.com/cd/E15586_01/core.1111/e10043/cfgauthr.htm#CHDHAIBJ
    I am not sure if OPSS supports direct updates to the policy tables. Here's a blog post on how to update policies with WLST scripts: http://enterprisesecurityinjava.blogspot.de/2010/03/ok-more-details-here.html
    Bottom line is that this is less an ADF Security question than a general WLS/OPSS question of how to administer policies using a custom interface. For this you can use WLS MBeans and WLST script, which is my understanding.
    Frank

  • Jdev 10.1.3.1 "ADF Security": Application without a custom login page?

    Hi,
    We are trying to develop an application using "ADF security", which means we can give permissions to certain roles based on "Binding Container", "Iterator Binding", "Method Action Binding" and "Attribute-level Binding".
    After reading the document -- "Oracle® Containers for J2EE Security Guide 10g (10.1.3.1.0) B28957-01" that Frank pointed out. We have a question:
    Can we develop an ADF application without creating a custom login page? Right now we've followed the security guide and modified the configuration files. But when we run the application, we get the "user null" error message. The reason is clear because we do not have a login page. On the security guide, it says that it is possible to use the oracle default login module. But it does not say how. Does anyone have any idea?
    Thanks,
    Annie

    Brenden,
    Thank you so much for the reply. This is our code in the web.xml:
    <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>default</realm-name>
    </login-config>
    We are using HTTP basic Authentication. This technique worked for the container-managed security. The browser default login page pops up when the end users try to log into a secured JSP. But here we want to use "ADF security" to set up "Iterator binding" and "Attribute level binding" security. The browser default login page does NOT show up. Instead we get the "user null" error message.
    If you have detailed step on how to select HTTP Basic Authentication, it would be very helpful to us. Or if you know any document has the detail.
    regards,
    Annie

  • How to store Custom principal in Oracle ADF security Framework

    Hi guys, hope somebody will help me out.
    I am facing the following issue: I need to have a custom principal instance after the Oracle ADF security framework authenticates and authorizes the user.
    My custom principal instance should have, per se, an additional attribute, say clientId. I am using JDeveloper 11.1.2.4 and I set up WebLogic to use ReadOnlySQLAuthenticator (it does most of the desired functionality).
    As far as I get it, I would have to implement a custom provider to have a chance to implement a custom LoginModule, so I can set it up to use my custom principal, am I right? And I am not sure how the ReadOnlySQLAuthenticatorImpl that I chose in WebLogic is bound to DBMSAtnLoginModuleImpl (I mean, how does it know which LoginModule it should use) and, if I can, how I can make ReadOnlySQLAuthenticatorImpl use my custom LoginModule.
    Sorry if I violated forum rules.

    "and I am not sure how the ReadOnlySQLAuthenticatorImpl that I chose in WebLogic is bound to DBMSAtnLoginModuleImpl (I mean, how does it know which LoginModule it should use)"
    This info is returned by getLoginModuleConfiguration(): AuthenticationProvider (BEA WebLogic Server 10.0 API Reference)
    Dario

  • [Solved] ADF Security permission error

    Hi,
    I have used ADF Security to authorize access on SRTutorial sample application but I get an error: 'JBO-35108: No permission for action: executeWithParams'. There is not an 'Edit Authorization' context menu item for this method, so how can I set permissions for it?
    Thanks,
    Saeed
    Message was edited by:
    Saeed Shafieian

    Hi Frank and Saeed,
    I get the same error (JBO-35108) as Saeed. The only difference is that the error occurs in my own application (not in SRDemo, I didn't test this). Is there any workaround or bugfix available, or is waiting for a newer JDeveloper version the only solution?
    Does JDeveloper 11g solve the problem?
    Original error message (in German):
    Fehler
    JBO-35108: Keine Berechtigung für Aktion: executeWithParams.
    My JDeveloper version:
    Studio Edition Version 10.1.3.2.0.4066
    What does 'RMT' mean?
    TNX in advance
    hobbes

  • Creating a WebCenter Application with PageCutomizable and ADF Security

    I created a Webcenter App in Jdev 11.1.1.2.0 with webcenter extension.
    I have 2 JSPX files.
    One called mainTemplate.jspx
    - contains header, footer in ADF and a center facet.
    One called Welcome.jspx created from mainTemplate
    - contains page customizable > panel customizable > layout customizable > various custom panel configs.
    ADF security is configured with BASIC, authentication only. Because form authentication seems harder to get working.
    We have one weblogic user, and currently deploy to the integrated WLS, although we'll deploy out to a full server once security/composer is working.
    The problem is, when we run the Welcome.jspx, and because we added a reference to a logged in var, it requests http login fine.
    We then refresh the page and see that we are indeed logged in as 'weblogic'.
    Is weblogic a special user? should I create a new one? Is there any setup required on the Integrated WLS to get this working?
    However when we click on 'add Content' using the composer we get a permission error.
    <RegistrationConfigurator><handleError> Server Exception during PPR, #1
    javax.el.ELException: oracle.adf.view.page.editor.security.ComposerSecurityException: You do not have permission to edit the page
         at com.sun.el.parser.AstValue.invoke(AstValue.java:161)
         ...
    Caused by: oracle.adf.view.page.editor.security.ComposerSecurityException: You do not have permission to edit the page
         at oracle.adfinternal.view.page.editor.bean.DialogBean.setDialogHelp(DialogBean.java:129)
         at oracle.adfinternal.view.page.editor.bean.DialogBean.showResourceCatalog(DialogBean.java:356)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         ...
    I tried using the Customization allowed var in the property inspector, but could not map 'allowed by' to a user or role that my setup would recognise. The doco specifies 'admin' which does not work for me.
    In my catalog I have a WCM portlet taskflow, which will require its own permissions.
    I tried enabling permissions for the test-all role to all of my pages/taskflows, leaving just the 'view' permission to the anonymous role.
    I also tried authentication/authorization profiles, and building my own jspx login/error pages, but no luck there either; the login button doesn't seem to trigger my java doLogin class, even though I set the binding on the button using the method expression builder to the bean method.
    *note: I didn't try the welcome/login/error page auto create as they generate html files, I created JSFs with full UI in there. Am I required to use those html types instead of jspx? I found that the redirection worked by appending the jspx reference with '/faces/Login.jspx'. The problem seemed to have been somewhere else.
    If we have any Webcenter Composer / Security gurus out there, help would be greatly appreciated.
    Our main goal is to create a Webcenter App which has security/composer/navigation and a catalog with WCM/Siebel portlets similar to the Avitek demo without using WC Spaces.
    Thanks.
    Edited by: Guillaume_Davies_SC on Apr 20, 2010 7:28 PM

    When you want to achieve this you need to configure ADF security with basic authentication & authorization. The authorization is the part that takes care of what a user may and may not do in an application. Authentication is just the log in part.
    When you have configured your application for authorization as well, you have to create roles and groups.
    You will also have to set the authorization of your pages. Open a jspx and in the design or source view, right click and "edit authorization". You then have to add roles to your pages and define their rights. Then you can set the authorization for edit, customize, personalize, view, ...
    Hope this helps.

  • ADF Security, Task Flow as a region in a page resource grant

    JDeveloper 12c (12.1.2); Application uses ADF form based security, external LDAP provider (Active Directory)
    After sign-in page (upon successful authentication/authorization) user is forwarded to a page that executes VO method prior to render. I am new to task flow concept and am told to achieve this like:
    - create bounded task flow, with method call activity (execute exposed AM method that calls VO method, runs custom SQL) and view activity as page fragment.
    - then drop the above task flow into a page as a region
    In ADF security setup, I gave resource grant task-flow to certain application role. Started the application, login and got 403 error. Then went back and gave resource grant 'view' to the actual page that contains task flow. It worked fine.
    So the question is, when protecting application (implemented with task flows) with ADF security, I thought it is enough to grant those task flows to whatever application roles (groups) and inherently any page that uses that task flow(s) (as a region) will be protected?
    From this test, it seems that I have to assign each page (that has task flow as a region) to application roles individually?

    Hi,
    any page that is contained in a bounded task flow is protected by the task flow permission grant, this is correct. If this is not what you see, please file a bug with support or send me a simple reproducible test case please. My mail address (replace all < name > with the described symbol):
    frank <dot> nimphius <at> oracle <dot> com
    The test case will need to be in a ZIP file named to "unzip" and should be able for me to run stand alone (please no database scripts to run prior to try the test case)
    Frank

  • Oracle ADF Security

    Dear All,
    we have created some good number of Custom ResourcePermissions in our Oracle ADF 11g Application. we are trying to refer the permissions with wildcard character in jazn-data.xml. The same worked well for taskflows.
    Is there anyway that we can implement wildcard character in custom resource  Permissions ?
    we are calling hasPermission() API to check whether permission exists or not. Currently this method returns false when we configured the resource name in wildcard character.
    For example, actual key - a.b.c.menu
    wild card character we are referring for this key is a.*.*.menu  . The hasPermission() returns false for this case.
    Regards
    Deivee

    Hi,
    more an OPSS question than ADF Security. Anyway, the answer is
    "No wildcard use is supported in a resource permission."
    See:  The OPSS Policy Model - 11g Release 1 (11.1.1)
    Frank

  • Oracle ADF security integration with Oracle E-Business Suite SDK JAAS

    I have an Oracle ADF 11.1.2.2 application that is using ADF security for authentication and authorization.
    When we deploy this application to our JDeveloper integrated weblogic server, we utilize the security setting of "Custom" and use weblogic users and roles to map to the ADF application roles. In that environment our security is working properly.
    I have a Weblogic 10.3.5 standalone server that has the ADF runtime installed as well as the Oracle E-Business Suite SDK JAAS implementation installed.
    When I deploy the Oracle ADF application to the standalone weblogic server, I am directed to the JAAS login page when I attempt to access any JSF page (including those that I have granted View access through the anonymous-role). Does the Oracle ADF anonymous-role work (allow for anonymous page access) when JAAS security is handled by the Oracle E-Business Suite SDK JAAS implementation?
    Per the SDK instructions, when we install the Oracle ADF deployment on Weblogic we have selected "DD only" for our security setting. We have defined enterprise roles in the Oracle ADF security setup (jazn-data.xml) that are assigned the appropriate application roles. Those enterprise roles have the same name (i.e. UMX|YOURROLE) as the E-Business Suite roles that are assigned to our test users. When we login with an E-Business Suite user / password we are receiving an error:
    Error 401--Unauthorized
    From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
    10.4.2 401 Unauthorized
    Any thoughts on why that would be?
    Thanks
    Dan

    Thanks Juan.
    With the debugging options enabled it appears the issue is not an issue with the user / role credentials - it seems like the resource grants from jazn-data.xml are not being reviewed in my standalone weblogic instance EAR deployment:
    [JpsAuth] Check Permission
    PolicyContext: [TestApp]
    Resource/Target: [untitled1PageDef]
    Action: [view]
    Permission Class: [oracle.adf.share.security.authorization.RegionPermission]
    Result: [FAILED]
    Evaluator: [ACC]
    Failed ProtectionDomain:ClassLoader=sun.misc.Launcher$AppClassLoader@13f5d07
    CodeSource=file:/app/oracle/product/Middleware/oracle_common/modules/oracle.adf.share_11.1.1/adf-share-support.jar
    Principals=total 2 of principals(
    1. JpsPrincipal: oracle.security.jps.internal.core.principals.JpsAnonymousUserImpl "anonymous" GUID=null DN=null
    2. JpsPrincipal: oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl "anonymous-role" GUID=null DN=null)
    When I access the same page from my integrated weblogic server I see:
    [JpsAuth] Check Permission
    PolicyContext: [TestApp]
    Resource/Target: [untitled1PageDef]
    Action: [view]
    Permission Class: [oracle.adf.share.security.authorization.RegionPermission]
    Result: [FAILED]
    Evaluator: [ACC]
    Failed ProtectionDomain:ClassLoader=sun.misc.Launcher$AppClassLoader@13f5d07
    CodeSource=file:/app/oracle/product/Middleware/oracle_common/modules/oracle.adf.share_11.1.1/adf-share-support.jar
    Principals=total 2 of principals(
    1. JpsPrincipal: oracle.security.jps.internal.core.principals.JpsAnonymousUserImpl "anonymous" GUID=null DN=null
    2. JpsPrincipal: oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl "anonymous-role" GUID=null DN=null)
    When I review my EAR - I do see jazn-data.xml at:
    /META-INF/jazn-data.xml
    I will review the system-jazn-data.xml to see if the policy information has been migrated properly as part of the EAR deployment.
    Thanks.
    -Dan

  • GOTCHA's with Setting up ADF Security with JDev 11.1.1.6.0

    If you're getting into ADF security, you're probably going to want to get rid of that ugly default login.html page. I mean, it gets the job done, but we want something a little better. And if you want something a little better and you're using JDev 11.1.1.6.0, it behooves you to read this post!
    First off, get acquainted with these four posts. All good stuff. They'll walk you through the 1st half of what you need to know. Y'know, the non-Gotcha half.
    http://one-size-doesnt-fit-all.blogspot.com/2010/07/adf-security-revisited-again-again.html
    http://myadfnotebook.blogspot.com/2011/11/adf-security-basics.html
    http://andrejusb.blogspot.com/2010/11/things-you-must-know-about-adf-faces.html
    http://java2go.blogspot.com/2010/12/creating-centered-page-layout-using-adf.html
    Are you getting either of the following errors?
    <CodebasePolicyHandler> <migrateDeploymentPolicies> Migration of codebase policy failed. Reason: {0}.
    oracle.security.jps.JpsException: java.lang.IllegalArgumentException: oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl
    Error 500--Internal Server Error
    java.lang.RuntimeException: Cannot find FacesContext
    I'll show you where they're coming from. Follow along.
    1) Create a new application.
    2) Create three .jspx pages called login, error, and welcome.
    3) Generate PageDef files for them by right-clicking on the file and selecting "Go To PageDefinition". You'll want these so that you may apply security against them.
    4) Right-Click on your Application and select Secure->Configure ADF Security
    5) ADF Authentication and Authorization -> Form Based Authentication (Use the search symbol to select your created login and error pages. Should be something like "/faces/login.jspx") -> No Automatic Grants -> Finish
    Right-Click your welcome.jspx and select run. You'll get this error before your web page opens up in your browser and then proceeds to wig out.
    <CodebasePolicyHandler> <migrateDeploymentPolicies> Migration of codebase policy failed. Reason: {0}.
    oracle.security.jps.JpsException: java.lang.IllegalArgumentException: oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl
    That just won't do. Let's fix it, shall we?
    6) Open your newly JDev created jazn-data.xml file. It's located in the Application Resources panel (usually located by Data Controls and your Projects expandable panels)
    7) Resource Grants -> Resource Type (Web Page dropdown) -> error page should have a key symbol by it. Delete the anonymous role in the "Granted To" column. Now click the green button to add an Application Role. Huh, there's TWO of them? How bout that? Looks like we're going to have to delete some XML code!
    8) Click the Source tab on the bottom of the page to open up the XML View. You'll see the following piece of erroneous code. Erroneous, I say!
      <policy-store>
        <applications>
          <application>
            <name>SecurityError</name>
            <app-roles>
              // Hello, I'm the app role that has sucked away two hours of your life that you can never, ever get back
              <app-role>
                <name>anonymous-role</name>
                <class>oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl</class>
                <display-name>anonymous-role</display-name>
              </app-role>
             // Whew, the end of that app role
            </app-roles>
            <jazn-policy>
              <grant>
    9) You're going to want to delete that app role XML
    10) Go back into your jazn-data.xml file and create some users. For example, bob and jane. Create an Enterprise role called "admin". Put bob and jane as members into this Enterprise role. Create an Application role called managers. Map managers to your Enterprise role admin.
    11) Go back to the Resource Grants tab -> Resource Type (Web Page) and delete any "Granted To" authorizations that may be assigned to any of the pages. Assign a "Granted To" application role of "anonymous-role" to the error and login pages. Assign "managers" to welcome.
    12) Run your welcome page. Yay, the error is gone. How sweet it is.
    Now you want to refactor/move your login and error page somewhere else? Great, just right-click and select factor. Refactor to some place like /public_html/jspx/<your login page>.jspx. Re-run your welcome page.
    // You fool!
    Error 404--Not Found
    From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
    10.4.5 404 Not Found
    That's not so good. Let's fix that.
    1) Open up web.xml. It's located at ViewController/WEB-INF/web.xml.
    2) Click the security tab and you'll see Form-Based Authentication with a login page and error page. Click that Search glass and locate your new file. Do the same for the error page. You should see something like "/jspx/login.jspx" come back.
    3) Re-run your welcome page.
    // Suckered AGAIN!
    Error 500--Internal Server Error
    java.lang.RuntimeException: Cannot find FacesContext
    This is a tricky one. The search icon brings back a faulty address. Since we're using a .jspx page, it needs to be "/faces/jspx/login.jspx". Repeat for the error page. Re-run your welcome.jspx.
    Ahh!! Now THAT's how we do it in Kingsport!
    Finally, a custom .jspx login works. Now what are you doing here? Shouldn't you be playing some Diablo 3?
    Will

    Ha :-)
    Point being good summaries like yours tend to get lost on the forums because of the volume of posts. With a blog people have the chance to subscribe to your posts so it's just a better vehicle all round for posting content to help others.
    I highly recommend writing blogs even if it's for scratch notes, because you'll learn a lot in structuring your thoughts. It's also a really good way to get noticed in the community because bloggers stand out.
    But your call, no pressure of course ;-)
    CM.

  • How to integrate a SSO based in cookie with ADF Security

    At work they asked me to integrate a existing SSO based in cookie with the new ADF + Jdeveloper 11g + WLS. After google for days and read a lot of blogs and official documentation I've made a custom LoginModule. I made it very simple, it's just an "if" inside the login() function with the username, if the username is "john" I put to the Subject some Principals. My steps are:
    1- Create a new app based on "Fusion application" template.
    2- Make a new ADF Taskflow with only one view inside (the entry point of the taskflow). The jspx only contains a welcome message.
    3- Run the ADF Security wizard, all the steps with the default option, I don't change anything.
    4- Put some users and some roles in jazn-data.xml, and mapping them to an application role. Then I grant permissions to the application role to view the previous task flow.
    At this point everything is ok. I run the taskflow and a basic login popup prompts me to write my username and password. Now I try to remove everything useless for me, like idstore, credentials, anonymous, etc. I only want a LoginModule that get the HttpRequest and passes it to an already done class that returns a true/false depending if the cookie is correct or not but, as I said before, my LoginModule is so simple now and even didn't try to do something more complicated than an if. The steps I try are:
    in jps-config.xml
    5- Remove idstore.xml and credentials.
    6- (loginmodule tab) Make a new login module, and put here my class. The class is in the ViewController project and JDeveloper find it navigating through the hierarchy, so I have visibility. I put REQUIRE flag, add all roles and debug mode.
    7- In the security context unmark the idstore.loginmodule and mark myLoginModule. Also delete the anonymous security context.
    All that I got until now is a 500 error (Internal server error - Authorization Exception). Sometimes (the closest I've ever been to do something correct) the browser ask me for user/password but then only recognizes the users that already are in WLS (idstore from previous tests), but NOT the "john" user that is inside my custom LoginModule. Even more, if I run the WLS from JDeveloper 11g in debug mode, the runtime never stops at breakpoints inside my custom login module. It seems that my LoginModule isn't deployed or I made some error mapping the roles.
    So, my questions are:
    - I'm in the good way? If I want an authentication based in cookie/httprequest I have to do a custom LoginModule? My goal is to do a re-usable code, and re-use the code that my co-workers have done. They have a class that with only the HttpRequest determines if a user is logged or not.
    - If I'm in the good way... how can I put my custom LoginModule in the WLS? I tried to search something in the Administration Panel (localhost:7101/console) but I didn't find anything.
    - In case I'd got the custom LoginModule working fine in WLS... how can I get a HttpRequest from a LoginModule and avoid the username/password dialog? I've to make a filter and pass it to the my LoginModule? If it's correct... how?
    I don't post my code because is so simple, it's based on DBTableLoginModule but without all the database access code.
    Thanks to all!
    P.D.: If this message isn't in the correct forum, I'm sorry. Feel free to move it.
    P.D.2: Sorry about my english, I'm spanish. I know i've to practise a lot :)

    Hi Frank,
    Thanks a lot for your answer. Just one more easy question: what I need to do is a custom Authentication Module (which will read the cookie)? If only you can point me to the correct chapter of the WLS documentation I'll be very pleased.
    In future releases of JDeveloper will be easier to do this kind of things related to security?
    Riveck

  • ADF Security Wizard

    All,
    the ADF Security Wizard adds the following line to my jsp-config.xml which results in an exception as soon as a BC4J-connection is opened:
    jsp-config.xml:
    <property value="doasprivileged" name="oracle.security.jps.jaas.mode"/>
    exception:
    oracle.adf.share.security.ADFSecurityRuntimeException: Unable to fetch JpsUser principal from the current subject Betreff:
         Principal: DBUserPrincipal: test
         Principal: [JpsAuthenticatedRoleImpl: authenticated-role]
         at oracle.adf.share.security.providers.jps.CSFCredentialStore.extractJpsUser(CSFCredentialStore.java:824)
         at oracle.adf.share.security.providers.jps.CSFCredentialStore.getUserPrincipal(CSFCredentialStore.java:804)
         at oracle.adf.share.security.providers.jps.CSFCredentialStore.fetchCredential(CSFCredentialStore.java:320)
         at oracle.adf.share.security.credentialstore.CredentialStore.fetchCredential(CredentialStore.java:108)
         at oracle.adf.share.jndi.CredentialStoreHelper.fetchCredential(CredentialStoreHelper.java:93)
         at oracle.adf.share.jndi.ReferenceStoreHelper.loadCredentials(ReferenceStoreHelper.java:812)
         at oracle.adf.share.jndi.ReferenceStoreHelper.createReference(ReferenceStoreHelper.java:579)
         at oracle.adf.share.jndi.ReferenceStoreHelper.getReferencesMapEx(ReferenceStoreHelper.java:329)
         at oracle.adf.share.jndi.ContextImpl.load(ContextImpl.java:661)
         at oracle.adf.share.jndi.ContextImpl.init(ContextImpl.java:335)
         at oracle.adf.share.jndi.ContextImpl.<init>(ContextImpl.java:81)
         at oracle.adf.share.jndi.InitialContextFactoryImpl.getInitialContext(InitialContextFactoryImpl.java:15)
         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
         at javax.naming.InitialContext.init(InitialContext.java:223)
    [2008-06-04T18:52:34.941+02:00] [adf] [WARNING] [] [share.jndi.ReferenceStoreHelper] [tid: 12] [ecid: 0000HdKVbj000000000000000002g6lsq000000003,0] [APP: current-workspace-app] Incomplete connection information
    [2008-06-04T18:52:53.984+02:00] [adf] [WARNING] [] [controller.faces.lifecycle.FacesPageLifecycle] [tid: 12] [ecid: 0000HdKVbj000000000000000002g6lsq000000003,0] [APP: current-workspace-app] ADFc: Error while opening JDBC connection.[[
    oracle.jbo.DMLException: JBO-26061: Error while opening JDBC connection.
         at oracle.jbo.server.ConnectionPool.createConnection(ConnectionPool.java:253)
         at oracle.jbo.server.ConnectionPool.instantiateResource(ConnectionPool.java:168)
         at oracle.jbo.pool.ResourcePool.createResource(ResourcePool.java:545)
         at oracle.jbo.pool.ResourcePool.useResource(ResourcePool.java:327)
         at oracle.jbo.server.ConnectionPool.getConnectionInternal(ConnectionPool.java:104)
         at oracle.jbo.server.ConnectionPool.getConnection(ConnectionPool.java:70)
         at oracle.jbo.server.ConnectionPoolManagerImpl.getConnection(ConnectionPoolManagerImpl.java:56)
         at oracle.jbo.server.DBTransactionImpl.establishNewConnection(DBTransactionImpl.java:997)
         at oracle.jbo.server.DBTransactionImpl.initTransaction(DBTransactionImpl.java:1253)
         at oracle.jbo.server.DBTransactionImpl.initTxn(DBTransactionImpl.java:6397)
    Wizard Settings:
    enforce authorization
    redirect upon successful authentication
    no identity store
    enable credential store
    no policy store
    no anonymous provider
    custom login module with some settings
    form-based authentication
    Cheers
    Andy

    hi,
    if you delete this line
    <property value="doasprivileged" name="oracle.security.jps.jaas.mode"/>
    in the jsp-config.xml you can at least use your application with authentication but authorization doesn't work b/c the subject does not contain the principals:
    ADFContext.getCurrent().getSecurityContext().getUserRoles();
    returns an empty String[].
    Is there a workaround?
    Cheers Andy

  • Error While Login ADF Security Sample Application

    Hi All,
    JDeveloper version: 11.1.1.5.0
    We are creating an ADF login application that contains login.jspx and main.jspx pages.
    We defined ADF Security on this sample application.
    When we provide valid credentials to log in (username and password) it shows this error:
    Error 404--Not Found
    From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
    10.4.5 404 Not Found
    The server has not found anything matching the Request-URI. No indication is given of whether the condition is temporary or permanent.
    If the server does not wish to make this information available to the client, the status code 403 (Forbidden) can be used instead.
    The 410 (Gone) status code SHOULD be used if the server knows, through some internally configurable mechanism,
    that an old resource is permanently unavailable and has no forwarding address. 
    ManagedBean(BackingbeanScope) doLogin():
        public String doLogin() {
            String un = _userName;
            byte[] pw = _password.getBytes();
            FacesContext ctx = FacesContext.getCurrentInstance();
            HttpServletRequest request = (HttpServletRequest) ctx.getExternalContext().getRequest();
            try {
                Subject subject = Authentication.login(new URLCallbackHandler(un, pw));
                weblogic.servlet.security.ServletAuthentication.runAs(subject, request);
                String loginUrl = "/adfAuthentication?success_url=/faces/main.jspx";
                HttpServletResponse response = (HttpServletResponse) ctx.getExternalContext().getResponse();
                RequestDispatcher dispatcher = request.getRequestDispatcher(loginUrl);
                ctx.responseComplete();
            } catch (FailedLoginException fle) {
                FacesMessage msg = new FacesMessage(FacesMessage.SEVERITY_ERROR, "Incorrect Username or Password", "An incorrect Username or Password was specified");
                ctx.addMessage(null, msg);
            }
            return null;
        }
    In ADF Security We Define :
    User : admin1
    Enterprise Role  : ManagerGroup(added user admin1 to this EnterpriseRole)
    Application Role : Manager
    Resource Grants  : Resource Type : Web Page
                               login page
                              main  page -  Granted Role(Manager)
    jazn-data.xml file
    <?xml version = '1.0' encoding = 'UTF-8' standalone = 'yes'?>
    <jazn-data xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/jazn-data-11_0.xsd">
      <jazn-realm default="jazn.com">
        <realm>
          <name>jazn.com</name>
          <users>
            <user>
              <name>admmin1</name>
              <display-name>admmin1</display-name>
              <credentials>{903}y2I4TDwMavn90VxJJfPfgxtBsRnF0qiaMoxzP93XF74=</credentials>
            </user>
          </users>
          <roles>
            <role>
              <name>ManagerGroup</name>
              <display-name>ManagerGroup</display-name>
              <members>
                <member>
                  <type>user</type>
                  <name>admmin1</name>
                </member>
              </members>
            </role>
          </roles>
        </realm>
      </jazn-realm>
      <policy-store>
        <applications>
          <application>
            <name>ADFLogin</name>
            <app-roles>
              <app-role>
                <name>Manager</name>
                <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                <display-name>Manager</display-name>
                <members>
                  <member>
                    <name>ManagerGroup</name>
                    <class>oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl</class>
                  </member>
                </members>
              </app-role>
            </app-roles>
            <jazn-policy>
              <grant>
                <grantee>
                  <principals>
                    <principal>
                      <name>Manager</name>
                      <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                    </principal>
                  </principals>
                </grantee>
                <permissions>
                  <permission>
                    <class>oracle.adf.share.security.authorization.RegionPermission</class>
                    <name>multiofonds.adf.common.view.pageDefs.mainPageDef</name>
                    <actions>view</actions>
                  </permission>
                </permissions>
              </grant>
            </jazn-policy>
          </application>
        </applications>
      </policy-store>
    </jazn-data>
    Please help us how to resolve it.
    Thanks,
    kumar

    A best practice in this situation is to check on a running sample e.g. Oracle ADF: Security for Everyone
    I guess your resource grants are not set correctly.
    Timo
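
One way to check the grant chain that the reply above suspects, as an added example that is not part of the original thread: the script resolves every grant in a jazn-data.xml through application role and enterprise role down to realm users and reports references that do not resolve. The sample document and all names in it are constructed, members are matched by name only, and it assumes the file-based realm (users defined in jazn-data.xml itself).

```python
import xml.etree.ElementTree as ET

BUILTIN = {"anonymous-role", "authenticated-role"}  # OPSS built-in principals
# Constructed sample in the layout of the jazn-data.xml posted above (all names made up).
SAMPLE = """<jazn-data>
 <jazn-realm default="jazn.com"><realm><name>jazn.com</name>
  <users><user><name>alice</name></user></users>
  <roles><role><name>ManagerGroup</name><members>
    <member><type>user</type><name>alice</name></member>
    <member><type>user</type><name>bob</name></member>
  </members></role></roles></realm></jazn-realm>
 <policy-store><applications><application><name>DemoApp</name>
  <app-roles><app-role><name>Manager</name>
    <members><member><name>ManagerGroup</name></member></members></app-role></app-roles>
  <jazn-policy>
   <grant><grantee><principals><principal><name>Manager</name></principal></principals></grantee>
    <permissions><permission><name>demo.pageDefs.mainPageDef</name><actions>view</actions></permission></permissions></grant>
   <grant><grantee><principals><principal><name>Auditor</name></principal></principals></grantee>
    <permissions><permission><name>demo.pageDefs.auditPageDef</name><actions>view</actions></permission></permissions></grant>
  </jazn-policy></application></applications></policy-store>
</jazn-data>"""

def members(parent, tag):
    """Map each <tag> element's name to the names of its <member> descendants."""
    return {e.findtext("name"): [m.findtext("name") for m in e.iter("member")]
            for e in parent.iter(tag)}

def audit(xml_text):
    """Return ({(permission, actions): [users]}, [problems]) for a jazn-data.xml document."""
    root = ET.fromstring(xml_text)
    users = {u.findtext("name") for u in root.iter("user")}
    groups, app_roles = members(root, "role"), members(root, "app-role")
    effective, problems = {}, []
    for grant in root.iter("grant"):
        holders = set()
        for principal in grant.iter("principal"):
            role = principal.findtext("name")
            if role not in app_roles and role not in BUILTIN:
                problems.append(f"grant to undefined application role '{role}'")
            for member in app_roles.get(role, []):
                # Simplification: members are matched by name only, not by <class>.
                for user in groups.get(member, [member]):
                    if user in users:
                        holders.add(user)
                    else:
                        problems.append(f"'{user}' (via '{role}') is not a realm user")
        for perm in grant.iter("permission"):
            effective[(perm.findtext("name"), perm.findtext("actions"))] = sorted(holders)
    return effective, problems
```

An empty user list for a page definition means nobody defined in the file can reach that page, which is worth ruling out before debugging the login bean itself.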

  • ADF Security not working 401 error

    I am having problems with securing my ADF using LDAP after the server I was using was rebuilt and all software re-installed.....
    This did work before the rebuild so I am guessing that there are some settings that were not configured after the rebuild.
    We are using WebLogic and JDeveloper 11.1.1.6 and when I use the Wizard to secure my app and if I pick "ADF Authentication" I get the login page and I can log into the application and things work.
    I then try to go in and use the "ADF Authentication and Authorization" option and deploy and I get a 401 - Unauthorized error..
    It used to work so I am pretty sure I am setting the Enterprise roles / Application Roles etc... correctly but wondered if anyone might be able to point me to what settings might be the issue etc.
    Thank you in advance for any assistance.

    After turning off ADF security in application - it works.
    When ADF security is turned on - it doesn't.
    When opening the same application with ADF security on in previous version of JDev - it works again.
    Our application uses custom login bean, but it is not even reaching login bean after login form submit (sample is made as http://www.youtube.com/watch?v=mAWBezngA1s)

  • Web Center app with ADF Security - login problem

    I have a custom Oracle Web Center app.
    I have a page.html with an embedded login form posting to j_security_check. I've configured the ADF security policies to redirect to a JSPX on successful login.
    When I try the correct username/password, I get redirected not to the page I defined in ADF, but to the root page http://127.0.0.1:7101/MyApp-ViewController-context-root/
    and I get
    Error 403--Forbidden
    I've checked the weblogic.xml as per http://andrejusb.blogspot.com/2009/12/solving-error-403-forbidden-in-adf.html, all the required entries are there.
    This works fine if I use a Login link with
    destination="#{'/adfAuthentication?login=true&amp;end_url=/faces/postLogin.jspx'} "
    which redirects to the default login.html and then to the right page. I've copied the form from the default login.html into my master HTML page.
    Hope my question is clear. Any suggestions why it is going to the wrong URL after login?
    Is there anything specific I should see in the jazn-data.xml or web.xml regarding the post-login URL, since I can't see that in either?
    P.S. Have been advised to try here when I originally asked this in the WebCenter forum. Web Center app ADF Security - login problem
    Edited by: new_to_webcenter on 18-Jan-2011 05:25

    Thanks for your response Frank.
    The web.xml has
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>adfAuthentication</web-resource-name>
        <url-pattern>/adfAuthentication</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>valid-users</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/login.html</form-login-page>
        <form-error-page>/error.html</form-error-page>
      </form-login-config>
    </login-config>
    When configuring ADF Security via JDev, I chose "Redirect upon successful authentication" to the Welcome Page
    "/faces/postLogin.jspx"
    this then adds into web.xml
    <servlet>
      <servlet-name>adfAuthentication</servlet-name>
      <servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
      <init-param>
        <param-name>success_url</param-name>
        <param-value>/faces/postLogin.jspx</param-value>
      </init-param>
      <load-on-startup>1</load-on-startup>
    </servlet>
    So the sequence which works is:
    Login via the '/adfAuthentication?login=true&end_url=/faces/postLogin.jspx' and this redirects to login.html (OOTB form which posts to j_security_check) and then to the postLogin.jspx
    I'm trying to do away with a Login link, and trying the simple login form embedded in my page along with other content.
    So should the form be posting to j_security_check directly or to the adfAuthentication ?
