ADF Security -- permissions dont work as documented in Jdev Article

Similar Messages

• ADF security logout not working

  Hi,
  Using ADF Faces and JDeveloper 11.1.1.1.0 (5407).
  I have a secure ADF application, my login is working fine, however once I attempt to perform a logout using methods indicated in both the Fusion Developer's Guide and various blog posts my application begins to act strangely.
  Using the Forms based authentication I have login.html and error.html setup and working.
  I have a home.jspx (unsecured, no bindings whatsoever) as my landing page, and welcome.jspx as my successful authentication redirect page, both on my adfc-config diagram and with a control flow case 'login' between them.
  In my jazn-data.xml file I have granted the 'authenticated-role' access to the welcome page.
  The web.xml file includes the login.html and error.html files listed.
  The above works, I can login and am successfully redirected to the welcome page with a user account I have specified, and if I use wrong login information I am redirected to error.html.
  Now, I have tried 2 methods to get LOGOUT working properly and both are not working.
  Firstly and most simply I tried using the following on my welcome page:
  <af:commandNavigationItem text="Logout" id="cni1" destination="/adfAuthentication?logout=true&amp;end_url=faces/home.jspx"/>When I click the link, this does redirect me to the home page and there are no warnings/errors in the server log.
  However... when I then click on the Login link on the home page that should prompt me to login again, the home page just flickers and nothing happens. Again no warnings/errors in logs.
  I am then forever stuck on the home page.
  The second method I tried involves using a backing bean, which I have registered in my adfc-config.xml file with 'request' scope.
  On my welcome.jspx:
  <af:commandLink text="Logout" id="gl1" action="#{loginBean.doLogout}"/>My link calls the doLogout() method in my backing bean containing:
    import java.io.IOException;
    import javax.faces.context.ExternalContext;
    import javax.faces.context.FacesContext;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpSession;
    public String doLogout() throws IOException {
      ExternalContext ectx = FacesContext.getCurrentInstance().getExternalContext();
      HttpServletResponse response = (HttpServletResponse)ectx.getResponse();
      HttpSession session = (HttpSession)ectx.getSession(false);
      session.invalidate();
      response.sendRedirect("home.jspx");
      return null;
    }The application DOES redirect me to home.jspx however I get the following error in the logs:
  java.lang.IllegalStateException: Cannot forward a response that is already committed
       at weblogic.servlet.internal.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:122)
       at com.sun.faces.context.ExternalContextImpl.dispatch(ExternalContextImpl.java:410)
       at org.apache.myfaces.trinidad.context.ExternalContextDecorator.dispatch(ExternalContextDecorator.java:44)
       at org.apache.myfaces.trinidad.context.ExternalContextDecorator.dispatch(ExternalContextDecorator.java:44)
       at org.apache.myfaces.trinidad.context.ExternalContextDecorator.dispatch(ExternalContextDecorator.java:44)
       Truncated. see log file for complete stacktrace
  AND...the same thing happens as with my other attempt, I am stuck on the home page and clicking the login link just flickers the page.
  I feel as if I have followed the Fusion Developer's Guide on how to do this down to a T, however I am not getting a working solution.
  Any help would be greatly appreciated.
  Thankyou,
  Matthew.

  I have had a few developments...
  I found out that after I have been redirected to home.jspx where my Login link just refreshes the page on click... if I instead manually change the end of the URL in the address bar of my browser to /welcome.jspx, then it works...I get prompted to login again. This proves that I am actually being logged out, if I change the URL manually before I click my logout link (calling the logout method) it does not request for me to log in again.
  So it seems that the problem lies with my action reference on my login link.
  <af:commandLink text="Enter" id="cl1" action="login" inlineStyle="font-size:small;"/>the action 'login' works UNTIL i logout, then it does not work anymore...
  Second to this, I tried a different LOGIN method using:
  <af:commandNavigationItem text="Login" id="cni1" inlineStyle="font-size:small; text-decoration:none;"
                                          destination="/adfAuthentication?success_url=faces/welcome.jspx"/>When using this way to login, I can login, logout AND LOG BACK IN successfully...
  However as soon as I click on ANY component that uses a control flow case it just refreshes the page.
  re-proving from the first example that the problem is that control flow cases stop working after a logout.
  so basically, once I log out and then try to navigate a control flow case, the page I am on just refreshes and the navigation does not occur.
  Surely someone now can elaborate on this.
  Regards,
  Matthew.

• ADF security : JAZN-LDAP

  Hi,
  We are working on the development of an application with Oracle ADF (JDev 10.1.3).
  We implemented security with lightweight XML provider and it's working perfectly.
  Next month we will deploy our application and so we will use a LDAP server.
  Is it easy to jump from XML to LDAP?
  Do we just have to select LDAP prodiver in the security wizard and then to map application groups to LDAP groups in the orion-application.xml file?
  With this solution, is it still possible to edit authorizations at design time for pages, iterators, etc ?
  Thanks in advance for your help!

  Hi,
  you didn't read the documentation, do you ? Anyway, the LDAP upload is a bit difference from how you imagine it
  - ADF Security permissions are written to the workspaces' \.adf\META-INF\app-jazn-data.xml file. So in fact you don't change the security settings for your project in JDeveloper. This means it remains for future addition
  - You use a migration utility provided by OC4J Security to create an XLIFF file out of \.adf\META-INF\app-jazn-data.xml
  http://download.oracle.com/docs/cd/B32110_01/web.1013/b28957/configxml.htm#CIHIFGBJ
  - Then you upload this to OID
  Frank

• Adf security with upper case user results in 500-internal server error

  Hello
  JDev 11.1.1.0.2, Integrated WLS
  I'v set up ADF security as explained in the documentation.
  The only difference being that the role test-all has been removed.
  I have one user 'paul' with a password of 'password'
  I have one application role 'myrole'
  'paul' is a member of 'myrole'
  I have one unbounded task flow with one view (view1).
  Via the janz-data.xml 'View1' has been granted to 'myrole' (view action)
  When running View1 I get the login.html page which is correct.
  The fun starts when playing around with the user/password.
  If I login with 'paul' and 'password' view1 is display, this is correct
  If I login with an unknown user or an incorrect password Windows Explorer 7 shows a generic HTTP 403 error page and not the error.html
  If I login with 'PAUL' and 'password' (or Paul, or any mixed cased version of Paul with the correct password) I get the following stack trace :
  oracle.adf.controller.security.AuthorizationException: ADFC-0619: Echec de la vérification des autorisations : '/view1.jspx' 'VIEW'.
       at oracle.adf.controller.internal.security.AuthorizationEnforcer.handleFailure(AuthorizationEnforcer.java:145)
       at oracle.adf.controller.internal.security.AuthorizationEnforcer.checkPermission(AuthorizationEnforcer.java:124)
       at oracle.adfinternal.controller.state.ControllerState.initializeUrl(ControllerState.java:639)
       at oracle.adfinternal.controller.state.ControllerState.synchronizeStatePart2(ControllerState.java:449)
       at oracle.adfinternal.controller.application.SyncNavigationStateListener.afterPhase(SyncNavigationStateListener.java:44)
       at oracle.adfinternal.controller.lifecycle.ADFLifecycleImpl$PagePhaseListenerWrapper.afterPhase(ADFLifecycleImpl.java:529)
       at oracle.adfinternal.controller.lifecycle.LifecycleImpl.internalDispatchAfterEvent(LifecycleImpl.java:118)
       at oracle.adfinternal.controller.lifecycle.LifecycleImpl.dispatchAfterPagePhaseEvent(LifecycleImpl.java:166)
       at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener$PhaseInvokerImpl.dispatchAfterPagePhaseEvent(ADFPhaseListener.java:122)
       at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener.afterPhase(ADFPhaseListener.java:68)
       at oracle.adfinternal.controller.faces.lifecycle.ADFLifecyclePhaseListener.afterPhase(ADFLifecyclePhaseListener.java:51)
       at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:354)
       at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:175)
       at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265)
       at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
       at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
       at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
       at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
       at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:181)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
       at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:85)
       at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:279)
       at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._invokeDoFilter(TrinidadFilterImpl.java:239)
       at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:196)
       at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:139)
       at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
       at oracle.security.jps.wls.JpsWlsFilter$1.run(JpsWlsFilter.java:85)
       at java.security.AccessController.doPrivileged(Native Method)
       at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:257)
       at oracle.security.jps.wls.JpsWlsSubjectResolver.runJaasMode(JpsWlsSubjectResolver.java:250)
       at oracle.security.jps.wls.JpsWlsFilter.doFilter(JpsWlsFilter.java:100)
       at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:65)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
       at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
       at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3496)
       at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
       at weblogic.security.service.SecurityManager.runAs(Unknown Source)
       at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2180)
       at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2086)
       at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1406)
       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
       at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
  The questions are :
  - Why do I get the generic HTTP 403 error instead of the error.html (its not the end of the world but I would like to understand) ?
  - Why do I get the error 500 if the case of the username is incorrect but the password is correct ?
  Best Regards
  Paul

  Nope nothing in there that looks out of place...
  Here's the contents of the web.xml file ..
  <?xml version = '1.0' encoding = 'windows-1252'?>
  <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
  <description>Empty web.xml file for Web Application</description>
  <context-param>
  <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
  <param-value>client</param-value>
  </context-param>
  <context-param>
  <description>If this parameter is true, there will be an automatic check of the modification date of your JSPs, and saved state will be discarded when JSP's change. It will also automatically check if your skinning css files have changed without you having to restart the server. This makes development easier, but adds overhead. For this reason this parameter should be set to false when your application is deployed.</description>
  <param-name>org.apache.myfaces.trinidad.CHECK_FILE_MODIFICATION</param-name>
  <param-value>false</param-value>
  </context-param>
  <context-param>
  <description>Whether the 'Generated by...' comment at the bottom of ADF Faces HTML pages should contain version number information.</description>
  <param-name>oracle.adf.view.rich.versionString.HIDDEN</param-name>
  <param-value>false</param-value>
  </context-param>
  <filter>
  <filter-name>JpsFilter</filter-name>
  <filter-class>oracle.security.jps.ee.http.JpsFilter</filter-class>
  <init-param>
  <param-name>enable.anonymous</param-name>
  <param-value>true</param-value>
  </init-param>
  <init-param>
  <param-name>remove.anonymous.role</param-name>
  <param-value>false</param-value>
  </init-param>
  <init-param>
  <param-name>addAllRoles</param-name>
  <param-value>true</param-value>
  </init-param>
  <init-param>
  <param-name>jaas.mode</param-name>
  <param-value>doasprivileged</param-value>
  </init-param>
  </filter>
  <filter>
  <filter-name>trinidad</filter-name>
  <filter-class>org.apache.myfaces.trinidad.webapp.TrinidadFilter</filter-class>
  </filter>
  <filter>
  <filter-name>adfBindings</filter-name>
  <filter-class>oracle.adf.model.servlet.ADFBindingFilter</filter-class>
  </filter>
  <filter-mapping>
  <filter-name>JpsFilter</filter-name>
  <servlet-name>Faces Servlet</servlet-name>
  <dispatcher>FORWARD</dispatcher>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>INCLUDE</dispatcher>
  </filter-mapping>
  <filter-mapping>
  <filter-name>trinidad</filter-name>
  <servlet-name>Faces Servlet</servlet-name>
  <dispatcher>FORWARD</dispatcher>
  <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
  <filter-mapping>
  <filter-name>adfBindings</filter-name>
  <servlet-name>Faces Servlet</servlet-name>
  <dispatcher>FORWARD</dispatcher>
  <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
  <servlet>
  <servlet-name>Faces Servlet</servlet-name>
  <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
  <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
  <servlet-name>resources</servlet-name>
  <servlet-class>org.apache.myfaces.trinidad.webapp.ResourceServlet</servlet-class>
  </servlet>
  <servlet>
  <servlet-name>adfAuthentication</servlet-name>
  <servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
  <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
  <servlet-name>Faces Servlet</servlet-name>
  <url-pattern>/faces/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
  <servlet-name>resources</servlet-name>
  <url-pattern>/adf/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
  <servlet-name>resources</servlet-name>
  <url-pattern>/afr/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
  <servlet-name>adfAuthentication</servlet-name>
  <url-pattern>/adfAuthentication/*</url-pattern>
  </servlet-mapping>
  <session-config>
  <session-timeout>35</session-timeout>
  </session-config>
  <mime-mapping>
  <extension>html</extension>
  <mime-type>text/html</mime-type>
  </mime-mapping>
  <mime-mapping>
  <extension>txt</extension>
  <mime-type>text/plain</mime-type>
  </mime-mapping>
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>adfAuthentication</web-resource-name>
  <url-pattern>/adfAuthentication</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>valid-users</role-name>
  </auth-constraint>
  </security-constraint>
  <login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
  <form-login-page>/login.html</form-login-page>
  <form-error-page>/error.html</form-error-page>
  </form-login-config>
  </login-config>
  <security-role>
  <role-name>valid-users</role-name>
  </security-role>
  </web-app>
  Regards
  Paul

• ADF and SiteMinder not working

  Hi,
  I'm working on a project where the CA SiteMinder Authenticator and IdentityAsserter have been configured in a clustered environment alongside the Default Authenticator and IdentityAsserter. An ADF app using a combination basic J2EE security (isUserInGroup/Role type calls to show/hide tabs depending on user's role) and ADF Security roles and policies (used to lock down task flows to specific roles/groups/users).
  The J2EE security call works fine, proving that SiteMinder has populated the security Subject with the correct Principals and authorised correctly.
  However, ADF Security does not work at all, even though I can see the groups that originated in the SiteMinder Authenticator in the Enterprise Manager security config screens.
  I have mapped the ADF Application Roles to J2EE groups successfully, but when I access the application having successfully logged in as a user who is a member of that group, the taskflows don't show up...
  When I run this in a non-clustered WLS environment with only DefaultAuthenticator/IdentityAsserter, all is well, TaskFlows show/hide as expected.
  This falls neatly between Oracle and CA in terms of problem solving, can't get much help from either at the moment.
  Any thoughts or possible lines of enquiry are welcome.
  Edited by: 893022 on 27-Oct-2011 04:23

  Hi Frank,
  I'm just trying that now - reducing the variables seems like a good plan.
  A couple of things we're unsure of:
  1. Does ADF support Siteminder R12? My feeling is that the two are probably not related as ADF accesses the security realm via OPSS and the SiteMinder app server agent is an implementation of the WLS SSPIs, which would never be directly accessed from ADF (as far as I can tell).
  2. I've seen an example on redstack where an ADF application is deployed into an environment that is configured to use an Acitive Directory provider. There is a step includes that involves editing jps-config.xml on the server to include username.attr and user.login.attr properties to the idstore.ldap service instance. Is there similar any FMW-level config I'd need to do for SiteMinder?
  3. When JDeveloper builds the ADF app, it changes the class uses Groups and Users from:
  oracle.seurity.jps.internal.core.principals.JpsXmlEnterpriseroleImpl
  to:
  weblogic.security.principal.WLSUserImpl
  We did some debugging on on our app and saw that the SiteMinder 'Groups' that are fed into WLS by the SSPI are actually of a different class althoghether:
  com.netegrity.siteminder.weblogic.sspi.auth.SmWLSGroupImpl
  I'm building my ADF app with Maven so have used XMLTask to make this change to jazn-data.xml on deploy, but still no joy. ADF just doesn't appear to be able to 'see' the users and groups that have come from SiteMinder providers.

• ADF security and database

  Hi all,
  I am implementing ADF security on my application and I came across the following Documents:
  1- http://www.oracle.com/technology/products/jdev/howtos/1013/adfsecurity/adfsecurity_10132.html
  2-http://www.oracle.com/technology/products/jdev/howtos/1013/oc4jjaas/oc4j_jaas_login_module.htm
  and I have a few of questions :
  1- in ADF security, the edit authorization options in the PageDef reads the roles (gorups) stored on the system-jazn-data.xml file. If my roles are stored on the Database how can I read them?
  2- In the first document it is said " If the role name in web.xml matches a group name in system-jazn-data.xml, no further mapping is required. If the names do not match, then the web.xml role name needs to be mapped to the name in the system-jazn-data.xml using the orion-application.xml file. ". Can I do the mapping between the system-jazn-data.xml and the Database?
  3-When I assign ADF security permissions on PageDefs, It will be stored in the app-jazn-data.xml file. Can I store/read those permissions from the Database and no the app-jazn-data.xml file or at least can I do some kind of mapping between the Database and this file?
  thanks in advance,
  Ahmad Esbita

  Hi albertpi,
  Thanks for you response. This is our first ADF application.
  We are planning to impliment the security as mentioned above.
  We can configure the LDAP users in Weblogic server.
  We have a page with multiple tables which need to be shown based on the User roles.
  These roles we are planning to define in the table.
  1. I need to show list of users from my LDAP Users on the ADF UI to assign the roles.
  2. We will be defining our list of roles in a database table, which not sure whether they need to map to ADF application security roles.
  Data in table will be something like this.
  User Role
  Admin Tab1
  Admin Tab2
  Admin Tab3
  User1 Tab1
  User2 Tab2
  User2 Tab3
  Once the User is logged in we will read this table to show/hide the respective tabs.
  Can you tell us are we in right path, if yes How to achieve this.
  Thanks,
  Satya

• Security questions does work and wont reset

  security questions dont work on verifcation request on my iphone. can only download free apps. can not reset on my apple id eather. anyone got an answer?

  make a new apple id

• JDEV 10.1.3.1 "ADF security" questions

  Hi,
  We have a couple of questions about ADF security. Hope someone knows something about it. Any help is deeply appreciated. Jdeveloper version we use is 10.1.3.1.
  1. Using the ADF security to develop the application, can we deploy it to the IAS and switch to LDAP (OID) or we are obligated to use system-jazn-data.xml on IAS as well? If we have to use system-jazn-data.xml on IAS, do we need to copy the exact system-jazn-data.xml file to IAS embeddedoc4j/config directory? Any other configurations we need to do?
  2. I read some documents that say it is prefered to use LDAP(OID) and
  that's what we really want on the IAS. So if the answer for question 1 is we
  have to use system-jazn-data.xml, does oracle have any plan for the future to
  change it? I guess my question is will that be possible for us to develope the
  app using system-jazn-data.xml on the developer's station (for testing
  purpose) and later on we can convert it LDAP (OID) when we deploy it on IAS.
  Thanks,
  Annie
  Message was edited by:
  user447669

  Hi,
  1)
  can we deploy it to the IAS and switch to LDAP (OID)
  yes.
  If we have to use system-jazn-data.xml on IAS, do we need to copy the exact system-jazn-data.xml file to IAS embeddedoc4j/config directory?
  No. Only make suere the users and user goup exist and copy the JAAS Permissions added by ADF security
  2) There exist a migration utility to upload ADF Security permissions from syste-jazn-data.xml to OID. It is explained in teh OC4J security guide (chapter 7) whih comes with the Oracle Application Serber 10.1.3.1
  Frank

• ADF Security not working 401 error

  I am having problems with securing my ADF using LDAP after the server I was using was rebuilt and all software re-installed.....
  This did work before the rebuild so I am guessing that there are some settings that were no configured after the rebuild.
  We are using weblogic and Jdeveloper 11.1.1.6 and When I use the Wizard to secure my app and if I pick "ADF Authentication" I get the login in page and I can log into the application and things work.
  I then try to go in and use the "ADF Authentication and Authorization" option and deploy and I get a 401 - Unauthorized error..
  It used to work so I am pretty sure I am setting the Enterprise roles / Application Roles etc... correctly but wondered if anyone might be able to point me to what settings might be the issue etc.
  Thank you in advance for any assistance.

  After turning off ADF security in application - it works.
  When ADF security is turned on - it doesn't.
  When opening the same application with ADF security on in previous version of JDev - it works again.
  Our application uses custom login bean, but it is not even reaching login bean after login form submit (sample is made as http://www.youtube.com/watch?v=mAWBezngA1s)

• WEB Application security don't work properly with adf faces

  We introduce conventional web security in our java ee application integrating ui as adf faces.
  We got problem when we access protected jspx document. It seem the container don't ask the user to log on when the page did not contains any link with the model (page definitions i think). It seem that the container react lately too, after displaying part of the screen.
  For example:
  We have an application with a home page with two tabs representing our applications.
  The home page is an unprotected directory.
  The both applications home pages are in protected directories.
  The both applications home pages did not contains any link to the model. Some text are displayed in showDetailHeader, panelHeader, etc
  Whe we start the application, the home page is displayed. The infoUser part on the panelPage indicate that nobody is authenticated. All is fine.
  When we click on the first tab representing the first application, the page is displayed and the containes don't ask to login. The page is into a protected directory. When we click on showDetailHeader, nothing is done, the content still disclosed.
  When click on a menu that load a page that reference to the model part (page definitions exists), the container ask to login. After a sucessfully login, all pages are accessible, showDetailHeader work properly, infoUser part is loaded with the username for the authenticated session.
  Is this due to a bug ?
  Is this due to a bad design or an error in our development ?
  Note that we didn't implement since yet the adf security layer may be it will solve this problem.

  Hello,
  when your security is based on URL, the problem could be the url is changed one click later. Check this: Re: Browser URL and current page

• I don't understand how ADF Security  works

  In short I used ADF Security wizard to make a secured fusion webapp (Form authentification, XML id store, no grants). It made me the error,login and welcome page and I added one more (a page with a table). I granted that page view access to one role defined in jazn.xml. I noticed that at deploy the content of 'jazn.com' is merged into 'myrealm'. Everything goes well when I try a user defined in jazn.xml, but when I add a new user directly from the WLS console (same group as the others defined in jazn.com) I can login but I cannot access the page with the table because I'm not authorized. I think it's a role mapping issue but I'm quite not sure... I tried to look after the valid-users=users mapping but I haven't managed to find the users role into wls.
  How is the application getting the users and roles (groups) from the wls realm? Why I can log in but not authorize ?
  Thanks
  Kquizak

  Hi,
  at devlopment / testing time the way the user provisioning works is that existing users and groups of the same name are initially removed and then re-created. So in your case you have a user created in WLS that is added to a group that is re-newed by the develop-test cycle. This means that when running the application, you no longer have the user to be a member of the group. In a next version of JDeveloper 11 we probably make the user/group provisioning an option, in which case your settings will be preserved. Note that this problem doesn't exist if you deploy the app to a stand alone server, like in production
  Frank

• Jdeveloper tools/ADF security wizard , what is this item? no documentation.

  Hi
  Thank you for reading my post
  i find that there is a menu item in Jdeveloper that secure an adf application.
  Jdeveloper documentatio has nothing about it.
  can some on clearify ,
  -if i select a realm name , will jdeveloper create that realm for me in application server (OC4J standalone) ?

  I use Jdeveloper 10.1.3.1.0 (the new developer preview)
  and the ADF Security Wizard is under tools menue.
  I just do not know what does doAs and doAsPrivileged means in JASS module.
  Thanks

• How to integrate a SSO based in cookie with ADF Security

  At work they asked me to integrate a existing SSO based in cookie with the new ADF + Jdeveloper 11g + WLS. After google for days and read a lot of blogs and official documentation I've made a custom LoginModule. I made it very simple, it's just an "if" inside the login() function with the username, if the username is "john" I put to the Subject some Principals. My steps are:
  1- Create a new app based on "Fusion application" template.
  2- Make a new ADF Taskflow with only one view inside (the entry point of the taskflow). The jspx only contains a welcome message.
  3- Run the ADF Security wizard, all the steps with the default option, I don't change anything.
  4- Put some users and some roles in jazn-data.xml, and maping them to an application role. Then I grant permissions to the application role to view the previous task flow.
  At this point everything is ok. I run the taskflow and a basic login popup prompts me to write my username and password. Now I try to remove everything useless for me, like idstore, credentials, anonymous, etc. I only want a LoginModule that get the HttpRequest and passes it to an already done class that returns a true/false depending if the cookie is correct or not but, as I said before, my LoginModule is so simple now and even didn't try to do something more complicated than an if. The steps I try are:
  in jps-config.xml
  5- Remove idstore.xml and credentials.
  6- (loginmodule tab) Make a new login module, and put here my class. The class is in the ViewController project and JDeveloper find it navigating through the heriarchy, so I have visibility. I put REQUIRE flag, add all roles and debug mode.
  7- In the security context unmark the idstore.loginmodule and mark myLoginModule. Also delete the anonymous security context.
  All that I got until now is a 500 error (Internal server error - Authorization Exception). Sometimes (the close i've ever been to do something correct) the browser ask me for user/password but then only recognizes the users that already are in WLS (idstore from previous tests), but NOT the "john" user that is inside my custom LoginModule. Even more, if I run the WLS from JDeveloper 11g in debug mode, the runtime never stops at breakpoints inside my custom login module. It seems that my LoginModule isn't deployed or I made some error maping the roles.
  So, my questions are:
  - I'm in the good way? If I want an authentication based in cookie/httprequest I have to do a custom LoginModule? My goal is to do a re-usable code, and re-use the code that my co-workers have done. They have a class that with only the HttpRequest determines if a user is logged or not.
  - If I'm in the good way... how can I put my custom LoginModule in the WLS? I tried to search something in the Administration Panel (localhost:7101/console) but I did'nt find nothing.
  - In case I'd got the custom LoginModule working fine in WLS... how can I get a HttpRequest from a LoginModule and avoid the username/password dialog? I've to make a filter and pass it to the my LoginModule? If it's correct... how?
  I don't post my code because is so simple, it's based on DBTableLoginModule but without all the database access code.
  Thanks to all!
  P.D.: If this message isn't in the correct forum, I'm sorry. Feel free to move it.
  P.D.2: Sorry about my english, I'm spanish. I know i've to practise a lot :)

  Hi Frank,
  Thanks a lot for your answer. Just one more easy question: what I need to do is a custom Authentication Module (which will read the cookie)? If only you can point me to the correct chapter of the WLS documentation I'll be very pleased.
  In future releases of JDeveloper will be easier to do this kind of things related to security?
  Riveck

• Creating a WebCenter Application with PageCutomizable and ADF Security

  I created a Webcenter App in Jdev 11.1.1.2.0 with webcenter extension.
  I have 2 JSPX files.
  One called mainTemplate.jspx
  - contains header, footer in ADF and a center facet.
  One called Welcome.jspx created from mainTemplate
  - contains page customizable > panel customizable > layout customizable > various custom panel configs.
  ADF security is configured with BASIC, authentication only. Because form authentication seems harder to get working.
  We have one weblogic user, and currently deploy to the integrated WLS, although we'll deploy out to a full server once security/composer is working.
  The problem is, when we run the Welcome.jspx, and because we added a reference to a logged in var, it requests http login fine.
  We then refresh the page and see that we are indeed logged in as 'weblogic'.
  Is weblogic a special user? should I create a new one? Is there any setup required on the Integrated WLS to get this working?
  However when we click on 'add Content' using the composer we get a permission error.
  +<RegistrationConfigurator><handleError> Server Exception during PPR, #1+
  javax.el.ELException: oracle.adf.view.page.editor.security.ComposerSecurityException: You do not have permission to edit the page
  +     at com.sun.el.parser.AstValue.invoke(AstValue.java:161)+
  +...+
  Caused by: oracle.adf.view.page.editor.security.ComposerSecurityException: You do not have permission to edit the page
  +     at oracle.adfinternal.view.page.editor.bean.DialogBean.setDialogHelp(DialogBean.java:129)+
  +     at oracle.adfinternal.view.page.editor.bean.DialogBean.showResourceCatalog(DialogBean.java:356)+
  +     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)+
  +...+
  I tried using the Customization allowed var in the property inspector, but could not map 'allowed by' to a user or role that my setup would recognise. The doco specifies 'admin' which does not work for me.
  In my catalog I have a WCM portlet taskflow, which will require its own permissions.
  I tried enabling permissions for the test-all role to all of my pages/taskflows, leaving just the 'view' permission to the anonymous role.
  I also tried authentication/authorization profiles, and building my own jspx login/error pages, but no luck there either, the login button doesn't seem to tirgger my java doLogin class, even though I set the binding on the button using the method expression builder to the bean method.
  *note: I didn't try the welcome/login/error page auto create as they generate html files, I created JSFs with full UI in there. Am I required to use those html types instead of jspx? I found that the redirection worked by appending the jspx reference with '/faces/Login.jspx'. The problem seemed to have been somewhere else.
  If we have any Webcenter Composer / Security gurus out there, help would be greatly appreciated.
  Our main goal is to create a Webcenter App which has security/composer/navigation and a catalog with WCM/Siebel portlets similar to the Avitek demo without using WC Spaces.
  Thanks.
  Thanks.
  Edited by: Guillaume_Davies_SC on Apr 20, 2010 7:28 PM

  When you want to achieve this you need to configure ADF security with basic authentication & authorization. THe authorization is the part that takes care of what a user may and may not do in an application. Authentication is just the log in part.
  When you have configured your application for authorization as well, you have to create roles and groups.
  You will also have to set the authorization of your pages. Open a jsxp and in the design or source view, right click and "edit authorization". You then have to add roles to your pages and define their rights. Then you can set the authorization for edit,cuustomize,personlise,view,...
  Hope this helps.

• Jdev 10.1.3.1 "ADF Security": Application without a custom login page?

  Hi,
  We are trying to develop an application using "ADF security", which means we can give permissions to certain roles based on "Binding Container", "Iterator Binding", "Method Action Binding" and "Attribute-level Binding".
  After reading the document -- "Oracle® Containers for J2EE Security Guide 10g (10.1.3.1.0) B28957-01" that Frank pointed out. We have a question:
  Can we develop an ADF application without creating a custom login page? Right now we've followed the security guide and modified the configuration files. But when we run the application, we get the "user null" error message. The reason is clear because we do not have a login page. On the security guide, it says that it is possible to use the oracle default login module. But it does not say how. Does anyone have any idea?
  Thanks,
  Annie

  Brenden,
  Thank you so much for the reply. This is our code in the web.xml:
  <login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>default</realm-name>
  </login-config>
  We are using HTTP basic Authentication. This technique worked for the container-managed security. The browser default login page pops up when the end users try to log into a secured JSP. But here we want to use "ADF security" to set up "Iterator binding" and "Attribute level binding" security. The browser default login page does NOT show up. Instead we get the "user null" error message.
  If you have detailed step on how to select HTTP Basic Authentication, it would be very helpful to us. Or if you know any document has the detail.
  regards,
  Annie