ADF security removes applied authorizations

Hi,
I created a mockup page containing only panelPage inside a form. In page definition I edited authorization so that role roleA has all privileges on the page as well as roles roleB and roleC (both roleB and roleC are sub-roles of role roleA as defined in system-jazn-data.xml).
After I finished configuring ADF security I saved all and compiled the project. Then I re-opened the page definition, clicked on Edit Authorization to check if authorizations are still there, but they were gone!?
I tried several times but each time the ADF security settings magically get removed.
I think the reason is that some of the roles are sub-roles of another role. Is there a workaround?

It seems that if you try to configure ADF security for a role which has another role as a member, ADF security goes into a state where the only way out is to completely delete the original roles and then re-configure, but this time with no roles as members of other roles. I wonder if this feature (roles as members of other roles) will be supported in ADF security and in which version of Jdev. I am using 10.1.3.2

Similar Messages

  • Providing ADF security to fusion Web Application (ADF 11g)

    I created an ADF application that contains a single page.
    I am able to deploy this on standalone WLS10.3.
    But I need to provide the security to my application.
    I am reading the chapter:
    Enabling ADF Security in a Fusion Web Application in the developer's guide.
    Are there any other sources like demos / blogs / step-by-step tutorials about security which are helpful for beginners? If you have any, please provide them.
    Sailaja

    Here are some links:
    - [Adding Security(Oracle Doc)|http://download.oracle.com/docs/cd/E12839_01/web.1111/b31974/adding_security.htm#BGBCEDDD]
    - [ADF Security Part 1: Container Managed Security (By Frank Nimphius)|http://www.oracle.com/technology/products/jdev/tips/fnimphius/adfsec_camt1/adfsec1.htm]
    - [ADF Security Part 2: Setup and Authentication (By Frank Nimphius)|http://www.oracle.com/technology/products/jdev/tips/fnimphius/adfsec_camt2/ADF%20Security%20Authentication%20and%20Setup.htm]
    - [ADF Security Part 3: Authorization (By Frank Nimphius)|http://www.oracle.com/technology/products/jdev/tips/fnimphius/adfsec_camt3/ADF%20Security%20-%20Authorization.htm]
    - [ADF Security Part 5: ADF BC Entity Security (By Frank Nimphius)|http://www.oracle.com/technology/products/jdev/tips/fnimphius/adfsec_camt5/ADF%20Entity%20Object%20Security%20through%20ADF%20Security.htm]
    Sireesha

  • ADF security and database

    Hi all,
    I am implementing ADF security on my application and I came across the following Documents:
    1- http://www.oracle.com/technology/products/jdev/howtos/1013/adfsecurity/adfsecurity_10132.html
    2-http://www.oracle.com/technology/products/jdev/howtos/1013/oc4jjaas/oc4j_jaas_login_module.htm
    and I have a few of questions :
    1- In ADF security, the edit authorization options in the PageDef read the roles (groups) stored in the system-jazn-data.xml file. If my roles are stored in the Database, how can I read them?
    2- In the first document it is said " If the role name in web.xml matches a group name in system-jazn-data.xml, no further mapping is required. If the names do not match, then the web.xml role name needs to be mapped to the name in the system-jazn-data.xml using the orion-application.xml file. ". Can I do the mapping between the system-jazn-data.xml and the Database?
    3- When I assign ADF security permissions on PageDefs, they will be stored in the app-jazn-data.xml file. Can I store/read those permissions from the Database and not the app-jazn-data.xml file, or at least can I do some kind of mapping between the Database and this file?
    thanks in advance,
    Ahmad Esbita

    Hi albertpi,
    Thanks for your response. This is our first ADF application.
    We are planning to implement the security as mentioned above.
    We can configure the LDAP users in Weblogic server.
    We have a page with multiple tables which need to be shown based on the User roles.
    These roles we are planning to define in the table.
    1. I need to show list of users from my LDAP Users on the ADF UI to assign the roles.
    2. We will be defining our list of roles in a database table; we are not sure whether they need to map to ADF application security roles.
    Data in table will be something like this.
    User Role
    Admin Tab1
    Admin Tab2
    Admin Tab3
    User1 Tab1
    User2 Tab2
    User2 Tab3
    Once the User is logged in we will read this table to show/hide the respective tabs.
    Can you tell us whether we are on the right path and, if yes, how to achieve this?
    Thanks,
    Satya

  • ADF Security Authorization

    As it's written in Oracle® Application Development Framework Developer’s Guide For Forms/4GL Developers B25947-01 I created file adf-config.xml file like this
    <?xml version="1.0" encoding="windows-1252" ?>
    <adf-config xmlns:xsi=" http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation=" http://xmlns.oracle.com/adf/config
    ../../../../../bc4jrt/src/oracle/adf/share/config/schema/config.xsd"
    xmlns=" http://xmlns.oracle.com/adf/config "
    xmlns:sec=" http://xmlns.oracle.com/adf/security/config ">
    <sec:adf-config-child xmlns=" http://xmlns.oracle.com/adf/security/config ">
    <JaasSecurityContext
         initialContextFactoryClass="oracle.adf.share.security.JAASInitialContextFactory"
         authorizationEnforce="true"
         jaasProviderClass="oracle.adf.share.security.providers.jazn.JAZNSecurity Context" >
    </JaasSecurityContext>
    </sec:adf-config-child>
    </adf-config>
    I assigned permissions to my roles in the Authorization editor on iterators etc. But it did not get any effect.
    All roles have full access to iterators!
    ADFContext.getCurrent().getSecurityContext().isAuthorizationEnabled() returns false

    Hi,
    here's the adf-config file from my working app
    <?xml version="1.0" encoding="windows-1252" ?>
    <adf-config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://xmlns.oracle.com/adf/config ../../../../../bc4jrt/src/oracle/adf/share/config/schema/config.xsd"
    xmlns="http://xmlns.oracle.com/adf/config"
    xmlns:sec="http://xmlns.oracle.com/adf/security/config">
    <sec:adf-config-child xmlns="http://xmlns.oracle.com/adf/security/config">
    <JaasSecurityContext initialContextFactoryClass="oracle.adf.share.security.JAASInitialContextFactory"
    jaasProviderClass="oracle.adf.share.security.providers.jazn.JAZNSecurityContext"
    authorizationEnforce="true"/>
    </sec:adf-config-child>
    </adf-config>
    Note that I don't use debug but run it from JDeveloper and the security settings are enforced. Did you set up the web.xml file - in other words, are you able to authenticate?
    Frank

  • Implementing authorization using Oracle ADF security

    Hi,
    We have successfully deployed a Jdev (10.1.3) ADFBC application to IAS with the authentication and part of the authorization.
    Now we want to use another level of granularity to allow object instance access control based on Java Permissions using JAAS. Like "binding container", "iterator binding", "attribute binding" and "methodAction binding".
    We tried to follow the "Oracle Application Development Framework Developer's Guide", chapter 30. Everything went well until we got to 30.7.2--Setting authorization on ADF binding Containers, list 3. "The Authorization Editor shows the pre-defined permissions for the binding container, along with the principles (roles and users) as defined by your resource provider". The roles and users we defined in our web.xml or jaza-data.xml do not show up in the authorization editor.
    The SRDemoADFBC does not use this technique. Anybody has any idea how to do this?
    Remember Frank said he was working on an end-to-end ADF security application and it could be ready by the end of this year. Is it ready yet?
    Thank you,
    Annie

    Hi Vinod,
    In my post, I present it as a best practice to have a one to one mapping of application roles and enterprise roles though it is not required. If you have 10 application roles you should create 10 enterprise roles, but again this is not required. For testing, you could create only one enterprise role, then make that role as member to all your application roles.
    To simplify the case you can do the following STEPS:
    In jazn.xml:
    1) Let say in jazn.xml you have the following 5 application roles:
    - ApplicationRole1
    - ApplicationRole2
    - ApplicationRole3
    - ApplicationRole4
    - ApplicationRole5
    2) Still in jazn.xml, create one Enterprise Role "EnterpriseAdmin".
    3) Make the "EnterpriseAdmin" as member of the 5 application roles above.
    In weblogic console:
    4) Go to the User and Groups page of myrealm (Home >Summary of Security Realms >myrealm >Users and Groups).
    5) Create a new group named "EnterpriseAdmin" and instead of the Default Authenticator, set the authenticator to the name of SQLAuthenticator that you have created.
    6) Create a user in the SQLAuthenticator and make it a member of the "EnterpriseAdmin".
    7) Run your secured application in JDeveloper and login with the user credentials that you created in step#6.
    Regards,
    Pino

  • JDev11 R.1. ADF Security Authorization

    Hi,
    I would like to know if it might be possible to use authentication via the RDBMS authentication provider of Weblogic App. Server and ADF Security Authorization together in a JDev 11 application. I am reading the documentation and it says that 'ADF Security relies on the jazn-data.xml file for the policy store whether you are using the XML-based identity store or the LDAP identity store. One could define roles and their access rights in jazn-data.xml and might expect authentication and isUserInRole services coming from the authentication service without defining users (role members) at design time. Is it or will it be possible in future?
    Best Regards.

    Hi
    I think it is too early and I don't know if they will ever build this. ( because they also have to support other app servers). Is RDBMS authentication provider of Weblogic App. Server a JAAS implementation?
    in TP4 you had a db login module , don't know if this is supported in 11g production.
    jps-config.xml
    <serviceInstance provider="jaas.login.provider" name="testlogin">
    <description>Sample LoginModule</description>
    <property value="oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule" name="loginModuleClassName"/>
    <property value="REQUIRED" name="jaas.login.controlFlag"/>
    <property value="ovs_user" name="table"/>
    <property value="jdbc/OVSDS" name="data_source_name"/>
    <property value="role_name" name="groupMembershipGroupFieldName"/>
    <property value="password" name="passwordField"/>
    <property value="ovs_user_role_view" name="groupMembershipTableName"/>
    <property value="role_name" name="usernameField"/>
    <property value="role_name" name="pw_encoding_class"/>
    <property value="oracle.security.jazn.login.module.db.util.DBLoginModuleMD5Encoder" name="groupMembershipGroupFieldName"/>
    </serviceInstance>
    <serviceInstance provider="jaas.login.provider" name="oracledb.loginmodule">
    <property value="true" name="debug"/>
    <property value="true" name="addAllRoles"/>
    <property value="passwd" name="passwordField"/>
    <property value="role_name" name="groupMembershipGroupFieldName"/>
    <property value="jdbc/authschemaDS" name="data_source_name"/>
    <property value="REQUIRED" name="jaas.login.controlFlag"/>
    <property value="application_roles" name="groupMembershipTableName"/>
    <property value="oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule" name="loginModuleClassName"/>
    <property value="FINEST" name="log.level"/>
    <property value="username" name="usernameField"/>
    <property value="application_users" name="table"/>
    <property value="username" name="user_pk_column"/>
    <property value="username" name="roles_fk_column"/>
    <property value="tolower" name="casing"/>
    <property value="oracle.security.jazn.login.module.db.util.DBLoginModuleClearTextEncoder" name="pw_encoding_class"/>
    </serviceInstance>
    thanks Edwin
    Edited by: biemond on Oct 19, 2008 10:50 AM

  • GOTCHA's with Setting up ADF Security with JDev 11.1.1.6.0

    If you're getting into ADF security, you're probably going to want to get rid of that ugly default login.html page. I mean, it gets the job done, but we want something a little better. And if you want something a little better and you're using JDev 11.1.1.6.0, it behooves you to read this post!
    First off, get acquainted with these four posts. All good stuff. They'll walk you through the 1st half of what you need to know. Y'know, the non-Gotcha half.
    http://one-size-doesnt-fit-all.blogspot.com/2010/07/adf-security-revisited-again-again.html
    http://myadfnotebook.blogspot.com/2011/11/adf-security-basics.html
    http://andrejusb.blogspot.com/2010/11/things-you-must-know-about-adf-faces.html
    http://java2go.blogspot.com/2010/12/creating-centered-page-layout-using-adf.html
    Are you getting either of the following errors?
    <CodebasePolicyHandler> <migrateDeploymentPolicies> Migration of codebase policy failed. Reason: {0}.
    oracle.security.jps.JpsException: java.lang.IllegalArgumentException: oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl
    Error 500--Internal Server Error
    java.lang.RuntimeException: Cannot find FacesContext
    I'll show you where they're coming from. Follow along.
    1) Create a new application.
    2) Create three .jspx pages called login, error, and welcome.
    3) Generate PageDef files for them by right-clicking on the file and selecting "Go To PageDefinition". You'll want these so that you may apply security against them.
    4) Right-Click on your Application and select Secure->Configure ADF Security
    5) ADF Authentication and Authorization -> Form Based Authentication (Use the search symbol to select your created login and error pages. Should be something like "/faces/login.jspx") -> No Automatic Grants -> Finish
    Right-Click your welcome.jspx and select run. You'll get this error before your web page opens up in your browser and then proceeds to wig out.
    <CodebasePolicyHandler> <migrateDeploymentPolicies> Migration of codebase policy failed. Reason: {0}.
    oracle.security.jps.JpsException: java.lang.IllegalArgumentException: oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl
    That just won't do. Let's fix it, shall we?
    6) Open your newly JDev created jazn-data.xml file. It's located in the Application Resources panel (usually located by Data Controls and your Projects expandable panels)
    7) Resource Grants -> Resource Type (Web Page dropdown) -> error page should have a key symbol by it. Delete the anonymous role in the "Granted To" column. Now click the green button to add an Application Role. Huh, there's TWO of them? How bout that? Looks like we're going to have to delete some XML code!
    8) Click the Source tab on the bottom of the page to open up the XML View. You'll see the following piece of erroneous code. Erroneous, I say!
      <policy-store>
        <applications>
          <application>
            <name>SecurityError</name>
            <app-roles>
              // Hello, I'm the app role that has sucked away two hours of your life that you can never, ever get back
              <app-role>
                <name>anonymous-role</name>
                <class>oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl</class>
                <display-name>anonymous-role</display-name>
              </app-role>
             // Whew, the end of that app role
            </app-roles>
            <jazn-policy>
              <grant>
    9) You're going to want to delete that app role XML
    10) Go back into your jazn-data.xml file and create some users. For example, bob and jane. Create an Enterprise role called "admin". Put bob and jane as members into this Enterprise role. Create an Application role called managers. Map managers to your Enterprise role admin.
    11) Go back to the Resource Grants tab -> Resource Type (Web Page) and delete any "Granted To" authorizations that may be assigned to any of the pages. Assign a "Granted To" application role of "anonymous-role" to the error and login pages. Assign "managers" to welcome.
    12) Run your welcome page. Yay, the error is gone. How sweet it is.
    Now you want to refactor/move your login and error page somewhere else? Great, just right-click and select factor. Refactor to some place like /public_html/jspx/<your login page>.jspx. Re-run your welcome page.
    // You fool!
    Error 404--Not Found
    From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
    10.4.5 404 Not Found
    That's not so good. Let's fix that.
    1) Open up web.xml. It's located at ViewController/WEB-INF/web.xml.
    2) Click the security tab and you'll see Form-Based Authentication with a login page and error page. Click that Search glass and locate your new file. Do the same for the error page. You should see something like "/jspx/login.jspx" come back.
    3) Re-run your welcome page.
    // Suckered AGAIN!
    Error 500--Internal Server Error
    java.lang.RuntimeException: Cannot find FacesContext
    This is a tricky one. The search icon brings back a faulty address. Since we're using a .jspx page, it needs to be "/faces/jspx/login.jspx". Repeat for the error page. Re-run your welcome.jspx.
    Ahh!! Now THAT's how we do it in Kingsport!
    Finally, a custom .jspx login works. Now what are you doing here? Shouldn't you be playing some Diablo 3?
    Will
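The two gotchas in the post above can be checked offline before deployment. The following is an added example, not code from the original post or from Oracle: the function names are hypothetical, the sample `web.xml` and `jazn-data.xml` strings are constructed for illustration, and it assumes the Faces servlet is registered as `javax.faces.webapp.FacesServlet`.

```python
import xml.etree.ElementTree as ET

FACES_SERVLET = "javax.faces.webapp.FacesServlet"
ANON_ROLE_CLASS = "oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl"


def _local(tag):
    """Strip an XML namespace, e.g. '{ns}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    for child in _children(elem, name):
        return (child.text or "").strip()
    return ""


def _descendants(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]


def faces_mappings(web_root):
    """Return (path prefixes, extensions) that are routed to the Faces servlet."""
    names = {_text(s, "servlet-name") for s in _descendants(web_root, "servlet")
             if _text(s, "servlet-class") == FACES_SERVLET}
    prefixes, extensions = [], []
    for mapping in _descendants(web_root, "servlet-mapping"):
        if _text(mapping, "servlet-name") not in names:
            continue
        for pattern in _children(mapping, "url-pattern"):
            value = (pattern.text or "").strip()
            if value.endswith("/*"):
                prefixes.append(value[:-1])      # "/faces/*" -> "/faces/"
            elif value.startswith("*."):
                extensions.append(value[1:])     # "*.jsf" -> ".jsf"
    return prefixes, extensions


def check_form_login(web_xml):
    """Flag .jspx login/error pages that bypass the Faces servlet
    (the 'Cannot find FacesContext' error in the post)."""
    root = ET.fromstring(web_xml)
    prefixes, extensions = faces_mappings(root)
    findings = []
    for cfg in _descendants(root, "form-login-config"):
        for field in ("form-login-page", "form-error-page"):
            path = _text(cfg, field)
            if not path.endswith(".jspx"):
                continue
            if any(path.startswith(p) for p in prefixes):
                continue
            if path.endswith(tuple(extensions)):
                continue
            suggestion = prefixes[0] + path.lstrip("/") if prefixes else None
            findings.append((field, path, suggestion))
    return findings


def declared_anonymous_app_roles(jazn_xml):
    """Return app-role names declared with JpsAnonymousRoleImpl, the entry
    the post deletes to clear the codebase policy migration error."""
    root = ET.fromstring(jazn_xml)
    return [_text(role, "name") for role in _descendants(root, "app-role")
            if _text(role, "class") == ANON_ROLE_CLASS]


# Constructed sample input: login page moved to /jspx without the /faces prefix.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>/faces/*</url-pattern>
  </servlet-mapping>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/jspx/login.jspx</form-login-page>
      <form-error-page>/faces/jspx/error.jspx</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

# Constructed sample input: the generated anonymous-role entry is still present.
SAMPLE_JAZN = """<jazn-data><policy-store><applications><application>
  <name>SecurityError</name>
  <app-roles>
    <app-role>
      <name>anonymous-role</name>
      <class>oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl</class>
      <display-name>anonymous-role</display-name>
    </app-role>
    <app-role>
      <name>managers</name>
      <class>oracle.security.jps.service.policystore.ApplicationRole</class>
    </app-role>
  </app-roles>
</application></applications></policy-store></jazn-data>"""

if __name__ == "__main__":
    for field, path, fix in check_form_login(SAMPLE_WEB_XML):
        print(f"web.xml: {field} = {path} is not served by the Faces servlet; try {fix}")
    for name in declared_anonymous_app_roles(SAMPLE_JAZN):
        print(f"jazn-data.xml: app-role '{name}' is declared with JpsAnonymousRoleImpl")
```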

    Ha :-)
    Point being good summaries like yours tend to get lost on the forums because of the volume of posts. With a blog people have the chance to subscribe to your posts so it's just a better vehicle all round for posting content to help others.
    I highly recommend writing blogs even if it's for scratch notes, because you'll learn a lot in structuring your thoughts. It's also a really good way to get noticed in the community because bloggers stand out.
    But your call, no pressure of course ;-)
    CM.

  • How to integrate a SSO based in cookie with ADF Security

    At work they asked me to integrate an existing SSO based in cookie with the new ADF + Jdeveloper 11g + WLS. After googling for days and reading a lot of blogs and official documentation I've made a custom LoginModule. I made it very simple, it's just an "if" inside the login() function with the username, if the username is "john" I put to the Subject some Principals. My steps are:
    1- Create a new app based on "Fusion application" template.
    2- Make a new ADF Taskflow with only one view inside (the entry point of the taskflow). The jspx only contains a welcome message.
    3- Run the ADF Security wizard, all the steps with the default option, I don't change anything.
    4- Put some users and some roles in jazn-data.xml, and mapping them to an application role. Then I grant permissions to the application role to view the previous task flow.
    At this point everything is ok. I run the taskflow and a basic login popup prompts me to write my username and password. Now I try to remove everything useless for me, like idstore, credentials, anonymous, etc. I only want a LoginModule that get the HttpRequest and passes it to an already done class that returns a true/false depending if the cookie is correct or not but, as I said before, my LoginModule is so simple now and even didn't try to do something more complicated than an if. The steps I try are:
    in jps-config.xml
    5- Remove idstore.xml and credentials.
    6- (loginmodule tab) Make a new login module, and put here my class. The class is in the ViewController project and JDeveloper finds it navigating through the hierarchy, so I have visibility. I put REQUIRE flag, add all roles and debug mode.
    7- In the security context unmark the idstore.loginmodule and mark myLoginModule. Also delete the anonymous security context.
    All that I got until now is a 500 error (Internal server error - Authorization Exception). Sometimes (the closest I've ever been to do something correct) the browser asks me for user/password but then only recognizes the users that already are in WLS (idstore from previous tests), but NOT the "john" user that is inside my custom LoginModule. Even more, if I run the WLS from JDeveloper 11g in debug mode, the runtime never stops at breakpoints inside my custom login module. It seems that my LoginModule isn't deployed or I made some error mapping the roles.
    So, my questions are:
    - I'm in the good way? If I want an authentication based in cookie/httprequest I have to do a custom LoginModule? My goal is to do a re-usable code, and re-use the code that my co-workers have done. They have a class that with only the HttpRequest determines if a user is logged or not.
    - If I'm in the good way... how can I put my custom LoginModule in the WLS? I tried to search something in the Administration Panel (localhost:7101/console) but I didn't find anything.
    - In case I'd got the custom LoginModule working fine in WLS... how can I get a HttpRequest from a LoginModule and avoid the username/password dialog? I've to make a filter and pass it to the my LoginModule? If it's correct... how?
    I don't post my code because is so simple, it's based on DBTableLoginModule but without all the database access code.
    Thanks to all!
    P.D.: If this message isn't in the correct forum, I'm sorry. Feel free to move it.
    P.D.2: Sorry about my English, I'm Spanish. I know I have to practise a lot :)

    Hi Frank,
    Thanks a lot for your answer. Just one more easy question: what I need to do is a custom Authentication Module (which will read the cookie)? If only you can point me to the correct chapter of the WLS documentation I'll be very pleased.
    In future releases of JDeveloper will be easier to do this kind of things related to security?
    Riveck

  • Problem with ADF security and task flow calls

    Hi.
    I am using JDeveloper 11.1.2.0.0.
    I encountered a problem when tried to apply ADF security to my application.
    The way to reproduce the problem:
    1. Create new Fusion Web Application;
    2. Import Business Components from Tables from any existing schema and add at least one table to the ApplicationModule.
    3. Create "welcome page" (for instance, welcome.jsf). Add a button with fixed action outcome "test".
    4. Create test page, for instance, test.jsf. Drag and drop any view object from Data Controls onto the page and create a form with navigation controls. Add a button with fixed action outcome "return".
    5. Create bounded task flow, name it "test", drag and drop our test page on it - the page will be the default activity. Add a task flow return activity. Add a control flow case from the default view activity to the return activity, set From Outcome property to "return". So our return button should cause the task flow to exit.
    6. Open adfc-config.xml in diagram mode and place our welcome page on it. Then drag and drop the test task flow to create a task flow call activity. Add a control flow case from welcome page to task flow call activity, set the From Outcome property to "test". So our test button should call the test task flow.
    7. Configure application to run the unbounded task flow starting with Welcome view activity.
    At this point all works as expected: when application runs, the welcome page is displayed with test button. Pressing the test button results in displaying the test page, return button leads back to the welcome page.
    Now let's configure ADF Security.
    Run the ADF Security configuration wizard, choose ADF Authentication and Authorization.
    On the second page select Form-Based Authentication, check the Generate Default Pages flag.
    On the third page choose No Automatic Grants.
    On the next page keep the Redirect Upon Successful Authentication unchecked. Press Finish.
    Open jazn-data.xml to configure roles, users and resource grants:
    1. Create application role test-role.
    2. Grant the test-role privileges to view the test task flow.
    3. Create user and grant him the test-role.
    Now we have the public available welcome page and the test page with restricted access.
    When application runs, the welcome page is displayed as expected. Pressing the test button redirects us to auto-generated login page. After successful authorization the test page is displayed. But nothing happens if we click now the return button for the first time. When we click the return button once more, the application crashes with Error-500 and message "Target Unreachable, identifier 'bindings' resolved to null". The exact error trace depends on UI control bindings, but looks like this:
    javax.el.PropertyNotFoundException: //C:/Users/DUDKIN/AppData/Roaming/JDeveloper/system11.1.2.0.38.60.17/o.j2ee/drs/Test1/ViewControllerWebApp.war/test.jsf @10,120 value="#{bindings.Id.inputValue}": Target Unreachable, identifier 'bindings' resolved to null
         at com.sun.faces.facelets.el.TagValueExpression.isReadOnly(TagValueExpression.java:122)
         at oracle.adfinternal.view.faces.renderkit.rich.EditableValueRenderer._getUncachedReadOnly(EditableValueRenderer.java:476)
         at oracle.adfinternal.view.faces.renderkit.rich.EditableValueRenderer.getReadOnly(EditableValueRenderer.java:390)
         at oracle.adfinternal.view.faces.renderkit.rich.EditableValueRenderer.wasSubmitted(EditableValueRenderer.java:345)
         at oracle.adfinternal.view.faces.renderkit.rich.EditableValueRenderer.decodeInternal(EditableValueRenderer.java:116)
         at oracle.adfinternal.view.faces.renderkit.rich.LabeledInputRenderer.decodeInternal(LabeledInputRenderer.java:56)
         at oracle.adf.view.rich.render.RichRenderer.decode(RichRenderer.java:342)
         at org.apache.myfaces.trinidad.render.CoreRenderer.decode(CoreRenderer.java:274)
         at org.apache.myfaces.trinidad.component.UIXComponentBase.__rendererDecode(UIXComponentBase.java:1324)
    (the rest of lines skipped).
    Any suggestions?
    Edited by: user13307311 on Apr 16, 2013 11:39 PM

    @Lovin_JV_941794
    The welcome page is public available since it does not have appropriate PageDef file.
    Login page comes not from the welcome page, it comes after attempt to access the test page. So after the login succeeded the test page appears, because redirect to welcome page after successful login is not configured. I do not need to return the welcome page at this moment, I need to go to the test page.
    It seems the task flow call stack to be destroyed after redirect to login page.
    Edited by: user13307311 on Apr 17, 2013 12:45 AM

  • ADF Security in JDeveloper 10.1.3.2

    Hi,
    I used this link http://www.oracle.com/technology/products/jdev/howtos/1013/adfsecurity/adfsecurity_10132.html
    to apply security to my AD application using the JAN but I faced a problem, which is: if I logged in using the user I create on the OTC I always get this error HTTP Error 403 - Forbidden "You are not authorized to view this page", although I didn't apply the authorization on my pages yet.
    Can anyone help?
    Thanx

    Hi,
    using ADF Security, security is enabled as soon as you switch on ADF Security. It's a pessimistic thinking, that is, you don't have access unless explicitly granted access
    Frank

  • ADF Security to J2EE Container Managed Security Problems

    Hi all!
    I had ADF security enabled in my application. I've added roles and users to embedded OC4J Server Preferences..., configured authorization using pageDefs... (following the Introduction to ADF Security in JDeveloper 10.1.3.2 howto).
    For the sake of friendlier user and roles management I decided to go to J2EE Container Managed Security (I want application manager in production environment to be able to manage users in only one place, not in DB table and extra for web app). I followed Frank Nimphius's Database Authentication and Authorization in J2EE Container Managed Security article.
    Now I have some problems. I removed users and roles from embedded OC4J Server Preferences... (I believe these are used only for ADF security, am I right?). I can log to application with admin user account (app index page doesn't have any binds and even pageDef), but when trying to access admin pages I get 401 Unauthorized page.
    What am I doing wrong, probably I've forgotten something? I'm a bit confused now with users and roles settings and ADF and container managed security.
    Part of my web.xml file:
    <servlet>
    <servlet-name>adfAuthentication</servlet-name>
    <servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
    <init-param>
    <param-name>success_url</param-name>
    <param-value>/faces/app/index.jspx</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
    <servlet-name>adfAuthentication</servlet-name>
    <url-pattern>/adfAuthentication/*</url-pattern>
    </servlet-mapping>
    <security-role>
    <description>Admins</description>
    <role-name>admin_role</role-name>
    </security-role>
    <security-role>
    <description>Users</description>
    <role-name>user_role</role-name>
    </security-role>
    <security-role>
    <role-name>oc4j-administrators</role-name>
    </security-role>
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>AllAdmins</web-resource-name>
    <url-pattern>faces/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>admin_role</role-name>
    </auth-constraint>
    </security-constraint>
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>AllUsers</web-resource-name>
    <url-pattern>faces/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>user_role</role-name>
    <role-name>admin_role</role-name>
    </auth-constraint>
    </security-constraint>
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>adfAuthentication</web-resource-name>
    <url-pattern>/adfAuthentication</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>oc4j-administrators</role-name>
    <role-name>user_role</role-name>
    <role-name>admin_role</role-name>
    </auth-constraint>
    </security-constraint>
    Do I have to remove this adfAuthentication tags?
    I know I've made things a bit complicated for me now and for anyone to help, but I hope I will get at least some pointers what to do now and maybe some explanation about roles in container managed security? Is it enough to have security constraints and roles defined in web.xml file or do they have to be defined somewhere else also (beside the database)?
    Thank you in advance!
    Bye
    PS
    Maybe stack trace after login:
    FINE: LoginConfigProvider.ctr: lmm=[LoginModuleManager: jznCfg=[JAZNConfig null], appConfigEntries={oracle.security.jazn.oc4j.CertificateAuthenticator=[javax.security.auth.login.AppConfigurationEntry@3625d0], oracle.security.jazn.tools.Admintool=[javax.security.auth.login.AppConfigurationEntry@eca6e7], oracle.security.jazn.oc4j.WebCoreIDSSOAuthenticator=[javax.security.auth.login.AppConfigurationEntry@c1c7c4], oracle.security.jazn.oc4j.DigestAuthenticator=[javax.security.auth.login.AppConfigurationEntry@221f81], oracle.security.wss.jaas.SAMLAuthManager=[javax.security.auth.login.AppConfigurationEntry@426e05], oracle.security.jazn.oc4j.JAZNUserManager=[javax.security.auth.login.AppConfigurationEntry@145240a], current-workspace-app=[javax.security.auth.login.AppConfigurationEntry@4120aa], oracle.security.wss.jaas.JAASAuthManager=[javax.security.auth.login.AppConfigurationEntry@1c78f98]}]
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
    FINE: [DBTableOraDataSourceLoginModule] option data_source_name = jdbc/TESTDbDS
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
    FINE: [DBTableOraDataSourceLoginModule] option table = APPLICATION_USER
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
    FINE: [DBTableOraDataSourceLoginModule] option groupMembershipTableName = APPLICATION_ROLE
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
    FINE: [DBTableOraDataSourceLoginModule] option usernameField = USR_EMAIL
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
    FINE: [DBTableOraDataSourceLoginModule] option passwordField = USR_PSW
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
    FINE: [DBTableOraDataSourceLoginModule] option groupMembershipGroupFieldName = ROLE_NAME
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
    FINE: [DBTableOraDataSourceLoginModule] option user_pk_column = USR_EMAIL
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
    FINE: [DBTableOraDataSourceLoginModule] option roles_fk_column = USR_EMAIL
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
    FINE: [DBTableOraDataSourceLoginModule] option pw_encoding_class = null
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
    FINE: [DBTableOraDataSourceLoginModule] option realm_column = null
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
    FINE: [DBTableOraDataSourceLoginModule] option application_realm = null
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule initialize
    FINE: [DBTableOraDataSourceLoginModule] option casing = toupper
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule login
    FINE: [DBTableOraDataSourceLoginModule]login called on DBTableLoginModule
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule login
    FINE: [DBTableOraDataSourceLoginModule]Calling callbackhandler ...
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule login
    FINE: [DBTableOraDataSourceLoginModule]Username returned by callback = admin
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule login
    FINE: [DBTableOraDataSourceLoginModule]Username changed to case as defined by toupper to ADMIN
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
    FINE: [DBTableOraDataSourceLoginModule]User query string: select USR_EMAIL,USR_PSW from APPLICATION_USER where USR_EMAIL= (?)
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
    FINE: [DBTableOraDataSourceLoginModule]User primary key value found = ADMIN
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
    FINE: [DBTableOraDataSourceLoginModule]Password encoded by: oracle.security.jazn.login.module.db.util.DBLoginModuleClearTextEncoder
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
    FINE: [DBTableOraDataSourceLoginModule]User ADMIN authenticated successfully
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
    FINE: [DBTableOraDataSourceLoginModule]Roles query string: select ROLE_NAME from APPLICATION_ROLE where USR_EMAIL= (?)
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
    FINE: [DBTableOraDataSourceLoginModule]DBUser Principal Name: ADMIN
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule performDbAuthentication
    FINE: [DBTableOraDataSourceLoginModule]DBRole Principal Name: admin_role
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule login
    FINE: [DBTableOraDataSourceLoginModule]Logon Successful = true
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
    FINE: [DBTableOraDataSourceLoginModule]Subject contains 0 Principals before auth
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
    FINE: [DBTableOraDataSourceLoginModule]Local LM commit succeeded
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
    FINE: [DBTableOraDataSourceLoginModule]Subject contains 2 Principals after auth
    24.8.2007 10:17:19 oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule commit
    FINE: [DBTableOraDataSourceLoginModule]Cleaning internal state!

    Hi there!
    I have another question about this. I've modified a bit DBRolePrincipal class to see what's going on. At the beginning of the equals(Object another) method I added these lines:
    log("method equals start",0);
    log("another type = " + another.getClass(), 0);
    if (another instanceof Principal) {
        Principal mine = (Principal)another;
        log("Principal mine.getName() = " + mine.getName(), 0);
    }
    The result is this output (after navigating to page that gives 401 forbidden):
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.security.jazn.oc4j.JAZNUserAdaptor
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = admin_user
    07/10/12 08:38:36 [DBRolePrincipal] method equals start
    07/10/12 08:38:36 [DBRolePrincipal] another type = class oracle.adf.share.security.authentication.ADFRolePrincipal
    07/10/12 08:38:36 [DBRolePrincipal] Principal mine.getName() = anyone
    Why is the name of ADFRolePrincipal always anyone? When I sign in with this user the output says:
    07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] User query string: select USERNAME,PASSWORD from ACTIVE_APP_USER_V where USERNAME= (?)
    07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] User primary key value found = admin_user
    07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Password encoded by: oracle.sample.dbloginmodule.util.DBLoginModuleCearTextEncoder
    07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] User admin_user authenticated successfully
    07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Roles query string: select ROLE_NAME from ACTIVE_APP_ROLE_V where USERNAME= (?)
    07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] DBRole Principal Name: admin_role
    07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] DBUser Principal Name: admin_user
    07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Logon Successful = true
    07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Subject contains 0 Principals before auth
    07/10/12 08:46:09 [DBUserPrincipal] method equals start
    07/10/12 08:46:09 [DBUserPrincipal] another type = class oracle.sample.dbloginmodule.principals.DBRolePrincipal
    07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Local LM commit succeeded
    07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Subject contains 2 Principals after auth
    07/10/12 08:46:09 [DBTableOraDatasourceLoginModule] Cleaning internal state!
    Frank, if you haven't given up on this issue yet could you please try to explain this to me? Why does the admin_role principal never get compared in the equals method?
    Thank you!
    BB

  • Bug concerning ADF security

    Just wanted to make a thread about this strange behavior when working with ADF security. Discovered it was a bug (I think).
    I have just enabled ADF security in my project after reading chapter 28 of the developers manual and watching Frank's tutorials on the Code Core center. I was having trouble implementing it and thought I was just doing it wrong. It seemed so simple in the manual. The trouble I was having was that if I granted some access to a task flow or a web page to an application role or to the anonymous role it wouldn't become active. No changes made in the jazn-data.xml would make any difference. Next day when I started up again it all worked. But making further changes would also not become active. I looked at the logs and noticed the following error in the deploy process:
    [Running application Health_Project1 on Server Instance DefaultServer...]
    Uploading jazn-data identities.
    Uploading jazn-data policies.
    oracle.security.jps.JpsException: Destination context default missing in the specified jps-config.xml.
         at oracle.security.jps.internal.tools.utility.mgrs.JpsPolicyAPIManager.getPolicyStoreForDestination(JpsPolicyAPIManager.java:165)
         at oracle.security.jps.internal.tools.utility.destination.apibased.JpsDstPolicy.<init>(JpsDstPolicy.java:150)
         at oracle.security.jps.internal.tools.utility.destination.JpsInitializerDst.getDestinations(JpsInitializerDst.java:82)
         at oracle.security.jps.internal.tools.utility.JpsUtility.<init>(JpsUtility.java:63)
         at oracle.security.jps.internal.tools.utility.JpsUtilDeploymentImpl.migrateAppPolicyToFarmLevelPolicyStore(JpsUtilDeploymentImpl.java:81)
         at oracle.security.jps.internal.tools.utility.JpsUtilDeploymentImpl.migrateAppPolicyToFarmLevelPolicyStore(JpsUtilDeploymentImpl.java:103)
         at oracle.jdevimpl.adrs.weblogic.JaznDataUploader.uploadPolicies(JaznDataUploader.java:610)
         at oracle.jdevimpl.adrs.weblogic.JaznDataUploader.uploadJaznData(JaznDataUploader.java:212)
         at oracle.jdevimpl.runner.adrs.AdrsStarter.uploadJaznData(AdrsStarter.java:1703)
         at oracle.jdevimpl.runner.adrs.AdrsStarter.mav$uploadJaznData(AdrsStarter.java:116)
         at oracle.jdevimpl.runner.adrs.AdrsStarter$5.run(AdrsStarter.java:1344)
         at java.lang.Thread.run(Thread.java:619)
    Uploading credentials.
    After some digging I found that this was a bug related to the application path. The application was located in "My Documents" with the path c:\Documents and Settings\.......
    It is no good to have a space in the application path. After I moved the application to a simpler path, c:\dev\sb\mywork, the ADF security worked fine. Changes in policies would become effective immediately. Later I ran into the same problem but this time the application path was simple but the application name had an underscore in it, "my_project". By removing the underscore and making the application name MyProject along with changing all the properties, xml and connection files the ADF security worked like it should.
    So in short:
    * Don't have a space in the path where the application is stored.
    * Don't have an underscore in the application name.
    Please comment if I'm wrong. This post is just for information if other users are running into similar problems.
    Best regards,
    Sturla Thor

    hi,
    if you delete this line
    <property value="doasprivileged" name="oracle.security.jps.jaas.mode"/>
    in the jsp-config.xml you can at least use your application with authentication but authorization doesn't work b/c the subject does not contain the principals:
    ADFContext.getCurrent().getSecurityContext().getUserRoles();
    returns an empty String[].
    Is there a workaround?
    Cheers Andy

  • About login authentication in ADF Security

    I have applied ADF Security in application which I learned from the Cue Cards example and I did it successfully but I wanted to change the login page.
    So I created a PopUp which I learned from "Oracle JDeveloper 11g Handbook A Guide to Oracle Fusion Web Development" and instead of the Menu Button, I used a Go Link Button as I had done in the Cue Cards example.
    But the problem is how to manage the login/logout authentication. As in the book I created a managed bean to handle login and the code is :
    package inventory.controller;

    import java.io.IOException;
    import javax.faces.application.FacesMessage;
    import javax.faces.context.FacesContext;
    import javax.security.auth.Subject;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.login.FailedLoginException;
    import javax.security.auth.login.LoginException;
    import javax.servlet.RequestDispatcher;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import weblogic.security.SimpleCallbackHandler;
    import weblogic.security.services.Authentication;
    import weblogic.servlet.security.ServletAuthentication;

    public class LoginHandler {
        private String _username;
        private String _password;

        public LoginHandler() {
            super();
        }

        // Authenticates against WebLogic, then forwards to the ADF authentication servlet.
        public String performLogin() {
            byte[] pw = _password.getBytes();
            FacesContext ctx = FacesContext.getCurrentInstance();
            HttpServletRequest request =
                (HttpServletRequest)ctx.getExternalContext().getRequest();
            CallbackHandler handler = new SimpleCallbackHandler(_username, pw);
            try {
                Subject mySubject = Authentication.login(handler);
                ServletAuthentication.runAs(mySubject, request);
                String loginUrl =
                    "/adfAuthentication?success_url=/faces" + ctx.getViewRoot().getViewId();
                HttpServletResponse response =
                    (HttpServletResponse)ctx.getExternalContext().getResponse();
                sendForward(request, response, loginUrl);
            } catch (FailedLoginException fle) {
                FacesMessage msg =
                    new FacesMessage(FacesMessage.SEVERITY_ERROR, "Incorrect Username or Password",
                                     "An incorrect Username or Password" +
                                     " was specified");
                ctx.addMessage(null, msg);
            } catch (LoginException le) {
                reportUnexpectedLoginError("LoginException", le);
            }
            return null;
        }

        // Forwards the request and marks the JSF response as complete.
        private void sendForward(HttpServletRequest request,
                                 HttpServletResponse response, String loginUrl) {
            FacesContext ctx = FacesContext.getCurrentInstance();
            RequestDispatcher dispatcher = request.getRequestDispatcher(loginUrl);
            try {
                dispatcher.forward(request, response);
            } catch (ServletException se) {
                reportUnexpectedLoginError("ServletException", se);
            } catch (IOException ie) {
                reportUnexpectedLoginError("IOException", ie);
            }
            ctx.responseComplete();
        }

        private void reportUnexpectedLoginError(String errType, Exception e) {
            FacesMessage msg =
                new FacesMessage(FacesMessage.SEVERITY_ERROR, "Unexpected Error During Login",
                                 "Unexpected Error during Login (" + errType +
                                 "), please consult logs for detail");
            FacesContext.getCurrentInstance().addMessage(null, msg);
            e.printStackTrace();
        }

        // Logs out through the ADF authentication servlet and returns to the home page.
        public String performLogout() {
            FacesContext ctx = FacesContext.getCurrentInstance();
            HttpServletRequest request =
                (HttpServletRequest)ctx.getExternalContext().getRequest();
            HttpServletResponse response =
                (HttpServletResponse)ctx.getExternalContext().getResponse();
            String logoutUrl =
                "/adfAuthentication?logout=true&end_url=/faces/home";
            sendForward(request, response, logoutUrl);
            return null;
        }

        public void setUsername(String _username) {
            this._username = _username;
        }

        public String getUsername() {
            return _username;
        }

        public void setPassword(String _password) {
            this._password = _password;
        }

        public String getPassword() {
            return _password;
        }
    }
    But as I run the page and click the login link, it displays the PopUp box but I think it can't get the username and password from the field inserted and displays the error message specified in the above code(ie in try/catch) when I enter the required username and password and click the login button. So is there something in the code, I ran the application TUHRA which I downloaded, which was an example in the book I specified. and it went well and the login popup worked well.
    And I want to know how to make the button work by just pressing the Enter key without clicking the button. Also, is there a procedural change in the ADF configuration between jDev 11.1.1.1.0 and jDev 11.1.1.5.0? I have jDev 11.1.1.5.0 installed and there was something different in following the steps specified in the book, but I managed it by looking at the Cue Cards example. So is this a problem with the steps or something else?
    Thanks in advance.

    I didn't design the login page but I just created a PopUp window and in the popup window I inserted two Input text fields for username and password.
    And I set the 'value' of the username field as "#{login.username}" and the 'value' of the password field as "#{login.password}"
    Also in the login button the "action" set to #{login.performLogin}.
    And the button which I use to display the popup is a Go Link button, the "Destination" is set to "#{securityContext.authenticated ? "/adfAuthentication?logout=true&end_url=/faces/home.jspx" : "/adfAuthentication?success_url=/faces/home.jspx"} ".
    I inserted the popup inside the Go Button in the structure window.
    And Added the managed bean in the adfc config.xml with the following properties:
    Name as “login”
    Class as “inventory.controller.LoginHandler”
    Scope as “request”
    If I don't use the popup and login with the default generated login form , the login is successful
    And also when I removed the ADF security configuration, the meta data didn't go away and when I reconfigured the security some error is displayed in the log details as cannot create or something like rewrite the users.
    Please help, I don't have much time to complete my project. It's an emergency.
    Edited by: SudeepShakya on Nov 4, 2011 10:06 AM

  • Task-flow ADF security on Standalone WLS

    Hi,
    Jdev 11g
    I have into the main adfc-config.xml 3 links one to a jspx and 2 links to 2 different bounded task flows.
    I applied ADF security depends on Roles to the three links, one on the jspx itself (on the pagedef) and 2 to the Task-flow.
    All is working perfectly on the embedded WLS.
    When deploying the application to a standalone WLS and applying the security migration as explained (system-jazn-data.xml verified and security is migrated) I have only the jspx working and for the 2 task-flows I have an Authorization check failed exception.
    I always think that it is a migration problem but seems not because the jspx is working depends on the right Role.
    Any idea what can cause this and why the ADF security is working only on jspx page and not on the task-flow after deploying to a standalone WLS?
    Thanks
    Jamil
    <May 27, 2009 12:22:20 PM AST> <Error> <HTTP> <BEA-101017> <[weblogic.servlet.internal.WebAppServletContext@197171f - appName: 'TasdeeqEAR', name: 'TasdeeqApp', context-path: '/TasdeeqApp', spec-version: '2.5', request: weblogic.servlet.internal.ServletRequestImpl@31dbd4[
    GET /TasdeeqApp/faces/home?_adf.ctrl-state=1028508221_19 HTTP/1.1
    Accept: */*
    Accept-Language: en-US,ar-SA;q=0.5
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; InfoPath.2; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618; Tablet PC 2.0; FDM)
    Accept-Encoding: gzip, deflate
    Connection: Keep-Alive
    Cookie: JSESSIONID=9Z7tKdGCD0BSvt2GnDfLrkhZJ62rhMPpGLmXtGctDT2YGTQcl2VJ!-1394634041
    ]] Root cause of ServletException.
    oracle.adf.controller.security.AuthorizationException: ADFC-0619: Authorization check failed: '/WEB-INF/registrar-task-flow.xml#registrar-task-flow' 'VIEW'.
        at oracle.adf.controller.internal.security.AuthorizationEnforcer.handleFailure(AuthorizationEnforcer.java:145)
        at oracle.adf.controller.internal.security.AuthorizationEnforcer.checkPermission(AuthorizationEnforcer.java:80)
        at oracle.adf.controller.internal.security.AuthorizationEnforcer.checkRead(AuthorizationEnforcer.java:314)
        at oracle.adf.controller.internal.metadata.MetadataService.getTaskFlowDefinition(MetadataService.java:204)
        at oracle.adfinternal.controller.activity.TaskFlowCallActivityLogic.findTaskFlowDefinition(TaskFlowCallActivityLogic.java:931)
    Truncated. see log file for complete stacktrace
    >

    Hi Frank,
    I copied the <jazn-policy> section from the jazn-data.xml to system-jazn-data.xml and it is working
    So as expected something wrong with the migration...I will check what
    Thanks
    Jamil
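
A way to confirm what Jamil found, as an added example that is not part of the original thread: diff the grants in the application's jazn-data.xml against the server's system-jazn-data.xml and list those that did not arrive. The XML layout, the `registrar` role, the `homePageDef` page definition and the policy application name `TasdeeqApp` are assumptions for this constructed sample; only the task flow id comes from the log above.

```python
"""Report ADF grants that exist in an application's jazn-data.xml but are
missing from the server's system-jazn-data.xml after policy migration."""
import xml.etree.ElementTree as ET

# Constructed sample: policy as packaged with the application.
# Role name, page definition name and application name are assumptions.
APP_JAZN = """<jazn-data><policy-store><applications><application>
  <name>TasdeeqApp</name>
  <jazn-policy><grant>
    <grantee><principals><principal>
      <class>oracle.security.jps.service.policystore.ApplicationRole</class>
      <name>registrar</name>
    </principal></principals></grantee>
    <permissions>
      <permission>
        <class>oracle.adf.share.security.authorization.RegionPermission</class>
        <name>view.pageDefs.homePageDef</name>
        <actions>view</actions>
      </permission>
      <permission>
        <class>oracle.adf.controller.security.TaskFlowPermission</class>
        <name>/WEB-INF/registrar-task-flow.xml#registrar-task-flow</name>
        <actions>view</actions>
      </permission>
    </permissions>
  </grant></jazn-policy>
</application></applications></policy-store></jazn-data>"""

# Constructed sample: server-side store in which only the page grant arrived.
SYSTEM_JAZN = """<jazn-data><policy-store><applications><application>
  <name>TasdeeqApp</name>
  <jazn-policy><grant>
    <grantee><principals><principal>
      <class>oracle.security.jps.service.policystore.ApplicationRole</class>
      <name>registrar</name>
    </principal></principals></grantee>
    <permissions>
      <permission>
        <class>oracle.adf.share.security.authorization.RegionPermission</class>
        <name>view.pageDefs.homePageDef</name>
        <actions>view</actions>
      </permission>
    </permissions>
  </grant></jazn-policy>
</application></applications></policy-store></jazn-data>"""


def _text(elem, tag):
    """Stripped text of a direct child element, or '' when it is absent."""
    child = elem.find(tag)
    return (child.text or "").strip() if child is not None else ""


def load_grants(xml_text, app_name):
    """Return {(principal, permission class, target, action)} for one application."""
    root = ET.fromstring(xml_text)
    apps = list(root.iter("application"))
    # Scope to the named application; a store without <application> is read whole.
    scopes = [a for a in apps if _text(a, "name") == app_name] if apps else [root]
    grants = set()
    for scope in scopes:
        for grant in scope.iter("grant"):
            principals = [_text(p, "name") for p in grant.iter("principal")]
            for perm in grant.iter("permission"):
                actions = [a.strip().lower() for a in _text(perm, "actions").split(",")]
                for who in principals:
                    for action in actions:
                        grants.add((who, _text(perm, "class"), _text(perm, "name"), action))
    return grants


def missing_grants(app_xml, system_xml, app_name):
    """Grants the application ships that the server store does not contain."""
    return sorted(load_grants(app_xml, app_name) - load_grants(system_xml, app_name))


if __name__ == "__main__":
    for who, cls, target, action in missing_grants(APP_JAZN, SYSTEM_JAZN, "TasdeeqApp"):
        print(f"MISSING {action} on {target} ({cls.rsplit('.', 1)[-1]}) for {who}")
```

An empty result means every grant in the application policy is also in the server store; a task flow listed here will fail with ADFC-0619 on the standalone server even though the page grants work.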

  • I don't understand how ADF Security  works

    In short I used ADF Security wizard to make a secured fusion webapp (Form authentication, XML id store, no grants). It made me the error, login and welcome page and I added one more (a page with a table). I granted that page view access to one role defined in jazn.xml. I noticed that at deploy the content of 'jazn.com' is merged into 'myrealm'. Everything goes well when I try a user defined in jazn.xml, but when I add a new user directly from the WLS console (same group as the others defined in jazn.com) I can login but I cannot access the page with the table because I'm not authorized. I think it's a role mapping issue but I'm not quite sure... I tried to look after the valid-users=users mapping but I haven't managed to find the users role in WLS.
    How is the application getting the users and roles (groups) from the wls realm? Why I can log in but not authorize ?
    Thanks
    Kquizak

    Hi,
    At development / testing time the way the user provisioning works is that existing users and groups of the same name are initially removed and then re-created. So in your case you have a user created in WLS that is added to a group that is re-newed by the develop-test cycle. This means that when running the application, you no longer have the user to be a member of the group. In a next version of JDeveloper 11 we probably make the user/group provisioning an option, in which case your settings will be preserved. Note that this problem doesn't exist if you deploy the app to a stand alone server, like in production.
    Frank
