ADF security roles

Security roles, created for my application in web.xml file aren't shown in authorithation editor for container neither in Authorithation tab for model components !
Where the problem could be?

Hi Frank!
oc4j-app-administrators is a role in system--jazn-data.xml and my roles manager and staff also. I don't know where to switch between global OC4J user/roles settings and workspace specific but my roles are present in both places of Embeded OC4J server preferences( in system-jazn-data.xml and in <My project>-jazn-data.xml ).
But my roles still unvisible in "Authorization editor" .

Similar Messages

Role based oracle adf security and filtering data

while oracle adf security looks great its only role based... does anyone know of any resources describing an architecture where this is used in addition to filtering of data based on say, organization?
it seems that oracle adf security is not really geared towards a self service app where administrative users have a security interface as part of the application where they can assign roles and associate users to entities for the further filtering of data...

Hi,
it seems that oracle adf security is not really geared towards a self service app where administrative users have a security interface as part of the application where they can assign roles and associate users to entities for the further filtering of data...
ADF Security is a JAAS based security implementation to protect resources (like entities). It is nota security provider like OPSS or OID which you can use for user provisioning and self service (if you code against the IDM APIs). ADF Security only checks for whether a user is authenticated and if the user has the permission to perform a task.
However, you can use groovy to access the security context from Groovy, which allows you to add the authenticated username to a query - for example to filter recrds out that match the username in one of its attributes.
For example, you could create a ViewCriteria that for example filters the query by a specific attribute. Say that managers can see data starting from department 10 whereas employees can see data starting from department 100. The ViewCriteria would reference a bind variable with the following default setting
adf.context.securityContext.isUserInRole('manager')? 10 : 100
Frank

Does ADF security support sub-roles? If not are there plans to support it?

hi,
I have following scenario: there are dozens of regions and each region has dozen of facilities and each facility dozens of offices.
I would like to setup Office roles to have Query permission only and create a new role OfficeUpdate role that has update permissions for this office data, and at the same time to inherit permissions from Office role (e.g. Query permissions), so if I assign a user to Office role he will be able to query only and if I assign him to OfficeUpdate role he will be able to query and update the office data because privilege will be inherited from Office role.
User can be a member of different offices/facilities/regions. So I would like to, in order to simplify user management, to be able to assign a whole role as a member of another role. By doing this I wouldn't have to assign users to different roles all over again (all users assigned to a sub-role would automatically become members of main role as well) as this is time-consuming.
But it seems that ADF security does not support this. It seems that ADF security can only deal with roles and not sub-roles? Roles and sub-roles are supported by oc4j container but it seems that ADF security does not support it.
I would like first to be sure that my observation is correct, and if yes to find out if there are any plans to support sub-roles in future Jdev releases?
And also if somebody knows, if Acegi or JsfAcegi security supports role-sub-role privilege inheritance?

I created a testcase that excludes ADF Security and the same behavior can be reproduced, so the problem doesn't seem to be with ADF Security but JAZN.
Need to further track this issue, but so far it appears that a member role is not sufficient to authenticate and authorize a container managed constraint as used by ADF Security for authentication. This could be a problem with the embedded OC4J only but also a general problem with settings on the system-jazn-data.xml. This is what I need to further evaluate.
So for now I can't say that this isn't working in ADF Security because its not even getting there
Frank

ADF Security & DB roles

Adding on behalf of one of my colleague.
ADF Security.
Currently we have roles as database objetcs. These roles are assigned to different users.
We need to populate these roles as Application Roles in ADF Security.
Please let us know is there any suggestion available for this.
Best Regards,
Lokanath

fyi
Frank Nimphius wrote:
... 1. roles in a table
In this case use SQL Authenticator in WLS ...Be wary when using ADF Security (OPSS) with a SQLAuthenticator.
This is feedback I got in SR 3-4124753004 :
"If the you want to use DB as the identity store, then the supported way is to buy OVD server license and configure DB adapter in OVD and then configure an OVD authenticator in Weblogic. SQLAuthenticator will not be used as identity store. And, we do not recommend to use LibOVD for DB identity store. OVD server is the recommended and supported way."
related bugs are :
- bug 13876651, "FMW CONTROL SHOULD NOT ALLOW MANAGING USERS GROUPS FROM SQL AUTHENTICATOR"
- enhancement request 12864498, "OPSS : ADDMEMBERSTOAPPLICATIONROLE : THE SEARCH FOR ROLE FAILED"
related forum threads are :
- "ADF Security : identity store : tables in a SQL database"
- "OPSS : addMembersToApplicationRole : The search for role failed"
regards
Jan Vervecken

Disable the link respective of my users role in ADF Security

Hi,
Am using jdeveloper 11.1.1.6.0.,
In my jspx page i have two links like Employees and Departments. The Departments button should be enabled only to the Managers role.
I have also implemented ADF Security in my project.
Regards,
Prasad K T,

Hi,
Check out this blog : ADF Code Bits: Bit #17 - Using the securityContext bean in a JSF page
-Arun

Configuring roles and users (adf security) application context wise.

Dear All,
I referred this tutorial (http://biemond.blogspot.com/2008/12/using-database-tables-as-authentication.html) which shows how to hook up adf security with database schema but at domain level which will be common to all applications in that domain. I want to make it different to each application. (i.e each application will use differene database schema for storing user credientials i.e enterprise roles,application roles and users.)
Can any one please point me to proper way..
Regards,
Santosh
jdev 11.1.1.2.0

Dear Frank,
<i>
Instead you have a single identity management system and have the application policies being different for the applications.Using ADF Security, users and groups can have different privileges in different applications
</i>
suppose i have 3 applications that use adf security, the users will be common to all applications. right..?Roles and group can be different for applications.
application polices means roles and group..?
So how it(application polices) can be made different for applications? is it inbuilt or some configurations needed ?. Can you point me to some blogs or tutorials for more reference.
Bet: Incase i hook up adf security with database schema.
Regards,
Santosh.

GOTCHA's with Setting up ADF Security with JDev 11.1.1.6.0

If you're getting into ADF security, you're probably going to want to get rid of that ugly default login.html page. I mean, it gets the job done, but we want something a little better. And if you want something a little better and you're using JDev 11.1.1.6.0, it behooves you to read this post!
First off, get acquainted with these four posts. All good stuff. They'll walk you through the 1st half of what you need to know. Y'know, the non-Gotcha half.
http://one-size-doesnt-fit-all.blogspot.com/2010/07/adf-security-revisited-again-again.html
http://myadfnotebook.blogspot.com/2011/11/adf-security-basics.html
http://andrejusb.blogspot.com/2010/11/things-you-must-know-about-adf-faces.html
http://java2go.blogspot.com/2010/12/creating-centered-page-layout-using-adf.html
Are you getting either of the following errors?
<CodebasePolicyHandler> <migrateDeploymentPolicies> Migration of codebase policy failed. Reason: {0}.
oracle.security.jps.JpsException: java.lang.IllegalArgumentException: oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl
Error 500--Internal Server Error
java.lang.RuntimeException: Cannot find FacesContextI'll show you where they're coming from. Follow along.
1) Create a new application.
2) Create three .jspx pages called login, error, and welcome.
3) Generate PageDef files for them by right-clicking on the file and selecting "Go To PageDefinition". You'll want these so that you may apply security against them.
4) Right-Click on your Application and select Secure->Configure ADF Security
5) ADF Authentication and Authorization -> Form Based Authentication (Use the search symbol to select your created login and error pages. Should be something like "/faces/login.jspx") -> No Automatic Grants -> Finish
Right-Click your welcome.jspx and select run. You'll get this error before your web page opens up in your browser and then proceeds to wig out.
<CodebasePolicyHandler> <migrateDeploymentPolicies> Migration of codebase policy failed. Reason: {0}.
oracle.security.jps.JpsException: java.lang.IllegalArgumentException: oracle.security.jps.internal.core.principals.JpsAnonymousRoleImplThat just won't do. Let's fix it, shall we?
6) Open your newly JDev created jazn-data.xml file. It's located in the Application Resources panel (usually located by Data Controls and your Projects expandable panels)
7) Resource Grants -> Resource Type (Web Page dropdown) -> error page should have a key symbol by it. Delete the anonymous role in the "Granted To" column. Now click the green button to add an Application Role. Huh, there's TWO of them? How bout that? Looks like we're going to have to delete some XML code!
8) Click the Source tab on the bottom of the page to open up the XML View. You'll see the following piece of erroneous code. Erroneous, I say!
<policy-store>
    <applications>
      <application>
        <name>SecurityError</name>
        <app-roles>
          // Hello, I'm the app role that has sucked away two hours of your life that you can never, ever get back
          <app-role>
            <name>anonymous-role</name>
            <class>oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl</class>
            <display-name>anonymous-role</display-name>
          </app-role>
         // Whew, the end of that app role
        </app-roles>
        <jazn-policy>
          <grant>9) You're going to want to delete that app role XML
10) Go back into your jazn-data.xml file and create some users. For example, bob and jane. Create an Enterprise role called "admin". Put bob and jane as members into this Enterprise role. Create an Application role called managers. Map managers to your Enterprise role admin.
11) Go back to the Resource Grants tab -> Resource Type (Web Page) and delete any "Granted To" authorizations that may assigned to any of the pages. Assigned a "Granted To" application role of "anonymous-role" to the error and login pages. Assign "managers" to welcome.
12) Run your welcome page. Yay, the error is gone. How sweet it is.
Now you want to refactor/move your login and error page somewhere else? Great, just right-click and select factor. Refactor to some place like /public_html/jspx/<your login page>.jspx. Re-run your welcome page.
// You fool!
Error 404--Not Found
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.5 404 Not FoundThat's not so good. Let's fix that.
1) Open up web.xml. It's located at ViewController/WEB-INF/web.xml.
2) Click the security tab and you'll see Form-Based Authentication with a login page and error page. Click that Search glass and locate your new file. Do the same for the error page. You should see something like "/jspx/login.jspx" come back.
3) Re-run your welcome page.
// Suckered AGAIN!
Error 500--Internal Server Error
java.lang.RuntimeException: Cannot find FacesContextThis is a tricky one. The search icon brings back a faulty address. Since we're using a .jspx page, it needs to be "/faces/jspx/login.jspx". Repeat for the error page. Re-run your welcome.jspx.
Ahh!! Now THAT's how we do it in Kingsport!
Finally, a custom .jspx login works. Now what are you doing here? Shouldn't you be playing some Diablo 3?
Will

Ha :-)
Point being good summaries like yours tend to get lost on the forums because of the volume of posts. With a blog people have the chance to subscribe to your posts so it's just a better vehicle all round for posting content to help others.
I highly recommend writing blogs even if it's for scratch notes, because you'll learn a lot in structuring your thoughts. It's also a really good way to get noticed in the community because bloggers stand out.
But your call, no pressure of course ;-)
CM.

Creating a WebCenter Application with PageCutomizable and ADF Security

I created a Webcenter App in Jdev 11.1.1.2.0 with webcenter extension.
I have 2 JSPX files.
One called mainTemplate.jspx
- contains header, footer in ADF and a center facet.
One called Welcome.jspx created from mainTemplate
- contains page customizable > panel customizable > layout customizable > various custom panel configs.
ADF security is configured with BASIC, authentication only. Because form authentication seems harder to get working.
We have one weblogic user, and currently deploy to the integrated WLS, although we'll deploy out to a full server once security/composer is working.
The problem is, when we run the Welcome.jspx, and because we added a reference to a logged in var, it requests http login fine.
We then refresh the page and see that we are indeed logged in as 'weblogic'.
Is weblogic a special user? should I create a new one? Is there any setup required on the Integrated WLS to get this working?
However when we click on 'add Content' using the composer we get a permission error.
+<RegistrationConfigurator><handleError> Server Exception during PPR, #1+
javax.el.ELException: oracle.adf.view.page.editor.security.ComposerSecurityException: You do not have permission to edit the page
+     at com.sun.el.parser.AstValue.invoke(AstValue.java:161)+
+...+
Caused by: oracle.adf.view.page.editor.security.ComposerSecurityException: You do not have permission to edit the page
+     at oracle.adfinternal.view.page.editor.bean.DialogBean.setDialogHelp(DialogBean.java:129)+
+     at oracle.adfinternal.view.page.editor.bean.DialogBean.showResourceCatalog(DialogBean.java:356)+
+     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)+
+...+
I tried using the Customization allowed var in the property inspector, but could not map 'allowed by' to a user or role that my setup would recognise. The doco specifies 'admin' which does not work for me.
In my catalog I have a WCM portlet taskflow, which will require its own permissions.
I tried enabling permissions for the test-all role to all of my pages/taskflows, leaving just the 'view' permission to the anonymous role.
I also tried authentication/authorization profiles, and building my own jspx login/error pages, but no luck there either, the login button doesn't seem to tirgger my java doLogin class, even though I set the binding on the button using the method expression builder to the bean method.
*note: I didn't try the welcome/login/error page auto create as they generate html files, I created JSFs with full UI in there. Am I required to use those html types instead of jspx? I found that the redirection worked by appending the jspx reference with '/faces/Login.jspx'. The problem seemed to have been somewhere else.
If we have any Webcenter Composer / Security gurus out there, help would be greatly appreciated.
Our main goal is to create a Webcenter App which has security/composer/navigation and a catalog with WCM/Siebel portlets similar to the Avitek demo without using WC Spaces.
Thanks.
Thanks.
Edited by: Guillaume_Davies_SC on Apr 20, 2010 7:28 PM

When you want to achieve this you need to configure ADF security with basic authentication & authorization. THe authorization is the part that takes care of what a user may and may not do in an application. Authentication is just the log in part.
When you have configured your application for authorization as well, you have to create roles and groups.
You will also have to set the authorization of your pages. Open a jsxp and in the design or source view, right click and "edit authorization". You then have to add roles to your pages and define their rights. Then you can set the authorization for edit,cuustomize,personlise,view,...
Hope this helps.

ADF security : How to get fnd_users list in weblogic server

Hi All,
I have a question related to ADF security.
I am able to apply ADF security to the application, where users information and roles are defined in jazn.xml file.
On deployment, users/ roles information is being successfully ported to weblogic server.
But my requirement is to fetch users information from fnd_users table. If you have any idea as how to get the fnd_users data to weblogic, please reply.
Thanks,
Randhir

Thanks John.
I went through the link and got steps for authentication with fnd_users.
I have one more question on this.
Do I need to enable jazn.xml for implementing security or only the steps given in this link is sufficient?
Since roles are also stored into fnd table, how to secure the taskflow? (roles are not defined in jazn.xml)

How to integrate a SSO based in cookie with ADF Security

At work they asked me to integrate a existing SSO based in cookie with the new ADF + Jdeveloper 11g + WLS. After google for days and read a lot of blogs and official documentation I've made a custom LoginModule. I made it very simple, it's just an "if" inside the login() function with the username, if the username is "john" I put to the Subject some Principals. My steps are:
1- Create a new app based on "Fusion application" template.
2- Make a new ADF Taskflow with only one view inside (the entry point of the taskflow). The jspx only contains a welcome message.
3- Run the ADF Security wizard, all the steps with the default option, I don't change anything.
4- Put some users and some roles in jazn-data.xml, and maping them to an application role. Then I grant permissions to the application role to view the previous task flow.
At this point everything is ok. I run the taskflow and a basic login popup prompts me to write my username and password. Now I try to remove everything useless for me, like idstore, credentials, anonymous, etc. I only want a LoginModule that get the HttpRequest and passes it to an already done class that returns a true/false depending if the cookie is correct or not but, as I said before, my LoginModule is so simple now and even didn't try to do something more complicated than an if. The steps I try are:
in jps-config.xml
5- Remove idstore.xml and credentials.
6- (loginmodule tab) Make a new login module, and put here my class. The class is in the ViewController project and JDeveloper find it navigating through the heriarchy, so I have visibility. I put REQUIRE flag, add all roles and debug mode.
7- In the security context unmark the idstore.loginmodule and mark myLoginModule. Also delete the anonymous security context.
All that I got until now is a 500 error (Internal server error - Authorization Exception). Sometimes (the close i've ever been to do something correct) the browser ask me for user/password but then only recognizes the users that already are in WLS (idstore from previous tests), but NOT the "john" user that is inside my custom LoginModule. Even more, if I run the WLS from JDeveloper 11g in debug mode, the runtime never stops at breakpoints inside my custom login module. It seems that my LoginModule isn't deployed or I made some error maping the roles.
So, my questions are:
- I'm in the good way? If I want an authentication based in cookie/httprequest I have to do a custom LoginModule? My goal is to do a re-usable code, and re-use the code that my co-workers have done. They have a class that with only the HttpRequest determines if a user is logged or not.
- If I'm in the good way... how can I put my custom LoginModule in the WLS? I tried to search something in the Administration Panel (localhost:7101/console) but I did'nt find nothing.
- In case I'd got the custom LoginModule working fine in WLS... how can I get a HttpRequest from a LoginModule and avoid the username/password dialog? I've to make a filter and pass it to the my LoginModule? If it's correct... how?
I don't post my code because is so simple, it's based on DBTableLoginModule but without all the database access code.
Thanks to all!
P.D.: If this message isn't in the correct forum, I'm sorry. Feel free to move it.
P.D.2: Sorry about my english, I'm spanish. I know i've to practise a lot :)

Hi Frank,
Thanks a lot for your answer. Just one more easy question: what I need to do is a custom Authentication Module (which will read the cookie)? If only you can point me to the correct chapter of the WLS documentation I'll be very pleased.
In future releases of JDeveloper will be easier to do this kind of things related to security?
Riveck

Problem with ADF security and task flow calls

Hi.
I am using JDeveloper 11.1.2.0.0.
I encountered a problem when tried to apply ADF security to my application.
The way to reproduce the problem:
1. Create new Fusion Web Application;
2. Import Business Components from Tables from any existing schema and add at least one table to the ApplicationModule.
3. Create "welcome page" (for instance, welcome.jsf). Add a button with fixed action outcome "test".
4. Create test page, for instance, test.jsf. Drag and drop any view object from Data Controls onto the page and create a form with navigation controls. Add a button with fixed action outcome "return".
5. Create bounded task flow, name it "test", drag and drop our test page on it - the page will be the default activity. Add a task flow return activity. Add a control flow case from the default view activity to the return activity, set From Outcome property to "return". So our return button should cause the task flow to exit.
6. Open adfc-config.xml in diagram mode and place our welcome page on it. Then drag and drop the test task flow to create a task flow call activity. Add a control flow case from welcome page to task flow call activity, set the From Outcome property to "test". So our test button should call the test task flow.
7. Configure application to run the unbounded task flow starting with Welcome view activity.
At this point all works as expected: when application runs, the welcome page is displayed with test button. Pressing the test button results in displaying the test page, return button leads back to the welcome page.
Now let's configure ADF Security.
Run the ADF Security configuration wizard, choose ADF Authentication and Authorization.
On the second page select Form-Based Authentication, check the Generate Default Pages flag.
On the third page choose No Automatic Grants.
On the next page keep the Redirect Upon Successful Authentication unchecked. Press Finish.
Open jazn-data.xml to configure roles, users and resource grants:
1. Create application role test-role.
2. Grant the test-role privileges to view the test task flow.
3. Create user and grant him the test-role.
Now we have the public available welcome page and the test page with restricted access.
When application runs, the welcome page is displayed as expected. Pressing the test button redirect us to auto-generated login page. After successful authorization the test page is displayed. But nothing happens if we click now the return button for the first time. When we click the return button once more, the application crushes with Error-500 and message "Target Unreachable, identifier 'bindings' resolved to null". The exact error trace depends on UI control bindings, but looks like this:
javax.el.PropertyNotFoundException: //C:/Users/DUDKIN/AppData/Roaming/JDeveloper/system11.1.2.0.38.60.17/o.j2ee/drs/Test1/ViewControllerWebApp.war/test.jsf @10,120 value="#{bindings.Id.inputValue}": Target Unreachable, identifier 'bindings' resolved to null
     at com.sun.faces.facelets.el.TagValueExpression.isReadOnly(TagValueExpression.java:122)
     at oracle.adfinternal.view.faces.renderkit.rich.EditableValueRenderer._getUncachedReadOnly(EditableValueRenderer.java:476)
     at oracle.adfinternal.view.faces.renderkit.rich.EditableValueRenderer.getReadOnly(EditableValueRenderer.java:390)
     at oracle.adfinternal.view.faces.renderkit.rich.EditableValueRenderer.wasSubmitted(EditableValueRenderer.java:345)
     at oracle.adfinternal.view.faces.renderkit.rich.EditableValueRenderer.decodeInternal(EditableValueRenderer.java:116)
     at oracle.adfinternal.view.faces.renderkit.rich.LabeledInputRenderer.decodeInternal(LabeledInputRenderer.java:56)
     at oracle.adf.view.rich.render.RichRenderer.decode(RichRenderer.java:342)
     at org.apache.myfaces.trinidad.render.CoreRenderer.decode(CoreRenderer.java:274)
     at org.apache.myfaces.trinidad.component.UIXComponentBase.__rendererDecode(UIXComponentBase.java:1324)
(the rest of lines skipped).
Any suggestions?
Edited by: user13307311 on Apr 16, 2013 11:39 PM

@Lovin_JV_941794
The welcome page is public available since it does not have appropriate PageDef file.
Login page comes not from the welcome page, it comes after attempt to access the test page. So after the login succeeded the test page appears, because redirect to welcome page after successful login is not configured. I do not need to return the welcome page at this moment, I need to go to the test page.
It seems the task flow call stack to be destroyed after redirect to login page.
Edited by: user13307311 on Apr 17, 2013 12:45 AM

ADF Security Wizzard

All,
the ADF Security Wizzard adds the following line to my jsp-config.xml which results in an exception as soon as a BC4J-connection is opened:
jsp-config.xml:
<property value="doasprivileged" name="oracle.security.jps.jaas.mode"/>
exception:
oracle.adf.share.security.ADFSecurityRuntimeException: Unable to fetch JpsUser principal from the current subject Betreff:
     Principal: DBUserPrincipal: test
     Principal: [JpsAuthenticatedRoleImpl: authenticated-role]
     at oracle.adf.share.security.providers.jps.CSFCredentialStore.extractJpsUser(CSFCredentialStore.java:824)
     at oracle.adf.share.security.providers.jps.CSFCredentialStore.getUserPrincipal(CSFCredentialStore.java:804)
     at oracle.adf.share.security.providers.jps.CSFCredentialStore.fetchCredential(CSFCredentialStore.java:320)
     at oracle.adf.share.security.credentialstore.CredentialStore.fetchCredential(CredentialStore.java:108)
     at oracle.adf.share.jndi.CredentialStoreHelper.fetchCredential(CredentialStoreHelper.java:93)
     at oracle.adf.share.jndi.ReferenceStoreHelper.loadCredentials(ReferenceStoreHelper.java:812)
     at oracle.adf.share.jndi.ReferenceStoreHelper.createReference(ReferenceStoreHelper.java:579)
     at oracle.adf.share.jndi.ReferenceStoreHelper.getReferencesMapEx(ReferenceStoreHelper.java:329)
     at oracle.adf.share.jndi.ContextImpl.load(ContextImpl.java:661)
     at oracle.adf.share.jndi.ContextImpl.init(ContextImpl.java:335)
     at oracle.adf.share.jndi.ContextImpl.<init>(ContextImpl.java:81)
     at oracle.adf.share.jndi.InitialContextFactoryImpl.getInitialContext(InitialContextFactoryImpl.java:15)
     at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
     at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
     at javax.naming.InitialContext.init(InitialContext.java:223)
[2008-06-04T18:52:34.941+02:00] [adf] [WARNING] [] [share.jndi.ReferenceStoreHelper] [tid: 12] [ecid: 0000HdKVbj000000000000000002g6lsq000000003,0] [APP: current-workspace-app] Incomplete connection information
[2008-06-04T18:52:53.984+02:00] [adf] [WARNING] [] [controller.faces.lifecycle.FacesPageLifecycle] [tid: 12] [ecid: 0000HdKVbj000000000000000002g6lsq000000003,0] [APP: current-workspace-app] ADFc: Error while opening JDBC connection.[[
oracle.jbo.DMLException: JBO-26061: Error while opening JDBC connection.
     at oracle.jbo.server.ConnectionPool.createConnection(ConnectionPool.java:253)
     at oracle.jbo.server.ConnectionPool.instantiateResource(ConnectionPool.java:168)
     at oracle.jbo.pool.ResourcePool.createResource(ResourcePool.java:545)
     at oracle.jbo.pool.ResourcePool.useResource(ResourcePool.java:327)
     at oracle.jbo.server.ConnectionPool.getConnectionInternal(ConnectionPool.java:104)
     at oracle.jbo.server.ConnectionPool.getConnection(ConnectionPool.java:70)
     at oracle.jbo.server.ConnectionPoolManagerImpl.getConnection(ConnectionPoolManagerImpl.java:56)
     at oracle.jbo.server.DBTransactionImpl.establishNewConnection(DBTransactionImpl.java:997)
     at oracle.jbo.server.DBTransactionImpl.initTransaction(DBTransactionImpl.java:1253)
     at oracle.jbo.server.DBTransactionImpl.initTxn(DBTransactionImpl.java:6397)
Wizzard Settings:
enforce authorization
redirect upon successful authentification
no identity store
enable credential store
no policy store
no anonymous provider
custom login module with some settings
form-based Authentification
Cheers
Andy

hi,
if you delete this line
<property value="doasprivileged" name="oracle.security.jps.jaas.mode"/>
in the jsp-config.xml you can at least use your application with authentication but authorization doesn't work b/c the subject does not contain the principals:
ADFContext.getCurrent().getSecurityContext().getUserRoles();
returns an empty String[].
Is there a workaround?
Cheers Andy

Jdev 10.1.3.1 "ADF Security": Application without a custom login page?

Hi,
We are trying to develop an application using "ADF security", which means we can give permissions to certain roles based on "Binding Container", "Iterator Binding", "Method Action Binding" and "Attribute-level Binding".
After reading the document -- "Oracle® Containers for J2EE Security Guide 10g (10.1.3.1.0) B28957-01" that Frank pointed out. We have a question:
Can we develop an ADF application without creating a custom login page? Right now we've followed the security guide and modified the configuration files. But when we run the application, we get the "user null" error message. The reason is clear because we do not have a login page. On the security guide, it says that it is possible to use the oracle default login module. But it does not say how. Does anyone have any idea?
Thanks,
Annie

Brenden,
Thank you so much for the reply. This is our code in the web.xml:
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>default</realm-name>
</login-config>
We are using HTTP basic Authentication. This technique worked for the container-managed security. The browser default login page pops up when the end users try to log into a secured JSP. But here we want to use "ADF security" to set up "Iterator binding" and "Attribute level binding" security. The browser default login page does NOT show up. Instead we get the "user null" error message.
If you have detailed step on how to select HTTP Basic Authentication, it would be very helpful to us. Or if you know any document has the detail.
regards,
Annie

Deploying ADF application to a managed weblogic server - ADF security error

Hi,
Our group has written an ADF web application, which we are attempting to deploy to a managed weblogic server. Thus far, we have been unsuccessful. The application does successfully deploy to the AdminServer. Our setup:
Weblogic version is 10.3.0. Domain name is adf_domain. We have installed the ADF (ADF version is 11.1.1.0.0), JSTL(1.2.0.1), and JSF(1.2.7.1) runtime libraries, and they are targeted to both the admin server AND the managed server, which is called CollabServer. This server communicates with the node manager and can be started and stopped via the admin console successfully. The AdminServer is on port 7101, and the CollabServer is on port 7104. We are not using SSL.
application.xml:
<?xml version = '1.0' encoding = 'windows-1252'?>
<application xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/application_5.xsd"
version="5" xmlns="http://java.sun.com/xml/ns/javaee">
<display-name>OracleRetailCollaboration</display-name>
<module>
<web>
<web-uri>orc.war</web-uri>
<context-root>orc</context-root>
</web>
</module>
</application>
weblogic-application.xml (as taken from the ear file):
<?xml version = '1.0' encoding = 'windows-1252'?>
<weblogic-application xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.bea.com/ns/weblogic/weblogic-application.xsd" xmln
s="http://www.bea.com/ns/weblogic/weblogic-application">
<listener>
<listener-class>oracle.security.jps.wls.listeners.JpsApplicationLifecycleListener</listener-class>
</listener>
<library-ref>
<library-name>adf.oracle.domain</library-name>
</library-ref>
</weblogic-application>
weblogic.xml (as taken from the war file):
<?xml version = '1.0' encoding = 'UTF-8'?>
<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/weblogic-web-app" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://ww
w.bea.com/ns/weblogic/weblogic-web-app http://www.bea.com/ns/weblogic/weblogic-web-app/1.0/weblogic-web-app.xsd">
<container-descriptor>
<prefer-web-inf-classes>true</prefer-web-inf-classes>
</container-descriptor>
<security-role-assignment>
<role-name>valid-users</role-name>
<principal-name>users</principal-name>
</security-role-assignment>
<library-ref>
<library-name>jstl</library-name>
<specification-version>1.2</specification-version>
</library-ref>
<library-ref>
<library-name>jsf</library-name>
<specification-version>1.2</specification-version>
</library-ref>
</weblogic-web-app>
As I said, there are no deployment errors when we deploy to the admin server. However, we always see the following errors when deploying to the managed server:
java.lang.ClassNotFoundException: oracle.security.jps.wls.listeners.JpsApplicationLifecycleListener
etc.
This error occurs when deploying via the <wldeploy> ant task included with weblogic, and when deploying the application manually via the admin console.
So I removed this from weblogic-application.xml:
<listener>
<listener-class>oracle.security.jps.wls.listeners.JpsApplicationLifecycleListener</listener-class>
</listener>
Which resolved the initial error (I assume there is some sort of bug that causes this workaround to be necessary). The next error is this:
java.lang.ClassNotFoundException: oracle.adf.share.security.authentication.AuthenticationServlet
Again, we don't get this error when deploying to the AdminServer - ONLY the managed server CollabServer.
web.xml:
<servlet>
<servlet-name>adfAuthentication</servlet-name>
<servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>adfAuthentication</servlet-name>
<url-pattern>/adfAuthentication/*</url-pattern>
</servlet-mapping>
I then added some adf jar files to the ear file, finally get this error message:
java.lang.ClassNotFoundException: oracle.adf.share.jsp.ADFLibUtils
Any ideas on how to resolve this? Thanks.
Edited by: user10451099 on Apr 15, 2009 12:10 PM

Dan,
thanks fro reminding me :-)
Here are the steps we had to take to get a managed WLS to run an adf application without copying any jar in the domain/lib directory:
1. you still have to install the adf runtime to any server you want the adf application to deploy to
2. open the admin console, select the managed server, and select the 'server start' tab in configutation settings.
3. add /u01/bea/patch_wls1030/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/u01/bea/patch_jdev1111/profiles/default/sys_manifest_classpath/weblogic_patch.jar:
/u01/bea/patch_cie660/profiles/default/sys_manifest_classpath/weblogic_patch.jar:/u01/bea/jrockit_160_05/lib/tools.jar:/u01/bea/wlserver_103/server/lib/weblogic_sp.jar:
/u01/bea/wlserver_103/server/lib/weblogic.jar:/u01/bea/modules/features/weblogic.server.modules_10.3.0.0.jar:/u01/bea/wlserver_103/server/lib/webservices.jar:
/u01/bea/modules/org.apache.ant_1.6.5/lib/ant-all.jar:/u01/bea/modules/net.sf.antcontrib_1.0.0.0_1-0b2/lib/ant-contrib.jar:/u01/bea/jdeveloper/modules/features/adf.share_11.1.1.jar:
/u01/bea/wlserver_103/common/eval/pointbase/lib/pbclient57.jar:/u01/bea/wlserver_103/server/lib/xqrl.jar:
/u01/bea/patch_wls1030/profiles/default/sysext_manifest_classpath/weblogic_ext_patch.jar to the classpath edit box you have to change '/u01/bea/' with your bea home. The classpath should be on one line without the CR/LF i put in to make it readable.
4. add -Xms256m -Xmx512m -da -Dplatform.home=/u01/bea/wlserver_103 -Dwls.home=/u01/bea/wlserver_103/server -Dweblogic.home=/u01/bea/wlserver_103/server
-Ddomain.home=/u01/bea/user_projects/domains/naa_qs -Doracle.home=/u01/bea/jdeveloper -Doracle.security.jps.config=/u01/bea/user_projects/domains/naa_qs/config/oracle/jps-config.xml
-Doracle.dms.context=OFF -Djava.protocol.handler.pkgs=oracle.mds.net.protocol -Dweblogic.management.discover=false -Dweblogic.management.server=http://localhost:7001
-Dwlw.iterativeDev=false -Dwlw.testConsole=false -Dwlw.logErrorsToConsole=
-Dweblogic.ext.dirs=/u01/bea/patch_wls1030/profiles/default/sysext_manifest_classpath:/u01/bea/patch_jdev1111/profiles/default/sysext_manifest_classpath:/u01/bea/patch_cie660/profiles/default/sysext_manifest_classpath
-Dweblogic.management.username=weblogic -Dweblogic.management.password=******** -Dweblogic.Name=GESTIS_QS
-Djava.security.policy=/u01/bea/wlserver_103/server/lib/weblogic.policy to the 'Arguments' edit box. As with the calsspath change '/u01/bea' to your bea home and change the domain name (in our case 'naa_qs') to your domain name. change the managementuser and passwort to your needs. As whith the classpath I put some CR/LF into the code section to make it readable.
5. save the changes and restart the server
Essentially all we copied the arguments from the admin server start script in addition to adding the class path.
Timo

Error While Login ADF Security Sample Application

Hi All,
Jdevloper Version : 11.1.1.5.0
we are Creating ADF Login Application contains login.jspx and main.jspx pages.
we define ADF Security on this Sample Application.
when we provide valid credentials to login(username and password) it shows Error:
Error 404--Not Found
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.5 404 Not Found
The server has not found anything matching the Request-URI. No indication is given of whether the condition is temporary or permanent.
If the server does not wish to make this information available to the client, the status code 403 (Forbidden) can be used instead.
The 410 (Gone) status code SHOULD be used if the server knows, through some internally configurable mechanism,
that an old resource is permanently unavailable and has no forwarding address.
ManagedBean(BackingbeanScope) doLogin():
         public String doLogin() {
        String un = _userName;
        byte[] pw = _password.getBytes();
        FacesContext ctx = FacesContext.getCurrentInstance();
        HttpServletRequest request =(HttpServletRequest)ctx.getExternalContext().getRequest();
        try {
            Subject subject =Authentication.login(new URLCallbackHandler(un, pw));
            weblogic.servlet.security.ServletAuthentication.runAs(subject,request);
            String loginUrl = "/adfAuthentication?success_url=/faces/main.jspx";
            HttpServletResponse response =(HttpServletResponse)ctx.getExternalContext().getResponse();
            RequestDispatcher dispatcher =request.getRequestDispatcher(loginUrl);
     ctx.responseComplete();
    catch (FailedLoginException fle)
                FacesMessage msg =new FacesMessage(FacesMessage.SEVERITY_ERROR, "Incorrect Username or Password", "An incorrect Username or Password was specified");
                ctx.addMessage(null, msg);
        return null;
In ADF Security We Define :
User : admin1
Enterprise Role : ManagerGroup(added user admin1 to this EnterpriseRole)
Application Role : Manager
Resource Grants : Resource Type : Web Page
                           login page
                          main page - Granted Role(Manager)
jazn-data.xml file
<?xml version = '1.0' encoding = 'UTF-8' standalone = 'yes'?>
<jazn-data xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/jazn-data-11_0.xsd">
<jazn-realm default="jazn.com">
    <realm>
      <name>jazn.com</name>
      <users>
        <user>
          <name>admmin1</name>
          <display-name>admmin1</display-name>
          <credentials>{903}y2I4TDwMavn90VxJJfPfgxtBsRnF0qiaMoxzP93XF74=</credentials>
        </user>
      </users>
      <roles>
        <role>
          <name>ManagerGroup</name>
          <display-name>ManagerGroup</display-name>
          <members>
            <member>
              <type>user</type>
              <name>admmin1</name>
            </member>
          </members>
        </role>
      </roles>
    </realm>
</jazn-realm>
<policy-store>
    <applications>
      <application>
        <name>ADFLogin</name>
        <app-roles>
          <app-role>
            <name>Manager</name>
            <class>oracle.security.jps.service.policystore.ApplicationRole</class>
            <display-name>Manager</display-name>
            <members>
              <member>
                <name>ManagerGroup</name>
                <class>oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl</class>
              </member>
            </members>
          </app-role>
        </app-roles>
        <jazn-policy>
          <grant>
            <grantee>
              <principals>
                <principal>
                  <name>Manager</name>
                  <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                </principal>
              </principals>
            </grantee>
            <permissions>
              <permission>
                <class>oracle.adf.share.security.authorization.RegionPermission</class>
                <name>multiofonds.adf.common.view.pageDefs.mainPageDef</name>
                <actions>view</actions>
              </permission>
            </permissions>
          </grant>
        </jazn-policy>
      </application>
    </applications>
</policy-store>
</jazn-data>
Please help us how to resolve it.
Thanks,
kumar

A best practice in this situation is to check on a running sample e.g. Oracle ADF: Security for Everyone
I guess your resource grants are not set correctly.
Timo

ADF security roles

Similar Messages

Maybe you are looking for