Configuring ADF Security to use LDAP

HI All
We are building an application which is secured using SSO authentication. We have an LDAP setup for this.
During development, we wanted to configure LDAP in ADF Security Wizard in Jdeveloper for authentication. I tried the following in ADF Security Wizard in the 10 steps of the wizard:
1) Configure ADF for Web Application, enforce Authorization
2) Enable Credential Store
3) No Policy Store
4) LDAP Identity Store
5) Enter LDAP credentials, LdAp URL, user base
6) No Anonymous Provider
7) Did not select any login module
8) Form Based Authentication, generate default
9) Added pages that need to be secured
10) Finish
The login page is rendered whenever i try to access a protected page. But when I enter the LDAP user credentials for login, it does not work. It says "You are not authorized to view this page".
Is there anything missing in the setup that is causing the issue. Any pointers on this would be helpful.
Thanks
Srinidhi.

Hi,
note that there don't exist documentation for configuring ADF Security in JDeveloper 11 with LDAP. In general, ADF Security in JDeveloper 11 is not yet ready for SSO and LDAP testings and still is under development. Note that LDAP authentication - as container managed authentication - is configured in the jps-config.xml file of the deployed application. However, as said, its not documented and would be just too much at this point to put into a forum answer
Frank

Similar Messages

Authenticate ADF application using adf security wizard against LDAP OID

I have an adf application which i intend to authorise using LDAP. For now , i have actually hand coded in java for authenticating the users of my application. Using JNDI I directly connect to LDAP and authenticate users. However , recently it came to my notice that i can also do that using ADF sercurity wizard , but i am unable to do so. which securing the ADF application ,no where in the wizard LDAP configuration is mentioned. do i have to change some file manually ? i have no idea on how to proceed on that.

i have setup wls , making th OIDAuthentication as Sufficient. but i dont know how to configure from ADF side so that it can authenticate against LDAP. when i try the ADF sercurity wizard option , it tells me to create new Roles . Is there any way where i can import the ldap credentials to the security wizard ..?

How to configure ADF application to use OAM Identity Assertion ? web.xml

We have a web application developed using ADF (application development framework) and deployed on WebCenter 11.1.1.2 (weblogic 10.3.2)
OID Authentication and OAM identity assertion is configured in WebLogic 10.3.2 .
How to configure security in ADF application (web.xml or weblogic.xml) so that it uses OAM identity assertion (already configured as authentication providers in weblogic server)
Any pointers or documentation so that application (developed using ADF) check for identity tocken and verifies it with one of identity assertion providers.

John,
I have to concur. With OAM you don't need this. OAM intercepts the calls and inserts a cookie for WLS to get user information from.
I strongly advise to go through the above mention OFM Security Guide. Esp. Chapter 10 tells you in every detail how to implement OAM SSO with WLS (with or without OHS as a proxy).
Reading this chapter saves you time and turnarounds on this topic...
--olaf

Using a Filter on OC4J with JAZN security enabled using LDAP

I have a LDAP security in place on OC4J. I have to create a filter which uses the HttpRequestWrapper to do some preprocessing with the request parameters. I have all the code in place along and the Filter which uses HttpRequestWrapper. Now the problem is that the OC4J gives an error -
Servlet error
javax.servlet.ServletException: JAAS-OC4J: JAZNFilter.doFilter - unable to find the current servlet
at oracle.security.jazn.oc4j.JAZNFilter.doFilter(Unknown Source)
at com.evermind[Oracle Application Server Containers for J2EE 10g (9.0.4.2.0)].server.http.EvermindFilterChain.doFilter(EvermindFilterChain.java:16)
at com.myapp.filter.RequestFilter.doFilter(RequestFilter.java:429)
at com.evermind[Oracle Application Server Containers for J2EE 10g (9.0.4.2.0)].server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:617)
at com.evermind[Oracle Application Server Containers for J2EE 10g (9.0.4.2.0)].server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:330)
at com.evermind[Oracle Application Server Containers for J2EE 10g (9.0.4.2.0)].server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:794)
at com.evermind[Oracle Application Server Containers for J2EE 10g (9.0.4.2.0)].server.http.AJPRequestHandler.run(AJPRequestHandler.java:208)
at com.evermind[Oracle Application Server Containers for J2EE 10g (9.0.4.2.0)].server.http.AJPRequestHandler.run(AJPRequestHandler.java:125)
at com.evermind[Oracle Application Server Containers for J2EE 10g (9.0.4.2.0)].util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:192)
at java.lang.Thread.run(Thread.java:534)
The error happens while executing the following line:
chain.doFilter(new MyHttpServletRequestWrapper((HttpServletRequest) request ), response);
The constructor call MyHttpServletRequestWrapper is successful. Something seems to be wrong as it appears the server is not able to locate the path where to forward to from within the Filter.
If I execute the same code without the JAZN LDAP security everything works fine.
Can anybody please provide some help to resolve this issue?

Yeah, it's a known problem - it caught me out as well.
The xml parser installed with OJSP is more strict than the one
with Orion. The order of the parameters becomes important. The
general solution is to check the dtd listed at the top of the
xml file for the parameter order and make sure any you specify
in the xml file are in this order.
Your specific case: the order of session-config and
welcome-file-list should be reveresed, ie session-config should
come first in the web.xml file.
Jonny

How can I configure ECC6.0 to use LDAP (Active Directory) password

We're setting up an integrated authentication between the ECC 6.0 and the LDAP server, in our case the Microsoft Active Directory. We have some users that can't use WebGui because some features, that only run in the SapGui. We have already configured UME in the Sap Portal accessing directly the ADS server, and Sap Logon Ticket from Portal to ECC. Everything is ok to access the WebGui and SapGui by the Portal with the Sap Logon Ticket. However it demands that all users make the authentication previously in the Sap Portal. Is there another scenario only with SAP tools, for example using Sap Logon directly to the Active Directory. Obs.: Our entire sap servers are UNIX.

I had already read all these notes.
In the last week, I tried to configure the UME in our PI/XI environment to access the LDAP. As the result, the ABAP stack was perform the authentication perfectly above the LDAP. However I had some problems with the Java stack and I comeback the back. I will try it, in the next week again.
It's what I'd like to ECC environment. Anyone has already configured the UME in an ECC? Install a basic Java stack without all Java components only the UME in order to make this integration. If its possible Ill very appreciate any documentation.
Other problem is the limitation of datasource in the UME, I didn't remember exactly but I guess that is only 5 (Authorization in the ECC, BI, SolMan, PI, APO, CRM, LDAP, Portal, etc). If it's possible I'll group the environments in different UME managers. Forget this paragraph lets focus in the integrated authentication in this thread after that authorization.

I accessed the page protected by ADF security using direct url access attac

hi,
I played with my application which is based on SRDemo code (with added ADF security handling protection of resources) using direct url access scenarios. I was able to access a protected page as authenticated but not authorized user. I'll try to explain what I did.
There are two folders/web resources in my application, faces/folderA/* and faces/folderB/*.
roleA only is configured to access first web resource and the roleB is configured to access the second resource.
I used ADF security to authorize only roleA for page in folderA and to authorize only roleB for page in folderB.
I configured error pages in web.xml:
<error-page>
<error-code>400</error-code>
<location>faces/error/error400.jspx</location>
</error-page>
<error-page>
<error-code>401</error-code>
<location>faces/error/error401.jspx</location>
</error-page>
<error-page>
<error-code>403</error-code>
<location>faces/error/error403.jspx</location>
</error-page>
<error-page>
<error-code>404</error-code>
<location>faces/error/error404.jspx</location>
</error-page>
<error-page>
<exception-type>java.lang.Throwable</exception-type>
<location>faces/error/error500.jspx</location>
</error-page>
Other config params are:
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>infrastructure/ABLogin.jspx</form-login-page>
<form-error-page>faces/error/error401.jspx</form-error-page>
</form-login-config>
</login-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>AB Prototype</web-resource-name>
<url-pattern>faces/ABAbout.jspx</url-pattern>
<url-pattern>faces/ABHelp.jspx</url-pattern>
<url-pattern>faces/ABLogout.jspx</url-pattern>
<url-pattern>faces/ABWelcome.jspx</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>A</role-name>
<role-name>B</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>AZone</web-resource-name>
<url-pattern>faces/folderA/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>A</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>BZone</web-resource-name>
<url-pattern>faces/folderB/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>B</role-name>
</auth-constraint>
</security-constraint>
<filter>
<filter-name>adfBindings</filter-name>
<filter-class>oracle.adf.model.servlet.ADFBindingFilter</filter-class>
<init-param>
<param-name>unauthorizedErrorPage</param-name>
<param-value>faces/error/error401.jspx</param-value>
</init-param>
</filter>
<filter>
<filter-name>adfFaces</filter-name>
<filter-class>oracle.adf.view.faces.webapp.AdfFacesFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>adfBindings</filter-name>
<url-pattern>*.jsp</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>adfBindings</filter-name>
<url-pattern>*.jspx</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>adfFaces</filter-name>
<url-pattern>*.jsp</url-pattern>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>adfFaces</filter-name>
<url-pattern>*.jspx</url-pattern>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet>
<servlet-name>resources</servlet-name>
<servlet-class>oracle.adf.view.faces.webapp.ResourceServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>adfAuthentication</servlet-name>
<servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
<load-on-startup>2</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern>
</servlet-mapping>
Once I authenticated as user in roleA I was trying to directly access URLs accessible only by users in roleB. In the beginning everything worked OK: I was dispatched to error401.jspx page with message Not authorized... etc.
But I kept trying to access different URLs, like http://localhost:8988/AB/faces, http://localhost:8988/AB/faces/folderB, http://localhost:8988/AB/faces/folderB/pageB.jspx, http://localhost:8988/AB
(not necessarily in that order, I played for a couple of minutes and the system would always dispatch to error401.jspx page if unauthorized attempt. But all of sudden, to my surprise, I got the pageB.jspx page while logged in as user belonging to roleA!)
Not sure how that happened but the connectedUser on pageB (#{userInfo.authenticated}) shows that I am logged in as user whose role is A.
I checked Authorization in ADF security and it is still correct: pageB is only accessible to roleB and pageA is only accessible to roleA.
I hope I made some stupid mistake in my configuration?

Hi,
ADF Security is JAAS permission based and not container managed. Note that unless you explicitly configured ADF Security you don't use ADF Security but container managed security, which is all that I can see in your configurations.
Not sure which version fo JDeveloper you use, but if you could change the following setting
<security-constraint>
<web-resource-collection>
<web-resource-name>AZone</web-resource-name>
<url-pattern>faces/folderA/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>A</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>BZone</web-resource-name>
<url-pattern>faces/folderB/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>B</role-name>
</auth-constraint>
</security-constraint>
to contain jspx file references instead of wildcards like in faces/folderB/* then what you see should no longer be possible. There was a known issue with the security settings in SRDemo that was caused by a defect in OC4J container managed security. I would expect this issue to be fixed in a more recent version of OC4J.
However, the work around until then is to protect all JSPX files in a directory instead of using wild card matches
Frank

Use Adf Security In jspx page

Hi guys,
Currently I am using default adf security.is there any way to use same security on my login jspx page.
Thanks,
Raul

hi user,
i hope that you are looking for
http://www.fireboxtraining.com/blog/2012/02/09/oracle-adf-11g-authentication-using-custom-adf-login-form/
http://docs.oracle.com/cd/E26098_01/web.1112/e16182/adding_security.htm
please see the if you want custom login.
Figure 35-3 Using the Configure ADF Security Wizard to Generate a Simple Login Page
there is lot of youtube videos. just google it out.
this is to timo:
What do you mean by '...I am using default adf security...'
if i am understood correctly. while creating new fusion web apps while configuring adf-security HTTP Basic Authentication is comes as default option. he mentioning in that way.
do You want to secure the login page itself? This doesn't make sense as you need to login to get to the login page.
i hope he is not asking like as you mentioned.
from my experience i will interpret like this
"Currently I am using default adf security".
he is currently using default adf security(HTTP Basic Authentication).
is there any way to use same security on my login jspx page.
he need use the same adf-security concept on custom login page.
Thanks

Can we do customization using db based MDS where ADF security not enabled?

JDeveloper 11.1.1.6 : ADF BC + ADF Faces
Requirement : I want to customize the application across the user session. In this app I have NOT used ADF security. There is siteminder security setup on the server which authenticates the application. The logged in userid/username is available in the request header.
Now my question is can i customize this app using db based MDS?
Any help will be appreciated.
~Abhijit

Abhijit,
My first instinct was to say "of course you must enable ADF Security" and post a link to the docs. However, the docs are silent on this.
The best quote that I can give you is from [url http://docs.oracle.com/cd/E18941_01/tutorials/jdtut_11r2_18/jdtut_11r2_18.html]here, which says (in step 12):
Before you can persist user customizations across sessions using MDS as the repository, you must configure ADF Security and create users for the application.John

ADF Security using sqlauthenticator issue unable to login

Hi,
AM using jdev 11.1.2.3
I followed these blogs to configure adf security using sql authenticator
http://biemond.blogspot.in/2008/12/using-database-tables-as-authentication.html
http://hazem-adf-tips.blogspot.in/2012/06/adf-security-database-authentication.html
am unable to login.. I can able to see the users and roles in WL admin console. When i am giving the user credentials it is redirecting to error page saying unauthorized .
plz can anybody help me out from this issue.
Thanks,
Nitesh

HI Timo,
I have created application roles admin and user. Unable to create enterprise role with same name. When i am trying to map application role with enterprise role it is not displaying in mapping window..
The following log message
Removing existing role admin
creating new role admin.
with this it is recreating the new role and role id gets change when ever i m restarting my server and deploying the application..
Thanks,
Nitesh

Using LDAP as security realm

Hi,
Our goal is to use LDAP(Iplanet Directory Server 5.0) as a security Realm
for Weblogic Personalization and Commerce 3.5.
Using the WLCS console, I've modified the config.xml file and following
elements are added:
<LDAPRealm AuthProtocol='simple' Credential='admin'
GroupDN='ou=groups,dc=netnumina,dc=com' GroupIsContext='false'
GroupUsernameAttribute='uniquemember'
LDAPURL='ldap://sanand.netnumina.com:389' Name='wlcsLDAPRealm'
Principal='uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot'
UserAuthentication='local' UserDN='ou=people,dc=netnumina,dc=com'
UserNameAttribute='uid'/>
<CachingRealm BasicRealm='wlcsLDAPRealm' CacheCaseSensitive='true'
Name='wlcsCachingRealm'/>
But when we try to restart the WLCS, it throws java exceptions that context
is not initialized and I get the following error
<Jun 15, 2001 3:41:28 PM EDT> <Emergency> <Server> <Unable to initialize the
ser
ver: 'Fatal initialization exception
Throwable: weblogic.security.ldaprealm.LDAPException: could not get
context - wi
th nested exception:
[java.lang.reflect.InvocationTargetException - with target exception:
[javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid
Credential
s]]]
weblogic.security.ldaprealm.LDAPException: could not get context - with
nested e
xception:
I tried using Windows NT as a security realm but that gave me errors too.
Does anyone has any experience using anything other than the default Realm?
Any help would be appreciated. Thanks!
Asim Raja
[email protected]

I'm not sure, but I suspect you can't
since this would create a circular dependency -
your realm would rely on the upper level security
checking calls but those calls would rely on your
realm.
My suggestion is to give it a try and see what
happens.
-Tom
Ozcan ADIYAMAN <[email protected]> wrote:
Hi ,
I am implementing a simple custom security realm using LDAP as the
security store and I can see the users, groups and acls from the admin
console.
My question is (a custom realm newbie question) ;
Is it possible to use weblogic.security.acl.Security with my custom
realm to check permissions, get the current user,etc.,
OR
is this class ONLY used with default realms (when ACL is stored in a
file) ?
Thanks
Ozcan

GOTCHA's with Setting up ADF Security with JDev 11.1.1.6.0

If you're getting into ADF security, you're probably going to want to get rid of that ugly default login.html page. I mean, it gets the job done, but we want something a little better. And if you want something a little better and you're using JDev 11.1.1.6.0, it behooves you to read this post!
First off, get acquainted with these four posts. All good stuff. They'll walk you through the 1st half of what you need to know. Y'know, the non-Gotcha half.
http://one-size-doesnt-fit-all.blogspot.com/2010/07/adf-security-revisited-again-again.html
http://myadfnotebook.blogspot.com/2011/11/adf-security-basics.html
http://andrejusb.blogspot.com/2010/11/things-you-must-know-about-adf-faces.html
http://java2go.blogspot.com/2010/12/creating-centered-page-layout-using-adf.html
Are you getting either of the following errors?
<CodebasePolicyHandler> <migrateDeploymentPolicies> Migration of codebase policy failed. Reason: {0}.
oracle.security.jps.JpsException: java.lang.IllegalArgumentException: oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl
Error 500--Internal Server Error
java.lang.RuntimeException: Cannot find FacesContextI'll show you where they're coming from. Follow along.
1) Create a new application.
2) Create three .jspx pages called login, error, and welcome.
3) Generate PageDef files for them by right-clicking on the file and selecting "Go To PageDefinition". You'll want these so that you may apply security against them.
4) Right-Click on your Application and select Secure->Configure ADF Security
5) ADF Authentication and Authorization -> Form Based Authentication (Use the search symbol to select your created login and error pages. Should be something like "/faces/login.jspx") -> No Automatic Grants -> Finish
Right-Click your welcome.jspx and select run. You'll get this error before your web page opens up in your browser and then proceeds to wig out.
<CodebasePolicyHandler> <migrateDeploymentPolicies> Migration of codebase policy failed. Reason: {0}.
oracle.security.jps.JpsException: java.lang.IllegalArgumentException: oracle.security.jps.internal.core.principals.JpsAnonymousRoleImplThat just won't do. Let's fix it, shall we?
6) Open your newly JDev created jazn-data.xml file. It's located in the Application Resources panel (usually located by Data Controls and your Projects expandable panels)
7) Resource Grants -> Resource Type (Web Page dropdown) -> error page should have a key symbol by it. Delete the anonymous role in the "Granted To" column. Now click the green button to add an Application Role. Huh, there's TWO of them? How bout that? Looks like we're going to have to delete some XML code!
8) Click the Source tab on the bottom of the page to open up the XML View. You'll see the following piece of erroneous code. Erroneous, I say!
<policy-store>
    <applications>
      <application>
        <name>SecurityError</name>
        <app-roles>
          // Hello, I'm the app role that has sucked away two hours of your life that you can never, ever get back
          <app-role>
            <name>anonymous-role</name>
            <class>oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl</class>
            <display-name>anonymous-role</display-name>
          </app-role>
         // Whew, the end of that app role
        </app-roles>
        <jazn-policy>
          <grant>9) You're going to want to delete that app role XML
10) Go back into your jazn-data.xml file and create some users. For example, bob and jane. Create an Enterprise role called "admin". Put bob and jane as members into this Enterprise role. Create an Application role called managers. Map managers to your Enterprise role admin.
11) Go back to the Resource Grants tab -> Resource Type (Web Page) and delete any "Granted To" authorizations that may assigned to any of the pages. Assigned a "Granted To" application role of "anonymous-role" to the error and login pages. Assign "managers" to welcome.
12) Run your welcome page. Yay, the error is gone. How sweet it is.
Now you want to refactor/move your login and error page somewhere else? Great, just right-click and select factor. Refactor to some place like /public_html/jspx/<your login page>.jspx. Re-run your welcome page.
// You fool!
Error 404--Not Found
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.5 404 Not FoundThat's not so good. Let's fix that.
1) Open up web.xml. It's located at ViewController/WEB-INF/web.xml.
2) Click the security tab and you'll see Form-Based Authentication with a login page and error page. Click that Search glass and locate your new file. Do the same for the error page. You should see something like "/jspx/login.jspx" come back.
3) Re-run your welcome page.
// Suckered AGAIN!
Error 500--Internal Server Error
java.lang.RuntimeException: Cannot find FacesContextThis is a tricky one. The search icon brings back a faulty address. Since we're using a .jspx page, it needs to be "/faces/jspx/login.jspx". Repeat for the error page. Re-run your welcome.jspx.
Ahh!! Now THAT's how we do it in Kingsport!
Finally, a custom .jspx login works. Now what are you doing here? Shouldn't you be playing some Diablo 3?
Will

Ha :-)
Point being good summaries like yours tend to get lost on the forums because of the volume of posts. With a blog people have the chance to subscribe to your posts so it's just a better vehicle all round for posting content to help others.
I highly recommend writing blogs even if it's for scratch notes, because you'll learn a lot in structuring your thoughts. It's also a really good way to get noticed in the community because bloggers stand out.
But your call, no pressure of course ;-)
CM.

Creating a WebCenter Application with PageCutomizable and ADF Security

I created a Webcenter App in Jdev 11.1.1.2.0 with webcenter extension.
I have 2 JSPX files.
One called mainTemplate.jspx
- contains header, footer in ADF and a center facet.
One called Welcome.jspx created from mainTemplate
- contains page customizable > panel customizable > layout customizable > various custom panel configs.
ADF security is configured with BASIC, authentication only. Because form authentication seems harder to get working.
We have one weblogic user, and currently deploy to the integrated WLS, although we'll deploy out to a full server once security/composer is working.
The problem is, when we run the Welcome.jspx, and because we added a reference to a logged in var, it requests http login fine.
We then refresh the page and see that we are indeed logged in as 'weblogic'.
Is weblogic a special user? should I create a new one? Is there any setup required on the Integrated WLS to get this working?
However when we click on 'add Content' using the composer we get a permission error.
+<RegistrationConfigurator><handleError> Server Exception during PPR, #1+
javax.el.ELException: oracle.adf.view.page.editor.security.ComposerSecurityException: You do not have permission to edit the page
+     at com.sun.el.parser.AstValue.invoke(AstValue.java:161)+
+...+
Caused by: oracle.adf.view.page.editor.security.ComposerSecurityException: You do not have permission to edit the page
+     at oracle.adfinternal.view.page.editor.bean.DialogBean.setDialogHelp(DialogBean.java:129)+
+     at oracle.adfinternal.view.page.editor.bean.DialogBean.showResourceCatalog(DialogBean.java:356)+
+     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)+
+...+
I tried using the Customization allowed var in the property inspector, but could not map 'allowed by' to a user or role that my setup would recognise. The doco specifies 'admin' which does not work for me.
In my catalog I have a WCM portlet taskflow, which will require its own permissions.
I tried enabling permissions for the test-all role to all of my pages/taskflows, leaving just the 'view' permission to the anonymous role.
I also tried authentication/authorization profiles, and building my own jspx login/error pages, but no luck there either, the login button doesn't seem to tirgger my java doLogin class, even though I set the binding on the button using the method expression builder to the bean method.
*note: I didn't try the welcome/login/error page auto create as they generate html files, I created JSFs with full UI in there. Am I required to use those html types instead of jspx? I found that the redirection worked by appending the jspx reference with '/faces/Login.jspx'. The problem seemed to have been somewhere else.
If we have any Webcenter Composer / Security gurus out there, help would be greatly appreciated.
Our main goal is to create a Webcenter App which has security/composer/navigation and a catalog with WCM/Siebel portlets similar to the Avitek demo without using WC Spaces.
Thanks.
Thanks.
Edited by: Guillaume_Davies_SC on Apr 20, 2010 7:28 PM

When you want to achieve this you need to configure ADF security with basic authentication & authorization. THe authorization is the part that takes care of what a user may and may not do in an application. Authentication is just the log in part.
When you have configured your application for authorization as well, you have to create roles and groups.
You will also have to set the authorization of your pages. Open a jsxp and in the design or source view, right click and "edit authorization". You then have to add roles to your pages and define their rights. Then you can set the authorization for edit,cuustomize,personlise,view,...
Hope this helps.

Problem with ADF security and task flow calls

Hi.
I am using JDeveloper 11.1.2.0.0.
I encountered a problem when tried to apply ADF security to my application.
The way to reproduce the problem:
1. Create new Fusion Web Application;
2. Import Business Components from Tables from any existing schema and add at least one table to the ApplicationModule.
3. Create "welcome page" (for instance, welcome.jsf). Add a button with fixed action outcome "test".
4. Create test page, for instance, test.jsf. Drag and drop any view object from Data Controls onto the page and create a form with navigation controls. Add a button with fixed action outcome "return".
5. Create bounded task flow, name it "test", drag and drop our test page on it - the page will be the default activity. Add a task flow return activity. Add a control flow case from the default view activity to the return activity, set From Outcome property to "return". So our return button should cause the task flow to exit.
6. Open adfc-config.xml in diagram mode and place our welcome page on it. Then drag and drop the test task flow to create a task flow call activity. Add a control flow case from welcome page to task flow call activity, set the From Outcome property to "test". So our test button should call the test task flow.
7. Configure application to run the unbounded task flow starting with Welcome view activity.
At this point all works as expected: when application runs, the welcome page is displayed with test button. Pressing the test button results in displaying the test page, return button leads back to the welcome page.
Now let's configure ADF Security.
Run the ADF Security configuration wizard, choose ADF Authentication and Authorization.
On the second page select Form-Based Authentication, check the Generate Default Pages flag.
On the third page choose No Automatic Grants.
On the next page keep the Redirect Upon Successful Authentication unchecked. Press Finish.
Open jazn-data.xml to configure roles, users and resource grants:
1. Create application role test-role.
2. Grant the test-role privileges to view the test task flow.
3. Create user and grant him the test-role.
Now we have the public available welcome page and the test page with restricted access.
When application runs, the welcome page is displayed as expected. Pressing the test button redirect us to auto-generated login page. After successful authorization the test page is displayed. But nothing happens if we click now the return button for the first time. When we click the return button once more, the application crushes with Error-500 and message "Target Unreachable, identifier 'bindings' resolved to null". The exact error trace depends on UI control bindings, but looks like this:
javax.el.PropertyNotFoundException: //C:/Users/DUDKIN/AppData/Roaming/JDeveloper/system11.1.2.0.38.60.17/o.j2ee/drs/Test1/ViewControllerWebApp.war/test.jsf @10,120 value="#{bindings.Id.inputValue}": Target Unreachable, identifier 'bindings' resolved to null
     at com.sun.faces.facelets.el.TagValueExpression.isReadOnly(TagValueExpression.java:122)
     at oracle.adfinternal.view.faces.renderkit.rich.EditableValueRenderer._getUncachedReadOnly(EditableValueRenderer.java:476)
     at oracle.adfinternal.view.faces.renderkit.rich.EditableValueRenderer.getReadOnly(EditableValueRenderer.java:390)
     at oracle.adfinternal.view.faces.renderkit.rich.EditableValueRenderer.wasSubmitted(EditableValueRenderer.java:345)
     at oracle.adfinternal.view.faces.renderkit.rich.EditableValueRenderer.decodeInternal(EditableValueRenderer.java:116)
     at oracle.adfinternal.view.faces.renderkit.rich.LabeledInputRenderer.decodeInternal(LabeledInputRenderer.java:56)
     at oracle.adf.view.rich.render.RichRenderer.decode(RichRenderer.java:342)
     at org.apache.myfaces.trinidad.render.CoreRenderer.decode(CoreRenderer.java:274)
     at org.apache.myfaces.trinidad.component.UIXComponentBase.__rendererDecode(UIXComponentBase.java:1324)
(the rest of lines skipped).
Any suggestions?
Edited by: user13307311 on Apr 16, 2013 11:39 PM

@Lovin_JV_941794
The welcome page is public available since it does not have appropriate PageDef file.
Login page comes not from the welcome page, it comes after attempt to access the test page. So after the login succeeded the test page appears, because redirect to welcome page after successful login is not configured. I do not need to return the welcome page at this moment, I need to go to the test page.
It seems the task flow call stack to be destroyed after redirect to login page.
Edited by: user13307311 on Apr 17, 2013 12:45 AM

Web Center app with ADF Security - login problem

I have a custome Oracle Web Center app.
I have a page.html with an embedded login form posting to j_security_check. I've configured the ADF security policies to redirect to a JSPX on successful login.
When I try the correct username/password, I get redirected not to the page I defined in ADF, but to the root page http://127.0.0.1:7101/MyApp-ViewController-context-root/
and i get
Error 403--Forbidden
I've checked the weblogic.xml as per http://andrejusb.blogspot.com/2009/12/solving-error-403-forbidden-in-adf.html, all the required entries are there.
This works fine if i use a Login link with
destination="#{'/adfAuthentication?login=true&end_url=/faces/postLogin.jspx'} "
which redirects to the default login.html and then to the right page. I've copied the form from the default login.html into my master HTML page.
Hope my question is clear. Any suggestions why it is going to the wrong URL after login.
Is there anything specific I should see in the jazn-data.xml or web.xml regarding the post-login URL since i cant see that in either.
P.S. Have been advised to try here when I originally asked this in the WebCenter forum. Web Center app ADF Security - login problem
Edited by: new_to_webcenter on 18-Jan-2011 05:25

Thanks for your response Frank.
The web.xml has
<security-constraint>
<web-resource-collection>
<web-resource-name>adfAuthentication</web-resource-name>
<url-pattern>/adfAuthentication</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>valid-users</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/error.html</form-error-page>
</form-login-config>
</login-config>
When configuring ADF Security via JDev , I chose "Redirect upon successful authentication" to the Welcome Page
"/faces/postLogin.jspx"
this then adds into web.xml
<servlet>
<servlet-name>adfAuthentication</servlet-name>
<servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
<init-param>
<param-name>success_url</param-name>
<param-value>/faces/postLogin.jspx</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
So the sequence which works is:
Login via the '/adfAuthentication?login=true&end_url=/faces/postLogin.jspx' and this redirects to login.html (OOTB form which posts to j_security_check) and then to the postLogin.jspx
I'm trying to do away with a Login link, and trying the simple login form embedded in my page alongwith other content.
So should the form be posting to j_security_check directly or to the adfAuthentication ?

ADF Security against database?

I am working with JDeveloper 10.1.3.4 on a project which uses adf/bc and adf faces/jsf 1.1; the application is deploying to iAS 10.1.3.4 and is hooked as a mid-tier instance via SSO to an infra iAS instance on another machine.
How do you change ADF Security to reference a database table to find out settings for page/iterator/attribute security settings?
Most of the existing code in this environment is Web Pl/sql toolkit and portal work. I am adding ADF apps. They would like to control what the different roles have access to via the database...hence this question.
Normally with ADF Security you use an editor in JDeveloper which you can access from within the page def file in the structure pane within JDeveloper; I think this changes system-jazn.xml. If you, instead, want these settings to be located within a database table, what do you have to do?
In my initial research I am thinking somehow I must create an override for ADFPermission.getContext() somehow...but I have not figured out if that is right or not yet.
It may just be easier to re-invent the wheel: just do things programmatically using Java; but there is a lot of structure inherant in ADF Security that I would be reproducing if I go that route, I think.
Anybody have any ideas?
I am continuing to research this issue, but I think this is an unusual use-case; so I am not expecting to find this answer anywhere in particular. Maybe somebody knows this off the top of their head.

Right, Frank; I mostly meant that it would help me learn more about the subject of J2EE permissions. Vik has pointed me in the direction of the Sun Java Forums for more information on this topic, which I will hopefully get a chance to pursue.
Thank you for getting back to me. Thank you again, also, for all your work on custom login modules; I have used that work of yours several times professionally. It is just that this client I am working with now is satisfied with their SSO/LDAP setup...they just want to store permissions in the database also.

Configuring ADF Security to use LDAP

Similar Messages

Maybe you are looking for