How to integrate a cookie-based SSO with ADF Security

At work they asked me to integrate an existing cookie-based SSO with the new ADF + JDeveloper 11g + WLS. After googling for days and reading a lot of blogs and the official documentation, I've made a custom LoginModule. I made it very simple: it's just an "if" inside the login() function on the username; if the username is "john" I put some Principals into the Subject. My steps are:
1- Create a new app based on the "Fusion application" template.
2- Make a new ADF task flow with only one view inside (the entry point of the task flow). The jspx only contains a welcome message.
3- Run the ADF Security wizard, all the steps with the default option; I don't change anything.
4- Put some users and some roles in jazn-data.xml, and map them to an application role. Then I grant the application role permission to view the previous task flow.
At this point everything is OK. I run the task flow and a basic login popup prompts me to write my username and password. Now I try to remove everything useless for me, like idstore, credentials, anonymous, etc. I only want a LoginModule that gets the HttpRequest and passes it to an already written class that returns true/false depending on whether the cookie is correct or not, but, as I said before, my LoginModule is so simple right now that I haven't even tried to do anything more complicated than an if. The steps I try are:
In jps-config.xml:
5- Remove idstore.xml and credentials.
6- (LoginModule tab) Make a new login module and put my class there. The class is in the ViewController project and JDeveloper finds it navigating through the hierarchy, so I have visibility. I set the REQUIRED flag, add all roles and debug mode.
7- In the security context, unmark idstore.loginmodule and mark myLoginModule. Also delete the anonymous security context.
All I've got until now is a 500 error (Internal Server Error - Authorization Exception). Sometimes (the closest I've ever been to doing something correct) the browser asks me for user/password, but then it only recognizes the users that are already in WLS (the idstore from previous tests), and NOT the "john" user that is inside my custom LoginModule. Even more, if I run WLS from JDeveloper 11g in debug mode, the runtime never stops at breakpoints inside my custom login module. It seems that my LoginModule isn't deployed, or I made some error mapping the roles.
So, my questions are:
- Am I on the right track? If I want authentication based on a cookie/HttpRequest, do I have to write a custom LoginModule? My goal is to write re-usable code, and to re-use the code that my co-workers have done. They have a class that, given only the HttpRequest, determines whether a user is logged in or not.
- If I'm on the right track... how can I put my custom LoginModule in WLS? I tried to search for something in the Administration Panel (localhost:7101/console) but I didn't find anything.
- In case I get the custom LoginModule working fine in WLS... how can I get an HttpRequest from a LoginModule and avoid the username/password dialog? Do I have to make a filter and pass it to my LoginModule? If that's correct... how?
I don't post my code because it is so simple; it's based on DBTableLoginModule but without all the database access code.
Thanks to all!
P.D.: If this message isn't in the correct forum, I'm sorry. Feel free to move it.
P.D.2: Sorry about my English, I'm Spanish. I know I have to practise a lot :)

Hi Frank,
Thanks a lot for your answer. Just one more easy question: so what I need to do is a custom Authentication Module (which will read the cookie)? If you could point me to the correct chapter of the WLS documentation I'd be very pleased.
In future releases of JDeveloper, will it be easier to do this kind of security-related thing?
Riveck
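The custom Authentication Module the thread is asking about is, in WebLogic terms, an Identity Asserter: the container hands it the cookie as a token and, when assertion succeeds, never shows the username/password dialog. Added example, not the poster's or Oracle's code: an IdentityAsserterV2 for a cookie-based SSO that delegates validation to the co-workers' existing class through the assumed SsoCookieValidator interface (the cookie name SSO_TOKEN, the package and the class names are assumptions too). It assumes the asserter is returned by an AuthenticationProviderV2 with its generated MBean, that the cookie name is listed in the provider's Active Types, and that the application's web.xml uses the CLIENT-CERT auth-method, which is what makes WebLogic attempt perimeter assertion.

```java
package example.sso; // hypothetical package, not from the thread

import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.servlet.http.HttpServletRequest;
import weblogic.security.service.ContextHandler;
import weblogic.security.spi.IdentityAssertionException;
import weblogic.security.spi.IdentityAsserterV2;

/**
 * Identity asserter for a cookie-based SSO. WebLogic calls assertIdentity() when a request
 * carries a cookie whose name is listed in the provider's "Active Types"; on success the user
 * is authenticated by perimeter assertion and no BASIC/FORM login dialog is shown.
 */
public class CookieIdentityAsserter implements IdentityAsserterV2 {

    /** Cookie name = token type. Assumed value; must match the provider's Active Types. */
    public static final String TOKEN_TYPE = "SSO_TOKEN";

    /** ContextHandler key under which WebLogic exposes the current servlet request. */
    private static final String REQUEST_KEY = "com.bea.contextelement.servlet.HttpServletRequest";

    /** Adapter for the co-workers' class (assumed): returns the user name, or null if not logged in. */
    public interface SsoCookieValidator {
        String userFor(HttpServletRequest request);
    }

    private final SsoCookieValidator validator;

    public CookieIdentityAsserter(SsoCookieValidator validator) {
        this.validator = validator;
    }

    public CallbackHandler assertIdentity(String type, Object token, ContextHandler context)
            throws IdentityAssertionException {
        if (!TOKEN_TYPE.equals(type)) {
            throw new IdentityAssertionException("unexpected token type: " + type);
        }
        // WebLogic passes header/cookie tokens as byte[] holding the raw value; reject empty ones
        // early so a cookie that is merely present never reaches the validator.
        byte[] raw = token instanceof byte[] ? (byte[]) token : null;
        if (raw == null || raw.length == 0) {
            throw new IdentityAssertionException("empty or malformed " + TOKEN_TYPE + " cookie");
        }
        // The existing validator wants the whole request (it reads and verifies the cookie itself).
        Object req = context == null ? null : context.getValue(REQUEST_KEY);
        if (!(req instanceof HttpServletRequest)) {
            throw new IdentityAssertionException("no HttpServletRequest in security context");
        }
        String user = validator.userFor((HttpServletRequest) req);
        if (user == null || user.isEmpty()) {
            // Throwing makes the container refuse the request instead of treating the
            // cookie holder as anonymous; nothing is asserted for an invalid cookie.
            throw new IdentityAssertionException("SSO cookie rejected");
        }
        return new NameOnlyCallbackHandler(user);
    }

    /** Hands only the asserted user name to the provider's LoginModule; no password exists. */
    private static final class NameOnlyCallbackHandler implements CallbackHandler {
        private final String user;

        NameOnlyCallbackHandler(String user) { this.user = user; }

        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                }
                // PasswordCallback etc. are left untouched: identity was established by the cookie.
            }
        }
    }
}
```

The LoginModule returned by the provider's getAssertionModuleConfiguration() only needs the NameCallback to build the Subject's WLSUser/WLSGroup principals; the cookie's cryptographic verification (signature, expiry) inside the validator is what makes the assertion trustworthy.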

Similar Messages

  • How can we handle browser settings while dealing with the security ?

    Hi ,
How can we handle browser settings while dealing with security? When we configured security in web.xml, during the first request the container asks for the authentication credentials; once they are provided it goes on. But when the user makes a fresh request from a second window within the same browser, it does not ask for authentication that time. How can we overcome this? Is there anything to do with server configurations?
How can we make the container not keep the things, or not act like a session?

Yeah... I am taking a small example; it need not happen always, but it is a kind of possibility I am thinking of.
Once the user signs out and just leaves without closing the browser, a friend (suppose not a good friend... just kidding...) of that user may open the same JSP or file. This time the security is breached. If that feature or property exists....
I know what you might say... the user will log out before leaving, where a programmer might invalidate the session at the time of logout.
Consider the case of bad programming, or a programmer might just forget to invalidate; at that time, as an application administrator, how can he solve that issue?
    Thanks.......
    Edited by: user8483670 on Jun 6, 2011 1:08 AM
    Edited by: user8483670 on Jun 6, 2011 1:09 AM

• Cookie with a Secure Flag

In Portal, can we mark the JSESSIONID cookie with a secure flag?
After logging into the Portal, the portal sets a cookie called JSESSIONID to track the user's session. This cookie is not set with the "secure" flag, which means that the cookie could potentially be transmitted via a non-SSL connection.
    Thanks

    Dear net pas,
    Hope you are doing good.
    You have raised a very valid issue.
    Please do have a look at the SAP NOTE: 1144722-Global configuration of session cookies and attributes
    Also:
    Protecting Sessions Security
    http://help.sap.com/saphelp_nw70/helpdata/en/44/691ccdce2a3675e10000000a114a6b/frameset.htm
Here pay special attention to:
cookies named JSESSIONID (in accordance with the Java™ Servlet 2.3 specification) for tracking Web browser sessions.
For this purpose, make sure that the value of the SystemCookiesDataProtection and SystemCookieHTTPProtection properties of the HTTP Provider Service on the server nodes is set to true:
    More info at:
    http://help.sap.com/saphelp_nw70ehp2/Helpdata/EN/44/691ccdce2a3675e10000000a114a6b/content.htm
    Thank you and have a nice day :).
    Kind Regards,
    Hemanth
    SAP AGS

  • How to integrate Java SSO with Oracle Weblogic

    Hi,
I am new to Oracle WebLogic, but I want to do something like below.
I want to use Oracle WebLogic as the application server and want to integrate Java SSO into it. I think we can do it using Oracle Access Manager, but since OAM itself is massive, drop this plan.
I think we can use OC4J Java SSO in Oracle WebLogic, but I don't know whether it is feasible.
Can somebody please guide me to solve this problem.
    Any suggestion or comment is most appreciated.

WebLogic docs (and their identity asserters) - http://one-size-doesnt-fit-all.blogspot.com/2008/12/configuring-wls-with-ms-active.html

  • Create the JSESSIONID cookie with the secure flag

    Hello,
I wonder if it is possible, through UCM or WebLogic configuration, to automatically create the JSESSIONID cookie used when a user is logged on with the secure flag?
I have not found any parameter so far that could allow this.
    Thanks in advance!

We have public websites running on UCM/SiteStudio which are only accessible through SSL by visitors. The aim is that every cookie should be secure, to be sure that they are not transmitted in plain text to our server.
We would thus like to find a way to put the secure flag on JSESSIONID to avoid any case of session hijacking.
Thanks.
Edited by: Leo-G on 17 Jul. 2012 23:57

  • How to integrate Oracle Enterprise Pack for Eclipse with Weblogic Portal

    Hi
    I am following this documentation http://download.oracle.com/docs/cd/E15919_01/wlp.1032/e14252/setup_dev_env.htm#i1013214
to set up my development environment for developing portal applications, but I cannot set it up; my Eclipse does not have the PORTAL perspective.
I have downloaded the Oracle Enterprise Pack for Eclipse 11gR1 (11.1.1.5) and the Oracle WebLogic Portal 10.3 as mentioned in the documentation.
The Oracle WebLogic Portal 10.3 includes a Workshop version of Eclipse, but that is not based on a recent Eclipse; that is why I would like to use the Oracle Enterprise Pack for Eclipse 11gR1 (11.1.1.5).
It is weird in the Oracle Portal 10.3 installation that I cannot install the WebLogic Portal without the Workshop.
Could you help me with this? How can I integrate the Oracle Enterprise Pack for Eclipse with WebLogic Portal?
    Thank you.

    For WebLogic Portal tooling you have a couple of options. For WebLogic Portal 10.3 and older, Workshop for WebLogic will be your tooling environment.
Starting in WebLogic Portal 10.3.2, which released this year, the development tools have migrated to Oracle Enterprise Pack for Eclipse. The WebLogic Portal 10.3.2 installer will install both the runtime and the IDE configured with additional WebLogic Portal Eclipse features (Portal Project Configuration, Perspectives, Palettes, Deployment, etc.).
If you are interested in the latest version, you can download it from the WebLogic Portal OTN page - http://www.oracle.com/technology/products/weblogic/portal/index.html

  • How to integrate a java script date picker with jsf?

Hi, I have a JavaScript date picker which I want to integrate with a text field, that is <jsf:inputtext tag...
I know about onclick... but I am more interested in knowing how the JavaScript will set the date into that input text field... I mean, how will it recognize the field?

Pass the input element as 'this' reference to the JS function? onclick="doSomething(this);" This has not much to do with JSF though.

  • How to integrate Oracle Tutor Desk manual Index with Oracle ApplicationsR12

    Hi,
I have created a desk manual index and related HTML files in Oracle Tutor 14. Can anyone help me in integrating the desk manual index with the Oracle Applications Help?
My questions are:
-> In what top should I upload my files using Help Upload?
-> How do I integrate the desk manual index HTML file with my applications help?
Has anyone done this before? If so, can you please guide me through the process.
    Thanks.
    Edited by: Vyas on Apr 8, 2012 12:52 AM

    Here are some instructions - please let me know if this is what you are looking for.
    Kind Regards,
    Emily
-> In what top should I upload my files using Help Upload?
Create Upload and Download Directories on the Middle Tier.
     The download path must be a location on the machine that hosts the Application Server, i.e. the "middle tier". Directories for the upload (for example, /u01/tutor/upload) and download (for example, /u01/tutor/download) functions must be created on the middle tier.
         ***These directories, as well as any future subdirectories, must have full read/write/execute permissions. The Help Utility will automatically create subdirectories, so the permissions must be set correctly before the Help Utility is used.
         Verify that the HELP_UTIL_DOWNLOAD_DIR directory points to a directory that can be accessed from both the JServ tier and the Concurrent Manager tier.
    From the EBS
    EBS R12 System Administrator > Profile > System > Find System Profile Values
    - Verify Site is checked
    - Verify Profiles with No Values is checked
    - In the profile field, enter %help%
    - Click Find button
Update system profile values with the correct paths. For example:
         Help Utility Download Path > /u01/tutor/download OR /dbfiles/applcsf/outbound
         Help Utility Upload Path > /u01/tutor/upload OR /dbfiles/applcsf/inbound
         Help System Root > FND:LIBRARY
         TCF:Host > http://<hostname.domainname>
         TCF:Port > <port number>
-> How do I integrate the desk manual index HTML file with my applications help?
    Use Help Builder to add the DESK_MANUAL_INDEX to the Help Tree
    To learn all the features about customizing Help Navigation Trees, refer to the Oracle Applications System Administration User Guide.
    EBS R12 System Administration > Help Administration > Help Builder
    When Help Builder first opens it may appear as a tiny screen in the upper left corner, if this happens, maximize the screen. You may also have to resize the screen as you may see the entire screen at first.
    - Enter FND in the Node Application field.
    - Press the Find button on the Find Trees Window.
    This should bring the Trees tab region forward with a list of available trees.
    - Scroll down and find FND | US | Applications Help Library in the Trees tab
    - Select and double click on it.
    This will open the Applications Help Library tree in the left frame
    - Expand the Application Help Library by clicking on the + next to it.
    - Click the New Node icon on the toolbar.
    - Enter the following information in Properties window.
    The next items assume the default Desk Manual Index terminology is used.
    If your organization uses or plans to use different terms, adjust the entries in the various properties field accordingly.
         Prompt: Desk Manual Index
         Description: Desk Manual Index
         Data: @DESK_MANUAL_INDEX
    Or enter the exact Desk Manual Index file name if it is different than the example.
    - Click the View button to verify the link works.
    You may have to experiment with using the @ sign. It may not be required.
         Click the Apply button.
    The Desk Manual Index will now appear as a Node under the Application Help Library. If the name is NOT fully displayed, click on the - (minus) sign to expand it.
    Link does not work
    - Change the information in the Data field.
    - Delete the @ and add .htm extension
    Example: DESK_MANUAL_INDEX.htm
    - Click the View button to verify the link works.
    - Click on the Save icon.

  • How do you allow Unix based ONC  RPC within the security constraints of SGD

On our new boxes running SGD 4.2.91 and up, we notice that our applications that use RPC to communicate no longer work. One of the programs, the arbitrator, runs in its own process space (i.e. not a linked-in library). Therefore, two users will share the same arbitrator (or conversely, only one arbitrator runs per machine). The arbitrator runs without a display (i.e. has no stdout, etc., similar to a daemon). The arbitration process also uses the UNIX kernel resource of shared memory. Here is what I have observed with my testing. The arbitrator routine is successfully registered in the port map (svc_register). This means it does run. But later when svc_run is called, the process is not found (actually the select fails), and ps -ef | grep arbitrator indicates that the arbitrator is not running.

Does SGD put any restrictions/constraints on ONC RPC, i.e. does it attempt to block or authenticate?
What object list_attributes does the application that launches the arbitrator need?
Does the arbitrator need to be in the list of allowed applications for the current user? Can it be put in this list and not have an icon on the desktop (since the user does not manually launch it, and usually is not even aware of it)?
Or, more generally, how does the enumerated allowed list of executables handle a process that exec/forks a new process? I.e. does SGD have to know the forked process name, etc.?

  • How to configure a form based login page with entitlement role

We need to have a login page for our portal app.
When using "form based" authentication, is it possible to map the security on an
"entitlement role"?
Our need is to be able to give direct URL access to some pages of the portal (for
example by sending URLs like "http://server/appcontextpath/appmanager/myportal/mydesktop?_nfpb=true&_pageLabel=mypage")"
by email to portal users) and we need a simple mechanism of authentication before
redirecting to the portal page.
    Inste

    Olivier,
    You can't reference WLP visitor roles in weblogic.xml, but you can
    reference global roles (created using the WLS console):
    <security-role-assignment>
      <role-name>PortalSystemAdministrator</role-name>
      <externally-defined />
    </security-role-assignment>
    -Phil

  • How to integrate Web Dynpro Java 7.1 with EP 7.0?

    Hi,
I have 2 servers: one is EP 7.0 and another is CE 7.1. Is there any way to use Web Dynpro Java deployed in CE 7.1 as an iView in EP 7.0 other than portal federation? We cannot use the portal content producer-consumer concept. Is there any other way to do that?
    Regards,
    Tomas

I have the same task.
I did not understand how and which system you created to resolve the problem?
As well, any reference would be very helpful.
    thanks
    Edited by: Ivan Ivanov on Sep 7, 2009 5:51 PM

  • How to get rid of the ARRAffinity cookie with websites?

In this forum post here it is explained that Azure websites use application and request routing (ARR) to keep a client (browser) always on the same VM instance.
For my website, sticky sessions are fatal for scaling and I need to make 100% sure that all subsequent requests from every client are equally distributed through all VMs. Some clients will make almost no additional requests, but some clients will make a hell of a lot of subsequent requests. Now the round-robin distribution of only the initial request could (and mathematically eventually will) end up in a situation where the heavy load is sticky to a single VM.
Of course I could add some JavaScript to my application to delete the ARRAffinity and the WAWebsiteID cookies set by ARR to make sure the delivered page loses its stickiness. It would be re-added with every subsequent request and I would have to delete it every.single.time.over.and.over.again. This seems to be a non-optimal solution.
It would be better if I could disable this behaviour completely for my website. Is there a way to disable the VM stickiness in Azure Websites through ARR, or do I really have to manually delete the cookies after every single request?
    -- Sebastian P.R. Gingter

You can disable the ARRAffinity cookie by including this in your web.config:
    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <add name="ARR-Disable-Session-Affinity" value="true"/>
        </customHeaders>
      </httpProtocol>
    </system.webServer>

• How to integrate a laser printer into a WLAN with multiple AirPort stations?

    Hello,
I set up a WLAN with multiple AirPort stations in my house like this:
Time Capsule is the main station (placed on the second floor), which creates the WLAN and is connected via Ethernet to the ADSL router of my internet connection provider. Works fine and stable.
Secondly, I placed an AirPort Extreme station on our first floor to extend the WLAN of the main station. Without that second station I had a bad connection on the first floor.
Now I wanted to integrate my laser printer into that WLAN so that every device could use it. The problem is that I cannot place the printer on the second floor where the main station (Time Capsule) is located. Therefore I placed the printer on the first floor next to the second station and connected them via Ethernet. I gave the printer a unique IP (10.0.0.200) which will never be used by another device (I set the DHCP IP range of the Time Capsule from 10.0.1.2 to 10.0.1.200).
But the connection to the printer fails.
So, my question: is it possible to connect an Ethernet laser printer to that network via the second station, or must it always be connected to the main station?

I fixed the problem on my own. Topic can be closed.

  • Forcing specific clients or groups to use forms based authentication (FBA) instead of windows based authentication (WIA) with ADFS

    Hi,
We have a quite specific issue. The problem is most likely by design in ADFS 3.0 (running on Windows Server 2012 R2) and we are trying to find a "work-around".
Most users in the organization are using their own personal computer and everything is fine and working as expected: single sign-on (WIA) internally to Office 365 and forms based (FBA) externally (using Citrix NetScaler as reverse proxy and load balancing with the correct rewrites to add client IP, proxy header and URL transformation).
The problem occurs for a few (50-100) users who are sharing the same computer, automatically logged on to the computer using a generic AD user (the same for all of them). This AD user they are logged on with does not have any access to Office 365, and if they try to access SharePoint Online they receive an error that they can't log in (from SharePoint Online, not ADFS).
We can't change this; they need to have this generic account logged on to these computers. The issue occurs when a user that has access to SharePoint Online tries to access it when logged on with the generic account.
They are not able to "switch" from the generic account in ADFS / SharePoint Online to their personal account.
The only way I've found that may work is removing IE as a WIA-capable agent and deploying a User-Agent version string specific to most users but not the generic account.
My question to you: Is there another way? Maybe when ADFS sees the generic user, it forces forms based authentication or something like that?
    Best regards,
    Simon

I'd go with your original workaround using the user agent and publishing a GPO for your normal users that elects to use a user-agent string associated with Integrated Windows Auth. For the generic accounts, I'd look at using a loopback policy that overwrites that user-agent setting, so that forms logon is preferred for that subset of users. I don't think the NetScaler is useful here in this capacity, as it's a front-end proxy and you need to evaluate the AuthZ rules on the AD FS server after the request has been proxied. The error pages in Windows Server 2012 R2 are canned, as the previous poster mentioned, and difficult to customize (JavaScript only)...
    http://blog.auth360.net

  • How can aol e-mail be hacked into with the security system through Foxfire?

My AOL e-mail was/is being "hacked" when I used someone else's laptop to check my e-mail while I was in Canada. How can this happen if I have "security" through Firefox/Avast? I have finally opened up a new e-mail account with Comcast, but what can I do in the meantime?

It looks like you are using an IMAP mail account, a protocol used by most email providers nowadays. Read -> http://en.wikipedia.org/wiki/Internet_Message_Access_Protocol
The main feature of IMAP is the sync of all the changes you make on your mail account. If you want to keep your mails on one Mac, have a look at this site -> http://kb.mit.edu/confluence/pages/viewpage.action?pageId=3908294
