Implementing authorization using Oracle ADF security

Hi,
We have successfully deployed a JDev (10.1.3) ADF BC application to IAS with the authentication and part of the authorization.
Now we want to use another level of granularity to allow object instance access control based on Java Permissions using JAAS, such as "binding container", "iterator binding", "attribute binding" and "methodAction binding".
We tried to follow the "Oracle Application Development Framework Developer's Guide", chapter 30. Everything went well until we got to 30.7.2--Setting authorization on ADF binding containers, item 3: "The Authorization Editor shows the pre-defined permissions for the binding container, along with the principals (roles and users) as defined by your resource provider". The roles and users we defined in our web.xml or jazn-data.xml do not show up in the authorization editor.
The SRDemoADFBC does not use this technique. Does anybody have any idea how to do this?
Remember Frank said he was working on an end-to-end ADF security application and that it could be ready by the end of this year. Is it ready yet?
Thank you,
Annie

Hi Vinod,
In my post, I present it as a best practice to have a one-to-one mapping of application roles and enterprise roles, though it is not required. If you have 10 application roles you should create 10 enterprise roles, but again this is not required. For testing, you could create only one enterprise role, then make that role a member of all your application roles.
To simplify the case you can do the following steps:
In jazn.xml:
1) Let's say in jazn.xml you have the following 5 application roles:
   - ApplicationRole1
   - ApplicationRole2
   - ApplicationRole3
   - ApplicationRole4
   - ApplicationRole5
2) Still in jazn.xml, create one enterprise role "EnterpriseAdmin".
3) Make "EnterpriseAdmin" a member of the 5 application roles above.
In the WebLogic console:
4) Go to the Users and Groups page of myrealm (Home > Summary of Security Realms > myrealm > Users and Groups).
5) Create a new group named "EnterpriseAdmin" and, instead of the Default Authenticator, set the authenticator to the name of the SQLAuthenticator that you have created.
6) Create a user in the SQLAuthenticator and make it a member of "EnterpriseAdmin".
7) Run your secured application in JDeveloper and log in with the user credentials that you created in step 6.
Regards,
Pino

Similar Messages

  • Use Adf Security In jspx page

    Hi guys,
Currently I am using default ADF security. Is there any way to use the same security on my login jspx page?
    Thanks,
    Raul

Hi user,
I hope that you are looking for
http://www.fireboxtraining.com/blog/2012/02/09/oracle-adf-11g-authentication-using-custom-adf-login-form/
http://docs.oracle.com/cd/E26098_01/web.1112/e16182/adding_security.htm
Please see these if you want a custom login.
Figure 35-3 Using the Configure ADF Security Wizard to Generate a Simple Login Page
There are a lot of YouTube videos; just google it.
This is to Timo:
What do you mean by '...I am using default adf security...'
If I understood correctly: while creating a new Fusion web app and configuring ADF security, HTTP Basic Authentication comes as the default option. He is referring to it that way.
Do you want to secure the login page itself? This doesn't make sense as you need to login to get to the login page.
I hope he is not asking what you mentioned.
From my experience I interpret it like this:
"Currently I am using default adf security."
He is currently using default ADF security (HTTP Basic Authentication).
"Is there any way to use same security on my login jspx page."
He needs to use the same ADF security concept on a custom login page.
Thanks

  • ADF security for authorization

    HI All,
I want to implement ADF security without authentication, i.e. authentication is already done at another parent website.
We get the user credentials and role details. We just want to use the authorization part of ADF security for role-based checks and URL checks.
How can I implement this using ADF security only?
As per my current database structure, I am storing roles and privileges in the database, but not the user credentials.
Currently I am using JDeveloper 11.1.1.4 and WebLogic 10.3.4.

    Hi,
for ADF Security, authentication must be through Java EE authentication (WLS web based authentication). If you need SSO, configure SSO, but you cannot have authorization only.
    Frank

  • [SOLVED] ADF Security: No success with DBTableOraDataSourceLoginModule

    Hi,
Because I have not had any success implementing simple ADF Security in my application for weeks, I am trying again with this post.
Hopefully someone who has already been successful with this issue can give me the hint, the missing step or something else.
I have read many forum posts, blogs and documentation (10.x), but because ADF security has changed from 10g to 11g I am never sure whether a documented 10g step is also necessary for 11g.
I also posted my problem to threads with similar problems, but got no response :-(
I use 11g, TP4.
    My Requirement:
    =============
    - user accounts and roles are stored within database tables
    - roles are not used (every user has the same rights) but stored in the database table
    - Custom Login-Page (jspx)
    - At login ADF Security only needs to check if the entered user/password is stored in the database table (no password encryption is used at the moment)
    Steps I have done:
    ADF Security wizard:
    ================
    Step 1: Enforce Authorization NOT checked (Also tried to CHECK this checkbox)
Redirect upon successful Authentication CHECKED
    generate Default CHECKED
    Step 2: No identity store CHECKED
Step 3: Enable Credential Store CHECKED
    Step 4: No Policy Store CHECKED
    Step 5: Enable Anonymous Provider
    Step 6: Manage Login Modules --> Add "oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule"
    Name = oracledb.loginmodule
    Login Control Flag = Required
    Log Level = fine
    --> Add "oracledb.loginmodule" as the only "Selected login module"
    Step 7: Form-Based Authentication
    Generate default is CHECKED
    Step 8: WebResources: allPages
    Selected Roles: valid-users
    Step 9: FINISH Wizard
    Then I edit jps-config.xml manually. Here the actual content:
    =============================================================
    <serviceInstance provider="jaas.login.provider"
    name="oracledb.loginmodule">
    <property value="true" name="debug"/>
    <property value="REQUIRED" name="jaas.login.controlFlag"/>
    <property value="true" name="addAllRoles"/>
    <property value="oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule"
    name="loginModuleClassName"/>
    <property value="FINE" name="log.level"/>
    <property value="jdbc/TLS-BOBDS" name="data_source_name"/>
    <property value="passwort" name="passwordField"/>
    <property value="rol_rolle" name="groupMembershipGroupFieldName"/>
    <property value="bediener_rollen" name="groupMembershipTableName"/>
    <property value="user_kennung" name="usernameField"/>
    <property value="bediener" name="table"/>
    <property value="persnr" name="user_pk_column"/>
    <property value="bed_persnr" name="roles_fk_column"/>
    <property value="toupper" name="casing"/>
    </serviceInstance>
    ====================================
    Then I start the application. Re-direction to the login-page works fine.
I enter username/password and press submit --> the following error occurs in the OC4J log:
    ===================
WARNING: TLS-BOB-ViewController-webapp: error encountered during authentication
    java.util.MissingResourceException: Can't find resource for bundle oracle.security.jps.internal.common.resources.common.CommonResources, key JPS-02575
         at java.util.ResourceBundle.getObject(ResourceBundle.java:325)
         at java.util.ResourceBundle.getObject(ResourceBundle.java:322)
         at java.util.ResourceBundle.getString(ResourceBundle.java:285)
         at oracle.security.jps.util.JpsBundle.getString(JpsBundle.java:133)
         at oracle.security.jps.internal.idstore.xml.idm.IdmXmlIdentityStore.searchUser(IdmXmlIdentityStore.java:424)
         at oracle.security.jps.internal.idstore.xml.idm.IdmXmlIdentityStore.searchUser(IdmXmlIdentityStore.java:401)
         at oracle.security.jps.internal.idstore.xml.idm.IdmXmlIdentityStore.searchUser(IdmXmlIdentityStore.java:99)
         at oracle.security.jps.fmw.JpsUserManager.getUserFromIdmStore(JpsUserManager.java:1109)
         at oracle.security.jps.fmw.JpsUserManager.getUser(JpsUserManager.java:1022)
         at com.evermind.security.IndirectUserManager.getUser(IndirectUserManager.java:90)
         at com.evermind.security.IndirectUserManager.getUser(IndirectUserManager.java:90)
         at com.evermind.server.http.EvermindHttpServletRequest.getUserPrincipalInternal(EvermindHttpServletRequest.java:3927)
         at com.evermind.server.http.HttpApplication.checkAuthenticationAndAuthorize(HttpApplication.java:6965)
         at com.evermind.server.http.HttpApplication.getRequestDispatcher(HttpApplication.java:3350)
         at com.evermind.server.http.HttpRequestHandler.doResolveRequestDispatcher(HttpRequestHandler.java:1005)
         at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:822)
         at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:658)
         at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:626)
         at com.evermind.server.http.HttpRequestHandler.serveOneRequest(HttpRequestHandler.java:417)
         at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:189)
         at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:163)
         at oracle.oc4j.network.ServerSocketReadHandler$ClientRunnable.run(ServerSocketReadHandler.java:275)
         at oracle.oc4j.network.ServerSocketAcceptHandler.procClientSocket(ServerSocketAcceptHandler.java:237)
         at oracle.oc4j.network.ServerSocketAcceptHandler.access$800(ServerSocketAcceptHandler.java:29)
         at oracle.oc4j.network.ServerSocketAcceptHandler$AcceptHandlerHorse.run(ServerSocketAcceptHandler.java:877)
         at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:650)
         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:675)
         at java.lang.Thread.run(Thread.java:595)
    ==================================================
    My questions:
    =============
    1) Are there additional steps necessary to implement ADF Security for my requirements ?
2) If yes, which? Which files do I have to edit manually after the ADF security wizard has finished?
    Any help is warmly welcome !
    regards
    Peter

    Hello
Many thanks to CP and Andre who gave the missing hints in this thread:
OC4J 11g and JAZN
The property custom.provider mentioned by cp was the "missing link" --> now it works.
    BUT "Nobody knows the trouble I've seen ..." !
    I made dozens of trials with the same application and always similar (strange) results.
When I CHECK "enforce Authorization" in the ADF security wizard, then
the redirection to the login page does NOT work (the reason is unclear to me).
If I UNCHECK "enforce Authorization" in the ADF security wizard, then
the redirection to the login page works fine BUT the redirect upon successful authentication doesn't work.
--> In this case the following code is missing in web.xml:
    =====================
    <servlet>
    <servlet-name>adfAuthentication</servlet-name>
    <servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
    <init-param>
    <param-name>success_url</param-name>
    <param-value>welcome.jsp</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
    </servlet>
    =================================
I think (but am not 100% sure) that SOMETIMES the property "<property value="true" name="custom.provider"/>" has been created by the ADF security wizard.
SOMETIMES I was not able to create the default welcome.jsp with the ADF Security Wizard, ....
Maybe someone can reproduce this behaviour and file a bug.
    regards
    Peter

  • Does ADF security support sub-roles? If not are there plans to support it?

    hi,
I have the following scenario: there are dozens of regions, each region has dozens of facilities, and each facility dozens of offices.
I would like to set up an Office role that has Query permission only, and create a new OfficeUpdate role that has update permissions for this office's data and at the same time inherits permissions from the Office role (e.g. Query permissions), so that if I assign a user to the Office role he will be able to query only, and if I assign him to the OfficeUpdate role he will be able to query and update the office data because the privilege will be inherited from the Office role.
A user can be a member of different offices/facilities/regions. So, in order to simplify user management, I would like to be able to assign a whole role as a member of another role. By doing this I wouldn't have to assign users to different roles all over again (all users assigned to a sub-role would automatically become members of the main role as well), as this is time-consuming.
But it seems that ADF security does not support this. It seems that ADF security can only deal with roles and not sub-roles? Roles and sub-roles are supported by the OC4J container, but it seems that ADF security does not support them.
I would first like to be sure that my observation is correct, and if yes, to find out if there are any plans to support sub-roles in future JDev releases.
And also, if somebody knows, does Acegi or JsfAcegi security support role/sub-role privilege inheritance?

I created a testcase that excludes ADF Security and the same behavior can be reproduced, so the problem doesn't seem to be with ADF Security but with JAZN.
I need to track this issue further, but so far it appears that a member role is not sufficient to authenticate and authorize a container-managed constraint as used by ADF Security for authentication. This could be a problem with the embedded OC4J only, but also a general problem with settings in system-jazn-data.xml. This is what I need to evaluate further.
So for now I can't say that this isn't working in ADF Security, because it's not even getting there.
Frank
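Pino's enterprise-role-to-application-role mapping earlier on this page, and the role-inside-role arrangement this question asks about, worked through as an added example; it is not Oracle's code and not from either post. The script reads a hand-written jazn-data.xml excerpt and resolves which application roles, and which permission grants, a WebLogic user ends up with from the WLS groups it belongs to. The element layout and the principal class names are my assumption of the 11g policy-store format, and the role, target and permission names are invented. The resolver follows app-role-in-app-role membership transitively because that is what the sub-roles scenario needs; Frank's reply above reports that this did not resolve at the JAZN level in his test, so treat that path as the desired semantics, not as something the page shows working.

```python
import xml.etree.ElementTree as ET
from collections import deque

APP_ROLE = "oracle.security.jps.service.policystore.ApplicationRole"
WLS_GROUP = "weblogic.security.principal.WLSGroupImpl"   # assumed class for enterprise roles

# Constructed jazn-data.xml excerpt (assumed 11g policy-store layout, values invented).
# ApplicationRole1/2 list the enterprise role EnterpriseAdmin as member (Pino's step 3);
# ApplicationRole3 lists ApplicationRole2 as member (the sub-role arrangement asked about).
JAZN_DATA = f"""<jazn-data><policy-store><applications><application><name>MyApp</name>
<app-roles>
 <app-role><name>ApplicationRole1</name><class>{APP_ROLE}</class><members>
  <member><class>{WLS_GROUP}</class><name>EnterpriseAdmin</name></member></members></app-role>
 <app-role><name>ApplicationRole2</name><class>{APP_ROLE}</class><members>
  <member><class>{WLS_GROUP}</class><name>EnterpriseAdmin</name></member></members></app-role>
 <app-role><name>ApplicationRole3</name><class>{APP_ROLE}</class><members>
  <member><class>{APP_ROLE}</class><name>ApplicationRole2</name></member></members></app-role>
</app-roles>
<jazn-policy>
 <grant><grantee><principals>
   <principal><class>{APP_ROLE}</class><name>ApplicationRole1</name></principal>
  </principals></grantee><permissions><permission>
   <class>oracle.adf.share.security.authorization.RegionPermission</class>
   <name>view.pageDefs.mainPageDef</name><actions>view</actions>
  </permission></permissions></grant>
 <grant><grantee><principals>
   <principal><class>{APP_ROLE}</class><name>ApplicationRole3</name></principal>
  </principals></grantee><permissions><permission>
   <class>oracle.adf.share.security.authorization.AttributePermission</class>
   <name>AppModuleDataControl.OfficeView1.Budget</name><actions>read,update</actions>
  </permission></permissions></grant>
</jazn-policy>
</application></applications></policy-store></jazn-data>"""


def parse_policy(xml_text):
    """Return (members, grants). members maps app role -> set of (class, name)
    principals listed under <members>; grants is a list of
    ((principal_class, principal_name), (perm_class, target, actions))."""
    app = ET.fromstring(xml_text).find("./policy-store/applications/application")
    members = {}
    for role in app.findall("./app-roles/app-role"):
        members[role.findtext("name")] = {
            (m.findtext("class"), m.findtext("name"))
            for m in role.findall("./members/member")}
    grants = []
    for g in app.findall("./jazn-policy/grant"):
        principals = [(p.findtext("class"), p.findtext("name"))
                      for p in g.findall("./grantee/principals/principal")]
        perms = [(p.findtext("class"), p.findtext("name"), p.findtext("actions") or "")
                 for p in g.findall("./permissions/permission")]
        grants.extend((pr, pe) for pr in principals for pe in perms)
    return members, grants


def effective_app_roles(members, wls_groups):
    """Application roles held by a subject whose WLS groups are wls_groups.
    Breadth-first over membership: a group reaches the roles one hop away
    (Pino's mapping) and, transitively, roles that list those roles as members."""
    held, queue = set(), deque((WLS_GROUP, g) for g in wls_groups)
    while queue:
        principal = queue.popleft()
        for role, mems in members.items():
            if principal in mems and role not in held:
                held.add(role)
                queue.append((APP_ROLE, role))
    return held


def effective_permissions(members, grants, wls_groups):
    """Permission tuples granted to any application role the subject holds."""
    roles = effective_app_roles(members, wls_groups)
    return {perm for (cls, name), perm in grants if cls == APP_ROLE and name in roles}


if __name__ == "__main__":
    members, grants = parse_policy(JAZN_DATA)
    for groups in (["EnterpriseAdmin"], ["Staff"]):
        print(groups, sorted(effective_app_roles(members, groups)),
              sorted(effective_permissions(members, grants, groups)))
```

Run against the embedded excerpt, a user in the EnterpriseAdmin group resolves to all three application roles and both grants, while a user in an unmapped group such as Staff resolves to nothing; that second case is exactly what happens on a standalone server when the enterprise role name in jazn-data.xml does not match an existing WLS group.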

  • ADF security problem

    hi ,
I created a page called "main.jspx" and I used ADF security in JDeveloper 11.1.1.2.0. I deployed my application to a standalone WebLogic. When I typed "http://localhost:7001/test/faces/main.jspx", it redirected to "http://localhost:7001/test/login.html". After typing the correct username and password, it redirected to my main.jspx. That is correct. But now I open this application in JDeveloper 11.1.1.3.0 and redeploy it to a standalone WebLogic. When I type "http://localhost:7001/test/faces/main.jspx", it directly shows the main.jspx page. Why no authentication? I "remove ADF Security Configuration" and "reconfigure ADF Security". It doesn't work. But if I create a new application and use ADF security in JDeveloper 11.1.1.3.0, the new application works well. I need to work with my old application. Can you give me any advice? Thanks!!

    duplicate
    Frank

  • Oracle ADF Security Login page

    hi.
I am using Oracle ADF 11.1.2.2.0 (Oracle JDeveloper 11g Release 2) in my job environment. There are 3000 users working at client level in our company. They have separate user IDs and roles. They can change their passwords. There is an expiration period for passwords, which is handled at the database level. When employees are going to be terminated or retire, we can control their login status; that means we change their Active status to Inactive. Sometimes we recruit a number of employees to cover our business targets. Their user IDs are also at the database table level.
My main problem is how we can handle this number of employees using the Oracle ADF security configuration.
The second one is how users can change their passwords.
The third is how, when a number of employees are going to be terminated, to handle their Active/Inactive state.
The fourth one is that if we use this Oracle security system, project managers, project coordinators or administrator-level authenticators must deploy the war file from time to time, because of adding and removing users in jazn-data.xml.
Hoping for help from you. Thanks to all.

So, you can define a SQLAuthenticator/SQLReadOnlyAuthenticator on WebLogic, which will retrieve users from your db table (instead of the jazn-data file) to the application server.
Then, in your application you can enable ADF Security and this will generate the login page.
And this is it :)
If you need some custom processing before users log in to your app, then you can create a custom login page and do whatever you want in Java code:
http://docs.oracle.com/cd/E16162_01/web.1112/e16182/adding_security.htm#BABDEICH
> But 11g has Database connection in Application Resource. Using that connection I need to log to the system using user's User iD and Password
This connection is valid only at design time. When you deploy your application to the application server, then you can include this connection in the .ear file, or you can define a Data Source on WebLogic (which is the better approach).
To programmatically retrieve a db connection, you can create a utility method in your Application Module.
Dario

  • JDEV 10.1.3.1 "ADF security" questions

    Hi,
We have a couple of questions about ADF security. Hope someone knows something about it. Any help is deeply appreciated. The JDeveloper version we use is 10.1.3.1.
1. Using ADF security to develop the application, can we deploy it to IAS and switch to LDAP (OID), or are we obligated to use system-jazn-data.xml on IAS as well? If we have to use system-jazn-data.xml on IAS, do we need to copy the exact system-jazn-data.xml file to the IAS embeddedoc4j/config directory? Any other configuration we need to do?
2. I read some documents that say it is preferred to use LDAP (OID), and that's what we really want on IAS. So if the answer to question 1 is that we have to use system-jazn-data.xml, does Oracle have any plan to change it in the future? I guess my question is whether it will be possible for us to develop the app using system-jazn-data.xml on the developer's station (for testing purposes) and later convert it to LDAP (OID) when we deploy it on IAS.
    Thanks,
    Annie

    Hi,
    1)
    can we deploy it to the IAS and switch to LDAP (OID)
    yes.
    If we have to use system-jazn-data.xml on IAS, do we need to copy the exact system-jazn-data.xml file to IAS embeddedoc4j/config directory?
No. Only make sure the users and user groups exist, and copy the JAAS permissions added by ADF Security.
2) There exists a migration utility to upload ADF Security permissions from system-jazn-data.xml to OID. It is explained in the OC4J security guide (chapter 7) which comes with Oracle Application Server 10.1.3.1.
    Frank

  • ADF Security set up - step by step tutorial - quick question

    Hi
We have a standalone WLS running and we have configured our ADF app with security enabled in JDeveloper.
It appears that there are manual steps needed to set up users and groups on WLS or EM in order for JDev
1- We're still unclear on what steps are needed on standalone WLS to get embedded LDAP or OID to match up with the users and application roles defined in JDeveloper.
Using the ADF Security wizard, we have added users and application roles.
2- How do we get jazn-data.xml merged or converted to system-jazn-data.xml in standalone WLS? Is that a manual copy/merge?
3- Is there one tutorial that would show and explain all the pieces needed to get ADF security working, beginning from JDev configuration all the way to standalone WLS configuration?
4- Which do we use to configure users and groups, the WebLogic console or Enterprise Manager? It appears that there are 2 ways of doing it.
We apologise for wrong ideas if you think we are wrong in our security configuration.

    Hi,
> 1- we're still unclear on what steps needed to setup on standalone WLS to get embedded LDAP or OID to match up with the users and application roles defined in JDeveloper.
> We, using the ADF Security wizard have added users and application roles.
Only application roles are deployed to a standalone WLS server (as it probably runs in production mode). So the enterprise role names (WLS groups) need to exist on WLS. This can be through manual creation using the integrated LDAP or OID, a database or whatever your identity management system is. If a group name doesn't match the enterprise role name you chose in JDeveloper, you can use weblogic.xml to map the names. This can also be done using Enterprise Manager (which I think is usually preferred for production systems).
> 2- How do we get jazn-data.xml merged or converted to system-jazn-data.xml in standalone WLS ? Is that a manual copy merge ?
For security reasons, production WLS configurations only allow application roles and permissions to be automatically copied into the system-jazn-data.xml file. Users and user groups are not allowed to be copied, as it would carry the risk that a developer deploys a backdoor into a server which can then be used by unauthorized users. As mentioned in 1), you need to provide user groups and users through your identity management system. If this is the LDAP in WLS, then you use the WLS console to create these. Also note that if your application uses a Java EE datasource, this needs to be configured on the standalone server. Same here: credentials cannot be deployed to a standalone server.
> 3- Is there one tutorial that would show and explain all the pieces needed to get ADF security working beginning from JDev configurations all the way to standalone WLS configuration ?
There are 4 recordings about ADF Security here: http://www.oracle.com/technetwork/developer-tools/adf/learnmore/adfinsider-093342.html (just search for ADF Application Security and watch the 4 sessions in a row)
> 4- Which do we use to configure users and groups ? WebLogic console or Enterprise Manager ? It appears that there are 2 ways of doing it
If WLS LDAP is your identity store, you use the WLS console. All of the ADF Security configuration beyond user and group provisioning is in Enterprise Manager.
    Frank

  • JDev11 R.1. ADF Security Authorization

    Hi,
I would like to know if it might be possible to use authentication via the RDBMS authentication provider of WebLogic App Server and ADF Security authorization together in a JDev 11 application. I am reading the documentation and it says: 'ADF Security relies on the jazn-data.xml file for the policy store whether you are using the XML-based identity store or the LDAP identity store.' One could define roles and their access rights in jazn-data.xml and might expect authentication and isUserInRole services to come from the authentication service without defining users (role members) at design time. Is it, or will it be, possible in future?
    Best Regards.

    Hi
I think it is too early and I don't know if they will ever build this (because they also have to support other app servers). Is the RDBMS authentication provider of WebLogic App Server a JAAS implementation?
In TP4 you had a db login module; I don't know if this is supported in 11g production.
    jps-config.xml
    <serviceInstance provider="jaas.login.provider" name="testlogin">
    <description>Sample LoginModule</description>
    <property value="oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule" name="loginModuleClassName"/>
    <property value="REQUIRED" name="jaas.login.controlFlag"/>
    <property value="ovs_user" name="table"/>
    <property value="jdbc/OVSDS" name="data_source_name"/>
    <property value="role_name" name="groupMembershipGroupFieldName"/>
    <property value="password" name="passwordField"/>
    <property value="ovs_user_role_view" name="groupMembershipTableName"/>
    <property value="role_name" name="usernameField"/>
<property value="oracle.security.jazn.login.module.db.util.DBLoginModuleMD5Encoder" name="pw_encoding_class"/>
    </serviceInstance>
    <serviceInstance provider="jaas.login.provider" name="oracledb.loginmodule">
    <property value="true" name="debug"/>
    <property value="true" name="addAllRoles"/>
    <property value="passwd" name="passwordField"/>
    <property value="role_name" name="groupMembershipGroupFieldName"/>
    <property value="jdbc/authschemaDS" name="data_source_name"/>
    <property value="REQUIRED" name="jaas.login.controlFlag"/>
    <property value="application_roles" name="groupMembershipTableName"/>
    <property value="oracle.security.jazn.login.module.db.DBTableOraDataSourceLoginModule" name="loginModuleClassName"/>
    <property value="FINEST" name="log.level"/>
    <property value="username" name="usernameField"/>
    <property value="application_users" name="table"/>
    <property value="username" name="user_pk_column"/>
    <property value="username" name="roles_fk_column"/>
    <property value="tolower" name="casing"/>
    <property value="oracle.security.jazn.login.module.db.util.DBLoginModuleClearTextEncoder" name="pw_encoding_class"/>
    </serviceInstance>
    thanks Edwin
    Edited by: biemond on Oct 19, 2008 10:50 AM
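The DBTableOraDataSourceLoginModule property sets posted in Peter's thread and in Edwin's reply above are only a column mapping; what the module does with them is not shown on this page. As an added example (my code, not Oracle's, and not from either poster), the script below simulates that mapping against an in-memory SQLite database: fold the login name through `casing`, look the row up by `usernameField`, compare the password through the configured `pw_encoding_class`, then collect roles by joining `user_pk_column` to `roles_fk_column` in `groupMembershipTableName`. The query shapes are my reading of the property names, the table contents are constructed, and the two encoder classes are modelled as plain functions.

```python
import hashlib
import hmac
import sqlite3

# The two pw_encoding_class values named in the jps-config.xml fragments above,
# modelled as functions from the typed password to the stored representation.
# The MD5 variant is unsalted: equal passwords give equal digests.
ENCODERS = {
    "oracle.security.jazn.login.module.db.util.DBLoginModuleClearTextEncoder":
        lambda pw: pw,
    "oracle.security.jazn.login.module.db.util.DBLoginModuleMD5Encoder":
        lambda pw: hashlib.md5(pw.encode("utf-8")).hexdigest(),
}

# Property set taken from the oracledb.loginmodule serviceInstance in Edwin's post.
LOGIN_MODULE_PROPS = {
    "table": "application_users",
    "usernameField": "username",
    "passwordField": "passwd",
    "user_pk_column": "username",
    "groupMembershipTableName": "application_roles",
    "groupMembershipGroupFieldName": "role_name",
    "roles_fk_column": "username",
    "casing": "tolower",
    "pw_encoding_class":
        "oracle.security.jazn.login.module.db.util.DBLoginModuleClearTextEncoder",
}


def _ident(name):
    """Table/column names come from the trusted config, but refuse anything that
    is not a bare identifier so a bad config can never turn into SQL."""
    if not name.isidentifier():
        raise ValueError(f"unsafe identifier in login module config: {name!r}")
    return '"' + name + '"'


def apply_casing(value, casing):
    """'tolower' / 'toupper' as in the posted configs; anything else is left as typed."""
    return {"tolower": str.lower, "toupper": str.upper}.get(casing, lambda s: s)(value)


def authenticate(conn, props, username, password):
    """Return the sorted role names on success, None on any failure.
    The two queries are an assumption about what the property names mean."""
    encode = ENCODERS[props["pw_encoding_class"]]
    user = apply_casing(username, props["casing"])
    row = conn.execute(
        f"SELECT {_ident(props['user_pk_column'])}, {_ident(props['passwordField'])} "
        f"FROM {_ident(props['table'])} WHERE {_ident(props['usernameField'])} = ?",
        (user,)).fetchone()
    if row is None:
        return None                       # unknown user: same answer as a bad password
    pk, stored = row
    if not hmac.compare_digest(str(stored).encode("utf-8"), encode(password).encode("utf-8")):
        return None
    rows = conn.execute(
        f"SELECT {_ident(props['groupMembershipGroupFieldName'])} "
        f"FROM {_ident(props['groupMembershipTableName'])} "
        f"WHERE {_ident(props['roles_fk_column'])} = ?", (pk,)).fetchall()
    return sorted(r[0] for r in rows)


def demo_db():
    """Constructed in-memory tables matching LOGIN_MODULE_PROPS (clear-text passwords,
    as the ClearTextEncoder config implies)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE application_users (username TEXT PRIMARY KEY, passwd TEXT)")
    conn.execute("CREATE TABLE application_roles (username TEXT, role_name TEXT)")
    conn.executemany("INSERT INTO application_users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.executemany("INSERT INTO application_roles VALUES (?, ?)",
                     [("alice", "valid-users"), ("alice", "admin"), ("bob", "valid-users")])
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(authenticate(db, LOGIN_MODULE_PROPS, "ALICE", "s3cret"))   # casing folds to alice
    print(authenticate(db, LOGIN_MODULE_PROPS, "alice", "wrong"))
```

Two things the simulation makes visible that the XML does not: `casing` is applied to the typed name before the lookup, so Peter's `toupper` against lower-case rows (or the reverse) fails every login without any error about the password; and the encoder determines what the `passwordField` column must contain, so switching `pw_encoding_class` between the clear-text and MD5 classes without re-encoding the stored values also fails every login. Both encoders on this page store passwords reversibly or as an unsalted digest; a salted, slow hash is the right choice when you control the schema.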

  • Best way Of providing user authentication using ADF security...

    Hi,
I have a web application. I want to implement ADF security in the application. What is the best approach to doing this? I have the user information in database tables along with the roles and other information. I want to use these tables for authorization.
What is the best approach to do this? It would be great if you could help.
I am using 11g Release 2.
Thanks in advance.
    Rakesh

    Hi,
    Thanks for the quick response.
I have been looking at the post, but I found one forum post in which the person was saying that the SQLAuthenticator doesn't work:
    "Be wary when using ADF Security (OPSS) with a SQLAuthenticator.
    This is feedback I got in SR 3-4124753004 :
    "If the you want to use DB as the identity store, then the supported way is to buy OVD server license and configure DB adapter in OVD and then configure an OVD authenticator in Weblogic. SQLAuthenticator will not be used as identity store. And, we do not recommend to use LibOVD for DB identity store. OVD server is the recommended and supported way."
    related bugs are :
    - bug 13876651, "FMW CONTROL SHOULD NOT ALLOW MANAGING USERS GROUPS FROM SQL AUTHENTICATOR"
    - enhancement request 12864498, "OPSS : ADDMEMBERSTOAPPLICATIONROLE : THE SEARCH FOR ROLE FAILED"
    related forum threads are :
    - "ADF Security : identity store : tables in a SQL database"
    - "OPSS : addMembersToApplicationRole : The search for role failed"
    regards
    Jan Vervecken"
    Is this true?
    Rakesh

  • ADF Security Authorization

As it's written in the Oracle Application Development Framework Developer's Guide For Forms/4GL Developers B25947-01, I created the adf-config.xml file like this:
<?xml version="1.0" encoding="windows-1252" ?>
<adf-config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.oracle.com/adf/config ../../../../../bc4jrt/src/oracle/adf/share/config/schema/config.xsd"
xmlns="http://xmlns.oracle.com/adf/config"
xmlns:sec="http://xmlns.oracle.com/adf/security/config">
<sec:adf-config-child xmlns="http://xmlns.oracle.com/adf/security/config">
<JaasSecurityContext
     initialContextFactoryClass="oracle.adf.share.security.JAASInitialContextFactory"
     authorizationEnforce="true"
     jaasProviderClass="oracle.adf.share.security.providers.jazn.JAZNSecurityContext" >
</JaasSecurityContext>
</sec:adf-config-child>
</adf-config>
I assigned permissions to my roles in the Authorization editor on iterators etc., but it did not have any effect.
All roles have full access to iterators!
ADFContext.getCurrent().getSecurityContext().isAuthorizationEnabled() returns false

    Hi,
here's the adf-config file from my working app
    <?xml version="1.0" encoding="windows-1252" ?>
    <adf-config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://xmlns.oracle.com/adf/config ../../../../../bc4jrt/src/oracle/adf/share/config/schema/config.xsd"
    xmlns="http://xmlns.oracle.com/adf/config"
    xmlns:sec="http://xmlns.oracle.com/adf/security/config">
    <sec:adf-config-child xmlns="http://xmlns.oracle.com/adf/security/config">
    <JaasSecurityContext initialContextFactoryClass="oracle.adf.share.security.JAASInitialContextFactory"
    jaasProviderClass="oracle.adf.share.security.providers.jazn.JAZNSecurityContext"
    authorizationEnforce="true"/>
    </sec:adf-config-child>
    </adf-config>
    Note that I don't use debug but run it from JDeveloper and the security settings are enforced. Did you set up the web.xml file - in other words, are you able to authenticate?
    Frank

  • How to use ADF Security policies in OID Ldap

    Hello
My application uses ADF security policies created by the JDeveloper ADF Security Wizard and the page definition Edit Authorization menu. The application runs as expected using the file-based system-jazn-data.xml. I used the JAZNMigrationTool to migrate the XML-based policies to LDAP-based policies. An LDIF file was generated by the tool and then, using the ldapmodify command, the file was uploaded to OID. No errors were generated during this process.
I used Oracle Directory Manager to examine the migration result, and compared the output to that described by
Introduction to ADF Security in JDeveloper 10.1.3.2
An Oracle JDeveloper Article
Written by Frank Nimphius, Oracle Corporation
February, 2007
I was expecting to find Read, Update privileges in orcljaznpermissionaction and the attribute name in orcljaznpermissiontarget, as shown in Fig 15 ADF security entry in OID.
To narrow down the source of the issue, we examined the LDIF file, and there was no reference to these entries. Below is one example entry from the LDIF file:
dn: orclguid=EF37EAA603C611DDBFAE635A1BB60EE0,cn=Permissions,cn=Policy,cn=JAZNContext,cn=Products,cn=OracleContext,dc=realsoft,dc=com
changetype: add
objectclass: orcljaznpermission
objectclass: groupofuniquenames
objectclass: top
cn: EF37EAA603C611DDBFAE635A1BB60EE0
orclGuid: EF37EAA603C611DDBFAE635A1BB60EE0
orcljaznjavaclass: java.security.UnresolvedPermission
orcljaznpermissiontarget: oracle.adf.share.security.authorization.AttributePermission
orcljaznpermissionactions:
uniquemember: orclguid=EF37EAA203C611DDBFAE635A1BB60EE0,cn=Grantees,cn=Policy,cn=JAZNContext,cn=Products,cn=OracleContext,dc=realsoft,dc=com
Note that orcljaznpermissionactions is empty and orcljaznpermissiontarget does not really specify the actual attribute name.
    The system-jazn-data.xml includes all entries correctly.
    rgds

Eureka,
finally solved.
Running the JAZNMigrationTool requires setting the correct classpath.
Setting the classpath to the following
C:\>Set CLASSPATH=d:\jdevstudio10132\j2ee\home\jazn.jar
allows you to run the JAZNMigrationTool successfully; however, you will find that the generated LDIF file does not include the permission actions (Read, Update ...).
If, however, you add adfshare.jar to the classpath
C:\>Set CLASSPATH=d:\jdevstudio10132\j2ee\home\jazn.jar;d:\jdevstudio10132\BC4J\lib\adfshare.jar
then the tool will migrate the permission policies. The following shows an extract from the LDIF file:
    dn: orclguid=A5E662E204D411DDBF8807BC4864C5C2,cn=Permissions,cn=Policy,cn=JAZNContext,cn=Products,cn=OracleContext,dc=realsoft,dc=com
    changetype: add
    objectclass: orcljaznpermission
    objectclass: groupofuniquenames
    objectclass: top
    cn: A5E662E204D411DDBF8807BC4864C5C2
    orclGuid: A5E662E204D411DDBF8807BC4864C5C2
    orcljaznjavaclass: oracle.adf.share.security.authorization.AttributePermission
    orcljaznpermissiontarget: AppModuleDataControl.VRoleAuthorrizationsView1.RanDateTo
    orcljaznpermissionactions: read,update
    uniquemember: orclguid=A5E662E104D411DDBF8807BC4864C5C2,cn=Grantees,cn=Policy,cn=JAZNContext,cn=Products,cn=OracleContext,dc=realsoft,dc=com
    Ammar Sajdi
    www.e-ammar.com/Oracle.html
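A check worth running on the JAZNMigrationTool output before loading it into OID, added here as an example (not code from the post): it parses the LDIF and flags orcljaznpermission entries that still carry java.security.UnresolvedPermission or an empty actions attribute, the two symptoms described above. The sample records are the two entries quoted in the post, trimmed to the attributes the check inspects and with shortened DNs.

```python
SAMPLE_LDIF = """\
dn: orclguid=EF37EAA603C611DDBFAE635A1BB60EE0,cn=Permissions,cn=Policy,cn=JAZNContext
objectclass: orcljaznpermission
cn: EF37EAA603C611DDBFAE635A1BB60EE0
orcljaznjavaclass: java.security.UnresolvedPermission
orcljaznpermissiontarget: oracle.adf.share.security.authorization.AttributePermission
orcljaznpermissionactions:

dn: orclguid=A5E662E204D411DDBF8807BC4864C5C2,cn=Permissions,cn=Policy,cn=JAZNContext
objectclass: orcljaznpermission
cn: A5E662E204D411DDBF8807BC4864C5C2
orcljaznjavaclass: oracle.adf.share.security.authorization.AttributePermission
orcljaznpermissiontarget: AppModuleDataControl.VRoleAuthorrizationsView1.RanDateTo
orcljaznpermissionactions: read,update
"""

def parse_ldif(text):
    """Split LDIF into records of {lower-cased attribute: [values]}; folds continuation lines, does not decode base64 ('::') values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:       # LDIF continuation line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    records, current = [], {}
    for line in unfolded + [""]:                    # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return records

def find_unmigrated(ldif_text):
    """Return (cn, problems) for permission entries OID would store without the class or actions ADF Security evaluates."""
    findings = []
    for rec in parse_ldif(ldif_text):
        if "orcljaznpermission" not in [v.lower() for v in rec.get("objectclass", [])]:
            continue
        first = lambda attr: rec.get(attr, [""])[0]
        problems = []
        if first("orcljaznjavaclass") == "java.security.UnresolvedPermission":
            problems.append("permission class was not on the tool classpath")
        if not first("orcljaznpermissionactions"):
            problems.append("no permission actions migrated")
        if problems:
            findings.append((first("cn"), problems))
    return findings
```

Run find_unmigrated over the full generated LDIF; an empty result means every permission entry resolved its class and kept its actions.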

  • I accessed the page protected by ADF security using direct url access attac

    Hi,
    I played with my application, which is based on the SRDemo code (with added ADF security handling protection of resources), using direct URL access scenarios. I was able to access a protected page as an authenticated but not authorized user. I'll try to explain what I did.
    There are two folders/web resources in my application, faces/folderA/* and faces/folderB/*.
    Only roleA is configured to access the first web resource, and roleB is configured to access the second resource.
    I used ADF security to authorize only roleA for the page in folderA and to authorize only roleB for the page in folderB.
    I configured error pages in web.xml:
    <error-page>
        <error-code>400</error-code>
        <location>faces/error/error400.jspx</location>
    </error-page>
    <error-page>
        <error-code>401</error-code>
        <location>faces/error/error401.jspx</location>
    </error-page>
    <error-page>
        <error-code>403</error-code>
        <location>faces/error/error403.jspx</location>
    </error-page>
    <error-page>
        <error-code>404</error-code>
        <location>faces/error/error404.jspx</location>
    </error-page>
    <error-page>
        <exception-type>java.lang.Throwable</exception-type>
        <location>faces/error/error500.jspx</location>
    </error-page>
    Other config params are:
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>infrastructure/ABLogin.jspx</form-login-page>
            <form-error-page>faces/error/error401.jspx</form-error-page>
        </form-login-config>
    </login-config>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>AB Prototype</web-resource-name>
            <url-pattern>faces/ABAbout.jspx</url-pattern>
            <url-pattern>faces/ABHelp.jspx</url-pattern>
            <url-pattern>faces/ABLogout.jspx</url-pattern>
            <url-pattern>faces/ABWelcome.jspx</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>A</role-name>
            <role-name>B</role-name>
        </auth-constraint>
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>AZone</web-resource-name>
            <url-pattern>faces/folderA/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>A</role-name>
        </auth-constraint>
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>BZone</web-resource-name>
            <url-pattern>faces/folderB/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>B</role-name>
        </auth-constraint>
    </security-constraint>
    <filter>
        <filter-name>adfBindings</filter-name>
        <filter-class>oracle.adf.model.servlet.ADFBindingFilter</filter-class>
        <init-param>
            <param-name>unauthorizedErrorPage</param-name>
            <param-value>faces/error/error401.jspx</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>adfFaces</filter-name>
        <filter-class>oracle.adf.view.faces.webapp.AdfFacesFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>adfBindings</filter-name>
        <url-pattern>*.jsp</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>adfBindings</filter-name>
        <url-pattern>*.jspx</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>adfFaces</filter-name>
        <url-pattern>*.jsp</url-pattern>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>ERROR</dispatcher>
    </filter-mapping>
    <filter-mapping>
        <filter-name>adfFaces</filter-name>
        <url-pattern>*.jspx</url-pattern>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>ERROR</dispatcher>
    </filter-mapping>
    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet>
        <servlet-name>resources</servlet-name>
        <servlet-class>oracle.adf.view.faces.webapp.ResourceServlet</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>adfAuthentication</servlet-name>
        <servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
        <load-on-startup>2</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>/faces/*</url-pattern>
    </servlet-mapping>
    Once I had authenticated as a user in roleA, I tried to directly access URLs accessible only to users in roleB. In the beginning everything worked OK: I was dispatched to the error401.jspx page with the message "Not authorized..." etc.
    But I kept trying to access different URLs, like http://localhost:8988/AB/faces, http://localhost:8988/AB/faces/folderB, http://localhost:8988/AB/faces/folderB/pageB.jspx, http://localhost:8988/AB
    (not necessarily in that order; I played for a couple of minutes and the system would always dispatch to the error401.jspx page on an unauthorized attempt. But all of a sudden, to my surprise, I got the pageB.jspx page while logged in as a user belonging to roleA!)
    Not sure how that happened, but the connectedUser on pageB (#{userInfo.authenticated}) shows that I am logged in as a user whose role is A.
    I checked Authorization in ADF security and it is still correct: pageB is only accessible to roleB and pageA is only accessible to roleA.
    I hope I made some stupid mistake in my configuration?

    Hi,
    ADF Security is JAAS permission based and not container managed. Note that unless you explicitly configured ADF Security you don't use ADF Security but container managed security, which is all that I can see in your configurations.
    Not sure which version of JDeveloper you use, but if you could change the following setting
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>AZone</web-resource-name>
            <url-pattern>faces/folderA/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>A</role-name>
        </auth-constraint>
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>BZone</web-resource-name>
            <url-pattern>faces/folderB/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>B</role-name>
        </auth-constraint>
    </security-constraint>
    to contain jspx file references instead of wildcards like faces/folderB/*, then what you see should no longer be possible. There was a known issue with the security settings in SRDemo that was caused by a defect in OC4J container managed security. I would expect this issue to be fixed in a more recent version of OC4J.
    However, the workaround until then is to protect all JSPX files in a directory explicitly instead of using wildcard matches.
    Frank
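The workaround Frank describes, applied mechanically so that no page in a protected folder is missed, as an added example that is not SRDemo or Oracle code: it rewrites every wildcard url-pattern in a security-constraint into one explicit pattern per JSPX page and refuses to run if a wildcard folder has no page listing. The web.xml fragment and the folder listing are constructed; the sample pattern starts with a slash because the Servlet specification treats only patterns of the form /.../* as path mappings.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment; the pattern starts with '/' because the
# Servlet spec only treats patterns of the form '/.../*' as path mappings.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>BZone</web-resource-name>
      <url-pattern>/faces/folderB/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>B</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed listing of the JSPX pages under each protected folder.
FOLDER_PAGES = {"/faces/folderB/": ["pageB.jspx", "pageB2.jspx"]}


def url_patterns(web_xml):
    """All url-pattern strings inside security-constraints, in document order."""
    root = ET.fromstring(web_xml)
    return [p.text for c in root.iter("security-constraint") for p in c.iter("url-pattern")]


def expand_wildcards(web_xml, folder_pages):
    """Replace every '<folder>/*' url-pattern with one pattern per JSPX page
    in that folder; refuse to continue if a wildcard folder has no listing,
    so no directory is silently left unprotected."""
    root = ET.fromstring(web_xml)
    parents = {child: parent for parent in root.iter() for child in parent}
    for pattern in list(root.iter("url-pattern")):
        text = (pattern.text or "").strip()
        if not text.endswith("/*"):
            continue
        folder = text[:-1]                         # '/faces/folderB/'
        if folder not in folder_pages:
            raise ValueError(f"no page listing for {folder}")
        collection = parents[pattern]
        index = list(collection).index(pattern)
        collection.remove(pattern)
        for offset, page in enumerate(folder_pages[folder]):
            explicit = ET.Element("url-pattern")
            explicit.text = folder + page
            collection.insert(index + offset, explicit)
    return ET.tostring(root, encoding="unicode")
```

Regenerate the listing from the deployed directory whenever pages are added, otherwise a new JSPX file in the folder is not covered by any constraint.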

  • Configuring ADF Security to use LDAP

    Hi All,
    We are building an application which is secured using SSO authentication. We have an LDAP setup for this.
    During development, we wanted to configure LDAP in ADF Security Wizard in Jdeveloper for authentication. I tried the following in ADF Security Wizard in the 10 steps of the wizard:
    1) Configure ADF for Web Application, enforce Authorization
    2) Enable Credential Store
    3) No Policy Store
    4) LDAP Identity Store
    5) Enter LDAP credentials, LDAP URL, user base
    6) No Anonymous Provider
    7) Did not select any login module
    8) Form Based Authentication, generate default
    9) Added pages that need to be secured
    10) Finish
    The login page is rendered whenever I try to access a protected page. But when I enter the LDAP user credentials for login, it does not work. It says "You are not authorized to view this page".
    Is there anything missing in the setup that is causing the issue? Any pointers on this would be helpful.
    Thanks
    Srinidhi.

    Hi,
    note that there is no documentation for configuring ADF Security in JDeveloper 11 with LDAP. In general, ADF Security in JDeveloper 11 is not yet ready for SSO and LDAP testing and is still under development. Note that LDAP authentication - as container managed authentication - is configured in the jps-config.xml file of the deployed application. However, as said, it's not documented and would be just too much at this point to put into a forum answer.
    Frank
