JDEV 10.1.3.1 "ADF security" questions

Hi,
We have a couple of questions about ADF security. Hope someone knows something about it. Any help is deeply appreciated. Jdeveloper version we use is 10.1.3.1.
1. Using the ADF security to develop the application, can we deploy it to the IAS and switch to LDAP (OID) or we are obligated to use system-jazn-data.xml on IAS as well? If we have to use system-jazn-data.xml on IAS, do we need to copy the exact system-jazn-data.xml file to IAS embeddedoc4j/config directory? Any other configurations we need to do?
2. I read some documents that say it is preferred to use LDAP (OID) and that's what we really want on the IAS. So if the answer for question 1 is we have to use system-jazn-data.xml, does Oracle have any plan for the future to change it? I guess my question is: will it be possible for us to develop the app using system-jazn-data.xml on the developer's station (for testing purposes) and later on convert it to LDAP (OID) when we deploy it on IAS?
Thanks,
Annie
Message was edited by:
user447669

Hi,
1)
can we deploy it to the IAS and switch to LDAP (OID)
yes.
If we have to use system-jazn-data.xml on IAS, do we need to copy the exact system-jazn-data.xml file to IAS embeddedoc4j/config directory?
No. Only make sure the users and user group exist and copy the JAAS Permissions added by ADF security.
2) There exists a migration utility to upload ADF Security permissions from system-jazn-data.xml to OID. It is explained in the OC4J security guide (chapter 7) which comes with the Oracle Application Server 10.1.3.1
Frank

Similar Messages

  • Jdev 10.1.3.1 "ADF Security": Application without a custom login page?

    Hi,
    We are trying to develop an application using "ADF security", which means we can give permissions to certain roles based on "Binding Container", "Iterator Binding", "Method Action Binding" and "Attribute-level Binding".
    After reading the document -- "Oracle® Containers for J2EE Security Guide 10g (10.1.3.1.0) B28957-01" that Frank pointed out. We have a question:
    Can we develop an ADF application without creating a custom login page? Right now we've followed the security guide and modified the configuration files. But when we run the application, we get the "user null" error message. The reason is clear because we do not have a login page. On the security guide, it says that it is possible to use the oracle default login module. But it does not say how. Does anyone have any idea?
    Thanks,
    Annie

    Brenden,
    Thank you so much for the reply. This is our code in the web.xml:
    <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>default</realm-name>
    </login-config>
    We are using HTTP basic Authentication. This technique worked for the container-managed security. The browser default login page pops up when the end users try to log into a secured JSP. But here we want to use "ADF security" to set up "Iterator binding" and "Attribute level binding" security. The browser default login page does NOT show up. Instead we get the "user null" error message.
    If you have detailed step on how to select HTTP Basic Authentication, it would be very helpful to us. Or if you know any document has the detail.
    regards,
    Annie

  • ADF Security Customization

    Hi All,
    I have unique requirement of creation of users, roles and policies.
    In my project i need to create users and roles dynamically other than from EM console or Jdeveloper i.e from front end. The data will flow through a BPEL process and the users, roles and policies have to be created.
    How to create these users in "system-jazn.xml" dynamically?
    Weblogic - 11g (11.1.1)
    Please let me know in case of any additional information required..
    Regards
    Surya

    Hi,
    It's not an ADF Security question but OPSS (Oracle Platform Security Services), which is the owner of that file. However, this blog entry shows you how to use the OPSS API to access the Role Manager and User Manager in OPSS to do what you want
    http://fusionsecurity.blogspot.com/2009/07/opss-sample-application.html
    Frank

  • How to define permission in ADF Security programmatically

    Hi
    I try to develop an application in ADF and I need to declare Application-Role, Permission, Principal programmatically and store them in policy store.
    I found an example in chapter 19 of E10043-12 but it just creates Application-Role! I need to know how I can detect my TaskFlow, PageDefinition and other resources of my application at runtime to protect them after deployment through a custom security console. In other words, I try to find a way in which I store my pageDef or TaskFlow name in the database or detect them programmatically at runtime and grant permission to my users or enterprise role for access/denied to my application pages, TaskFlow and also if possible entities and their attributes.
    [link to chapter 19 of E10043-12|http://docs.oracle.com/cd/E23943_01/core.1111/e10043/intregrating.htm#BABECICC]
    Thank you so much

    Hi,
    you can configure WLS to use the database as the policy store, which then means that you write permissions to the database infrastructure. However, you should be able to update the default file based policy store or OID based store as well
    For database OPSS store See: http://docs.oracle.com/cd/E15586_01/core.1111/e10043/cfgauthr.htm#CHDHAIBJ
    I am not sure if OPSS supports direct updates to the policy tables. Here's a blog post of how to update policies with WLST scripts: http://enterprisesecurityinjava.blogspot.de/2010/03/ok-more-details-here.html
    Bottom line is that this is less a ADF Security question than a general WLS/OPSS question of how to administer policies using a custom interface. For this you can use WLS MBeans and WLST script, which is my understanding.
    Frank

  • GOTCHA's with Setting up ADF Security with JDev 11.1.1.6.0

    If you're getting into ADF security, you're probably going to want to get rid of that ugly default login.html page. I mean, it gets the job done, but we want something a little better. And if you want something a little better and you're using JDev 11.1.1.6.0, it behooves you to read this post!
    First off, get acquainted with these four posts. All good stuff. They'll walk you through the 1st half of what you need to know. Y'know, the non-Gotcha half.
    http://one-size-doesnt-fit-all.blogspot.com/2010/07/adf-security-revisited-again-again.html
    http://myadfnotebook.blogspot.com/2011/11/adf-security-basics.html
    http://andrejusb.blogspot.com/2010/11/things-you-must-know-about-adf-faces.html
    http://java2go.blogspot.com/2010/12/creating-centered-page-layout-using-adf.html
    Are you getting either of the following errors?
    <CodebasePolicyHandler> <migrateDeploymentPolicies> Migration of codebase policy failed. Reason: {0}.
    oracle.security.jps.JpsException: java.lang.IllegalArgumentException: oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl
    Error 500--Internal Server Error
    java.lang.RuntimeException: Cannot find FacesContext
    I'll show you where they're coming from. Follow along.
    1) Create a new application.
    2) Create three .jspx pages called login, error, and welcome.
    3) Generate PageDef files for them by right-clicking on the file and selecting "Go To PageDefinition". You'll want these so that you may apply security against them.
    4) Right-Click on your Application and select Secure->Configure ADF Security
    5) ADF Authentication and Authorization -> Form Based Authentication (Use the search symbol to select your created login and error pages. Should be something like "/faces/login.jspx") -> No Automatic Grants -> Finish
    Right-Click your welcome.jspx and select run. You'll get this error before your web page opens up in your browser and then proceeds to wig out.
    <CodebasePolicyHandler> <migrateDeploymentPolicies> Migration of codebase policy failed. Reason: {0}.
    oracle.security.jps.JpsException: java.lang.IllegalArgumentException: oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl
    That just won't do. Let's fix it, shall we?
    6) Open your newly JDev created jazn-data.xml file. It's located in the Application Resources panel (usually located by Data Controls and your Projects expandable panels)
    7) Resource Grants -> Resource Type (Web Page dropdown) -> error page should have a key symbol by it. Delete the anonymous role in the "Granted To" column. Now click the green button to add an Application Role. Huh, there's TWO of them? How bout that? Looks like we're going to have to delete some XML code!
    8) Click the Source tab on the bottom of the page to open up the XML View. You'll see the following piece of erroneous code. Erroneous, I say!
      <policy-store>
        <applications>
          <application>
            <name>SecurityError</name>
            <app-roles>
              // Hello, I'm the app role that has sucked away two hours of your life that you can never, ever get back
              <app-role>
                <name>anonymous-role</name>
                <class>oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl</class>
                <display-name>anonymous-role</display-name>
              </app-role>
             // Whew, the end of that app role
            </app-roles>
            <jazn-policy>
              <grant>
    9) You're going to want to delete that app role XML
    10) Go back into your jazn-data.xml file and create some users. For example, bob and jane. Create an Enterprise role called "admin". Put bob and jane as members into this Enterprise role. Create an Application role called managers. Map managers to your Enterprise role admin.
    11) Go back to the Resource Grants tab -> Resource Type (Web Page) and delete any "Granted To" authorizations that may be assigned to any of the pages. Assign a "Granted To" application role of "anonymous-role" to the error and login pages. Assign "managers" to welcome.
    12) Run your welcome page. Yay, the error is gone. How sweet it is.
    Now you want to refactor/move your login and error page somewhere else? Great, just right-click and select Refactor. Refactor to some place like /public_html/jspx/<your login page>.jspx. Re-run your welcome page.
    // You fool!
    Error 404--Not Found
    From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
    10.4.5 404 Not Found
    That's not so good. Let's fix that.
    1) Open up web.xml. It's located at ViewController/WEB-INF/web.xml.
    2) Click the security tab and you'll see Form-Based Authentication with a login page and error page. Click that Search glass and locate your new file. Do the same for the error page. You should see something like "/jspx/login.jspx" come back.
    3) Re-run your welcome page.
    // Suckered AGAIN!
    Error 500--Internal Server Error
    java.lang.RuntimeException: Cannot find FacesContext
    This is a tricky one. The search icon brings back a faulty address. Since we're using a .jspx page, it needs to be "/faces/jspx/login.jspx". Repeat for the error page. Re-run your welcome.jspx.
    Ahh!! Now THAT's how we do it in Kingsport!
    Finally, a custom .jspx login works. Now what are you doing here? Shouldn't you be playing some Diablo 3?
    Will
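
The two configuration problems described in the post above can be checked before a run. This is an added example, not code from the original post or from Oracle; the sample XML is constructed to mirror the excerpts in the post, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

ANON_CLASS = "oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl"

# Constructed jazn-data.xml: one stray anonymous-role definition under
# <app-roles>, plus a legitimate grant *to* anonymous-role that must not be flagged.
JAZN_SAMPLE = """<jazn-data>
 <policy-store><applications><application>
  <name>SecurityError</name>
  <app-roles>
   <app-role>
    <name>anonymous-role</name>
    <class>oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl</class>
   </app-role>
   <app-role>
    <name>managers</name>
    <class>oracle.security.jps.service.policystore.ApplicationRole</class>
   </app-role>
  </app-roles>
  <jazn-policy><grant><grantee><principals><principal>
   <class>oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl</class>
   <name>anonymous-role</name>
  </principal></principals></grantee></grant></jazn-policy>
 </application></applications></policy-store>
</jazn-data>"""

# Constructed web.xml: login page lost its /faces prefix, error page kept it.
WEB_SAMPLE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
 <servlet>
  <servlet-name>Faces Servlet</servlet-name>
  <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
 </servlet>
 <servlet-mapping>
  <servlet-name>Faces Servlet</servlet-name>
  <url-pattern>/faces/*</url-pattern>
 </servlet-mapping>
 <login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
   <form-login-page>/jspx/login.jspx</form-login-page>
   <form-error-page>/faces/jspx/error.jspx</form-error-page>
  </form-login-config>
 </login-config>
</web-app>"""


def _parse(xml_text):
    """Parse XML and drop namespaces so both files can be searched by plain tag."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def find_anonymous_app_roles(jazn_xml):
    """Return (application, role) for app-role definitions using the anonymous class."""
    hits = []
    for app in _parse(jazn_xml).iter("application"):
        app_name = app.findtext("name", "").strip()
        for role in app.iter("app-role"):  # definitions only, not grant principals
            if role.findtext("class", "").strip() == ANON_CLASS:
                hits.append((app_name, role.findtext("name", "").strip()))
    return hits


def _faces_prefixes(root):
    """URL prefixes (e.g. '/faces/') that are routed to the Faces servlet."""
    names = {s.findtext("servlet-name", "").strip() for s in root.iter("servlet")
             if s.findtext("servlet-class", "").strip() == "javax.faces.webapp.FacesServlet"}
    prefixes = []
    for m in root.iter("servlet-mapping"):
        pattern = m.findtext("url-pattern", "").strip()
        if m.findtext("servlet-name", "").strip() in names and pattern.endswith("/*"):
            prefixes.append(pattern[:-1])
    return prefixes


def find_unrouted_form_pages(web_xml):
    """Return (element, path, suggested path) for .jspx login/error pages
    that would bypass the Faces servlet."""
    root = _parse(web_xml)
    prefixes = _faces_prefixes(root)
    problems = []
    for cfg in root.iter("form-login-config"):
        for tag in ("form-login-page", "form-error-page"):
            page = cfg.findtext(tag, "").strip()
            if page.endswith(".jspx") and not any(page.startswith(p) for p in prefixes):
                fix = prefixes[0].rstrip("/") + page if prefixes else None
                problems.append((tag, page, fix))
    return problems


if __name__ == "__main__":
    for app, role in find_anonymous_app_roles(JAZN_SAMPLE):
        print(f"{app}: remove app-role definition '{role}' ({ANON_CLASS})")
    for tag, page, fix in find_unrouted_form_pages(WEB_SAMPLE):
        print(f"web.xml <{tag}> {page} is not served by Faces; try {fix}")
```
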

    Ha :-)
    Point being good summaries like yours tend to get lost on the forums because of the volume of posts. With a blog people have the chance to subscribe to your posts so it's just a better vehicle all round for posting content to help others.
    I highly recommend writing blogs even if it's for scratch notes, because you'll learn a lot in structuring your thoughts. It's also a really good way to get noticed in the community because bloggers stand out.
    But your call, no pressure of course ;-)
    CM.

  • ADF Security -- permissions dont work as documented in Jdev Article

    Hello
    I read the article Introduction to ADF Security in Jdev 10.1.3.2, Feb 2007. I followed the steps and authentication worked fine. However, authorization did not work until I defined permission at all levels, starting with PageDef itself down to Iterator, until the attribute level. The documentation does not state that the attribute level is also required. An extract is
    "The application developer defines authorization declaratively for iterator bindings, action bindings, and method bindings defined in the ADF page definition (pageDef.xml) file and, alternatively, for the entire page definition itself"
    I found the document more appealing as I don't believe that it feels right to visit each and every attribute for each iterator in the application when I want all the attributes to inherit their permission from the iterator (Select and Update). If I don't do that, the page appears but no rows are shown (except the total no of row indicator, which is probably working due to the iterator Read Permission)
    I read in other posts that the attributes need to be handled, is there multiselect option, that i can use to do group attribute permission setting
    rgds
    Ammar Sajdi
    REALSOFT
    Amman - Jordan

    Hi,
    you are correct that attribute bindings too need to be authorized. In 10.1.3 ADF Security is an all or nothing approach, which means that you either have authorization or you don't.
    This is an administration overhead that we eliminate for JDeveloper 11. In JDeveloper 11 we treat all bindings as publicly accessible unless there is a permission defined for it. This makes security administration easier.
    Frank

  • ADF Security set up - step by step tutorial - quick question

    Hi
    We have standalone WLS running and we have configured our ADF app security enabled in JDeveloper.
    It appears that there are manual steps needed to setup on WLS or EM for users and groups in order for JDev
    1- we're still unclear on what steps needed to setup on standalone WLS to get embedded LDAP or OID to match up with the users and application roles defined in JDeveloper.
    We, using the ADF Security wizard have added users and application roles.
    2- How do we get jazn-data.xml merged or converted to system-jazn-data.xml in standalone WLS ? Is that a manual copy merge ?
    3- Is there one tutorial that would show and explain all the pieces needed to get ADF security working beginning from JDev configurations all the way to standalone WLS configuration ?
    4- Which do we use to configure users and groups ? WebLogic console or Enterprise Manager ? It appears that there are 2 ways of doing it
    We apologise for wrong ideas if you think we are wrong in security configurations.

    Hi,
    +1- we're still unclear on what steps needed to setup on standalone WLS to get embedded LDAP or OID to match up with the users and application roles defined in JDeveloper.+
    We, using the ADF Security wizard have added users and application roles.
    Only application roles are deployed to a stand alone WLS server (as it probably runs in production mode). So the enterprise role names (WLS groups) need to exist on WLS. This can be through manual creation using the integrated LDAP or OID, database or whatever your identity management system is. If a group name doesn't match the enterprise role name you chose in JDeveloper, you can use weblogic.xml to map the names. This can also be done using Enterprise Manager (which I think usually is preferred for production systems)
    +2- How do we get jazn-data.xml merged or converted to system-jazn-data.xml in standalone WLS ? Is that a manual copy merge ?+
    For security reasons, production WLS configurations only allow application roles and permissions to be automatically copied into the system-jazn-data.xml file. Users and user groups are not allowed to be copied as there would be a risk that developers deploy a backdoor into a server which then can be used by unauthorized users. As mentioned in 1), you need to provide user groups and users through your identity management system. If this is LDAP in WLS then you use the WLS console to create these. Also note that if your application uses a Java EE datasource, this needs to be configured on the stand alone server. Same here, credentials cannot be deployed to a stand alone server
    +3- Is there one tutorial that would show and explain all the pieces needed to get ADF security working beginning from JDev configurations all the way to standalone WLS configuration ?+
    There are 4 recordings about ADF Security here: http://www.oracle.com/technetwork/developer-tools/adf/learnmore/adfinsider-093342.html (just search for ADF Application Security and watch the 4 sessions in a row)
    +4- Which do we use to configure users and groups ? WebLogic console or Enterprise Manager ? It appears that there are 2 ways of doing it+
    If WLS LDAP is your identity store, you use the WLS console. All of ADF Security configuration beyond user and group provisioning is in Enterprise Manager
    Frank
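
Because only application roles and permissions reach a production server, it helps to list what the server must already provide before deploying. This is an added example, not part of the original reply or Oracle tooling; the jazn-data.xml layout and all names in the sample are constructed, and members are classified by matching their names against the file's own realm section, which is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed jazn-data.xml with test users, enterprise roles and one app role.
JAZN_SAMPLE = """<jazn-data>
 <jazn-realm default="jazn.com">
  <realm>
   <name>jazn.com</name>
   <users>
    <user><name>bob</name><credentials>constructed-placeholder</credentials></user>
    <user><name>jane</name><credentials>constructed-placeholder</credentials></user>
   </users>
   <roles>
    <role><name>admin</name>
     <members><member><type>user</type><name>bob</name></member></members>
    </role>
    <role><name>auditors</name></role>
   </roles>
  </realm>
 </jazn-realm>
 <policy-store><applications><application>
  <name>DemoApp</name>
  <app-roles>
   <app-role><name>managers</name>
    <members>
     <member>
      <class>oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl</class>
      <name>admin</name>
     </member>
     <member>
      <class>oracle.security.jps.internal.core.principals.JpsXmlUserImpl</class>
      <name>jane</name>
     </member>
    </members>
   </app-role>
  </app-roles>
 </application></applications></policy-store>
</jazn-data>"""


def _names(parent, path):
    """Collect the stripped text of every element matched by path."""
    return {(n.text or "").strip() for n in parent.findall(path)}


def deployment_report(jazn_xml, server_groups, server_users):
    """Compare what the app roles reference with what the target server has.

    server_groups / server_users: names already provisioned in the server's
    identity store (for example exported by an administrator).
    """
    root = ET.fromstring(jazn_xml)
    realm_users = _names(root, "./jazn-realm/realm/users/user/name")
    realm_roles = _names(root, "./jazn-realm/realm/roles/role/name")

    app_roles, need_groups, need_users = [], set(), set()
    for app in root.findall("./policy-store/applications/application"):
        for role in app.findall("./app-roles/app-role"):
            app_roles.append(role.findtext("name", "").strip())
            for member in _names(role, "./members/member/name"):
                if member in realm_roles:      # enterprise role -> server group
                    need_groups.add(member)
                elif member in realm_users:    # user granted the role directly
                    need_users.add(member)

    return {
        "app_roles": sorted(app_roles),                      # these are deployed
        "missing_groups": sorted(need_groups - set(server_groups)),
        "missing_users": sorted(need_users - set(server_users)),
        "dev_only_users": sorted(realm_users),               # never copied to production
    }


if __name__ == "__main__":
    report = deployment_report(JAZN_SAMPLE,
                               server_groups={"Administrators", "auditors"},
                               server_users={"weblogic"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

A group listed under `missing_groups` either has to be created in the identity store or mapped to an existing name, as the reply describes.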

  • [JDev TP3] : About ADF Security ?

    I tried to develop application that manage several (assignment/task/project) and using ADF security that configure users and roles from database BUT I have for every task same types of roles. For example:
    i have
    task A ,task B,task C,.....
    for every task i have roles Manager,Technician,User
    note: the task created from application when i need.
    I know the users for every task from DB users table when I create a task, and I know their roles, but how to configure the task in ADF security to determine that this user (whatever role) is for this task?
    can i do like this by ADF Security?

    Hi,
    ADF Security operates on the class level, not the data level. A task is an instance of an Entity (which most likely is task). Now the task might be exposed in a table. On this table ADF Security allows you to set Create, Edit, View, etc. privileges based on a role you are in. This however. So if there is a manager role then this manager can perform the operations on the iterator or action.
    If a task assigns the manager role to a user just for this task, then ADF Security is not fine grained enough. In this case you need to expose a model (e.g. on the task table) that allows to use EL to get the task and the associated roles/role-holder to then implement the security with EL. Note that JAAS does not have instance specific authorization by design
    Frank

  • ADF Security Design Question

    Hi All,
    I am developing an ADF web application. The security design is such that user authentication is mapped to database users. The design I see several pros and cons
    1) Different database users means I cannot take advantage of connection pooling.
    2) The architect argues SQL querying can be controlled at database level for each user.
    I have never been involved in such a web application. Can anybody please guide me if this is the way to go for ADF web application, any other pros and cons. The database is Oracle 11g. I still believe that application security should not be tied to the database security.
    Worst case if I have to go with this design, How to implement ADF security using database users.
    Thanks

    I blogged a use case for using Proxy Authentication with JPA here http://blogs.oracle.com/olaf/2010/04/using_oracle_proxy_authenticat.html. (Being a sample it includes a setter for user name, but a case with a JAAS Subject and Principal is easily adaptable).
    I'll dig out an ADF BC example and blog about it, too.
    --olaf

  • Adf security with upper case user results in 500-internal server error

    Hello
    JDev 11.1.1.0.2, Integrated WLS
    I've set up ADF security as explained in the documentation.
    The only difference being that the role test-all has been removed.
    I have one user 'paul' with a password of 'password'
    I have one application role 'myrole'
    'paul' is a member of 'myrole'
    I have one unbounded task flow with one view (view1).
    Via the jazn-data.xml 'View1' has been granted to 'myrole' (view action)
    When running View1 I get the login.html page which is correct.
    The fun starts when playing around with the user/password.
    If I login with 'paul' and 'password' view1 is displayed, this is correct
    If I login with an unknown user or an incorrect password Windows Explorer 7 shows a generic HTTP 403 error page and not the error.html
    If I login with 'PAUL' and 'password' (or Paul, or any mixed cased version of Paul with the correct password) I get the following stack trace :
    oracle.adf.controller.security.AuthorizationException: ADFC-0619: Echec de la vérification des autorisations : '/view1.jspx' 'VIEW'.
         at oracle.adf.controller.internal.security.AuthorizationEnforcer.handleFailure(AuthorizationEnforcer.java:145)
         at oracle.adf.controller.internal.security.AuthorizationEnforcer.checkPermission(AuthorizationEnforcer.java:124)
         at oracle.adfinternal.controller.state.ControllerState.initializeUrl(ControllerState.java:639)
         at oracle.adfinternal.controller.state.ControllerState.synchronizeStatePart2(ControllerState.java:449)
         at oracle.adfinternal.controller.application.SyncNavigationStateListener.afterPhase(SyncNavigationStateListener.java:44)
         at oracle.adfinternal.controller.lifecycle.ADFLifecycleImpl$PagePhaseListenerWrapper.afterPhase(ADFLifecycleImpl.java:529)
         at oracle.adfinternal.controller.lifecycle.LifecycleImpl.internalDispatchAfterEvent(LifecycleImpl.java:118)
         at oracle.adfinternal.controller.lifecycle.LifecycleImpl.dispatchAfterPagePhaseEvent(LifecycleImpl.java:166)
         at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener$PhaseInvokerImpl.dispatchAfterPagePhaseEvent(ADFPhaseListener.java:122)
         at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener.afterPhase(ADFPhaseListener.java:68)
         at oracle.adfinternal.controller.faces.lifecycle.ADFLifecyclePhaseListener.afterPhase(ADFLifecyclePhaseListener.java:51)
         at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:354)
         at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:175)
         at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265)
         at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
         at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
         at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
         at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:181)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
         at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:85)
         at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:279)
         at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._invokeDoFilter(TrinidadFilterImpl.java:239)
         at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:196)
         at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:139)
         at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
         at oracle.security.jps.wls.JpsWlsFilter$1.run(JpsWlsFilter.java:85)
         at java.security.AccessController.doPrivileged(Native Method)
         at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:257)
         at oracle.security.jps.wls.JpsWlsSubjectResolver.runJaasMode(JpsWlsSubjectResolver.java:250)
         at oracle.security.jps.wls.JpsWlsFilter.doFilter(JpsWlsFilter.java:100)
         at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:65)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
         at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3496)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
         at weblogic.security.service.SecurityManager.runAs(Unknown Source)
         at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2180)
         at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2086)
         at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1406)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    The questions are :
    - Why do I get the generic HTTP 403 error instead of the error.html (its not the end of the world but I would like to understand) ?
    - Why do I get the error 500 if the case of the username is incorrect but the password is correct ?
    Best Regards
    Paul

    Nope nothing in there that looks out of place...
    Here's the contents of the web.xml file ..
    <?xml version = '1.0' encoding = 'windows-1252'?>
    <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
    <description>Empty web.xml file for Web Application</description>
    <context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
    </context-param>
    <context-param>
    <description>If this parameter is true, there will be an automatic check of the modification date of your JSPs, and saved state will be discarded when JSP's change. It will also automatically check if your skinning css files have changed without you having to restart the server. This makes development easier, but adds overhead. For this reason this parameter should be set to false when your application is deployed.</description>
    <param-name>org.apache.myfaces.trinidad.CHECK_FILE_MODIFICATION</param-name>
    <param-value>false</param-value>
    </context-param>
    <context-param>
    <description>Whether the 'Generated by...' comment at the bottom of ADF Faces HTML pages should contain version number information.</description>
    <param-name>oracle.adf.view.rich.versionString.HIDDEN</param-name>
    <param-value>false</param-value>
    </context-param>
    <filter>
    <filter-name>JpsFilter</filter-name>
    <filter-class>oracle.security.jps.ee.http.JpsFilter</filter-class>
    <init-param>
    <param-name>enable.anonymous</param-name>
    <param-value>true</param-value>
    </init-param>
    <init-param>
    <param-name>remove.anonymous.role</param-name>
    <param-value>false</param-value>
    </init-param>
    <init-param>
    <param-name>addAllRoles</param-name>
    <param-value>true</param-value>
    </init-param>
    <init-param>
    <param-name>jaas.mode</param-name>
    <param-value>doasprivileged</param-value>
    </init-param>
    </filter>
    <filter>
    <filter-name>trinidad</filter-name>
    <filter-class>org.apache.myfaces.trinidad.webapp.TrinidadFilter</filter-class>
    </filter>
    <filter>
    <filter-name>adfBindings</filter-name>
    <filter-class>oracle.adf.model.servlet.ADFBindingFilter</filter-class>
    </filter>
    <filter-mapping>
    <filter-name>JpsFilter</filter-name>
    <servlet-name>Faces Servlet</servlet-name>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
    </filter-mapping>
    <filter-mapping>
    <filter-name>trinidad</filter-name>
    <servlet-name>Faces Servlet</servlet-name>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
    <filter-mapping>
    <filter-name>adfBindings</filter-name>
    <servlet-name>Faces Servlet</servlet-name>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
    <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet>
    <servlet-name>resources</servlet-name>
    <servlet-class>org.apache.myfaces.trinidad.webapp.ResourceServlet</servlet-class>
    </servlet>
    <servlet>
    <servlet-name>adfAuthentication</servlet-name>
    <servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>/faces/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
    <servlet-name>resources</servlet-name>
    <url-pattern>/adf/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
    <servlet-name>resources</servlet-name>
    <url-pattern>/afr/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
    <servlet-name>adfAuthentication</servlet-name>
    <url-pattern>/adfAuthentication/*</url-pattern>
    </servlet-mapping>
    <session-config>
    <session-timeout>35</session-timeout>
    </session-config>
    <mime-mapping>
    <extension>html</extension>
    <mime-type>text/html</mime-type>
    </mime-mapping>
    <mime-mapping>
    <extension>txt</extension>
    <mime-type>text/plain</mime-type>
    </mime-mapping>
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>adfAuthentication</web-resource-name>
    <url-pattern>/adfAuthentication</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>valid-users</role-name>
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/error.html</form-error-page>
    </form-login-config>
    </login-config>
    <security-role>
    <role-name>valid-users</role-name>
    </security-role>
    </web-app>
    Regards
    Paul

  • Process of login with ADF security

    Hi,
    I was looking at how to implement the process of Login with the ADF security using JDev 11g and I feel very good...
    My question is if it is possible to use this tool in case of use a container as Tomcat 6.x or JBoss. If it is possible to use ADF security for these containers, what should be configured to work?

    Hi,
    ok, I'd like to use authorization with ADF security, but as you say it is not possible in Tomcat. well, but could implement it, if there must be 3 users with different roles of the little system that I want to develop. Any idea?. There maybe a small example with user roles to use without authorization of ADF security?.

  • Web Center app with ADF Security - login problem

    I have a custom Oracle Web Center app.
    I have a page.html with an embedded login form posting to j_security_check. I've configured the ADF security policies to redirect to a JSPX on successful login.
    When I try the correct username/password, I get redirected not to the page I defined in ADF, but to the root page http://127.0.0.1:7101/MyApp-ViewController-context-root/
    and I get
    Error 403--Forbidden
    I've checked the weblogic.xml as per http://andrejusb.blogspot.com/2009/12/solving-error-403-forbidden-in-adf.html, all the required entries are there.
    This works fine if I use a Login link with
    destination="#{'/adfAuthentication?login=true&amp;end_url=/faces/postLogin.jspx'} "
    which redirects to the default login.html and then to the right page. I've copied the form from the default login.html into my master HTML page.
    Hope my question is clear. Any suggestions why it is going to the wrong URL after login?
    Is there anything specific I should see in the jazn-data.xml or web.xml regarding the post-login URL, since I can't see that in either?
    P.S. Have been advised to try here when I originally asked this in the WebCenter forum. Web Center app ADF Security - login problem
    Edited by: new_to_webcenter on 18-Jan-2011 05:25

    Thanks for your response Frank.
    The web.xml has
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>adfAuthentication</web-resource-name>
    <url-pattern>/adfAuthentication</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>valid-users</role-name>
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/error.html</form-error-page>
    </form-login-config>
    </login-config>
    When configuring ADF Security via JDev, I chose "Redirect upon successful authentication" to the Welcome Page
    "/faces/postLogin.jspx"
    this then adds into web.xml
    <servlet>
    <servlet-name>adfAuthentication</servlet-name>
    <servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
    <init-param>
    <param-name>success_url</param-name>
    <param-value>/faces/postLogin.jspx</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
    </servlet>
    So the sequence which works is:
    Login via the '/adfAuthentication?login=true&end_url=/faces/postLogin.jspx' and this redirects to login.html (OOTB form which posts to j_security_check) and then to the postLogin.jspx
    I'm trying to do away with a Login link, and trying the simple login form embedded in my page along with other content.
    So should the form be posting to j_security_check directly or to the adfAuthentication?
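The web.xml quoted in the post above constrains only `/adfAuthentication`, and the container starts FORM login when an unauthenticated request hits a constrained path. The sketch below is an added example, not part of the original posts or of Oracle's code: it applies servlet url-pattern matching to a constructed copy of that fragment to show which request paths lead to `login.html`. The helper names `match_rank`, `required_roles` and `login_page_for` are hypothetical, and the sketch ignores `http-method` and empty or missing `auth-constraint` elements.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint and login-config quoted in the post, in a
# bare <web-app> root (a real web.xml usually declares an XML namespace).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/adfAuthentication</url-pattern></web-resource-collection>
    <auth-constraint><role-name>valid-users</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/error.html</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

def match_rank(pattern, path):
    """Rank a servlet url-pattern match (higher wins); None if no match."""
    if pattern == path:
        return (3, 0)                                  # exact match
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))                    # longest prefix wins
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)                                  # extension match
    return (0, 0) if pattern == "/" else None          # default pattern

def required_roles(web_xml, request_path):
    """Roles of the best-matching constraint, or None if none applies."""
    path = request_path.split("?", 1)[0]               # query string is ignored
    best, roles = None, None
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        for pat in sc.iter("url-pattern"):
            rank = match_rank(pat.text.strip(), path)
            if rank is not None and (best is None or rank >= best):
                if rank != best:
                    best, roles = rank, set()
                roles.update(r.text.strip() for r in sc.iter("role-name"))
    return roles

def login_page_for(web_xml, request_path):
    """Page the container serves to start FORM login for this path, if any."""
    cfg = ET.fromstring(web_xml).find("login-config")
    if (not required_roles(web_xml, request_path) or cfg is None
            or cfg.findtext("auth-method", "").strip() != "FORM"):
        return None
    return cfg.findtext("form-login-config/form-login-page").strip()
```

With this fragment, the login link's path is the only one that resolves to `/login.html`; `/page.html` and `/faces/postLogin.jspx` match no constraint in web.xml.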

  • ADF security and database

    Hi all,
    I am implementing ADF security on my application and I came across the following Documents:
    1- http://www.oracle.com/technology/products/jdev/howtos/1013/adfsecurity/adfsecurity_10132.html
    2- http://www.oracle.com/technology/products/jdev/howtos/1013/oc4jjaas/oc4j_jaas_login_module.htm
    and I have a few questions:
    1- In ADF security, the edit authorization options in the PageDef read the roles (groups) stored in the system-jazn-data.xml file. If my roles are stored in the Database, how can I read them?
    2- In the first document it is said " If the role name in web.xml matches a group name in system-jazn-data.xml, no further mapping is required. If the names do not match, then the web.xml role name needs to be mapped to the name in the system-jazn-data.xml using the orion-application.xml file. ". Can I do the mapping between the system-jazn-data.xml and the Database?
    3- When I assign ADF security permissions on PageDefs, they will be stored in the app-jazn-data.xml file. Can I store/read those permissions from the Database and not the app-jazn-data.xml file, or at least can I do some kind of mapping between the Database and this file?
    thanks in advance,
    Ahmad Esbita

    Hi albertpi,
    Thanks for your response. This is our first ADF application.
    We are planning to implement the security as mentioned above.
    We can configure the LDAP users in Weblogic server.
    We have a page with multiple tables which need to be shown based on the User roles.
    These roles we are planning to define in the table.
    1. I need to show list of users from my LDAP Users on the ADF UI to assign the roles.
    2. We will be defining our list of roles in a database table, which not sure whether they need to map to ADF application security roles.
    Data in table will be something like this.
    User Role
    Admin Tab1
    Admin Tab2
    Admin Tab3
    User1 Tab1
    User2 Tab2
    User2 Tab3
    Once the User is logged in we will read this table to show/hide the respective tabs.
    Can you tell us whether we are on the right path and, if yes, how to achieve this?
    Thanks,
    Satya

  • Creating a WebCenter Application with PageCutomizable and ADF Security

    I created a Webcenter App in Jdev 11.1.1.2.0 with webcenter extension.
    I have 2 JSPX files.
    One called mainTemplate.jspx
    - contains header, footer in ADF and a center facet.
    One called Welcome.jspx created from mainTemplate
    - contains page customizable > panel customizable > layout customizable > various custom panel configs.
    ADF security is configured with BASIC, authentication only. Because form authentication seems harder to get working.
    We have one weblogic user, and currently deploy to the integrated WLS, although we'll deploy out to a full server once security/composer is working.
    The problem is, when we run the Welcome.jspx, and because we added a reference to a logged in var, it requests http login fine.
    We then refresh the page and see that we are indeed logged in as 'weblogic'.
    Is weblogic a special user? should I create a new one? Is there any setup required on the Integrated WLS to get this working?
    However when we click on 'add Content' using the composer we get a permission error.
    <RegistrationConfigurator><handleError> Server Exception during PPR, #1
    javax.el.ELException: oracle.adf.view.page.editor.security.ComposerSecurityException: You do not have permission to edit the page
         at com.sun.el.parser.AstValue.invoke(AstValue.java:161)
    ...
    Caused by: oracle.adf.view.page.editor.security.ComposerSecurityException: You do not have permission to edit the page
         at oracle.adfinternal.view.page.editor.bean.DialogBean.setDialogHelp(DialogBean.java:129)
         at oracle.adfinternal.view.page.editor.bean.DialogBean.showResourceCatalog(DialogBean.java:356)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    ...
    I tried using the Customization allowed var in the property inspector, but could not map 'allowed by' to a user or role that my setup would recognise. The doco specifies 'admin' which does not work for me.
    In my catalog I have a WCM portlet taskflow, which will require its own permissions.
    I tried enabling permissions for the test-all role to all of my pages/taskflows, leaving just the 'view' permission to the anonymous role.
    I also tried authentication/authorization profiles, and building my own jspx login/error pages, but no luck there either, the login button doesn't seem to trigger my java doLogin class, even though I set the binding on the button using the method expression builder to the bean method.
    *note: I didn't try the welcome/login/error page auto create as they generate html files, I created JSFs with full UI in there. Am I required to use those html types instead of jspx? I found that the redirection worked by appending the jspx reference with '/faces/Login.jspx'. The problem seemed to have been somewhere else.
    If we have any Webcenter Composer / Security gurus out there, help would be greatly appreciated.
    Our main goal is to create a Webcenter App which has security/composer/navigation and a catalog with WCM/Siebel portlets similar to the Avitek demo without using WC Spaces.
    Thanks.
    Edited by: Guillaume_Davies_SC on Apr 20, 2010 7:28 PM

    When you want to achieve this you need to configure ADF security with basic authentication & authorization. The authorization is the part that takes care of what a user may and may not do in an application. Authentication is just the log in part.
    When you have configured your application for authorization as well, you have to create roles and groups.
    You will also have to set the authorization of your pages. Open a jspx and in the design or source view, right click and "edit authorization". You then have to add roles to your pages and define their rights. Then you can set the authorization for edit, customize, personalise, view, ...
    Hope this helps.

  • ADF security : How to get fnd_users list in weblogic server

    Hi All,
    I have a question related to ADF security.
    I am able to apply ADF security to the application, where users information and roles are defined in jazn.xml file.
    On deployment, users/ roles information is being successfully ported to weblogic server.
    But my requirement is to fetch users information from the fnd_users table. If you have any idea as to how to get the fnd_users data to weblogic, please reply.
    Thanks,
    Randhir

    Thanks John.
    I went through the link and got steps for authentication with fnd_users.
    I have one more question on this.
    Do I need to enable jazn.xml for implementing security, or are the steps given in this link alone sufficient?
    Since roles are also stored in the fnd table, how do I secure the taskflow? (Roles are not defined in jazn.xml.)
