OSB message level authentication fault and predicate

Similar Messages

• Regarding message level authentication in WSDL

  Hi,
  We developed scenario like below.
  There is a consumer webservice interface which we developed through proxy class.
  When we created the binding, selected 'Message level authentication' with 'Username and password' option.
  But in the XML I couldn't see any tags asking for user name and password.
  The requirement is to take the credentials through message header.
  My queries are:
  How do I edit the <sp:WssUsernameToken10 /> in XML to input username and password?
  I tried to research and found out that IF_WSPROTOCOL_WS_HEADER can be used here but dont know where to call this in my code.
  Also how this will validate the user name and password?
  Or is there any other way to include username and password in the XML?
  Please help as this is causing so much issues.

  >
  Anitha SAP wrote:
  > Hi Rajesh,
  >
  >       I have to use only FTPS. Because my client is suggesting that only. Isn't possible using FTPS ?
  > And Tell me The Difference Between FTPS for Control Connection and FTPS and Control and Data Connection .
  > Neccesity of Public key certificate from FTP Sever?
  >
  > Thanks.
  > Anitha.
  PI supports FTPS. you can use the File adapter for the same.
  The basic difference when we talk about FTPS for Control Connection* and FTPS and Control and Data Connection is that in case of FTPS and Control and Data Connection, you data is also encrypted. Else the connection is secure but the data level encryption will not be active
  FTPS works with Certificates and hence the need for the same

• Getting an error message, "unknown authentication issue" and solutions have only made it worse.

  When trying to publish with Muse, get error message, "unknown authentication error has occurred using your adobe id.  (shared unknown error)".  Support site said to delete OOBE folder.  Did that and got an error when opening Muse that says to redownload application manager.  Go to that page and it says to redownload the adobe cloud desktop.  Still getting both errors.  ???

  Please refer to the following link
  An unknown authentication error has occurred using your Adobe ID (AUTH_UNKNOWN_ERROR)

• X509 message level authentication - Unable to validate identity assertions

  Hi All,
  I am creating a proxy service that will authenticate a soap request with incoming x509 certificate.
  I configured weblogic server following the below blog post
  http://tim.blackamber.org.uk/?p=831
  I also setup SSL and keystore tab in the weblogic server by following steps in the the below URL
  http://biemond.blogspot.com/2009/06/ws-security-in-osb.html
  In my proxy service I am using pre-defined policy "Auth.xml"
  The proxy service is attached below
  I am running the proxy service from test console. I have a security provider created pointing the keystore and selected while running the proxy service from test console ( no user name/password provided)
  I was expecting that proxy service will read the security token and map the CN name correspons to the security token key (my default User name mapper attribute is CN) to an user created in weblogic server and able to authenticate it.
  But I am getting following error. Please suggest.
  <An error ocurred during web service security inbound request processing [error-code: Fault, message-id: 1345281693794990467-5e61805e.1324a2f888f.-7f8a, proxy: myPrototypes/ProxyService/ProxyServiceExtBizV2, operation: null]
  --- Error message:
  <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"><env:Header/><env:Body><env:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><Code xmlns="http://www.w3.org/2003/05/soap-envelope"><Value>env:Sender</Value><Subcode><Value>wsse:InvalidSecurity</Value></Subcode></Code><Reason xmlns="http://www.w3.org/2003/05/soap-envelope"><Text xml:lang="en-US">Unable to validate identity assertions.</Text></Reason></env:Fault></env:Body></env:Envelope>
  weblogic.xml.crypto.wss.WSSecurityException: Unable to validate identity assertions.
  *     at weblogic.wsee.security.wss.SecurityPolicyValidator.doIdentity(SecurityPolicyValidator.java:144)*
  *     at weblogic.wsee.security.wss.SecurityPolicyValidator.processIdentity(SecurityPolicyValidator.java:107)*
       at weblogic.wsee.security.wss.SecurityPolicyValidator.processInbound(SecurityPolicyValidator.java:78)
       at weblogic.wsee.security.WssServerPolicyHandler.processInbound(WssServerPolicyHandler.java:54)
       at weblogic.wsee.security.WssServerPolicyHandler.processRequest(WssServerPolicyHandler.java:30)
       at weblogic.wsee.security.WssHandler.handleRequest(WssHandler.java:74)
       at com.bea.wli.sb.security.wss.wls.Wls92InboundHandler.processRequest(Wls92InboundHandler.java:164)
       at com.bea.wli.sb.security.wss.WssHandlerImpl.doInboundRequest(WssHandlerImpl.java:223)
       at com.bea.wli.sb.context.BindingLayerImpl.addRequest(BindingLayerImpl.java:289)
       at com.bea.wli.sb.pipeline.MessageProcessor.processRequest(MessageProcessor.java:87)
       at com.bea.wli.sb.pipeline.RouterManager$1.run(RouterManager.java:593)
       at com.bea.wli.sb.pipeline.RouterManager$1.run(RouterManager.java:591)
       at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
       at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
       at com.bea.wli.sb.security.WLSSecurityContextService.runAs(WLSSecurityContextService.java:55)
       at com.bea.wli.sb.pipeline.RouterManager.processMessage(RouterManager.java:590)
       at com.bea.wli.sb.test.service.ServiceMessageSender.send0(ServiceMessageSender.java:332)
       at com.bea.wli.sb.test.service.ServiceMessageSender.access$000(ServiceMessageSender.java:79)
       at com.bea.wli.sb.test.service.ServiceMessageSender$1.run(ServiceMessageSender.java:137)
       at com.bea.wli.sb.test.service.ServiceMessageSender$1.run(ServiceMessageSender.java:135)
       at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
       at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
  proxy service definition:
  <?xml version="1.0" encoding="UTF-8"?>
  <xml-fragment xmlns:ser="http://www.bea.com/wli/sb/services" xmlns:tran="http://www.bea.com/wli/sb/transports" xmlns:env="http://www.bea.com/wli/config/env" xmlns:http="http://www.bea.com/wli/sb/transports/http" xmlns:con="http://www.bea.com/wli/sb/services/security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:con1="http://www.bea.com/wli/sb/pipeline/config" xmlns:con2="http://www.bea.com/wli/sb/stages/logging/config" xmlns:con3="http://www.bea.com/wli/sb/stages/config" xmlns:con4="http://www.bea.com/wli/sb/stages/publish/config">
  <ser:coreEntry isProxy="true" isEnabled="true">
  <ser:serviceProvider ref="myPrototypes/x509keyprovider"/>
  <ser:security>
  <con:inboundWss processWssHeader="true"/>
  </ser:security>
  <ser:binding type="abstract SOAP" isSoap12="true" xsi:type="con:AnySoapBindingType" xmlns:con="http://www.bea.com/wli/sb/services/bindings/config"/>
  <ser:monitoring isEnabled="false">
  <ser:aggregationInterval>10</ser:aggregationInterval>
  <ser:pipelineMonitoringLevel>Pipeline</ser:pipelineMonitoringLevel>
  </ser:monitoring>
  <ser:reporting>true</ser:reporting>
  <ser:logging isEnabled="true">
  <ser:logLevel>debug</ser:logLevel>
  </ser:logging>
  <ser:sla-alerting isEnabled="true">
  <ser:alertLevel>normal</ser:alertLevel>
  </ser:sla-alerting>
  <ser:pipeline-alerting isEnabled="true">
  <ser:alertLevel>normal</ser:alertLevel>
  </ser:pipeline-alerting>
  <ser:ws-policy>
  <ser:binding-mode>service-policy-bindings</ser:binding-mode>
  <ser:policies>
  <ser:service-policy>
  <ser:predefined-policy>Auth.xml</ser:predefined-policy>
  </ser:service-policy>
  </ser:policies>
  </ser:ws-policy>
  </ser:coreEntry>
  <ser:endpointConfig>
  <tran:provider-id>http</tran:provider-id>
  <tran:inbound>true</tran:inbound>
  <tran:URI>
  <env:value>/myPrototypes/ProxyService/ProxyServiceExtBizV2</env:value>
  </tran:URI>
  <tran:inbound-properties/>
  <tran:all-headers>true</tran:all-headers>
  <tran:provider-specific>
  <http:inbound-properties/>
  </tran:provider-specific>
  </ser:endpointConfig>
  <ser:router>
  <con1:pipeline type="request" name="PipelinePairNode1_request">
  <con1:stage name="stage1">
  <con1:context/>
  <con1:actions>
  <con2:log>
  <con3:id>_ActionId-3973507234039169612-4f70a750.1323cbeae66.-7e09</con3:id>
  <con2:logLevel>info</con2:logLevel>
  <con2:expr>
  <con3:xqueryText>$header</con3:xqueryText>
  </con2:expr>
  <con2:message>osb_extbiz_log:request side:hdr is</con2:message>
  </con2:log>
  <con4:route>
  <con3:id>_ActionId-3973507234039169612-4f70a750.1323cbeae66.-7866</con3:id>
  <con4:service ref="myPrototypes/BizService/BizServiceExtBiz" xsi:type="ref:BusinessServiceRef" xmlns:ref="http://www.bea.com/wli/sb/reference"/>
  <con4:outboundTransform/>
  </con4:route>
  </con1:actions>
  </con1:stage>
  </con1:pipeline>
  <con1:pipeline type="response" name="PipelinePairNode1_response">
  <con1:stage name="stage1">
  <con1:context/>
  <con1:actions>
  <con2:log>
  <con3:id>_ActionId-3973507234039169612-4f70a750.1323cbeae66.-7cd6</con3:id>
  <con2:logLevel>info</con2:logLevel>
  <con2:expr>
  <con3:xqueryText>$header</con3:xqueryText>
  </con2:expr>
  <con2:message>osb_extbiz_log:response side:hdr is</con2:message>
  </con2:log>
  <con2:log>
  <con3:id>_ActionId-3973507234039169612-4f70a750.1323cbeae66.-79d3</con3:id>
  <con2:logLevel>info</con2:logLevel>
  <con2:expr>
  <con3:xqueryText>$outbound</con3:xqueryText>
  </con2:expr>
  <con2:message>osb_extbiz_log:response side:outbound is</con2:message>
  </con2:log>
  <con2:log>
  <con3:id>_ActionId-3973507234039169612-4f70a750.1323cbeae66.-79b6</con3:id>
  <con2:logLevel>info</con2:logLevel>
  <con2:expr>
  <con3:xqueryText>$inbound</con3:xqueryText>
  </con2:expr>
  <con2:message>osb_extbiz_log:response side:inbound is</con2:message>
  </con2:log>
  </con1:actions>
  </con1:stage>
  </con1:pipeline>
  <con1:flow>
  <con1:pipeline-node name="PipelinePairNode1">
  <con1:request>PipelinePairNode1_request</con1:request>
  <con1:response>PipelinePairNode1_response</con1:response>
  </con1:pipeline-node>
  </con1:flow>
  </ser:router>
  </xml-fragment>
  Edited by: 818591 on Sep 8, 2011 4:47 PM

  For anyone watching this thread for any relevant information,
  after adding sign.xml policy, it started working

• Message Level Security in FTPS

  Hi ,
     Did File Adapter with FTPS will provide the Message Level Security ?
  And What is the Exact  Difference Between FTPS for Control Connection and FTPS for Control and Data Connection .
  What is the Significance of Use X.509 Certificate for Client Authentication check box. If we check it what will happen r if we dont what will happen ?
  Thanks.
  Anitha.

  >
  Anitha SAP wrote:
  > Hi Rajesh,
  >
  >       I have to use only FTPS. Because my client is suggesting that only. Isn't possible using FTPS ?
  > And Tell me The Difference Between FTPS for Control Connection and FTPS and Control and Data Connection .
  > Neccesity of Public key certificate from FTP Sever?
  >
  > Thanks.
  > Anitha.
  PI supports FTPS. you can use the File adapter for the same.
  The basic difference when we talk about FTPS for Control Connection* and FTPS and Control and Data Connection is that in case of FTPS and Control and Data Connection, you data is also encrypted. Else the connection is secure but the data level encryption will not be active
  FTPS works with Certificates and hence the need for the same

• Accepting a SOAP message that contains fault elements

  Hi,
  I am trying to create a webservice that will accept a valid soap messages that
  contains faults. Actual functionality required is to accept a valid soap message
  with or without faults. For this, I created separate methods in my java class
  (one for normal flow and one that will handle fault elements) that implements
  my web service. I need to manipulate the soap message for both cases. Hence, I
  created separate handlers to do this task. I created two handler chains in my
  web-services.xml one for handling soap messages that contains faults and one for
  handling soap messages that doesn't contain faults. The web services was successfully
  deployed and works fine for soap messages that doesn't contain fault. But, if
  I send a soap message with faults the client (that calls my webservice) is not
  even hitting my web service. It gets a HTTP
  500. Can anybody help me on this ?
  Thanks,
  Ganesh Balachandran

  Hi Ganesh,
  Which version of weblogic server you are using? Can you turn on verbose in
  client side? You can give a "-Dweblogic.webservice.verbose=true" to client
  side JVM. We need to see what your soap message with fault looks like.
  Thanks,
  -Neal
  "Ganesh" <[email protected]> wrote in message
  news:[email protected]..
  >
  Hi,
  I am trying to create a webservice that will accept a valid soap messagesthat
  contains faults. Actual functionality required is to accept a valid soapmessage
  with or without faults. For this, I created separate methods in my javaclass
  (one for normal flow and one that will handle fault elements) thatimplements
  my web service. I need to manipulate the soap message for both cases.Hence, I
  created separate handlers to do this task. I created two handler chains inmy
  web-services.xml one for handling soap messages that contains faults andone for
  handling soap messages that doesn't contain faults. The web services wassuccessfully
  deployed and works fine for soap messages that doesn't contain fault. But,if
  I send a soap message with faults the client (that calls my webservice) isnot
  even hitting my web service. It gets a HTTP
  500. Can anybody help me on this ?
  Thanks,
  Ganesh Balachandran

• OSB 11g - Authentication - Username and password in SOAP body

  Hi,
  I have a PS based on the WSDL provided by the client. According to the WSDL the client will send the username and password (to be used for authentication) in SOAP Body. I have extract the username and password from the body and authenticate it and then only process the data.
  The approach I am thinking of is to create two PS. The first PS will be called by client to send the data. There will be no authentication required for this PS. Once this PS (PS-1) receives the message it will extract the username, password and data from the SOAP body. It will then set the username and password in the HTTP header of the second PS (PS-2) and the data in the SOAP body of PS-2.
  PS-2 will be under basic authentication. PS-2 will accept the data as the only payload. Upon receiving the data it will do the normal processing.
  But I do not see any way to set the HTTP header (Authorization) for the second PS. Is my approach correct? Is there another/better approach?
  I went through this link [http://download.oracle.com/docs/cd/E13159_01/osb/docs10gr3/security/model.html] and found that we may have to configure another Authentication provider. How to do that?
  Thanks,
  Sanjay

  Hi Sanjay,
  Your approach seems correct to me (using two proxies) but instead of setting the username and password in HTTP header, you may set it as SOAP header and use Custom Authentication method in OSB. To know more about it, please refer -
  http://download.oracle.com/docs/cd/E17904_01/doc.1111/e15866/message_level_cust_auth.htm#i1069719
  Regards,
  Anuj

• Office 2013 add-in - How to add custom button in existing tab/group at home and the same at individual message level?

  Hello Everyone,
  Currently, I'm developing an outlook add-in and would like to setup a custom ribbon button at one of the existing tabs at home screen and at message level too, when
  it is opened from home screen.
  Following are the helpful screen prints.
  Any help would be much appreciated.
  Thanks, <b>Ankit Shah</b> <hr> Inkey Solutions, India. <hr> Microsoft Certified Business Management Solutions Professionals <hr> http://ankit.inkeysolutions.com

  Hello Ankit,
  All you need is to specify the IdMso value of the built-tab where you want to place your controls. See
  How to: Customize a Built-in Tab for more information (TabMail and TabReadMessage).
  You can find the list of built-in controls in the following documents:
  Office 2010 Help Files: Office Fluent User Interface Control Identifiers
  Office 2013 Help Files: Office Fluent User Interface Control Identifiers
  The Fluent UI is described in depth in the following series of articles in MSDN:
  Customizing the 2007 Office Fluent Ribbon for Developers (Part 1 of 3)
  Customizing the 2007 Office Fluent Ribbon for Developers (Part 2 of 3)
  Customizing the 2007 Office Fluent Ribbon for Developers (Part 3 of 3)

• My contacts and whats app messages are shown on my sister's iphone! How can I secure my iphone and have a high level of security and privacy! Her Contacts are shown in my iphone as well!!

  I have and iphone 6 with iOS 8.1. My contacts and whats app messages are shown on my sister's iphone! She have iPhone 6 and and iOS as well. How can I secure my iphone and have a high level of security and privacy! Her Contacts are shown in my iphone as well! Setting in mac and iphone are a bit presice and sensitive. Is there any way to solve my issue and increase the safety, security and privacy in my iPhone and its data?

  Your problem is that she used your icloud ID to connect to icloud and thus had all your data synced to her device.  Contacts are not saved in a backup to icloud, since they are stored independently in the Contacts section of icloud.  If someone deletes them, they are gone.  If you had them on the PC would they be available in some backup you frequently make of the PC?

• Message Level Security and Performance

  Hi All,
  Does the implementation of Message Level security features Like SSL and Encryption degrade the performance of the server in Processing the messages ?
  regards,
  Rahul

  Encryption related performance issue is purely related to size of messages.
  In my opinion, SSL wouldnt affect the performance for large messages. SSL will take its usual time for checking for security.
  And the volume and size could anytime affect the performance
  Regards,
  Prateek

• WebServices and message level security

  Hello,
  I am investigating about the use of XI web services using message level security (encrypted xml), is it possible to achieve this between an SAP provider and a third party consumer, without using a PCK or developing a specific adapter? (most solutions I see always point to this).
  If anyone could shed some light into this matter i would be thankful.
  Regards,
  Leandro Fonseca

  Hello,
  I am investigating about the use of XI web services using message level security (encrypted xml), is it possible to achieve this between an SAP provider and a third party consumer, without using a PCK or developing a specific adapter? (most solutions I see always point to this).
  If anyone could shed some light into this matter i would be thankful.
  Regards,
  Leandro Fonseca

• Page and Record level Authentication / Access control.

  Hi,
  I hope some of you might have come across this kind of issues. I am trying to setup page level authentication and record level access control. Please see below for the detailed description.
  1. Does APEX have any functionality where I can implement my page level authentication schemes.
  Say there are 5 pages/tabs and 10 users, and I want to restrict access as follows.
  All users can read the data in all the pages.
  User 1 thru 8 can read all the pages and edit page 1 and 2
  User 9 and 10 can read and delete the records inside the page.
  2. Is there any mechanism, that supports record level access control.
  Example : There is a page, it shows a product information of all the products. Is there a mecanism inside APEX wherein this page shows only the products created by it's creater (any end user)
  Is there a way in APEX, we can implement this functionality without having user information stored in the DB. ?
  Thanx in advannce.
  Vijay.

  Vijay,
  When a user creates the product why not store the user who created it in a column in the same table. That way you can write something like this:<BR>
  CREATE TABLE products_tab
    productid NUMBER PRIMARY KEY,
    product_name VARCHAR2(200),
    user_created VARCHAR2(30)
  );<br>
  SELECT
    productid,
    product_name,
    ( CASE
        WHEN user_created = :F_USER THEN
          --link to edit page goes here
        ELSE '<nbsp>'
      END ) edit_link,
    ( CASE
       WHEN user_created = :F_USER THEN
         --link to delete page goes here
       ELSE '<nbsp>'
      END ) delete_link
  FROM products_tab<br>
  I don't believe you can use an authorization scheme on a button the way you desired. It either displays the column or it doesn't.<br><br>
  Hope this helps.<br><br>
  chet<br><br>

• Authentication Fault: Invalid User Session Token

  Hi,
  I am trying to protect a call to third party webservices using OWSM and OAM. I followed the steps mentioned in Oracle Web Services Manager
  Deployment Guide to integrate OAM in OWSM, but not able to make any break through. I am getting following error if I test my web service using OWSM's inbuilt test tool:
  <SOAP-ENV:Envelope
  xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
  <SOAP-ENV:Fault>
  <faultcode
  xmlns:p="http://schemas.oblix.com/ws/2003/08/Faults">p:Client.AuthorizationFault</faultcode>
  <faultstring>Authentication Fault: Invalid User Session Token</faultstring>
  null</SOAP-ENV:Fault>
  </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>
  In gateway.log file, I get following oneliner message:
  security.SimpleXMLCredsExtractor - SimpleXMLCredsExtractor failed to Extract creds.
  I am using standalone OWSM installation.
  Installed OAM SDK on the same machine of OWSM.
  Added OAM SDK libraries into OWSM's path.
  Please advise as I have already wasted 3-4 weeks into it.
  .. Paresh
  Edited by: user10301925 on Sep 29, 2009 2:24 AM
  Edited by: user10301925 on Sep 29, 2009 2:24 AM

  Hi,
  Yes, I have registered the service in OWSM and calling that service through OWSM testing tool only...
  Following is the request message:
  <?xml version="1.0" encoding="UTF-8" ?>
  - <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  - <soap:Header>
  - <wsse:Security env:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  - <wsse:UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <wsse:Username>owsmuser</wsse:Username>
  <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">welcome11</wsse:Password>
  </wsse:UsernameToken>
  </wsse:Security>
  </soap:Header>
  - <soap:Body xmlns:ns1="http://service/">
  <ns1:getDateTime />
  </soap:Body>
  </soap:Envelope>
  Please advise.
  .. Paresh

• Message Level Security with SOAP Adapter

  Hi,
  I need to use Message Level Security with my SOAP Adapter. Please let me know if anyone has done the same in the past?
  What are the steps I would need to do? How can I use WSS based security in the SOAP Adapter?

  Hi,
  Message-level security is recommended and sometimes a prerequisite for inter-enterprise communication.
  It improves communication-level security by adding security features that are particularly important for inter-enterprise
  Message-level encryption is required if message content needs to be confidential not only on the communication lines but also in intermediate message stores.
  Refer
  How to use Client Authentication with SOAP Adapter
  XML Encryption Using Web Services Security in SAP NetWeaver XI
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/f0650f56-7587-2910-7c99-e1b6ffbe4d50
  http://help.sap.com/saphelp_nw04/helpdata/en/a8/882a40ce93185de10000000a1550b0/frameset.htm
  Thanks
  swarup

• Record Level Authentication in ADF Security 11g

  Is it possible to code my application to support record level authentication by using ADF 11g Security?
  For example the CEO Role can read all orders from a view, but other roles can only read the orders by them self.
  Do I have to control this mannually or the ADF Security can handle this for me? Is there any example about this?
  Thanks in advanced,
  Samson Fu

  I can think of three solutions:
  1) Go with the Oracle database Virtual Private Database (VPD) feature. This is the ideal solution as it codes that security logic in the database, and doesn't rely on your program/middletier getting the security correct.
  2) In ADF BC create the custom framework as recommended in the JDev Fusion Guide and then modify the custom ViewObjectImpl executeQuery() method such that it always adds your required predicate (where clause) to each VO query.
  3) Custom code the Where clause into every ADF BC VO query.
  CM.