Security in ADF

Jdev version 11.1.1.6
I have created an ADF application and the page flows in adfc-config.xml. I want to include security features in my application like disabling the Back button of the browser, session timeout, invalid session, etc. User access is based on a database table in my application.
Can you please help me to do this in ADF? It would be great to have tips on other usual features/points to consider while implementing an ADF application in production.

Hi,
You need to configure SQL Authenticator in weblogic server (where you are deploying your ADF app). In ADF the Security component is separate from application.
This link will help you set up the SQL authenticator: http://biemond.blogspot.com/2008/12/using-database-tables-as-authentication.html
To enable security, follow this: http://docs.oracle.com/cd/E14571_01/web.1111/b31974/adding_security.htm
The unbounded task flow, which is adfc-config.xml, is not secure; if you want to secure your pages in an ADF application, create bounded task flows.
Zeeshan

Similar Messages

  • How to give JAAS Security to ADF BC Swing Application.

    Hello Friends,
    ->I read lots of threads about JAAS Security in ADF for Web Applications.
    ->But I am not getting any solution/document which explains how to implement JAAS Security for an ADF BC Swing Application.
    -> I will explain which type of application we developed.
    We had developed one whole ERP product by using ADF BC [Swing] technology. We have 480 forms in our application. Now I need to add security to my application.
    ->I will explain the structure of the application.
    We have a separate Application Module for each form, meaning I have 480 Application Modules in my application. I create separate session beans for each Application Module and I deploy it on a standalone OC4J server.
    So please, friends, help me out to add security to my application.
    Thanks in Advance.

    Hello Franks
    First thanks for your reply.
    --> You suggested two options for me, but I would like to go with the second option:
    JAZN with ADF BC.
    ---> As you said, I need to set the jbo.security.enforce property to "auth", but currently I have it set to "Test" to trace the login user, i.e. to set History Columns.
    --->Frank, I am waiting for your documents. If you have documents in how-to-do format, then please forward them to me.
    Thanks Frank

  • What about security in adf faces application ?

    It seems that the documentation has changed a little bit regarding security for ADF Faces applications.
    The SRDemo J2EE sample application only implemented security at the web container, and maybe for the session beans (don't remember), by using security-role and security-constraint in the web.xml configuration file.
    It seems that the documentation now recommends implementing ADF Security, and I didn't find any more references to the standard J2EE security implementation.
    We also found that the security constraints checked by the web container were sometimes ignored and the container didn't ask us to log in before displaying a page.
    Is ADF Security a clear Oracle recommendation for ADF Faces applications?
    What about J2EE security for this type of application (why is it not recommended to use it)?

    Hi,
    there is no single recommendation about security because security ideally is applied on several levels to implement security in depth. Container-managed security with J2EE is a good option to secure page access and - if using EJB - to propagate the user identity for method-level access control.
    Using ADF Security, which is security added to the binding layer based on JAAS, a second layer of the security onion becomes available that allows you to define which user is allowed to perform which operation on an iterator or attribute binding. This goes beyond what container-managed security can do for you.
    The third layer is business layer security and eventually database security.
    For Oracle Open World we will have a development track, and one of the presentations I am giving with Ric Smith from our team is about end-to-end application security for ADF Faces, ADF, ADF BC or TopLink/EJB and the Oracle database.
    The plan is to also write this up in a paper, but this would come late because of other priorities I have on my plate. So attending OOW probably is the best option for you to get the big picture.
    Frank

  • Change security of adf application on weblogic

    hi all,
    I am new to WebLogic. I set up OID in WebLogic successfully, but I couldn't change the security of my ADF application. Is there any documentation on how to change the security of an ADF application?

    hi frank,
    I mean that I set OID in myrealm, which is my default security realm. I changed the order of the Authentication Providers; all of the users of OID are in myrealm. However, my application does not use this LDAP configuration. I couldn't change the security of the application, and I need help. Before, I deployed my 10.1.3 ADF application to OC4J and during deployment I could set the security of the application, but I couldn't see anything like OC4J's deployment settings in WebLogic.
    I configured my OID like in the link below:
    http://www.oracle.com/technology/products/jdev/tips/fnimphius/oidconfig/index.html

  • How can i implement "my own" security in ADF 11g

    Hi everybody,
    I have a problem and hope anyone could help me...
    Currently I am developing an ADF application, and I want to implement the security... The problem I have (and I read a lot of posts in the forum and other blogs and didn't find anything that helped me) is that the "validation" of the user and password is done with a web service..... and the "roles" of the application are given to me by another web service.
    I read a lot, and chapter 30 of the Fusion Developer's Guide (Enabling ADF Security in a Fusion Web Application) explains very well how to implement security in the application, but that example really doesn't work for my problem.
    I want to know a way to implement my own logic in the "doLogin" action of the "Login button" on my login page.
    import java.io.IOException;
    import javax.faces.application.FacesMessage;
    import javax.faces.context.FacesContext;
    import javax.security.auth.Subject;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.login.FailedLoginException;
    import javax.security.auth.login.LoginException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import weblogic.security.SimpleCallbackHandler;
    import weblogic.security.services.Authentication;
    import weblogic.servlet.security.ServletAuthentication;

    // Managed bean behind the login page; the two fields are bound to the form's input components
    private String _username;
    private String _password;

    public String doLogin() {
        String un = _username;
        byte[] pw = _password.getBytes();
        FacesContext ctx = FacesContext.getCurrentInstance();
        HttpServletRequest request =
            (HttpServletRequest) ctx.getExternalContext().getRequest();
        CallbackHandler handler = new SimpleCallbackHandler(un, pw);
        try {
            // <<----------------------------- Here I want to invoke the WS that validates the user and password.
            Subject mySubject = Authentication.login(handler);
            ServletAuthentication.runAs(mySubject, request);
            String loginUrl = "/adfAuthentication?success_url=/faces" +
                ctx.getViewRoot().getViewId();
            HttpServletResponse response =
                (HttpServletResponse) ctx.getExternalContext().getResponse();
            sendForward(request, response, loginUrl);
        } catch (FailedLoginException fle) {
            FacesMessage msg = new FacesMessage(FacesMessage.SEVERITY_ERROR,
                "Incorrect Username or Password",
                "An incorrect Username or Password was specified");
            ctx.addMessage(null, msg);
        } catch (LoginException le) {
            reportUnexpectedLoginError("LoginException", le);
        }
        return null;
    }

    // Forwards to the ADF authentication servlet and marks the JSF response as complete
    private void sendForward(HttpServletRequest request, HttpServletResponse response, String forwardUrl) {
        try {
            request.getRequestDispatcher(forwardUrl).forward(request, response);
        } catch (Exception e) {
            reportUnexpectedLoginError(e.getClass().getSimpleName(), e);
        }
        FacesContext.getCurrentInstance().responseComplete();
    }

    // Shows a generic error to the user; exception details belong in the server log, not on the page
    private void reportUnexpectedLoginError(String errType, Exception e) {
        FacesContext.getCurrentInstance().addMessage(null, new FacesMessage(
            FacesMessage.SEVERITY_ERROR, "Unexpected error during login", "Unexpected error (" + errType + ")"));
    }
    And I want to know if I can save some other user information in some kind of session (like company, mail and other stuff).....
    And once I can log in validating user and password from the WS... how could I manage my roles?
    Well, I hope anyone can help me.
    Regards from Mexico.

    Hi,
    to do this, you create a JAAS Login Module to authenticate against the Web Service. You then wrap this in an authentication provider that you configure in WLS. ADF Security does not perform any authentication itself and instead leaves it to the container.
    http://download.oracle.com/docs/cd/E17904_01/web.1111/e13718/atn.htm#i1154044
    Frank

  • Implementing Security For ADF Pages when integrated with Oracle APPS

    Hi,
    Can anyone please let me know the solution to the below problem ?
    I have an ADF application that is deployed on a WebLogic server. A URL is generated to access the ADF pages.
    I have created one more simple jsp (Launch.jsp) which redirects to this URL on page load.
    I am using Oracle APPS where:
    ->I registered a form function referring to Launch.jsp
    ->I am referring form function in a responsibility , attaching that to a menu
    ->When the valid oracle user logs in, I am sending all oracle apps environment variables (User id , Responsibility id, application id ) for that session
    What my issue is :
    ->The URL, along with the parameters that I am sending from Launch.jsp to the ADF page, is visible to the user. So, even if the Oracle APPS user has not logged in, anybody who knows the URL can access the ADF pages.
    ->So, is there any way to implement security such that even someone who knows the URL of the ADF page cannot access the ADF pages without a valid user being logged in through Oracle APPS?
    I am using Jdeveloper 11g.
    Please let me know if you need anymore details.
    Thanks in advance,
    Kavitha

    Please help me out if anyone has a solution to this problem.
    Thanks,
    Kavitha

  • Security in ADF Jdeveloper 11.1.2.1.0

    Hi community,
    I've been tasked with the mission to develop a good practices manual for developing SECURE applications in JDev. I decided to come to the forums first to ask for whatever resource you have on the matter, if there's anything already written about this that you could share, it would be most welcome. So far, I've read that ADF already takes care of most of the basic stuff, as long as developers stick to the recommended developing procedures (like using bind variables in queries, etc). Still, any word you have on this would be very much appreciated, so please share whatever you got!
    Thanks,
    Daniel

    There is a detailed chapter on ADF Security in the Oracle Fusion Middleware Fusion Developer's Guide for Oracle Application Development Framework.
    http://docs.oracle.com/cd/E21764_01/web.1111/b31974/adding_security.htm#BGBGJEAH
    Regards
    Antonis

  • [Security] Row-level security in ADF

    Hi all,
    I want to implement row-level security in my application, the scenario is like this:
    There are several users that connect to the application
    These users are authenticated in some way (XML file, OID, DB)
    When each user wants to access (Select, Update, Delete) an ADF table, either updatable or read-only, a predefined 'where condition' based on that table and the operation the user wants to do must be concatenated to his DML, transparently to the user.
    So if, for example, a user queries the Emp Salary table, only records with salary < 10K/month will be fetched from the underlying table. This should be done automatically and not hard-coded in the application.
    I have tried VPD and it has some useful features but my problems are:
    1) Where and how to define the 'where conditions'?
    2) How to attach the 'where conditions' to the executing DML?
    3) What is the best way to make DB know which user is really executing DMLs? (Not a single Application Server admin user)
    4) What is the best authentication approach?
    Any helps will be really appreciated.
    S/\EE|)

    Hi,
    yes you can. The database proxy user is set up in the prepareSession method as well, and EUS can be configured to take the J2EE username to then re-connect the app to the database schema.

    // In the application module's Java class (the AM implementation that extends ApplicationModuleImpl):
    import java.sql.CallableStatement;
    import java.sql.SQLException;
    import java.util.Properties;
    import oracle.adf.share.ADFContext;
    import oracle.jbo.server.SessionData;
    import oracle.jdbc.OracleConnection;

    private OracleConnection oconn;

    public void prepareSession(SessionData sessionData) {
        super.prepareSession(sessionData);
        oconn = ((PrxyTransactionImpl) this.getDBTransaction()).getPrxyConnection();
        // Specify the user that connects through the proxy user and its roles
        Properties prop = new Properties();
        prop.put(OracleConnection.PROXY_USER_NAME, "hr");
        //prop.put(OracleConnection.PROXY_ROLES, roles);
        // Hand the application user to the context package as a bind parameter rather than
        // concatenating it into the PL/SQL text, so it can never alter the statement
        String appContext = "BEGIN ctxhrpckg.set_userinfo(?); END;";
        CallableStatement st = null;
        // Open the proxy session (DB-authenticated users)
        try {
            oconn.openProxySession(OracleConnection.PROXYTYPE_USER_NAME, prop);
            st = getDBTransaction().createCallableStatement(appContext, 0);
            st.setString(1, getApplicationUserName());
            st.execute();
        } catch (SQLException e) {
            e.printStackTrace();
        } finally {
            if (st != null) { try { st.close(); } catch (SQLException ignore) { } }
        }
    }

    // Helper assumed here (the post does not show it): the J2EE user name of the caller,
    // taken from the ADF security context
    private String getApplicationUserName() {
        return ADFContext.getCurrent().getSecurityContext().getUserName();
    }

    package oracle.sample.dbprxy.adfbc;

    import oracle.jbo.server.DBTransactionImpl2;
    import oracle.jbo.server.DatabaseTransactionFactory;

    /**
     * TransactionFactory that returns PrxyTransactionImpl, which is a subclass of
     * DBTransactionImpl2. Registered for the AM via the TransactionFactory property
     * of its configuration (bc4j.xcfg).
     * @author Frank Nimphius
     */
    public class PrxyDatabaseTransactionFactory extends DatabaseTransactionFactory {
        public PrxyDatabaseTransactionFactory() {
            super();
        }

        /**
         * Override the create method to return an instance of PrxyTransactionImpl instead
         * of DBTransactionImpl2
         * @return PrxyTransactionImpl
         */
        public DBTransactionImpl2 create() {
            return new PrxyTransactionImpl();
        }
    }

    package oracle.sample.dbprxy.adfbc;

    import oracle.jbo.server.DBTransactionImpl2;
    import oracle.jdbc.OracleConnection;

    public class PrxyTransactionImpl extends DBTransactionImpl2 {
        public PrxyTransactionImpl() {
            super();
        }

        /**
         * The DBTransactionImpl2 does not expose the connection in a public
         * method. This class is a wrapper to expose the connection to the
         * BC app, so it can be accessed in the ApplicationModuleImpl class
         * @return OracleConnection - SQL Connection
         */
        public OracleConnection getPrxyConnection() {
            return (OracleConnection) this.getJdbcConnection();
        }
    }

    Note that for EUS ApplicationModule pooling should be disabled.
    Frank
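As an added example that is not from Frank's post or from any Oracle sample, this is one way to answer questions 1 and 2 on the ADF BC side, complementing the proxy-user/VPD route above: a base ViewObjectImpl that appends a role-dependent predicate through a bind variable before every query, so the "where condition" is defined in one place and never hard-coded per page. The class and package names, the role names, the salary ceilings, the bind-variable name `secMaxSalary` and the assumption that the VO's query exposes a `salary` column are all mine, not the page's.

```java
package example.adfbc; // hypothetical package

import java.util.HashMap;
import java.util.Map;
import oracle.adf.share.ADFContext;
import oracle.adf.share.security.SecurityContext;
import oracle.jbo.server.ViewObjectImpl;

/**
 * Base class for view objects whose rows must be filtered per user. Set it as the
 * project's base ViewObjectImpl so every VO inherits the behaviour without per-VO code.
 * Assumes the VO's query exposes a SALARY column.
 */
public class SecuredViewObjectImpl extends ViewObjectImpl {

    /** Bind variable carrying the per-user ceiling (assumed name). */
    private static final String CEILING_PARAM = "secMaxSalary";

    /** Assumed policy table: role -> highest salary the role may see. Maintained in one place. */
    private static final Map<String, Long> CEILING_BY_ROLE = new HashMap<String, Long>();
    static {
        CEILING_BY_ROLE.put("managers", Long.MAX_VALUE); // managers see every row
        CEILING_BY_ROLE.put("staff", 10000L);            // staff see salaries below 10K
    }
    private static final long DEFAULT_CEILING = 0L;      // a user with no known role sees nothing

    private boolean predicateDefined;

    /** Picks the most permissive ceiling among the roles the current user holds. */
    protected long ceilingForCurrentUser() {
        SecurityContext sc = ADFContext.getCurrent().getSecurityContext();
        long ceiling = DEFAULT_CEILING;
        for (Map.Entry<String, Long> e : CEILING_BY_ROLE.entrySet()) {
            if (sc.isUserInRole(e.getKey()) && e.getValue() > ceiling) {
                ceiling = e.getValue();
            }
        }
        return ceiling;
    }

    @Override
    public void executeQuery() {
        long ceiling = ceilingForCurrentUser();
        if (!predicateDefined) {
            // The dynamic where clause is ANDed to the VO's declared query; the value travels
            // as a bind variable, so no user-controlled text is concatenated into the SQL.
            setWhereClause("salary < :" + CEILING_PARAM);
            defineNamedWhereClauseParam(CEILING_PARAM, ceiling, null);
            predicateDefined = true;
        } else {
            // With AM pooling the VO instance may serve another user later, so refresh the value
            // on every query instead of trusting the first one.
            setNamedWhereClauseParam(CEILING_PARAM, ceiling);
        }
        super.executeQuery();
    }
}
```

This filters reads only; inserts and updates still need entity-level checks, and the database itself still sees the application's connection user, which is exactly why the proxy session in Frank's prepareSession code above is needed for question 3. VPD policies and this VO filter can coexist: the VO filter saves round trips, the VPD policy remains the enforcement point that no client can bypass.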

  • WS Security in ADF BC v/s Non ADF BC services

    Hi,
    I came to know about ADF BC services being more functionally secure than plain web services. My question is: what makes the ADF BC services functionally secure? If we have to make plain web services secure, what is the procedure?
    Also, if I think of converting the above plain web services (FYI, we don't need any DB connection in our web services) to an ADF BC service, is it OK if I have an AM and expose the functions from the AM without having the EO/VO?
    Thanks in advance,
    -Anil.

  • Mixing Security With ADF Library Feature

    While using the ADF Library feature, what should be the way to implement security?
    For example, assume a project ProjectProducer having a task flow. I deploy ProjectProducer as an ADF library.
    ProjectConsumer
         |->     ProjectProducer (ADFLib JAR)
    Now, in another Workspace (or application), I have another project with name ProjectConsumer, and now I want to use the ProjectProducer's task flow in ProjectConsumer.
    Now, after making a connection, I add the ProjectProducer library to ProjectConsumer.
    Now assume that I need to implement security in the ProjectConsumer project using JAZN. Because of this, I might need to hide/show some columns of a table shown in the ProjectProducer task flow's first (default) view activity based on some role assignments.
    Can I do that by configuring security using jazn of ProjectConsumer project?
    How should I plan this?

    Hi,
    The pageDef in app B must have an entry for the method in order to access it. Just adding the adfjar isn't enough.
    You need to go to the bindings of the page in app B and add the method you want to access. Once the method is added you can access it using the following code:
    import java.util.Map;
    import oracle.adf.model.BindingContext;
    import oracle.binding.BindingContainer;
    import oracle.binding.OperationBinding;

    // Resolve the current page's binding container; the method binding must exist in app B's pageDef
    BindingContainer bindings = BindingContext.getCurrent().getCurrentBindingsEntry();
    OperationBinding operationBinding = bindings.getOperationBinding("getWeatherbyCityName");
    Map map = operationBinding.getParamsMap();
    map.put("theCityName", "Tokyo");
    operationBinding.execute();
    This should work.
    Thanks,
    Siddharth.

  • Secure the ADF pages in portlet via ADF portlet bridge

    Hi All
    My project is using the ADF security model to do the authentication and authorization, and the project can be deployed to WebLogic and works fine.
    Currently I want to extend the pages and task flows to a WebCenter portlet client via the ADF portlet bridge. How can I implement the security policy to reuse the existing code? I have no idea how the portlet client interactively works with the producer to do the authentication.
    Appreciated if anyone can give a hand on this or show some examples.

    Could you tell me how you were able to combine an adf-table bound to BC with a portlet on the same page? I'm getting a 'portlet unavailable exception' when I try to customize my RichTextPortlet.
    If I run the portlet on its own in a jspx document everything runs just fine, but from the moment you add an ADF component the portlet is unavailable.

  • GOTCHA's with Setting up ADF Security with JDev 11.1.1.6.0

    If you're getting into ADF security, you're probably going to want to get rid of that ugly default login.html page. I mean, it gets the job done, but we want something a little better. And if you want something a little better and you're using JDev 11.1.1.6.0, it behooves you to read this post!
    First off, get acquainted with these four posts. All good stuff. They'll walk you through the 1st half of what you need to know. Y'know, the non-Gotcha half.
    http://one-size-doesnt-fit-all.blogspot.com/2010/07/adf-security-revisited-again-again.html
    http://myadfnotebook.blogspot.com/2011/11/adf-security-basics.html
    http://andrejusb.blogspot.com/2010/11/things-you-must-know-about-adf-faces.html
    http://java2go.blogspot.com/2010/12/creating-centered-page-layout-using-adf.html
    Are you getting either of the following errors?
    <CodebasePolicyHandler> <migrateDeploymentPolicies> Migration of codebase policy failed. Reason: {0}.
    oracle.security.jps.JpsException: java.lang.IllegalArgumentException: oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl
    Error 500--Internal Server Error
    java.lang.RuntimeException: Cannot find FacesContext
    I'll show you where they're coming from. Follow along.
    1) Create a new application.
    2) Create three .jspx pages called login, error, and welcome.
    3) Generate PageDef files for them by right-clicking on the file and selecting "Go To PageDefinition". You'll want these so that you may apply security against them.
    4) Right-Click on your Application and select Secure->Configure ADF Security
    5) ADF Authentication and Authorization -> Form Based Authentication (Use the search symbol to select your created login and error pages. Should be something like "/faces/login.jspx") -> No Automatic Grants -> Finish
    Right-Click your welcome.jspx and select run. You'll get this error before your web page opens up in your browser and then proceeds to wig out.
    <CodebasePolicyHandler> <migrateDeploymentPolicies> Migration of codebase policy failed. Reason: {0}.
    oracle.security.jps.JpsException: java.lang.IllegalArgumentException: oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl
    That just won't do. Let's fix it, shall we?
    6) Open your newly JDev created jazn-data.xml file. It's located in the Application Resources panel (usually located by Data Controls and your Projects expandable panels)
    7) Resource Grants -> Resource Type (Web Page dropdown) -> error page should have a key symbol by it. Delete the anonymous role in the "Granted To" column. Now click the green button to add an Application Role. Huh, there's TWO of them? How bout that? Looks like we're going to have to delete some XML code!
    8) Click the Source tab on the bottom of the page to open up the XML View. You'll see the following piece of erroneous code. Erroneous, I say!
      <policy-store>
        <applications>
          <application>
            <name>SecurityError</name>
            <app-roles>
              <!-- Hello, I'm the app role that has sucked away two hours of your life that you can never, ever get back -->
              <app-role>
                <name>anonymous-role</name>
                <class>oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl</class>
                <display-name>anonymous-role</display-name>
              </app-role>
              <!-- Whew, the end of that app role -->
            </app-roles>
            <jazn-policy>
              <grant>
    9) You're going to want to delete that app role XML.
    10) Go back into your jazn-data.xml file and create some users. For example, bob and jane. Create an Enterprise role called "admin". Put bob and jane as members into this Enterprise role. Create an Application role called managers. Map managers to your Enterprise role admin.
    11) Go back to the Resource Grants tab -> Resource Type (Web Page) and delete any "Granted To" authorizations that may be assigned to any of the pages. Assign a "Granted To" application role of "anonymous-role" to the error and login pages. Assign "managers" to welcome.
    12) Run your welcome page. Yay, the error is gone. How sweet it is.
    Now you want to refactor/move your login and error page somewhere else? Great, just right-click and select Refactor. Refactor to some place like /public_html/jspx/<your login page>.jspx. Re-run your welcome page.
    // You fool!
    Error 404--Not Found
    From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
    10.4.5 404 Not Found
    That's not so good. Let's fix that.
    1) Open up web.xml. It's located at ViewController/WEB-INF/web.xml.
    2) Click the security tab and you'll see Form-Based Authentication with a login page and error page. Click that Search glass and locate your new file. Do the same for the error page. You should see something like "/jspx/login.jspx" come back.
    3) Re-run your welcome page.
    // Suckered AGAIN!
    Error 500--Internal Server Error
    java.lang.RuntimeException: Cannot find FacesContext
    This is a tricky one. The search icon brings back a faulty address. Since we're using a .jspx page, it needs to be "/faces/jspx/login.jspx". Repeat for the error page. Re-run your welcome.jspx.
    Ahh!! Now THAT's how we do it in Kingsport!
    Finally, a custom .jspx login works. Now what are you doing here? Shouldn't you be playing some Diablo 3?
    Will

    Ha :-)
    Point being good summaries like yours tend to get lost on the forums because of the volume of posts. With a blog people have the chance to subscribe to your posts so it's just a better vehicle all round for posting content to help others.
    I highly recommend writing blogs even if it's for scratch notes, because you'll learn a lot in structuring your thoughts. It's also a really good way to get noticed in the community because bloggers stand out.
    But your call, no pressure of course ;-)
    CM.

  • ADF Security from Database Table

    I have two database tables one holding username and password and other username and role.
    I want to secure my ADF application based on this. I have already gone through the following link ->
    http://www.oracle.com/technology/products/jdev/howtos/1013/oc4jjaas/oc4j_jaas_login_module.htm
    But, after configuring all the things for embedded J2EE server also I am finding some problem. It's not trying to connect with the database.
    If any other links or sample projects, you can mention that will be helpful for understanding.

    Hi,
    check the data source name that you use with the LoginModule. Use Enterprise Manager in OC4J to verify that the data source can connect to the database. If not, change the data source's connection information. This most likely is your problem.
    Frank
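As an added example that is not from the original posts or from Oracle, this is what a JAAS LoginModule along the lines Frank describes looks like; it serves both the web-service case asked about above ("How can I implement my own security in ADF 11g") and this database-table case. The module collects the name and password through the standard JAAS callbacks, hands them to an external validator, and only on success adds user and role principals to the Subject. The class names, the `CredentialValidator` interface, the "validator" option key and the in-memory table in main() are all assumptions: a real implementation would call the web service, or query the username/password and username/role tables through the data source, and the packaging of the module into a WebLogic authentication provider is the separate step covered by the e13718 documentation linked above.

```java
package example.security; // hypothetical package

import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** JAAS LoginModule whose credential check is delegated to an external source (web service or DB table). */
public class ExternalLoginModule implements LoginModule {

    /** Assumed abstraction over the external check: returns the user's roles, or null to reject. */
    public interface CredentialValidator {
        List<String> validate(String user, char[] password);
    }

    /** Plain principal; a WebLogic provider would emit WLSUserImpl/WLSGroupImpl instead. */
    public static final class SimplePrincipal implements Principal {
        private final String name;
        private final boolean group;
        public SimplePrincipal(String name, boolean group) { this.name = name; this.group = group; }
        public String getName() { return name; }
        public String toString() { return (group ? "group:" : "user:") + name; }
    }

    private Subject subject;
    private CallbackHandler handler;
    private CredentialValidator validator;
    private String user;
    private List<String> roles;
    private boolean loginSucceeded;
    private final List<Principal> added = new ArrayList<Principal>();

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        // The validator arrives through the options map (assumed key) so the module is testable offline.
        this.validator = (CredentialValidator) options.get("validator");
    }

    public boolean login() throws LoginException {
        if (handler == null || validator == null) throw new LoginException("module not configured");
        NameCallback nc = new NameCallback("username: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException e) {
            throw new LoginException("callback failed: " + e.getMessage());
        } catch (UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e.getMessage());
        }
        char[] pw = pc.getPassword();
        pc.clearPassword();
        try {
            roles = (pw == null || nc.getName() == null) ? null : validator.validate(nc.getName(), pw);
        } finally {
            if (pw != null) Arrays.fill(pw, '\0'); // do not keep the secret in memory
        }
        // Same generic message whether the name or the password was wrong.
        if (roles == null) throw new FailedLoginException("Incorrect Username or Password");
        user = nc.getName();
        loginSucceeded = true;
        return true;
    }

    public boolean commit() {
        if (!loginSucceeded) return false;
        added.add(new SimplePrincipal(user, false));
        for (String r : roles) added.add(new SimplePrincipal(r, true));
        subject.getPrincipals().addAll(added);
        return true;
    }

    public boolean abort() { boolean attempted = loginSucceeded; logout(); return attempted; }

    public boolean logout() {
        subject.getPrincipals().removeAll(added);
        added.clear();
        user = null; roles = null; loginSucceeded = false;
        return true;
    }

    /** Offline demonstration with a constructed in-memory table standing in for the web service / DB. */
    public static void main(String[] args) throws LoginException {
        final Map<String, List<String>> table = new HashMap<String, List<String>>();
        table.put("bob", Arrays.asList("managers"));
        CredentialValidator stub = new CredentialValidator() {
            public List<String> validate(String u, char[] p) {
                return table.containsKey(u) && Arrays.equals(p, "secret".toCharArray()) ? table.get(u) : null;
            }
        };
        CallbackHandler fixed = new CallbackHandler() {
            public void handle(Callback[] cbs) throws UnsupportedCallbackException {
                for (Callback c : cbs) {
                    if (c instanceof NameCallback) ((NameCallback) c).setName("bob");
                    else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword("secret".toCharArray());
                    else throw new UnsupportedCallbackException(c);
                }
            }
        };
        Map<String, Object> options = new HashMap<String, Object>();
        options.put("validator", stub);
        ExternalLoginModule lm = new ExternalLoginModule();
        Subject s = new Subject();
        lm.initialize(s, fixed, new HashMap<String, Object>(), options);
        lm.login();
        lm.commit();
        System.out.println(s.getPrincipals()); // user:bob and group:managers
    }
}
```

Two points matter for the DB-table variant: the validator should compare a salted hash stored in the table rather than a clear-text password, and it should use the container's data source (Frank's advice above about verifying that data source in Enterprise Manager applies unchanged). The `abort()` path exists so that a partial login in a multi-module stack leaves no principal behind.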

  • Getting error in ADF Login security

    Hi Team,
    I am making security login mechanism.
    I referred - Oracle ADF 11g Security - Custom ADF Login Form - Part 1 (High) and part 2 video from youtube.
    I am not getting any error in my log but after entering username and password its giving me error-
    Error 401--Unauthorized
    From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
    *10.4.2 401 Unauthorized*
    The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.
    Can you please suggest me how to resolve this.
    Jdev :- 11.1.1.6.0
    Thanks in advance.
    Ramit Mathur

    Hi.
    Check the grants/permissions in jazn-data
    After you log in, the security framework checks the user's right to access the resource. For example, if you receive an unexpected 401 unauthorized user error, verify that you have created grants as suggested in Section 30.11.4, "Best Practices for Working with Oracle ADF Security."
    http://docs.oracle.com/cd/E14571_01/web.1111/b31974/adding_security.htm#BABFIHAF

  • Authenticate ADF application using adf security wizard against LDAP OID

    I have an ADF application which I intend to authorize using LDAP. For now, I have actually hand-coded the authentication of my application's users in Java: using JNDI I directly connect to LDAP and authenticate users. However, recently it came to my notice that I can also do that using the ADF security wizard, but I am unable to do so. While securing the ADF application, nowhere in the wizard is LDAP configuration mentioned. Do I have to change some file manually? I have no idea how to proceed on that.

    I have set up WLS, making the OIDAuthentication provider Sufficient. But I don't know how to configure the ADF side so that it can authenticate against LDAP. When I try the ADF security wizard option, it tells me to create new roles. Is there any way I can import the LDAP credentials into the security wizard..?
