Session expired (timeout) without ADF Security using.

Hello!
I have a problem with my application, in which I use my own security implementation without using ADF Security. I wrote a custom implementation of the javax.servlet.http.HttpSessionListener interface, in which I log session creation and expiration events. On WebLogic I implemented a custom DBMS authentication class. The session timeout is defined in web.xml (<session-timeout>5</session-timeout>); in weblogic.xml the session timeout is not defined.
Problem description: when the session has expired (a popup warning is displayed before this) and I press the OK button in the session-expired popup, I see no log entry about the session being destroyed from my HttpSessionListener implementation, so I can't tell that the session has expired and process this event in my servlet filter. So I stay on the same page (but without data in the tables, because the bind variables in the VO queries are not defined). If I do not click OK in the popup and wait about a minute, then a log message about the session being destroyed appears from my HttpSessionListener implementation. Why is there a delay between the appearance of the session-expired warning and the actual destruction of the session in WebLogic?
I use JDeveloper 11.1.1.6.0, application deployed in integrated WebLogic 10.3.5.0

Hi,
"Why is the delay between the appearance of warning session expired and the actual destroying of the session in WebLogic?"
Because the warning is given about 2-3 min before the session expires.
That is why:
"If I am not click OK in the popup and wait about minute, then appear a log message about the destroying the session from my HttpSessionListener implementation."

Similar Messages

  • How to create new user in adf security using jspx page

    How to create a new user in ADF Security using code in a Java file. Please help me, this work will be submitted today, please help me...

    sigh
    Search really would help and point you in the right direction. You'd find this, for example: http://forums.oracle.com/forums/thread.jspa?messageID=4584464

  • ADF Security using sqlauthenticator issue unable to login

    Hi,
    I am using jdev 11.1.2.3
    I followed these blogs to configure ADF security using the SQL authenticator
    http://biemond.blogspot.in/2008/12/using-database-tables-as-authentication.html
    http://hazem-adf-tips.blogspot.in/2012/06/adf-security-database-authentication.html
    I am unable to log in. I am able to see the users and roles in the WL admin console. When I give the user credentials, it redirects to an error page saying unauthorized.
    Please can anybody help me with this issue.
    Thanks,
    Nitesh

    HI Timo,
    I have created application roles admin and user. I am unable to create an enterprise role with the same name. When I try to map the application role to the enterprise role, it is not displayed in the mapping window.
    The following log message
    Removing existing role admin
    creating new role admin.
    With this it is recreating the new role, and the role id changes whenever I restart my server and deploy the application.
    Thanks,
    Nitesh

  • Controlling user actions without ADF Security

    Hi!
    I have an application in which we use J2EE security, and therefore we have user accounts that can be managed by, in our case, the OID. We have not implemented ADF security yet, because that means we will have to import all kinds of permissions to a suitable place in the OID, and there is no time yet to investigate how to do that (especially how to migrate it to a node in the OID where we want the info, not the default way).
    Now I have a requirement to make a JSF screen with an input form read only, based on either a user role or a parameter being populated or not.
    I know that I can achieve this by modifying all ReadOnly and Disabled properties of the controls and put an EL expression in there, but I would rather do this on a higher level. Is it possible to make a whole iterator or form read-only with EL or using backing beans?
    Regards,
    Jeroen van Veldhuizen

    Jeroen,
    You could certainly write some code in a backing bean that would iterate over all the children of the form and set the property. Without using ADF security (which would let you do it on the iterator level - much preferred, but more work), I cannot think of another way other than setting readOnly/disabled on each individual control.
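    You can iterate over the children of a component using something like this:
        // target must be assigned the component (for example, the form) to walk
        UIComponent target;
        List children;
        int i, cnt;
        children = target.getChildren();
        cnt = target.getChildCount();
        for (i = 0; i < cnt; i++) {
          UIComponent child = (UIComponent) children.get(i);
          // do whatever here
        }
    Hope this helps,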
    John

  • I accessed the page protected by ADF security using direct url access attac

    hi,
    I played with my application which is based on SRDemo code (with added ADF security handling protection of resources) using direct url access scenarios. I was able to access a protected page as authenticated but not authorized user. I'll try to explain what I did.
    There are two folders/web resources in my application, faces/folderA/* and faces/folderB/*.
    roleA only is configured to access first web resource and the roleB is configured to access the second resource.
    I used ADF security to authorize only roleA for page in folderA and to authorize only roleB for page in folderB.
    I configured error pages in web.xml:
    <error-page>
    <error-code>400</error-code>
    <location>faces/error/error400.jspx</location>
    </error-page>
    <error-page>
    <error-code>401</error-code>
    <location>faces/error/error401.jspx</location>
    </error-page>
    <error-page>
    <error-code>403</error-code>
    <location>faces/error/error403.jspx</location>
    </error-page>
    <error-page>
    <error-code>404</error-code>
    <location>faces/error/error404.jspx</location>
    </error-page>
    <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>faces/error/error500.jspx</location>
    </error-page>
    Other config params are:
    <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
    <form-login-page>infrastructure/ABLogin.jspx</form-login-page>
    <form-error-page>faces/error/error401.jspx</form-error-page>
    </form-login-config>
    </login-config>
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>AB Prototype</web-resource-name>
    <url-pattern>faces/ABAbout.jspx</url-pattern>
    <url-pattern>faces/ABHelp.jspx</url-pattern>
    <url-pattern>faces/ABLogout.jspx</url-pattern>
    <url-pattern>faces/ABWelcome.jspx</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>A</role-name>
    <role-name>B</role-name>
    </auth-constraint>
    </security-constraint>
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>AZone</web-resource-name>
    <url-pattern>faces/folderA/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>A</role-name>
    </auth-constraint>
    </security-constraint>
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>BZone</web-resource-name>
    <url-pattern>faces/folderB/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>B</role-name>
    </auth-constraint>
    </security-constraint>
    <filter>
    <filter-name>adfBindings</filter-name>
    <filter-class>oracle.adf.model.servlet.ADFBindingFilter</filter-class>
    <init-param>
    <param-name>unauthorizedErrorPage</param-name>
    <param-value>faces/error/error401.jspx</param-value>
    </init-param>
    </filter>
    <filter>
    <filter-name>adfFaces</filter-name>
    <filter-class>oracle.adf.view.faces.webapp.AdfFacesFilter</filter-class>
    </filter>
    <filter-mapping>
    <filter-name>adfBindings</filter-name>
    <url-pattern>*.jsp</url-pattern>
    </filter-mapping>
    <filter-mapping>
    <filter-name>adfBindings</filter-name>
    <url-pattern>*.jspx</url-pattern>
    </filter-mapping>
    <filter-mapping>
    <filter-name>adfFaces</filter-name>
    <url-pattern>*.jsp</url-pattern>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>ERROR</dispatcher>
    </filter-mapping>
    <filter-mapping>
    <filter-name>adfFaces</filter-name>
    <url-pattern>*.jspx</url-pattern>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>ERROR</dispatcher>
    </filter-mapping>
    <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet>
    <servlet-name>resources</servlet-name>
    <servlet-class>oracle.adf.view.faces.webapp.ResourceServlet</servlet-class>
    </servlet>
    <servlet>
    <servlet-name>adfAuthentication</servlet-name>
    <servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
    <load-on-startup>2</load-on-startup>
    </servlet>
    <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>/faces/*</url-pattern>
    </servlet-mapping>
    Once I authenticated as user in roleA I was trying to directly access URLs accessible only by users in roleB. In the beginning everything worked OK: I was dispatched to error401.jspx page with message Not authorized... etc.
    But I kept trying to access different URLs, like http://localhost:8988/AB/faces, http://localhost:8988/AB/faces/folderB, http://localhost:8988/AB/faces/folderB/pageB.jspx, http://localhost:8988/AB
    (not necessarily in that order, I played for a couple of minutes and the system would always dispatch to the error401.jspx page on an unauthorized attempt. But all of a sudden, to my surprise, I got the pageB.jspx page while logged in as a user belonging to roleA!)
    Not sure how that happened but the connectedUser on pageB (#{userInfo.authenticated}) shows that I am logged in as user whose role is A.
    I checked Authorization in ADF security and it is still correct: pageB is only accessible to roleB and pageA is only accessible to roleA.
    I hope I made some stupid mistake in my configuration?

    Hi,
    ADF Security is JAAS permission based and not container managed. Note that unless you explicitly configured ADF Security you don't use ADF Security but container managed security, which is all that I can see in your configurations.
    Not sure which version of JDeveloper you use, but if you could change the following setting
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>AZone</web-resource-name>
    <url-pattern>faces/folderA/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>A</role-name>
    </auth-constraint>
    </security-constraint>
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>BZone</web-resource-name>
    <url-pattern>faces/folderB/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>B</role-name>
    </auth-constraint>
    </security-constraint>
    to contain jspx file references instead of wildcards like in faces/folderB/* then what you see should no longer be possible. There was a known issue with the security settings in SRDemo that was caused by a defect in OC4J container managed security. I would expect this issue to be fixed in a more recent version of OC4J.
    However, the work around until then is to protect all JSPX files in a directory instead of using wild card matches
    Frank
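
A defence-in-depth check for the folderA/folderB layout discussed in this thread, as an added example that is not part of the original posts, SRDemo or ADF: a servlet filter that re-checks the caller's role against the request path inside the application, so a miss in the container's wildcard matching does not expose the page. The class name `FolderRoleFilter`, the `/faces/*` filter mapping and the prefix-to-role table are assumptions derived from the poster's web.xml.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (hypothetical class). Assumed to be mapped to /faces/* in web.xml.
public class FolderRoleFilter implements Filter {

    // Path prefix -> required role, mirroring the poster's AZone/BZone constraints.
    private final Map<String, String> rules = new LinkedHashMap<String, String>();

    public void init(FilterConfig cfg) {
        rules.put("/faces/folderA/", "A");
        rules.put("/faces/folderB/", "B");
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        String path = pathOf(req);
        if (path == null) {
            // A ".." segment reached the application: refuse rather than guess.
            res.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        for (Map.Entry<String, String> rule : rules.entrySet()) {
            if (path.startsWith(rule.getKey()) && !req.isUserInRole(rule.getValue())) {
                // Authenticated but not in the required role: 403, not the page.
                res.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(request, response);
    }

    // Builds a canonical path that always ends in "/", so that /faces/folderB,
    // /faces/folderB/ and /faces//folderB/pageB.jspx all match the same prefix.
    static String pathOf(HttpServletRequest req) {
        String info = req.getPathInfo();
        String raw = req.getServletPath() + (info == null ? "" : info);
        StringBuilder out = new StringBuilder();
        for (String seg : raw.split("/")) {
            int semi = seg.indexOf(';');              // drop path parameters such as ;jsessionid=...
            if (semi >= 0) {
                seg = seg.substring(0, semi);
            }
            if (seg.length() == 0 || seg.equals(".")) {
                continue;                             // collapse "//" and "/./"
            }
            if (seg.equals("..")) {
                return null;
            }
            out.append('/').append(seg);
        }
        return out.append('/').toString();
    }

    public void destroy() { }
}
```

The filter complements the explicit per-page `url-pattern` entries Frank recommends; it does not replace the container constraints.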

  • Session expiration across different adf web applications

    Version of jdeveloper is 11.1.1.4.0. I have two adf jsf applications deployed in two different weblogic servers. Web application 1 navigates web application 2 in an external window or inline popup using a url view activity. I navigate from web application 1 to web application 2 without a problem. However when navigating back from web application 2 to web application 1 any action made in the ui of web app 1 throws an exception:
    javax.faces.application.ViewExpiredException: viewId:/main.jspx - ADF_FACES-30108:The view state of the page has expired because of inactivity. Reload the page.
    This problem does not occur when the 2 web applications are deployed in the same weblogic managed server. Is there any way to overcome this session inactivity issue.
    Thanks in advance

    You can set the session timeout in
    web.xml
    weblogic.xml
    weblogic-application.xml

  • Frank session expiration sample - Does it work with a Custom JAAS Module ?

    I configured the sample as described in "Detecting and handling user session expiry" - http://thepeninsulasedge.com/frank_nimphius/2007/08/22/adf-faces-detecting-and-handling-user-session-expiry/
    I also have a custom database JAAS login module as described in http://www.oracle.com/technology/products/jdev/howtos/1013/oc4jjaas/oc4j_jaas_login_module.htm
    Thing is that when the session expires (timeout) I am redirected to the Login.jsp page of the JAAS Login Module instead of the SessionHasExpired.jspx page.
    Is there any way to say that the filter should go before the JAAS module ?
    Am I missing something ?
    Thanks,
    Claudio.

    Claudio,
    no, unfortunately not. The servlet filter is executed after the container checked for user authentication. This is less of a problem for BASIC and certificate based authentication because in both cases users are authenticated automatically (even if using custom LoginModules) by the browser or certificate.
    Form based authentication is different because the browser doesn't re-establish the authentication and the container checks for security before the servlet is called.
    Frank

  • Process of login with ADF security

    Hi,
    I was looking at how to implement the process of Login with the ADF security using JDev 11g and I feel very good...
    My question is if it is possible to use this tool in case of use a container as Tomcat 6.x or JBoss. If it is possible to use ADF security for these containers, what should be configured to work?

    Hi,
    ok, I'd like to use authorization with ADF security, but as you say it is not possible in Tomcat. well, but could implement it, if there must be 3 users with different roles of the little system that I want to develop. Any idea?. There maybe a small example with user roles to use without authorization of ADF security?.

  • ADF Security Framework

    Hi,
    Has somebody successfully implemented ADF Security framework with LDAP provider?
    I followed this nice article by Frank http://www.oracle.com/technology/products/jdev/howtos/1013/adfsecurity/adfsecurity_10132.html
    and it works but is very slow - I must say I have maybe 100 VO attributes on the page, but waiting 3 minutes for the page to get rendered is too long. Maybe there is some bottleneck somewhere, so I am asking...
    thanks,
    Branislav

    Hi
    I have also used ADF security using LDAP with less VO's per page without any problems.
    I must tell you however that during development I use file based security and change it to LDAP later on during deployment on the application server (I use 10.1.3.1). If you combine this with SSO then you end up with a neat solution -- that in my case more or less works satisfactorily. :-)
    Thanassis

  • Migrating ADF Security from file-based provider to LDAP provider

    We have deployed a small application using ADF Security with file-based provider in OAS and it works fine.
    Now we want to migrate to ADF Security using LDAP provider.
    In order to make this possible we followed the next steps:
    - Migrate all the roles and policies from the file to OID with JAZNMigrationtool.
    - In OAS we've changed the Application Security Provider to 'Oracle Identity Management'.
    - Reset the OC4J instance.
    But there was no success, the application continues working with the file-based provider.
    What more is necessary to configure?

    Hi,
    if you use EM make sure you change the setting for the application, not the general OC4J setting.
    You can also deploy the provider settings with the orion-application.xml file added to your project
    Frank

  • How to handle session expiration in ATG

    Hi,
    We have a requirement wherein we have to redirect the user to a specific jsp when his session is expired. For example if a guest user is in cart page and is idle for more than 30 min he should be redirected to session expired page. We are using Apache web server and Jboss app server. Following are the ways i tried
    1. In Apache/conf/extra/httpd-vhosts.conf, I have set ErrorDocument 409 to session expired jsp - This is failed because jsp is not a static content and only static contents will be present in webserver. If it would have been a simple html (static) then this method would have worked fine I believe.
    2. In cart page I have set the sessionExpirationURL of cartformhandler to appropriate jsp, checkForValidSession to true, CheckSessionExpiration.expirationURL to same session expired jsp. I am not sure why this is not working.
    Please let me know the best way to handle this situation. Any suggestions would be appreciated.
    Regards,
    Avinash

    When user clicks any link on your page after session expired then you can redirect him to login page through your formhandler if a handleX() method was invoked by the request or you can use a filter which can check for something like profile.isTransient(). You can then redirect to the login page from your filter keeping a parameter of the original url to be used as login success url so that after login you can again redirect to the page that user originally intended to see.
    For detecting user idleness in browser, here is one of the possible approach using javascript by implementing a document level keyboard/mouse listener to detect user interaction in your page:
    <script type="text/javascript">
        var t;
        window.onload = resetTimer;
        document.onmousemove = resetTimer;
        document.onkeypress = resetTimer;
        // Called when no mouse or keyboard activity was seen for the whole timeout period
        function handleIdleTimedOut() {
            //alert("You are now logged out.");
            window.location.href = 'logout.jsp';
        }
        // Restart the idle countdown on every user interaction
        function resetTimer() {
            clearTimeout(t);
            var timeoutPeriod = 1000 * 60 * 5;  //5 minutes
            t = setTimeout(handleIdleTimedOut, timeoutPeriod);
        }
    </script>
    Apart from this, you may also want to take a look at reverse ajax to send the timed out kind of notification to the browser with the help of a HttpSessionListener:
    http://directwebremoting.org/dwr/documentation/reverse-ajax/index.html
    Hope this helps.
    Edited by: Nitin Khare on Aug 23, 2012 12:15 AM

  • BIP event trigger throwing session expired error!

    Hi,
    I am trying to have some event triggers in my data model, but as soon as i click on the UpdateDefaultPackage button the box throws session expired error.
    I am using Firefox for development, and when i do the same in IE the function list doesn't get populated.
    Give me some suggestions.
    Thanks and Regards
    Prakhar

    Check your browser settings for accepting cookies from this domain, you must have tried this by now clearing all your browser cache and cookies.
    try solutions beacon site where they have Oracle Apps Demo Instances for Public
    http://www.solutionbeacon.com/tools_vision.htm

  • ADF Security Design Question

    Hi All,
    I am developing an ADF web application. The security design is such that user authentication is mapped to database users. The design I see several pros and cons
    1) Different database users means I cannot take advantage of connection pooling.
    2) The architect argues SQL querying can be controlled at database level for each user.
    I have never been involved in such a web application. Can anybody please guide me if this is the way to go for ADF web application, any other pros and cons. The database is Oracle 11g. I still believe that application security should not be tied to the database security.
    Worst case if I have to go with this design, How to implement ADF security using database users.
    Thanks

    I blogged a use case for using Proxy Authentication with JPA here http://blogs.oracle.com/olaf/2010/04/using_oracle_proxy_authenticat.html. (Being a sample it includes a setter for user name, but a case with a JAAS Subject and Principal is easily adaptable).
    I'll dig out an ADF BC example and blog about it, too.
    --olaf

  • PROBLEM USING FILTER TO KNOW SESSION EXPIRATION

    Hi, I'm using a filter to know when the session expires but it appears not to work, so I am a bit confused because the filter always executes well, but when the session gets the timeout and the user sends a request it isn't executed; the server redirects the user to the login page.
    I am not sure about it, but is it possible that the reason why the filter is not executed is because I am using the apache form-authentication????
    filter's code:
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req;
        RequestDispatcher disp;
        HttpServletResponse res;
        boolean userInSession;
        String forward = getConfig().getInitParameter("sessionClosed");
        req = (HttpServletRequest) request;
        res = (HttpServletResponse) response;
        System.out.println("InFilter");
        userInSession = req.getUserPrincipal() != null;
        if (userInSession) {
            chain.doFilter(request, response);
            // The session may have been invalidated further down the chain, so guard against null
            HttpSession session = req.getSession(false);
            if (session != null) {
                System.out.println("Session: " + session.getId());
                System.out.println("Session: " + session.getMaxInactiveInterval());
                System.out.println("getSessionTime: " + session.getCreationTime());
            }
        } else {
            disp = req.getRequestDispatcher(forward);
            disp.forward(request, response);
            // The response is committed once forward() returns, so a redirect here
            // would throw IllegalStateException; left commented out.
            // res.sendRedirect("http://www.google.com");
        }
        System.out.println("outFilter");
    }
    Thanks
    CERR

    Hi Robert,
    thanks very much for your pointers on the AuthFilter class.. will try that out.
    Robert Greig <[email protected]> wrote:
    Stephen wrote:
    I am using WLS 6.1 and tried using a custom filter to intercept the authentication request submitted from a FORM BASE jsp (using the j_security_check form). However, no matter what I've tried, it is always the authentication part that gets executed before the filter.
    Any idea how could I intercept the request before the j_security_check servlet calls the security provider for authentication?

    There is a (now deprecated) class weblogic.servlet.security.AuthFilter. I haven't used it because it is deprecated but I think it does what you're after.
    In my apps, I make the FORM auth submit to my own servlet which can then do what j_security_check does (most although not all is accessible through public APIs).
    Robert
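
The request-time check that the filter threads on this page are after (the opening question, Claudio's question about the session-expiry sample, and the filter posted above), as an added example that is not code from any poster or from ADF: the request carries a session id for which the container no longer holds a live session. `SessionExpiryFilter` and the `expiredPage` init parameter are hypothetical names. As Frank's reply to Claudio states, with FORM authentication the container checks authentication before any filter runs, so this only fires on URLs the container lets through.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (hypothetical class and init-param name).
public class SessionExpiryFilter implements Filter {

    // Context-relative path of the "session expired" page, e.g. /SessionHasExpired.jspx
    private String expiredPage;

    public void init(FilterConfig cfg) throws ServletException {
        expiredPage = cfg.getInitParameter("expiredPage");
        if (expiredPage == null || !expiredPage.startsWith("/")) {
            throw new ServletException("expiredPage must be a context-relative path");
        }
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        if (isExpired(req) && !isExpiredPage(req)) {
            // Do not create a session here and do not process the request:
            // any state it relied on is gone with the old session.
            res.sendRedirect(req.getContextPath() + expiredPage);
            return;
        }
        chain.doFilter(request, response);
    }

    // True when the browser presented a session id that is no longer valid.
    // Unlike getUserPrincipal() == null, this separates "session timed out"
    // from "never logged in" (no id presented at all).
    static boolean isExpired(HttpServletRequest req) {
        return req.getRequestedSessionId() != null && !req.isRequestedSessionIdValid();
    }

    // Loop guard: the expired page itself is requested with the stale cookie.
    private boolean isExpiredPage(HttpServletRequest req) {
        String uri = req.getRequestURI();
        int semi = uri.indexOf(';');                  // drop ;jsessionid=... if present
        if (semi >= 0) {
            uri = uri.substring(0, semi);
        }
        return uri.equals(req.getContextPath() + expiredPage);
    }

    public void destroy() { }
}
```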

  • Jdev 10.1.3.1 "ADF Security": Application without a custom login page?

    Hi,
    We are trying to develop an application using "ADF security", which means we can give permissions to certain roles based on "Binding Container", "Iterator Binding", "Method Action Binding" and "Attribute-level Binding".
    After reading the document -- "Oracle® Containers for J2EE Security Guide 10g (10.1.3.1.0) B28957-01" that Frank pointed out. We have a question:
    Can we develop an ADF application without creating a custom login page? Right now we've followed the security guide and modified the configuration files. But when we run the application, we get the "user null" error message. The reason is clear because we do not have a login page. On the security guide, it says that it is possible to use the oracle default login module. But it does not say how. Does anyone have any idea?
    Thanks,
    Annie

    Brenden,
    Thank you so much for the reply. This is our code in the web.xml:
    <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>default</realm-name>
    </login-config>
    We are using HTTP basic Authentication. This technique worked for the container-managed security. The browser default login page pops up when the end users try to log into a secured JSP. But here we want to use "ADF security" to set up "Iterator binding" and "Attribute level binding" security. The browser default login page does NOT show up. Instead we get the "user null" error message.
    If you have detailed step on how to select HTTP Basic Authentication, it would be very helpful to us. Or if you know any document has the detail.
    regards,
    Annie
