Want to set up supervisor-based security profile in comp workbench (critical)

We are trying to set up a security profile based on supervisor hierarchy for the CWB switch manager function, but it does not seem to work.
We want HR managers to switch to any managers within their security profile to allocate compensation on behalf of managers. But the HR
managers should have exactly the same access as the managers they are switching
to. For this reason I have created some custom responsibilities and assigned them
to HR managers with the security profile setup, but I might be making a mistake
in creating a security profile that doesn't seem to work.
Please help me on this issue because this issue is of very high importance to us.

Similar Messages

  • Role based security setup in jsf

    hi all,
    can anyone write me the procedure how to set up role based security, that is, when a user logs in to my page, a menu will be created that I have set for that user in the database.
    I also need to know the process, how to set the role in the database....
    Thank you

    I want to put all information, including user access
    role, in the database.
    please tell me how to do this..
    Thank you

    1. create a table called USERS.
    2. create columns in this database that include but are not limited to, USERNAME, ROLE.
    3. Populate the table.
    4. When a user logs in, query the table.
    5. Direct the user to the appropriate JSP based on the role using RequestDispatcher's facilities.
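
The five steps above, sketched as an added example (not part of the original thread): it is written in Python with sqlite3 so it runs stand-alone, whereas in the JSP application the lookup would be a JDBC PreparedStatement and the returned path would be handed to RequestDispatcher. The role names, JSP paths and sample users are constructed, and the per-request check in `may_access` goes one step beyond the answer, because forwarding to a page at login does not by itself stop a user from requesting another role's page.

```python
import posixpath
import sqlite3

# Constructed sample data: usernames and roles are illustrative only.
SAMPLE_USERS = [
    ("alice", "ADMIN"),
    ("bob", "CLERK"),
    ("carol", "AUDITOR"),  # a role that has no page mapped to it
]

# Allow-list kept on the server: role -> (landing JSP, menu entries).
# Paths and menu labels are hypothetical.
ROLE_VIEWS = {
    "ADMIN": ("/admin/home.jsp", ["Users", "Reports", "Settings"]),
    "CLERK": ("/clerk/home.jsp", ["Orders"]),
}
# Default deny: unknown users and unmapped roles land here with an empty menu.
DENY_VIEW = ("/accessDenied.jsp", [])


def build_db():
    """Steps 1-3: create the USERS table and populate it."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE USERS (USERNAME TEXT PRIMARY KEY, ROLE TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO USERS (USERNAME, ROLE) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def role_for(conn, username):
    """Step 4: look the role up with a bound parameter, never by
    concatenating the submitted username into the SQL text."""
    row = conn.execute(
        "SELECT ROLE FROM USERS WHERE USERNAME = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def view_for(conn, username):
    """Step 5: pick the landing page and menu from the allow-list.
    The target is derived from the stored role only, not from a request
    parameter, so a client cannot choose its own destination."""
    return ROLE_VIEWS.get(role_for(conn, username), DENY_VIEW)


def may_access(conn, username, requested_path):
    """Per-request check: the role is looked up again and the normalised
    path must sit under that role's folder."""
    landing, _menu = view_for(conn, username)
    if landing == DENY_VIEW[0]:
        return False
    role_folder = posixpath.dirname(landing) + "/"
    return posixpath.normpath(requested_path).startswith(role_folder)


if __name__ == "__main__":
    db = build_db()
    for name in ("alice", "bob", "carol", "mallory"):
        print(name, view_for(db, name))
    print(may_access(db, "bob", "/clerk/../admin/home.jsp"))
```
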

  • Item based security on List

    Hi,
    I have a list with 3 columns
    Column Name| Column Type
    Employee | Person/Group
    First Name | Single Line Text
    Last Name | Single Line Text
    As the Employee column is of type "Person/Group", I want to apply item based security on this list. For example if Person A is logged in, he MUST NOT be able to update record of others, But yes, he should have rights to update his own Row (Item).
    Please let me know how can i achieve such item based security in list ?

    Hi,
    From your description, I know you want to restrict users to edit items when he is the owner of current item.
    You can try these codes below:
    using System;
    using System.ComponentModel;
    using System.Web;
    using System.Web.UI;
    using System.Web.UI.WebControls;
    using System.Web.UI.WebControls.WebParts;
    using Microsoft.SharePoint;
    using Microsoft.SharePoint.WebControls;

    namespace VisualWebPartProject1.VisualWebPart1
    {
        [ToolboxItemAttribute(false)]
        public partial class VisualWebPart1 : WebPart
        {
            // Uncomment the following SecurityPermission attribute only when doing Performance Profiling using
            // the Instrumentation method, and then remove the SecurityPermission attribute when the code is ready
            // for production. Because the SecurityPermission attribute bypasses the security check for callers of
            // your constructor, it's not recommended for production purposes.
            // [System.Security.Permissions.SecurityPermission(System.Security.Permissions.SecurityAction.Assert, UnmanagedCode = true)]
            public VisualWebPart1()
            {
            }

            protected override void OnInit(EventArgs e)
            {
                base.OnInit(e);
                InitializeControl();
            }

            protected void Page_Load(object sender, EventArgs e)
            {
                SPSecurity.RunWithElevatedPrivileges(delegate()
                {
                    SPWeb currentWeb = SPContext.Current.Web;
                    String currentUserName = currentWeb.CurrentUser.LoginName;
                    // dispose the elevated site and web objects when done
                    using (SPSite site = new SPSite("http://sp/sites/sharepoint2013"))
                    using (SPWeb web = site.OpenWeb())
                    {
                        SPList list = web.Lists["ListA"];
                        web.AllowUnsafeUpdates = true;
                        foreach (SPListItem item in list.Items)
                        {
                            string username = GetUser(item, item.Fields["Employee"]).LoginName;
                            //break from parent permissions
                            item.BreakRoleInheritance(false);
                            //delete any existing permissions in the
                            //case that this is an update to an item
                            SPRoleAssignmentCollection currentRoles = item.RoleAssignments;
                            foreach (SPRoleAssignment role in currentRoles)
                            {
                                role.RoleDefinitionBindings.RemoveAll();
                                role.Update();
                            }
                            if (username.Equals(currentUserName))
                            {
                                //create "contributor" role
                                SPRoleDefinition roleDef = web.RoleDefinitions.GetByType(SPRoleType.Contributor);
                                SPRoleAssignment roleAssignment =
                                    new SPRoleAssignment(
                                        currentUserName,
                                        string.Empty,
                                        string.Empty,
                                        string.Empty);
                                roleAssignment.RoleDefinitionBindings.Add(roleDef);
                                //update list item with new assignment
                                currentRoles.Add(roleAssignment);
                                item.SystemUpdate();
                            }
                            else
                            {
                                //create "reader" role
                                SPRoleDefinition roleDef = web.RoleDefinitions.GetByType(SPRoleType.Reader);
                                SPRoleAssignment roleAssignment =
                                    new SPRoleAssignment(
                                        currentUserName,
                                        string.Empty,
                                        string.Empty,
                                        string.Empty);
                                roleAssignment.RoleDefinitionBindings.Add(roleDef);
                                //update list item with new assignment
                                currentRoles.Add(roleAssignment);
                                item.SystemUpdate();
                            }
                        }
                    }
                });
            }

            // Resolve the user stored in the item's Person/Group column
            private SPUser GetUser(SPListItem item, SPField userField)
            {
                string currentValue = item[userField.Title].ToString();
                SPFieldUser field = (SPFieldUser)userField;
                SPFieldUserValue fieldValue = (SPFieldUserValue)field.GetFieldValue(currentValue);
                return fieldValue.User;
            }
        }
    }
    The screenshot below is my result:
    Vincent Han
    TechNet Community Support

  • Restricted Access in Compensation Workbench based on Security Profile

    Customer does not want the HR Professional to access other teams' data even when using Switch Manager in the below scenario.
    1) 2 CWB Plans (CWB Plan for A, CWB Plan for B) are built based on Supervisor Hierarchy. Each of the CWB plans is for a set of organisations, e.g. a plan for Organisation 'A' and another for Organisation 'B'.
    2) HR Professionals have a security Profile which restricts them to view employees in either 'A' or 'B' organisation.
    3) Switch Manager is enabled for the 'Compensation Workbench Administrator'
    4) There exists a common manager who manages people from 'A' and from 'B'
    5) When HR Professional (who is in the A organisation) switches as the Manager in point (4), he gets to see the details of the 'CWB Plan for B' along with the 'CWB Plan for A' even though the people in the B plan are not part of the HR Professional's security Profile

    Hi,
    Thanks a lot. It's working fine.
    Can we configure DCL Relation two times in one information field ??? i should not create not more than fields to this requirement.
    Type -> subtype = DCL already existed
    Now, i want to Create DCL to
    Subtype ---> Security group
    As per my requirement, if i change the security group in checkin form, values should be change in the SubType drop down list.
    Created checkin profile there was DCL relation to " Type and "Sub Type" . now i want to map Relation ( DCL ) for subtype to security group.
    i was trying do for DCL for subtype and security group. but there was already existing DCL created for subtype information field (Relation configuration done for content type). even though i was trying to do for DCL in Security group information field. but, i could not find security group information field in configuration manager.
    Now what should i do ?? how to create DCL to subtype and security group ??
    Help would be appreciated.
    yt

  • Create security profile based on different payroll

    We have two payrolls, and I want to assign different responsibilities based on the two payrolls. I tried to do that by creating a new security profile but it is not working. Can anybody tell me in detail what steps to do, please..

    tvikramsingh,
    Just want to confirm here --- I thought the check to see if multiple security groups is enabled is to go to US Super HRMS Manager => Security => Assign Security Profiles. If that window opens up, that means security groups are enabled.
    Plus in our instance we don't have Security List Maintenance scheduled, which adds to my confusion....
    Can someone clarify?
    Thanks

  • Urgent!! How to make Security Profile Based on Payrolls???

    Dear Everyone,
    I am facing this urgent case which is:
    * My company have 2 payrolls, they need to make security based on payrolls, and the case is our HR team can access all employees data including elements except managers elements or managers data at all ( so they cant find them while querying on them from people enter and maintain window)
    * I tried to make a separate payroll for managers (third payroll) and then making security profile includes all payrolls so they can access all payrolls element and data, then I make another security profile with the original 2 payrolls for other HR team so they can access employees assigned to these payrolls only, but I had to choose which is restricted ( employees or contingent workers or applicants or contacts), I tried to restrict employees in both security options, then I assigned the first security profile which includes the 3 payrolls to their responsibility in profile options, also did that with the second security profile and assigned to the profile option for the responsibility of HR team.
    after choosing restrict employees in security profiles, in both responsibilities I cant find any employees( because I restricted them).
    Please tell me how to make some of the top management cannot be find within search in people enter and maintain, only top management responsibilities can access all employees data and information.
    thanks for your time
    Mohamed Mannaa

    to use custom you can write something like
    ASSIGNMENT.grade_id in (select g.grade_id
                            from per_grade_definitions gd,
                                 per_grades g
                            where g.grade_definition_id = gd.grade_definition_id (+)
                            and gd.segment1 <= 12)
    this is showing all employees having grade less than or equal to 12; you can use any other criteria based on your needs.

  • Security Profile not taking effect.

    Hi,
    I created a new responsibility which is pretty much a cut down version of Oracle standard 'Manager Self Service' responsibility.
    I have created a new security profile which I want to restrict the list of employees to a particular person, i.e. 'John Smith'. The user of this responsibility should only be able to process manager self service functions for John Smith.
    I have then attached the security profile to the responsibility and bounced Apache. But after testing the responsibility it is producing the list of employees who the user is supervisor of. I don't want it to list the user's employees, I want it to bring up just John Smith.
    Please, what am I missing? Why is it based on supervisor hierarchy and not my security profile?
    Regards
    TL

    Vignesh,
    What I  am saying is when I create security profile and attach it to the responsibility my security changes is not reflecting at all. The responsibility I created is similar to seeded 'Manager Self Service'.The list of employees it shows on self service is based on supervisor hierarchy.I want to know how it knows to produce employees using supervisor hierarchy and why its not producing the list of employees as defined in the security profile.
    I have even made a change to another security profile, by changing the top organisation. After I assign this security profile to the seeded 'HR Profession V4' responsibility it doesn't reflect the change. This responsibility is still able to see everyone in the business and not restricting it to the top organisation.
    Is there a step I'm missing? Is there a menu function that is overriding my security profile?
    Regards
    TL

  • How to restrict employees from accessing managers data using custom security profile

    Hi,
    I am using custom security profile for restricting the employees from accessing supervisors details(PG.SEGMENT2=4). I have written the custom code as below :
    Responsibility :US Super HRMS Manager
    ASSIGNMENT.PERSON_ID IN
      (SELECT PAF.PERSON_ID
       FROM PER_ALL_PEOPLE_F PAF,
            PER_ALL_ASSIGNMENTS_F PF,
            PAY_PEOPLE_GROUPS PG,
            PER_PERSON_TYPE_USAGES_F PPU,
            FND_USER FNU
       WHERE PAF.PERSON_ID = PF.PERSON_ID
       AND :EFFECTIVE_DATE BETWEEN PAF.EFFECTIVE_START_DATE AND PAF.EFFECTIVE_END_DATE
       AND PF.PEOPLE_GROUP_ID = PG.PEOPLE_GROUP_ID
       AND :EFFECTIVE_DATE BETWEEN PF.EFFECTIVE_START_DATE AND PF.EFFECTIVE_END_DATE
       AND PPU.PERSON_ID = PAF.PERSON_ID
       AND PPU.PERSON_ID = PF.PERSON_ID
       AND :EFFECTIVE_DATE BETWEEN PPU.EFFECTIVE_START_DATE AND PPU.EFFECTIVE_END_DATE
       AND PAF.PERSON_ID = FNU.EMPLOYEE_ID
       AND PAF.PERSON_TYPE_ID = 2
       AND PPU.PERSON_TYPE_ID IN (2, 62)
       AND PAF.PERSON_ID = FND_PROFILE.VALUE('user_id')
       AND PG.SEGMENT2 = 8)
    and using "restrict the people visible to each other using this profile".
    I have assigned the security profile to HR user responsibility
    But when I query the supervisor name in HR User responsibility, it is not restricting me from viewing supervisor details.
    When I query for the first time, it's restricting me from viewing others' details, but when I close that, click on the torch button and try searching, it's allowing me to access the manager's details.
    Can anyone please let me know what setups need to be done for restricting employees from viewing supervisors' data.
    I have gone through the document "Understanding and Using HRMS Security in Oracle HRMS" but didn't get any idea.
    Please suggest.
    Thanks & Regards,
    Anusha.

    Hi All ,
    i solved the problem by using event 01 of header view and using the table "Extract" .
    Regards,
    Neha

  • R12 Security Profiles

    Hi- novice here. I do this: select security_profile_id, security_profile_name
    from per_security_profiles
    If I do the above query, I get values like:
    1508 SECCPF5O
    1509 SECCPF5P
    1510 SECCPF5R
    1511 SECCPF5T
    1512 SECCPF5V
    1513 SECCPF5W
    1514 SECCPF5X
    These are security profile names. My client uses these to decide what data a user can see when they log in. What the custom code is doing is comparing that security profile name (formerly secure_oracle_username in 10.7) with the user that is logged in and lets the user see specific data based on this.
    The thing is, user names are not the above SECC% name. I need to know where in the database (tables or forms) I can find the relation between who is logged in (user name) and the security profile for each. Is there a table to correlate the two? I assume all users have a security profile attached to them, correct? Is there a form I can navigate to in order to see/assign this? If so, I can examine that form and find the tables.
    Thanks in advance for your input.

    Pl post details of OS, database and EBS versions.
    Pl see if these MOS Docs can help
    Understanding and Using HRMS Security in Oracle HRMS (Doc ID 394083.1)
    Secure Users Functionality in Release 11 (Doc ID 50850.1)
    You Have Installed, Now Before You Setup, Read This! - HR Shared (Doc ID 116376.1)
    More information is in the "Oracle HRMS Configuring, Reporting, and System Administration Guide" for your release at http://www.oracle.com/technetwork/documentation/applications-167706.html
    HTH
    Srini

  • SAP PP: Security Profiles

    Hi All
    I want to find the PP relevant security profiles & the transactions associated with it..Kindly help in finding this.
    Thanks
    Tom

    Hi Mario,
    Let me try to break this down some more.
    The coverage profile is determining 30 days based on an average daily requirement of the forecast of a 3 month period.
    For example, April 20000, May 1000, June 1000.
    Let's assume 30 days in a month.  (20000 + 1000 + 1000) / 90 = 22000/90= 244.4 * 30days = 7333.
    So, In week 3 of April, purchases are being suggested to maintain 7333.
    I want the calculation to read more like 1 week in April remaining (20000/30 =666 a day * 7= 4666) + (1000/30=33.3*23=766)....so 30 days is really 4666+766= 5432.
    Is this possible?
    -Tim

  • How to make Custom Discoverer workbook use Custom Security profile of Apps

    We use Discoverer in Oracle Apps setup. We have added Custom security in our HR People Form of Apps.
    This Custom Security restricts one HR Employee from viewing other HR employees' records except for himself/herself, while also maintaining that they should be able to view all other employees' records.
    The following code was put under the Security Profile Form -- > Custom Security Tab
    exists (select 1
    from per_jobs b
    where ASSIGNMENT.job_id = b.job_id
    and (b.name not like '%HR%')
    and (b.name not like '%Human%')
    and ASSIGNMENT.assignment_number is not null
    union
    select 1
    from fnd_user fu
    where fu.user_name = fnd_global.user_name
    and fu.employee_id = PERSON.person_id
    and ASSIGNMENT.assignment_number is not null)
    Above security profile works fine for HR People Form.
    However, It does not work for our Discoverer Workbooks. I found a note on Metalink 422841.1 which talks about leveraging the Custom Security of Apps in Discoverer Report. I read it, but did not get much clue.
    Can Anyone help.
    Thanks

    Hi,
    If you want to use custom HR security with Discoverer you have to ensure that the correct security filters are applied when the Discoverer reports are run. These filters can use the supplied HR_SECURITY package or you can develop your own conditions using table lookups or functions. To get the filters applied to your reports you have a number of options:
    1. Build the security into custom folders using additional conditions
    2. Use custom database views in Discoverer and build the security into the views
    3. Use mandatory conditions in your Discoverer folders using either a function call or database contexts set at login time
    4. Use VPD (Virtual Private Database)
    I am not sure which of these options you are using to implement your HR security in Discoverer. The last option, VPD, is the most flexible and can give the best performance but maybe it is more complex to set up.
    Rod West

  • Security Profile Not Working

    Hi,
    I want to restrict persons records based on their assignment - organizations.
    Approach 1:
    For this I have created a new custom security profile in Organization Security tab
    Security Type : Secure organizations by organization hierarchy and / or org list
    Organization Hierarchy : <gave our primary reporting here>
    selected radio button - use the org on the user's assignments as the top org
    In the next block under organization name, gave org 1 and selected Include radio button and next 5 orgs (org 2 to org 6 ) and chose Exclude radio button (Classification column left blank for all orgs).
    Assigned this Security profile to responsibility (for HR:Security profile)
    When I login to this responsibility and query in enter & maintain form, I am able to see all persons belonging to org 2 to org 6; my expectation is I should see only those persons whose assignment has org 1;
    Approach 2:
    I have created one more new security profile (in the custom security tab); selected Restrict the people visible to this profile , and gave in command box
    ASSIGNMENT.organization_id = 100 (org id 100 is for Org 1)
    and assigned this to responsibility; when I login to this resp, my expectation is it will show only persons whose assignments have org 1. But it shows all other persons, whose assignments have different orgs (org 2 to org 6)
    In both the above two approaches, I am not getting what I am looking for.
    I have even run the Security List Maintenance program also
    Am I doing something wrong? Please help on this.
    We are on 11.5.10
    Thanks!!

    Hi
    Is this still a problem or has Gaurav sorted it out for you? His explanation looks like it will solve the problem, but there might also be a problem in the coding of the custom code. You should be able to achieve what you want without the custom code, by using the organisation tab instead.
    Regards
    Tim

  • RBAC / Role Based Security Set Up in R12

    We are working with a 3rd party consulting organization to implement Role Based Access Control in E-Business Suite R12. We have approximately 50 users with 35 responsibilities today and are currently in the process of designing our role based security set up. In advance of this the consulting company has provided us with effort estimates to cut over from the current responsibility structure to RBAC. We are told this must be done while all users are off the system. The downtime impact to the business is very high, especially considering our small user base.
    With RBAC cutover downtime estimates such as these I can't understand how any company larger than ours could go live with it?
    Does anyone have previous Role Based Access Control implementation experience in EBS R11i or R12 and could provide some insight on their experience and recommendations, best practice for cutover to mitigate impacts to the business as we cannot accept the 90 hours of downtime outlined by the consulting company below?
    Disable users old assignments:
    *12.00 hours*
    Disable Responsibilities targeted for the elimination:
    *12.00 hours*
    Disable Responsibilities targeted for the elimination:
    *16.00 hours*
    Setup OUM options and profiles:
    *6.00 hours*
    Setup Roles and Hierarchies:
    *14.00 hours*
    Grant Permissions:
    *12.00 hours*
    Setup Functional Security and disable the obsolete responsibilities:
    *12.00 hours*
    Setup Data Security and disable the obsolete data accesses:
    *6.00 hours*
    Total *90 hours*
    Note - all activities must be performed sequentially*
    Any advice or experiences you could share would be extremely valuable for us. Thank you for taking the time advance to review & respond.

    On Srini`s comments "Creating Roles.. will have to be done manually "... I would like to know will the same approach be followed for PRODUCTION instance also. Say if we need to create 35 responsibilities and 50 roles so should this be done manually in PRODUCTION.
    I have not worked on this but I know that in my previous company this was done using scripts. Need to find more on this.

  • Override Security Profile for one employee

    Hi
    I have one employee who works in 'Accounts Department' and the HR user of accounts department can see only the employees of Accounts Department based on the security profile. This is working fine. But theres a different requirement. Some employees are transferred to other departments for 3-6 months for different purposes. During this time also the HR user of accounts department needs to view this employees details due to HR policies and procedures. Can we achieve this? If yes, how?
    - Gulzar

    Q 1 - When Employee is transferred from Dept 1 to Dept 2 for 6 months, Should the HR for both Dept 1 and Dept 2 be able to see his details for 6 months?
    Q 2 - After 6 months period, employee's organization is again updated to Dept 1, should again HRs of both Dept 1 and Dept 2 be able to see his details even after the 6 months period?
    Q 3 - If answer for Q 2 is - "after 6 months period, only HR of Dept 1 should see his details" , how to identify Employee's home department? Will it be the Employee's Organization effective as of Employee's hire date?

  • Using container managed form-based security in JSF

    h1. Using container managed, form-based security in a JSF web app.
    A Practical Solution
    h2. {color:#993300}*But first, some background on the problem*{color}
    The Form components available in JSF will not let you specify the target action, everything is a post-back. When using container security, however, you have to specifically submit to the magic action j_security_check to trigger authentication. This means that the only way to do this in a JSF page is to use an HTML form tag enclosed in verbatim tags. This has the side effect that the post is not handled by JSF at all meaning you can't take advantage of normal JSF functionality such as validators, plus you have a horrible chimera of a page containing both markup and components. This screws up things like skinning. ([credit to Duncan Mills in this 2 years old article|http://groundside.com/blog/DuncanMills.php?title=j2ee_security_a_jsf_based_login_form&more=1&c=1&tb=1&pb=1]).
    In this solution, I will use a pure JSF page as the login page that the end user interacts with. This page will simply gather the input for the username and password and pass that on to a plain old jsp proxy to do the actual submit. This will avoid the whole problem of having to use verbatim tags or a mixture of JSF and JSP in the user view.
    h2. {color:#993300}*Step 1: Configure the Security Realm in the Web App Container*{color}
    What is a container? A container is basically a security framework that is implemented directly by whatever app server you are running, in my case Glassfish v2ur2 that comes with Netbeans 6.1. Your container can have multiple security realms. Each realm manages a definition of the security "*principals*" that are defined to interact with your application. A security principal is basically just a user of the system that is defined by three fields:
    - Username
    - Group
    - Password
    The security realm can be set up to authenticate using a simple file, or through JDBC, or LDAP, and more. In my case, I am using a "file" based realm. The users are statically defined directly through the app server interface. Here's how to do it (on Glassfish):
    1. Start up your app server and log into the admin interface (http://localhost:4848)
    2. Drill down into Configuration > Security > Realms.
    3. Here you will see the default realms defined on the server. Drill down into the file realm.
    4. There is no need to change any of the default settings. Click the Manage Users button.
    5. Create a new user by entering username/password.
    Note: If you enter a group name then you will be able to define permissions based on group in your app, which is much more useful in a real app.
    I entered a group named "Users" since my app will only have one set of permissions and all users should be authenticated and treated the same.
    That way I will be able to set permissions to resources for the "Users" group that will apply to all users that have this group assigned.
    TIP: After you get everything working, you can hook it all up to JDBC instead of "file" so that you can manage your users in a database.
    h2. {color:#993300}*Step 2: Create the project*{color}
    Since I'm a newbie to JSF, I am using Netbeans 6.1 so that I can play around with all of the fancy Visual Web JavaServer Faces components and the visual designer.
    1. Start by creating a new Visual Web JSF project.
    2. Next, create a new subfolder under your web root called "secure". This is the folder that we will define a Security Constraint for in a later step, so that any user trying to access any page in this folder will be redirected to a login page to sign in, if they haven't already.
    h2. {color:#993300}*Step 3: Create the JSF and JSP files*{color}
    In my very simple project I have 3 pages set up. Create the following files using the default templates in Netbeans 6.1:
    1. login.jsp (A Visual Web JSF file)
    2. loginproxy.jspx (A plain JSPX file)
    3. secure/securepage.jsp (A Visual Web JSF file... Note that it is in the sub-folder named secure)
    Code follows for each of the files:
    h3. {color:#ff6600}*First we need to add a navigation rule to faces-config.xml:*{color}
        <navigation-rule>
            <from-view-id>/login.jsp</from-view-id>
            <navigation-case>
                <from-outcome>loginproxy</from-outcome>
                <to-view-id>/loginproxy.jspx</to-view-id>
            </navigation-case>
        </navigation-rule>
    NOTE: This navigation rule simply forwards the request to loginproxy.jspx whenever the user clicks the submit button. The button1_action() method below returns the "loginproxy" case to make this happen.
    h3. {color:#ff6600}*login.jsp -- A very simple Visual Web JSF file with two input fields and a button:*{color}
    <?xml version="1.0" encoding="UTF-8"?>
    <jsp:root version="2.1"
    xmlns:f="http://java.sun.com/jsf/core"
    xmlns:h="http://java.sun.com/jsf/html"
    xmlns:jsp="http://java.sun.com/JSP/Page"
    xmlns:webuijsf="http://www.sun.com/webui/webuijsf">
        <jsp:directive.page
    contentType="text/html;charset=UTF-8"
    pageEncoding="UTF-8"/>
        <f:view>
            <webuijsf:page
    id="page1">
    <webuijsf:html id="html1">
    <webuijsf:head id="head1">
    <webuijsf:link id="link1"
    url="/resources/stylesheet.css"/>
    </webuijsf:head>
    <webuijsf:body id="body1" style="-rave-layout: grid">
    <webuijsf:form id="form1">
    <webuijsf:textField binding="#{login.username}"
    id="username" style="position: absolute; left: 216px; top:
    96px"/>
    <webuijsf:passwordField binding="#{login.password}" id="password"
    style="left: 216px; top: 144px; position: absolute"/>
    <webuijsf:button actionExpression="#{login.button1_action}"
    id="button1" style="position: absolute; left: 216px; top:
    216px" text="GO"/>
    </webuijsf:form>
    </webuijsf:body>
    </webuijsf:html>
            </webuijsf:page>
        </f:view>
    </jsp:root>
    h3. *login.java -- implement the button1_action() method in the login.java backing bean*
        public String button1_action() {
            setValue("#{requestScope.username}", (String)username.getValue());
            setValue("#{requestScope.password}", (String)password.getValue());
            return "loginproxy";
        }
    h3. {color:#ff6600}*loginproxy.jspx -- a login proxy that the user never sees. The onload="document.forms[0].submit()" automatically submits the form as soon as it is rendered in the browser.*{color}
    {code}
    <?xml version="1.0" encoding="UTF-8"?>
    <jsp:root xmlns:jsp="http://java.sun.com/JSP/Page"
    version="2.0">
    <jsp:output omit-xml-declaration="true" doctype-root-element="HTML"
    doctype-system="http://www.w3.org/TR/html4/loose.dtd"
    doctype-public="-//W3C//DTD HTML 4.01 Transitional//EN"/>
    <jsp:directive.page contentType="text/html"
    pageEncoding="UTF-8"/>
    <html>
    <head> <meta
    http-equiv="Content-Type" content="text/html;
    charset=UTF-8"/>
    <title>Logging in...</title>
    </head>
    <body
    onload="document.forms[0].submit()">
    <form
    action="j_security_check" method="POST">
    <input type="hidden" name="j_username"
    value="${requestScope.username}" />
    <input type="hidden" name="j_password"
    value="${requestScope.password}" />
    </form>
    </body>
    </html>
    </jsp:root>
    {code}
    h3. {color:#ff6600}*secure/securepage.jsp -- A simple JSF target page, placed in the secure folder to test access*{color}
    {code}
    <?xml version="1.0" encoding="UTF-8"?>
    <jsp:root version="2.1"
              xmlns:f="http://java.sun.com/jsf/core"
              xmlns:h="http://java.sun.com/jsf/html"
              xmlns:jsp="http://java.sun.com/JSP/Page"
              xmlns:webuijsf="http://www.sun.com/webui/webuijsf">
        <jsp:directive.page contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"/>
        <f:view>
            <webuijsf:page id="page1">
                <webuijsf:html id="html1">
                    <webuijsf:head id="head1">
                        <webuijsf:link id="link1" url="/resources/stylesheet.css"/>
                    </webuijsf:head>
                    <webuijsf:body id="body1" style="-rave-layout: grid">
                        <webuijsf:form id="form1">
                            <webuijsf:staticText id="staticText1" style="position: absolute; left: 168px; top: 144px" text="A Secure Page"/>
                        </webuijsf:form>
                    </webuijsf:body>
                </webuijsf:html>
            </webuijsf:page>
        </f:view>
    </jsp:root>
    {code}
    h2. {color:#993300}*_Step 4: Configure Declarative Security_*{color}
    This type of security is called +declarative+ because it is not configured programmatically. It is configured by declaring all of the relevant parameters in the configuration files: *web.xml* and *sun-web.xml*. Once you have it configured, the container (application server and java framework) already has the implementation to make everything work for you.
    *web.xml will be used to define:*
    - Type of security - We will be using "form based". The loginpage.jsp we created will be set as both the login and error page.
    - Security Roles - The security role defined here will be mapped (in sun-web.xml) to users or groups.
    - Security Constraints - A security constraint defines the resource(s) that is being secured, and which Roles are able to authenticate to them.
    *sun-web.xml will be used to define:*
    - This is where you map a Role to the Users or Groups that are allowed to use it.
    +I know this is confusing the first time, but basically it works like this:+
    *Security Constraint for a URL* -> mapped to -> *Role* -> mapped to -> *Users & Groups*
    h3. {color:#ff6600}*web.xml -- here's the relevant section:*{color}
    {code}
    <security-constraint>
        <display-name>SecurityConstraint</display-name>
        <web-resource-collection>
            <web-resource-name>SecurePages</web-resource-name>
            <description/>
            <url-pattern>/faces/secure/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>HEAD</http-method>
            <http-method>PUT</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>User</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name/>
        <form-login-config>
            <form-login-page>/faces/login.jsp</form-login-page>
            <form-error-page>/faces/login.jsp</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <description/>
        <role-name>User</role-name>
    </security-role>
    {code}
    h3. {color:#ff6600}*sun-web.xml -- here's the relevant section:*{color}
    {code}
    <security-role-mapping>
        <role-name>User</role-name>
        <group-name>Users</group-name>
    </security-role-mapping>
    {code}
    h3. {color:#ff6600}*Almost done!!!*{color}
    h2. {color:#993300}*_Step 5: A couple of minor "Gotchas"_*{color}
    h3. {color:#ff6600}*_Gotcha #1_*{color}
    You need to configure the "welcome page" in web.xml to point to faces/secure/securepage.jsp ... Note that there is *_no_* leading / ... If you put a / in there it will barf all over itself.
    h3. {color:#ff6600}*_Gotcha #2_*{color}
    Note that we set the <form-login-page> in web.xml to /faces/login.jsp ... Note the leading / ... This time, you NEED the leading slash, or the server will gag.
    *DONE!!!*
    h2. {color:#993300}*_Here's how it works:_*{color}
    1. The user requests a page from your context (http://localhost/MyLogin/)
    2. The servlet forwards the request to the welcome page: faces/secure/securepage.jsp
    3. faces/secure/securepage.jsp has a security constraint defined, so the servlet checks to see if the user is authenticated for the session.
    4. Of course the user is not authenticated since this is the first request, so the servlet forwards the request to the login page we configured in web.xml (/faces/login.jsp).
    5. The user enters username and password and clicks a button to submit.
    6. The button's action method stores away the username and password in the request scope.
    7. The button returns "loginproxy" navigation case which tells the navigation handler to forward the request to loginproxy.jspx
    8. loginproxy.jspx renders a blank page to the user which has hidden username and password fields.
    9. The hidden username and password fields grab the username and password variables from the request scope.
    10. The loginproxy page is automatically submitted with the magic action "j_security_check"
    11. j_security_check notifies the container that authentication needs to be intercepted and handled.
    12. The container authenticates the user credentials.
    13. If the credentials fail, the container forwards the request to the login.jsp page.
    14. If the credentials pass, the container forwards the request to *+the last protected resource that was attempted.+*
    +Note the last point! I don't know how, but no matter how many times you fail authentication, the container remembers the last page that triggered authentication and once you finally succeed the container forwards your request there!!!!+
    +The user is now at the secure welcome page.+
    If you have read this far, I thank you for your time, and I seriously question your ability to ration your time pragmatically.
    Kerry Randolph

    If you want login security on your web app, this is one way to do it. (the easiest way I have seen).
    This method allows you to create a custom login form and error page using JSF.
    The container handles the actual authentication and protection of the resources based on what you declare in web.xml and sun-web.xml.
    This example uses a statically defined user/password, stored in a file, but you can also configure a JDBC realm in Glassfish, so that users can register for access and your program can store the username/password in a database.
    I'm new to programming, so none of this may be a good practice, or may not be secure at all.
    I really don't know what I'm doing, but I'm learning, and this has been the easiest way that I have found to add authentication to a web app, without having to write the login modules yourself.
    Another benefit, and I think this is key ***You don't have to include any extra code in the pages that you want to protect*** The container manages this for you, based on the constraints you declare in web.xml.
    So basically you set it up to protect certain folders, then when any user tries to access pages in that folder, they are required to authenticate.
    --Kerry
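A descriptor check that follows the post's Security Constraint -> Role -> Users & Groups chain, added here as an example and not part of the original post: it joins web.xml with sun-web.xml to show who can reach each URL pattern, and flags constraints that list individual HTTP methods or lack a CONFIDENTIAL transport guarantee. The XML is a constructed copy of the post's fragments, and `parse` and `audit` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

# Constructed fragments that mirror the web.xml and sun-web.xml sections in the post.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
 <security-constraint>
  <web-resource-collection><url-pattern>/faces/secure/*</url-pattern>
   <http-method>GET</http-method><http-method>POST</http-method><http-method>HEAD</http-method>
   <http-method>PUT</http-method><http-method>OPTIONS</http-method><http-method>TRACE</http-method>
   <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>User</role-name></auth-constraint>
 </security-constraint>
 <security-role><role-name>User</role-name></security-role>
</web-app>"""
SUN_WEB_XML = """<sun-web-app><security-role-mapping><role-name>User</role-name>
<group-name>Users</group-name></security-role-mapping></sun-web-app>"""

def parse(text):  # drop XML namespaces so plain tag paths match real descriptors too
    root = ET.fromstring(text)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root

def audit(web_xml, sun_web_xml):
    """Resolve URL pattern -> role -> users/groups and list descriptor findings."""
    web, sun = parse(web_xml), parse(sun_web_xml)
    declared = {r.findtext("role-name") for r in web.findall("security-role")}
    mapped = {}
    for m in sun.findall("security-role-mapping"):
        who = [e.text for e in m if e.tag in ("group-name", "principal-name")]
        mapped.setdefault(m.findtext("role-name"), []).extend(who)
    access, findings = {}, []
    for sc in web.findall("security-constraint"):
        roles = [r.text for r in sc.findall("auth-constraint/role-name")]
        tls = sc.findtext("user-data-constraint/transport-guarantee") == "CONFIDENTIAL"
        for r in roles:
            if r not in declared:
                findings.append(f"role {r}: no <security-role> declaration")
            if not mapped.get(r):
                findings.append(f"role {r}: not mapped to any user or group")
        for wrc in sc.findall("web-resource-collection"):
            methods = [m.text for m in wrc.findall("http-method")]
            for url in [u.text for u in wrc.findall("url-pattern")]:
                access[url] = sorted({p for r in roles for p in mapped.get(r, [])})
                if methods:
                    findings.append(f"{url}: only listed HTTP methods are constrained")
                if not tls:
                    findings.append(f"{url}: no CONFIDENTIAL transport-guarantee")
    return access, findings
```

A constraint that contains `<http-method>` elements covers only those methods, so a request using a method outside the list is not subject to the auth-constraint; leaving the elements out applies the constraint to every method.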
                                                                                                                                                                                                                                                                                                                                                                                                                              

Maybe you are looking for