
Thursday, November 29, 2007

ADF security in action

In my previous blog post we enabled the project for ADF Security. Now it is time to see it in action. I will show how you can add security to a page and to specific button actions. In this example I use the system-jazn-data.xml of the embedded OC4J. You can edit it from the menu Tools / Embedded OC4J Server Preferences.


First we make a region with security info so we can see on every page what the security settings are. This region also contains a login and logout button.

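I use a backing bean to do this. The login action redirects to /adfAuthentication?success_url=/faces/dept.jspx and the logout action redirects to /adfAuthentication?logout=true&end_url=/faces/start.jspx

```java
import java.io.IOException;

import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpServletResponse;

import oracle.adf.share.ADFContext;

public class SecurityBean {
    public SecurityBean() {
    }

    // "true" when ADF Security authorization is enabled for the application
    public String getSecurityEnabled() {
        if (ADFContext.getCurrent().getSecurityContext().isAuthorizationEnabled()) {
            return "true";
        }
        return "false";
    }

    // "true" when the current user has logged in (is not the anonymous user)
    public String getIsAuthenticated() {
        if (ADFContext.getCurrent().getSecurityContext().isAuthenticated()) {
            return "true";
        }
        return "false";
    }

    public boolean isAuthenticated() {
        return ADFContext.getCurrent().getSecurityContext().isAuthenticated();
    }

    public String getCurrentUser() {
        return ADFContext.getCurrent().getSecurityContext().getUserName();
    }

    // Log out through the ADF authentication servlet and return to the unsecured start page
    public String doLogOut() throws IOException {
        FacesContext fctx = FacesContext.getCurrentInstance();
        ExternalContext ectx = fctx.getExternalContext();
        HttpServletResponse response = (HttpServletResponse) ectx.getResponse();
        String url = ectx.getRequestContextPath() + "/adfAuthentication?logout=true&end_url=/faces/start.jspx";
        response.sendRedirect(url);
        // The redirect is the response, so stop JSF from rendering the current page as well
        fctx.responseComplete();

        return null;
    }

    // Trigger authentication through the ADF authentication servlet, then go to the secured page
    public String doLogIn() throws IOException {
        FacesContext fctx = FacesContext.getCurrentInstance();
        ExternalContext ectx = fctx.getExternalContext();
        HttpServletResponse response = (HttpServletResponse) ectx.getResponse();
        String url = ectx.getRequestContextPath() + "/adfAuthentication?success_url=/faces/dept.jspx";
        response.sendRedirect(url);
        // The redirect is the response, so stop JSF from rendering the current page as well
        fctx.responseComplete();

        return null;
    }
}
```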

In this example I have two pages. The first page, start.jspx, doesn't have any security, so ADF Security uses the anonymous account.



The second page has security on the page: you need to have the role users to see it, and the navigation buttons are enabled only if the user belongs to the oc4j-administrators role.

Now let's see how we can add page security to a page. To view this page you need to have the view right. We can set this by opening the pagedef.

The next step is to add the view right to the roles users and oc4j-administrators. Go to the pagedef structure window, select the pagedef node, and right-click to open the authorization window.


These security entries are stored in system-jazn-data.xml, and JAZN uses the pagedef name as the unique entry, so make sure you don't have the same pagedef twice on the production server; otherwise both pages get the same security.
You can do the same for binding actions such as Next and First. Here we make sure that you need the oc4j-administrators role to press Next etc.
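The pagedef-name uniqueness warning above can be checked before deployment by comparing the pagedef names of every application that will share one OC4J instance. The script below is an added example, not part of the original post or the example project. It assumes that a pagedef's root element is `pageDefinition` with `id` and `Package` attributes and that the entry name is the fully qualified `Package.id`; the application names and pagedef contents are constructed sample data.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: pagedef sources from two applications that would be
# deployed to the same OC4J instance and so share one system-jazn-data.xml.
# Assumption: the root element carries `id` and `Package` attributes.
NS = "http://xmlns.oracle.com/adfm/uimodel"
SAMPLE_PAGEDEFS = [
    ("hr-app", f'<pageDefinition xmlns="{NS}" id="deptPageDef" Package="view.pageDefs"/>'),
    ("hr-app", f'<pageDefinition xmlns="{NS}" id="startPageDef" Package="view.pageDefs"/>'),
    ("sales-app", f'<pageDefinition xmlns="{NS}" id="deptPageDef" Package="view.pageDefs"/>'),
    ("sales-app", f'<pageDefinition xmlns="{NS}" id="orderPageDef" Package="sales.view.pageDefs"/>'),
]


def pagedef_name(xml_text):
    """Return the fully qualified pagedef name (Package.id) of one pagedef file."""
    root = ET.fromstring(xml_text)
    # Strip the XML namespace before comparing the element name.
    if root.tag.split("}")[-1] != "pageDefinition":
        raise ValueError("not a pagedef: root element is %s" % root.tag)
    pagedef_id = root.get("id")
    if not pagedef_id:
        raise ValueError("pagedef has no id attribute")
    package = root.get("Package", "")
    return f"{package}.{pagedef_id}" if package else pagedef_id


def find_collisions(pagedefs):
    """Map each pagedef name used by more than one application to those apps."""
    owners = defaultdict(set)
    for app, xml_text in pagedefs:
        owners[pagedef_name(xml_text)].add(app)
    return {name: sorted(apps) for name, apps in owners.items() if len(apps) > 1}


if __name__ == "__main__":
    # Every name listed here would resolve to a single set of grants on the server.
    for name, apps in sorted(find_collisions(SAMPLE_PAGEDEFS).items()):
        print(f"{name}: shared by {', '.join(apps)}")
```

A collision means a grant made for one application's page also applies to the other application's page of the same name, so rename the pagedef or its package in one of them before deploying.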

And we are ready to test it.

Here you have the example project and the system-jazn-data.xml, which you have to put in the config dir of the embedded OC4J. These are the users: oc4jadmin / welcome, test / test

3 comments:

  1. Hi Edwin,

    I develop ADF app in jdev 10.1.3.3.0.
    I use DBLoginModule.jar as described in http://technology.amis.nl/blog/2851/using-database-table-for-authentication-in-adf-applications for login action. Login action works. I tried to do logout action as described in your example but it seems not to work. When I perform logout action performDbAuthentication() is invoked twice and last logged user is authenticated again.


    Best Regards,
    andrew

  2. Hi

    you are mixing two things.
    I use adf security with oc4j and in jdev 11g they change it a little bit for weblogic. ( you can use the dblogin module of weblogic to authenticate)

    in the Amis example they are using jdev 10.1.3

    the step you are missing is to initialize adf security, you have to create an adf security object and everything will work.
    I know Frank N. will make a db login example based on weblogic.

    If I have the time I'll make a new blog item.

    thanks Edwin

  3. Hi,

    Problem was I used BASIC login form instead of custom page, I changed it for custom page and everything is ok.

    andrew
