
Wednesday, November 28, 2007

ADF security in your project

The ADF Security implementation can be viewed as an extension of the standard J2EE container security; it is executed after the standard security constraints have been processed. It is integrated in ADF in JDeveloper 11g and is applied dynamically. This has several advantages: changes in roles are immediately active, and you can have different permissions within one page. For example, in the pagedef you can grant rights to roles on specific attributes, pages and methods. In your application you can also use Expression Language (EL) to show or hide items on a page based on a user's permissions, which are defined in the runtime policy store.

If you use ADF Security in your application and you also selected anonymous access in the ADF wizard, you are automatically logged in as anonymous when the page does not have security. If you go to a page where no anonymous security is defined, you get a login window. You can also open the URL /project-context/adfAuthentication to get the login window.

Here you define, in the pagedef of the page, that the view permission is required to see the page.

If you run the ADF security wizard, the following files are created or changed:

workspace_home/.adf/META-INF/adf-config.xml
    element sec:JaasSecurityContext added

workspace_home/.adf/META-INF/credential-jazn-data.xml
    anonymous login account

workspace_home\src\META-INF\orion-application.xml
workspace_home\src\META-INF\jps-config.xml
workspace_home\src\META-INF\jazn-data.xml

and of course the web.xml
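
A quick way to check what the anonymous account can reach after running the wizard is to read the grants out of jazn-data.xml. The script below is an added example, not code from this post or from Oracle; the sample XML is constructed, its element layout, class names and the anonymous-role principal follow the jazn-data.xml of later 11g releases (an assumption for the preview build used here), and the function names are made up for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from the post. Element layout and class names
# follow the jazn-data.xml of later 11g releases (an assumption for this build).
SAMPLE_JAZN = """<jazn-data><policy-store><applications><application><jazn-policy>
    <grant>
      <grantee><principals><principal>
        <class>oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl</class>
        <name>anonymous-role</name>
      </principal></principals></grantee>
      <permissions>
        <permission><class>oracle.adf.share.security.authorization.RegionPermission</class>
          <name>view.pageDefs.homePageDef</name><actions>view</actions></permission>
        <permission><class>oracle.adf.share.security.authorization.RegionPermission</class>
          <name>view.pageDefs.feedbackPageDef</name><actions>view,edit</actions></permission>
      </permissions>
    </grant>
    <grant>
      <grantee><principals><principal>
        <class>oracle.security.jps.service.policystore.ApplicationRole</class>
        <name>managers</name>
      </principal></principals></grantee>
      <permissions>
        <permission><class>oracle.adf.share.security.authorization.RegionPermission</class>
          <name>view.pageDefs.salaryPageDef</name><actions>view,edit</actions></permission>
      </permissions>
    </grant>
</jazn-policy></application></applications></policy-store></jazn-data>"""

def grants(xml_text):
    """Return (principal, resource, actions) for every permission in every grant."""
    rows = []
    for grant in ET.fromstring(xml_text).iter("grant"):
        principals = [p.findtext("name", "").strip() for p in grant.iter("principal")]
        for perm in grant.iter("permission"):
            actions = {a.strip() for a in perm.findtext("actions", "").split(",") if a.strip()}
            for who in principals:
                rows.append((who, perm.findtext("name", "").strip(), actions))
    return rows

def anonymous_resources(xml_text, anon="anonymous-role"):
    """Map each resource the anonymous role can reach to its actions beyond 'view'."""
    found = {}
    for who, res, acts in grants(xml_text):
        if who == anon:
            found.setdefault(res, set()).update(acts - {"view"})
    return {res: sorted(extra) for res, extra in found.items()}

if __name__ == "__main__":
    print(anonymous_resources(SAMPLE_JAZN))
```

Any page definition listed with a non-empty action list is open to users who have not logged in for more than viewing and deserves a second look.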


If you start the ADF security wizard yourself, select no identity store at step 4. You then use the JAZN of the embedded OC4J; the other options give JAZN errors.


If you run on Windows XP, make sure that you start JDeveloper in single-user mode (jdeveloper -singleuser); otherwise the JAZN editor in the embedded OC4J does nothing.

In the next ADF security blog I will demonstrate the different security options in a page.

15 comments:

  1. Hi Edwin,

    I need your advice on how to migrate security settings from embedded oc4j to webcenter preconfigured oc4j. I am using Jdev 11g TP3. I have explored plenty of options, like copying the file system-jazn-data.xml -
    C:\Documents and Settings\nneelaka\Application Data\JDeveloper\system11.1.1.0.22.47.96\o.j2ee\embedded-oc4j\config

    into the following location (where webcenter oc4j runtime setup resides)

    C:\Documents and Settings\nneelaka\Application Data\JDeveloper\oracle.adfp.seededoc4j.11.1.1.0.0.071218.1800\j2ee\home\config

    But the server does not seem to read the file.

    I also tried copying the users and policies into :

    C:\my_project\dev\continuity-adf\src\META-INF\jazn-data.xml

    In all the cases, authentication does not go through, and I always get the error page.

    ADF Security works perfectly when I run my application against embedded oc4j server (right click on main page and run).

    Requesting your advice to resolve this issue.

    Best Regards,
    nattu

  2. Hi Nattu,

    The system-jazn-data.xml is used to add jazn roles to specific adf modes. For example, for page X you can define that for the update operation you need to have the adf role view. And to the role view you can add jazn roles like oc4j-administrator.

    There is one other important file: jps-config.xml, located in project_root\src\META-INF. Here is defined which security you want to use.

    If you use the adf security wizard on both projects, the app and webcenter, then it is enough to copy the jazn file.

    I hope this helps. Please let me know.

  3. Hi Edwin,

    I am not sure whether my earlier post reached you, but I was able to crack this issue of migration. As reiterated by you, copying was enough. The main gap was that, in my application, the orion-application.xml file did not contain the realm information.

    I am now trying to implement SSO in JDev 11g TP4. Do you have some pointers for the same? The security wizard is just the same as TP3.

    Best Regards,
    nattu

  4. Ok, SSO is a feature of the application server and too bad we don't have an 11g em website where we can configure it.

    I think you have to wait for it.

    thanks Edwin

  5. Hi Edwin,

    If you look at the release notes (I am sure that you would have already gone through them) http://www.oracle.com/technology/products/jdev/htdocs/11tp/readme.html

    It says about SSO:

    Security: SSO Support added, certificate management moved to a common store, added a common user & policy store, and added role & permission based authorization.

    So, wondering how we can configure it...

    Best Regards, nattu

  6. Hi Nattu,

    The release notes talk about the soa suite, where you can use it for the web services or in workflow.

    There is an example in the 11g soa forums of someone who got human workflow working with ad.

    Soa suite is a special web application in the container.

    But you can always look at the preconfigured soa suite container.

  7. Hi Edwin,

    I am new to Oracle JDeveloper and ADF 11g Security and I need your advice on ADF security.

    I was developing a Fusion Web application and implemented the ADF security using the wizard. Initially I configured it to use the XML-based jazn and implemented the application authentication and authorization. Now I would like to hook up the LDAP (OID) as my identity and policy stores (and am also thinking about the SSO too).

    I reran my ADF security wizard to hook up the LDAP. However, I wasn't able to configure my web application (ViewController project) to use the LDAP.

    The document says to modify the orient-system.xml file jazn tag to configure the application to use SSO or LDAP. However, I am using weblogic, so I don't have that and I have the weblogic-system.xml file. How can I hook that into the weblogic descriptor?

    Could you please advise me on this?

    Thanks & regards
    Thiva

  8. Hi, I heard from Oracle that it should. He didn't try the authorization part, but the authentication should work,
    see: http://oracle.com/technology/products/jdev/tips/fnimphius/oidconfig/index.html

    thanks Edwin

  9. Thanks a lot Edwin.

    Still I am in confusion. Here is my understanding of ADF Security. Please correct me if I am wrong.

    Here are the ways that we can enable the security in ADF 11g.
    1. Container managed security. Let the container manage the security based on the app server realms.
    2. ADF Security, using the wizard. We can specify either XML based or LDAP based authentication and authorization during the configuration. The identity and policy migration needs to be done before the production deployment using the migration tool.

    Now my question is, if I would like to follow the second approach, then how can I plug in the OID and SSO? Is that given link approached? I guess the given url link is for the first approach.

    Please pass me some light since I couldn't find much ADF documentation for SSO and OID security configuration for ADF 11g.

    Much appreciate your help.

  10. Hi, you are right on all points (I thought so, but when I read the documentation and see these lines about ADF security, I can conclude I was wrong). Now I am making a test client (adf sec with ldap and a ldapprovider in wls) to test it.

    Oracle ADF Security lets you define an
    access policy for a variety of application resources. For example, you can control access
    to a particular task flow based on the access right grants that you make in the policy
    store for the ADF task flow. During development, this policy store is file-based, with
    access right grants stored in the jazn-data.xml file, whereas the identity store can be
    file-based or LDAP-based, with grants stored in an LDAPv3-compliant directory, such
    as Oracle Internet Directory.


    The repository associated with the security provider can be an XML file or a
    directory service. Both repository types are supported by JDeveloper's Integrated
    WLS. However, when you choose the LDAP identity store, you must configure the
    LDAP store outside of JDeveloper

    ADF Security relies on the jazn-data.xml file for the policy store whether you are
    using the XML-based identity store or the LDAP identity store. Thus, with Oracle ADF
    Security, you define user interface access policies in two steps

  11. Hi

    I made a new blog about ADF security and an LDAP or table authentication, and it works.


    http://biemond.blogspot.com/2008/12/using-weblogic-provider-as.html

  12. Hello Edwin!
    I just want to have more info about ADF security, such as the possibility of using it with another IDE. Perhaps my question doesn't sound good, but I ask it anyway, because if I've understood correctly it is integrated in Oracle.

  13. Hi,

    Of course you can use it with another IDE, but you have to do everything yourself. The ADF security takes place in the web.xml (servlet), jazn-data.xml and jps-config.xml;
    the jazn is converted to the wls settings.

    But I don't know if it still works without adf jsf components and task flows.
    Too much work, I think.

    thanks Edwin

  14. Hi,

    first of all, very good post.
    I have a further question. Is there a possibility to call a service for authentication to get the credentials? If yes, is there a tutorial or an example that explains this issue?

    Many Thanks

  15. Hi,

    you mean you want to authenticate against a service.

    Ok, you must take a look at the weblogic authentication providers. Here you can use ldap, saml etc.

    Hope this helps.
