Wednesday, December 17, 2008

Using database tables as authentication provider in WebLogic

In WebLogic you can use database tables as the authentication provider for your web applications. In these tables you store your application users together with their roles, and WebLogic uses them to authenticate your application's users. WebLogic even provides a web interface where you can add or change users and roles.
You can use this SQL authenticator for your container security or for your JDeveloper 11g ADF security. For more info on ADF security see my previous blog post. This SQL authenticator replaces the dbloginmodule of the OC4J container which was available in the Technical Previews of JDeveloper 11g.
First we need some authorization tables. I will use the user and role tables of JHeadstart. Here is the DDL with some sample users.

CREATE TABLE JHS_ROLES
(
ID NUMBER(*, 0) NOT NULL,
ORG_KEY VARCHAR2(30) DEFAULT 'DEFAULT' NOT NULL,
SHORT_NAME VARCHAR2(10) NOT NULL,
NAME VARCHAR2(40) NOT NULL
);

CREATE TABLE JHS_USER_ROLE_GRANTS
(
ID NUMBER(*, 0) NOT NULL,
USR_ID NUMBER(*, 0) NOT NULL,
RLE_ID NUMBER(*, 0) NOT NULL
);

CREATE TABLE JHS_USERS
(
ID NUMBER(*, 0) NOT NULL,
EMAIL_ADDRESS VARCHAR2(240),
USERNAME VARCHAR2(240) NOT NULL,
ORG_KEY VARCHAR2(30) DEFAULT 'DEFAULT',
PASSWORD VARCHAR2(240),
DISPLAY_NAME VARCHAR2(240),
LOCALE VARCHAR2(10)
);

ALTER TABLE JHS_ROLES
ADD CONSTRAINT JHS_RLE_PK PRIMARY KEY
( ID ) ENABLE;

ALTER TABLE JHS_ROLES
ADD CONSTRAINT JHS_RLE_UK1 UNIQUE
( SHORT_NAME,ORG_KEY ) ENABLE;

ALTER TABLE JHS_USER_ROLE_GRANTS
ADD CONSTRAINT JHS_URG_PK PRIMARY KEY
( ID ) ENABLE;

ALTER TABLE JHS_USER_ROLE_GRANTS
ADD CONSTRAINT JHS_URG_UK1 UNIQUE
( RLE_ID, USR_ID ) ENABLE;

ALTER TABLE JHS_USERS
ADD CONSTRAINT JHS_USR_PK PRIMARY KEY
( ID ) ENABLE;

CREATE SEQUENCE JHS_SEQ INCREMENT BY 1 MAXVALUE 999999999999999999999999999 MINVALUE 1 CACHE 20 ;

-- Create two users SKING and AHUNOLD
insert into jhs_users (ID, EMAIL_ADDRESS, USERNAME, ORG_KEY, PASSWORD, DISPLAY_NAME)
select jhs_seq.nextval,'SKING','SKING','DEFAULT','SKING', 'Steven King'
from dual
where not exists (select '1' from jhs_users where username='SKING');

insert into jhs_users (ID, EMAIL_ADDRESS, USERNAME, ORG_KEY, PASSWORD, DISPLAY_NAME)
select jhs_seq.nextval,'AHUNOLD','AHUNOLD','DEFAULT','AHUNOLD', 'Alexander Hunold'
from dual
where not exists (select '1' from jhs_users where username='AHUNOLD');

-- set up two roles: Administrator and User
insert into jhs_roles(id, SHORT_NAME, name)
select jhs_seq.nextval, 'ADMIN','Administrator'
from dual
where not exists (select '1' from jhs_roles where short_name='ADMIN');

insert into jhs_roles(id, SHORT_NAME, name)
select jhs_seq.nextval, 'USER','User'
from dual
where not exists (select '1' from jhs_roles where short_name='USER');

-- Make Steven King Administrator
insert into jhs_user_role_grants (id,rle_id,usr_id)
select jhs_seq.nextval, rle.id, usr.id
from jhs_roles rle, jhs_users usr
where rle.short_name='ADMIN'
and usr.username='SKING'
and not exists (select '1' from jhs_user_role_grants urg2
where urg2.usr_id = usr.id
and urg2.rle_id = rle.id);

-- Make Alexander Hunold User
insert into jhs_user_role_grants (id,rle_id,usr_id)
select jhs_seq.nextval, rle.id, usr.id
from jhs_roles rle, jhs_users usr
where rle.short_name='USER'
and usr.username='AHUNOLD'
and not exists (select '1' from jhs_user_role_grants urg2
where urg2.usr_id = usr.id
and urg2.rle_id = rle.id);

commit;

Now we can add the SQL authenticator provider in WebLogic. First we need to create a datasource for the database connection and remember the datasource name (not the JNDI name); we need this value for the provider.

Select the Security Realms link, then select the default realm "myrealm" and go to the Providers tab. Here we can create a new authentication provider.
We need to select SQLAuthenticator as the Type.
Select the just created provider and change the Control Flag to SUFFICIENT. After this we can go to the Provider Specific tab where we add the details of the provider.
We need to fill in the datasource name, select a password algorithm and add many SQL statements. Here are my settings for the JHeadstart tables.
Go to the folder MiddlewareJdev11g\jdeveloper\system\system11.1.1.0.31.51.88\DefaultDomain\config and change the config.xml file, replacing your values with these:

<sec:authentication-provider xsi:type="wls:sql-authenticatorType">
<sec:name>DB_users</sec:name>
<sec:control-flag>SUFFICIENT</sec:control-flag>
<wls:enable-group-membership-lookup-hierarchy-caching>false</wls:enable-group-membership-lookup-hierarchy-caching>
<wls:data-source-name>scott</wls:data-source-name>
<wls:plaintext-passwords-enabled>true</wls:plaintext-passwords-enabled>
<wls:sql-get-users-password>SELECT password FROM jhs_users WHERE username = ?</wls:sql-get-users-password>
<wls:sql-user-exists>SELECT username FROM jhs_users WHERE username = ?</wls:sql-user-exists>
<wls:sql-list-member-groups>SELECT short_name FROM jhs_user_role_grants g ,jhs_roles r,jhs_users u WHERE g.usr_id = u.id and g.rle_id = r.id and u.username = ?</wls:sql-list-member-groups>
<wls:sql-list-users>SELECT username FROM jhs_users WHERE username LIKE ?</wls:sql-list-users>
<wls:sql-get-user-description>SELECT display_name FROM jhs_users WHERE username = ?</wls:sql-get-user-description>
<wls:sql-list-groups>SELECT short_name FROM jhs_roles WHERE short_name LIKE ?</wls:sql-list-groups>
<wls:sql-group-exists>SELECT short_name FROM jhs_roles WHERE short_name = ?</wls:sql-group-exists>
<wls:sql-is-member>SELECT u.username FROM jhs_user_role_grants g ,jhs_users u WHERE u.id = g.usr_id and rle_id = ( select id from jhs_roles where short_name = ? ) AND usr_id = ( select id from jhs_users where username = ? )</wls:sql-is-member>
<wls:sql-get-group-description>SELECT name FROM jhs_roles WHERE short_name = ?</wls:sql-get-group-description>
<wls:password-style>PLAINTEXT</wls:password-style>
<wls:sql-create-user>INSERT INTO jhs_users ( id,username , password , display_name) VALUES (jhs_seq.nextval, ? , ? , ? )</wls:sql-create-user>
<wls:sql-remove-user>DELETE FROM jhs_users WHERE username = ?</wls:sql-remove-user>
<wls:sql-remove-group-memberships>DELETE FROM jhs_user_role_grants WHERE rle_id = ( select id from jhs_roles where short_name = ? ) or usr_id = ( select id from jhs_users where username = ? )</wls:sql-remove-group-memberships>
<wls:sql-set-user-description>UPDATE jhs_users SET display_name = ? WHERE username = ?</wls:sql-set-user-description>
<wls:sql-set-user-password>UPDATE jhs_users SET password = ? WHERE username = ?</wls:sql-set-user-password>
<wls:sql-create-group>insert into jhs_roles(id, short_name, name) values (jhs_seq.nextval, ?, ?)</wls:sql-create-group>
<wls:sql-set-group-description>UPDATE jhs_roles SET name = ? WHERE short_name = ?</wls:sql-set-group-description>
<wls:sql-add-member-to-group>INSERT INTO jhs_user_role_grants (id,rle_id,usr_id) VALUES( jhs_seq.nextval , ( select id from jhs_roles where short_name = ?),(select id from jhs_users where username = ?))</wls:sql-add-member-to-group>
<wls:sql-remove-member-from-group>DELETE FROM jhs_user_role_grants WHERE rle_id = ( select id from jhs_roles where short_name = ? ) AND usr_id = ( select id from jhs_users where username = ? )</wls:sql-remove-member-from-group>
<wls:sql-remove-group>DELETE FROM jhs_roles WHERE short_name = ?</wls:sql-remove-group>
<wls:sql-remove-group-member>DELETE FROM jhs_user_role_grants WHERE rle_id = ( select id from jhs_roles where short_name = ? )</wls:sql-remove-group-member>
<wls:sql-list-group-members>SELECT username FROM jhs_user_role_grants g ,jhs_roles r,jhs_users u WHERE g.usr_id = u.id and g.rle_id = r.id and r.short_name = ? and u.username like ?</wls:sql-list-group-members>
</sec:authentication-provider>
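The config above stores and compares passwords in the clear (password-style PLAINTEXT with plaintext-passwords-enabled set to true). The following is an added example, not code from the post or from WebLogic, showing what the HASHED and SALTEDHASHED styles mean for the value a user-management module writes into jhs_users.password, and how a login check is resolved under each style. The `{SHA-1}` / `{SSHA}` prefix and base64 layout are my assumption of the LDAP-style format WebLogic accepts, so confirm them against the SQLAuthenticator documentation for your release.

```python
"""Password-style handling for a WebLogic SQL authenticator backing table.

Added example (not from the original post). It models what the three
password-style settings mean for the value stored in jhs_users.password:
  PLAINTEXT     -> the clear password (the post's config, which also needs
                   plaintext-passwords-enabled=true)
  HASHED        -> "{SHA-1}" + base64(sha1(password))
  SALTEDHASHED  -> "{SSHA}"  + base64(sha1(password + salt) + salt)
The prefixes and encoding are my assumption of the LDAP-style format
WebLogic accepts; check them against the SQLAuthenticator documentation
for your release before writing rows from your own user-management module.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

SHA1_LEN = 20  # bytes produced by SHA-1


def hashed_password(password: str) -> str:
    """Return the value to store when password-style is HASHED."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA-1}" + base64.b64encode(digest).decode("ascii")


def salted_hashed_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the value to store when password-style is SALTEDHASHED.

    The salt is appended to the password before hashing and then stored,
    in the clear, after the digest inside the same base64 blob (the LDAP
    {SSHA} layout assumed here).
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_password(stored: str, candidate: str,
                    plaintext_enabled: bool = False) -> bool:
    """Check a login attempt the way the stored value's style implies.

    `plaintext_enabled` mirrors <wls:plaintext-passwords-enabled>: when it is
    False, a stored value without a hash prefix is never accepted, which is
    what you want once every row has been migrated to a hashed style.
    """
    cand = candidate.encode("utf-8")
    if stored.startswith("{SHA-1}"):
        expected = base64.b64decode(stored[len("{SHA-1}"):])
        return hmac.compare_digest(hashlib.sha1(cand).digest(), expected)
    if stored.startswith("{SSHA}"):
        blob = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = blob[:SHA1_LEN], blob[SHA1_LEN:]
        return hmac.compare_digest(hashlib.sha1(cand + salt).digest(), digest)
    # No recognised prefix: this is a plaintext row.
    if not plaintext_enabled:
        return False
    return hmac.compare_digest(stored.encode("utf-8"), cand)


def migrate_plaintext_rows(rows: Dict[str, str]) -> Dict[str, str]:
    """Re-hash plaintext rows (username -> password) to the SALTEDHASHED form.

    Constructed helper: in a real migration this is an UPDATE of
    jhs_users.password per user, followed by switching password-style from
    PLAINTEXT to SALTEDHASHED and plaintext-passwords-enabled to false.
    """
    return {user: salted_hashed_password(pw) for user, pw in rows.items()}


if __name__ == "__main__":
    # Sample rows constructed from the post's DDL, where password == username.
    rows = {"SKING": "SKING", "AHUNOLD": "AHUNOLD"}
    for user, stored in migrate_plaintext_rows(rows).items():
        print(user, stored, verify_password(stored, rows[user]))
```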

We need to restart the WebLogic server. After the reboot we can go to the Users and Groups tab of the default security realm, where we can change or add users and roles. Here is an overview where we can see SKING.
When we select SKING we can add roles to this user.
Now we can test it (see my previous blog post for more details).

Here is the result of the authentication.

160 comments:

  1. Hi Edwin,
    I've done a similar thing (except I made the SQLProvider optional) but I ran into something... It seems that the authentication goes well, but not the authorization part... Every new user that is added to myrealm (same group as one defined in jazn.com) won't authorize, but it does authenticate. What have you chosen in the ADF Security wizard, ADF Authentication and Authorization or just ADF Authentication?
    Thanks F
    lorin POP

    ReplyDelete
  2. Hi
    I use ADF Authentication and Authorization and after that I chose LDAP (so ADF will not use the jazn-data users).

    I changed the standard provider to sufficient and the SQL provider also to sufficient.

    And you have to map the WLS roles to the ADF roles in weblogic.xml.

    See my previous post

    then it works.

    thanks

    ReplyDelete
  3. Hi Edwin,

    Did you try to deploy this application on a standalone Weblogic?

    It is working for me from JDev 11g on the embedded WebLogic but not on the standalone one. Any idea?

    Note that I migrated security as explained by Steve but still can't login.

    Jamil

    ReplyDelete
  4. Hi , it should work.

    Maybe you have to change the default security provider to sufficient; the default is required. Then it will use the other provider too.

    thanks

    ReplyDelete
  5. Thank you

    It is working after changing the default security provider to sufficient.

    Jamil

    ReplyDelete
  6. Hi Edwin,

    I need to insert/verify the password in the DB as encrypted. Right now it works fine with a plain text password. What should I do to enable the encryption from my application and from WebLogic?

    The scenario I can see is that before inserting a user from my application I need to encrypt the password using a JCE algorithm like SHA-1. In this case how can I tell WebLogic to verify the password as encrypted?

    Thanks
    Jamil

    ReplyDelete
  7. Hi,

    Normally you encrypt the password with SHA-1 once; then when the user logs in, this password is encrypted again and compared with the DB value.

    It is never decrypted, only compared.

    thanks Edwin

    ReplyDelete
    How will WebLogic do the job and encrypt the password to compare it if I am using this blog's method to authenticate?
    Unchecking "Plaintext Passwords Enabled" seems not to work.

    Jamil

    ReplyDelete
  9. Hi,

    Do you have your own login page or do you use the standard login box of your browser? In this case WLS will capture this, encrypt the password with SHA-1 and compare this with the DB password column.

    maybe this can help you
    http://edocs.bea.com/wls/docs103/secmanage/atn.html#wp1208013

    ReplyDelete
  10. Hi,

    I am using Form-Based Authentication with my own login.jspx which uses j_security_check to check the authentication.

    Right now there is no encryption when sending the password and it works.

    My question is how to tell WLS to encrypt the password before comparing it with the password column in the DB?

    I am sure there is a property to set to tell WLS to encrypt or not and which algorithm to use. No?

    Where is this property?

    Thanks
    Jamil

    ReplyDelete
  11. Hi,

    Maybe you'd better make a post in the WLS or JDev forum; in the meanwhile I will test this.

    thanks Edwin

    ReplyDelete
  12. Hi Edwin,
    I need your help with WebLogic security based on database tables.
    I tried to do it according to your posting but I am getting an error, and I have tried different ways to run the WebLogic domain but did not find any solution. Please reply to me.

    here : http://forums.oracle.com/forums/thread.jspa?threadID=901013&tstart=15

    Thanks.
    zakir
    ====

    ReplyDelete
  13. Hi,

    When you delete the provider, is it working again?

    How did you create the provider, in the console or in the config.xml?

    thanks Edwin

    ReplyDelete
  14. Hi,
    I had created the provider by console. The server failed to start after doing this.

    Do I maybe need to create the RDBMS Security Store first? I am confused about how SQL authentication can work.
    I tried to do the RDBMS Security configuration as I found in config.xml and am getting an exception: http://www.atilimited.net/zakir/err/AdminServer.log

    See sec:rdbms-security-store in http://www.atilimited.net/zakir/err/config.xml

    When I deleted this tag sec:rdbms-security-store then it started successfully.

    Thanks
    zakir
    ====

    ReplyDelete
  15. Hi

    Do I maybe need to create the RDBMS Security Store first?

    No, you don't need this. The RDBMS security store is only for storing all keys / passwords etc. in a database instead of the file system.

    You need to go to the myrealm security realm -> Providers / Authentication and add a new SQL authenticator.

    If you still want to create an RDBMS security store, then use the configuration wizard for this.

    thanks Edwin

    ReplyDelete
  16. Hi Edwin,
    Thank you for your clarification.
    I have another question: how do I get a connection to a particular database? Because there is no option to define connection parameters in the SQL authenticator provider. So what is the mechanism to access the database?

    Thanks.
    zakir
    ====

    ReplyDelete
  17. Hi Edwin,
    It works fine after creating a JDBC data source via Users and Groups > Summary of Services: JDBC > Summary of JDBC Data Sources.

    Thanks
    zakir
    =====

    ReplyDelete
  18. Jamil,

    Did you ever figure out the encryption part? I'm having the exact issue.

    ReplyDelete
  19. Hi Edwin

    Is there any reason in this post why you modified the config.xml directly rather than using the console? A bug or just easier to work with the config.xml file?

    Cheers,

    CM.

    ReplyDelete
  20. Hi Chris.

    No, it was too much work to type in the WLS console; next time I will use a WLST script.

    thanks

    ReplyDelete
  21. Thanks Edwin, really useful post.

    Cheers,

    CM.

    ReplyDelete
  22. Hi Edwin,
    How did you get the DB roles on the .jspx page?
    I'm trying this:

    for ( String role : ADFContext.getCurrent().getSecurityContext().getUserRoles() ) {
    System.out.println("role "+role);
    }

    but the only thing I get is anonymous-role and authenticated-role!!

    ReplyDelete
  23. There is another problem that I cannot point the application to the correct realm(the second I created), it keeps taking the default realm...

    ReplyDelete
  24. Hi Renan,

    I make a backing bean with a method which returns a string:

    import oracle.adf.share.ADFContext;

    // Start from "" instead of null, otherwise the first role is prefixed with "null".
    public String getRoles() {
    String roles = "";
    for ( String role : ADFContext.getCurrent().getSecurityContext().getUserRoles() ) {
    roles = roles + role + " ";
    System.out.println("role "+role);
    }
    return roles.trim();
    }

    And when you created a second realm, did you also use this as the default realm? I think it is a domain setting.

    thanks Edwin

    ReplyDelete
  25. Hi Edwin,
    Thanks for your useful post.

    I have the following requirement for user authentication and authorization. This is an enterprise web application which includes BPEL, Web Services, BRE etc. The application is built using ADF, JDeveloper 11g and JHeadstart as well. The end user should have a user management panel to define users, roles, and grant permissions to roles.

    Based on this architecture I have two questions:

    1. It seems that we should choose the JAAS model, so BPEL and the other technologies can integrate with the core application authentication and authorization mechanism. Is it right or can we have a better choice?

    2. If we switch to JAAS, we can not deliver a user management that the end user can work with. So, if we store the credential and grants information in the database tables, we can easily write the user management module. On the other hand, we need to be JAAS, so is there any way to have a Database JAAS Provider or Database LDAP Provider?

    Thank you in advance

    Farnoush (the_farnoush@yahoo.com)

    ReplyDelete
  26. Hi Farnoush,

    see below


    The end user should have a user management panel to define users, roles, and grant permissions to roles.

    Based on this architecture I have two questions:

    1. It seems that we should choose the JAAS model, so BPEL and the other technologies can integrate with the core application authentication and authorization mechanism. Is it right or can we have a better choice?

    Yep, that will work. Are you using BPEL 10.1.3 (maybe then LDAP is better than the SQL authenticator)? ADF can use JAAS and in WLS still use the SQL authenticator.

    2. If we switch to JAAS, we can not deliver a user management that the end user can work with.

    In the WLS console you still can add or change users and roles.

    Or use the WLS SQL authenticator and for example use the default ADF views of JHeadstart to change the users and roles.

    So, if we store the credential and grants information in the database tables, we can easily write the user management module. On the other hand, we need to be JAAS, so is there any way to have a Database JAAS Provider or Database LDAP Provider?

    Use the WLS SQL authenticator.

    thanks Edwin

    ReplyDelete
  27. Dear Edwin,

    Thanks for your reply.

    It seems that the SQL authenticator will support only the authentication part; I mean it will only retrieve the user names and passwords for authentication from the database.
    But I need to save the grants and permissions and all the authorization information in the database as well.

    My native end user can not work with the WLS console or any other IDE like JDeveloper, and I should build a custom user management application module based on the database, in which I hope to be able to save both authentication and authorization data as well.

    Thanks
    Farnoush

    ReplyDelete
  28. Hi

    It seems that the SQL authenticator will support only the authentication part,

    It does both: you will get the roles too and map these in the weblogic.xml to the application roles.

    My native end user can not work with the WLS console or any other IDE like JDeveloper, and I should build a custom user management application module based on the database, in which I hope to be able to save both authentication and authorization data as well.

    Yep, that is easy: when you use JHeadstart you will get the datamodel and ADF views out of the box.

    thanks Edwin

    ReplyDelete
    Replies
    1. Hi Edwin,
      Is this approach supported in 12C?

      Thanks.

      Delete
  29. Hi again Edwin,
    Is it possible to use those 'table' roles to grant and block pages in jazn-data.xml?
    If yes, how can I do it? Because I don't see the table roles among the app level roles...

    ReplyDelete
  30. Hi,

    What do you mean exactly? I know you can disable a table by checking #{securityContext.userInRole['roleList']}


    And take a look at this adf security policies document.

    http://download.oracle.com/docs/cd/E15523_01/web.1111/b31974/adding_security.htm#ADFFD2009

    And ADF BC has support for security on the transaction level.

    hope this helps

    ReplyDelete
  31. Hi Farnoush,

    Can you take a look at this document, chapter 30.11.2:

    http://download.oracle.com/docs/cd/E15523_01/web.1111/b31974/adding_security.htm#BGBIFHDF

    Only I don't think you can do it dynamically.

    thanks

    ReplyDelete
    I don't mean ADF tables, I mean the database tables... The problem is that I can't use my database roles in jazn-data.xml.

    ReplyDelete
  33. Ok,

    You can always make your own WebLogic authenticator.

    thanks

    ReplyDelete
  34. Hi Edwin

    Thanks for your link, but I do not want the custom permissions; the permission set is defined at design time. What I need to be dynamic at runtime is the ability to define new roles and assign permissions to those roles by the end user (user management administrator). It is something like what happens in JHeadstart Custom Security.

    By the way, the authentication works properly with this method that you've mentioned in this post, I am searching for a mechanism that support authorization as well.

    Thanks
    Farnoush

    ReplyDelete
  35. Hi Farnoush,

    You can make your own Weblogic security provider or post a question in the weblogic security forum of OTN, maybe they can help you.

    Thanks Edwin

    ReplyDelete
  36. Hi Edwin,

    Nice topic. I tried the same but in vain. Below are the details of the steps I followed:

    I was using Jdeveloper 11.1.1.1.0. with the integrated weblogic 10.3.

    I had four below pages -
    1. Login.html (created during ADF Security configuration)
    2. Logut.html (created during ADF Security Configuration)
    3. welcome.jsp (Also I choose to create it during ADF Security Configuration)
    4. My own jspx(main.jspx).
    Before the ADF security configuration I was able to browse this main.jspx.
    Next I set up the ADF Security configuration and I created the two users below:
    1. aaa
    2. bbb
    Next I set up my ADF Policies to secure my page main.jspx and ran my application from the JDeveloper IDE. It ran successfully as expected. It asked me for login. After login I got into welcome.jsp. Next I tried to visit main.jspx and I got it displayed.

    Next, as per your blog, I unchecked those options so that the application does the credential check against my DB table.
    My DB table was different from yours; it was as per the WebLogic recommendation as below:

    users(U_NAME,U_PASSWORD,U_DESCRIPTION)

    groups(G_NAME,G_DESCRIPTION)

    groupmembers(G_NAME,G_DESCRIPTION)

    In user table I filled below sample data
    'aaa','information', 'Test User'
    In Groups table below is my sample data
    'valid_users','Test Group'
    'users','Test Group'
    In groupmembers table below is my sample data -
    'valid_users','aaa'
    'users','aaa'

    I created my provider with SQL Authentication and made it SUFFICIENT. By the way, I made it SUFFICIENT for the default Authenticator too.
    Now I started my server and was able to see all the users and groups defined in the DB table.
    I deployed my .ear and visited my login.html, provided the credentials (UID and PWD) but in vain. I did not get my welcome.jsp. To make it clearer I am attaching my console error here:

    Error 403--Forbidden
    From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
    10.4.4 403 Forbidden
    The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.

    Now I tried to access main.jspx in the same browser by just typing the URL and got the error below in the console:
    on:V2.0]] Servlet failed with Exception
    java.lang.RuntimeException: Cannot find FacesContext
    at javax.faces.webapp.UIComponentClassicTagBase.getFacesContext(UICompon
    entClassicTagBase.java:1855)
    at javax.faces.webapp.UIComponentClassicTagBase.setJspId(UIComponentClas
    sicTagBase.java:1672)
    at jsp_servlet.__main_jspx._jspx___tag0(__main_jspx.java:95)
    at jsp_servlet.__main_jspx._jspService(__main_jspx.java:70)
    at weblogic.servlet.jsp.JspBase.service(JspBase.java:34)
    Truncated. see log file for complete stacktrace
    >

    By the way, I got one statement in my console while starting up my server:
    Overwriting credentials is allowed in application credential store migration with Weblogic server running in Development Mode and system property 'jps.app.credential.overwrite.allowed' set to true

    Could you please help me out with where I am going wrong. I am sure somewhere I am missing the configuration.
    Thanks in advance for your time to read my message.

    Thanks
    Subrata B.

    ReplyDelete
  37. Hi,

    I tried the same. With jazn-data it works fine, but the moment I tried the same with DB tables I got an error. I am sending a detailed mail to you to give you a clear idea about the issue I faced. I was trying to post the same here but I feel due to some max char restriction it was not getting published. Please have a look at my mail and provide your valuable suggestion.

    Thanks in advance
    Subrata B.

    ReplyDelete
  38. Hi,

    I think you forgot to map the WLS roles to your application roles. You can do this in the weblogic.xml located in the WEB-INF/ folder.

    Else the WLS DB users don't have the right application roles.

    thanks

    ReplyDelete
    Sorry, but how can I do the mapping of the WLS roles to my application roles?

    ReplyDelete
  40. Hi,

    Here is an example of the weblogic.xml located in your WEB-INF folder:

    <?xml version = '1.0' encoding = 'windows-1252'?>
    <weblogic-web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.bea.com/ns/weblogic/weblogic-web-app.xsd" xmlns="http://www.bea.com/ns/weblogic/weblogic-web-app">
    <security-role-assignment>
    <role-name>ADMIN_APP</role-name>
    <principal-name>ADMIN</principal-name>
    </security-role-assignment>
    <security-role-assignment>
    <role-name>USER_APP</role-name>
    <principal-name>USER</principal-name>
    </security-role-assignment>
    </weblogic-web-app>

    ReplyDelete
    Edwin, after I modified "config.xml" I restarted the WL server. But it automatically reverted the changes I had made. I am confused. Please let me know. Thanks.

    ReplyDelete
  42. Hi,

    Strange, maybe you added it in the wrong place. Can you add a SQL authenticator from the console and after that stop WLS and add the rest of the stuff in the config.xml?

    thanks Edwin

    ReplyDelete
  43. hello Edwin!

    Is LDAP necessary for authentication with a SQLAuthenticator provider?

    If your answer is no, then how can I configure ADF security in my application?

    Thanks

    ReplyDelete
    Oh no, you don't need LDAP; I used the same LDAP webapp to test this SQL authenticator. For this you only need a database with some tables.

    Here you get more info on ADF: http://biemond.blogspot.com/2008/12/using-weblogic-provider-as.html

    thanks

    ReplyDelete
  45. Dear Edwin,

    I have followed the steps and also read all the comments; many people like me have the problem that the authentication part is done but the authorization is not.
    I also have checked the weblogic-application.xml.

    I would really appreciate it if you provided us the sample application for your post in the latest version 11.1.2.0.

    Amir

    ReplyDelete
  46. Hi,

    I am just making some blog posts about the subject.

    But basically:
    run the ADF security wizard,
    and you only need to have the valid user mapping in weblogic.xml, and the same role in web.xml.

    Then you should add the WLS roles you need in the enterprise role part in jazn.
    Then add some application roles in jazn and map the enterprise role to the application role.

    Then add ADF security to the pages by adding an application role with view rights to the page or fragment.

    ReplyDelete
    Hi, I just finished a test case where I have 3 approles (manager, coordinator, analyst) and I created 3 enterprise roles wlsmanager, wlscoordinator and wlsanalyst too. I modified weblogic.xml to register the enterprise roles and principals (in this case the principals are the approles). After that I added the enterprise roles in web.xml and in the section I added these roles too.

    Later in jazn.xml I added the enterprise roles and approles; to the approles I associated the enterprise roles previously created, and finally I created one page and granted view access to the manager and coordinator approles.

    Previously I registered the SQL authenticator provider and followed the steps that you share in others of your posts.

    Result: It's working!! but ...

    I log in with 3 different users:

    user1 has role manager
    user2 has role coordinator
    user3 has role analyst

    I expect that user3 can not see the page (because he doesn't have view access), but he can view it. I show the roles that the user has and it gives me only authenticated-role, anonymous-role and analyst. What's wrong?

    Please I hope you could help me.

    ReplyDelete
  48. Hi Edwin,

    We have a requirement to build the security module for our application using OPSS and ADF 11g. We have to develop a custom screen in the application to perform user administration and not thru the WebLogic console or Fusion Middleware Control. Can you show us a link or some materials which do it? We have to do it thru DB authentication and not thru LDAP or a flat file.

    Thanks,
    Sara

    ReplyDelete
  49. Hi oscarmjv

    Can you check the page authorization?
    When you have anonymous or authenticated then this explains it. When you remove these app roles from the page then this user can not log in.

    ReplyDelete
  50. Hi Sara,

    Don't know OPSS, but I think you can use this blog post in combination with ADF Security and add a login page. This is described in the ADF documentation:
    http://download.oracle.com/docs/cd/E12839_01/web.1111/b31974/adding_security.htm#BABDEICH

    thanks

    ReplyDelete
    Thanks a lot for your answer. I finally made my example run; the problem was a confusion between enterprise roles and application roles. Now I'm trying to follow your example about dynamic menus based on roles, and about this I have a question. Can I have two tables, one with enterprise roles and another with application roles, and build my menu over application roles? Because in my previous example I made a one-to-one mapping between roles.

    ReplyDelete
  52. Hi,

    You can only have one table for the enterprise roles (SQL authenticator in WLS); the application roles are only added by ADF Security in the jazn xml or in the weblogic.xml.

    thanks Edwin

    ReplyDelete
    In my current project, where you helped me to understand and clarify the concepts of authentication and providers better, I created a SQLAuthenticator and everything went OK, until my boss told me to use the project with some BPEL processes. The problem here is that if I create, configure and use some property accounts of the embedded LDAP like mail, notifications work well. I want to use the SQLAuthenticator in the SOA Suite server too, but I see that with this provider the properties section does not exist in the WebLogic console. What can I do?

    Could you help me?

    ReplyDelete
  54. Hi,

    Indeed, Human Workflow and the SQL authenticator do not work well together. It relies on an LDAP repository with all the attributes. You can use the internal LDAP or use AD / OID etc.

    But you can use the same LDAP provider in your web application. This works perfectly.

    thanks

    ReplyDelete
  55. Hi,

    Marc Kelderman has a solution to use the SQL Authenticator with Human Workflow

    http://orasoa.blogspot.com/2010/06/sqlauthenticator-and-human-worklist.html

    thanks

    ReplyDelete
    Thanks a lot for your answer, I'll check the sites that you mentioned, but I have another question. I read in your post "Creating Users and Groups in Weblogic with WLST" a great way to create users, but based on your example I was looking in WebLogic's documentation for a way to configure properties like "mail", and I can't find information or an example. Please could you help me again (I am sorry :( )

    ReplyDelete
  57. Hi,

    First, when you use an LDAP authenticator, like the internal one of WebLogic, you can set these properties in the WLS console at a user (myrealm security realm) or you can do it in Java; maybe this can help you: http://biemond.blogspot.com/2010/02/soa-11g-identity-service-and-human-task.html.

    I don't think you can set email with a SQL authenticator.

    thanks

  58. Thanks a lot again !! I read the post that you told me and I think it contains a good approach and it can work for me. Java World is new to me and SOA concepts too, but with your guide and pointers everything goes Ok.

    Regards.

  59. Edwin,
    I have two applications on the same domain and security realm, running on different JDBC data sources and authentication providers.
    The problem is, my users are getting confused between applications, for example, I can log in with weblogic/weblogic on my application...

    Do you know how I can solve this?

    Thanks,
    Renan.

  60. Hi,

    Do you only have authenticated users as your security in your apps? Then this explains it.

    You should use specific unique groups in your authenticators and map these to the adf enterprise roles & adf application roles of your ADF application. These application roles can be the role for the jsf pages and task flows, and don't use the authenticated role.

    For more information see this:

    http://blog.whitehorses.nl/2010/02/01/weblogic-web-application-container-security-part-2-adf-security/

    thanks

  61. Could we have LDAP for authentication and Database tables for Authorization?

  62. Hi,

    Could we have LDAP for authentication and Database tables for Authorization?

    I never tried it but I think it is possible. Add two authenticators, set all authenticators to sufficient, and the user must exist in both authenticators. And let's hope that WebLogic will merge these authenticators.

    thanks

  63. Thanks for quick reply. I'll try your suggestion. If not I am assuming that I should implement custom JAAS module. Do you agree?

  64. Hi, I followed this example and I could create users and groups on wls using the sql authenticator. The problem I found is when I use my login:

    public String doLogin() {
        // _username and _password are the login form fields of this bean
        FacesContext ctx = FacesContext.getCurrentInstance();
        byte[] pw = _password.getBytes();
        HttpServletRequest request =
            (HttpServletRequest)ctx.getExternalContext().getRequest();
        CallbackHandler handler = new SimpleCallbackHandler(_username, pw);
        try {
            Subject mySubject = Authentication.login(handler);
            ServletAuthentication.runAs(mySubject, request);
            String loginUrl = "/adfAuthentication?success_url=/faces/TextoVuo";
            HttpServletResponse response =
                (HttpServletResponse)ctx.getExternalContext().getResponse();
            sendForward(request, response, loginUrl);
        } catch (FailedLoginException fle) {
            ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
                "Incorrect Username or Password", null));
        } catch (LoginException le) {
            le.printStackTrace();
        }
        return null;
    }

    If my user uses the DefaultAuthenticator it works ok, but when my user uses the sql authenticator db_users it goes through FailedLoginException.

    Any ideas? thanks!!

  65. Hi,

    Please check if all your authenticators have sufficient as control flag,

    and then follow this, especially the part about enterprise roles and application roles: http://blog.whitehorses.nl/2010/02/01/weblogic-web-application-container-security-part-2-adf-security/

    thanks

  66. Hi Edwin,

    I've configured my application to work with my custom authentication tables based on your proposed solution.
    Do you have any clue how I can configure the SOA Suite 11.1.1.2 workflow service to use my custom authentication tables as well?

    Marc Kelderman's solution which you have mentioned is a file based configuration for SOA Suite 11.1.1.1.
    thanks

    Farnoush (the_farnoush@yahoo.com)

  67. hi edwin
    I created some tables for user management and defined a security realm provider for it in the weblogic console, but when I want to enable adf security in my application I can not find an ldap connection in the adf security wizard.
    In the first page of the wizard I select adf authentication and authorization, in the second page I choose form based authentication and select viewcontroller.jpr as the web project, but in the third screen of the wizard there is no ldap for selecting and finally my application only uses jazn.xml as provider.
    my jdeveloper version is 11.1.1.3.0
    thank you
    amir

  68. Hi,

    No need for an LDAP connection, just complete the wizard and manually add your enterprise and application roles, and add security to your pages and task flows.

    Please follow this guide, especially the part about enterprise roles and application roles: http://blog.whitehorses.nl/2010/02/01/weblogic-web-application-container-security-part-2-adf-security/

    thanks

  69. hi edwin
    thanks for your reply
    I did what you said and my application now authenticates users with the oracle user table, but there is one more problem. The security context loads user data and its roles from the tables properly, but when I define a security policy for a jsf page in jazn-data.xml it does not work.
    For example test_user has the admin role based on the oracle tables. In the application the following statement returns true when I login with test_user:
    #{securityContext.userInRole['admin']}
    but when I grant untitled1 (jsf page) to the admin role in jazn-data.xml I cannot view this page with test_user.
    thank you
    amir

  70. Hi,

    Did you map all the enterprise roles to the application roles?

    And do a System.out of the user's application roles. And the pages need to have Page Definitions.

    thanks

  71. thanks for your reply edwin
    I found the source of my problem.
    Every time I run my application in the integrated weblogic, JDeveloper inserts the jazn enterprise roles into the roles table with a new id.
    I want to create a user management form for the end user to assign roles to users at run time, but I can not assign a role to a user correctly because the role id changes every time the application runs. I know this problem comes from the tag in the default domain config file.
    You wrote the insert command in this tag, so every time the application deploys on weblogic this command inserts the enterprise role into the roles table with a new id.
    I don't know how to write the insert in this tag so it doesn't change existing roles.
    The current insert role statement in the config file is:
    insert into jhs_roles(id, short_name, name) values (jhs_seq.nextval, ?, ?)

    thanks for your help
    amir

  72. Hi,

    You can disable the role creation in the application settings.

    Or when you use JHeadstart this is also an option.

    thanks

  73. hi edwin
    thanks for your help
    I unchecked the deploy users and groups check box in the JDeveloper security configuration window and my previous problem is solved.
    But I face another problem.
    I have some jsf forms in the web content root and some forms in a test folder that is placed inside web content. All of my root forms work based on the jazn policy (I can see them after login), but when I want to access the test folder forms I always get Error 401--Unauthorized.
    Even when I set anonymous for the test folder forms in jazn I get the same error.
    The complete error message is:
    The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.

  74. Hi Edwin,
    I am using jdeveloper 11.1.1.1.2.x
    I have done adf security as shown in this link

    I want to use database tables as authentication provider with respect to a particular application.
    For example: I have a wls domain which has numerous applications which all use adf security and use different schemas for roles and user management.

    You have defined the database tables and schema in the domain config.xml, so I think this will be common to all applications...
    So can you provide me some links to tutorials or blogs that teach me how to do this...

    Regards,
    Santosh.

  75. Hi,

    Indeed, every authentication provider works for every application. So the trick is to use unique application roles in your application.

    So then it does not matter.

    thanks

  76. Hi,
    Thanks for reply.
    "indeed, every authentication provider works for every application. so the trick is to use unique application roles in your application."
    The roles can be easily distinguished by providing some prefix against them.
    For example:
    HMS_USER, STATIONERY_USER, HRMS_ADMIN...
    :-)
    Thanks.

  77. Hi Edwin,
    What if I have 2 applications in a domain, and 2 sqlauthenticators connected to different schemas used by both applications.

    Assume coincidentally both sqlauthenticators have a user with the same userid, won't it cause a problem?
    Is there any way to point an application to use a particular sqlauthenticator?
    Can you please provide any pointers for this type of problem.


    Thanks & Regards,
    Santosh.

  78. Santosh,

    We did it for three applications with no problem at all.

    We defined three jdbc connections, then we added three jazn providers and added the right SELECTs depending on the user/role tables (config.xml).

    It works well even for the same userid because the userid is under the jazn provider name, so no conflict.

    Best regards
    Jamil

  79. Hi jn1234,Edwin

    I have 2 applications and 2 sqlauthenticators; one application uses one sqlauthenticator and the other uses the other sqlauthenticator for authentication.
    Suppose both sqlauthenticators have the same userid, then how can authentication be distinguished between the 2 sqlauthenticators for a web application?

    Any pointers..?

    Regards,
    Santosh

  80. Hi,

    Don't know exactly, but I think the userid of the first sql authenticator will be used for authentication and I think the second userid will be ignored or the roles are merged with the first userid.

    Try it out and let me know.

    thanks

  81. Santosh,

    Every sqlauthenticator has a provider name (DB1_users, DB2_users, etc...)

    and every provider has a data source (JDBC-schema1, JDBC-schema2, etc...)

    so no conflict at all between the same names since every name comes from a different provider and datasource.

    Go to console > Security Realms / myrealm > Users and Groups

    If you have two or more sqlauthenticators with the same name in the DB you will find these names with a different provider: admin/DB1_users, admin/DB2_users etc...

    I tested all of this and it works well.

    Best regards
    Jamil

  82. Hi Edwin,

    I am testing DB authentication in the Integrated WLS. If I edit the config.xml file for the Integrated WLS, will any application deployed to the Int WLS, if configured by ADF Security, authenticate by DB?

    Is it ok to do DB authentication in the Integrated WLS?

  83. Hi Edwin,
    I was trying your post in the Integrated WLS. I am following your post. I edited the config.xml file of the Int WLS. Edited web.xml, weblogic.xml with the app roles, i.e. ADMIN_APP, USER_APP. I also created these roles in jazn-data & gave the view permission on the page.
    I did not create an enterprise role or any user, as I am thinking user info must be loaded from the db. "Authorization Check Failed" is coming. Please guide me.

  84. Hi,

    Please read this:
    http://blog.whitehorses.nl/2010/01/29/weblogic-web-application-container-security-part-1/

    and this one for adf security:
    http://blog.whitehorses.nl/2010/02/01/weblogic-web-application-container-security-part-2-adf-security/

    thanks

  85. Hi Edwin,

    I am experiencing a hard time implementing this db security. Everything seems to be ok as I followed your post, even followed the remarks. At login time, the error ORA-01005: null password given; logon denied is coming. My standalone WLS is extended already. The SQLAuthenticator is able to locate the db tables. Can you point out what I am missing here?

    Thanks.

  86. Hi,

    Go to your WLS console and check in security/realm that all your roles/users are well loaded from your DB.

    This can help to know where to check

    Jamil

  87. Hi,

    All users/roles are properly showing in myrealm in WLS console.
    They are matching with db tables values.

    Still in same problem.

    Thanks.

  88. What I can see is that your setup is good and you have a problem on the Oracle DB side.

    Is your application working when disabling the security authentication?

    Try to change to another Oracle DB installation and test.

    Jamil

  89. I raised this issue on OTN - http://forums.oracle.com/forums/thread.jspa?threadID=2247646&tstart=0

    It is working in the integrated wls with security & without security.
    No, I am on a prod db. I cannot change this.

  90. Hi,

    ORA-01005: null password given

    This is given by the authenticator (wls side), so somehow the password is wrong.

    Did you copy the authenticator from the integrated config.xml? If so, then you need to remove the password field and enter it again. The password is machine specific.

    thanks

  91. Hi,

    I didn't copy from the intg wls. I am editing the config.xml of the standalone wls. However, I re-entered the password fields but get the same error. However, on starting wls, I see a message 'PL/SQL statement ignored' & some truncated logs. Is this causing some problem?

  92. Hi,

    Ok, try to do it from wlst or in the console.

    thanks

  93. Hi Edwin,
    I have implemented adf security to login with the sql authenticator. Now how can I change passwords for my users from the user end? Also I need to create new users (from an admin page). Currently I am doing this from the weblogic server. But our requirement states that it needs to be done from the application. Can you please tell me how to do this or provide links for the same?

    Jose

  94. Hi,

    It depends. If you use plain text passwords (not recommended) then you can generate an ADF page on that table,

    else you need to know that weblogic does the sha password encryption and do the same from adf on the password field.

    thanks

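Comment 94 above says that an application which manages passwords itself has to produce the same digest WebLogic produces. The block below is an added example, not code from the post or its author: it writes and verifies values in the form the SQLAuthenticator stores for PasswordStyle HASHED, assuming PasswordStyleRetained so the "{ALGORITHM}" prefix is kept, WebLogic's default SHA-1 digest, and that any JCE digest name (SHA-256 here) is accepted; the function names and the sample rows are constructed.

```python
"""Produce and verify password values in the format WebLogic's SQLAuthenticator
stores when PasswordStyle is HASHED: "{ALGORITHM}" + Base64(digest(password)).
Added example, not from the original post. Assumptions: PasswordStyleRetained is
on so the prefix is kept, and the algorithm is a JCE digest name (default SHA-1)."""
import base64
import hashlib
import hmac

# JCE digest names as they appear in the {prefix} -> hashlib constructor
DIGESTS = {"MD5": hashlib.md5, "SHA-1": hashlib.sha1, "SHA-256": hashlib.sha256}
WEAK = {"MD5", "SHA-1"}   # unsalted, fast digests: worth flagging in an audit


def wls_password_hash(password, algorithm="SHA-1"):
    """Value to write into the password column for a new or changed password."""
    digest = DIGESTS[algorithm](password.encode("utf-8")).digest()
    return "{%s}%s" % (algorithm, base64.b64encode(digest).decode("ascii"))


def split_stored(stored):
    """Return (algorithm, base64_digest), or (None, stored) for an unprefixed value."""
    if stored.startswith("{") and "}" in stored:
        algorithm, encoded = stored[1:].split("}", 1)
        return algorithm, encoded
    return None, stored


def verify_password(candidate, stored):
    """Constant-time check of a login attempt against the stored column value.
    An unprefixed value is treated as PasswordStyle PLAINTEXT (assumption)."""
    algorithm, expected = split_stored(stored)
    if algorithm is None:
        return hmac.compare_digest(candidate.encode("utf-8"), expected.encode("utf-8"))
    if algorithm not in DIGESTS:
        return False
    return hmac.compare_digest(wls_password_hash(candidate, algorithm), stored)


def audit_password_column(rows):
    """Classify each (username, stored) row as plaintext, weak digest or ok.
    Useful before an admin page starts writing passwords from the application."""
    report = {}
    for username, stored in rows:
        algorithm, _ = split_stored(stored)
        if algorithm is None:
            report[username] = "plaintext"
        elif algorithm in WEAK:
            report[username] = "weak:" + algorithm
        else:
            report[username] = "ok:" + algorithm
    return report


# Constructed sample rows, as a users table like JHS_USERS might hold them
SAMPLE_ROWS = [
    ("sking", wls_password_hash("password")),             # WebLogic default SHA-1
    ("ahunold", wls_password_hash("password", "MD5")),    # comment 104 configures MD5
    ("legacy", "password"),                               # PLAINTEXT style
    ("migrated", wls_password_hash("password", "SHA-256")),
]

if __name__ == "__main__":
    for user, status in audit_password_column(SAMPLE_ROWS).items():
        print(user, status)
```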
  95. Hi Edwin
    I have the same problem as Ramesh.
    I want to use LDAP for authentication and database tables for authorization but I couldn't do that, did you try that?

  96. Hi,

    I didn't try to combine two authentication providers, but does WebLogic not merge the users and groups of two authentication providers? Maybe the users should have the same password.

    I think the first authenticator will be used for the password.

    let me know what you tried.

    thanks.

  97. I found a solution on one forum:
    -login.jspx

    -welcome.jspx

    and in the bean of login.jspx

    public void login(javax.faces.event.ActionEvent actionEvent) {
        Subject mySubject;
        FacesContext fctx = FacesContext.getCurrentInstance();
        HttpServletRequest request = null;
        request = (HttpServletRequest)fctx.getExternalContext().getRequest();
        HttpServletResponse response = null;
        response = (HttpServletResponse)fctx.getExternalContext().getResponse();

        UIViewRoot viewRoot = fctx.getViewRoot();
        RichInputText username = (RichInputText)viewRoot.findComponent("usrfield");
        String usernameStr = (String)username.getValue();
        RichInputText password = (RichInputText)viewRoot.findComponent("pwfield");
        String passwordStr = (String)password.getValue();

        //CallbackHandler handler = new SimpleCallbackHandler(usernameStr, passwordStr);

        try {
            int authSuccess = ServletAuthentication.login(usernameStr, passwordStr, request, response);
            if (authSuccess == ServletAuthentication.AUTHENTICATED) {
                try {
                    mySubject = Security.getCurrentSubject();
                    for (int i = 0; i <= 10; i++) {
                        mySubject.getPrincipals().add(new WLSGroupImpl("Role" + i * 10));
                    }
                    ExternalContext ectx = fctx.getExternalContext();
                    ectx.redirect("faces/" + "welcome.jspx");
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
        } catch (LoginException le) {
            String message = le.toString();
            le.printStackTrace();
            fctx.addMessage("usrfield", new FacesMessage(FacesMessage.SEVERITY_ERROR, message, null));
        }
    }


    and this works very well,
    what do you think?

  98. Hi Edwin,

    Your post is working for me,
    but I want this to work in my custom login.jspx page. I don't want to use the browser login dialog.

    How can I do that?

    Regards.

  99. Hi,

    Here we go, it is explained in the Oracle documentation:
    http://download.oracle.com/docs/cd/E17904_01/web.1111/b31974/adding_security.htm#BABDEICH

    thanks

  100. Thanks a lot for the post.

    It helps in solving my issue

  101. Hi,

    I was wondering if you or anyone out there can offer any advice? I have a simple weblogic domain running one MS and one AS, and I have one deployed app.

    The app requires SQL authentication from an HSQLDB source. I have created the source and that tests OK; I can also use the light hsqldb gui and run a test statement that lists the users.

    I have set up a provider in the realm and set all my sql statements up (these were checked in the step above).

    However, when I try and log into the application I am getting access denied. The logs aren't telling me too much - I have also noticed that in the realm, when I click users and groups, nothing is displaying from my remote resource. I can provide all source files if anyone is struggling to think what this could be, as well as log files.

    Thanks

    Dave

  102. Dave,

    "...I have also noticed that in the realm, when I click users and groups"

    This means you have a problem with the setup of the DataSource or the Realm.

    We can start looking at your config.xml file from the location below if you are running the embedded WLS.
    USER\AppData\Roaming\JDeveloper\systemXX.XX.XX.XX\DefaultDomain\config.xml

    Thanks
    Jamil

  104. Hi Jamil,

    Thanks for your response; I guess that confirms my thoughts regarding not listing the remote users. I've substituted code blocks for {} as it seems code and pre blocks are disabled here.


    {realm}
    {sec:authentication-provider xsi:type="wls:default-authenticatorType"}
    {sec:control-flag}SUFFICIENT{/sec:control-flag}
    {/sec:authentication-provider}
    {sec:authentication-provider xsi:type="wls:default-identity-asserterType"}
    {sec:active-type}AuthenticatedUser{/sec:active-type}
    {/sec:authentication-provider}
    {sec:authentication-provider xsi:type="wls:sql-authenticatorType"}
    {sec:name}dqinsight{/sec:name}
    {sec:control-flag}SUFFICIENT{/sec:control-flag}
    {wls:data-source-name}dqinsight{/wls:data-source-name}
    {wls:sql-get-users-password}SELECT accountpassword FROM account WHERE accountname = ?{/wls:sql-get-users-password}
    {wls:sql-user-exists}SELECT accountname FROM account WHERE accountname = ?{/wls:sql-user-exists}
    {wls:sql-list-users}SELECT accountname FROM account WHERE accountname LIKE {/wls:sql-list-users}
    {wls:sql-list-groups}SELECT rolename FROM roles WHERE rolename LIKE ?{/wls:sql-list-groups}
    {wls:sql-group-exists}SELECT rolename FROM roles WHERE rolename = ?{/wls:sql-group-exists}
    {wls:password-algorithm}MD5{/wls:password-algorithm}
    {wls:password-style}HASHED{/wls:password-style}
    {wls:sql-create-user}INSERT INTO account VALUES ( ? , ? , ? {/wls:sql-create-user}
    {wls:sql-remove-user}DELETE FROM account WHERE accountname = ?{/wls:sql-remove-user}
    {wls:sql-set-user-password}UPDATE account SET accountpassword = ? WHERE accountname = ?{/wls:sql-set-user-password}
    {wls:sql-create-group}INSERT INTO roles VALUES ( ? , ? ){/wls:sql-create-group}
    {wls:sql-remove-group}DELETE FROM roles WHERE rolename = ?{/wls:sql-remove-group}
    {/sec:authentication-provider}
    {sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType"}{/sec:role-mapper}
    {sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType"}{/sec:authorizer}
    {sec:adjudicator xsi:type="wls:default-adjudicatorType"}{/sec:adjudicator}
    {sec:credential-mapper xsi:type="wls:default-credential-mapperType"}{/sec:credential-mapper}
    {sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"}{/sec:cert-path-provider}
    {sec:cert-path-builder}WebLogicCertPathProvider{/sec:cert-path-builder}
    {sec:name}myrealm{/sec:name}


    To my untrained eye it looks ok but if you see anything obvious please do say :)

    Thanks

    Dave

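The fragment in comment 104 can be checked mechanically: each SQLAuthenticator statement takes a fixed number of JDBC bind parameters, so a statement that lost its `?` (the posted sql-list-users) or a closing parenthesis (the posted sql-create-user) cannot be prepared, and an MD5 password algorithm is worth flagging in any review. The checker below is an added example, not from the thread; its sample realm is constructed from the posted fragment with `{}` restored to `<>`, and the expected parameter counts are read off the statements' own shapes.

```python
"""Sanity-check the SQL statements of a WebLogic SQLAuthenticator realm fragment.
Added example, not from the original post; the sample realm is constructed from
the fragment posted in the thread (with the {} brackets restored to <>)."""
import xml.etree.ElementTree as ET

# Number of JDBC bind parameters ('?') each statement in the posted fragment
# needs, read off the shape of the statements themselves.
EXPECTED_PARAMS = {
    "sql-get-users-password": 1, "sql-user-exists": 1, "sql-list-users": 1,
    "sql-list-groups": 1, "sql-group-exists": 1, "sql-create-user": 3,
    "sql-remove-user": 1, "sql-set-user-password": 2, "sql-create-group": 2,
    "sql-remove-group": 1,
}
WEAK_ALGORITHMS = {"MD5", "SHA-1"}   # unsalted, fast digests
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"


def _local(tag):
    """Strip the namespace from an ElementTree tag: '{uri}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def check_sql_authenticator(provider):
    """Return a list of (element, message) findings for one provider element."""
    findings = []
    for el in provider:
        name = _local(el.tag)
        text = (el.text or "").strip()
        if name in EXPECTED_PARAMS:
            got, want = text.count("?"), EXPECTED_PARAMS[name]
            if got != want:
                findings.append((name, "expected %d bind parameter(s), found %d" % (want, got)))
            if text.count("(") != text.count(")"):
                findings.append((name, "unbalanced parentheses"))
        elif name == "password-algorithm" and text.upper() in WEAK_ALGORITHMS:
            findings.append((name, "%s is an unsalted digest" % text))
        elif name == "password-style" and text.upper() == "PLAINTEXT":
            findings.append((name, "passwords stored in plaintext"))
    if not any(_local(e.tag) == "data-source-name" for e in provider):
        findings.append(("data-source-name", "missing"))
    return findings


def check_realm(xml_text):
    """Find every sql-authenticatorType provider in a <realm> and check it."""
    root = ET.fromstring(xml_text)
    results = {}
    for prov in root.iter():
        if _local(prov.tag) == "authentication-provider" and \
                prov.get(XSI_TYPE, "").endswith("sql-authenticatorType"):
            name = next((e.text for e in prov if _local(e.tag) == "name"), "?")
            results[name] = check_sql_authenticator(prov)
    return results


# Constructed from the realm fragment posted in comment 104
SAMPLE_REALM = """<realm xmlns:sec="http://xmlns.oracle.com/weblogic/security"
  xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <sec:authentication-provider xsi:type="wls:sql-authenticatorType">
    <sec:name>dqinsight</sec:name>
    <sec:control-flag>SUFFICIENT</sec:control-flag>
    <wls:data-source-name>dqinsight</wls:data-source-name>
    <wls:sql-get-users-password>SELECT accountpassword FROM account WHERE accountname = ?</wls:sql-get-users-password>
    <wls:sql-user-exists>SELECT accountname FROM account WHERE accountname = ?</wls:sql-user-exists>
    <wls:sql-list-users>SELECT accountname FROM account WHERE accountname LIKE </wls:sql-list-users>
    <wls:sql-list-groups>SELECT rolename FROM roles WHERE rolename LIKE ?</wls:sql-list-groups>
    <wls:sql-group-exists>SELECT rolename FROM roles WHERE rolename = ?</wls:sql-group-exists>
    <wls:password-algorithm>MD5</wls:password-algorithm>
    <wls:password-style>HASHED</wls:password-style>
    <wls:sql-create-user>INSERT INTO account VALUES ( ? , ? , ? </wls:sql-create-user>
    <wls:sql-remove-user>DELETE FROM account WHERE accountname = ?</wls:sql-remove-user>
    <wls:sql-set-user-password>UPDATE account SET accountpassword = ? WHERE accountname = ?</wls:sql-set-user-password>
    <wls:sql-create-group>INSERT INTO roles VALUES ( ? , ? )</wls:sql-create-group>
    <wls:sql-remove-group>DELETE FROM roles WHERE rolename = ?</wls:sql-remove-group>
  </sec:authentication-provider>
  <sec:name>myrealm</sec:name>
</realm>"""

if __name__ == "__main__":
    for provider, findings in check_realm(SAMPLE_REALM).items():
        for element, message in findings:
            print("%s: %s: %s" % (provider, element, message))
```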
  105. Hi,

    Can you set all the weblogic logging to debug/trace and enable debug on the jdbc and security sections in the debug tab?

    This should give you some clue.

    thanks.

  106. Hi Edwin,

    I'd enabled debug but don't see a huge amount of useful information or a glaring fault. I'll upload the logs to my googledocs space later and share the link.

    Thanks

    Dave

  107. Dave,

    For an unknown reason my post did not pass yesterday.

    Please check our working config.xml (security-configuration) so I hope you can find the cause.

    Note that we have two authentication providers.

    Thanks
    Jamil

  108. Oops I forgot the link
    http://pastebin.com/whC11RAw

    Thanks
    Jamil

  109. Hi,

    I don't see anything wrong. Check your jdbc targeting and your database drivers, maybe you need to replace them.

    thanks

  110. Edwin,

    Yes my config.xml is working well but I sent it to Dave to let him compare with his not working file.

    Hope it will help

    Thanks
    Jamil

  111. Hi Edwin,

    Thanks very much for this article.

    Is it possible to map enterprise roles and users to application roles at runtime?

    Many thanks,
    Laurence.

  112. Hi,

    Don't think so, you need to update the jazn-data.xml of WebLogic; this can be done with a deployment or in Enterprise Manager and maybe wlst.

    But not at runtime. This has to be done in a session which affects every other user session. It will be a bit messy.

    Maybe you can do something with the wls enterprise roles, change them and reload it.

    Thanks

  113. Apologies for the disappearing act; we got to the root of our issues. Our HSQLDB.jar was corrupt. Despite showing in the console and the connection testing correctly, and also being able to open it and view files, there was something corrupt in there somewhere.

    Needless to say the service is running and we're sorted.

    Thanks for your help; I'll keep checking in to see if I can offer any help along the way!

    Dave

  114. Hi Edwin,

    Is it possible to skip the authentication part, and use only the authorization implementation using the SQL Provider? In ADF it by default comes with Authentication and Authorization.

    What if the application authentication is done from SSO which provides a payload, and based on the payload there are some tables with roles and users. I know you will advise to use the WLS Identity Asserter. Do you have any example on the WLS Identity Asserter, or can we achieve this using the SQL Provider? If yes, how?

    Thanks for a wonderful blog.
    Jack.

  115. Hi,

    I think you can use both, sso and sql authenticator.

    I do the same with saml; the saml authenticator will check the password and it is combined with the users and roles of the internal wls ldap.

    The roles of the two authenticators will be combined.

    thanks

  116. Hi Edwin.
    I've done it. But a Login denied error occurs when I use it on an osb web service for user authentication.
    How to set the application user role for db table users as weblogic application users?

    thanks
    juddi

    1. Hi,

      What did you do on the osb proxy for the security part? And does it work with the internal ldap users and roles?

      thanks

  117. Hi Edwin, I followed this post but when I restart my weblogic and again go to myrealm, I am only seeing the Default Authenticator users. I am not able to see db_users.

  118. Recheck your config.xml and make sure you have your db_users there with the right format.

    This is a working realm tag from config.xml

    http://pastebin.com/CXe7Qz80

    Jamil

  119. Thanks for the post. It helped. Now I want to authenticate the same database users in ADF pages. How am I going to do it? Do I need to add the same database users and roles in jazn-data.xml? And do I need to change web.xml? Currently I am following this post http://blog.whitehorses.nl/2010/02/01/weblogic-web-application-container-security-part-2-adf-security/ but in vain. I want to achieve this in jdeveloper 11.1.1.5, as there are 5 steps in adf security. Please help me.

    1. Hi,

      The database roles are the enterprise roles in the jazn. You need to add all db roles to the enterprise section, then you can map these to your own application roles.

      For the adf pages, you need to have a pagedef and add the right application roles to it.

      No need to change web.xml, you only need to have the valid-users entry.

      thanks

  120. fyi

    Several OTN forum threads refer to this blog post.

    Be wary when using ADF Security (OPSS) with a SQLAuthenticator.

    This is feedback I got in SR 3-4124753004:

    "If the you want to use DB as the identity store, then the supported way is to buy OVD server license and configure DB adapter in OVD and then configure an OVD authenticator in Weblogic. SQLAuthenticator will not be used as identity store. And, we do not recommend to use LibOVD for DB identity store. OVD server is the recommended and supported way."

    related bugs are:
    - bug 13876651, "FMW CONTROL SHOULD NOT ALLOW MANAGING USERS GROUPS FROM SQL AUTHENTICATOR"
    - enhancement request 12864498, "OPSS : ADDMEMBERSTOAPPLICATIONROLE : THE SEARCH FOR ROLE FAILED"

    related forum threads are:
    - "ADF Security : identity store : tables in a SQL database"
    at https://forums.oracle.com/forums/thread.jspa?threadID=2297519
    - "OPSS : addMembersToApplicationRole : The search for role failed"
    at https://forums.oracle.com/forums/thread.jspa?threadID=2255413

    regards
    Jan Vervecken

    1. hi jan,

      Indeed, it should only be used for authentication or authorization in a weblogic web application with or without adf security.
      When you use webcenter or soa suite you should use an ldap server like oid or ad and maybe openldap. My experience is opss only works great with ldap.

      So don't try to create or look up users with the opss classes. Just use it for container security.

      thanks edwin

  121. Hi Edwin,

    Is it necessary to use Basic authentication with the sql authenticator? Or can we use form based authentication also?

    Thanks,
    Rakesh

    1. Hi,

      No problem, you can do what you want; authentication is handled by the container. After login the container will check the authentication providers.

      Thanks

  122. Hi Edwin,

    Thanks for the reply.

    But when I tried to use the SQL authenticator first with BASIC authentication:

    I have a custom login page and a protected page.

    On successful login, myrealm pops up asking for my credentials again.. Only if I give my credentials again in the popup does it redirect to the protected page.. Do you know why this is happening? I have both authentication providers as sufficient in weblogic.


    Thanks
    Rakesh

    1. Hi,

      With a custom login you should use form in the web.xml and not basic.
      <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
          <form-login-page>/faces/login</form-login-page>
          <form-error-page>/faces/noRights</form-error-page>
        </form-login-config>
      </login-config>

    2. Hi Edwin,

      I tried doing the form authentication but after I click log in on "login.jspx", the page just refreshes. It does not navigate to the protected page (home.jsf) at all.

      my web.xml looks like this

      <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
          <form-login-page>/faces/login.jspx</form-login-page>
          <form-error-page>/faces/error.jsf</form-error-page>
        </form-login-config>
      </login-config>

      and in my login bean I have specified the url also.

      It used to work with BASIC authentication except for the above problem,
      but with form based it is not navigating at all. When I checked the bean it was calling the sendForward method but it's returning back to the login page itself.

      Thanks.

    3. hi,

      Check the role mapping in the weblogic.xml and the url security patterns of the servlets.

      And then how do you authenticate and redirect in the bean?
      Like this:

      public String doLogin() {
          String un = _username;
          byte[] pw = _password.getBytes();
          FacesContext ctx = FacesContext.getCurrentInstance();
          HttpServletRequest request =
              (HttpServletRequest)ctx.getExternalContext().getRequest();
          CallbackHandler handler = new SimpleCallbackHandler(un, pw);
          try {
              Subject mySubject = Authentication.login(handler);
              ServletAuthentication.runAs(mySubject, request);
              ServletAuthentication.generateNewSessionID(request);
              String loginUrl = "/adfAuthentication?success_url=/faces" +
                  ctx.getViewRoot().getViewId();
              HttpServletResponse response =
                  (HttpServletResponse)ctx.getExternalContext().getResponse();
              sendForward(request, response, loginUrl);
          } catch (FailedLoginException fle) {
              FacesMessage msg = new FacesMessage(FacesMessage.SEVERITY_ERROR,
                  "Incorrect Username or Password",
                  "An incorrect Username or Password" +
                  " was specified");
              ctx.addMessage(null, msg);
          } catch (LoginException le) {
              reportUnexpectedLoginError("LoginException", le);
          }
          return null;
      }

  123. weblogic.xml
    {code}
    <security-role-assignment>
      <role-name>valid-users</role-name>
      <principal-name>users</principal-name>
    </security-role-assignment>
    {code}

    My login bean

    FacesContext ctx = FacesContext.getCurrentInstance();
    HttpServletRequest request = (HttpServletRequest)ctx.getExternalContext().getRequest();
    BindingContainer bindings = getBindings();
    ExternalContext ectx = ctx.getExternalContext();
    HttpServletResponse response = (HttpServletResponse)ectx.getResponse();
    -----
    String loginUrl = "/adfAuthentication?success_url=/faces/home.jsf";
    sendForward(request, response, loginUrl);
    ------
    and the sendForward method is

    private void sendForward(HttpServletRequest request, HttpServletResponse response, String forwardUrl) {
        FacesContext ctx = FacesContext.getCurrentInstance();
        ExternalContext ectx = ctx.getExternalContext();
        forwardUrl = request.getContextPath() + forwardUrl;
        try {
            ectx.redirect(forwardUrl);
        } catch (IOException ioe) {
            reportUnexpectedLoginError("IOException", ioe);
        }
    }
    and the url pattern is
    <servlet-mapping>
      <servlet-name>Faces Servlet</servlet-name>
      <url-pattern>/faces/*</url-pattern>
    </servlet-mapping>

  124. Hi Edwin,

    It is now actually navigating to the next page when the page is given the anonymous role, but when I provide security for the page it is doing a redirect to the page and moving back to the login page.

    Thanks,
    Rakesh

    Replies
    1. Hi,

      First, I think you need to add the Error, Home and Login JSF pages to the adfc-config (unbounded TF), else they will run outside the ADF controller.
      Also add a pagedef (can be almost empty) to these pages: open the page, right click and go to page definition. This way you can set security in jazn.

      Do you use a user with the WebLogic role APPLICATION USER?

      Now go to the jazn-data.xml

      Add view permission to the pages; login can be anonymous and home -> authenticated or application role.
      Also add authenticated or application role to the Task Flows.

      thanks

  125. Hi Edwin,

    We have a requirement for our application to use an LDAP (AD) server for authentication and the DB for group authorization.
    We tried the suggestion posted above to configure two security providers, one for LDAP AD and another one (SQL Authenticator) for the groups.
    We created the same user in the GROUPMEMBERS table in the DB which is present in the LDAP server. Unfortunately this setup is not working. Can you please provide any suggestions?

    Thanks,
    Ravi

    Replies
    1. Hi,

      OK, that is a bummer. What do you see, always the roles of the first authenticator? And did you use the same passwords?

      Then the only thing that can work is to use OVD or something like that. Outside, for WebLogic, you have one LDAP, and with OVD you can use tables and other LDAP servers.

      Or maybe you can write your own authenticator which connects to LDAP and SQL.

      good luck.

  126. If you had some way of rating posts I would for sure give you a high rating my friend!

  127. Hi edwin,

    Thanks for the great tutorial.

    I have a problem with getting users from a database table.

    I configured the data source and provider.

    The configuration was tested and a user added.

    But when I go to Users and Groups my database user is not present and it gives an error in the log.

    I tested with the database user sys and it worked perfectly. But with a newly defined user it is not working.

    I am using Oracle Database 11gR2, JDeveloper.

    The log is:

    ServletContainerAdapter manager not initialized correctly.

    (DBMSAuthenticatorUsersNameList.java:19)
    at weblogic.security.providers.authentication.DBMSSQLReadOnlyAuthenticatorDelegateImpl.listUsers(DBMSSQLReadOnlyAuthenticatorDelegateImpl.java:351)
    ... 119 more

    Replies
    1. Hi,

      Please check your SQL query; maybe add the schema user, add private or public synonyms and of course check the database permissions.

      Thanks

  128. I just want to say Thank You! Your tutorial saved me.

  129. HI,

    I have configured security as you have explained in this blog, but can you please tell me how I can map my application to the SQL authentication provider which I have created?

    Thanks
    Nitesh

    Replies
    1. Hi,

      This is done in WebLogic as an authenticator. Your application does not know this.
      When you use ADF then you can use ADF Security and set up jazn, and with Java you can configure the web.xml.

      Thanks

  130. Hi,

    Thanks for the reply. This post is really very helpful. But whenever I redeploy my application it recreates the roles.
    Here are the log messages:

    [10:36:12 AM] Uploading jazn-data roles.
    [10:36:12 AM] Removing existing group "ADMIN".
    [10:36:12 AM] Creating group for role "ADMIN".
    [10:36:12 AM] Removing existing group "USER".
    [10:36:12 AM] Creating group for role "USER".

    I don't want this to happen; how can I prevent this?

    Thanks
    Nitesh

    Replies
    1. Hi,

      You can de-select these creation properties in the deployment part of your application properties.

      thanks

  131. This comment has been removed by a blog administrator.

  132. Hi Edwin,
    Thank you for your tutorial.
    I have defined an SQL authenticator in WebLogic 12c and my DBMS is Oracle.
    New user information is saved in the DB but I can only login with the default "weblogic" user!
    I have already reordered the providers. I also set the default authenticator's control flag to "OPTIONAL" and mine to "SUFFICIENT" but still cannot login.
    I am a bit confused! I am new to Java EE and I would like to develop an online store with the ability to create users.
    I would appreciate if you can help me.
    best regards

    Replies
    1. Hi,

      Strange. How about your roles or groups, do you see them at the user/group tabs of the myrealm security realm?

      I think you need a weblogic.xml to map the enterprise roles to your local roles and match them with the security defined in the web.xml.

      Here, check this:
      http://blog.whitehorses.nl/2010/01/29/weblogic-web-application-container-security-part-1/

      thanks

  133. Hi Edwin,

    Thank you for your reply.
    No, I cannot see them at the user/group tabs of my realm.
    I have already mapped the roles!
    I have googled around and found the following link
    http://docs.oracle.com/cd/E13222_01/wls/docs81b/dvspisec/atn.html
    It mentions that in order to develop a new provider the following steps should be taken:

    1. Create Runtime Classes Using the Appropriate SSPIs
    2. Generate an MBean Type Using the WebLogic MBeanMaker
    3. Configure the Custom Authentication Provider Using the Administration Console

    I have found the topic advanced for me and I have implemented a JAAS authentication class instead.
    I would like to know which solution meets my need? As I mentioned before, I have decided to set up an online marketplace with the ability of defining a username and password for customers.
    I am sure your advice will help me a lot.
    Once again thank you for your reply.
    Looking forward to hearing from you.

    Best regards

    Replies
    1. Hi,

      The first step is that you should see them in the user/group tabs of myrealm. This means the SQL authenticator does not work.
      Try to find the error: change the log levels of WebLogic and add some debug tracing to the JDBC and security part.

      Thanks

134. Hi Edwin, I tried to create an authentication provider for my web applications following your great tutorial.

    All things go right until I have to add the SQL authenticator provider in WebLogic via the WebLogic administration console. More specifically, I do create my SQLAuthenticator provider correctly (at this point I also reboot my application server), but when I click the Provider Specific tab to set the datasource name, password algorithm etc., I get this exception:

    javax.servlet.ServletException: javax.xml.transform.TransformerException: javax.xml.transform.TransformerException: com.sun.org.apache.xml.internal.utils.WrappedRuntimeException: The element type "inline-help" must be terminated by the matching end-tag "".

  135. Hi!

    Do you ever have performance issues with the Read Only SQL Authenticator?
    Our first call per user needs in the meantime up to 1 minute with the combination Kerberos / Read Only SQL Authenticator and ADF Security.
    Do you know some specific trace possibilities to analyze such problems?

    Kind regards
    Torsten

    Replies
    1. Hi,

      Strange, but you can change the log level of the managed server and enable debug on Kerberos and JDBC.

      Thanks

136. Hi Edwin, I still have the issue that I described in my previous post. Can you help me?

    Replies
    1. Hi,

      Can you take a look at the config.xml? There should be something wrong with the XML, or it is not complete.

      Thanks

  137. Hi Edwin,
    I have implemented SQL authentication as you described in the post above. I've tried to provide a configured JDBC data source name but this does not work, as the DS is not yet initialized when the security is initialized (not able to start the console anymore). Here is my stack trace:

    (DBMSSQLAuthenticatorDelegateImpl.java:77)
    at weblogic.security.providers.authentication.DBMSAuthenticatorDelegateImpl.getInstance(DBMSAuthenticatorDelegateImpl.java:459)
    at weblogic.security.providers.authentication.DBMSSQLAuthenticationProviderImpl.initialize(DBMSSQLAuthenticationProviderImpl.java:55)
    Truncated. see log file for complete stacktrace

138. Hi Edwin, do you know how I can add an email attribute from my database table of valid users and see it in the WebLogic console for SOA Suite, and therefore use this user (and its mail) in the notification section and ensure that the participant in a human workflow can receive an actionable email?

  139. This comment has been removed by the author.

140. Hi Edwin, we have a couple of web services developed in 12c, which we need to expose to outside users for their point of sale systems. The request coming from the POS system contains the username and password in URI format. How can we restrict unauthorized users even before entering the service? Is it possible to do in the EM console? We have around 200 - 300 users; would the SQL authenticator method work in our case?

  141. Hi Edwin,

    Can we use an OWSM policy for the provider "DATABASE AUTHENTICATE"?

    If yes, can you please send any link or steps.

    Currently I created users in the DB and am able to populate them in WebLogic with the DB authenticator.

    But the users are not working when I am testing from the service; only the users from the default authenticator are working.

    Could you please help us.

  142. hi Edwin,

    How to use an OWSM policy to look up a user in WebLogic via the database authenticator?

143. Please find the accurate details about the above query.

    Any suggestion would be really appreciated.

    Subject:-
    Unable to integrate OWSM policy with SQL Authentication provider

    Current Design:-
    1. Created a sample OSB service based on a WSDL which will add 2 numbers.
    2. Service is deployed & tested. It's working fine.
    3. Required to secure the service using the username/password token policy from OWSM. We are using oracle/wss_username_token_service_policy on our proxy service.
    4. Created a custom SQL Authentication Provider in WebLogic under myrealm and have set the control flag to SUFFICIENT for both SQLAuthenticator and DefaultAuthenticator.
    5. Created tables, users, groups & roles for SQLAuthenticator, which are getting synced with the tables. No issues faced regarding the sync from tables to WebLogic and vice versa.
    6. We have also re-ordered the provider to use it before the DefaultAuthenticator.

    Users created and provider details:-
    1. TestDefaultUser --- pointing to DefaultAuthenticator (created in WebLogic, no groups or roles attached)
    2. TestSQLUser --- pointing to SQLAuthenticator (custom RDBMS authentication)

    Problem Statement:
    1. When we attach the oracle/wss_username_token_service_policy policy to our OSB service and use TestDefaultUser as username/password, then the service is working absolutely fine with that user.
    2. But when we use the same policy on our OSB service and use TestSQLUser as username/password (re-deployed the service), then the service is throwing an error message: "OSB-386200: General web service security error". The service was unable to take the users created under the custom SQLAuthenticator provider.

    Attempted options:
    a. Tried re-setting the control flag to OPTIONAL & SUFFICIENT also, but no success.
    b. Also tried to set the virtualize flag to true in the EM console, but no success.
    c. Tried adding the global roles and conditions in the console for groups and users, but no success.

    Queries:-
    1. Is there any way or setting where we direct the OWSM policy to also point to the SQLAuthenticator provider?
    2. Can you please give detailed steps for it?
    3. Also, if we need to give grants to the users then how shall we do that?
