
Monday, December 15, 2008

Using a WebLogic provider as authentication for ADF Security in 11G

With ADF Security in JDeveloper 11g you can use an LDAP directory or a database table as the authentication provider in WebLogic. To create, for example, a new LDAP provider, see my blog or the one of Frank Nimphius.
In a next blog I will show you how you can use user and group tables as a provider in WLS.

Before we run the ADF Security wizard we first need to configure WebLogic. I will be using the internal WLS server of JDeveloper 11G. Start the instance, go to http://localhost:7101/console/ and open Security Realms. The default realm is 'myrealm', not jazn.com.



Go to your security provider and change its Control Flag from OPTIONAL to SUFFICIENT. With SUFFICIENT, a successful login against this provider is enough to authenticate the user.

Also change the Default Authenticator from REQUIRED to SUFFICIENT, otherwise the new provider will never be used: a REQUIRED provider has to succeed for every login, and a user that only exists in your LDAP is unknown to the Default Authenticator.
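To see why both flags matter, here is a small model of how a JAAS login stack (which is what WebLogic uses to combine its authentication providers) evaluates the Control Flags. This is an added example, not code from the original post or from WebLogic; the provider names and the users each provider knows are constructed. The "half done" stack (only the new provider set to SUFFICIENT) rejects the LDAP-only user; the "both SUFFICIENT" stack accepts anyone that any single provider accepts, which is also the caveat: every provider in the realm must be trusted equally, because one provider's success is final.

```python
"""Model of how WebLogic's JAAS login stack combines authentication
providers by Control Flag. Added example, not code from the original
post; provider names and the users each one knows are constructed."""

# Which users each provider can authenticate (constructed sample data).
PROVIDERS = {
    "DefaultAuthenticator": {"weblogic"},    # the domain's embedded LDAP
    "OpenLDAPAuthenticator": {"edwin"},      # the added external LDAP provider
}


def jaas_login(stack, user):
    """Evaluate an ordered stack of (provider, control_flag) pairs for `user`.

    JAAS rules, as WebLogic applies them to its providers:
      REQUIRED   must succeed; evaluation always continues down the stack.
      REQUISITE  must succeed; a failure ends evaluation immediately.
      SUFFICIENT a success ends evaluation with an overall success, unless a
                 REQUIRED/REQUISITE provider already failed; a failure is ignored.
      OPTIONAL   ignored unless no REQUIRED/REQUISITE provider is in the stack.
    Returns True when the login succeeds overall.
    """
    required_seen = required_failed = optional_ok = False
    for name, flag in stack:
        ok = user in PROVIDERS[name]
        flag = flag.upper()
        if flag in ("REQUIRED", "REQUISITE"):
            required_seen = True
            if not ok:
                required_failed = True
                if flag == "REQUISITE":
                    break
        elif flag == "SUFFICIENT":
            if ok and not required_failed:
                return True
        elif flag == "OPTIONAL":
            optional_ok = optional_ok or ok
        else:
            raise ValueError(f"unknown control flag {flag!r}")
    if required_seen:
        return not required_failed
    return optional_ok


# Three stacks: a new provider left at its default OPTIONAL flag, only the new
# provider changed to SUFFICIENT, and both providers on SUFFICIENT (the post).
NEW_PROVIDER_OPTIONAL = [("DefaultAuthenticator", "REQUIRED"),
                         ("OpenLDAPAuthenticator", "OPTIONAL")]
HALF_DONE = [("DefaultAuthenticator", "REQUIRED"),
             ("OpenLDAPAuthenticator", "SUFFICIENT")]
BOTH_SUFFICIENT = [("DefaultAuthenticator", "SUFFICIENT"),
                   ("OpenLDAPAuthenticator", "SUFFICIENT")]


def matrix():
    """Who can log in under each stack, for the three constructed users."""
    stacks = {"new_provider_optional": NEW_PROVIDER_OPTIONAL,
              "half_done": HALF_DONE, "both_sufficient": BOTH_SUFFICIENT}
    return {cfg: {u: jaas_login(stack, u) for u in ("weblogic", "edwin", "nobody")}
            for cfg, stack in stacks.items()}


if __name__ == "__main__":
    for cfg, results in matrix().items():
        print(cfg, results)
```

Provider order in the realm also matters in the real stack, because a SUFFICIENT success stops evaluation at that point; the model reproduces that by returning as soon as such a provider succeeds.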


Now we can run the ADF Security wizard in JDeveloper 11g

Just choose an authentication type.


Now choose LDAP


Just fill in some values, it does not matter. ADF will use the WebLogic LDAP provider.

And we are finished with the wizard.

Change the weblogic.xml, where we map the valid-users role to users (users is a role in WLS).




<?xml version = '1.0' encoding = 'windows-1252'?>
<weblogic-web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.bea.com/ns/weblogic/weblogic-web-app.xsd" xmlns="http://www.bea.com/ns/weblogic/weblogic-web-app">
  <security-role-assignment>
    <role-name>valid-users</role-name>
    <principal-name>users</principal-name>
  </security-role-assignment>
</weblogic-web-app>





Now we have to change the jazn-data.xml, where we add the realm and the roles.

These roles will be used in the page authorization.

We need to use myrealm as the realm, not jazn.com. Create the valid-users role.



Create a valid-users application role.

Now open the page definition of the JSF page and add a security policy to it, or open the jazn-data.xml and select the page there.

Select the page, then select a role and add the actions this role is allowed to perform.
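Most of the questions in the comments below come down to a broken link somewhere in the chain WebLogic group, weblogic.xml principal-name, jazn-data.xml enterprise role, application role, page grant. The following checker walks that chain over a weblogic.xml and a jazn-data.xml and reports where it breaks. It is an added example, not code from the original post or from Oracle: the weblogic.xml sample is the one from the post (without its XML declaration), while the jazn-data.xml sample, its element layout and the 'managers' group are my assumptions about the 11g file format and constructed data.

```python
"""Cross-check the role chain an ADF 11g application relies on for page
authorization: WebLogic group -> weblogic.xml principal-name -> jazn-data.xml
enterprise role -> application role -> page grant. Added example, not from the
original post; the jazn-data.xml layout is my assumption, 'managers' is constructed."""
import xml.etree.ElementTree as ET

# weblogic.xml as shown in the post (XML declaration dropped for the sample).
WEBLOGIC_XML = """<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/weblogic-web-app">
  <security-role-assignment>
    <role-name>valid-users</role-name>
    <principal-name>users</principal-name>
  </security-role-assignment>
</weblogic-web-app>"""

# Constructed jazn-data.xml: realm myrealm with one enterprise role, two
# application roles (the second points at an enterprise role the realm never
# defines, the mistake the commenters hit) and one page grant.
JAZN_DATA_XML = """<jazn-data>
  <jazn-realm default="myrealm">
    <realm><name>myrealm</name>
      <roles><role><name>valid-users</name></role></roles>
    </realm>
  </jazn-realm>
  <policy-store><applications><application>
    <name>SecurityDemo</name>
    <app-roles>
      <app-role><name>valid-users</name>
        <members><member>
          <class>weblogic.security.principal.WLSGroupImpl</class>
          <name>valid-users</name>
        </member></members>
      </app-role>
      <app-role><name>managers</name>
        <members><member>
          <class>weblogic.security.principal.WLSGroupImpl</class>
          <name>managers</name>
        </member></members>
      </app-role>
    </app-roles>
    <jazn-policy><grant>
      <grantee><principals><principal>
        <class>oracle.security.jps.service.policystore.ApplicationRole</class>
        <name>valid-users</name>
      </principal></principals></grantee>
      <permissions><permission>
        <class>oracle.adf.share.security.authorization.RegionPermission</class>
        <name>view.pageDefs.mainPageDef</name>
        <actions>view</actions>
      </permission></permissions>
    </grant></jazn-policy>
  </application></applications></policy-store>
</jazn-data>"""


def _local(tag):
    """Drop the XML namespace so weblogic.xml elements match by local name."""
    return tag.rsplit("}", 1)[-1]


def check_role_chain(weblogic_xml, jazn_xml, realm="myrealm"):
    """Return a list of problems; an empty list means the chain is consistent."""
    problems = []
    # 1. weblogic.xml: J2EE role-name -> WebLogic principal (group) name
    wl_map = {}
    for el in ET.fromstring(weblogic_xml).iter():
        if _local(el.tag) == "security-role-assignment":
            kids = {_local(c.tag): (c.text or "").strip() for c in el}
            wl_map[kids.get("role-name")] = kids.get("principal-name")
    if "valid-users" not in wl_map:
        problems.append("weblogic.xml does not map the valid-users role")
    # 2. jazn-data.xml: the realm must be the WebLogic realm, not jazn.com
    jazn = ET.fromstring(jazn_xml)
    jr = jazn.find("jazn-realm")
    if jr is None or jr.get("default") != realm:
        problems.append(f"jazn-realm default is not {realm!r}")
    enterprise = set()
    for r in jazn.iterfind("jazn-realm/realm"):
        if (r.findtext("name") or "").strip() == realm:
            enterprise.update(n.text.strip() for n in r.iterfind("roles/role/name"))
    if not enterprise:
        problems.append(f"realm {realm!r} defines no enterprise roles")
    # 3. application roles may only include enterprise roles the realm defines
    app_roles = set()
    for ar in jazn.iterfind("policy-store/applications/application/app-roles/app-role"):
        ar_name = (ar.findtext("name") or "").strip()
        app_roles.add(ar_name)
        for m in ar.iterfind("members/member"):
            m_name = (m.findtext("name") or "").strip()
            if (m.findtext("class") or "").endswith("WLSGroupImpl") and m_name not in enterprise:
                problems.append(f"app role {ar_name!r} includes undefined enterprise role {m_name!r}")
    # 4. every page grant must name an application role that exists
    for p in jazn.iterfind("policy-store/applications/application/jazn-policy/"
                           "grant/grantee/principals/principal"):
        p_name = (p.findtext("name") or "").strip()
        if (p.findtext("class") or "").endswith("ApplicationRole") and p_name not in app_roles:
            problems.append(f"grant names unknown application role {p_name!r}")
    return problems


if __name__ == "__main__":
    for line in check_role_chain(WEBLOGIC_XML, JAZN_DATA_XML) or ["role chain OK"]:
        print(line)
```

Run against the samples it reports only the 'managers' application role, whose member is not an enterprise role of myrealm; the same check with the realm default set to jazn.com additionally reports the realm mismatch the post warns about. Users and groups that live only in the WebLogic realm are of course not visible to the script, so a clean result means the files agree with each other, not that the WLS provider actually contains the group.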

Now run your application and authenticate against the WebLogic provider.





Here is the final result.


Probably this will change in other 11G versions where the ADF Security wizard will configure WLS.

40 comments:

  1. Hi,

    In jazn-data.xml you are using 'authenticated-role' - its why WL user is authorized to open page. I have tried to leave only application role, it throws Authorization error, because it looks like WL can't map authentication user with application roles for authorization.

    Did you face a similar problem?

    Regards,
    Andrejus

  2. Hi Andrejus

    still in greece,

    Did you map the WLS roles to the jazn roles? You can do this in weblogic.xml.

    Can you send me a test case, so I know what you mean?

    biemond at gmail dot com

    thanks Edwin

  3. Hi Edwin,

    Yea, Greece became my second home :) You're in WhiteHorses now.

    I found solution, exactly - roles were mapped incorrectly. I was using Application role, not Enterprise one. Will post a blog about it...

    Thanks,
    Andrejus

  4. Hi Andrejus
    I have the same problem... it doesn't authorize the user (although the Principal is in the role). I think it is some mapping problem but I couldn't figure it out.

    Edwin, could you please post all the ldif... I got oracle.security.jps.service.idstore.IdentityStoreException: Failed to initialize identity store.

    javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'cn=common, cn=products, cn=oraclecontext'

    when using the BC browser (I see in an image that you have more entities under the root DN)

    thanks, Florin POP
    (I would really like to hear from you two, I must deliver some security strategy by January and 'till now nothing seems to work (except the file provider))

  5. Hi Florin.

    see this post for the ldif http://biemond.blogspot.com/2008/10/using-openldap-as-security-provider-in.html

    first you must look up the users and roles in WLS; when you can see the users in WLS then you can move to the ADF application and use the ADF Security Wizard.


    thanks Edwin

  6. Hi,

    I have solved my problem like this:

    1) In weblogic.xml I have only one mapping, its enough to have valid-users mapped to users

    2) In jazn-data.xml I have declared Enterprise role and Application role. I have included Enterprise role into Application role. The trick is - Enterprise role will be visible by WebLogic

    3) I have migrated my Policies for Authorization using Steve Muench article - http://www.oracle.com/technology/products/jdev/tips/muench/credmig111100/index.html

    4) I have defined in WebLogic, my users with appropriate Enterprise roles

    Regards,
    Andrejus

  7. Hi Edwin,

    In this post you said:
    "Just fill in some values, it does not matter. ADF wil use the WebLogic LDAP provider"

    I filled in a non-existent openLdap inside JDev when creating the ADF Security because I am using your method of "database tables as authentication".

    The problem I have is when trying to run the ApplicationModule service for some testing: I am asked to enter credentials for JAAS and after entering a user into the DB I get the exception below.

    It seems JAAS tries to check the user against the non-existent openLdap server, no?

    Any solution

    Thank you

    Jamil

    May 12, 2009 8:25:42 PM oracle.adf.share.security.authentication.AuthenticationCallbackHandler handle
    INFO: PasswordCallback
    [JpsAuth] For permisson (oracle.security.jps.service.credstore.CredentialAccessPermission context=SYSTEM,mapName=ldap.credentials,keyName=JPS read), domain that failed: ProtectionDomain cs(file:/C:/Oracle/Middleware/jdeveloper/modules/oracle.jps_11.1.1/jps-api.jar), []
    May 12, 2009 8:25:44 PM oracle.security.jps.internal.idstore.util.IdentityStoreUtil getIdentityStoreFactory
    WARNING: Failed to initialize identity store.
    May 12, 2009 8:25:44 PM oracle.security.jps.internal.jaas.module.idstore.IdStoreLoginModule initializeLM
    WARNING: Failed to initialize identity store.
    javax.security.auth.login.LoginException: oracle.security.jps.JpsRuntimeException: Failed to initialize identity store.
    at oracle.security.jps.internal.jaas.module.idstore.IdStoreLoginModule.initializeLM(IdStoreLoginModule.java:634)
    at oracle.security.jps.internal.jaas.module.idstore.IdStoreLoginModule.initialize(IdStoreLoginModule.java:210)

  8. Hi,

    Do you mean the bc4j tester, or do you get this error when you run the webapp?

    thanks Edwin

  9. Yes the bc4j tester only gives this exception.

    The webapp is working well

    Thanks
    Jamil

  10. Ok, that explains it.

    The bc4j tester is a Swing client that does not use WLS. Can you make a custom application module configuration to bypass this JAAS authentication?

    thanks Edwin

  11. Hi Edwin,

    I have a question regarding the EJB3 role permission in an ADF application. I am using ADF security and configured the application roles and used those to define the jspx page access. Now I want to configure the method level permission for the EJB tier. Once I tried to use the same application role along with the @RolesAllow annotation I am getting the permission denied exception. How can I define the method level permission based on the application roles in ADF?

    Thank you
    Thiva

  12. Hi

    Don't worry about ADF security; if you get this working with J2EE container security then ADF will also work.

    I will take a look how to do this

    thanks

  13. Hi Thiva

    Did you configure this in ejb-jar.xml and weblogic-ejb-jar.xml so you map Security Role Names to a Security Realm?

    And do you use a remote ejb on the same WLS domain?

    Do you have the ejb tier working with ADF? Please let me know the details.

    mail me biemond at gmail dot com

    thanks Edwin

  14. Hi Edwin,
    excuse me for my English. I have read your post and I believe it is very interesting. I'm making an application and use ADF authentication but I do not want to use LDAP; I have all users and passwords in a table in my database.
    My question is: can I do it with the XML application option or is LDAP necessary?
    Thanks for your time.

  15. Hi,

    maybe this can help you http://biemond.blogspot.com/2008/12/using-database-tables-as-authentication.html

    thanks

  16. Hi Lain,

    I have the same problem as you. Did you succeed? I followed the link to the other blog but he uses LDAP in the WLS console.
    My problem is that when I log in, I go directly to the login error page. I would like to know where my error is.
    I don't know exactly how to fill the jazn-data. Users? Roles (which? in my database or 'valid-users'?)

    Thank you for this blog

    Regards

  17. Hi Please,


    It doesn't matter what you choose;
    check your roles and make a match between the application roles and the WebLogic roles.

    And make sure the pages or taskflows have view rights for the roles you are using.

    thanks Edwin

  18. Hi! If you use this for authentication then the login window appears when you run the app. But what if I want some sections of my app without login and some with it? What to do!?

    Best regards, Kristaps!

  19. Hi,


    Just don't add security on that page or taskflow, then you can use the anonymous user.

    thanks Edwin

  20. You need to design your application to have secure or open pages (taskflows).
    This link may help you

    http://wiki.oracle.com/page/ADF+Security

    Jamil

  21. "We need to use myrealm as realm and not jazn.com. "

    I would like to have more information on this; it seems I have something missing because I get:
    Security:090304]Authentication Failed: User THE_USERNAME javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User THE_USERNAME denied


    The users are loaded from the database, since I see them in the WebLogic console, but when I try to log on via my login.html I get the error message. It sounds like it keeps using jazn.com instead of myrealm; I've tried to change it to myrealm.
    Via a few settings in web.xml:

    jazn-data.xml :


    But no success. I suspect something is wrong in jps-config.xml; a post of a complete example would be really appreciated.

    Thanks in advance,
    JP

  22. Hi,

    no need to change this; can you please check these steps:

    http://blog.whitehorses.nl/2010/02/01/weblogic-web-application-container-security-part-2-adf-security/

    thanks Edwin

  23. Hi Edwin,
    I was trying to authenticate database users in a WebLogic-deployed application. I could import the database users into the WebLogic realm by following your blog (http://biemond.blogspot.com/2008/12/using-database-tables-as-authentication.html).
    But I am not able to get them to authenticate even with a simple JSP application (http://biemond.blogspot.com/2008/12/using-weblogic-provider-as.html). Any pointers? Please help.

  24. Hi,

    just a few checks: do all the authentication providers have the sufficient control flag?

    Do you see the users in Users/Groups? And if you are using ADF then you can follow this http://blog.whitehorses.nl/2010/02/01/weblogic-web-application-container-security-part-2-adf-security/

    thanks

  25. Still the provider-specific settings are missing from the post..

    The provider-specific settings are the settings that need to match the AD-specific data, and guidance is needed on how to configure ADF security with WLS!

  26. Hi Edwin,

    I am trying the ADF security feature to secure a sample page.
    I followed the steps to create my own SQL authenticator provider in myrealm, made it SUFFICIENT and reordered the providers so that it is first in the list of providers. I have created a group in this provider named admin and assigned a new user ravi to this group.

    Now I am not sure what changes I have to make in the ADF application files like web.xml, weblogic.xml etc.
    Please let me know the details to be entered in these files. I tried the following option

  27. Hi,

    Can you follow this? It explains everything:
    http://blog.whitehorses.nl/2010/02/01/weblogic-web-application-container-security-part-2-adf-security/

    good luck

  28. Hi Edwin, I don't see the option of LDAP after Basic authentication in JDev 11.1.1.6. I checked for any additional updates but none are available on LDAP/Authentication. Can you please let me know if I am missing anything here?

    Thanks,
    Kalyan.

    Replies
    1. Hi,

      Indeed they changed it. Just add your favorite authenticator provider to the WebLogic myrealm security realm, put all providers on the sufficient control flag and follow the normal ADF security flow, like in this blog:
      http://blog.whitehorses.nl/2010/02/01/weblogic-web-application-container-security-part-2-adf-security/

      thanks

    2. Thanks Edwin, I was able to configure LDAP. In addition to that, when I give a default page, say welcome.jspx, as the landing page after authentication in an application where we have multiple pages: if I invoke the application with a URL different from that of the landing page, the control after authentication goes to the page I gave rather than the default page.

      Any inputs if I'm missing anything here.

      Thanks,
      Kalyan.

    3. Hi,

      That is normal for a web application. After login it returns to the requested page. When you go to the login page directly it uses the success url on the ADF authentication servlet.

      But maybe with a custom login page you can handle the authentication in a managed bean and always do a redirect.

      thanks

  29. Hi Edwin, I have a requirement where we need to use LDAP for authentication, and for authorization the roles and responsibilities need to be pulled from the database. Any recommendations?

    Thanks,
    --KC.

    Replies
    1. Hi,

      You can only do this in 2 steps; the responsibilities should be handled somewhere in the application after the login. Or use Oracle's OID, where you have one LDAP and behind it you can do what you want.

      thanks

  30. Hi
    I am using Jdeveloper 11G R2.
    I was going through your blog for registering LDAP.

    Got stuck in the middle..

    I clicked the configure security wizard;
    there I couldn't find Identity Store and LDAP Identity Store..
    Is there a problem with my JDeveloper or am I missing something?

    Please help me..

    Replies
    1. Hi,

      You need to do this in the WebLogic console; the ADF security wizard is only used to set up security in your project and for the mapping between the ADF enterprise roles and the WebLogic roles.

      Thanks

  31. Hi
    I want to create a user for testing purposes only. I am creating a user with the AppTesters role but when I log in as that user I am getting this error: "Access Forbidden. The server is refusing to fulfill the request"

    Kindly help

    Replies
    1. Hi,

      Did you create an Enterprise and an Application role called AppTesters and also assign this to the pages and task flows?

      I think you can also create test users from the jazn dialog and also enable "create users and groups" on the application-level ear deployment.

      Thanks

  32. Hi, thanks for the nice tutorial..
    I'm able to configure the AD provider, and I'm also able to see the AD users and groups in my console, but when I try to log in to the ADF application it does not allow me to log in. All I see is a pop-up on the screen which says "Specify correct username and password." Can anyone help me in resolving this?

  33. Hi,
    I downloaded form-based login content from the net and that code is working fine. In that content some users are created in the jazn-data.xml file, and by using those users I am able to log in to the application. I created my own users but I am not able to log in; the page is redirecting to the error page. Can anyone help me in resolving this?

    Replies
    1. Hi,

      Users in jazn are only meant for testing; you can add users in the security realm of the WebLogic domain, and make sure you add the right roles to these users.
