ADF security in action

In my previous blog we enabled the project for adf security. Now is time to see it in action. I will show how you can add security to a page and to specific button actions. I use in this example the system-jazn-data.xml of the embedded oc4j. You can edit this from the menu tools / embedded oc4j server preferences.

First we make a region with security info so we can see on every page what the security settings are. This region also contains a login and logout button.

I use a backing bean to do this. The login action is done redirecting to this url /adfAuthentication?succes_url=/faces/dept.jspx and the logout is done by this /adfAuthentication?logout=true&end_url=/faces/start.jspx

public class SecurityBean {
    public SecurityBean() {
    }
    
    public String getSecurityEnabled() {
        if (ADFContext.getCurrent().getSecurityContext().isAuthorizationEnabled()){
          return "true";
        } 
        return "false";
    }
    
    public String getIsAuthenticated() {
        if (ADFContext.getCurrent().getSecurityContext().isAuthenticated()){
            return "true";
        }
        return "false";
    }

    public boolean isAuthenticated() {
        return ADFContext.getCurrent().getSecurityContext().isAuthenticated();
    }


    public String getCurrentUser() {
        return ADFContext.getCurrent().getSecurityContext().getUserName(); 
    }
 
    public String doLogOut() throws IOException{
        ExternalContext ectx = FacesContext.getCurrentInstance().getExternalContext();
        HttpServletResponse response = (HttpServletResponse)ectx.getResponse();
        String url = ectx.getRequestContextPath()+"/adfAuthentication?logout=true&end_url=/faces/start.jspx";
        response.sendRedirect(url);
        
        return null;
    }

    public String doLogIn() throws IOException{
        ExternalContext ectx = FacesContext.getCurrentInstance().getExternalContext();
        HttpServletResponse response = (HttpServletResponse)ectx.getResponse();
        String url = ectx.getRequestContextPath()+"/adfAuthentication?succes_url=/faces/dept.jspx"  ;
        response.sendRedirect(url);
                
      return  null;      
    }
     
    
}

In this example I have two pages , the first page start.jspx doesn't have any security so adf security uses the anomynous account.

the second page have security on the page , you need to have the role users to see this page and the navigation buttons are enabled if the user belows to the oc4j-administrators role.

Now let see how we can add page security to a page. To view this page you need to have view right. We can do this by opening the pagedef.

the next step is to add the view rights to the roles users and oc4j-administrators. We now go the pagedef structure window and select the pagedef node and with the right button we open the authorization window.


These security entries are put in system-jazn-data.xml and jazn use the pagedef name as unique entry so make sure you don't have the same pagedef twice on the production server else both pages has the same security.
You can do this also for the binding actions like next, first etc. Now we make sure that you need to have oc4j-administrator role to press next etc.
<br /> <grant><br /> <grantee><br /> <principals><br /> <principal><br /> <realm-name>jazn.com</realm-name><br /> <type>role</type><br /> <class>oracle.security.jazn.spi.xml.XMLRealmRole</class><br /> <name>oc4j-administrators</name><br /> </principal><br /> </principals><br /> </grantee><br /> <permissions><br /> <permission><br /> <class>oracle.adf.share.security.authorization.RegionPermission</class><br /> <name>nl.ordina.adfsec.view.pageDefs.deptPageDef</name><br /> <actions>customize,edit,grant,personalize,view</actions><br /> </permission><br /> <permission><br /> <class>oracle.adf.share.security.authorization.MethodPermission</class><br /> <name>Previous</name><br /> <actions>invoke</actions><br /> </permission><br /> <permission><br /> <class>oracle.adf.share.security.authorization.MethodPermission</class><br /> <name>First</name><br /> <actions>invoke</actions><br /> </permission><br /> <permission><br /> <class>oracle.adf.share.security.authorization.MethodPermission</class><br /> <name>Last</name><br /> <actions>invoke</actions><br /> </permission><br /> <permission><br /> <class>oracle.adf.share.security.authorization.MethodPermission</class><br /> <name>Next</name><br /> <actions>invoke</actions><br /> </permission><br /> </permissions><br /> </grant><br /> <grant><br /> <grantee><br /> <principals><br /> <principal><br /> <realm-name>jazn.com</realm-name><br /> <type>role</type><br /> <class>oracle.security.jazn.spi.xml.XMLRealmRole</class><br /> <name>users</name><br /> </principal><br /> </principals><br /> </grantee><br /> <permissions><br /> <permission><br /> <class>oracle.adf.share.security.authorization.RegionPermission</class><br /> <name>nl.ordina.adfsec.view.pageDefs.deptPageDef</name><br /> <actions>view</actions><br /> </permission><br /> </permissions><br /> </grant><br /><br />
and we ready to test it.

Here you have the example project and the system-jazn-data.xml which you have to put in the config dir of the embedded oc4j . this are the users oc4jadmin / welcome , test / test

ADF security in your project

ADF Security implementation can be viewed as an extension to the standard J2EE container security and is executed after the standard security constraints have been processed. It is integrated in ADF of jdeveloper 11g and is implemented dynamically. This gives us many advantages such as changes in roles are immediately active and you can have different permissions in one page. For example in the pagedef you can add rights to roles on specific attributes, pages and methods. In your applications, you can also use Expression Language (EL) to show or hide items on a page based on a user's permissions, which are defined in the run time policy store.

If you use adf security in your application and you also selected anonymous access in the adf wizard then you automatically are logged in as anonymous if this page does not have security and if you go to a page where there is no anonymous security defined then you get a login window or you can start the following url /project-context/adfAuthentication to get the login windows.

Here you define in the pagedef of the page that to see the page you have to have the view permission.

If you run the adf security wizard then the following files are created or changed

workspace_home/.adf/META-INF/adf-config.xml

element sec:JaasSecurityContext added

<br /><?xml version="1.0" encoding="windows-1252" ?><br /><adf-config xmlns="http://xmlns.oracle.com/adf/config"<br /> xmlns:sec="http://xmlns.oracle.com/adf/security/config"><br /> <sec:adf-config-child xmlns="http://xmlns.oracle.com/adf/security/config"><br /> <CredentialStoreContext credentialStoreClass="oracle.adf.share.security.providers.jazn.JAZNCredentialStore"<br /> credentialStoreDefaultUser="anonymous"<br /> credentialStoreLocation="./credential-jazn-data.xml"/><br /> <sec:JaasSecurityContext initialContextFactoryClass="oracle.adf.share.security.JAASInitialContextFactory"<br /> jaasProviderClass="oracle.adf.share.security.providers.jazn.JAZNSecurityContext"<br /> authorizationEnforce="true"<br /> authenticationRequire="true"/><br /> </sec:adf-config-child><br /></adf-config><br />

workspace_home/.adf/META-INF/credential-jazn-data.xml

anonymous login account

<br /><?xml version="1.0" encoding="UTF-8" standalone='yes'?><br /><jazn-data<br /> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"<br /> xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/jazn-data-10_0.xsd"<br /> schema-major-version="10"<br /> schema-minor-version="0"<br />><br /><!-- JAZN Realm Data --><br /><jazn-realm><br /> <realm><br /> <name>jazn.com</name><br /> <users><br /> <user><br /> <name>anonymous#scott</name><br /> <guid>BE3C4D009DFA11DCBF99798553FFE673</guid><br /> <credentials>{903}9UaHhfBMZ20NuY3e1s0Gpc9jSvCqSQtjhJcdQPDwZoz13Y/DbuqxieMIkpUqo0bT9zk1mvNPsVi1<br />PLd5s8wAqjLTBoF7DvPZTH17WaaMMll3Sst5GQuBcUGMi5+DRJx4cwDVElMfQTPaF7JNmFFjdc1U<br />lSNmCoRZRFXQGUfzbSJqhzkdJZBlvS6tiTeprmMLoW5PicrkSFt5UkPIimbHB7lDmNamwr74IE3L<br />/FtNdlroVMSJ3AowWGTxpZweECbzSCIZmJ8TQVIAV8c62mM2vlaA/4lKRnr8xuSxXIDClM32JF7B<br />LfqzSNPcWfuF8tUIcg7SC/jhd4POF+GNtinLTkLEQ+rovkHHQsoiMVOOHLfWkohdYbYUPtHNpmqS<br />gglDNDKxfXGYBjx8t263k21Yi4+viwSVGMct21nYjn/I7XzM8iBvqQ8v9gs6VcG+6hIyQUrFCy71<br />2mntyBByd0mdfIFv8eGMgGXP0C4PIHwgBNSsZVg8QGI1lUzE6LMSSkmF+xRLX+DZtq8Ys29Vt3D4<br />daVyIOfrfk1MyIJJifZAeA1gUnIi5Af9HPx9fg/Ba5HsPtE+6a6Hu04=</credentials><br /> </user><br /> </users><br /> <roles><br /> </roles><br /> </realm><br /></jazn-realm><br /><!-- JACC Repository Data --><br /><jacc-repository><br /></jacc-repository><br /><jazn-permission-classes><br /></jazn-permission-classes><br /></jazn-data>

workspace_home\src\META-INF\orion-application.xml
workspace_home\src\META-INF\jps-config.xml
workspace_home\src\META-INF\jazn-data.xml

and of course the web.xml
<br /><?xml version = '1.0' encoding = 'windows-1252'?><br /><web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"><br /> <servlet><br /> <servlet-name>adfAuthentication</servlet-name><br /> <servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class><br /> <init-param><br /> <param-name>success_url</param-name><br /> <param-value>dept.jspx</param-value><br /> </init-param><br /> <load-on-startup>1</load-on-startup><br /> </servlet><br /> <servlet-mapping><br /> <servlet-name>adfAuthentication</servlet-name><br /> <url-pattern>/adfAuthentication/*</url-pattern><br /> </servlet-mapping><br /> <session-config><br /> <session-timeout>35</session-timeout><br /> </session-config><br /> <security-constraint><br /> <web-resource-collection><br /> <web-resource-name>adfAuthentication</web-resource-name><br /> <url-pattern>/adfAuthentication</url-pattern><br /> </web-resource-collection><br /> <auth-constraint><br /> <role-name>valid-users</role-name><br /> </auth-constraint><br /> </security-constraint><br /> <login-config><br /> <auth-method>BASIC</auth-method><br /> <realm-name>jazn.com</realm-name><br /> </login-config><br /> <security-role><br /> <role-name>valid-users</role-name><br /> </security-role><br /></web-app><br />

If you start the adf security wizard yourself then select no identity store by step 4. Then you use the jazn of the embedded oc4j, the other options gives jazn errors


Make sure if you run on windows xp that you start jdeveloper in single user mode ( jdeveloper -singleuser) else the jazn editor in the embedded oc4j does nothing.

In the next adf security blog I will demostrate the different security options in a page.

JDeveloper 11g single user mode

I discovered that the jazn configuration (Identity Store) in 11g tp2 of the embedded oc4j didn't work, so I googled a bit and saw the solution of Steve Muench. It seems that jdeveloper 11g is started by default in multiuser mode. That's why it creates a jdeveloper directory with the embedded oc4j in your user folder. The jazn error is caused by a space in the folder name of the user. On windows xp you have your user data in this folder C:\Documents and Settings\ebi15170. You can solve this by starting jdeveloper with the -singleuser option or set the JDEV_USER_DIR environment variable to a folder name with no spaces.

Steve Muench hold a jdeveloper 11g page with more tip so check this out.