You can use this SQL authenticator for your container security or for your JDeveloper 11g ADF security. For more info on ADF security, see my previous blog post. This SQL authenticator replaces the dbloginmodule of the OC4J container, which was available in the Technical Previews of JDeveloper 11g.
First we need some authorization tables. I will use the users and roles tables of JHeadstart. Here is the DDL with some sample users and roles.
-- Create two users SKING and AHUNOLD
select jhs_seq.nextval,'SKING','SKING','DEFAULT','SKING', 'Steven King'
from dual
where not exists (select '1' from jhs_users where username='SKING');
select jhs_seq.nextval,'AHUNOLD','AHUNOLD','DEFAULT','AHUNOLD', 'Alexander Hunold'
from dual
where not exists (select '1' from jhs_users where username='AHUNOLD');
-- set up two roles: Administrator and User
insert into jhs_roles(id, SHORT_NAME, name)
select jhs_seq.nextval, 'ADMIN','Administrator'
from dual
where not exists (select '1' from jhs_roles where short_name='ADMIN');
insert into jhs_roles(id, SHORT_NAME, name)
select jhs_seq.nextval, 'USER','User'
from dual
where not exists (select '1' from jhs_roles where short_name='USER');
-- Make Steven King Administrator
insert into jhs_user_role_grants (id,rle_id,usr_id)
select jhs_seq.nextval, rle.id, usr.id
from jhs_roles rle, jhs_users usr
where rle.short_name='ADMIN'
and usr.username='SKING'
and not exists (select '1' from jhs_user_role_grants urg2
where urg2.usr_id = usr.id
and urg2.rle_id = rle.id);
-- Make Alexander Hunold User
insert into jhs_user_role_grants (id,rle_id,usr_id)
select jhs_seq.nextval, rle.id, usr.id
from jhs_roles rle, jhs_users usr
where rle.short_name='USER'
and usr.username='AHUNOLD'
and not exists (select '1' from jhs_user_role_grants urg2
where urg2.usr_id = usr.id
and urg2.rle_id = rle.id);
Now we can add the SQL authenticator provider in WebLogic. First we need to create a datasource for the database connection; remember the datasource name (not the JNDI name), because the provider needs this value.
Select the Security Realms link, then select the default realm "myrealm" and go to the Providers tab. Here we can create a new authentication provider.

Go to the folder MiddlewareJdev11g\jdeveloper\system\system11.\DefaultDomain\config and edit the config.xml file, replacing the values in the provider definition below with your own:
<sec:authentication-provider xsi:type="wls:sql-authenticatorType">
<wls:sql-get-users-password>SELECT password FROM jhs_users WHERE username = ?</wls:sql-get-users-password>
<wls:sql-user-exists>SELECT username FROM jhs_users WHERE username = ?</wls:sql-user-exists>
<wls:sql-list-member-groups>SELECT short_name FROM jhs_user_role_grants g ,jhs_roles r,jhs_users u WHERE g.usr_id = u.id and g.rle_id = r.id and u.username = ?</wls:sql-list-member-groups>
<wls:sql-list-users>SELECT username FROM jhs_users WHERE username LIKE ?</wls:sql-list-users>
<wls:sql-get-user-description>SELECT display_name FROM jhs_users WHERE username = ?</wls:sql-get-user-description>
<wls:sql-list-groups>SELECT short_name FROM jhs_roles WHERE short_name LIKE ?</wls:sql-list-groups>
<wls:sql-group-exists>SELECT short_name FROM jhs_roles WHERE short_name = ?</wls:sql-group-exists>
<wls:sql-is-member>SELECT u.username FROM jhs_user_role_grants g ,jhs_users u WHERE u.id = g.usr_id and rle_id = ( select id from jhs_roles where short_name = ? ) AND usr_id = ( select id from jhs_users where username = ? )</wls:sql-is-member>
<wls:sql-get-group-description>SELECT name FROM jhs_roles WHERE short_name = ?</wls:sql-get-group-description>
<wls:sql-create-user>INSERT INTO jhs_users ( id,username , password , display_name) VALUES (jhs_seq.nextval, ? , ? , ? )</wls:sql-create-user>
<wls:sql-remove-user>DELETE FROM jhs_users WHERE username = ?</wls:sql-remove-user>
<wls:sql-remove-group-memberships>DELETE FROM jhs_user_role_grants WHERE rle_id = ( select id from jhs_roles where short_name = ? ) or usr_id = ( select id from jhs_users where username = ? )</wls:sql-remove-group-memberships>
<wls:sql-set-user-description>UPDATE jhs_users SET display_name = ? WHERE username = ?</wls:sql-set-user-description>
<wls:sql-set-user-password>UPDATE jhs_users SET password = ? WHERE username = ?</wls:sql-set-user-password>
<wls:sql-create-group>insert into jhs_roles(id, short_name, name) values (jhs_seq.nextval, ?, ?)</wls:sql-create-group>
<wls:sql-set-group-description>UPDATE jhs_roles SET name = ? WHERE short_name = ?</wls:sql-set-group-description>
<wls:sql-add-member-to-group>INSERT INTO jhs_user_role_grants (id,rle_id,usr_id) VALUES( jhs_seq.nextval , ( select id from jhs_roles where short_name = ?),(select id from jhs_users where username = ?))</wls:sql-add-member-to-group>
<wls:sql-remove-member-from-group>DELETE FROM jhs_user_role_grants WHERE rle_id = ( select id from jhs_roles where short_name = ? ) AND usr_id = ( select id from jhs_users where username = ? )</wls:sql-remove-member-from-group>
<wls:sql-remove-group>DELETE FROM jhs_roles WHERE short_name = ?</wls:sql-remove-group>
<wls:sql-remove-group-member>DELETE FROM jhs_user_role_grants WHERE rle_id = ( select id from jhs_roles where short_name = ? )</wls:sql-remove-group-member>
<wls:sql-list-group-members>SELECT username FROM jhs_user_role_grants g ,jhs_roles r,jhs_users u WHERE g.usr_id = u.id and g.rle_id = r.id and r.short_name = ? and u.username like ?</wls:sql-list-group-members>
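As an added example (not code from the original post), here is a small Python model of the three JHeadstart tables and of what the SQL authenticator does with the queries configured above. It assumes SQLite in place of Oracle (so ids come from INTEGER PRIMARY KEY instead of jhs_seq.nextval) and models only the columns the provider queries touch; it shows the plaintext password comparison this configuration relies on, the group lookups, and what happens when a membership is added for a role that does not exist.

```python
import sqlite3
from hmac import compare_digest

# Constructed subset of the JHeadstart schema: only the columns referenced by
# the authenticator queries on this page. SQLite replaces Oracle here, so
# INTEGER PRIMARY KEY stands in for jhs_seq.nextval.
SCHEMA = """
CREATE TABLE jhs_users (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE,
                        password TEXT NOT NULL, display_name TEXT);
CREATE TABLE jhs_roles (id INTEGER PRIMARY KEY, short_name TEXT NOT NULL UNIQUE,
                        name TEXT);
CREATE TABLE jhs_user_role_grants (id INTEGER PRIMARY KEY,
                        rle_id INTEGER NOT NULL REFERENCES jhs_roles(id),
                        usr_id INTEGER NOT NULL REFERENCES jhs_users(id),
                        UNIQUE (rle_id, usr_id));
"""

# The provider queries from config.xml with the join conditions written out.
# WebLogic binds each "?" at run time; sqlite3 does the same here.
SQL_GET_USERS_PASSWORD = "SELECT password FROM jhs_users WHERE username = ?"
SQL_USER_EXISTS = "SELECT username FROM jhs_users WHERE username = ?"
SQL_LIST_MEMBER_GROUPS = (
    "SELECT short_name FROM jhs_user_role_grants g, jhs_roles r, jhs_users u "
    "WHERE g.usr_id = u.id AND g.rle_id = r.id AND u.username = ?")
SQL_IS_MEMBER = (
    "SELECT u.username FROM jhs_user_role_grants g, jhs_users u "
    "WHERE u.id = g.usr_id "
    "AND rle_id = (SELECT id FROM jhs_roles WHERE short_name = ?) "
    "AND usr_id = (SELECT id FROM jhs_users WHERE username = ?)")
SQL_ADD_MEMBER_TO_GROUP = (
    "INSERT INTO jhs_user_role_grants (rle_id, usr_id) VALUES ("
    "(SELECT id FROM jhs_roles WHERE short_name = ?), "
    "(SELECT id FROM jhs_users WHERE username = ?))")


def seed_db():
    """Create the tables and load the page's sample users, roles and grants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    # Same sample data as the DDL above: the password column holds the
    # username itself, i.e. plaintext, which is why the provider needs
    # Plaintext Passwords Enabled for these rows to authenticate.
    conn.executemany(
        "INSERT INTO jhs_users (username, password, display_name) VALUES (?, ?, ?)",
        [("SKING", "SKING", "Steven King"),
         ("AHUNOLD", "AHUNOLD", "Alexander Hunold")])
    conn.executemany("INSERT INTO jhs_roles (short_name, name) VALUES (?, ?)",
                     [("ADMIN", "Administrator"), ("USER", "User")])
    conn.execute(SQL_ADD_MEMBER_TO_GROUP, ("ADMIN", "SKING"))
    conn.execute(SQL_ADD_MEMBER_TO_GROUP, ("USER", "AHUNOLD"))
    conn.commit()
    return conn


def user_exists(conn, username):
    return conn.execute(SQL_USER_EXISTS, (username,)).fetchone() is not None


def authenticate(conn, username, password):
    """Mirror the provider's check: fetch the stored column and compare it."""
    row = conn.execute(SQL_GET_USERS_PASSWORD, (username,)).fetchone()
    if row is None:
        return False  # unknown user: no row, so never a match
    # Constant-time comparison of the supplied and stored (plaintext) values.
    return compare_digest(row[0].encode(), password.encode())


def list_member_groups(conn, username):
    rows = conn.execute(SQL_LIST_MEMBER_GROUPS, (username,)).fetchall()
    return sorted(r[0] for r in rows)


def is_member(conn, group, username):
    return conn.execute(SQL_IS_MEMBER, (group, username)).fetchone() is not None


def add_member_to_group(conn, group, username):
    """Grant a role. An unknown role or user makes its subquery return NULL,
    which the NOT NULL constraint rejects; a duplicate grant hits UNIQUE."""
    try:
        conn.execute(SQL_ADD_MEMBER_TO_GROUP, (group, username))
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        conn.rollback()
        return False
```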
We need to restart the WebLogic server. After the restart we can go to the Users and Groups tab of the default security realm, where we can change or add users and roles. Here is an overview where we can see SKING:

Hi Edwin,
I've done a similar thing (except I made the SQLProvider optional) but I run into something... It seems that the authentication goes well, but not the authorization part... Every new user that is added to myrealm (same group as one defined in won't authorize, but it authenticates. What have you chosen in the ADF Security wizard, ADF Authentication and Authorization or just ADF Authentication?
Thanks, Florin POP
I use ADF Authentication and Authorization and after that I chose LDAP (so ADF will not use the jazn-data users).
I changed the standard provider to sufficient and the SQL provider also to sufficient.
and you have to map the wls to the adf roles in weblogic.xml.
See my previous post
then it works.
Hi Edwin,
Did you try to deploy this application on a standalone WebLogic?
It is working for me from JDev 11g on the embedded WebLogic but not on the standalone. Any idea?
Note that I migrated security as explained by Steve but still can't login.
Hi , it should work.
Maybe you have to change the default security provider to sufficient; the default is required, so it will check the other provider too.
Thank you
It is working after changing the default security provider to sufficient.
Hi Edwin,
I need to insert/verify the password into the DB as encrypted. Right now it works fine with a plain text password. What should I do to enable the encryption from my application and from WebLogic?
The scenario I can see is that before inserting a user from my application I need to encrypt the password using a JCE algorithm like SHA-1. In this case how can I tell WebLogic to verify the password as encrypted?
Normally you encrypt the password with SHA-1 once; then when the user logs in, this password is encrypted again and compared with the DB value.
It is never decrypted, only compared.
thanks Edwin
How will WebLogic do the job and encrypt the password to compare it if I am using this blog's method to authenticate?
Unchecking "Plaintext Passwords Enabled" seems not to work.
Do you have your own login page or do you use the standard login box of your browser? In this case WLS will capture this and encrypt the password with SHA-1 and compare this with the DB password column.
maybe this can help you
I am using Form-Based Authentication with my own login.jspx which uses j_security_check to check the authentication.
Right now there is no encryption when sending the password and it works.
My question is how to tell wls to encrypt the password before compare it with the password column into DB?
I am sure there is a property to set to tell wls to encrypt or not and which algorithm to use. No?
Where is this property?
Maybe you'd better make a post in the WLS or JDev forum; in the meanwhile I will test this.
thanks Edwin
Hi Edwin,
I need your help about WebLogic security with a database table.
I tried to do it according to your posting but I am getting an error, and I tried different ways to run the WebLogic domain but did not find any solution, please reply to me.
here :
When you delete the provider, is it working again?
How did you create the provider, in the console or in the config.xml?
thanks Edwin
I created the provider via the console. The server failed to start after doing this.
Do I need to create the RDBMS Security Store first? I am confused about how SQL authentication can work.
I tried to do the RDBMS Security configuration, what I found in config.xml, and am getting an exception,
see sec:rdbms-security-store in
When I deleted this sec:rdbms-security-store tag it started successfully.
Do I need to create the RDBMS Security Store first?
No, you don't need this. The RDBMS security store is only for storing all keys / passwords etc. in a database instead of the file system.
You need to go to the myrealm security realm -> providers / authentication and add a new SQL authenticator.
If you still want to create an RDBMS security store, then use the configuration wizard for this.
thanks Edwin
Hi Edwin,
Thank you for your clarification.
I have another question: how do I get a connection to a particular database? Because there is no option to define connection parameters in the SQL authenticator provider. So what is the mechanism to access the database?
Hi Edwin,
It works fine after creating a JDBC data source via Users and Groups > Summary of Services: JDBC > Summary of JDBC Data Sources.
Did you ever figure out the encryption part? I'm having the exact same issue.
Hi Edwin
Is there any reason in this post why you modified the config.xml directly rather than using the console? A bug or just easier to work with the config.xml file?
Hi Chris.
No, it was too much work to type into the WLS console; next time I will use a WLST script.
Thanks Edwin, really useful post.
Hi Edwin,
How did you get the DB roles on the .jspx page?
I'm trying this:
for ( String role : ADFContext.getCurrent().getSecurityContext().getUserRoles() ) {
System.out.println("role "+role);
}
but the only thing I get is anonymous-role and authenticated-role!!
There is another problem: I cannot point the application to the correct realm (the second one I created), it keeps taking the default realm...
Hi Renan,
Make a backing bean with a method which returns a string:
public String getRoles() {
    // start from an empty string, not null, so the result does not begin with "null"
    String roles = "";
    for ( String role : ADFContext.getCurrent().getSecurityContext().getUserRoles() ) {
        roles = roles + role + " ";
        System.out.println("role "+role);
    }
    return roles;
}
And when you created a second realm, did you also use this as the default realm? I think it is a domain setting.
thanks Edwin
Hi Edwin,
Thanks for your useful post.
I have the following requirement for user authentication and authorization. This is an enterprise web application which includes BPEL, Web Services, BRE etc. The application is built using ADF, JDeveloper 11g and JHeadstart as well. The end user should have a user management panel to define users, roles, and grant permissions to roles.
Based on this architecture I have two questions:
1. It seems that we should choose the JAAS model, so BPEL and the other technologies can integrate with the core application authentication and authorization mechanism. Is it right, or can we have a better choice?
2. If we switch to JAAS, we cannot deliver a user management that the end user can work with. So, if we store the credential and grants information in the database tables, we can easily write the user management module. On the other hand, we need to be JAAS, so is there any way to have a Database JAAS Provider or Database LDAP Provider?
Thank you in advance
Farnoush (
Hi Farnoush,
See below.
The end user should have a user management panel to define users, roles, and grant permissions to roles.
Based on this architecture I have two questions:
1. It seems that we should choose the JAAS model, so BPEL and the other technologies can integrate with the core application authentication and authorization mechanism. Is it right, or can we have a better choice?
Yep, that will work. And are you using BPEL 10.1.3 (maybe then LDAP is better than the SQL authenticator)? ADF can use JAAS and in WLS still use the SQL authenticator.
2. If we switch to JAAS, we cannot deliver a user management that the end user can work with.
In the WLS console you can still add or change users and roles,
or use the WLS SQL authenticator and for example use the default ADF views of JHeadstart to change the users and roles.
So, if we store the credential and grants information in the database tables, we can easily write the user management module. On the other hand, we need to be JAAS, so is there any way to have a Database JAAS Provider or Database LDAP Provider?
Use the WLS SQL authenticator.
thanks Edwin
Dear Edwin,
Thanks for your reply.
It seems that the sql authenticator will support only the authentication part, I mean it will only retrieve the user name and passwords for authentication from the database.
But I need to save the grants and permissions and all the authorization information in the database as well.
My native end user can not work with wls console or any other IDE like JDeveloper and I should build a custom user management application module based on the database that I hope to be able to save both authentication and authorization data in it as well.
It seems that the sql authenticator will support only the authentication part,
It does both: you will get the roles too and map these in the weblogic.xml to the application roles.
My native end user can not work with wls console or any other IDE like JDeveloper and I should build a custom user management application module based on the database that I hope to be able to save both authentication and authorization data in it as well.
Yep, that is easy: when you use JHeadstart you will get the data model and ADF views out of the box.
thanks Edwin
Hi Edwin,
Is this approach supported in 12c?
Hi again Edwin,
Is it possible to use those 'table' roles to grant and block pages in jazn-data.xml?
If yes, how can I do it? Because I don't see the table roles in the app-level roles...
What do you mean exactly? I know you can disable a table by checking #{securityContext.userInRole['roleList']}
And take a look at this adf security policies document.
and adf bc has support for security on the transaction level.
hope this helps
Hi Farnoush,
Can you take a look at this document, chapter 30.11.2.
Only I don't think you can do it dynamically.
I don't mean ADF tables, I mean the database tables... The problem is that I can't use my database roles in jazn-data.xml.
You can always make your own WebLogic authenticator.
Hi Edwin
Thanks for your link, but I do not want the custom permissions; the permission set is defined at design time. What I need to be dynamic at runtime is the ability to define new roles and assign permissions to those roles by the end user (user management administrator). It is something like what happens in JHeadstart Custom Security.
By the way, the authentication works properly with this method that you've mentioned in this post, I am searching for a mechanism that support authorization as well.
Hi Farnoush,
You can make your own WebLogic security provider or post a question in the WebLogic security forum of OTN; maybe they can help you.
Thanks Edwin
Hi Edwin,
Nice topic. I tried the same but in vain. Below are the step details I followed:
I was using JDeveloper with the integrated WebLogic 10.3.
I had four below pages -
1. Login.html (created during ADF Security configuration)
2. Logout.html (created during ADF Security Configuration)
3. welcome.jsp (Also I choose to create it during ADF Security Configuration)
4. My own jspx(main.jspx).
Before ADF security configuration I was able to browse this main.jspx.
Next I set up ADF Security configuration - and I created two below user
1. aaa
2. bbb
Next I set up my ADF Policies to secure my page main.jspx and ran my application from the JDeveloper IDE. It ran successfully as expected. It asked me for login. After login I got into welcome.jsp. Next I tried to visit main.jspx and I got the displayed.
Next, as per your blog, I unchecked those options so that the application does the credential check against my DB table.
My DB table was different from yours; it was as per the WebLogic recommendation as below:
In user table I filled below sample data
'aaa','information', 'Test User'
In Groups table below is my sample data
'valid_users','Test Group'
'users','Test Group'
In groupmembers table below is my sample data -
I created my provider with SQL Authentication and made it SUFFICIENT. By the way I made it SUFFICIENT for the default Authenticator too.
Now I started my server and was able to see all the users and groups defined in DB table.
I deployed my .ear, visited my login.html and provided the credentials (UID and PWD), but in vain. I did not get my welcome.jsp. To make it clearer I am attaching my console error here:
Error 403--Forbidden
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.4 403 Forbidden
The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.
Now I tried to access main.jspx in the same browser by just typing the URL and got the error below in the console:
on:V2.0]] Servlet failed with Exception
java.lang.RuntimeException: Cannot find FacesContext
at javax.faces.webapp.UIComponentClassicTagBase.getFacesContext(UICompon
at javax.faces.webapp.UIComponentClassicTagBase.setJspId(UIComponentClas
at jsp_servlet.__main_jspx._jspx___tag0(
at jsp_servlet.__main_jspx._jspService(
at weblogic.servlet.jsp.JspBase.service(
Truncated. see log file for complete stacktrace
By the way I got one statement in my console while starting up my server:
Overwriting credentials is allowed in application credential store migration with Weblogic server running in Development Mode and system property '' set to true
Could you please help me out with where I am going wrong. I am sure somewhere I am missing the configuration.
Thanks in advance for your time to read my message.
Subrata B.
I tried the same. With it works fine, but the time I tried the same with DB tables I got an error. I am sending a detailed mail to you to give you a clear idea about the issue I faced. I was trying to post the same here but I feel due to some max char restriction it was not getting published. Please have a look at my mail and provide your valuable suggestion.
Thanks in advance
Subrata B.
I think you forgot to map the WLS roles to your application roles. You can do this in the weblogic.xml located in the web-inf/ folder.
Else the WLS DB user doesn't have the right application roles.
Sorry, but how can I do the mapping of the WLS roles to my application roles?
Here is an example of the weblogic.xml located in your WEB-INF folder:
<?xml version = '1.0' encoding = 'windows-1252'?>
<weblogic-web-app xmlns:xsi="" xsi:schemaLocation="" xmlns="">
Edwin, after I modified "config.xml" I restarted the WL server. But it automatically reverted the changes I had made. I am confused. Please let me know. Thanks.
Strange, maybe you added it in the wrong place. Can you add a SQL authenticator from the console and after that stop WLS and add the rest of the stuff in the config.xml?
thanks Edwin
hello Edwin!
Is LDAP necessary for authentication with a SQLAuthenticator provider?
If your answer is no, then how can I configure ADF security in my application?
Oh no, you don't need LDAP. I used the same LDAP webapp to test this SQL authenticator. For this you only need a database with some tables.
Here you get more info on ADF
Dear Edwin,
I have followed the steps and also I have read all the comments; many people like me have the problem that the authentication part is done but the authorization is not.
I also have checked the weblogic-application.xml.
I would really appreciate it if you provide us the sample application for your post in the latest version.
I am just making some blogs about the subject.
But basically:
run the ADF security wizard,
and you only need to have the valid user mapping in weblogic.xml, and the same role in web.xml.
Then you should add the WLS roles you need in the enterprise role part in jazn.
Then add some application roles in jazn, and map enterprise role to application role.
Then add ADF security to the pages by adding an application role with view right to the page or fragment.
Hi, I just finished a test case where I have 3 app roles (manager, coordinator, analyst) and I created 3 enterprise roles wlsmanager, wlscoordinator and wlsanalyst too. I modified weblogic.xml to register the enterprise roles and principals (in this case the principals are app roles). After that I added the enterprise roles in web.xml and in the section I added these roles too.
Later in jazn.xml I added enterprise roles and app roles; to the app roles I associated the enterprise roles previously created, and finally I created one page and granted view access to the manager and coordinator app roles.
Previously I registered the SQL authenticator provider and followed the steps that you share in others of your posts.
Result: It's working!! but...
I log in with 3 different users:
user1 had role manager
user2 had role coordinator
user3 had role analyst
I expect that user3 cannot see the page (because he doesn't have view access), but he can view it. I show the roles that the user has and it gives me only authenticated-role, anonymous-role and analyst. What's wrong?
Please I hope you could help me.
Hi Edwin,
We have a requirement to build the security module for our application using OPSS and ADF 11g. We have to develop a custom screen in the application to perform user administration and not through the WebLogic console or Fusion Middleware Control. Can you show us the link or some materials which do it? We have to do it through DB authentication and not through LDAP or a flat file.
Hi oscarmjv
Can you check the page authorization?
When you have anonymous or authenticated then this explains it. When you remove these app roles from the page then this one cannot log in.
Hi Sara,
Don't know OPSS but I think you can use this blog in combination with ADF Security and add a login page. This is described in the ADF documentation.
Thanks a lot for your answer, I finally made my example run; the problem was a confusion between enterprise roles and application roles. Now I try to follow your example about dynamic menus based on roles. And about this I have a question: can I have two tables, one with enterprise roles and another with application roles, and make my menu over the application roles? Because in my previous example I made a one-to-one mapping between roles.
You can only have one table for the enterprise roles (SQL authenticator in WLS); the application roles are only added by ADF Security in the jazn xml or in the weblogic.xml.
thanks Edwin
In my current project, where you helped me to understand and clarify better the concepts of authentication and providers, I created a SQLAuthenticator and everything goes OK, until my boss told me to use the project with some BPEL processes. The problem here is that if I create, configure and use some account properties of the embedded LDAP like mail, notifications work well. I want to use the SQLAuthenticator in the SOA Suite server too, but I see that with this provider the properties section does not exist in the WebLogic console. What can I do?
Could you help me?
Indeed, Human Workflow and the SQL authenticator do not work well together. It relies on an LDAP repository with all the attributes. You can use the internal LDAP or use AD / OID etc.
But you can use the same LDAP provider in your web application. This works perfectly.
Marc Kelderman has a solution to use the SQL Authenticator with Human Workflow
Thanks a lot for your answer, I'll check the sites that you mentioned, but I have another question. I read in your post "Creating Users and Groups in Weblogic with WLST" a great way to create users, but based on your example I was looking in WebLogic's documentation for a way to configure properties like "mail", but I can't find information or an example. Please could you help me again (I am sorry :( )
First, when you use an LDAP authenticator, like the internal one of WebLogic, you can set these properties in the WLS console at a user (myrealm security realm), or you can do it in Java and maybe this can help you.
I don't think you can set email with a SQL authenticator.
Thanks a lot again !! I read the post that you told me and I think it contains a good approach and it can work for me. Java World is new to me and SOA concepts too, but with your guide and pointers everything goes Ok.
I have two applications on the same domain and security realm running on different JDBC data sources and authentication providers.
The problem is, my users are getting confused between applications; for example, I can log in with weblogic/weblogic on my application...
Do you know how I can solve this????
Do you only have authenticated users as your security in your apps? Then this explains it.
you should use specific unique groups in your authenticators and map this to the adf enterprise roles & adf application roles of your ADF Application. These applications roles can be the role for the jsf pages and task flows and don't use authenticated role.
for more information see this.
Could we have LDAP for authentication and Database tables for Authorization?
Could we have LDAP for authentication and Database tables for Authorization?
I never tried it but I think it is possible. Add two authenticators, all authenticators on sufficient, and the user must exist in both authenticators. And let's hope that WebLogic will merge these authenticators.
Thanks for quick reply. I'll try your suggestion. If not I am assuming that I should implement custom JAAS module. Do you agree?
Hi, I followed this example and could create users and groups on WLS using the SQL authenticator; the problem I found is when I use my login:
byte[] pw = _password.getBytes();
HttpServletRequest request =
CallbackHandler handler = new SimpleCallbackHandler(_username, pw);
try {
Subject mySubject = Authentication.login(handler);
ServletAuthentication.runAs(mySubject, request);
String loginUrl = "/adfAuthentication?success_url=/faces/TextoVuo";
HttpServletResponse response =
sendForward(request, response, loginUrl);
If my user uses the DefaultAuthenticator it works OK, but when my user uses the SQL authenticator db_users it goes through FailedLoginException.
Any ideas? Thanks!!
Please check if all your authenticators have sufficient as control flag,
and then follow this, especially the part about enterprise roles and application roles.
Hi Edwin,
I've configured my application to work with my custom authentication tables based on your proposed solution.
Do you have any clue how I can configure the SOA Suite workflow service to use my custom authentication tables as well?
Marc Kelderman's solution which you have mentioned is a file-based configuration for SOA Suite.
Farnoush (
hi edwin
I created some tables for user management and defined a security realm provider for it in the WebLogic console, but when I want to enable ADF security in my application I cannot find an LDAP connection in the ADF security wizard.
In the first page of the wizard I select ADF authentication and authorization, in the second page I choose form based authentication and select viewcontroller.jpr as the web project, but in the third screen of the wizard there is no LDAP for selecting, and finally my application only uses jazn.xml as provider.
my jdeveloper version is
thank you
No need for an LDAP connection, just complete the wizard and manually add your enterprise and application roles and add security to your pages and task flows.
Please follow this guide, especially the part about enterprise roles and application roles.
hi edwin
Thanks for your reply.
I did what you said and my application now authenticates users with the Oracle user table, but there is one more problem. The security context loads the user data and its roles from the tables properly, but when I define a security policy for a jsf page in jazn-data.xml it does not work.
For example test_user has the admin role based on the Oracle tables. In the application the following statement returns true when I log in with test_user
but when I grant untitled1 (jsf page) to the admin role in jazn-data.xml I cannot view this page as test_user.
thank you
Did you map all the enterprise roles to the application roles?
And do a System.out of the user's application roles. And the pages need to have Page Definitions.
thanks for your reply edwin
I found the source of my problem.
Every time I run my application in the integrated WebLogic, JDeveloper inserts the jazn enterprise role in the roles table with a new id.
I want to create a user management form for the end user to assign roles to users at run time, but I cannot assign a role to a user correctly because the role id changes every time the application runs. I know this problem comes from the tag in the default domain config file.
You wrote the insert command in this tag, so every time the application is deployed on WebLogic this command inserts the enterprise role in the roles table with a new id.
I don't know how to write the insert in this tag so that it doesn't change existing roles.
The current insert role statement in the config file is:
insert into jhs_roles(id, short_name, name) values (jhs_seq.nextval, ?, ?)
thanks for your help
You can disable the role creation in the application settings.
Or when you use JHeadstart this is also an option.
hi edwin
Thanks for your help.
I unchecked the deploy users and groups check box in the JDeveloper security configuration window and my previous problem was solved.
But I face another problem.
I have some jsf forms in the web content root and some forms in a test folder placed inside web content. All of my root forms work based on the jazn policy (I can see them after login), but when I want to access the test folder forms I always get Error 401--Unauthorized.
Even if I set anonymous for the test folder forms in jazn I get the same error.
The complete error message is:
The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.
Hi Edwin,
I am using jdeveloper
I have done adf security as shown in this link
I want to use database tables as authentication provider with respect to a particular application.
For example: I have a wls domain which has numerous applications; all use adf security and use different schemas for roles and user management.
you have defined the database tables and schema in the domain config.xml, so i think that will be common to all applications...
So can you provide me some links to tutorials or blogs that teach me how to do this...
indeed, every authentication provider works for every application. so the trick is to use unique application roles in your application.
so then it does not matter.
Thanks for the reply.
indeed, every authentication provider works for every application. so the trick is to use unique application roles in your application.
The roles can be easily distinguished by providing some prefix against it.
For example:
Hi Edwin,
What if i have 2 applications in a domain, and 2 sqlauthenticators connected to different schemas used by both applications.
Assume coincidentally both sqlauthenticators have a user with the same userid, won't it cause a problem???..
Is there any way to point an application to use a particular sqlauthenticator.
Can you please provide any pointers for this type of problem.
Thanks & Regards,
We did it for three applications with no problem at all.
We defined three jdbc connections, then we added three jazn providers and added the right SELECT statements depending on the user/role tables (config.xml).
It works well even for the same userid because the userid is under the jazn provider name, so no conflict.
Best regards
Hi jn1234,Edwin
I have 2 applications and 2 sqlauthenticators; one application uses one sqlauthenticator and the other uses the other sqlauthenticator for authentication.
Suppose both sqlauthenticators have the same userid, then how can authentication be distinguished between the 2 sqlauthenticators for a web application??
Any pointers..?
Don't know exactly, but I think the userid of the first sql authenticator will be used for authentication and I think the second userid will be ignored or the roles are merged with the first userid.
Try it out and let me know.
Every sqlauthenticator has a provider name (DB1_users, DB2_users, etc...)
and every provider has a data-source (JDBC-schema1, JDBC-schema2, etc...)
so no conflict at all between the same names since every name comes from a different provider and datasource.
Go to console>Security Realms/myrealm>users and Groups
If you have two or more sqlauthenticator with the same name in the DB you will find these names with a different provider: admin/DB1_users, admin/DB2_users etc...
I tested all of this and it works well.
Best regards
Hi Edwin,
I am testing DB Authentication in Integrated WLS. If I edit the config.xml file for Integrated WLS, will any application deployed to Int WLS, if configured by ADF Security, authenticate by DB?
Is it ok to do DB Authentication in Integrated WLS?
Hi Edwin,
I was trying your post in Integrated WLS. I am following your post. I edited the config.xml file of Int WLS. Edited web.xml, weblogic.xml with app roles, ie. ADMIN_APP, USER_APP. I also created these roles in jazn-data and gave the view permission on the page.
I did not create an enterprise role or any user, as I am thinking user info must be loaded from the db. "Authorization Check Failed" is coming. Please guide me.
please read this
and this one for adf security
Hi Edwin,
I am experiencing a hard time implementing this db security. Everything seems to be ok as i followed your post and even followed the remarks. At login time, the ORA-01005: null password given; logon denied error is coming. My standalone WLS is extended already. SQLAuthenticator is able to locate the db tables. Can you point out what I am missing here?
Go to your WLS console and check in security/realm that all your roles/users are well loaded from your DB.
This can help to know where to check
All users/roles are properly showing in myrealm in the WLS console.
They are matching with db tables values.
Still in same problem.
What I can see is that your setup is good and you have a problem on the Oracle DB side.
Is your application working when disabling the security authentication?
Try to change to another Oracle DB installation and test.
I raised this issue on OTN -
It is working in integrated wls with security and without security.
No, I am on the prod db. I cannot change this.
ORA-01005: null password given
this is given by the authenticator (wls side), so somehow the password is wrong.
did you copy the authenticator from the integrated config.xml? if so then you need to remove the password field and enter it again. the password is machine specific.
I didn't copy from intg wls. I am editing the config.xml of standalone wls. however, I re-entered the password fields but same error. However, on starting wls, I see a message 'PL/SQL statement ignored' and some truncated logs. Is this causing some problem?
Ok try to do it from wlst or in the console.
Hi Edwin,
I have implemented adf security to login with sql authenticator. Now how can I change passwords for my users from the user end. Also I need to create new users (from an admin page). Currently I am doing this from the weblogic server. But our requirement states that it needs to be done from the application. Can you please tell me how to do this or provide links for the same?
it depends, if you use plain text passwords (not recommended) then you can generate an ADF page on that table
else you need to know how weblogic does the sha password encryption and do the same from adf on the password field.
Hi Edwin
I have the same problem as Ramesh
I want to use LDAP for authentication and Database tables for Authorization but I couldn't do that, did you try that
I didn't try to combine two authentication providers, but does WebLogic not merge the users and groups of two authentication providers? maybe the users should have the same password.
I think the first authenticator will be used for the password.
let me know what you tried.
I found solution on one forum:
and in the bean of login.jspx
import java.io.IOException;
import javax.faces.application.FacesMessage;
import javax.faces.component.UIViewRoot;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import oracle.adf.view.rich.component.rich.input.RichInputText;
import weblogic.security.Security;
import weblogic.security.principal.WLSGroupImpl;
import weblogic.servlet.security.ServletAuthentication;

public void login(javax.faces.event.ActionEvent actionEvent) {
    Subject mySubject;
    FacesContext fctx = FacesContext.getCurrentInstance();
    HttpServletRequest request = (HttpServletRequest)fctx.getExternalContext().getRequest();
    HttpServletResponse response = (HttpServletResponse)fctx.getExternalContext().getResponse();
    UIViewRoot viewRoot = fctx.getViewRoot();
    // read the credentials entered in the login page components
    RichInputText username = (RichInputText)viewRoot.findComponent("usrfield");
    String usernameStr = (String)username.getValue();
    RichInputText password = (RichInputText)viewRoot.findComponent("pwfield");
    String passwordStr = (String)password.getValue();
    //CallbackHandler handler = new SimpleCallbackHandler(usernameStr, passwordStr);
    try {
        // let the container (and so the configured authenticators) check the password
        int authSuccess = ServletAuthentication.login(usernameStr, passwordStr, request, response);
        if (authSuccess == ServletAuthentication.AUTHENTICATED) {
            try {
                // add group principals to the authenticated subject, then go to the welcome page
                mySubject = Security.getCurrentSubject();
                for (int i = 0; i <= 10; i++) {
                    mySubject.getPrincipals().add(new WLSGroupImpl("Role" + i * 10));
                }
                ExternalContext ectx = fctx.getExternalContext();
                ectx.redirect("faces/" + "welcome.jspx");
            } catch (IOException e) {
                // redirect failed; nothing is reported to the page here
            }
        }
    } catch (LoginException le) {
        String message = le.toString();
        fctx.addMessage("usrfield", new FacesMessage(FacesMessage.SEVERITY_ERROR, message, null));
    }
}
and this works very well
what do u think?
Hi Edwin,
Your post is working for me.
but I want this to work in my custom login.jspx page. I don't want to use the browser login dialog.
How can I do that?
here we go, it is explained in the oracle documentation
Thanks a lot for the post.
It helps in solving my issue
I was wondering if you or anyone out there can offer any advice? I have a simple weblogic domain running one MS and one AS, I have one deployed App.
The app requires SQL Authentication from a HSQLDB source. I have created the source and that tests OK, I can also use the light hsqldb gui and run a test statement that lists the users.
I have set up a provider in the realm and set all my sql statements up (these were checked in the step above)
However, when I try and log into the application I am getting access denied. The logs aren't telling me too much - I have also noticed that in the realm, when I click users and groups, nothing is displaying from my remote resource. I can provide all source files if anyone is struggling to think what this could be, as well as log files.
"...I have also noticed that in the realm, when I click users and groups"
This means you have a problem with the setup of the DataSource or the Realm.
We can start by looking at your config.xml file from the location below if you are running the embedded WLS.
Hi Jamil,
Thanks for your response; I guess that confirms my thoughts regarding not listing the remote users. I've substituted code blocks for {} as it seems code and pre blocks are disabled here.
{sec:authentication-provider xsi:type="wls:default-authenticatorType"}
{sec:authentication-provider xsi:type="wls:default-identity-asserterType"}
{sec:authentication-provider xsi:type="wls:sql-authenticatorType"}
{wls:sql-get-users-password}SELECT accountpassword FROM account WHERE accountname = ?{/wls:sql-get-users-password}
{wls:sql-user-exists}SELECT accountname FROM account WHERE accountname = ?{/wls:sql-user-exists}
{wls:sql-list-users}SELECT accountname FROM account WHERE accountname LIKE {/wls:sql-list-users}
{wls:sql-list-groups}SELECT rolename FROM roles WHERE rolename LIKE ?{/wls:sql-list-groups}
{wls:sql-group-exists}SELECT rolename FROM roles WHERE rolename = ?{/wls:sql-group-exists}
{wls:sql-create-user}INSERT INTO account VALUES ( ? , ? , ? {/wls:sql-create-user}
{wls:sql-remove-user}DELETE FROM account WHERE accountname = ?{/wls:sql-remove-user}
{wls:sql-set-user-password}UPDATE account SET accountpassword = ? WHERE accountname = ?{/wls:sql-set-user-password}
{wls:sql-create-group}INSERT INTO roles VALUES ( ? , ? ){/wls:sql-create-group}
{wls:sql-remove-group}DELETE FROM roles WHERE rolename = ?{/wls:sql-remove-group}
{sec:role-mapper xmlns:xac="" xsi:type="xac:xacml-role-mapperType"}{/sec:role-mapper}
{sec:authorizer xmlns:xac="" xsi:type="xac:xacml-authorizerType"}{/sec:authorizer}
{sec:adjudicator xsi:type="wls:default-adjudicatorType"}{/sec:adjudicator}
{sec:credential-mapper xsi:type="wls:default-credential-mapperType"}{/sec:credential-mapper}
{sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"}{/sec:cert-path-provider}
To my untrained eye it looks ok but if you see anything obvious please do say :)
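As an added example (not code from the post, from the commenters, or from WebLogic), here is an offline emulation of the SQL authenticator's lookup contract: it counts the bind parameters of a statement set like the one posted above, runs the user, password and group queries against an in-memory SQLite copy of the account and roles tables, and encodes passwords for the plaintext and SHA hashed styles discussed earlier in the thread. The table layout, the groupmembers table and the {SHA-1}/{SSHA} encoding are assumptions to verify against your own provider settings.

```python
# Added example, not code from the blog post or from WebLogic itself: an
# offline emulation of the SQLAuthenticator query contract, to sanity check a
# statement set and the password encoding before putting them in config.xml.
import base64
import hashlib
import hmac
import os
import sqlite3

# Number of '?' bind parameters the provider supplies to each statement
# (keys follow the wls:sql-* element names of the sql-authenticator config).
EXPECTED_PARAMS = {
    "sql-user-exists": 1, "sql-get-users-password": 1, "sql-list-users": 1,
    "sql-group-exists": 1, "sql-list-groups": 1, "sql-is-member": 2,
    "sql-list-member-groups": 1, "sql-create-user": 3, "sql-create-group": 2,
    "sql-add-member-to-group": 2, "sql-set-user-password": 2,
}

# Constructed tables matching the account/roles statements posted above, plus
# a membership table (assumed name: groupmembers) for the group queries.
SCHEMA = """
CREATE TABLE account (accountname TEXT PRIMARY KEY, accountpassword TEXT, description TEXT);
CREATE TABLE roles (rolename TEXT PRIMARY KEY, description TEXT);
CREATE TABLE groupmembers (rolename TEXT, accountname TEXT);
"""
STATEMENTS = {
    "sql-user-exists": "SELECT accountname FROM account WHERE accountname = ?",
    "sql-get-users-password": "SELECT accountpassword FROM account WHERE accountname = ?",
    "sql-list-users": "SELECT accountname FROM account WHERE accountname LIKE ?",
    "sql-list-member-groups": "SELECT rolename FROM groupmembers WHERE accountname = ?",
    "sql-create-user": "INSERT INTO account VALUES ( ? , ? , ? )",
    "sql-create-group": "INSERT INTO roles VALUES ( ? , ? )",
    "sql-add-member-to-group": "INSERT INTO groupmembers VALUES ( ? , ? )",
}

def check_statements(stmts):
    """Names of statements whose '?' count does not match the provider contract."""
    return sorted(n for n, sql in stmts.items()
                  if n in EXPECTED_PARAMS and sql.count("?") != EXPECTED_PARAMS[n])

def encode_password(plain, style="SALTEDHASHED", salt=None):
    """Encode a password for storage the way the provider's Password Style does.
    Assumption: LDAP-style {SHA-1}/{SSHA} prefixes with SHA-1, as in WebLogic's
    own store; confirm Password Style and Password Algorithm on your provider."""
    if style == "PLAINTEXT":  # the 'not recommended' option from the thread
        return plain
    if style == "HASHED":
        return "{SHA-1}" + base64.b64encode(hashlib.sha1(plain.encode()).digest()).decode()
    if style == "SALTEDHASHED":
        salt = os.urandom(4) if salt is None else salt
        digest = hashlib.sha1(plain.encode() + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode()
    raise ValueError("unknown password style: " + style)

def verify_password(plain, stored):
    """Constant-time check of a candidate password against any stored style."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
        return hmac.compare_digest(hashlib.sha1(plain.encode() + salt).digest(), digest)
    if stored.startswith("{SHA-1}"):
        raw = base64.b64decode(stored[len("{SHA-1}"):])
        return hmac.compare_digest(hashlib.sha1(plain.encode()).digest(), raw)
    return hmac.compare_digest(plain.encode(), stored.encode())  # PLAINTEXT style

class SqlAuthenticatorEmulator:
    """Runs the provider's lookups against an in-memory SQLite copy of the tables."""
    def __init__(self, stmts=STATEMENTS, style="SALTEDHASHED"):
        self.stmts, self.style = stmts, style
        self.conn = sqlite3.connect(":memory:")
        self.conn.executescript(SCHEMA)
    def create_user(self, name, password, description=""):
        self.conn.execute(self.stmts["sql-create-user"],
                          (name, encode_password(password, self.style), description))
    def create_group(self, group, description=""):
        self.conn.execute(self.stmts["sql-create-group"], (group, description))
    def add_member(self, group, name):
        self.conn.execute(self.stmts["sql-add-member-to-group"], (group, name))
    def user_exists(self, name):
        return self.conn.execute(self.stmts["sql-user-exists"], (name,)).fetchone() is not None
    def authenticate(self, name, password):
        """The login path: the user row must exist and the stored password must verify."""
        if not self.user_exists(name):
            return False
        row = self.conn.execute(self.stmts["sql-get-users-password"], (name,)).fetchone()
        return verify_password(password, row[0])
    def list_users(self, like="%"):
        """What the console's Users tab lists; an empty result usually means a broken query."""
        return [r[0] for r in self.conn.execute(self.stmts["sql-list-users"], (like,))]
    def groups_of(self, name):
        return sorted(r[0] for r in self.conn.execute(self.stmts["sql-list-member-groups"], (name,)))
```

Running check_statements over your own statement set before you paste it into config.xml catches a missing placeholder, which otherwise shows up only as an empty Users and Groups tab.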
can you set all the weblogic logging to debug/trace and enable debug on the jdbc and security sections in the debug tab.
this should give you some clue.
Hi Edwin,
I'd enabled debug but don't see a huge amount of useful information or a glaring fault. I'll upload the logs to my googledocs space later and share the link.
For an unknown reason my post did not pass yesterday.
Please check our working config.xml (security-configuration) so I hope you can find the cause.
Note that we have two authentication providers.
Oops I forgot the link
I don't see anything wrong, check your jdbc targeting and your database drivers, maybe you need to replace them
Yes my config.xml is working well but I sent it to Dave to let him compare with his not working file.
Hope it will help
Hi Edwin,
Thanks very much for this article.
Is it possible to map enterprise roles and users to application roles at runtime?
Many thanks,
Don't think so, you need to update the jazn-data.xml of WebLogic; this can be done with deployment or in Enterprise Manager and maybe wlst.
But not at runtime. This has to be done in a session which affects every other user session; it will be a bit messy.
Maybe you can do something with the wls enterprise roles, change them and reload it.
Apologies for the disappearing act; we got to the root of our issues. Our HSQLDB.jar was corrupt. Despite showing in the console and the connection testing correctly, also being able to open it and view files there was something corrupt in there somewhere.
Needless to say the service is running and we're sorted.
Thanks for your help; I'll keep checking in to see if I can offer any help along the way!
Hi Edwin,
Is it possible to skip the authentication part, and use only the authorization implementation using the SQL Provider? In ADF it by default comes with Authentication and Authorization.
What if the application authentication is done from SSO which provides a payload and based on the payload there are some tables with roles and users. I know you will advise to use a WLS Identity Asserter. Do you have any example on a WLS Identity Asserter or can we achieve this using the SQL Provider? If yes, how?
Thanks for a wonderful blog.
I think you can use both, sso and sql authenticator.
I do the same with saml; the saml authenticator will check the password and it is combined with the users and roles of the internal wls ldap.
the roles of the two authenticators will be combined.
Hi Edwin.
I've done it. But a Login denied error occurs when i use it on an osb web service for user authentication.
How to set the application user role for db table users as weblogic application users.
What did you do on the osb proxy for the security part? and does it work with the internal ldap users and roles?
Hi Edwin I followed this post but when I restart my weblogic and again go to myrealms. I am only seeing Default Authenticator users. I am not able to see db_users
Recheck your config.xml and make sure you have your db_users there with the right format.
This is a working realm tag from config.xml
Thanks for the post. It helped. Now I want to authenticate the same database users in ADF Pages. How am I going to do it? Do I need to add the same database users and roles in jazn-data.xml? And do I need to change web.xml? Currently I am following this post but in vain, as I want to achieve it in jdeveloper, as there are 5 steps in adf security. Please help me
the database roles are the enterprise roles in the jazn. you need to add all db roles to the enterprise section, then you can map this to your own application roles.
for the adf pages , you need to have a pagedef and add the right application roles to it.
No need to change for web.xml, only need to have valid-users entry.
Several OTN forum threads refer to this blog post.
Be wary when using ADF Security (OPSS) with a SQLAuthenticator.
This is feedback I got in SR 3-4124753004 :
"If the you want to use DB as the identity store, then the supported way is to buy OVD server license and configure DB adapter in OVD and then configure an OVD authenticator in Weblogic. SQLAuthenticator will not be used as identity store. And, we do not recommend to use LibOVD for DB identity store. OVD server is the recommended and supported way."
related bugs are :
related forum threads are :
- "ADF Security : identity store : tables in a SQL database"
- "OPSS : addMembersToApplicationRole : The search for role failed"
Jan Vervecken
hi jan,
indeed it should only be used for authentication or authorization in a weblogic web application with or without adf security.
when you use webcenter , soa suite you should use a ldap server like oid or ad and maybe openldap. my experience is opss only works great with ldap.
so dont try to create or lookup user with the opss classes. just use it for container security.
thanks edwin
Hi Edwin,
Is it necessary to use Basic authentication with the sql authenticator? or can we use form based authentication also?
No problem, you can do what you want, authentication is handled by the container. After login the container will check the authentication providers.
Hi Edwin,
Thanks for the reply.
But when i tried to use the SQL authenticator first with BASIC authentication.
I have a custom login page and a protected page.
On successful login myrealm pops up asking for my credentials again.. only if i give my credentials again in the popup does it redirect to the protected page.. do you know why this is happening? I have both authentication providers as sufficient in weblogic.
with a custom page you should use form in the web.xml and not basic.
Hi Edwin,
i tried doing the form authentication but after i click log in on "login.jspx", the page just refreshes. it does not navigate to the protected page (home.jsf) at all.
my web.xml looks like this
and in my login bean i have specified the url also.
It used to work with BASIC authentication except for the above problem
but with form based it is not navigating at all; when i checked the bean it was calling the sendForward method but it returns back to the login page itself.
check the role mapping in the weblogic.xml and the url security patterns of the servlets.
and then how do you authenticate and redirect in the bean
like this
public String doLogin() {
    String un = _username;
    byte[] pw = _password.getBytes();
    FacesContext ctx = FacesContext.getCurrentInstance();
    HttpServletRequest request =
        (HttpServletRequest)ctx.getExternalContext().getRequest();
    CallbackHandler handler = new SimpleCallbackHandler(un, pw);
    try {
        Subject mySubject = Authentication.login(handler);
        ServletAuthentication.runAs(mySubject, request);
        ServletAuthentication.generateNewSessionID(request);
        String loginUrl = "/adfAuthentication?success_url=/faces" +
            ctx.getViewRoot().getViewId();
        HttpServletResponse response =
            (HttpServletResponse)ctx.getExternalContext().getResponse();
        sendForward(request, response, loginUrl);
    } catch (FailedLoginException fle) {
        FacesMessage msg = new FacesMessage(FacesMessage.SEVERITY_ERROR,
            "Incorrect Username or Password",
            "An incorrect Username or Password" +
            " was specified");
        ctx.addMessage(null, msg);
    } catch (LoginException le) {
        reportUnexpectedLoginError("LoginException", le);
    }
    return null;
}
My login bean
    FacesContext ctx = FacesContext.getCurrentInstance();
    HttpServletRequest request = (HttpServletRequest)ctx.getExternalContext().getRequest();
    BindingContainer bindings = getBindings();
    ExternalContext ectx = ctx.getExternalContext();
    HttpServletResponse response = (HttpServletResponse)ectx.getResponse();
    String loginUrl = "/adfAuthentication?success_url=/faces/home.jsf";
    sendForward(request, response, loginUrl);
and the send forward method is
    private void sendForward(HttpServletRequest request, HttpServletResponse response, String forwardUrl) {
        FacesContext ctx = FacesContext.getCurrentInstance();
        ExternalContext ectx = ctx.getExternalContext();
        forwardUrl = request.getContextPath() + forwardUrl;
        try {
            // the statement inside this try block was lost when the comment was posted;
            // restored here as the redirect that the surrounding code and the IOException catch imply
            ectx.redirect(forwardUrl);
        } catch (IOException ioe) {
            reportUnexpectedLoginError("IOException", ioe);
        }
    }
and url pattern is
-- Faces Servlet
Hi Edwin,
It is now actually navigating to the next page when the page is given the anonymous role. but when i provide security for the page it is doing a redirect to the page and moving back to the login page.
first I think you need to add the Error, Home and Login jsf pages to the adfc-config (unbounded TF), else they will run outside the adf controller
also add a pagedef (can be almost empty) to these pages: open the page, right click and go to page definition. This way you can set security in jazn
Do you use a user with the weblogic role APPLICATION USER
Now go to the jazn-data.xml
add view permission to the pages; login can be anonymous and home -> authenticated or application role.
also add authenticated or application role to the Task Flows.
Hi Edwin,
We have a requirement for our application to use an LDAP (AD) server for authentication and a DB for group authorization.
We tried the suggestion posted above to configure two security providers, one for LDAP AD and another one (SQL Authenticator) for the groups.
We created the same user in the GROUPMEMBERS table in the DB which is present in the LDAP server. Unfortunately this setup is not working. Can you please provide any suggestions.
Ok that is a bummer. What do you see, always the roles of the first authenticator? And did you use the same passwords?
Then the only thing that can work is to use OVD or something like that. Outside of weblogic you have one ldap, and with OVD you can use tables and other LDAP servers.
Or maybe you can write your own authenticator which connects to ldap and SQL.
good luck.
If you had some way of rating posts I would for sure give you a high rating my friend!
Hi edwin,
Thanks for the great tutorial.
I have a problem with getting users from database table.
I configured data source and provider.
Configuration was tested and user added.
But when I go to Users and Groups my database user is not present and it gives an error in the log.
I tested with the database user sys and it worked perfectly. But with the newly defined user it is not working.
I am using oracle Database 11gr2, Jdeveloper.
log will be:
ServletContainerAdapter manager not initialized correctly.
... 119 more
please check your sql query, maybe add the schema user, add private or public synonyms and of course check the database permissions.
I just want to say Thank You! Your tutorial saved me.
I have configured security as you have explained in this blog ...but can you please tell me how can i map my application to the sqlauthentication provider which i have created???
this is done in WebLogic as an authenticator. Your application does not know this.
when you use ADF then you can use ADF Security and set up jazn, and with java you can configure the web.xml.
Thanks for the reply, This post is really very helpful. But whenever i redeploy my application it is recreating the roles.
here is log messages
[10:36:12 AM] Uploading jazn-data roles.
[10:36:12 AM] Removing existing group "ADMIN".
[10:36:12 AM] Creating group for role "ADMIN".
[10:36:12 AM] Removing existing group "USER".
[10:36:12 AM] Creating group for role "USER".
I don't want this to happen, how can i prevent this..
you can de-select these creation properties in the deployment part of your application properties.
Hi Edwin,
Thank you for your tutorial.
I have defined sql authenticator in weblogic 12c and my dbms is oracle.
New user information is saved in the DB but I can only login with default "weblogic" user!
I have already reordered the providers. I also set the default authenticator's control flag to "OPTIONAL" and mine to "SUFFICIENT" but still cannot login?
I am a bit confused! I am new to javaee and I would like to develop an online store with the ability to create users.
I would appreciate if you can help me.
best regards
Strange, how about your roles or groups, do you see them at the user/group tabs of the myrealm security realm
I think you need a weblogic.xml to map the enterprise roles to your local roles and match them with the security defined in the web.xml
here check this
Hi Edwin,
Thank you for your reply.
No, I can not see them at the user/group tabs of my realm?
I have already mapped the roles!
I have googled around and find the following link
It has mentioned that in order to develop a new provider the following steps should be taken:
1.Create Runtime Classes Using the Appropriate SSPIs
2.Generate an MBean Type Using the WebLogic MBeanMaker
3.Configure the Custom Authentication Provider Using the Administration Console
I have found the topic advanced for me and I have implemented JAAS authentication class instead.
I would like to know which solution meets my need? as I mentioned before I have decided to set up an online marketplace with the ability of defining a username and password for customers.
I am sure your advice will help me a lot.
Once again thank you for your reply.
looking forward to hearing from you.
Best regards
the first step is that you should see them in the user/group tabs of myrealm. This means the sqlauthenticator does not work.
Try to find the error and change the log levels of weblogic and add some debug tracing to jdbc and security part
Hi Edwin, i tried to create an authentication provider for my web applications following your great tutorial.
All things go right until i have to add the SQL authenticator provider in WebLogic via the Weblogic administration console. More specifically, i do create my SQLAuthenticator provider correctly (at this point i also reboot my application server), but when i click the Provider Specific Tab to set the datasource name, password algorithm etc..., i get this exception:
javax.servlet.ServletException: javax.xml.transform.TransformerException: javax.xml.transform.TransformerException: The element type "inline-help" must be terminated by the matching end-tag "".
Do you ever have Performance Issues with the Read Only SQL Authenticator?
Our first call per User needs in the meantime up to 1 minute with the combination Kerberos / Read Only SQL Authenticator and ADF Security.
Do you know some specific trace possibilities to analyze such problems?
Kind regards
but you can change the log level of the managed server and enable debug on kerberos and jdbc.
Hi Edwin, i still have the issue that i describe in my previous post....can you help me?
can you take a look at the config.xml, there should be something wrong with the xml or it is not complete.
Hi Edwin,
I have implemented SQLAuthentication as you describe in the post above. I've tried to provide a configured JDBC data source name but this does not work as the DS is not yet initialized when the security is initialized (not able to start the console anymore). Here is my stack trace
Truncated. see log file for complete stacktrace
Hi Edwin, Do you know how I can add an email attribute of my database table of valid users and see it in weblogic console for soa suite and therefore use this user (and its mail) in the notification section and ensure that the participant in a human workflow can receive an actionable email.
Hi Edwin, We have a couple of webservices developed in 12c, which we need to expose to outside users for their point of sale systems. The request coming from the POS system contains username and password in URI format. How can we restrict the unauthorized users even before entering the service? Is it possible to do in the em console? We have around 200 - 300 users, would the SQL authenticator method work in our case?
Hi Edwin,
Can we use an OWSM policy for the provider "DATABASE AUTHENTICATE".
if yes can u pls send any link or steps .
Currently i created users in db and able to populate in weblogic with db authenticator
but the users are not working when i am testing from service. only the users as default authenticates only working
could you please help us.
hi Edwin,
How to use an owsm policy to look up a user in weblogic as database authenticator
Please find the accurate details about above query .
Any suggestion would be really appreciated.
Unable to integrate OWSM policy with SQL Authentication provider
Current Design:-
1. Created a Sample OSB service based on WSDL which will add 2 numbers.
2. Service is deployed & tested. Its working fine.
3. Required to secure the service using username/password token policy from OWSM. We are using oracle/wss_username_token_service_policy on our proxy service.
4. Created a custom SQL Authentication Provider in weblogic under myrealm and have set the control flag to SUFFICIENT for both SQLAuthenticator and DefaultAuthenticator.
5. Created tables, users, Groups & Roles for SQLAuthenticator, which is getting sync with the tables. No issues faced regarding the synch from tables to weblogic and vice-versa.
6. We have also re-ordered the provider to use it before the DefaultAuthenticator.
Users created and provider details:-
1. TestDefaultUser --- pointing to DefaultAuthenticator (created in weblogic, no groups or roles attached)
2. TestSQLUser --- pointing to SQLAuthenticator (Custom RDBMS Authentication)
Problem Statement:
1. when we attach oracle/wss_username_token_service_policy policy to our OSB service and use TestDefaultUser as username/password, then the service is working absolutely fine with that user.
2. But when we use the same policy to our OSB service and use TestSQLUser as username/password (re-Deployed the service) then the service is throwing an Error message. "OSB-386200: General web service security error". the service was unable to take the users created under the custom SQLAuthenticator Provider.
Attempted options:
a. Tried re-setting the control flag to OPTIONAL and SUFFICIENT also, but no success.
b. Also tried to set virtualize flag to true in em console, but no success.
c. Tried adding the global roles and conditions in console for groups and users, but no success
1. Is there any way or settings where we direct the OWSM policy to also point to SQLAuthenticator provider.
2. Can you please give a detail steps for it.
3. Also, If we need to give grants to the users then how shall we do that.