Saturday, January 27, 2007

J2EE Container-Managed Authentication

It was quite a long time ago, but I still remember my first work with J2EE container-managed authentication. Today it is much easier: with JDeveloper 10.1.3.1, implementing authentication becomes a very simple thing. In fact, there are only two places where authentication-related information must be declared to activate the authentication process: the jazn-data.xml and web.xml files. Below I describe how to do this and also how to use it.

I have developed a sample application, Authentication.zip, which uses the jazn-data.xml and web.xml files to implement the authentication logic. This application is based on material available in the Oracle Application Development Framework Developer's Guide 10.1.3 and the Oracle Application Development Framework Tutorial 10.1.3.1. I have tried to aggregate the information available in those documents and show how authentication can be used in ADF.

The first thing you should do when enabling authentication for your application is to declare users and their roles. In this sample, I'm using jazn-data.xml for the embedded JDeveloper OC4J to store users and roles. Detailed information about how to create jazn-data.xml and declare users and roles is available in Chapter 6 of the Oracle Application Development Framework Tutorial 10.1.3.1.

When the users and roles are declared in jazn-data.xml, edit your web.xml using the JDeveloper wizard. Add there the security roles as you have declared them in jazn-data.xml, then define security constraints; each constraint can have accessible URL patterns and can be assigned to one or more roles. The final step is to define the login configuration; in this sample I'm using HTTP Basic Authentication. Complete instructions on how to configure web.xml are available in Section 18.3.3 of the Oracle Application Development Framework Developer's Guide 10.1.3.
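As an added example (not the web.xml shipped in Authentication.zip), here is what those three declarations look like in a Servlet 2.4 web.xml for the three roles used in this post. The URL patterns under /faces/, the realm name jazn.com and the constraint names are assumptions; the Faces Servlet mapping and the rest of the descriptor are omitted.

```xml
<!-- Added example, not the sample's own web.xml. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- 1. Security roles: the names must match the roles declared in jazn-data.xml -->
  <security-role><role-name>developer</role-name></security-role>
  <security-role><role-name>tester</role-name></security-role>
  <security-role><role-name>manager</role-name></security-role>

  <!-- 2. Security constraints: each maps URL patterns to the roles allowed there.
       URL patterns are assumed for this example. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Developer pages</web-resource-name>
      <url-pattern>/faces/developer/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>developer</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Tester pages</web-resource-name>
      <url-pattern>/faces/tester/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tester</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Manager pages</web-resource-name>
      <url-pattern>/faces/manager/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Every other page requires some authenticated user with one of the roles.
       Basic authentication sends the credentials base64-encoded on every request,
       so CONFIDENTIAL forces the container to require HTTPS for these URLs. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All application pages</web-resource-name>
      <url-pattern>/faces/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>developer</role-name>
      <role-name>tester</role-name>
      <role-name>manager</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- 3. Login configuration: HTTP Basic, as in the post; realm name assumed -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>jazn.com</realm-name>
  </login-config>

</web-app>
```

A request for a URL matching a security-constraint is challenged by the container before any JSF code runs, so the constraints are the actual access control; a URL that matches no constraint is reachable by anyone. Checking that every protected path is covered by a url-pattern is the review step worth doing after the wizard finishes.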

For basic authentication, the two steps described above are enough. However, if you want to use authentication-related information to implement authorization, you need a managed bean; this bean acquires the information from the J2EE container and passes it through expressions to ADF Faces components. In my sample, information about the user name and the user's roles is acquired in the managed bean class constructor, and the managed bean also implements getter methods.

I'm using four users (all of them with the password 'welcome') and three roles:
  1. alex (developer)
  2. scott (tester)
  3. diana (developer, tester)
  4. john (manager)
The managed bean code for providing information about the user and his roles is straightforward:
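An added example, not the bean from Authentication.zip, of a managed bean of the kind described above: it reads the container-authenticated user name and role membership in its constructor through the JSF ExternalContext and exposes them through getters, so that expressions such as #{authRoles.manager} resolve. The class name view.AuthRolesBean and its session-scoped registration in faces-config.xml under the managed-bean-name authRoles are assumptions.

```java
// Added example (not the sample's own bean). Assumed faces-config.xml entry:
//   managed-bean-name: authRoles, managed-bean-class: view.AuthRolesBean,
//   managed-bean-scope: session
package view;

import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

public class AuthRolesBean {

    private final String userName;
    private final boolean developer;
    private final boolean tester;
    private final boolean manager;

    public AuthRolesBean() {
        ExternalContext ectx = FacesContext.getCurrentInstance().getExternalContext();

        // getRemoteUser() returns the principal name the container authenticated,
        // or null when the request was not authenticated at all.
        String user = ectx.getRemoteUser();
        userName = (user == null) ? "" : user;

        // isUserInRole() asks the container about the J2EE security roles
        // declared in web.xml; the names must match the <role-name> entries.
        developer = ectx.isUserInRole("developer");
        tester = ectx.isUserInRole("tester");
        manager = ectx.isUserInRole("manager");
    }

    // Getters follow JavaBean naming so #{authRoles.userName},
    // #{authRoles.developer}, #{authRoles.tester} and #{authRoles.manager} work.
    public String getUserName() {
        return userName;
    }

    public boolean isDeveloper() {
        return developer;
    }

    public boolean isTester() {
        return tester;
    }

    public boolean isManager() {
        return manager;
    }
}
```

With session scope the constructor runs once per HTTP session, so the snapshot is refreshed when the session is invalidated and the user authenticates again. These flags only decide what is rendered (for example rendered="#{authRoles.manager}" on a panel); hiding a panel is not access control, and the pages behind it still need to be covered by a security-constraint in web.xml.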


ADF Faces components can use authorization information in their properties through expressions like this: #{authRoles.manager}, where authRoles is the name of the managed bean. Below I demonstrate the results of using authorization information in ADF Faces components.

The user 'diana' has two roles assigned, so both the developer's and the tester's panels will be displayed for her:


Since the user 'john' is assigned only one role, 'manager', only the manager's panel will be shown:

10 comments:

Anonymous said...

In 10.1.3.2 this doesn't work. Do you know what changes are needed for 10.1.3.2?

Andrejus Baranovskis said...

I will check on 10.1.3.2

Regards,
Andrejus

Andrejus Baranovskis said...

Hi,

I have tested on Oracle JDeveloper 10.1.3.2 - sample works on it as well without any problems.

Don't forget to add adf-faces-impl.jar and jsf-impl.jar into the application lib folder from Oracle JDeveloper 10.1.3.2.

Regards,
Andrejus

Anonymous said...

Thanks for posting this stuff. I have tested it and it works well.

But how can I make a Logout page for this example?

Thanks,
Emir

Andrejus Baranovskis said...

Hi,

Here is sample code for Logout:

import java.io.IOException;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public String logoutButton_action() throws IOException {
    FacesContext fctx = FacesContext.getCurrentInstance();
    ExternalContext ectx = fctx.getExternalContext();
    HttpServletResponse response = (HttpServletResponse) ectx.getResponse();

    // getSession(false) returns null when no session exists, so guard the call
    HttpSession session = (HttpSession) ectx.getSession(false);
    if (session != null) {
        session.invalidate();
    }

    response.sendRedirect("SRWelcome.jspx");
    // tell JSF the response is finished so it does not try to render a view
    fctx.responseComplete();
    return null;
}

Regards,
Andrej

Anonymous said...

Thank you very much for answering.

I have tried this code you posted for Logout. It seems that it is not working. I am using JDeveloper 10.1.3.3.0 and IE 7. After executing this logout code, I can still access pages that should be protected.

Is there any possible workaround?

Thanks again.
Emir

prc25 said...

Cannot download authentication.zip.
It is showing an error, or maybe the link is not working.

Andrejus Baranovskis said...

I will correct the URL, thanks.

Andrejus

Andrejus Baranovskis said...

Fixed, you can download now.

Andrejus

Anonymous said...

I'm just starting to look at security for my application. How would I go about using a database table of users instead of the .xml file?