I have developed a sample application, Authentication.zip, which uses the jazn-data.xml and web.xml files to implement authentication logic. The application is based on material in the Oracle Application Development Framework Developer's Guide 10.1.3 and the Oracle Application Development Framework Tutorial 10.1.3.1. I have tried to aggregate the information from those documents and show how authentication can be used in ADF.
The first thing to do when enabling authentication for your application is to declare users and their roles. In this sample, I'm using jazn-data.xml for the embedded JDeveloper OC4J to store users and roles. Detailed information about how to create jazn-data.xml and declare users and roles is available in Chapter 6 of the Oracle Application Development Framework Tutorial 10.1.3.1.
Once users and roles are declared in jazn-data.xml, edit your web.xml using the JDeveloper wizard. Add the same security roles you declared in jazn-data.xml, then define security constraints; each constraint can have accessible URL patterns and can be assigned to one or more roles. The final step is to define the login configuration; in this sample I'm using HTTP Basic Authentication. Complete instructions on how to configure web.xml are available in Section 18.3.3 of the Oracle Application Development Framework Developer's Guide 10.1.3.
For basic authentication, the two steps described above are enough. However, if you want to use authentication-related information to implement authorization, you need a managed bean that acquires the information from the J2EE container and passes it through expressions to ADF Faces components. In my sample, the user name and roles are acquired in the managed bean class constructor, and the managed bean also implements getter methods.
I'm using four users (all of them with 'welcome' password) and three roles:
- alex (developer)
- scott (tester)
- diana (developer, tester)
- john (manager)
ADF Faces components can use authorization information in their properties through expressions such as #{authRoles.manager}, where authRoles is the name of the managed bean. Below I demonstrate the results of using authorization information in ADF Faces components.
The user 'diana' has two roles assigned, so the developer's and tester's panels are displayed for her.
The user 'john' is assigned only one role, 'manager', so only the manager's panel is shown.
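A managed bean of the kind described above could look like the following. This is an added example, not the code shipped in Authentication.zip; the class name AuthRoles, its request scope, and the af:panelBox usage shown in the comment are assumptions.

```java
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

/**
 * Hypothetical managed bean, registered in faces-config.xml under the
 * name "authRoles" with request scope (scope is an assumption).
 *
 * Assumed usage in a page:
 *   <af:panelBox rendered="#{authRoles.manager}"> ... </af:panelBox>
 *
 * The rendered attribute only hides components. Access to the pages
 * themselves is still enforced by the security constraints in web.xml.
 */
public class AuthRoles {
    private final String userName;
    private final boolean developer;
    private final boolean tester;
    private final boolean manager;

    public AuthRoles() {
        // The container has already authenticated the request according to
        // the login configuration in web.xml; here we only read the result.
        ExternalContext ectx =
            FacesContext.getCurrentInstance().getExternalContext();
        userName = ectx.getRemoteUser();   // null when nobody is logged in
        // Role names match the roles declared in jazn-data.xml and web.xml.
        developer = ectx.isUserInRole("developer");
        tester = ectx.isUserInRole("tester");
        manager = ectx.isUserInRole("manager");
    }

    // Getters used by EL expressions such as #{authRoles.manager}.
    public String getUserName() { return userName; }
    public boolean isDeveloper() { return developer; }
    public boolean isTester() { return tester; }
    public boolean isManager() { return manager; }
}
```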
In 10.1.3.2 this doesn't work. Do you know what changes are needed for 10.1.3.2?
I will check on 10.1.3.2
Regards,
Andrejus
Hi,
I have tested on Oracle JDeveloper 10.1.3.2 - the sample works on it as well without any problems.
Don't forget to add adf-faces-impl.jar and jsf-impl.jar from Oracle JDeveloper 10.1.3.2 into the application lib folder.
Regards,
Andrejus
Thanks for posting this stuff. I have tested it and it works well.
But how can I make a Logout page for this example?
Thanks,
Emir
Hi,
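Here is sample code for Logout:
```java
import java.io.IOException;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public String logoutButton_action() throws IOException {
    ExternalContext ectx = FacesContext.getCurrentInstance().getExternalContext();
    HttpServletResponse response = (HttpServletResponse) ectx.getResponse();
    // getSession(false) returns null when there is no session to invalidate
    HttpSession session = (HttpSession) ectx.getSession(false);
    if (session != null) session.invalidate();
    response.sendRedirect("SRWelcome.jspx");
    FacesContext.getCurrentInstance().responseComplete(); // redirect sent, skip rendering
    return null;
}
```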
Regards,
Andrej
Thank you very much for answering.
I have tried the code you posted for Logout. It seems that it is not working. I am using JDeveloper 10.1.3.3.0 and IE 7. After executing this logout code, I can still access pages that should be protected.
Is there any possible workaround?
Thanks again.
Emir
Cannot download authentication.zip.
It shows an error, or maybe the link is not working.
I will correct URL, Thanks.
Andrejus
Fixed, you can download now.
Andrejus
I'm just starting to look at security for my application. How would I go about using a database table of users instead of the .xml file?