Saturday, January 10, 2009

Practical ADF Security Deployment on WebLogic Server

When the time comes to deploy your application, you may run into problems migrating ADF Security policies to a standalone WebLogic Server. That step is described in Steve Muench's article, Simplified ADF 11g Application Credential and Policy Migration to Standalone WebLogic Servers; what the documentation does not describe clearly is the second part: how to make authorization work once the application is deployed on a standalone WebLogic Server. I picked up useful hints from Frank Nimphius' ADF Code Corner Internet TV episode on ADF Security Authorization, which I recommend watching as well.

In this post I describe step by step how to deploy a Web application with ADF Security enabled on a standalone WebLogic Server. You can download the sample application I deployed and tested - ADFSecurityWL.zip. The ADF BC Application Module is configured to use the JDBC DataSource java:comp/env/jdbc/HrDS, so don't forget to define the jdbc/HrDS JNDI data source on your server before running the application.

So, what the documentation does not make clear is that a standalone WebLogic Server can see only so-called Enterprise roles, defined with one of the following classes:
  • oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl - as defined in jazn-data.xml
  • weblogic.security.principal.WLSGroupImpl - the WebLogic class the role is converted to after policy migration
During development, Enterprise roles are defined in the jazn.com identity store:


You need to know that Enterprise roles are not used to define policies. ADF policies are granted to Application roles. During development, those roles are defined under the Application Policy Store:


And this is very important: if you want your Application role to work on a standalone WebLogic Server with an Authentication Provider, you need to map the Application role to the appropriate Enterprise role. This mapping is done in the jazn-data.xml file. In this example, the Application role managers is mapped to the Enterprise role managersApplication:


The Enterprise role will later be defined, as a group, in the standalone WebLogic Server's Authentication Provider. This allows new application users to be defined on the server, not only those used during development.

Here is an example of an Application role used to define an ADF Security policy for Web page access:


I'm using the second Application role, managers, to enable or disable a specific button in my application:
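Written out as an added example (this is not the jazn-data.xml shipped in ADFSecurityWL.zip), here are the three things the screenshots above show, in one file: the Enterprise roles in the jazn.com realm, the Application roles whose only members are those Enterprise roles, and a grant of the view action on the main page definition to the employees Application role. The users sking and anuhold and the role names come from this post; the application name ADFSecurityWL, the page definition name lt.andrejusb.view.pageDefs.mainPageDef and the credential values are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- jazn-data.xml, design time. Added example, not the sample's own file.
     Assumed: application name, page definition name, credential values. -->
<jazn-data xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/jazn-data-11.xsd">
  <!-- Identity store: used only by JDeveloper's integrated server.
       A standalone WebLogic Server ignores it; the same users and groups
       must be created in its Authentication Provider (myrealm). -->
  <jazn-realm default="jazn.com">
    <realm>
      <name>jazn.com</name>
      <users>
        <user>
          <name>sking</name>
          <credentials>{903}PLACEHOLDER</credentials>   <!-- obfuscated by JDeveloper -->
        </user>
        <user>
          <name>anuhold</name>
          <credentials>{903}PLACEHOLDER</credentials>
        </user>
      </users>
      <roles>
        <!-- Enterprise roles: the only role class standalone WebLogic sees -->
        <role>
          <name>employeesApplication</name>
          <class>oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl</class>
          <members>
            <member><type>user</type><name>sking</name></member>
            <member><type>user</type><name>anuhold</name></member>
          </members>
        </role>
        <role>
          <name>managersApplication</name>
          <class>oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl</class>
          <members>
            <member><type>user</type><name>sking</name></member>
          </members>
        </role>
      </roles>
    </realm>
  </jazn-realm>
  <policy-store>
    <applications>
      <application>
        <name>ADFSecurityWL</name>
        <app-roles>
          <!-- Application roles: policies are granted to these. Each one's
               member is an Enterprise role; without that member the role
               can never be held by a user on standalone WebLogic. -->
          <app-role>
            <name>employees</name>
            <class>oracle.security.jps.service.policystore.ApplicationRole</class>
            <members>
              <member>
                <class>oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl</class>
                <name>employeesApplication</name>
              </member>
            </members>
          </app-role>
          <app-role>
            <name>managers</name>
            <class>oracle.security.jps.service.policystore.ApplicationRole</class>
            <members>
              <member>
                <class>oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl</class>
                <name>managersApplication</name>
              </member>
            </members>
          </app-role>
        </app-roles>
        <jazn-policy>
          <!-- Page access: the view action on the page definition, granted
               to the Application role, never to the Enterprise role -->
          <grant>
            <grantee>
              <principals>
                <principal>
                  <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                  <name>employees</name>
                </principal>
              </principals>
            </grantee>
            <permissions>
              <permission>
                <class>oracle.adf.share.security.authorization.RegionPermission</class>
                <name>lt.andrejusb.view.pageDefs.mainPageDef</name>
                <actions>view</actions>
              </permission>
            </permissions>
          </grant>
        </jazn-policy>
      </application>
    </applications>
  </policy-store>
</jazn-data>
```

The button is not a grant at all: its disabled attribute tests the Application role through the ADF security EL, disabled="#{!securityContext.userInRole['managers']}", which is why anuhold (only in employeesApplication) gets a greyed-out Salary Graph button while sking gets an active one. Note that nothing in the grant refers to managersApplication; if a test user can open the page but the button stays disabled, check the app-role member, not the permission.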


You should know that in this case there is no need to map your Enterprise roles to WebLogic roles in weblogic.xml. It is enough to have the mapping generated by the ADF Security wizard, which maps valid-users to users:


The ADF Security role valid-users covers all the defined Enterprise roles, because every authenticated WebLogic user is a member of the built-in users group.

Once the roles are defined, it is time to deploy the application. I have configured the Application Module to use the JDBC DataSource java:comp/env/jdbc/HrDS:


I should mention a rather funny bug here. It is impossible to define a JDBC DataSource under a name different from the one derived from your database connection name. Say we have defined a DB connection named Hr; when you choose the JDBC DataSource option, JDeveloper automatically supplies the JDBC DataSource java:comp/env/jdbc/HrDS, taking the DB connection name Hr and appending DS. If you change this JDBC DataSource name to anything else, for example java:comp/env/jdbc/HrDSMY, and define that same JDBC DataSource on the standalone WebLogic Server, it will not work. Why? Simply because, during EAR generation, JDeveloper adds an additional JDBC DataSource resource reference to the web.xml file, and regardless of the name you specified, it always puts into web.xml the JNDI name constructed by default from your DB connection name. Here is that entry in web.xml; it is added only during EAR generation and is not present in the application under development:


I hope Oracle will fix this bug.
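The three descriptors that have to agree for the deployed application, as an added example rather than files from the sample: weblogic.xml with the valid-users to users assignment the ADF Security wizard generates, the security section of web.xml, the resource-ref that JDeveloper adds to web.xml only while packaging the EAR, and the bc4j.xcfg entry the data source name is taken from. The login and error page names, the module names and the exact bc4j.xcfg attributes are assumptions; the names valid-users, users, Hr and jdbc/HrDS are from this post.

```xml
<!-- weblogic.xml: the only role mapping you need. Every authenticated
     WebLogic user is a member of the built-in group "users", so valid-users
     covers all of the Enterprise roles without listing them. -->
<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/weblogic-web-app">
  <security-role-assignment>
    <role-name>valid-users</role-name>
    <principal-name>users</principal-name>
  </security-role-assignment>
</weblogic-web-app>

<!-- web.xml (fragment). The security entries are written by the ADF
     Security wizard at design time; the resource-ref appears only in the
     packaged EAR, and its res-ref-name is always <connection name> + "DS". -->
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>adfAuthentication</web-resource-name>
      <url-pattern>/adfAuthentication</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>valid-users</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>   <!-- assumed page names -->
      <form-error-page>/error.html</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>valid-users</role-name>
  </security-role>

  <!-- Generated at EAR time from DB connection "Hr": jdbc/HrDS. Renaming the
       data source in bc4j.xcfg does not change this line, so the JNDI name
       created on the standalone server must be exactly jdbc/HrDS. -->
  <resource-ref>
    <res-ref-name>jdbc/HrDS</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
  </resource-ref>
</web-app>

<!-- bc4j.xcfg (fragment): the Application Module configuration shown in the
     post. java:comp/env/jdbc/HrDS resolves through the resource-ref above.
     Module and configuration names are assumed. -->
<BC4JConfig version="11.1" xmlns="http://xmlns.oracle.com/bc4j/configuration">
  <AppModuleConfigBag ApplicationName="lt.andrejusb.model.HrModule">
    <AppModuleConfig name="HrModuleLocal" DeployPlatform="LOCAL"
                     ApplicationName="lt.andrejusb.model.HrModule">
      <Custom JDBCDataSource="java:comp/env/jdbc/HrDS"/>
    </AppModuleConfig>
  </AppModuleConfigBag>
</BC4JConfig>
```

The practical check before deploying: the JNDI name of the data source you create in the WebLogic console must be the string in res-ref-name (jdbc/HrDS), and the value in bc4j.xcfg must be that string prefixed with java:comp/env/. If the three differ, the Application Module fails to get a connection even though the data source test in the console succeeds.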

OK, once the application is deployed, you can migrate your ADF Security policies as described in Steve Muench's article. After migration, the system-jazn-data.xml in your standalone WebLogic domain will contain entries similar to these:


You can see two Enterprise roles, visible to WebLogic, defined:
  1. employeesApplication
  2. managersApplication
Two Application roles depend on them:
  1. employees
  2. managers
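What the migrated policy-store section of system-jazn-data.xml looks like for the two Application roles just listed, as an added example (not a copy of the author's migrated file): the members keep the Enterprise role names, but their class is now weblogic.security.principal.WLSGroupImpl, i.e. a WebLogic group. The application stripe name ADFSecurityWL is an assumption.

```xml
<!-- system-jazn-data.xml on the standalone domain, policy-store section
     after running the migration from Steve Muench's article. Added example;
     the application stripe name is assumed. No jazn-realm section is
     migrated: the users and the two groups must be created in myrealm. -->
<policy-store>
  <applications>
    <application>
      <name>ADFSecurityWL</name>
      <app-roles>
        <app-role>
          <name>employees</name>
          <class>oracle.security.jps.service.policystore.ApplicationRole</class>
          <members>
            <member>
              <!-- was JpsXmlEnterpriseRoleImpl in jazn-data.xml; this class is
                   what the Default Authenticator's group membership is matched
                   against, so the WebLogic group name must be identical -->
              <class>weblogic.security.principal.WLSGroupImpl</class>
              <name>employeesApplication</name>
            </member>
          </members>
        </app-role>
        <app-role>
          <name>managers</name>
          <class>oracle.security.jps.service.policystore.ApplicationRole</class>
          <members>
            <member>
              <class>weblogic.security.principal.WLSGroupImpl</class>
              <name>managersApplication</name>
            </member>
          </members>
        </app-role>
      </app-roles>
      <!-- jazn-policy grants are copied unchanged; they still name the
           Application roles, so nothing in the grants needs to be edited -->
    </application>
  </applications>
</policy-store>
```

The check after migration and restart: create a user in the managersApplication group and confirm both the page and the button work. If the group name in myrealm differs from the member name above by even one character, no WebLogic group matches any Application role member, the user holds no Application role, and the page is denied although login succeeds.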
After you restart the standalone WebLogic Server, you can define your users and their roles with the default Authentication Provider. For my application I have defined two users. The first is sking:


The second is anuhold:


The first user has both roles; the second is assigned only one.

At runtime, if the application is accessed by anuhold:


the user is authorized to open the page, however the Salary Graph button is disabled, since the user is not assigned the managersApplication role:


When opening the application as user sking:


authorization passes for both the page and the Salary Graph button:


Here is a graph with Salary values:


Spanish Summary (translated):

Title: How to deploy ADF applications (that use the ADF Security feature) on BEA WebLogic servers.

Summary: In this chapter Andrejus shows us in a practical way how to create a repository of users and roles in BEA WebLogic and apply them to the security policies of our ADF applications.

68 comments:

  1. Hi!
    Thanks for the article, but I have a question. What about the anonymous-role? If I grant the View action to this role to make the page public, the standalone WLS brings up the login form (if I run the application from JDEV11 everything is ok). What should I do with the anonymous-role?

  2. Hi,

    I will check and will post a comment.

    Regards,
    Andrejus

  3. I did the migration exactly as you described in your article, but one problem occurs: when I run the ant script I get WARNING: No identity store associate with policy store found, but at the end the script says Build Successful.
    But when I open myrealm inside the web console, users and roles aren't there. Do you maybe know why this is happening?

    Thank you for Your help

  4. Andrejus,

    even after reading your article and Steve's article, we can't get this to work.

    How did you manage to have your application roles in the list of available groups? Do you have to enter the groups first? Whatever we do, the roles are just not there.

    Thanks for any further info.

  5. Hi,

    When you migrate security, you migrate only policies. Users and roles from your development environment will not appear in the WebLogic console under myrealm. You will need to define those users in the WebLogic console manually if you are using the Default Authenticator, or use LDAP.

    Security migration transfers roles and policies from the development jazn-data.xml into the system-jazn-data.xml available on standalone WebLogic. However, in addition to this you will need to define users/roles in the WebLogic console or take them from LDAP. So, WebLogic will compare user roles from myrealm with roles and policies in system-jazn-data.xml.

    The warning you mentioned is not related to the problem; you can skip it.

    Regards,
    Andrej

  6. Hi, Andrejus. Your article has been very helpful. I still had some troubles, so it turned out that there is one little thing you have to take into account, and that is adf-config.xml, which has to be pointed out for those that maybe don't use JDeveloper for creating the deployment EAR (like me). I wrote about it in my article here: http://hardnoxjava.blogspot.com/2009/02/how-we-handled-adf-security.html

  7. Hi Milos,

    Thanks for your blog post!

    I didn't encounter the described issue, however I believe it is highly possible someone else will encounter it and will find the answer.

    Regards,
    Andrejus

  8. Hi! I deploy my application on a WebLogic 10.3 server. I can see my form and navigate records, but when I try to use navigation between pages, nothing happens. And I can't see an element which is in my form - panelCollection!

    Can you help me?

    Best regards!

  9. Hi,

    Most probably you have put an af:commandButton component into the af:panelCollection toolbar facet without first putting an af:toolbar there. You can use buttons in the af:panelCollection toolbar facet only if you first drag and drop an af:toolbar component there.

    Regards,
    Andrejus

  10. Thanks for the reply. That I know! But exactly the problem is the following.

    What is the difference between ADF Task Flow and Faces-Config? When I create navigation between pages with an ADF task flow, the navigation doesn't work when I deploy my application to WebLogic 10.3. When I use the default server, navigation works fine. With faces-config, in both situations all works ok - on the standalone server and the default one.

    I hope You help me!

    Best regards!

  11. Hi,

    I'm not sure, I never experienced a similar problem; for me ADF Task Flow works well when deployed on WebLogic 10.3. Maybe your WebLogic is not configured with the ADF libraries?

    Regards,
    Andrejus

  12. I have active adf.oracle.domain(1.0,11.1.1.0.0). This is the right ADF library. If yes, then maybe some other recommendations? If no, then what do I need to do?

    Best regards!

  13. Do you generate the EAR using JDeveloper, or are you using custom Ant scripts?

    Regards,
    Andrejus

  14. First of all, I found the solution to this problem! :)

    I had an address which contained "AUGI-ViewController-context-root"

    but when I changed this context root to "augi" then the navigation works ok with ADF.

    Secondly, I want to ask a question about the domain:

    I have a registered domain www.augi.lv, where I need to write an IP address. How can I get to my application, where the WebLogic port and context root are written -
    http://85.254.224.235:7001/augi/ ?

    What do I need to configure and how?

    Can you explain this in detail?

    Best regards! Waiting for your reply...

  15. Hi Andrejus, your blog is so great; I write to you from Colombia.
    I have been reading your blog so many times because I'm doing my degree work for the university. My question is: what can I do if I want to manage the users and roles in a database?

    Regards,
    Alejandro

  16. Hi Aleto,

    You can use the Database Provider in WebLogic. You may be interested in this blog - http://biemond.blogspot.com/2008/12/using-database-tables-as-authentication.html

    Regards,
    Andrej

  17. Hi Andre

    I followed the steps in Steve's article.

    In step 3.2: Migrating Application Credentials to Standalone WebLogic

    I ran the script:
    ant -Dapp-credstore=APPWORKSPACEDIR/src/META-INF/cwallet.sso

    I get the below error:
    migration/build.xml:43: Warning: Could not find file /scratch/software/mw_local/sm/FMWTOOLS_DROP7.APPS_GENERIC_090530.1629.D07B07A/mw_home/jdeveloper/modules/oracle.jps_11.1.1/scripts/migrateSecurityStore.py to copy.

    Are you aware of this error?

    regards
    sameer

  18. No, I didn't face this before...

    Andrejus

  19. Hi, Andrejus!

    Users and roles are defined in my own DB tables.
    In this case, should I define any Security roles?

    We successfully deployed my ADF BC - RC (11g) application to WLS 10.3, defined jdbc/dataSource, but it doesn't work.
    In the log file we see warnings (in Russian, I'll try to translate correctly):

    [2009-07-16T11:23:09.644+04:00] [ADFServer] [WARNING] []
    [oracle.adf.share.security] [tid: 11] [APP: callcenterapp] It's impossible to find the requisite
    (or accessory??)
    for key ConnKised (it's my DBConnection name, DS named ConnKisedDS) in
    C:\Weblogic\user_projects\domains\Nata\config\oracle.
    [2009-07-16T11:23:09.644+04:00] [ADFServer] [WARNING] []
    [oracle.adf.share.jndi.ReferenceStoreHelper] [tid: 11] [APP: callcenterapp]
    Information about connection isn't full

    What should I do?

    Thank you for your help

  20. Hi,

    This warning isn't important, you can ignore it. It's just that it tries at first to find the JDBC URL connection and after this it's using the JNDI data source. If the application retrieves data and authorization works - deployment was successful.

    Regards,
    Andrejus

  21. Hi Andrejus,
    I have downloaded your example and added 2 users, employee1 and manager1. Associated these users with the employeesApplication and managersApplication roles respectively. I get the below errors in the console when I run in JDeveloper 11.1.1.1.0. Do you have any idea on this?

    [JpsAuth] Check Permission
    PolicyContext: [ADFSecurityWL#V2.0]
    Resource/Target: [sessiondef.lt_andrejusb_view_pageDefs_mainPageDef_EmployeesViewCriteriaQuery_VCTree_Root_internal_vcival_def_475_DynamicRegion]
    Action: [view]
    Permission Class: [oracle.adf.share.security.authorization.RegionPermission]
    Result: [FAILED]
    For more information on this failure, please set -Djps.auth.debug.enable=true

    [JpsAuth] Check Permission
    PolicyContext: [ADFSecurityWL#V2.0]
    Resource/Target: [sessiondef.lt_andrejusb_view_pageDefs_mainPageDef_EmployeesView1_0_DynamicRegion]
    Action: [view]
    Permission Class: [oracle.adf.share.security.authorization.RegionPermission]
    Result: [FAILED]
    For more information on this failure, please set -Djps.auth.debug.enable=true

    Thanks
    JP

  22. Hi,

    I will check this and will answer.

    Thanks,
    Andrejus

  23. Hi,

    I did the same and for me it works fine. My steps:

    1. Add user andrejus/welcome1
    2. For Application Role employees, define user andrejus

    I can successfully login with this user.

    Regards,
    Andrejus

  24. hi

    I want to create a login page.
    But how can I create a group called users in WLS and add the users to it?
    thanks

  25. Hi,

    Just create users in WLS and that's it.

    Andrejus

  26. Does someone have a solution for:
    migration/build.xml:43: Warning: Could not find file /scratch/software/mw_local/sm/FMWTOOLS_DROP7.APPS_GENERIC_090530.1629.D07B07A/mw_home/jdeveloper/modules/oracle.jps_11.1.1/scripts/migrateSecurityStore.py to copy.

    I have the same error!

    Thanks in advance
    Marko

  27. Hi,
    I have one question. My team is working on an application where we need to have user accounts saved in a database. Can WebLogic take those accounts from the database?

  28. Hi,

    You can use the Database Security provider in WebLogic. Check Edwin's blog - http://biemond.blogspot.com/2008/12/using-database-tables-as-authentication.html

    Regards,
    Andrejus

  29. thanks for this post and last link :)

  30. Hi!

    Is everything still the same in the newest JDeveloper version too?

  31. Yes, except that the jazn-data.xml wizard improved. And you can now see Enterprise and Application roles.

    Regards,
    Andrejus

  32. Hi Andrejus,

    We are developing an ADF application using JDeveloper 11g; we have to implement the security module using OPSS. We have a screen in the application which is used for user administration, and it is not done through the WebLogic console or Fusion Middleware Control. We have to do the authentication using the database; can you show some ideas on how to do it, or links or materials on this?

    Thanks,
    Sara

  33. Hi Andrejus,

    Thanks for such a nice article, it's really very helpful.

    I am working on an application in which I have to use LDAP (OID) for authentication and OAM (Access Manager) for authorization. The requirement is that the Administrator is allowed to create roles and users at runtime, provide authorization to different pages and taskflows to a role, then assign a role to the user.

    I just started working on the same; I don't have any idea how to achieve this in Oracle ADF. Please let me know how I can achieve it.

  34. Hi,

    You can achieve this with Oracle OPSS security. You will need to use these classes:

    import oracle.security.idm.IMException;
    import oracle.security.idm.Identity;
    import oracle.security.idm.IdentityStore;
    import oracle.security.idm.RoleManager;
    import oracle.security.idm.SearchResponse;
    import oracle.security.jps.JpsContext;
    import oracle.security.jps.JpsContextFactory;
    import oracle.security.jps.JpsException;
    import oracle.security.jps.service.idstore.IdentityStoreService;

    Regards,
    Andrejus

  35. Thanks a lot for the reply; can you please point me to some tutorial or link on a sample implementation?
    This will be very helpful.

    Thanks

  36. I am trying to integrate OAM and a custom ADF application. But in my case the back end repository is Active Directory. So in cases where samaccountname and cn are the same, things work fine, but when they are different, things don't work as expected. Now after I login via the OAM SSO screen with samaccountname/password I get another prompt which expects cn/password for completion. Can you please provide guidance?

  37. Hi..,
    I am new to JDeveloper and ADF.
    I am using authentication and authorization in JDev 11g.
    My requirement is that a user can add an Application role at runtime...
    Is this possible?

  38. Hi Andrejus,

    Do you know about another URL as a link to Steve Muench's article on migrating ADF Security to stand-alone WebLogic? The links you've got on your blog are no longer valid, or am I doing something wrong?

    Regards,
    Hannes.

  39. Hi,

    I think all this content (from the links) was lost during the Oracle OTN migration to a new content management platform. You should contact Steve Muench for this content.

    Andrejus

  40. Hi Andrejus,

    We need to authenticate through OID. Users and possibly roles are to be created at runtime from the ADF application using the OID API. The problem is how to make these new users/roles get picked up by WebLogic and do the authentication; basically we can't migrate policies every time a new user or role is created. Please help... using 11.1.1.4 and 11.1.2.0

  41. Hi,

    And if you define a security provider on WebLogic? It should retrieve and synchronize new users/roles from OID automatically.

    Andrejus

  42. Ok great, thanks. Apart from that, can we assign these new roles to authorize task flows at runtime? Basically we authorize task flows to roles at design time in jazn-data.xml.
    How to do this at runtime in system-jazn-data.xml, or can this be done entirely differently?

  43. Hi,

    Yes you can do this, check this post - http://andrejusb.blogspot.com/2010/08/managing-adf-security-permissions-using.html

    Andrejus

  44. Exactly the stuff what I was looking for. Thank you very much.

  45. Hi Andrejus,

    I am working on JDev 11.1.1.5. Also I created a standalone WLS in production mode. I was just trying a sample deployment by following your post.
    In jazn-data: Enterprise roles are AdminEnt & UserEnt. The Application roles are admins & users.
    I did not create any user in jazn-data.
    In the WLS console, under myrealm, under 'Users & Groups', I created 2 groups with the same names as above - AdminEnt & UserEnt. Also created 2 users & assigned them to these groups respectively.
    When I call the page - it shows an error
    -ORA-01005: null password given; logon denied
    Error java.lang.NullPointerException.

    Can you please guide me?

  46. Hi Andrejus,
    I am getting an exception while doing searchresponse.next in a while loop; is this a bug?
    https://gist.github.com/1151035

  47. hey there,

    about the sample deployment on WL 10.3.5.
    I can't see data on page main after
    logging in.
    Everything's fine on the development server.
    What's wrong?

  48. Hi

    I have run this WLST script for security migration.

    migrateSecurityStore(type="appPolicies", srcApp="obi", configFile="C:/SecurityMigration/jps-config-policy.xml", src="sourceFileStore", dst="targetFileStore", overWrite="false")

    It ran successfully but a problem occurred:

    The roles are not the same in the source and target instances. (Maybe that's why) Security migration occurred only for the roles which were common in both instances. In order to avoid this, are there any other ways to proceed for security migration in OBIEE 11g?

    One more question is:

    To invoke the WLST scripting tool before running the WLST command, which one is preferred between the two of the following and why?

    oraclebi/mwh/oracle_common/common/bin/wlst.sh
    or
    oraclebi/mwh/oracle_common/common/wlst/jpsWlstCmd.py

    Thanks in advance.

    Sri

  49. Hi Andy,

    As per the steps you mentioned I implemented WebLogic Authentication in my ADF Login App and it is working (created Enterprise roles and Users also).
    I have an employee page where there is a Create button and an Edit button. The problem I am facing is that when I try to edit or create a new row/record the first time I log in, the showDetail page / new record page is not showing up. If I logout and relogin and try to create a new record, then I can see the detail page, and can create/edit a record.

    Could you please let me know why this happens and help me resolve this issue.

    Cheers
    Lakshmi

  51. Hi Andrejus,
    We have an ADF application that uses SOA human workflow, so we are deploying our application on the SOA server, but we need to deploy our application on the Admin server also, for security, because of which the Admin server is also serving requests. But the Admin server has space issues. Please let us know what we can do on this: can we stop the Admin server from serving requests, or is there any other way?

  52. You can restrict Admin Server access by IP filtering, maybe.

    Andrejus

  53. Hi Andrejus,

    I have ADF security implemented properly and it works fine. The problem that I am facing is with nested (indirect) group membership, i.e. assign a user to group A and then assign group A to group B; now group B is assigned to an Application Role (approle). With this setup, if I check isUserInRole(approle) it always returns false.

    -Thanks
    Tanmai

  54. Hi,

    What version of ADF would it be?

    Regards,
    Andrejus

  55. Hi Andrejus,
    I usually follow your blogs, and I have a question: how could I use ADF security in WebLogic where the passwords in the database are in encrypted format?

  56. Hi Andrejus,

    Nice blog.

    I actually have all my users and roles based on database tables. I created the WebLogic SQL authenticator and all my users and groups in my database are visible in WebLogic.

    I created the enterprise role in the application with the same name as the group in WebLogic and assigned it as a member of the application role. Then I assigned this application role to the page definition under resource grants.

    I have a custom login defined in my application, and on successful authentication it moves to the protected page, but then I get the myrealm popup asking for username and password, and it then says ERROR: 401 unauthorized.

    Do you know why this is happening?

    Thanks,
    Rakesh

  57. Hi,

    Maybe you should try to print out from ADF security what roles your user is granted in the ADF application, at runtime. This will show you if the user really is granted the role at runtime.

    Andrejus

  58. Hi Andrejus,

    Yes, the above problem was due to a different hashing technique in my WLS and my default login.

    Thanks,
    Rakesh.

  59. Andrejus, thanks for the article. Can you please let us know how to check the role of another user (not the authenticated one) using the SecurityContext API? We have the requirement to check the role of a user which is different from the logged-in user and compare whether it is the same role as the logged-in user's. The SecurityContext API is not providing such methods. Will appreciate any pointers in this regard. Thanks.

  60. Hi,

    You should try to use OPSS security, more info: http://andrejusb.blogspot.com/2011/01/fusion-middleware-11g-security-retrieve_08.html

    Andrejus

  61. Is there a Java API to add the enterprise role to the application role?
    I want to be able to add this role from an application which can read all the enterprise roles from LDAP and add them to the portal application role.

  62. Take a look, maybe the JPS API will help: http://andrejusb.blogspot.com/2011/01/fusion-middleware-11g-security-retrieve_08.html

    Andrejus

  63. Hi,

    I am trying a PoC where the runtime mapping of users and application role is not fixed but is to be derived at runtime, e.g. based on a combination of the user's data and entitlements.

    I have a sample ADF page protected by a test role in jazn-data.xml, and I also added this role and mapping in web.xml.

    I have written a Custom Role Mapping Provider which maps an authenticated user to this test role, and that's working fine (SOP shows this mapping), but the ADF Security classes throw an error -->

    oracle.adf.controller.security.AuthorizationException: ADFC-0619: Authorization check failed: 'com.redsamurai.view.pageDefs.mainPageDef' 'VIEW'.
    at oracle.adf.controller.internal.security.AuthorizationEnforcer.handleFailure(AuthorizationEnforcer.java:182)
    at oracle.adf.controller.internal.security.AuthorizationEnforcer.internalCheckPermission(AuthorizationEnforcer.java:162)
    at oracle.adf.controller.internal.security.AuthorizationEnforcer.checkPermission(AuthorizationEnforcer.java:116)

    I spent around 1 day googling but no luck!

    Thanks in advance.

  64. I would use the OPSS API to develop such a PoC. I have implemented such a requirement in one of my projects.

    Andrejus

  65. I am also in a similar situation as the previous post.

    I need to associate my custom WebLogic role mapper with ADF security. Those roles are not appearing in ADF security, resulting in the error ADFC-0619: Authorization check failed.

    Can you elaborate more on how
    OPSS can be used to access the custom role mapper and associate it with page authorization in ADF?

    Raju

  66. Hi,

    Maybe this post will be helpful: http://andrejusb.blogspot.com.es/2011/01/fusion-middleware-11g-security-retrieve_08.html

    Regards,
    Andrejus

  67. Hi Andrejus,

    Suppose I have defined some roles and groups in WebLogic Server and I want to fetch these roles and groups in the ADF application. How do I do that? If I am wrong, please suggest the correct way.

    Regards,
    Manoj

  68. Hi Andrejus,

    I am new to ADF security. I have to implement it in my application. We have used LDAP for users.
    My requirement is to restrict the application to two users and for others a read-only view.

    Please suggest how I should achieve it without creating a separate group in LDAP with users assigned to it. Can I do it with the application and enterprise roles defined?