Sunday, November 14, 2010

Things You Must Know About ADF Faces Login Page

The Oracle ADF 11g Developer Guide is the primary source of information for every Oracle Fusion 11g developer. Security implementation is covered in chapter 30.7, Creating a Login Page. What is the difference between a smart and a regular developer? A smart developer is proactive and always knows more than is described in the developer guide :) Today I will present a few aspects of ADF login page implementation that you should keep in mind when working with ADF Security.

I will use a typical ADF Faces page to implement the login screen - /faces/login.jspx:


I used the ADF Security wizard to define the login page, just following the documentation steps, and I got strange behavior. When I run the application, it redirects to the login page and starts opening it, but just hangs and never brings up the login screen:


There are no errors or warnings in the log:


However, you should know that when an ADF Faces page is defined as the login page, a page definition will be generated for it automatically, even if none was defined:


When a page definition exists, the page is automatically protected by ADF Security. Because the login page has no grants by default, it will not be accessible:


At the same time, this page is defined as the login page: the framework tries to load it, but fails because no permission is defined. That is why the application simply hangs.

To make it work, you need to grant the anonymous role access to the login page. This allows the login screen to render:
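A check for the missing grant described above, as an added example that is not part of the original post or its sample application. The policy snippet is constructed: the grant layout is the assumed jazn-data.xml structure, and the page definition names `view.pageDefs.loginPageDef` and `view.pageDefs.mainPageDef` are hypothetical.

```java
import java.io.ByteArrayInputStream;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;

public class LoginGrantCheck {
    // Constructed sample: assumed jazn-data.xml grant layout, hypothetical pageDef name.
    static final String SAMPLE =
        "<jazn-data><policy-store><applications><application><jazn-policy>"
      + "<grant>"
      + "<grantee><principals><principal>"
      + "<class>oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl</class>"
      + "<name>anonymous-role</name>"
      + "</principal></principals></grantee>"
      + "<permissions><permission>"
      + "<class>oracle.adf.share.security.authorization.RegionPermission</class>"
      + "<name>view.pageDefs.loginPageDef</name>"
      + "<actions>view</actions>"
      + "</permission></permissions>"
      + "</grant>"
      + "</jazn-policy></application></applications></policy-store></jazn-data>";

    // True when some grant gives anonymous-role the view action on the page definition.
    static boolean anonymousCanView(String jaznXml, String pageDef) throws Exception {
        // The name is spliced into an XPath string, so accept only plain identifiers.
        if (!pageDef.matches("[A-Za-z0-9_.]+")) {
            throw new IllegalArgumentException("unexpected page definition name");
        }
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // A policy file needs no DTD; refusing one keeps the checker safe from XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(jaznXml.getBytes("UTF-8")));
        String query = "boolean(//grant[grantee/principals/principal/name='anonymous-role']"
            + "/permissions/permission[name='" + pageDef + "' and contains(actions,'view')])";
        return (Boolean) XPathFactory.newInstance().newXPath()
            .evaluate(query, doc, XPathConstants.BOOLEAN);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("login page: " + anonymousCanView(SAMPLE, "view.pageDefs.loginPageDef"));
        System.out.println("other page: " + anonymousCanView(SAMPLE, "view.pageDefs.mainPageDef"));
    }
}
```

The same check run against every other page definition shows which pages are reachable without authentication, which should be the login page and little else.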


When implementing an ADF Faces login page, we can process the username and password before performing authentication. For example, we can convert the username to lower case. Some LDAP systems are case sensitive, so this lets the user log in even if he types the username in upper case:


If you are already working with the new JDeveloper 11g PS3 beta release, you have probably noticed that the SimpleCallbackHandler class is deprecated:


The documentation still references the deprecated SimpleCallbackHandler class for the login action. It will probably be updated later to use the URLCallbackHandler class. The sample application for this post uses URLCallbackHandler:


To test the login functionality, I'm using a mix of upper and lower case for the username:


The login action completes successfully with the URLCallbackHandler class, and the username is converted to lower case:
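A login action along the lines described above, as an added example that is not the code from the post's sample application. The bean name, the `normalize` helper and the `/faces/index.jspx` landing page are assumptions, and the class needs the WebLogic and JSF libraries on the classpath.

```java
import java.util.Locale;
import javax.faces.application.FacesMessage;
import javax.faces.context.FacesContext;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;
import weblogic.security.URLCallbackHandler;
import weblogic.security.services.Authentication;
import weblogic.servlet.security.ServletAuthentication;

// Hypothetical managed bean behind login.jspx; the success URL is a placeholder.
public class LoginBean {
    private static final String SUCCESS = "/adfAuthentication?success_url=/faces/index.jspx";
    private String username;
    private String password;

    // Locale.ROOT keeps the mapping stable on any server locale: with a Turkish
    // default locale, "ADMIN".toLowerCase() gives "admın" and the lookup fails.
    static String normalize(String raw) {
        return raw == null ? "" : raw.trim().toLowerCase(Locale.ROOT);
    }

    public String doLogin() {
        FacesContext ctx = FacesContext.getCurrentInstance();
        String un = normalize(username);
        try {
            if (un.isEmpty() || password == null || password.isEmpty()) {
                throw new LoginException("missing credentials"); // never getBytes() on null
            }
            HttpServletRequest req = (HttpServletRequest) ctx.getExternalContext().getRequest();
            Subject subject = Authentication.login(
                new URLCallbackHandler(un, password.getBytes("UTF-8")));
            ServletAuthentication.runAs(subject, req);   // bind the subject to this session
            ctx.getExternalContext().dispatch(SUCCESS);  // hand over to the ADF servlet
            ctx.responseComplete();
        } catch (LoginException e) {
            // One message for every failure, so the page does not reveal which part was wrong.
            ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR,
                "Incorrect username or password", null));
        } catch (Exception e) {                          // encoding or dispatch failure
            throw new IllegalStateException("login forward failed", e);
        } finally {
            password = null;                             // do not keep the secret in the bean
        }
        return null;
    }
    public String getUsername() { return username; }
    public void setUsername(String u) { username = u; }
    public String getPassword() { return password; }
    public void setPassword(String p) { password = p; }
}
```

Lower-casing is only safe when the identity store treats usernames as case-insensitive or stores them in lower case; otherwise two distinct accounts could collapse into one login name.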


Download sample application for this post - SecurityFormLogin.zip

35 comments:

Anonymous said...

Hi,

First of all, very nice blog!

But regarding the "JDeveloper 11g PS3 beta release": does a public download source for the beta release exist, or is this "private"?

Best regards

Andrejus Baranovskis said...

Hi,

It's private...

Andrejus

Anonymous said...

Hi,

First, excellent blog :) I'm looking at your code for the Login class and I'm wondering whether it is possible to call my own authentication servlet and not the ADF Security servlet. I have a little project where I must use SSO for authentication. I can use SSO.isAuthenticated(req, resp) to check if the user is valid, and I also have a logout servlet which just sets the logout URL and invalidates the session. User information is stored in a database and I can't add the users to WLS (about 10 000 users). I found some documentation about custom security but it worked only with OC4J/JAZN. Can you give me any directions?

Andrejus Baranovskis said...

Hi,

It's not calling the ADF authentication servlet; it's doing pure WebLogic authentication (weblogic.security). In your case, you could probably define your own security provider in WebLogic and use it for authentication. The ADF application relies completely on WebLogic in this case; there is nothing ADF-specific.

Regards,
Andrejus

Erdenebayar said...

Hello,

I'm facing a similar problem.
And I found your post. I configured everything the same as in your steps.

But I can't see pages as anonymous-role.

I don't know what is wrong.

I created index.jspx with anonymous-role and ran the page. But it goes to login.jspx.

Thank you,
Erdenebayar

Andrejus Baranovskis said...

Hi,

It will redirect to the Login page only from pages set with authenticated permission. Most probably you are trying to access a page with authenticated permission.

Regards,
Andrejus

Erdenebayar said...

Hi,

Thank you for your quick reply.

How do I set a page as not authenticated? Is it anonymous-role?
I'm asking because I'm new to ADF Security.

Thank you,
Erdenebayar

Andrejus Baranovskis said...

Yes, just assign anonymous role. It must work.

Andrejus

Erdenebayar said...

Hi,

I assigned anonymous-role, but it is not working. Same result.

I attached my configurations. I think something is wrong or corrupted.
http://bit.ly/fX4QDd
Can you review it?

Erdenebayar

erdenebayar said...

Hi,

Maybe my anonymous provider is not working.

Also, I deleted cwallet, jazn-data, jps-config, weblogic, weblogic-application. And when I enable security again, I get the same result.

But when I create a new application, it works.

Erdenebayar

Andrejus Baranovskis said...

This can happen only if the jps-config file is corrupted. You can copy most of the contents of that file from another working application and it should work fine.

Andrejus

erdenebayar said...

Hmmm, also not working.

Is there anything to check? (Files).

Is it possible to send you my application (ViewController)?
If possible, please send me your mail.

Because this security issue is very urgent for me.

Erdenebayar.

Andrejus Baranovskis said...

Hi,

You should compare the two applications. Do you have one working?

Andrejus

Patrik Frankovic said...

Hi Andrejus,
I've successfully implemented your login page and it's working fine, except for one problem. If you enter wrong credentials and hit login you'll get an error message about wrong un/pw, but if you hit the button again without entering new credentials you'll get a null pointer exception. I'm using JDev 11.1.2.
Thanx and regards,
Patrik

Andrejus Baranovskis said...

Sounds like a bug of 11.1.2

Andrejus

Patrik Frankovic said...

Hi again,
resetting the Password field after a bad login attempt solves the problem. :)

setPassword(null);

Thanx & regards,
Patrik

Andrejus Baranovskis said...

Good fix :)

Andrejus

Andrejus Baranovskis said...

Or you can set both the username and password fields to be required - this will prevent a login attempt with an empty password.

Andrejus

Anonymous said...

I tried to deploy your application to WebLogic after migrating it to release 2, then deployed it to a managed WebLogic, but it kept getting stuck in a loop trying to resolve the login page. I also developed a sample application from scratch on release 2 and enabled ADF Security, with the same error.

Any help?

Andrejus Baranovskis said...

Can you send me the migrated source code you were trying to deploy?

Thanks,
Andrejus

Wendy Tromp said...

I'd like to know if you found a solution to the problem the last poster had. I have the same problem....

Andrejus Baranovskis said...

I never received the sample app from the reader.

When the loop happens, make sure to remove the autogenerated anonymous role from jazn-data. Restart JDev and assign the anonymous role manually to the Login page def.

Andrejus

Anonymous said...

Thanks Andrejus, this tutorial will help me a lot.

Xahar Hassan said...

I tried your application.
But then it's giving me this exception:
Caused by: java.lang.InstantiationException: weblogic.wsee.jaxws.client.async.AsyncTransportProvider

Andrejus Baranovskis said...

JDeveloper version?

Andrejus

Anonymous said...

"When loop happens, make sure to remove anonymous autogenerated role from jazn-data. Restart JDev and assign anonymous role manually to the Login page def."

This helps me a lot. Thanks!

Anonymous said...

Hello Andrejus, your post is really helpful. I just have a question about dispatcher redirection: when I submit my authentication form, I want to stay on the same page without reloading it,
and at the same time display the authenticated username.
Is there a way to do that?

Andrejus Baranovskis said...

Yes, maybe you can redirect to the same Login page.

Andrejus

ector M said...

Hello,
thanks for the example...

Could you please help me? I need to get the attributes added in the WebLogic console, like phone number, email address, etc.

I'm new to ADF, so everything you can tell me will be useful...

thanks in advance
regards
ESM

Murat Kalın said...

Hi,

I'm facing an image rendering problem when trying to customize the login.html page. I tried to assign the anonymous role to it but can't see it in jazn-data.xml. Any suggestion?

Thank you
Murat

sekharbabu atmakuri said...

excellent post

fakhri kharrat said...

Hi Andrejus,

For logout in WebLogic Server:
/adfAuthentication?logout=true&end_url=/faces/index.jsf

It's not the same when I use GlassFish.

Anonymous said...

Hi,
I followed your application for the login page. Actually, I migrated my project developed in JDeveloper 11.1.1.2 to JDeveloper 11.1.2.0. The login page is displayed, but when I enter the username and password it fails with the error "incorrect username or password", and in the console I get the following exception: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User SYS javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User SYS denied.
So please tell me where I went wrong. Do I need some settings in the realm?

Andrejus Baranovskis said...

Hi,

You should define your user in jazn-data.xml and test it. User SYS is not available by default in ADF.

Andrejus

Inu said...

Hi,
While I am trying to configure form-based authentication in a WebCenter Portal application, it is taking defaultAuthentication. I have given a grant to some page, but while logging in it is taking the default authenticated password. What do I need to do? Please advise.