Sunday, November 14, 2010

Things You Must Know About ADF Faces Login Page

The Oracle ADF 11g Developer Guide is the primary source of information for every Oracle Fusion 11g developer. Security implementation is covered in chapter 30.7, Creating a Login Page. What is the difference between a smart and a regular developer? A smart developer is proactive and always knows more than is described in the developer guide :) Today I will present a few aspects of ADF login page implementation that you should keep in mind when working with ADF Security.

I will use a typical ADF Faces page to implement the login screen - /faces/login.jspx:


I used the ADF Security wizard to define the login page, just following the documentation steps, and got strange behavior. When I run the application, it redirects to the login page and starts opening it, but then hangs and never displays the login screen:


There are no errors or warnings in the log:


However, you should know that when an ADF Faces page is defined as the login page, a page definition will be generated for it automatically, even if none was defined:


When a page definition exists, the page is automatically protected by ADF Security. Because the login page has no grants by default, it is not accessible:


At the same time, this page is defined as the login page: the framework tries to load it, but fails because no permission is defined. That is why the application simply hangs.

To make it work, you need to grant the anonymous role on the login page. This allows the login screen to render:


When implementing an ADF Faces login page, we can process the username and password before authenticating. We can convert the username to lower case: some LDAP systems are case sensitive, and this allows the user to log in even if he types the username in upper case:


If you are already working with the new JDeveloper 11g PS3 beta release, you have probably noticed that the SimpleCallbackHandler class is deprecated:


The documentation still references the deprecated SimpleCallbackHandler class for the login action. It will probably be updated later to use the URLCallbackHandler class. The sample application for this post uses URLCallbackHandler:


To test the login functionality, I use a mix of upper and lower case for the username:


The login action completes successfully with the URLCallbackHandler class, and the username is converted to lower case:


Download sample application for this post - SecurityFormLogin.zip
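
The login action described above, sketched as a backing bean (an added example, not the code from the post's sample application; the LoginBean class, its fields and the /faces/main.jspx target are assumed names). It lowercases the username before a WebLogic login through URLCallbackHandler and clears the password after a failed attempt.

```java
import java.io.IOException;
import java.util.Locale;
import javax.faces.application.FacesMessage;
import javax.faces.context.FacesContext;
import javax.security.auth.Subject;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import weblogic.security.URLCallbackHandler;
import weblogic.security.services.Authentication;
import weblogic.servlet.security.ServletAuthentication;

// Added example: LoginBean, its fields and /faces/main.jspx are assumed names.
public class LoginBean {
    private String username, password;

    public String doLogin() {
        FacesContext ctx = FacesContext.getCurrentInstance();
        if (username == null || password == null || password.isEmpty()) {
            return fail(ctx, "Username and password are required");
        }
        // Assumes the identity store keeps user names in lower case; Locale.ROOT avoids locale-specific mappings.
        String user = username.trim().toLowerCase(Locale.ROOT);
        HttpServletRequest req = (HttpServletRequest) ctx.getExternalContext().getRequest();
        try {
            Subject subject = Authentication.login(new URLCallbackHandler(user, password.getBytes()));
            ServletAuthentication.runAs(subject, req);
            // Let the ADF authentication servlet finish and forward to the target page.
            req.getRequestDispatcher("/adfAuthentication?success_url=/faces/main.jspx")
               .forward(req, (HttpServletResponse) ctx.getExternalContext().getResponse());
            ctx.responseComplete();
        } catch (FailedLoginException e) {
            return fail(ctx, "Incorrect username or password"); // one message for every rejected login
        } catch (LoginException | ServletException | IOException e) { // multi-catch needs Java 7+
            return fail(ctx, "Login could not be completed");
        }
        return null;
    }

    private String fail(FacesContext ctx, String text) {
        password = null; // never carry a rejected password into the next attempt
        ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, text, null));
        return null;
    }
    public void setUsername(String u) { username = u; }
    public String getUsername() { return username; }
    public void setPassword(String p) { password = p; }
    public String getPassword() { return password; }
}
```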

48 comments:

Anonymous said...

Hi,

at first very nice blog!

But regarding the "JDeveloper 11g PS3 beta release": is there a public download source for the beta release, or is this "private"?

Best regards

Andrej Baranovskij said...

Hi,

It's private...

Andrejus

Anonymous said...

Hi,

first, excellent blog :) I'm looking at your code for the Login class and I'm wondering whether it is possible to call my own authentication servlet and not the ADF Security servlet. I have a little project where I must use SSO for authentication. I can use SSO.isAuthenticated(req, resp) to check if the user is valid, and I also have a logout servlet which just sets the logout URL and invalidates the session. User information is stored in a database and I can't add the users to WLS (about 10 000 users). I found some documentation about custom security, but it worked only with OC4J/JAZN. Can you give me any directions?

Andrej Baranovskij said...

Hi,

It's not calling the ADF authentication servlet, it's doing pure WebLogic authentication (weblogic.security). In your case, you could probably define your own security provider in WebLogic and use it for authentication. The ADF application relies completely on WebLogic in this case; there is nothing ADF specific.

Regards,
Andrejus

Unknown said...

Hello,

I'm facing a similar problem.
And I found your post. I configured everything the same as your steps.

But I can't see pages as anonymous-role.

I don't know what is wrong.

I created index.jspx with anonymous-role and run page. But it goes to login.jspx.

Thank you,
Erdenebayar

Andrej Baranovskij said...

Hi,

It will redirect to the Login page only from pages set with authenticated permission. Most probably you are trying to access a page with authenticated permission.

Regards,
Andrejus

Unknown said...

Hi,

Thank you for your quick reply.

How do I set a page as not authenticated? Is it anonymous-role?
Because I'm new to ADF Security.

Thank you,
Erdenebayar

Andrej Baranovskij said...

Yes, just assign anonymous role. It must work.

Andrejus

Unknown said...

Hi,

I assigned anonymous-role, but it is not working. Same result.

I attached my configurations, I think something is wrong or corrupted.
http://bit.ly/fX4QDd
Can you review it?

Erdenebayar,

Unknown said...

Hi,

Maybe my anonymous provider is not working.

Also I deleted cwallet, jazn-data, jps-config, weblogic, weblogic-application. And when I enable security again, I get the same result.

But when i'm creating new application, it is working.

Erdenebayar

Andrej Baranovskij said...

This can happen only if the jps-config file is corrupted. You can copy most of the contents of that file from another working application and it should work fine.

Andrejus

Unknown said...

Hmmm, also not working.

Is there anything to check? (Files).

Is it possible to send you my application (ViewController)?
If possible, please send me your mail.

Because this security issue is very urgent for me.

Erdenebayar.

Andrej Baranovskij said...

Hi,

You should compare the two applications. Do you have one working?

Andrejus

Patrik Frankovic said...

Hi Andrejus,
I've successfully implemented your login page and it's working fine, except for one problem. If you enter wrong credentials and hit login, you'll get an error message about wrong un/pw, but if you hit the button again without entering new credentials, you'll get a null pointer exception. I'm using JDev 11.1.2.
Thanks and regards,
Patrik

Andrej Baranovskij said...

Sounds like a bug of 11.1.2

Andrejus

Patrik Frankovic said...

Hi again,
resetting the Password field after a bad login attempt solves the problem. :)

setPassword(null);

Thanx & regards,
Patrik

Andrej Baranovskij said...

Good fix :)

Andrejus

Andrej Baranovskij said...

Or you can set both username and password fields to be required - this will prevent login attempt with empty password.

Andrejus

Anonymous said...

I tried to deploy your application to WebLogic after migrating it to release 2, then deployed it to managed WebLogic, but it kept getting stuck in a loop trying to resolve the login page. I also developed a sample application from scratch on release 2 and enabled ADF Security, with the same error.

Any help?

Andrej Baranovskij said...

Can you send me the migrated source code you were trying to deploy?

Thanks,
Andrejus

Wendy Tromp said...

I'd like to know if you found a solution to the problem the last poster had. I have the same problem....

Andrej Baranovskij said...

I never received the sample app from the reader.

When loop happens, make sure to remove anonymous autogenerated role from jazn-data. Restart JDev and assign anonymous role manually to the Login page def.

Andrejus

Anonymous said...

Thanks Andrejus, this tutorial will help me a lot.

Xahar Hassan said...

I tried your application.
But then it's giving me this exception:
Caused by: java.lang.InstantiationException: weblogic.wsee.jaxws.client.async.AsyncTransportProvider

Andrej Baranovskij said...

JDeveloper version?

Andrejus

Anonymous said...

"When loop happens, make sure to remove anonymous autogenerated role from jazn-data. Restart JDev and assign anonymous role manually to the Login page def."

This helps me a lot. Thanks!

Anonymous said...

Hello Andrejus, your post is really helpful; I just have a question about dispatcher redirection. When I submit my authentication form, I want to stay on the same page without reloading it,
and at the same time display the authenticated username.
Is there a way to do that?

Andrej Baranovskij said...

Yes, maybe you can redirect to the same Login page.

Andrejus

ector M said...

Hello,
thanks for the example...

could you please help me, I need to get the attributes added in the WebLogic console, like phone number, email address, etc.

I'm new to ADF, so everything you can tell me will be useful...

thanks in advance
regards
ESM

Murat Kalın said...

Hi,

I'm facing an image rendering problem when trying to customize the login.html page. I tried to assign the anonymous role to it but can't see it in jazn-data.xml. Any suggestion?

Thank you
Murat

Unknown said...

excellent post

Votre future présentation... said...

Hi Andrejus,

for logout in weblogic server :
/adfAuthentication?logout=true&end_url=/faces/index.jsf

it's not the same when I use Glassfish.

Anonymous said...

hi,
I followed your application for the login page. Actually, I migrated my project developed in JDeveloper 11.1.1.2 to JDeveloper 11.1.2.0. The login page is displayed, but when I enter the username and password, it fails with the error incorrect username or password, and in the console I get the following exception: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User SYS javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User SYS denied.
So please tell me where I did the wrong thing. Do I need some settings in the realm?

Andrej Baranovskij said...

Hi,

You should define your user in jazn-data.xml and test it. User SYS is not available by default in ADF.

Andrejus

Inu said...

Hi,
while I am trying to configure form-based authentication in a WebCenter Portal application, it is taking defualtAuthentication. I have given a grant to some page, but while logging in it is taking the default authenticated password. What do I need to do? Please suggest.

Anonymous said...

Dear Andrejus,
How can I manage weblogic integrated security in my application?
i.e. change password, create new user, assign roles, define new roles, assign resources to roles etc.
Regards,
Gideon.

Andrej Baranovskij said...

Hi,

You can do this with OPSS API.

Regards,
Andrejus

Anonymous said...

Hi Andrejus,

based on your experience, do you know if it is possible to "split" authentication and authorization processes via WebLogic providers? We are trying by configuring an AD provider to authenticate user credentials only from Active Directory (which does not have security groups) and then a subsequent SQL provider to only "authorize" (for security groups only), but it does not work...

Thanks and Regards!
GB

Anonymous said...

Hi, is it possible to do a silent login to an ADF application from another application without jumping to the login page, as we do with the HTTP POST method?

Andrej Baranovskij said...

If both apps are deployed on the same managed server, I think it should happen.

Andrejus

Unknown said...

Hi Andrejus,

Could you please provide a sample application for silent login to an ADF application from another ADF application without jumping to the login page?

Rogelio said...

Hi Andrejus

My name is Vanderlei Souza.
I'm trying to implement a logout function in my application.
I'm using an af: button that references a managed bean, but when the application is running on the server, it returns a message that my MB is null. The application is of the PageTemplate type. Do you have some guidance on how to proceed?
I appreciate it greatly

Paul said...

1st: Thank you Andrejus!

What is the difference between smart and regular developer? Smart developer is proactive and always knows more than it is described in developer guide.

AB - "Classic"

Andrej Baranovskij said...

Thanks ! :)

Anonymous said...

problem with downloading Sample application
please update the link

Andrej Baranovskij said...

You can download all old samples from Google Archive: https://code.google.com/archive/p/jdevsamples/downloads

Andrejus

Govind Mishra said...

Hi Andrejus,

I have used a bookmark / deep link in my application. When accessing the bookmark page, if the user is not already logged in, it brings up the login page, but after login it does not forward to the bookmark page; instead it forwards to the default page. Please give a hint how I can fix this.

Regards,
GIMISHRA

Amrit said...

Hi Andrejus

I am new to ADF. I have worked on login and logout pages. When my app is first run from JDeveloper 12c, it asks me to log in, and after a successful login it opens all authenticated pages. But after logging out and logging in again as the same user or a different user, it fails to open any page. There is no error in the log. Please help me sort out this issue.

Thanks
Amritpal