The Oracle ADF 11g Developer Guide is the primary source of information for every Oracle Fusion 11g developer. For the security implementation, you can read chapter 30.7, Creating a Login Page. What is the difference between a smart and a regular developer? A smart developer is proactive and always knows more than is described in the developer guide :) Today I will present a few aspects of ADF login page implementation that you should keep in mind when working with ADF Security.
I will use a typical ADF Faces page to implement the login screen - /faces/login.jspx:
I used the ADF Security wizard to define the login page, just following the documentation steps, and I got strange behavior. When I run the application, it redirects to the login page and starts opening it, but then just hangs and never brings up the login screen:
There are no errors or warnings in the log:
However, you should know that when an ADF Faces page is defined as the login page, a page definition will be generated for it automatically, even if none was defined:
When there is a page definition, the page is automatically protected by ADF Security. Because there are no grants for the login page by default, it will not be accessible:
At the same time, this page is defined as the login page - the framework tries to load it, but fails because no permission is defined. That is why the application simply hangs.
To make it work, you need to assign the anonymous role to the login page - this allows the login screen to render:
When we implement an ADF Faces login page, we can process the username and password data before doing authentication. We can convert the username to lower case; some LDAP systems are case sensitive, so this allows the user to log in even if they type the username in upper case:
If you are already working with the new JDeveloper 11g PS3 beta release, you have probably noticed that the SimpleCallbackHandler class is deprecated:
The documentation still references the deprecated SimpleCallbackHandler class for the login action. It will probably be updated later to use the URLCallbackHandler class. The sample application for this post uses that class:
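A login action along the lines described above, as an added example (it is not the sample application's code): it lower-cases the username and authenticates through WebLogic with URLCallbackHandler. The bean name, field names, landing page /faces/index.jspx and error text are assumptions.

```java
import java.io.IOException;
import java.nio.charset.Charset;
import java.util.Arrays;
import java.util.Locale;
import javax.faces.application.FacesMessage;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;
import weblogic.security.URLCallbackHandler;
import weblogic.security.services.Authentication;
import weblogic.servlet.security.ServletAuthentication;

// Hypothetical backing bean for /faces/login.jspx; bean and field names are assumptions.
public class LoginBean {
    private String username, password;
    public String doLogin() throws IOException {
        FacesContext ctx = FacesContext.getCurrentInstance();
        if (username == null || password == null) return reject(ctx);
        // Locale.ROOT keeps the mapping stable on any server locale (e.g. Turkish dotless i).
        String user = username.toLowerCase(Locale.ROOT);
        byte[] pw = password.getBytes(Charset.forName("UTF-8"));
        try {
            ExternalContext ec = ctx.getExternalContext();
            HttpServletRequest request = (HttpServletRequest) ec.getRequest();
            // Plain WebLogic authentication; URLCallbackHandler replaces SimpleCallbackHandler.
            Subject subject = Authentication.login(new URLCallbackHandler(user, pw));
            ServletAuthentication.runAs(subject, request);
            // Assumed landing page; success_url is handled by the ADF authentication servlet.
            ec.redirect(ec.getRequestContextPath() + "/adfAuthentication?success_url=/faces/index.jspx");
            ctx.responseComplete();
            return null;
        } catch (LoginException e) {
            return reject(ctx);
        } finally {
            Arrays.fill(pw, (byte) 0); // do not keep the password bytes around
            password = null;           // the form never re-submits a stale password
        }
    }
    private String reject(FacesContext ctx) {
        // One generic message: do not reveal whether the username or the password was wrong.
        ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, "Incorrect username or password", null));
        return null;
    }
    public String getUsername() { return username; }
    public void setUsername(String u) { username = u; }
    public String getPassword() { return password; }
    public void setPassword(String p) { password = p; }
}
```

Lower-casing only helps when the directory stores usernames in lower case; the identity store remains the authority on which spelling is valid.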
To test the login functionality, I'm using a mix of upper and lower case for the username:
The login action is performed successfully with the URLCallbackHandler class, and the username is converted to lower case:
Download sample application for this post - SecurityFormLogin.zip

Hi,
At first, very nice blog!
But about the "JDeveloper 11g PS3 beta release": does a public download source exist for the beta release, or is this "private"?
Best regards

Hi,
It's private...
Andrejus

Hi,
First, excellent blog :) I'm looking at your code for the Login class and I'm wondering whether it is possible to call my own authentication servlet and not the ADF security servlet. I have a little project where I must use SSO for authentication. I can use SSO.isAuthenticated(req, resp) to check if the user is valid, and I also have a logout servlet which just sets the logout URL and invalidates the session. User information is stored in a database and I can't add the users to WLS (about 10 000 users). I found some documentation about custom security, but it worked only with oc4j/jazn. Can you give me any directions?

Hi,
It's not calling the ADF authentication servlet, it's doing pure WebLogic authentication (weblogic.security). In your case, you could probably define your own security provider in WebLogic and use it for authentication. The ADF application relies completely on WebLogic in this case; there is nothing ADF-specific.
Regards,
Andrejus

Hello,
I'm facing a similar problem.
And I found your post. I configured everything the same as in your steps.
But I can't see pages as anonymous-role.
I don't know what is wrong.
I created index.jspx with anonymous-role and ran the page. But it goes to login.jspx.
Thank you,
Erdenebayar

Hi,
It will redirect to the Login page only from pages set with authenticated permission. Most probably you are trying to access a page with authenticated permission.
Regards,
Andrejus

Hi,
Thank you for your quick reply.
How do I set a page as not authenticated? Is it anonymous-role?
Because I'm new to ADF Security.
Thank you,
Erdenebayar

Yes, just assign the anonymous role. It must work.
Andrejus

Hi,
I assigned anonymous-role, but it is not working. Same result.
I attached my configurations; I think something is wrong or corrupted.
http://bit.ly/fX4QDd
Can you review it?
Erdenebayar

Hi,
Maybe my anonymous provider is not working.
Also, I deleted cwallet, jazn-data, jps-config, weblogic, weblogic-application. And when I enable security again, I get the same result.
But when I'm creating a new application, it is working.
Erdenebayar

This can happen only if the jps-config file is corrupted; you can copy most of the contents of that file from another working application and it should work fine.
Andrejus

Hmmm, also not working.
Is there anything to check? (Files).
Is it possible to send you my application (ViewController)?
If possible, please send me your mail.
Because this security issue is very urgent for me.
Erdenebayar.

Hi,
You should compare the two applications; you have one working?
Andrejus

Hi Andrejus,
I've successfully implemented your login page and it's working fine, except for one problem. If you enter wrong credentials and hit login, you'll get an error message about wrong un/pw, but if you hit the button again without entering new credentials you'll get a null pointer exception. I'm using JDev 11.1.2.
Thanx and regards,
Patrik

Sounds like a bug in 11.1.2
Andrejus

Hi again,
resetting the Password field after a bad login attempt solves the problem. :)
setPassword(null);
Thanx & regards,
Patrik

Good fix :)
Andrejus

Or you can set both the username and password fields to be required - this will prevent a login attempt with an empty password.
Andrejus

I tried to deploy your application to WebLogic after migrating it to release 2, then deployed to managed WebLogic, but it kept getting stuck in a loop trying to resolve the login page. I also developed a sample application from scratch on release 2 and enabled ADF security, with the same error.
Any help?

Can you send me the migrated source code you were trying to deploy?
Thanks,
Andrejus

I'd like to know if you found a solution to the problem the last poster had. I have the same problem....

I never received the sample app from the reader.
When the loop happens, make sure to remove the autogenerated anonymous role from jazn-data. Restart JDev and assign the anonymous role manually to the Login page def.
Andrejus

Thanks Andrejus, this tutorial will help me a lot.

I tried your application.
But then it's giving me this exception:
Caused by: java.lang.InstantiationException: weblogic.wsee.jaxws.client.async.AsyncTransportProvider

JDeveloper version?
Andrejus

"When loop happens, make sure to remove anonymous autogenerated role from jazn-data. Restart JDev and assign anonymous role manually to the Login page def."
This helps me a lot. Thanks!

Hello Andrejus, your post is really helpful; I just have a question about dispatcher redirection. When I submit my authentication form, I want to stay on the same page without reloading it,
and at the same time display the authenticated username.
Is there a way to do that?

Yes, maybe you can redirect to the same Login page.
Andrejus

Hello,
thanks for the example...
Could you please help me? I need to get the attributes added in the WebLogic console, like phone number, email address, etc.
I'm new to ADF, so everything you can tell me will be useful...
Thanks in advance
Regards
ESM

Hi,
I'm facing an image rendering problem when trying to customize the login.html page. I tried to assign the anonymous role to it but can't see it in jazn-data.xml. Any suggestion?
Thank you
Murat

Excellent post

Hi Andrejus,
for logout in WebLogic server:
/adfAuthentication?logout=true&end_url=/faces/index.jsf
It's not the same when I use Glassfish.

Hi,
I followed your application for the login page. Actually, I migrated my project developed in JDeveloper 11.1.1.2 to JDeveloper 11.1.2.0. The login page is displayed, but when I enter the username and password it fails with the error incorrect username or password, and in the console I got the following exception: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User SYS javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User SYS denied.
So please tell me where I did the wrong thing. Do I need some settings in the realm?

Hi,
You should define your user in jazn-data.xml and test it. User SYS is not available by default in ADF.
Andrejus

Hi,
While I am trying to configure form-based authentication in a WebCenter Portal application, it is taking defaultAuthentication. I have given a grant to some page, but while logging in it is taking the default authenticated password. What do I need to do? Please suggest.

Dear Andrejus,
How can I manage WebLogic integrated security in my application?
i.e. change password, create new user, assign roles, define new roles, assign resources to roles etc.
Regards,
Gideon.

Hi,
You can do this with the OPSS API.
Regards,
Andrejus

Hi Andrejus,
based on your experience, do you know if it is possible to "split" authentication and authorization processes via WebLogic providers? We are trying by configuring an AD provider to authenticate user credentials only from Active Directory (which does not have security groups) and then a subsequent SQL provider to only "authorize" (for security groups only), but it does not work...
Thanks and Regards!
GB

Hi, is it possible to do a silent login to an ADF application from another application without jumping to the login page, as we do with the HTTP POST method?

If both apps are deployed on the same managed server, I think it should happen.
Andrejus

Hi Andrejus,
Could you please provide a sample application for silent login to an ADF application from another ADF application without jumping to the login page?

Hi Andrejus
My name is Vanderlei Souza
I'm trying to implement a logout function in my application.
I'm using an af:button that references a managed bean, but when the application is running on the server it returns a message that my MB is null. The application is of the PageTemplate type; do you have some guidance on how to proceed?
I appreciate it greatly

1st: Thank you Andrejus!
What is the difference between smart and regular developer? Smart developer is proactive and always knows more than it is described in developer guide.
AB - "Classic"

Thanks ! :)

Problem with downloading the sample application,
please update the link

You can download all old samples from Google Archive: https://code.google.com/archive/p/jdevsamples/downloads
Andrejus

Hi Andrejus,
I have used a bookmark / deep link in my application. While accessing the bookmark page, if the user is not already logged in, it brings up the login page, but after login it does not forward to the bookmark page; instead it forwards to the default page. Please give a hint on how I can fix this.
Regards,
GIMISHRA

Hi Andrejus
I am new to ADF. I have worked on login and logout pages. When my app is first run from JDeveloper 12c, it asks me to log in, and after a successful login it opens all authenticated pages. But after logging out and logging in again as the same user or a different user, it fails to open any page. No error in the log. Please help me sort out this issue.
Thanks
Amritpal