Sunday, November 14, 2010

Things You Must Know About ADF Faces Login Page

The Oracle ADF 11g Developer Guide is the primary source of information for every Oracle Fusion 11g developer. For the security implementation, read chapter 30.7, Creating a Login Page. What is the difference between a smart and a regular developer? A smart developer is proactive and always knows more than is described in the developer guide :) Today I will present a few aspects of ADF login page implementation that you should keep in mind when working with ADF Security.

I will use a typical ADF Faces page to implement the login screen - /faces/login.jspx:


I used the ADF Security wizard to define the login page, just following the documentation steps, and I got strange behavior. When I run the application, it redirects to the login page and starts opening it, but then just hangs and never brings up the login screen:


There are no errors or warnings in the log:


However, you should know that when an ADF Faces page is defined as the login page, a page definition is generated for it automatically, even if none was defined:


When there is a page definition, the page is automatically protected by ADF Security. Because there are no grants for the login page by default, it is not accessible:


At the same time, this page is defined as the login page: the framework tries to load it, but fails because no permission is defined. That is why the application simply hangs.

To make it work, you need to specify the anonymous role for the login page - this allows the login screen to render:


When we implement an ADF Faces login page, we can process the username and password data before doing authentication. We can convert the username to lower case. Some LDAP systems are case sensitive, and this allows the user to log in even if he types the username in upper case:


If you are already working with the new JDeveloper 11g PS3 beta release, you have probably noticed that the SimpleCallbackHandler class is deprecated:


The documentation still references the deprecated SimpleCallbackHandler class for the login action. It will probably be updated later with the URLCallbackHandler class. The sample application for this post uses that class:


To test login functionality, I'm using a mix of upper and lower case for the username:


The login action is performed successfully with the URLCallbackHandler class, and the username is converted to lower case:


Download sample application for this post - SecurityFormLogin.zip
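
The login action described above (username lower-cased, then authentication through URLCallbackHandler), written out as an added example; it is not the code from SecurityFormLogin.zip. The bean name, the success_url target and the error text are assumptions, and the WebLogic classes must be on the classpath.

```java
import java.io.IOException;
import java.util.Locale;
import javax.faces.application.FacesMessage;
import javax.faces.context.FacesContext;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import weblogic.security.URLCallbackHandler;
import weblogic.security.services.Authentication;
import weblogic.servlet.security.ServletAuthentication;

/** Hypothetical managed bean behind the username/password fields of /faces/login.jspx. */
public class LoginBean {
    // Assumed landing page after login; not taken from the sample application.
    private static final String SUCCESS_URL = "/adfAuthentication?success_url=/faces/main.jspx";
    private String username;
    private String password;

    public String doLogin() throws ServletException, IOException {
        FacesContext ctx = FacesContext.getCurrentInstance();
        // Empty fields are rejected up front, so a repeated submit cannot dereference null.
        if (username == null || username.trim().isEmpty() || password == null || password.isEmpty()) {
            return reject(ctx);
        }
        // Fixed locale: the lower-cased name must not depend on the server's default locale.
        String un = username.trim().toLowerCase(Locale.ROOT);
        HttpServletRequest req = (HttpServletRequest) ctx.getExternalContext().getRequest();
        HttpServletResponse resp = (HttpServletResponse) ctx.getExternalContext().getResponse();
        try {
            Subject subject = Authentication.login(new URLCallbackHandler(un, password.getBytes()));
            ServletAuthentication.runAs(subject, req);        // attach the Subject to this session
            ServletAuthentication.generateNewSessionID(req);  // new session id after authentication
            req.getRequestDispatcher(SUCCESS_URL).forward(req, resp);
            ctx.responseComplete();
            return null;
        } catch (LoginException e) {
            return reject(ctx);   // one message, whether the user or the password was wrong
        } finally {
            password = null;      // do not keep the clear-text password in the bean
        }
    }
    private String reject(FacesContext ctx) {
        ctx.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, "Incorrect username or password", null));
        return null;
    }
    public String getUsername() { return username; }  public void setUsername(String u) { username = u; }
    public String getPassword() { return password; }  public void setPassword(String p) { password = p; }
}
```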

48 comments:

  1. Hi,

    at first very nice blog!

    But "JDeveloper 11g PS3 beta release" exists a public download-source for the beta release or is this "private"?

    Best regards

  2. Hi,

    first excellent blog :) I'm looking at your code for Login class and I'm wondering is it possible to call my own authentication servlet and not adf security servlet.. I have a little project where I must use sso for authentication.. I can use SSO.isAuthenticated(req, resp) to check if user is valid.. and also I have a logout servlet which just sets logout url and it invalidates session.. user information is stored in database and I can't add them on wls (about 10 000 users).. I found some documentation about custom security but it worked only with oc4j/jazn.. can you give me any directions???

  3. Hi,

    It's not calling ADF authentication servlet, it's doing pure WebLogic authentication (weblogic.security). In your case, probably you could define your own security provider in WebLogic and use it for authentication. ADF application completely relies on WebLogic in this case, there is no ADF specific.

    Regards,
    Andrejus

  4. Hello,

    I'm facing similar problem.
    And I found your post. I configured everything same as your step.

    But I can't see pages as anonymous-role.

    I don't know what is wrong.

    I created index.jspx with anonymous-role and run page. But it goes to login.jspx.

    Thank you,
    Erdenebayar

  5. Hi,

    It will redirect to Login page only from pages set with authenticated permission. Most probably you are trying to access page with authenticated permission.

    Regards,
    Andrejus

  6. Hi,

    Thank you for your quick reply.

    How to set page with not authenticated? Is it anonymous-role?
    Because i'm new of ADF Security.

    Thank you,
    Erdenebayar

  7. Yes, just assign anonymous role. It must work.

    Andrejus

  8. Hi,

    I assigned anonymous-role, But not working. Same result.

    I attached my configurations, I think something wrong or corrupted.
    http://bit.ly/fX4QDd
    Can you review it?

    Erdenebayar,

  9. Hi,

    Maybe my anonymous provider not working.

    Also I deleted cwallet, jazn-data, jps-config, weblogic, weblogic-application. And When i again enable security, i get same result.

    But when i'm creating new application, it is working.

    Erdenebayar

  10. This can happen only if jps-config file is corrupted, you can copy most of the contents for that file from another working application and it should work fine.

    Andrejus

  11. Hmmm, Also not working.

    Are any anything for check? (Files).

    Is it possible to send you my application (ViewController)?
    If possible, please send me your mail.

    Because this security issue very urgent for me.

    Erdenebayar.

  12. Hi,

    You should compare two applications, you have one working?

    Andrejus

  13. Hi Andrejus,
    I've successfully implemented your login page and it's working fine, except one problem. If you enter wrong credentials and hit login you'll get error message about wrong un/pw, but if you hit button again without entering new credentials you'll get null pointer exception. I'm using Jdev 11.1.2.
    Thanx and regards,
    Patrik

  14. Hi again,
    resetting Password field after bad login attempt solves the problem. :)

    setPassword(null);

    Thanx & regards,
    Patrik

  15. Or you can set both username and password fields to be required - this will prevent login attempt with empty password.

    Andrejus

  16. I tried to deploy your application to weblogic after migrating it to release 2, then deploy to managed weblogic but it kept stuck on a loop trying to resolve login page. I also developed a sample application from scratch on release 2 and enabled adf security with same error.

    Any help?

  17. Can you send me migrated source code you were trying to deploy?

    Thanks,
    Andrejus

  18. I'd like to know if you found a solution to the problem the last poster had. I have the same problem....

  19. I never received sample app from reader.

    When loop happens, make sure to remove anonymous autogenerated role from jazn-data. Restart JDev and assign anonymous role manually to the Login page def.

    Andrejus

  20. Thanks Andrejus, this tutorial will help me a lot.

  21. I tried your application.
    But then it's giving me this exception:
    Caused by: java.lang.InstantiationException: weblogic.wsee.jaxws.client.async.AsyncTransportProvider

  22. "When loop happens, make sure to remove anonymous autogenerated role from jazn-data. Restart JDev and assign anonymous role manually to the Login page def."

    This helps me a lot. Thanks!

  23. Hello Andrejus, your post is really helpful; I just have a question about dispatcher redirection. When I submit my authentication form, I want to stay on the same page without reloading it,
    at the same time display the authenticated username.
    Is there a way to do that?

  24. Yes, maybe you can redirect to the same Login page.

    Andrejus

  25. Hello,
    thanks for the example...

    could you please help me, I need to get the attributes added in weblogic console, like phone number, email address, etc

    I'm new on ADF, so everything you can tell me will be useful...

    thanks in advance
    regards
    ESM

  26. Hi,

    I'm facing with image rendering problem when try to customize login.html page. Tried to assign anonymous role to it but can't see it in jazn-data.xml. Any suggestion?

    Thank you
    Murat

  27. Hi Andrejus,

    for logout in weblogic server :
    /adfAuthentication?logout=true&end_url=/faces/index.jsf

    it's not the same when i use Glassfish.

  28. hi,
    I followed your application for login page. Actually I migrated my project developed in JDeveloper 11.1.1.2 to JDeveloper 11.1.2.0. Login page is displaying but I am entering username and password. It failed with the error incorrect username or password, and in console I got the following exception: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User SYS javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User SYS denied.
    So please tell me where I did wrong thing. Need to some settings in realm??

  29. Hi,

    You should define your user in jazn-data.xml and test it. User SYS is not available by default in ADF.

    Andrejus

  30. Hi,
    while I am trying to configure the form-based authentication in webcenter portal application, it is taking defualtAuthentication. I have given grant to some page but while logging in it is taking default authenticated password. What do I need to do? Please suggest me?

  31. Dear Andrejus,
    How can I manage weblogic integrated security in my application?
    i.e. change password, create new user, assign roles, define new roles, assign resources to roles etc.
    Regards,
    Gideon.

  32. Hi,

    You can do this with OPSS API.

    Regards,
    Andrejus

  33. Hi Andrejus,

    based on your experience, do you know if it is possible to "split" authentication and authorization processes via weblogic providers? We are trying by configuring an AD provider to authenticate user credentials only from active directory (which does not have security groups) and then a subsequent SQL provider to only "authorize" (for security groups only) but does not work...

    Thanks and Regards!
    GB

  34. Hi, Is it possible to do the silent login to an ADF application from another application without jumping to login page as we do with HTTP Post method

  35. If both apps are deployed on the same managed server, I think it should happen.

    Andrejus

  36. Hi Andrejus,

    Could you please provide a sample application for silent login to an ADF application from another ADF application without jumping to login page

  37. Hi Andrejus

    My name is Vanderlei Souza
    I'm trying to implement a logout function in my application.
    I'm using an af: button that references a managed bean, but when the application is running on the server returns a message that my MB is null. The application is the PageTemplate type, have some guidance on how to proceed?
    I appreciate greatly

  38. 1st: Thank you Andrejus!

    What is the difference between smart and regular developer? Smart developer is proactive and always knows more than it is described in developer guide.

    AB - "Classic"

  39. problem with downloading Sample application
    please update the link

  40. You can download all old samples from Google Archive: https://code.google.com/archive/p/jdevsamples/downloads

    Andrejus

  41. Hi Andrejus,

    I have used bookmark / deep link in my application.. while accessing bookmark page if it's not already logged in then it will bring login page but after login it does not forward to bookmark page instead it forwards to default page... please give hint how can I fix this..?

    Regards,
    GIMISHRA

  42. Hi Andrejus

    I am new in ADF. I have worked on login and logout pages. When my app is first run from JDeveloper 12c it asks me for login and after successful login it opens all authenticated pages. But after logout and login again on same user or different user it fails to open any page. No error in log. Please help me to sort out this issue.

    Thanks
    Amritpal
