What should you do when you need to access security information directly from an ADF 11g application, for example when there is a requirement to retrieve security groups or system users from the WebLogic Security Provider? Every production system uses some kind of LDAP product to store security groups and system users. From what I saw, in most cases customers are using Active Directory. WebLogic Server is configured with a Security Provider that points to and consumes the Active Directory connection, and a deployed ADF application automatically authenticates against the Security Provider configured on WebLogic Server. Instead of connecting to the LDAP server directly, we can use the Oracle Platform Security Services (OPSS) API and retrieve Security Provider information directly through the ADF Security connection.
Please read the Oracle Fusion Middleware Security blog in order to get fundamental information about Oracle OPSS - OPSS Sample Application. I went one step further and explained how you can use the Oracle OPSS API inside ADF BC and implement a functional requirement to bring back security groups. Download the sample application - SecurityGroupsCustomApp.zip. My next blog post will explain how to bring back the system users for a selected security group.
The sample application implements the Oracle OPSS API logic inside the Model project; this allows building a programmatic VO and isolating the complex Oracle OPSS logic from the ViewController. I have created a VO implementation extension class, IdentityStoreAccess, which contains the Oracle OPSS API methods to connect to the WebLogic Security Provider and retrieve security groups from it:
All complex Oracle OPSS API logic is isolated inside the Model project, which allows exposing it to the ViewController through a standard Data Control based on the programmatic VO:
The VO implementation extension class, IdentityStoreAccess, contains a method to retrieve the role(s) matching a specified pattern using the Oracle OPSS API. If the pattern is specified as a wildcard, all available security groups are retrieved:
This method uses the Oracle OPSS SimpleSearchFilter class with a ROLE_NAME SearchParameter object.
The IdentityStoreAccess class is defined to override the base implementation class of the programmatic VO:
The RolesView programmatic VO is constructed from the security groups collection retrieved from the configured WebLogic Security Provider. The connection to the WebLogic Security Provider is established through the ADF Security connection:
RolesView VO rows are populated programmatically from the security groups collection:
When the RolesView VO is initialized, instead of constructing a SQL query, the overridden executeQueryForCollection method retrieves the information from the WebLogic Security Provider. This information is then used to populate the programmatic VO:
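As an added illustration of the IdentityStoreAccess and RolesView design described in the preceding paragraphs (example code written for this page, not the code shipped in the SecurityGroupsCustomApp.zip download), the two classes below show how the OPSS role search and the programmatic VO fit together. Assumptions made here: the identity store is obtained from the current JPS context, the search filter is built on the RoleProfile.NAME attribute (taken to be the role-name search parameter the post refers to), the VO has two attributes, RoleName and DisplayName, at indices 0 and 1, and the VO always queries with the wildcard so every role the Security Provider returns is listed. The pattern handling strips any wildcard character supplied by the caller before appending the store's own wildcard, so a value coming from the UI can narrow the search to a prefix but cannot widen it.

```java
// file: model/IdentityStoreAccess.java  (example code, not the post's own sample)
package model;

import java.sql.ResultSet;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import oracle.jbo.JboException;
import oracle.jbo.server.ViewObjectImpl;
import oracle.jbo.server.ViewRowImpl;
import oracle.jbo.server.ViewRowSetImpl;
import oracle.security.idm.IMException;
import oracle.security.idm.Identity;
import oracle.security.idm.IdentityStore;
import oracle.security.idm.Role;
import oracle.security.idm.RoleProfile;
import oracle.security.idm.SearchParameters;
import oracle.security.idm.SearchResponse;
import oracle.security.idm.SimpleSearchFilter;
import oracle.security.jps.JpsContext;
import oracle.security.jps.JpsContextFactory;
import oracle.security.jps.JpsException;
import oracle.security.jps.service.idstore.IdentityStoreService;

/** Base class for programmatic VOs that read the identity store behind the WebLogic Security Provider. */
public class IdentityStoreAccess extends ViewObjectImpl {

    /** Identity store of the current JPS context (the ADF Security connection), no direct LDAP access. */
    protected IdentityStore getIdentityStore() {
        try {
            JpsContext ctx = JpsContextFactory.getContextFactory().getContext();
            IdentityStoreService svc = ctx.getServiceInstance(IdentityStoreService.class);
            return svc.getIdmStore();
        } catch (JpsException e) {
            throw new JboException("Identity store is not available: " + e.getMessage());
        }
    }

    /** Roles whose name starts with pattern; "*" (or empty) returns all roles. */
    protected List<Role> retrieveRoles(String pattern) {
        List<Role> roles = new ArrayList<Role>();
        IdentityStore store = getIdentityStore();
        try {
            SimpleSearchFilter filter =
                store.getSimpleSearchFilter(RoleProfile.NAME, SimpleSearchFilter.TYPE_EQUAL, null);
            String wildcard = filter.getWildCardChar();
            String trimmed = pattern == null ? "" : pattern.trim();
            // Caller-supplied wildcards are removed; only the trailing store wildcard is allowed.
            String value = (trimmed.isEmpty() || "*".equals(trimmed))
                ? wildcard
                : trimmed.replace(wildcard, "").replace("*", "") + wildcard;
            filter.setValue(value);
            SearchParameters params = new SearchParameters(filter, SearchParameters.SEARCH_ROLES_ONLY);
            SearchResponse response = store.searchRoles(Role.SCOPE_ANY, params);
            while (response.hasNext()) {
                Identity identity = response.next();
                if (identity instanceof Role) {
                    roles.add((Role) identity);
                }
            }
        } catch (IMException e) {
            throw new JboException("Role search failed: " + e.getMessage());
        }
        return roles;
    }
}

// file: model/RolesViewImpl.java  (example code; generated VO impl class extending IdentityStoreAccess)
class RolesViewImpl extends IdentityStoreAccess {
    private static final int ROLE_NAME = 0;     // assumed attribute index of RoleName
    private static final int DISPLAY_NAME = 1;  // assumed attribute index of DisplayName

    /** No SQL: the "result set" is an iterator over roles from the Security Provider. */
    @Override
    protected void executeQueryForCollection(Object qc, Object[] params, int noUserParams) {
        setUserDataForCollection(qc, retrieveRoles("*").iterator());
        super.executeQueryForCollection(qc, params, noUserParams);
    }

    @Override
    protected boolean hasNextForCollectionInternal(Object qc) {
        Iterator<?> it = (Iterator<?>) getUserDataForCollection(qc);
        boolean more = it != null && it.hasNext();
        if (!more) {
            setFetchCompleteForCollection(qc, true);
        }
        return more;
    }

    /** Populate one VO row from the next Role in the collection. */
    @Override
    protected ViewRowImpl createRowFromResultSet(Object qc, ResultSet rs) {
        Iterator<?> it = (Iterator<?>) getUserDataForCollection(qc);
        Role role = (Role) it.next();
        ViewRowImpl row = createNewRowForCollection(qc);
        populateAttributeForRow(row, ROLE_NAME, role.getName());
        populateAttributeForRow(row, DISPLAY_NAME, role.getDisplayName());
        return row;
    }

    @Override
    public long getQueryHitCount(ViewRowSetImpl viewRowSet) {
        return retrieveRoles("*").size();
    }

    @Override
    protected void releaseUserDataForCollection(Object qc, Object rs) {
        setUserDataForCollection(qc, null);
        super.releaseUserDataForCollection(qc, rs);
    }
}
```

The store is opened with the Security Provider's own configured connection, not with the logged-in user's credentials, so every role the provider can see is returned to whoever can reach the page; restrict the page itself through ADF Security page grants rather than expecting the identity store to filter per user.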
The programmatic VO is included in the AM and allows consuming the alternative data source through a standard Data Control; there is no difference for the ViewController:
The ADF Faces table component shows the security groups defined inside the WebLogic Default Authenticator Provider (for test purposes only). It will retrieve security groups from LDAP in exactly the same way, without any changes to the ADF application:
Nice out-of-the-box features provided by the ADF Faces table component, filtering and sorting, can be applied to the programmatic VO as well:
The same security groups are defined by the WebLogic Security Provider:
The Default Authenticator in this example is the only available Security Provider. If you define an LDAP connection, security groups will be retrieved from it as well: