Saturday, January 8, 2011

Fusion Middleware 11g Security - Retrieve Users by Security Groups

I will describe how, inside an ADF 11g application, you can retrieve the users assigned to a specific security group. My previous post, Fusion Middleware 11g Security - Retrieve Security Groups from ADF 11g, describes the Oracle OPSS API that is used to retrieve security information from the WLS Security Provider (which can be Oracle OID or Active Directory). Today I will build on that post and implement a slightly more complex use case with the same Oracle OPSS API.

Download the sample application - SecurityGroupsCustomAppRoleUsers.zip. This sample extends the functionality from the previous post and lists the users assigned to the selected security group:


When I select another security group, the users table is refreshed:


Both tables are based on programmatic VOs. The security groups table row selection event is overridden and invokes the Bind Variable setter method of the Users VO:


The overridden table row selection method performs the row selection and then calls the Bind Variable setter method of the Users VO:


The setter method gets the currently selected security group name and sets it as the Bind Variable value for the Users VO:


The programmatic Users VO implements the executeQueryForCollection method and checks whether the Bind Variable value is NULL. If it is NULL, the first row of the parent Roles programmatic VO is retrieved to initialize the Bind Variable value. The Bind Variable is used to filter the Users VO by the selected security group:


The Bind Variable value is stored in, and retrieved from, the User Data available in Session scope:


The generic VO implementation class contains the getUsers method. This method uses the Oracle OPSS API to retrieve all users for the current security group:


As you can see, first we need to find the RoleProfile for the current security group. Then we search for all direct grantees and keep only the users (another security group can be a grantee as well).
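The following is an added example that is not part of the original post or its sample application. It puts the last three steps together in one programmatic VO implementation class: the "bind variable" setter that writes the selected group name into session User Data, executeQueryForCollection falling back to the first row of the parent Roles VO when that value is NULL, and a getUsers method that resolves the group in the OPSS Identity Store and keeps only the direct grantees that are users. The class, attribute and VO names (UsersViewImpl, UserName, RolesView1, RoleName, the user-data key currentRole) are this example's own choices; the OPSS calls (getIdmStore, searchRole, getRoleProfile, getGrantees) are the ones I understand the oracle.security.idm API to expose, so check them against your OPSS version.

```java
package sample.model.views; // hypothetical package

import java.sql.ResultSet;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;

import oracle.jbo.Row;
import oracle.jbo.ViewObject;
import oracle.jbo.server.ViewObjectImpl;
import oracle.jbo.server.ViewRowImpl;

import oracle.security.idm.IMException;
import oracle.security.idm.Identity;
import oracle.security.idm.IdentityStore;
import oracle.security.idm.Role;
import oracle.security.idm.RoleProfile;
import oracle.security.idm.SearchResponse;
import oracle.security.idm.User;
import oracle.security.jps.JpsContext;
import oracle.security.jps.JpsContextFactory;
import oracle.security.jps.JpsException;
import oracle.security.jps.service.idstore.IdentityStoreService;

/**
 * Programmatic Users VO: each row is one user directly granted the security
 * group whose name is kept in session User Data under ROLE_KEY.
 * Assumed: attribute index 0 is "UserName"; the parent VO is "RolesView1"
 * with a "RoleName" attribute.
 */
public class UsersViewImpl extends ViewObjectImpl {

    private static final String ROLE_KEY = "currentRole"; // hypothetical key

    /** Acts as the Bind Variable setter: stores the selected group in session User Data. */
    public void setRoleName(String roleName) {
        Hashtable userData = getDBTransaction().getSession().getUserData();
        if (roleName == null) {
            userData.remove(ROLE_KEY);
        } else {
            userData.put(ROLE_KEY, roleName);
        }
    }

    public String getRoleName() {
        return (String) getDBTransaction().getSession().getUserData().get(ROLE_KEY);
    }

    @Override
    protected void executeQueryForCollection(Object qc, Object[] params, int noUserParams) {
        String roleName = getRoleName();
        if (roleName == null) {
            // Nothing selected yet: initialize from the first row of the parent Roles VO.
            ViewObject roles = getApplicationModule().findViewObject("RolesView1");
            Row first = roles.first();
            if (first != null) {
                roleName = (String) first.getAttribute("RoleName");
                setRoleName(roleName);
            }
        }
        List<String> users = (roleName == null) ? new ArrayList<String>() : getUsers(roleName);
        // The iterator over the user list becomes this query collection's "result set".
        setUserDataForCollection(qc, users.iterator());
        super.executeQueryForCollection(qc, params, noUserParams);
    }

    @Override
    protected boolean hasNextForCollection(Object qc) {
        Iterator<?> it = (Iterator<?>) getUserDataForCollection(qc);
        boolean more = it != null && it.hasNext();
        if (!more) {
            setFetchCompleteForCollection(qc, true);
        }
        return more;
    }

    @Override
    protected ViewRowImpl createRowFromResultSet(Object qc, ResultSet resultSet) {
        Iterator<?> it = (Iterator<?>) getUserDataForCollection(qc);
        ViewRowImpl row = createNewRowForCollection(qc);
        populateAttributeForRow(row, 0, it.next()); // attribute 0 = UserName
        return row;
    }

    /** Looks the group up in the identity store and returns its direct user members. */
    public static List<String> getUsers(String roleName) {
        List<String> users = new ArrayList<String>();
        try {
            JpsContext ctx = JpsContextFactory.getContextFactory().getContext();
            IdentityStoreService svc = ctx.getServiceInstance(IdentityStoreService.class);
            IdentityStore store = svc.getIdmStore();
            Role role = store.searchRole(IdentityStore.SEARCH_BY_NAME, roleName);
            RoleProfile profile = role.getRoleProfile();
            // direct = true: immediate grantees only; nested groups are not expanded.
            SearchResponse grantees = profile.getGrantees(null, true);
            while (grantees.hasNext()) {
                Identity grantee = grantees.next();
                if (grantee instanceof User) { // a grantee may itself be a group; skip those
                    users.add(grantee.getName());
                }
            }
        } catch (JpsException e) {
            throw new IllegalStateException("Cannot obtain identity store", e);
        } catch (IMException e) {
            throw new IllegalStateException("Cannot read members of group " + roleName, e);
        }
        return users;
    }
}
```

Two points to keep in mind when reusing this pattern. The list is built from direct grantees only, so a user who belongs to the selected group through a nested group will not appear; if the table is used to review who effectively holds a group, either pass `direct = false` (where the provider supports it) or walk the group grantees recursively. And because session User Data is shared by every VO in that user session, the key name should be unique to this use case so that another component cannot overwrite the selected group by accident.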

9 comments:

sunil ravinder said...

Hi Andrejus,

That seems to work, thanks. That means the IdentityStoreService is touching the first identity store with the highest priority. Given that, we plan to create two realms, each one with the required OID provider.

I tried it on my IntegratedWeblogicServer by creating two realms and tried to fetch OIDs by realm name

for e.g.: getIdmStore("myrealm")

it throws

java.lang.UnsupportedOperationException
at oracle.security.jps.internal.idstore.AbstractIdmIdentityStore.getIdmStore(AbstractIdmIdentityStore.java:199)

Moreover, isMultipleRealms() is giving false

Any ideas why this would be happening?

Anonymous said...

Connection with WebLogic Security Provider is established through ADF Security connection:

Can you please help us with how the above mentioned activity is achieved? I guess it's the same reason for the above exception on the credential store and

javax.naming.NamingException [Root exception is oracle.adf.share.security.ADFSecurityRuntimeException: Unable to initialize the credential store.
]

Many Thanks.

Andrej Baranovskij said...

You mean in your case, security groups are not fetched from WLS?

Andrejus

ಆಶ್ವಿನ್ ಆಲ್ಮೆಡ (Ashwin Almeida) said...

Hi Andrejus,

Thanks for detailing the fetch of users. I have a question w.r.t. Spaces and roles.

Currently a Space can have a user associated with only one application role. Can this be extended in some way to assign multiple application roles to a user?

tester said...

Thanks for your great post. I want to ask: is it possible to use Active Directory for authentication and a database for authorization, and how?

Andrej Baranovskij said...

Authorization is always done for you by ADF Security.

Andrejus

swathi said...

Hi,

I am trying to implement Fusion Security on a programmatic VO. During the security enabling process there is a step to enable security on the EO: Read, Update and Remove Current Row. But my VO does not have an EO. Please let me know how to enable security on my View Object.
Thanks,
Swathi

Nirav said...

Hi Andrejus,
This is a great post and kudos to you for sharing the sample app. I tried your sample app in our environment where we have 2 providers configured. The first one is AD (for Active Directory) and the second one is DefaultAuthenticator.
This sample app will fetch roles only from the first provider, which is AD. Is there a way to fetch roles for each of the providers configured?
Thanks.

Unknown said...

Hello, I'm using your post to retrieve user information from WLS. I use JDeveloper 12c and ADF 12.2.1. I get the list of roles, but when passing the role name to the users VO to set the bind variable I get an error, and it seems the bind variable is not set and is not available in the user data list. I have followed your instructions and everything is the same.

Thanks for your help in advance,