Saturday, April 16, 2011

Practical Guide for Oracle WebCenter PS3 Security Implementation

This article is about best practices for WebCenter PS3 security implementation. Provided information is not necessarily complete, I will post updates in my future posts. Main goal is to give sample start-up application, it should help to jump start your WebCenter PS3 project and avoid certain level of beginner confusion. Sample application - EnterprisePortalApp_v1.zip, is focused around secured landing page implementation and Login/Logout functionality. By default, auto-generated sample application based on WebCenter PS3 template from JDeveloper 11g doesn't have secured landing page. Every customer is wondering, where is a point to have landing page with anonymous access, this article will explain in detail how to fix this.

First, let's look more closely into problem I'm talking about. Typical WebCenter PS3 application contains navigation model, it renders menu structure on runtime:


When accessing landing page, user is redirected directly into home page with menu structure - anonymous access is enabled:


User can login directly inside home page, authentication will be performed and same home page will render authorized items:


What we want to achieve, is to redirect all anonymous users to Login page first and only then after successful authentication process to home page. If we check web.xml, Form-Based authentication is configured by default for WebCenter PS3 application:


The question is, how to enable it? As you can see, Login page is registered as login.html. We can open and check login.html after it will be removed from excluded items:


All looks good, there is redirect to actual login.jspx:


Real thing we are looking for is inside pages.xml file, it is where page hierarchy is defined:


Home page is defined to be accessible for anonymous users, its why redirect to login page is not happening when accessing landing Home page:


Click Delegate Security option and remove anonymous grant for Home page access:


Run portal application, you will get resource not found error:


From URL we can see it points to pages_home resource, this is basically home page from pages.xml hierarchy. Now since we disabled anonymous access, this resource is not accessible anymore. Open index.html file, where landing URL is defined:


Change it to point to home.jspx directly:


ADF Security will redirect anonymous users to login.jspx:


Login and enter inside portal:


From first look, all seems to work now. But believe, we need to apply few more fixes. For example, if user will try to logout now, again will get resource not found error:


First attempt to resolve this issue is to set logout_success URL in faces-config.xml:


Login/Logout works now for landing home page:


But it still doesn't work when current selected menu item points to ADF Task Flow.

Let's do some heavy refactoring for auto-generated WebCenter PS3 application and ensure Login/Logout works in all cases. First things I would recommend is to disable page hierarchy, especially when you are using combination of ADF Task Flows in the same menu structure. Open pages.xml file and remove Home page:


Once page is removed from pages hierarchy, it appears in jazn-data.xml and can be defined with ADF Security permissions as any other ADF resource:


Define required permissions:


Remove page Page Hierarchy from navigation model:


Add page link pointing to Home page inside navigation model:


In order Home page menu item to be selected by default, add externalId attribute to Home page link:


Open faces-config.xml and reference externalId of Home page as login_success URL, this allow to select Home menu item by default after successful authentication - /wcnav_externalId/defaultMenu:


One more thing, you need to extend WebCenter PS3 View Handler class. Otherwise it gets confused with navigation model items during Login/Logout actions. I have received extended WebCenter PS3 View Handler class from Oracle support, same class is available inside provided sample application. You can check in faces-config.xml, it is specified to point to extended View Handler:


Method from extended class filters and validates every navigation request, see comments inside:


Now we are done, all should work smooth. Just one more small but important best practice, make sure you protect external menu items. Its all good if menu item points to ADF page or ADF Task Flow, it will inherit security permissions from ADF Security. But if menu item points to external resources, this menu item by default is directly accessible by app-context-root/faces/menuItemId:


Open navigation model and change external resource Visible property from default #{true}:


To authenticated:


24 comments:

Viswanath G said...

Hi,
I created a simple webcenter app. Followed the steps mentioned in your blog and deployed it on weblogic server (10.3.4).

Now when i try to access the home.jspx, it redirects to login.html, then it redirects to login.jspx and finally this goes into infinite loop and i cannot see login.jspx or home.jspx.

Can you please suggest what i can probably do to solve this?

Andrej Baranovskij said...

Hi,

Check if login.jspx is granted with anonymous permission in jazn-data.xml

Andrejus

Viswanath G said...

Hi,
I checked in jazn-data.xml and login.jspx has anonymous permission.

When i run home.jspx, it goes into loop between these two urls:

http://:8892/UITestApp/faces/oracle/webcenter/portalapp/pages/login.jspx

http://:8892/UITestApp/login/login.html

Please suggest.

Andrej Baranovskij said...

Send me your sample app, I will fix.

Andrejus

Viswanath G said...

Thank you...
I just mailed my app to your gmail id.

Andrej Baranovskij said...

Answered, you have default auto generated WebCenter app with anonymous security - Login page is never invoked.

Andrejus

Viswanath G said...

Hi,

Followed the steps in your blog, in an attempt to solve the redirect loop issue in my application.

But it still gives the same error. Any other steps which i am missing? Please suggest.

Andrej Baranovskij said...

Send me that application, where you implement steps from blog post, please. I will let you know, missing part.

Andrejus

Viswanath G said...

Hi,
The login.jspx redirect loop issue was solved by recreating managed server using oracle documentation.

The ViewHandler class in your app in blog has also solved my login-logout issues.

Thanks...

Andrej Baranovskij said...

Thats great !

Jordan Williams said...

A great post Andrejus, cheers!

Amit Seth said...

Hi,
How was issue regarding the looping of Login page resolved ?

Thanks/Amit

Andrej Baranovskij said...

This issue is random, probably you would need to compare file by file with my sample app to resolve it.

Andrejus

Baby Pooh said...

Hi

I followed the steps and it's really helpful. But I have two landing pages. I want to redirect to different landing page after logged in according to the user role. What should I do?

Thanks

Andrej Baranovskij said...

You should code this logic in ApplicationViewHandler class.

Regards,
Andrejus

Baby Pooh said...

Hi

I'm really a beginner. So, can you please show me an example or tutorial for this.

Thanks

Andrej Baranovskij said...

Hi,

I will put this on my todo list, to post a blog.

Andrejus

Anonymous said...

Hi Andrejus,

I have used your example blog to achieve the login/logout functionality. Its a great post and helped me a lot.

Also, I have this requirement of different landing pages based on the user role.

I tried to set the Viewid in ApplicationViewHandler based on the userrole,but it takes the default page which was set in the default navigation model.

Can you please give me a hint on the same and waiting for your blog entry on the same.

Thanks,
Morgan.

Andrej Baranovskij said...

Hi Morgan,

This is on my todo list, I will post sample soon.

Thanks,
Andrejus

Brian Harrison said...

Andrejus,

I am trying to go through your steps but I am running into a problem. I am doing it with JDev 11.1.1.5.0 and when I change the path within the index.html to the home.jspx I get a 500 internal error on that page and the project never redirects to the login page. In addition, if I do go to the login page, I get the same 500 NullPointerException error. Any ideas why this might be happening with a completely fresh WebCenter Portal Application.

Brian

Andrej Baranovskij said...

Yes, sometimes this happens for me too - WebCenter security is not predictable. In most of the cases, I'm able to resolve it, by cleaning pages.xml file - removing all entries. And defining security permissions manually in jazn-data.xml

Andrejus

Brian Harrison said...

Andrejus,

I was able to get things working, but only by switching to my Mac and using the exact same project. For whatever reason, I cannot get my Windows machine to run the project correctly.

Brian

Andrej Baranovskij said...

WebCenter is Windows not friendly (joking :-))

Andrejus

Ramesh Reddy said...

Hi Andrejus, I want to configure gmail as an external application can you help me reg this

Thanks in advance