This discussion is archived
15 Replies Latest reply: Dec 25, 2012 7:01 PM by 929337

Issues in using Oracle ADF with JAAS for authentication

929469 Newbie
Hi All,

I have configured AppsDataSource in our Oracle E-business Suite Instance to access EBS database from an external Weblogic node through datasource. I have followed the steps given in the document id: 1446499.1 and patch: 9863609. I have deployed a couple of ADF pages on my weblogic server and they can access EBS database through AppsDataSource without any issues.

But I am facing issue in configuring container-based JAAS security for my ADF pages so that authentication is performed against E-business Suite User name/password.
Essentially, I want all the users who have access to Oracle E-Business suite to have access to ADF pages in my external Oracle Weblogic server. As per the document it's called "GLOBAL" access.
I have performed all the JAAS-Weblogic specific setups given in the above document. I tried to configure this by defining "ExtAuthOnlyAuthenticator" and manually adding "GLOBAL" role to ADF application viewcontroller "web.xml" and "weblogic.xml".
But when I try to access the ADF page directly from weblogic server, I get the page directly without any kind of authentication.
After JAAS-Weblogic setup, I expect that users shouldn't be allowed to access ADF pages directly from weblogic.
But in my case no authentication is being prompted. Should I specify anywhere in my ADF application in Jdeveloper to use J2EE container-security/JAAS?

Can someone please shed some light on the above issue as it's a major roadblock for our project?

Greatly appreciate your help.

Thanks,
Murari
  • 1. Re: Issues in using Oracle ADF with JAAS for authentication
    Shay Shmeltzer Employee ACE
    See if this helps:
    https://blogs.oracle.com/jruiz/entry/using_the_oracle_e_business
  • 2. Re: Issues in using Oracle ADF with JAAS for authentication
    929469 Newbie
    Hi Shay,

    Many thanks for your prompt response. The above blog that you have mentioned gives details only on using AppsDataSource from ADF application to access EBS database through datasource. I was able to accomplish this step successfully. I am stuck in authentication step where only authenticated ebusiness users should have access to my custom ADF pages in weblogic server. Is this possible at all through JAAS?

    My Weblogic Version: 10.3.2
    JDeveloper & ADF Runtime version: 11.1.1.2
    EBusiness Suite: 12.1.3

    Could you please shed some light on this?

    Greatly appreciate your help.

    Thanks,
    Murari
  • 3. Re: Issues in using Oracle ADF with JAAS for authentication
    452071 Journeyer
    Hi Murari,

    For the JAAS part you need to create a new Realm on WLS that uses the externalAuthenticator and set it to be the default realm. So the recommendation is that you create a separate domain where you deploy all ADF Applications that use E-Business Suite as its user/roles providers.

    Also if my understanding is right, the notation for defining roles in EBS should be UMX|YOURROLE. This role is mapped to an Enterprise role in your ADF application.

    Check also that when you deploy the ADF Application to WLS, all the deployment options for creating users/roles and policies are unchecked; these are located in the EAR deployment options. I will work on a post that explains the approach, but it might take me some time, so for now let's use this thread for clarifying the process.

    Thanks,

    Juan Camilo
  • 4. Re: Issues in using Oracle ADF with JAAS for authentication
    929469 Newbie
    Hi Juan,

    Thanks for your inputs. I did setup/create a new domain, new custom security realm with ExtAuthOnlyAuthenticator as recommended in the Oracle Document: ID 1446499.1. I can confidently say that I have performed each and every step given in this document for Oracle Weblogic-JAAS.

    I don't need any role setup because I want all E-business Suite users to have access to ADF pages in Weblogic irrespective of their roles. Essentially I want to give "GLOBAL" access to my ADF application.

    I have also unchecked all the checkboxes for creating roles/users/policies in my EAR deployment properties.

    I have also performed the following step to enable container based authentication for ADF Business components:
    http://docs.oracle.com/cd/B31017_01/web.1013/b25947/adding_security004.htm

    I have manually added role and constraint entries for "GLOBAL" access into my ADF view controller web.xml and weblogic.xml.

    Even with all these setups, I couldn't enforce authentication for my ADF pages through JAAS. I can access ADF application directly from my browser without any authentication.

    It would be of great help if you can share your thoughts on the above.

    Appreciate your help.

    Thanks,
    Murari
  • 5. Re: Issues in using Oracle ADF with JAAS for authentication
    452071 Journeyer
    Hi Murari,

    A couple of comments, is there any reason why you are using container managed security? If you are in ADF you can leverage ADF Security together with the EBS JAAS authentication, with ADF security you'd have a more granular security control of your application, on top of that, the setup is declarative and you would not need to edit the web.xml file directly. With container managed security you need to manually work on session management and other security-related aspects of your application. The recommended security approach to be used with ADF applications is ADF Security.

    I understand, however, that at this point you don't need/want any other constraint than just making sure a user can log in using credentials. If you still insist on not using ADF Security, can you share your web.xml file content where you've set up the security constraint? Also I need you to provide me with the relative path to the page that you are trying to access.

    Thanks,

    Juan C.
  • 6. Re: Issues in using Oracle ADF with JAAS for authentication
    929469 Newbie
    Hi Juan,

    Thanks for your response. I am not using ADF security because Oracle Document on EBS JAAS setup: 1446499.1 clearly specifies to remove ADF security using "ADF Security Wizard". Document recommends to use container managed security. I was just trying to implement the steps recommended in that document. I don't mind using ADF security if I can achieve the desired functionality. Were you able to achieve this using ADF security?

    Yes. All I want is global access to all E-Business Suite users and if someone tries to access the ADF page directly then authentication should be prompted which should be performed against Oracle EBS users.

    Below is the content of my web.xml

    <context-param>
      <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
      <param-value>client</param-value>
    </context-param>
    <context-param>
      <description>If this parameter is true, there will be an automatic check of the modification date of your JSPs, and saved state will be discarded when JSP's change. It will also automatically check if your skinning css files have changed without you having to restart the server. This makes development easier, but adds overhead. For this reason this parameter should be set to false when your application is deployed.</description>
      <param-name>org.apache.myfaces.trinidad.CHECK_FILE_MODIFICATION</param-name>
      <param-value>false</param-value>
    </context-param>
    <context-param>
      <description>Whether the 'Generated by...' comment at the bottom of ADF Faces HTML pages should contain version number information.</description>
      <param-name>oracle.adf.view.rich.versionString.HIDDEN</param-name>
      <param-value>false</param-value>
    </context-param>
    <filter>
      <filter-name>JpsFilter</filter-name>
      <filter-class>oracle.security.jps.ee.http.JpsFilter</filter-class>
      <init-param>
        <param-name>enable.anonymous</param-name> <!-- Does this attribute have any impact on this issue?? -->
        <param-value>false</param-value>
      </init-param>
    </filter>
    <filter>
      <filter-name>trinidad</filter-name>
      <filter-class>org.apache.myfaces.trinidad.webapp.TrinidadFilter</filter-class>
    </filter>
    <filter>
      <filter-name>adfBindings</filter-name>
      <filter-class>oracle.adf.model.servlet.ADFBindingFilter</filter-class>
    </filter>
    <filter-mapping>
      <filter-name>JpsFilter</filter-name>
      <servlet-name>Faces Servlet</servlet-name>
      <dispatcher>FORWARD</dispatcher>
      <dispatcher>REQUEST</dispatcher>
      <dispatcher>INCLUDE</dispatcher>
    </filter-mapping>
    <filter-mapping>
      <filter-name>trinidad</filter-name>
      <servlet-name>Faces Servlet</servlet-name>
      <dispatcher>FORWARD</dispatcher>
      <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
    <filter-mapping>
      <filter-name>adfBindings</filter-name>
      <servlet-name>Faces Servlet</servlet-name>
      <dispatcher>FORWARD</dispatcher>
      <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
    <listener>
      <listener-class>oracle.adf.mbean.share.connection.ADFConnectionLifeCycleCallBack</listener-class>
    </listener>
    <listener>
      <listener-class>oracle.adf.mbean.share.config.ADFConfigLifeCycleCallBack</listener-class>
    </listener>
    <listener>
      <listener-class>oracle.bc4j.mbean.BC4JConfigLifeCycleCallBack</listener-class>
    </listener>
    <servlet>
      <servlet-name>Faces Servlet</servlet-name>
      <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
      <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet>
      <servlet-name>resources</servlet-name>
      <servlet-class>org.apache.myfaces.trinidad.webapp.ResourceServlet</servlet-class>
    </servlet>
    <servlet>
      <servlet-name>BIGRAPHSERVLET</servlet-name>
      <servlet-class>oracle.adfinternal.view.faces.bi.renderkit.graph.GraphServlet</servlet-class>
    </servlet>
    <servlet>
      <servlet-name>BIGAUGESERVLET</servlet-name>
      <servlet-class>oracle.adfinternal.view.faces.bi.renderkit.gauge.GaugeServlet</servlet-class>
    </servlet>
    <servlet>
      <servlet-name>MapProxyServlet</servlet-name>
      <servlet-class>oracle.adfinternal.view.faces.bi.renderkit.geoMap.servlet.MapProxyServlet</servlet-class>
    </servlet>
    <servlet>
      <servlet-name>GatewayServlet</servlet-name>
      <servlet-class>oracle.adfinternal.view.faces.bi.renderkit.graph.FlashBridgeServlet</servlet-class>
    </servlet>
    <servlet-mapping>
      <servlet-name>Faces Servlet</servlet-name>
      <url-pattern>/faces/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>resources</servlet-name>
      <url-pattern>/adf/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>resources</servlet-name>
      <url-pattern>/afr/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>BIGRAPHSERVLET</servlet-name>
      <url-pattern>/servlet/GraphServlet/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>BIGAUGESERVLET</servlet-name>
      <url-pattern>/servlet/GaugeServlet/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>MapProxyServlet</servlet-name>
      <url-pattern>/mapproxy/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>resources</servlet-name>
      <url-pattern>/bi/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
      <servlet-name>GatewayServlet</servlet-name>
      <url-pattern>/flashbridge/*</url-pattern>
    </servlet-mapping>
    <resource-ref>
      <res-ref-name>jdbc/workingds</res-ref-name>
      <res-type>javax.sql.DataSource</res-type>
      <res-auth>Container</res-auth>
    </resource-ref>

    <!-- Below are the lines I have manually added for global access as per Oracle document -->
    <security-role>
      <role-name>GLOBAL</role-name>
    </security-role>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>RevenueDBPOC</web-resource-name>
        <url-pattern>/RevenueDBPOC/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>GLOBAL</role-name>
      </auth-constraint>
    </security-constraint>

    <!-- end of manual changes -->

    Below is the content of my viewcontroller weblogic.xml:

    <security-role-assignment>
      <role-name>GLOBAL</role-name>
      <externally-defined/>
    </security-role-assignment>

    Would really appreciate if you can let me know your inputs on the above.

    Edited by: 926466 on Apr 10, 2012 12:25 PM
  • 7. Re: Issues in using Oracle ADF with JAAS for authentication
    452071 Journeyer
    Hi there,

    The note 1446499.1 does not include the latest revision of the document that we have worked with the E-Business Suite, however, if you go to Note 974949.1 and download the PDF with version 2.0 that is attached within that note, you can access the latest instructions to get the JAAS functionality working with ADF Security. Check the PDF, section 3.1.1. In the meantime I'll try to do an entry on my blog that provides guidance on this topic as well.

    I would highly suggest to use ADF Security. If you are using plain Java EE then use container managed security, check the document and give it a try.

    I think the only element to correct on your application, to get container managed, is that you should put the faces context as the url constraints in the following way:

    <security-role>
      <role-name>GLOBAL</role-name>
    </security-role>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>JavaEE Welcome Page</web-resource-name>
        <url-pattern>/faces/secured/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>GLOBAL</role-name>
      </auth-constraint>
    </security-constraint>

    That should make it work, but again highly recommended, use ADF Security!

    Thanks,

    Juan C.
  • 8. Re: Issues in using Oracle ADF with JAAS for authentication
    929469 Newbie
    Hi Juan,

    Many thanks for your detailed inputs. I did go through the latest pdf document on EBS-JAAS for my setup. In this document, section 3.2.4 refers to "Set Up Global Access for All Authenticated Oracle E-Business Suite Users" which is exactly the flow that I wanted to implement. In this section, setup info is provided only for "Container Managed" GLOBAL access.

    Only one line is mentioned in this section on implementing "GLOBAL" access using ADF Security: "For an ADF application, you would configure global access within the ADF Security Wizard instead of in the web.xml file."

    I have gone through the entire document, but I couldn't find exact steps to implement "GLOBAL" access using ADF Security Wizard. I would definitely prefer to use ADF Security if I can achieve "GLOBAL" access through that. So can you please let me know the steps to setup e-business authentication and global access through ADF security wizard? This would be of tremendous help for my project.

    Regarding your other suggestion to change url constraints, I am trying that as we speak. I would update you with my results.

    Greatly appreciate all your inputs and recommendations.

    Thanks a ton,
    Murari
  • 9. Re: Issues in using Oracle ADF with JAAS for authentication
    929469 Newbie
    Hi Juan,

    I tried modifying the url constraint as "/faces/security/*". Redeployed my ear file but still no luck. I can access the adf page without any authentication. My url looks like this:
    http://127.0.0.1:7002/RevenueDBPOC/faces/RevenueDBPOC.jspx

    I am a little skeptical if the url constraint "/faces/security/*" would work with the above url. Any thoughts??

    Thanks much,
    Murari
  • 10. Re: Issues in using Oracle ADF with JAAS for authentication
    452071 Journeyer
    Murari,

    The /faces/security/* was just my sample; it is not mandatory to always be that way. That's why I asked you for the path (which you just provided) to the web page you are trying to access. In your case the constraint should be
    /faces/*

    You should be prompted for credentials right away.

    Juan C.
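
Added example (not part of the thread and not Oracle's code): a small check showing why `/RevenueDBPOC/*` never guarded the page while `/faces/*` does, since a `security-constraint` `url-pattern` is matched against the path after the context root. It assumes the context root is `/RevenueDBPOC` (inferred from the URL in reply 9); the web.xml snippets are constructed samples without the XML namespace, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the constraint from reply 6, and the same with reply 10's pattern.
WEB_XML_BEFORE = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>RevenueDBPOC</web-resource-name>
      <url-pattern>/RevenueDBPOC/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>GLOBAL</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
WEB_XML_AFTER = WEB_XML_BEFORE.replace("/RevenueDBPOC/*", "/faces/*")


def pattern_matches(pattern, path):
    """Servlet-style url-pattern match against a context-relative path."""
    if pattern.endswith("/*"):                    # path-prefix mapping
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):                  # extension mapping
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    if pattern == "/":                            # default mapping
        return True
    return path == pattern                        # exact match


def roles_required(web_xml, url, context_root):
    """Roles guarding `url`, or None when no security-constraint applies.

    Simplification: unions every matching constraint and ignores http-method;
    a container additionally prefers the most specific matching pattern.
    """
    path = urlsplit(url).path
    if not (path == context_root or path.startswith(context_root + "/")):
        raise ValueError("URL is outside the application's context root")
    relative = path[len(context_root):] or "/"    # what the container matches on
    roles, constrained = set(), False
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern")]
        if any(pattern_matches(p, relative) for p in patterns):
            constrained = True
            roles.update(r.text.strip()
                         for r in sc.findall("auth-constraint/role-name"))
    return roles if constrained else None


if __name__ == "__main__":
    page = "http://127.0.0.1:7002/RevenueDBPOC/faces/RevenueDBPOC.jspx"
    for label, xml in (("before", WEB_XML_BEFORE), ("after", WEB_XML_AFTER)):
        print(label, roles_required(xml, page, "/RevenueDBPOC"))
```

Running the same check over every page URL of a deployed application is a quick way to spot resources that no constraint covers.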
  • 11. Re: Issues in using Oracle ADF with JAAS for authentication
    929469 Newbie
    Hi Juan,

    Thanks for that tip. I now get the credentials page when I access the ADF page. But when I enter a valid E-Business Suite User Name/password, I get the following:

    Error 403--Forbidden
    From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
    10.4.4 403 Forbidden
    The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable

    Looks like I am still missing some setups in Weblogic server. For "GLOBAL" access, apart from Authentication : ExtAuthOnlyAuthenticator, do we also need to setup the following entities for my custom security realm?
    Authorization
    Adjudication
    Role Mapping
    Credential Mapping
    Certification Path

    The above steps have been given in the EBS-JAAS setup document for Authenticator: ExtAuthenticator

    Can you please throw some light on the above error in the last step of my setup?

    Note: I got the credentials page only once. Next time when I access the ADF page from a new browser window, I directly get the 403 forbidden error.

    Thanks so much,
    Murari
  • 12. Re: Issues in using Oracle ADF with JAAS for authentication
    452071 Journeyer
    Murari,

    I'll work on the blog entry today, hopefully I can get a video that illustrates the process as well. I'll keep you posted.

    And yes, you need to run the entire setup on the realm, not only just the ExtAuthenticator part.

    Juan C.
  • 13. Re: Issues in using Oracle ADF with JAAS for authentication
    929469 Newbie
    Hi Juan,

    Many thanks for getting the blog entry ready. Can you think of any reason for 403 forbidden error even though all the other setups in Weblogic? Do I need to setup Default Identity Asserter for my custom realm? Are there any typical scenarios when weblogic throws 403 error?

    Greatly appreciate your help.

    Thanks,
    Murari
  • 14. Re: Issues in using Oracle ADF with JAAS for authentication
    929469 Newbie
    Hi Juan,

    Any pointers on 403 Forbidden error? Appreciate your help.

    Thanks,
    Murari