2 Replies. Latest reply: Apr 29, 2013 8:41 AM by 1005881

Weblogic Custom Role Mapping provider and ADF security

1005881 Newbie
Hi,

I am trying a PoC where the mapping of users to application roles is not fixed but is derived at run time, e.g. based on a combination of the user's data and entitlements.

In my PoC, I created a sample ADF page protected by an application role called ServiceAssociate in jazn-data.xml, and I also added this role and the required mapping in web.xml.

jazn-data.xml

<jazn-policy>
  <grant>
    <grantee>
      <principals>
        <principal>
          <name>ServiceAssociate</name>
          <class>oracle.security.jps.service.policystore.ApplicationRole</class>
        </principal>
      </principals>
    </grantee>
    <permissions>
      <permission>
        <class>oracle.adf.share.security.authorization.RegionPermission</class>
        <name>com.redsamurai.view.pageDefs.mainPageDef</name>
        <actions>view</actions>
      </permission>
    </permissions>
  </grant>
</jazn-policy>

I added a Custom Role Mapping Provider which maps an authenticated user to this test role, and that's working fine.

SOP of Custom Role Mapping Provider
SimpleSampleRoleMapperProviderImpl.getRoles
     subject     = Subject:
     Principal: serviceuser
     Private Credential: serviceuser

     resource     = type=<url>, application=TablePaginationApp, contextPath=/TablePaginationApp-ViewController-context-root, uri=/adfAuthentication, httpMethod=GET
     roles     = {Anonymous=Anonymous, ServiceAssociate=ServiceAssociate, valid-users=valid-users}

but the ADF Security classes throw an error even though the application role seems to be present in the response from the WebLogic Security framework layer:

oracle.adf.controller.security.AuthorizationException: ADFC-0619: Authorization check failed: 'com.redsamurai.view.pageDefs.mainPageDef' 'VIEW'.
     at oracle.adf.controller.internal.security.AuthorizationEnforcer.handleFailure(AuthorizationEnforcer.java:182)
     at oracle.adf.controller.internal.security.AuthorizationEnforcer.internalCheckPermission(AuthorizationEnforcer.java:162)
     at oracle.adf.controller.internal.security.AuthorizationEnforcer.checkPermission(AuthorizationEnforcer.java:116)

I have spent more than a day on this but didn't find a hint. Any help on how to resolve this issue, or on how to debug the response in the ADF security layer/classes, would help me.

Thanks in advance.
  • 1. Re: Weblogic Custom Role Mapping provider and ADF security
    Frank Nimphius Employee ACE
    Hi,

    ADF has nothing to do with what you are trying and only relies on OPSS. The role mapping is a functionality of WLS, and dynamically changing the roles in WLS requires OPSS to pick this change up for ADF to be able to check permissions against it (note that ADF should only check permissions and not roles, to ensure you implement a level of abstraction between the application and the security provider). So what you need to do is

    1. verify that the dynamic roles are recognized by WLS at runtime
    2. Verify that OPSS acknowledges your dynamic roles

    If 1 and 2 work, then it would be okay to look into why ADF doesn't authorize users, which may have to do with when policies are read and how they are cached.

    Frank
    Ps.: Your use case is better handled by Oracle Entitlement Server (but I think this is the hint you got on the Oracle mailing list already)
  • 2. Re: Weblogic Custom Role Mapping provider and ADF security
    1005881 Newbie
    Hi Frank,

    Thanks for the clarification, but can you be more specific on how to check if OPSS acknowledges the application role I added at the WLS layer? The WLS service provider uses the Security Service Provider Interfaces (SSPI), which I followed to code my custom Role Mapping provider. The only relevant method in my custom role mapper is getRoles(), which returns a map with the role code as key and a custom SecurityRole impl as value. Whereas OPSS uses different APIs altogether (oracle.security.jsp.*). The only common thing connecting them is the application role code (String). My question is:

    Is there any filter/listener I can hook into OPSS to check if the OPSS layer receives the application roles added by the custom Role Mapping provider code?


    Thanks!
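The two checks Frank lists (does WLS see the dynamic role, does OPSS grant the permission) can be observed side by side from inside the application. The helper below is an added example, not code from this thread or from Oracle; it assumes the public ADF security API (ADFContext.getCurrent().getSecurityContext(), isUserInRole, hasPermission) and the RegionPermission(name, actions) constructor, with the role, page definition and action values taken from the original post.

```java
import java.security.Permission;
import oracle.adf.share.ADFContext;
import oracle.adf.share.security.SecurityContext;
import oracle.adf.share.security.authorization.RegionPermission;

/**
 * Diagnostic helper (hypothetical, added here): asks the container/WLS layer
 * whether the user holds the dynamically mapped role, and asks OPSS, through
 * the same permission ADF's AuthorizationEnforcer checks, whether the page is
 * viewable. Comparing the two answers shows at which layer the mapping is lost.
 */
public class RoleVsPermissionCheck {

    /** Outcome of both checks for one user and one page definition. */
    public static final class Outcome {
        public final boolean roleSeenByWls;
        public final boolean viewGrantedByOpss;
        Outcome(boolean role, boolean perm) { roleSeenByWls = role; viewGrantedByOpss = perm; }
    }

    /** Run both checks for the current ADF security context. */
    public static Outcome check(String roleName, String pageDefName) {
        SecurityContext sc = ADFContext.getCurrent().getSecurityContext();
        // Container/WLS view: is the role mapper's result visible as a role?
        boolean inRole = sc.isUserInRole(roleName);
        // OPSS view: the same RegionPermission ADF evaluates before rendering
        Permission viewPage = new RegionPermission(pageDefName, "view");
        boolean granted = sc.hasPermission(viewPage);
        return new Outcome(inRole, granted);
    }

    /** Turn the outcome into a one-line hint for the server log. */
    public static String diagnose(Outcome o) {
        if (o.roleSeenByWls && o.viewGrantedByOpss)
            return "OK: role mapped by WLS and permission granted by OPSS";
        if (o.roleSeenByWls)
            return "Role visible to WLS but OPSS denies view: the ApplicationRole "
                 + "principal in the policy store is not being associated with the "
                 + "dynamically mapped role (check policy loading/caching)";
        return "Role not visible even to WLS: the custom role mapper did not "
             + "return it for this subject/resource";
    }

    /** Example call for the values from the post; invoke from a managed bean or servlet. */
    public static String diagnoseServiceAssociate() {
        return diagnose(check("ServiceAssociate", "com.redsamurai.view.pageDefs.mainPageDef"));
    }
}
```

Run it from a page the user can already reach; if the role check passes but the permission check fails, the gap is between WLS role mapping and the OPSS policy store, which is exactly the step 2 Frank asks to verify.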
