2 Replies Latest reply: Apr 29, 2013 10:41 AM by 1005881

    Weblogic Custom Role Mapping provider and ADF security

    1005881
      Hi,

      I am trying a PoC where the mapping of users to application roles is not fixed but is to be derived at run time, e.g. based on a combination of the user's data and entitlements.

      In my PoC, I created a sample ADF page protected by an application role called ServiceAssociate in jazn-data.xml, and I also added this role and the required mapping in web.xml.

      jazn-data.xml

      <jazn-policy>
        <grant>
          <grantee>
            <principals>
              <principal>
                <name>ServiceAssociate</name>
                <class>oracle.security.jps.service.policystore.ApplicationRole</class>
              </principal>
            </principals>
          </grantee>
          <permissions>
            <permission>
              <class>oracle.adf.share.security.authorization.RegionPermission</class>
              <name>com.redsamurai.view.pageDefs.mainPageDef</name>
              <actions>view</actions>
            </permission>
          </permissions>
        </grant>
      </jazn-policy>

      I added a Custom Role Mapping Provider which maps an authenticated user to this test role, and that's working fine.

      SOP of Custom Role Mapping Provider
      SimpleSampleRoleMapperProviderImpl.getRoles
           subject     = Subject:
           Principal: serviceuser
           Private Credential: serviceuser

           resource     = type=<url>, application=TablePaginationApp, contextPath=/TablePaginationApp-ViewController-context-root, uri=/adfAuthentication, httpMethod=GET
           roles     = {Anonymous=Anonymous, ServiceAssociate=ServiceAssociate, valid-users=valid-users}

      but the ADF Security classes throw an error even though the application role seems to be present in the response from the WebLogic Security framework layer:

      oracle.adf.controller.security.AuthorizationException: ADFC-0619: Authorization check failed: 'com.redsamurai.view.pageDefs.mainPageDef' 'VIEW'.
           at oracle.adf.controller.internal.security.AuthorizationEnforcer.handleFailure(AuthorizationEnforcer.java:182)
           at oracle.adf.controller.internal.security.AuthorizationEnforcer.internalCheckPermission(AuthorizationEnforcer.java:162)
           at oracle.adf.controller.internal.security.AuthorizationEnforcer.checkPermission(AuthorizationEnforcer.java:116)

      I have spent more than a day on this but didn't find a hint. Any help on how to resolve this issue, or on how to debug the response in the ADF security layer/classes, would help me.

      Thanks in advance.
        • 1. Re: Weblogic Custom Role Mapping provider and ADF security
          Frank Nimphius-Oracle
          Hi,

          ADF has nothing to do with what you are trying and only relies on OPSS. The role mapping is a functionality of WLS, and dynamically changing the roles in WLS requires OPSS to pick this change up for ADF to be able to check permissions against it (note that ADF should only check permissions and not roles, to ensure you implement a level of abstraction between the application and the security provider). So what you need to do is

          1. verify that the dynamic roles are recognized by WLS at runtime
          2. Verify that OPSS acknowledges your dynamic roles

          If 1 and 2 work, then it would be okay to look into why ADF doesn't authorize users, which may have to do with when policies are read and how they are cached.

          Frank
          PS: Your use case is better handled by Oracle Entitlement Server (but I think this is the hint you got on the Oracle mailing list already).
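          One concrete way to carry out checks 1 and 2 from inside the application is a small diagnostic servlet that prints what each layer sees for the calling user. This is an added example, not code from the thread, from Oracle, or from the poster's PoC; it assumes the role name ServiceAssociate and the page definition com.redsamurai.view.pageDefs.mainPageDef from the original post, that the servlet is deployed in the same ADF web application behind the adfAuthentication filter (so the user is already logged in), and that the WebLogic and ADF libraries are on the classpath. It prints the principals on the WebLogic Subject (the WLS view), the container's isUserInRole result (which is what an SSPI role mapping provider feeds), and finally the ADF/OPSS view, including the same RegionPermission check that ADFC-0619 reports as failing. OPSS resolves a jazn-data.xml grant against the application-role principals carried on the Subject, so if no ApplicationRole-type principal shows up in the first list while isUserInRole still returns true, the dynamic mapping has reached WLS but not OPSS.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Permission;
import java.security.Principal;
import java.util.Arrays;

import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import oracle.adf.share.ADFContext;
import oracle.adf.share.security.SecurityContext;
import oracle.adf.share.security.authorization.RegionPermission;

import weblogic.security.Security;

/**
 * Diagnostic servlet (added example, not part of the original thread).
 * Map it in web.xml (e.g. /rolediag) inside the ADF application and make sure the
 * adfAuthentication filter runs before it so the request carries a logged-in user.
 */
public class RoleDiagnosticServlet extends HttpServlet {

    // Assumed values, taken from the thread; change them for another application.
    private static final String APP_ROLE = "ServiceAssociate";
    private static final String PAGE_DEF = "com.redsamurai.view.pageDefs.mainPageDef";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // Check 1a, WLS layer: every principal on the current Subject, with its class.
        // WLS users and groups and OPSS application roles are different principal
        // types; the class name tells you which layer put the principal there.
        Subject subject = Security.getCurrentSubject();
        out.println("WLS Subject principals:");
        for (Principal p : subject.getPrincipals()) {
            out.println("  " + p.getClass().getName() + " = " + p.getName());
        }

        // Check 1b, container layer: the result of WLS security role mapping, i.e.
        // what the custom SSPI role mapping provider's getRoles() feeds.
        out.println("request.isUserInRole(" + APP_ROLE + ") = "
                + req.isUserInRole(APP_ROLE));

        // Check 2, OPSS/ADF layer: roles and permissions as ADF's SecurityContext
        // reports them. hasPermission() is the same kind of check that the ADF
        // controller runs before rendering the page (ADFC-0619 on failure).
        SecurityContext sec = ADFContext.getCurrent().getSecurityContext();
        out.println("ADF user = " + sec.getUserName());
        out.println("ADF getUserRoles = " + Arrays.toString(sec.getUserRoles()));
        out.println("ADF isUserInRole(" + APP_ROLE + ") = " + sec.isUserInRole(APP_ROLE));

        Permission perm = new RegionPermission(PAGE_DEF, "view");
        out.println("ADF hasPermission(" + PAGE_DEF + ", view) = " + sec.hasPermission(perm));
    }
}
```

          Read the three sections together: if the Subject shows only the user and group principals, isUserInRole is true, but getUserRoles lacks ServiceAssociate and hasPermission is false, the role exists for the container but OPSS never derived the application role from it, which is exactly the gap step 2 is meant to expose before looking at ADF's policy caching.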
          • 2. Re: Weblogic Custom Role Mapping provider and ADF security
            1005881
            Hi Frank,

             Thanks for the clarification, but can you be more specific on how to check if OPSS acknowledges the application role I added at the WLS layer? The WLS service provider uses the Security Service Provider Interfaces (SSPI), which I followed to code my custom Role Mapping provider. The only relevant method in my custom role mapper is getRoles(), which returns a map with the role code as key and a custom SecurityRole impl as value, whereas OPSS uses different APIs altogether (oracle.security.jps.*). The only common thing connecting them is the application role code (String). My question is -

             Is there any filter/listener I can hook into OPSS to check if the OPSS layer receives the application roles added by the custom Application Role code?


            Thanks!