the best option is to
- not use pages in the unbounded task flow
- have a single home page
- expose all other content in bounded task flow in a region
- use ADF Security to authorize task flows based on Application roles (map application roles to the group name returned from the database)
- you can now use EL to check if task flow is viewable
Thanks a lot for your response.
I'm watching your video now, but do you have the sample project?
For now, I'm developing a template with page navigation from a menu item. Is it possible to use a menu bar and then display the page in the region?
And from your sample, if you want to assign an existing page to an existing role (add new page access - productReport - to userJUW), you have to add it from JDeveloper and then re-deploy it, right?
Hi Frank and all other Oracle ADF enthusiasts,
Continuing yesterday's discussion: what if I create a custom login form and then authenticate the user and password from the login page, like in this andrejusb tutorial (Andrejus Baranovskis's Blog: Things You Must Know About ADF Faces Login Page)? After successfully authenticating, I will check in the DB which pages the user can access, and then I store the page IDs in the session.
I will add a custom servlet filter to check if the requested page matches the list of pages that the user can access from the session.
If the page matches, then I will forward to the requested page. If not, I will invalidate the session and redirect to the login page.
Are there any side effects or weaknesses with this kind of solution?
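The filter described in the post above could look like the following sketch. It is an added example, not code from the thread or from ADF; the class name, the `allowedPages` session attribute and the `/faces/login.jspx` path are assumptions.

```java
// Added example (not from the thread). Attribute name and paths are assumptions.
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

public class PageAccessFilter implements Filter {
    // Session attribute with the Set<String> of page paths read from the DB at login (assumed name).
    static final String ALLOWED_PAGES = "allowedPages";
    static final String LOGIN_PAGE = "/faces/login.jspx"; // assumed login page path
    // Reachable without a session: the login page only (assumed).
    static final Set<String> PUBLIC = new HashSet<String>(Arrays.asList(LOGIN_PAGE));

    // Deny by default: a path passes only on an exact match with a public or granted page.
    static boolean isAllowed(String path, Set<String> granted) {
        if (path == null) return false;
        if (PUBLIC.contains(path)) return true;
        return granted != null && granted.contains(path);
    }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        // Container-decoded path without the context path. The match is exact,
        // so any variant spelling of a page path fails closed instead of slipping through.
        String info = req.getPathInfo();
        String path = req.getServletPath() + (info == null ? "" : info);

        HttpSession session = req.getSession(false); // never create a session here
        @SuppressWarnings("unchecked")
        Set<String> granted = session == null ? null
                : (Set<String>) session.getAttribute(ALLOWED_PAGES);
        if (isAllowed(path, granted)) {
            chain.doFilter(rq, rs);
            return;
        }
        // Behaviour described in the post: drop the session and send the user to the login page.
        if (session != null) session.invalidate();
        res.sendRedirect(req.getContextPath() + LOGIN_PAGE);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

A filter like this sees only the requested page URL, so content exposed as bounded task flows in a region of a single home page, as recommended at the top of the thread, is outside what it can check. Because the granted set is read once at login, a change in the database only applies after the user logs in again.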
I am sorry to interrupt. I am curious about why, if you are using ADF Security, map your enterprise roles salesInput, salesReport to application roles and then you assign permissions to the pages, so in case the user is not authorized then you get the screen saying that it is unauthorized? (then you will need to implement the redirection to your login page)
My answer is because I can't find a way to configure the user and application roles without re-deploying my application.
userJUW has the role sales and has access to the salesInput page. But when I want to grant the sales role access to the purchasingReport page, I have to do it from jazn-data.xml and then redeploy my application. Is that correct?
If I can configure it in the DB and apply a servlet filter, after updating the role and page, I just re-login from my application and the user already gets access to the new page.
Yes, I understand. But I think you should think about applying roles dynamically to the user rather than to authorisations of pages. I mean, it is easier for you if your purchasingReport page has a predefined granted role, and then, to your user, you assign dynamically the role that will allow it to see the purchasingReport page.
Is this an option for you?
Yes, you can do it using OPSS API.
I worked before but I had an LDAP based authenticator in WebLogic. I am not sure if OPSS requires you to have an LDAP authenticator though. But if everything is OK you can get users and assign roles programmatically and persist them in your provider.
Another option, but less attractive and dependent on your analysis and solution architecture, could be, as you said at the beginning, having the roles in the DB, querying the roles once the user logs in, and assigning them programmatically depending on the information in the DB.
So you need to do some homework this weekend hehe have fun.
I've seen your post at this thread https://forums.oracle.com/thread/2498913
My question is, can we just assign the logged in user the application role?
Instead we have to map the enterprise role to the application role.
The question is what you mean by dynamic role association. What is the application use case that requires impromptu role assignments to a user? Usually users and roles are provisioned, either by an administrator or through self-provisioning. Once a user is authenticated, all his/her enterprise roles are added to the authenticated user subject. The application security requirements don't change and are expressed in application roles and permissions, which then associate with enterprise roles (which also don't change in the course of running an application). So what you probably are looking for is a way to get users and enterprise roles from the database, which you can do using the WLS SQL authenticator (see Configuring Authentication Providers).
What you need to know about the RDBMS authentication provider is that the enterprise role names must match the application role names because OPSS won't map them (so they must be identical in the naming). This allows you to create users in the database and also dynamically provision enterprise roles (they are stored in a database table). Once the user is authenticated, all changes to the role provisioning will not take effect until the user logs off and on again.