Forum Stats

  • 3,876,226 Users
  • 2,267,082 Discussions
  • 7,912,474 Comments

Discussions

ADF integration with AD

managed BEAN
managed BEAN Member Posts: 948 Silver Badge
edited Feb 29, 2016 11:25AM in JDeveloper and ADF

Hello experts

Very respectfully i come to you wishing some expertise clarifications.

I am researching about users login in ADF application (Jdev 12.1.3, but will update to 12.2.1) with AD credentials.

Standard way to make LDAP calls in ADF

http://java2go.blogspot.pt/2012/05/oracle-adf-with-sso-definitive-guide.html

I´m new at ADF and don´t have a minimal ideia about security logins.

What i need is to know if it´s possible to authenticate in ADF applications with AD username and password.

For what i saw, the answer is yes. But they start mentioning OIM, OID, ADFS, OVD, LDAP, etc..., and this got me confused like: OIM, OID and ADF - Confused!!!

So this got me to the very begining: The only way to achieve the ADF logins with ADUsers is with the above mentioned technologys?

My requirement is to get users login in the ADF application with the same credentials as stored in AD, but without the need to copy them to weblogic (with some provider), nor with the use of any aditional cost expensive tecnhology. Is it possible? How? Any tutorials well detailed would be nice to me.

I also need to be able to manage/create the groups/roles for each user for ADF application wich differ of AD roles/groups.

Hope to made my self clear.

Thanks everyone.

Regards,

Carlos

Tagged:

Answers

  • Shay Shmeltzer-Oracle
    Shay Shmeltzer-Oracle Director of Product Management for Oracle's Cloud Development Tools Posts: 16,880 Employee
    edited Feb 26, 2016 12:05PM

    ADF delegate the authentication to the middleware it is running on.

    So you should actually read about WebLogic/FMW integration with AD - for example:

    https://docs.oracle.com/cd/E21764_01/doc.1111/e16454/ad_integ.htm#OOSAG151

  • SanjeevChauhan
    SanjeevChauhan Member Posts: 1,554 Gold Trophy
    edited Feb 26, 2016 12:15PM

    My assumption is

    you don't want to use ADF security and weblogic configuration of ldap.

    1. Get username/password from login form in your bean. Technology Blog: ADF: Programatic user authentication instead of j_security_check (Password retrieval )

    2. Validate username/password using javax.naming apis. http://stackoverflow.com/questions/2172831/how-do-a-ldap-search-authenticate-against-this-ldap-in-java

        [you can use OPSS also I think to validate username/password but I am not very sure if you can use opss without any configuration in weblogic]

    If you don't find api to validate username/password in javax.naming package, I would say try making connection to ldap using loggedin user/password and if its successful, it means username/password is correct otherwise may be wrong. You can view exact exception message and then conclude.

    Before doing this you must need to ask yourself.

    1. How are you going to make sure that if any page user tries to access, he should be redirected to login page if user is not authenticated and page is secured? May be a phase listener can help here?

    2. I would still say if possible use ADF provided security features. You will get all this out-of-the-box. Only thing you need to configure weblogic provider.

    Thanks

    Sanjeev.

  • managed BEAN
    managed BEAN Member Posts: 948 Silver Badge
    edited Feb 26, 2016 12:25PM

    Hello @Shay Shmeltzer-Oracle

    Thanks for the response, but like that link, that´s were my doubts start:

    1 - In order to integrate with AD it´s MANDATORY to have OID? What are the costs of that, and for whom (developer or client)?

    2 - And when there is a new user added in AD allowed to access 'ADF'? How to automatically allow that?

    3 - The groups of AD may differ from the groups in 'ADF', so there will have to be an administrator with an interface to manage(dinamically) the roles for the users allow by AD to login in 'ADF'.

    Best Regards,

    Carlos

  • managed BEAN
    managed BEAN Member Posts: 948 Silver Badge
    edited Feb 26, 2016 12:45PM

    Hi @879338

    You understood me well.

    The problem for adf security is that the JAZN file is not dinamic, so after deployment if client wants to manage users and roles he can´t do that, so i need to have an outside repository (AD, could be DataBase) where he creates users and assignes roles to the users and the 'ADF' let´s the new users to login.

    The problem of provider in weblogic is that the weblogic administrator (is not supposed to enter in the application) is able to 'see' the application users, and the requirement refers that as a security breach.

    1. If user is not authenticated he must not login in application, therefore he never enters the secured page, rigth?
    2. I also would prefer that, but as explained above, it limitates the client after deployment of application on his environment.

    Thanks for the links, will have a look.

    Best Regards,

    Carlos

  • Shay Shmeltzer-Oracle
    Shay Shmeltzer-Oracle Director of Product Management for Oracle's Cloud Development Tools Posts: 16,880 Employee
    edited Feb 26, 2016 12:50PM

    You might want to watch this video to make sure you understand the ADF security correctly:

    ADF Application Security

  • SanjeevChauhan
    SanjeevChauhan Member Posts: 1,554 Gold Trophy
    edited Feb 26, 2016 12:59PM

    First thing ADF does not have any user/role.

    If you are thinking of user/role you create while configuring ADF security, they are test users/role and they also get created in embedded ldap of weblogic while you deploy your application. This embedded ldap is preconfigured in weblogic security realm.

    For users/role, ADF rely on weblogic configuration of provider.

    Now answer to your question

    1. You don't need OID if you have AD. They both do same thing. They both manage user/password and groups. If client has AD, we generally directly configure AD as provider in weblogic security realm. In your case you don't want to do weblogic configuration so I will ask you to pragmatically validate username/password using javax.naming.

    2. Your javax.naming directly calls AD so if a new user is there javax.naming will directly refer and validate it from there.

    3. There is no group in ADF. ADF refer to weblogic security realm configuration for groups. If you are referring to ADF enterprise role then yes there name must match with AD group name. But that is only if you decide to go with ADF security and it will require you to configure weblogic.

    Here is how ADF-security works in general

    You enable security for your ADF application. As part of this a jazn file gets created.

    In this file you mention which resource (page/task-flow) is secured. You also sepcify which application-role can view that resource.

    You create enterprise roles in jazn file and map them in application role.

    Effectively you are saying Enterprize role (manager) has access to Application role (APP_Payroll_Manager, APP_learning_Manager etc). App_Payroll_Manager application role has access to payroll related pages.

    Forget about creating test users in jazn. They simply gets created in embedded ldap of weblogic which is already configured so that a developer can directly start using those users.

    Till now you do not have actual users and their groups anywhere mentioned.

    Now you go to weblogic and configure your security realm. Here you can attach AD or OID or and LDAP which stores user/role information. NOTE: You can directly configure AD in weblogic without any need of OID.

    weblogic will always refer to these configured AD or OID for latest user/group information. Your group name of AD must match with enterprise-role name mentioned in jazn file.


    Ideally there is only one set of users/groups and that is mentioned in AD. Everybody is looking there for source of truth. No need of any syncing.


    Above mentioned scenario is if you decide to use ADF security and I would encourage you to do so.


    Now if you don't use ADF security then also you should look for AD for source of truth but you need to rely on your implementation.

    As I said

    you need to decide which all pages are secured and have that information somewhere in a file (may be a property file)

    In ADF phase listener you need to check which page user is accessing. If its secured then you need to redirect him to login page.

    Have a bean for login page and get username/password as shown in above blogs. Once you have username/password use pure javax.naming apis to connect with AD directly. You need to read AD configuration from a property file and then use javax.naming apis. If you successfully gets connected it means username and password is correct.

    Hope this help

    /* Dont hesitate to mark correct/helpful if you find so */

    Thanks

    Sanjeev.

  • managed BEAN
    managed BEAN Member Posts: 948 Silver Badge
    edited Feb 26, 2016 1:05PM

    Hi @Shay Shmeltzer-Oracle

    I already had watched that video and downloaded the demo.

    It´s what i need, but the problem is that users and roles are defined in JAZN (wich i think it cannot be edit after deployment, or dinamically speaking, by the client), and therefore it doesn´t suits the requirements, because everytime the client wants to add a user (wich he already add in AD) and give it a role he can´t, rigth?

    If it´s possible to adapt the demo to AD or DB users/roles in order to manage authentication and authorization that´s what i need.

    How do i do that @Shay Shmeltzer-Oracle ?

    Thanks

    Best Regards,

    Carlos

  • SanjeevChauhan
    SanjeevChauhan Member Posts: 1,554 Gold Trophy
    edited Feb 26, 2016 1:13PM

    Just saw few of your concerns and here is my take.

    1. You said admin can't do much post deployment.

    Sanjeev: This is not correct. If you have enterpise manager. You can change almost everything that you mentioned in jazn. You can define new policy for resources. Like which application role is going to secure which resource. You can change mapping of enterprise-role and application role. As I said users/groups are always in AD (source of truth) so you should change them there only. They are not even mentioned in jazn if you leave test users aside.

    2. Weblogic admin should not be able to see application user

    Sanjeev: Yes he can see them but he can't change anything. He cant create/edit/delete details of these users. For that someone needs to got to AD. I do not see it a security threat. Yes you may want to make sure that AD authentication is set as required in provider configuration otherwise weblogic admin can create user in embedded ldap and provide them sufficient role. (But yes he can anytime change that required setting as well. So yes with embedded ldap in place, weblogic admin is security threat for application. My question to weblogic security experts would be "Is there a way to make sure that weblogic admin is not able to use embedded ldap? Sorry I don't know about it.)

    /* Dont hesitate to mark correct/helpful if you find so */

  • managed BEAN
    managed BEAN Member Posts: 948 Silver Badge
    edited Feb 29, 2016 10:30AM

    Hello @879338-Sanjeev

    1. I don´t know much of this, but i thought it was not possible to edit JAZN after deployment. Yes, i have EM. So you´re saying that i can use it to create new roles (and define wich pages they access, or not) and add users from AD to that new roles?


    2. Now Weblogic Admin can enter the Application but we want only users allowed from AD to authenticate in Application. And AD must only allow Weblogic Admin to authenticate in weblogic. If that is not possible, it´s not possible... . But if it is possible how do i do it?


    Regards

    Carlos

  • SanjeevChauhan
    SanjeevChauhan Member Posts: 1,554 Gold Trophy
    edited Feb 29, 2016 11:25AM

    1. Using EM weblogic admin can do stuff but not end user. He can only change information of jazn.

        In jazn we don't have user information (leave test users aside), we don't have user and group mapping. So these information can not be changed using EM.

        What we can change is --> Application role to resource mapping. Enterprise role to Application role mapping.

        Ideally saying which resource (page) can be accessed by which application role/enterprise role that is called policy and that policy can be defined at runtime using EM console by weblogic admin.

       User and their group mapping resides in AD and we should change them in AD only. EM console can not do it.

       I have seen usecases where end user want ability to create new user and assign then a group through ADF UI so that they can manage whole user management using ADF screen. We achieved it using OPSS apis. In a nutshell you need to configure your weblogic security policy for active directly. Then you need to write OPSS apis to search-user/create-new-user/assign-user-to-a-group. Then you need to create ADF pages which will use these OPSS apis.

    2. This is my guess: While configuring AD provider in weblogic if you make that as required, I believe weblogic admin will not be able to login to application. But you need to check if he is still able to login to weblogic console.

    Thanks

    Sanjeev

    managed BEAN
This discussion has been closed.