8 Replies. Latest reply: Apr 28, 2012 5:00 AM by Jan Vervecken

    ADF Security - Database user for authentication

    915091
      Hi there,

      I'm working with JDeveloper 11.1.1.5.0 and at the moment the integrated weblogic.

      I want to use the database users for authentication. I've heard that I can achieve this via custom LoginModules, but I'm not quite sure how to do this. And what about the AuthenticationProvider? Do I have to create one, or could I use an existing one like the SQLAuthenticator?

      Thanks in advance.
        • 1. Re: ADF Security - Database user for authentication
          Frank Nimphius-Oracle
          Hi,

          No need to re-invent the wheel. You can use the SQL authentication provider:

          http://biemond.blogspot.com/2008/12/using-database-tables-as-authentication.html

          see more documentation here:

          http://docs.oracle.com/cd/E21764_01/web.1111/e13707/atn.htm#i1205082

          Frank
          • 2. Re: ADF Security - Database user for authentication
            915091
            So far I assume that the Custom DBMS Authenticator is more what I'm looking for. The SQL Authenticator needs a set of database tables to be created, is that right?
            I just want to use the existing users without the need to create tables for users, passwords, groups and so on.

            Does someone know in which library or jar I could find the weblogic.security.providers.authentication.CustomDBMSAuthenticatorPlugin interface?

            Edited by: Alex on 27.02.2012 14:47
            • 3. Re: ADF Security - Database user for authentication
              Dimitar Dimitrov
              Does someone know in which library or jar i could find the weblogic.security.providers.authentication.CustomDBMSAuthenticatorPlugin interface?
              You can find it in <WLS_HOME/JDEV_HOME>\wlserver_10.3\server\lib\wls-api.jar

              Dimitar
              • 4. Re: ADF Security - Database user for authentication
                915091
                Now I've tried it the way Edwin Biemond has shown it. Instead of the SQLAuthenticator I've used the ReadOnlySQLAuthenticator, because I just want to get the data from the database.
                I've changed the queries to query the dba_users view.
                So do I now have to add the users in WebLogic like Edwin did, because I can't see my provider (since it's read-only?), or can I just secure the application and try to log in?

                Thanks in advance,
                Alex
                • 5. Re: ADF Security - Database user for authentication
                  Dimitar Dimitrov
                  There is no standard WLS authenticator that can authenticate against native Oracle DB accounts. If you need such authentication, you will have to implement a custom WLS authentication provider.

                  SQLAuthenticator/ReadOnlySQLAuthenticator cannot be used for authentication against native Oracle DB accounts. The reason is that these authentication providers must be configured with a SELECT statement that retrieves the user's password (using the username as the only parameter). This statement is used by the authenticator when it has to retrieve the user's password and compare it with the credentials supplied by the user in the login form. Neither DBA_USERS nor any other Oracle database view provides access to the passwords of the native DB user accounts, so you are not able to provide such a SELECT statement in the authenticator's configuration.

                  Dimitar
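The mechanism Dimitar describes, as an added example that is not part of the original thread: a small Python simulation, on an in-memory SQLite database with constructed users, of how an SQL-style authenticator resolves its configured password SELECT by username and verifies the supplied credential. The `SqlStyleAuthenticator` class, the `pbkdf2$salt$digest` storage format and the table names are assumptions for illustration, not WebLogic's implementation; the final check shows that a DBA_USERS-like view with no password column cannot satisfy such a query at all, which is exactly why no SQL-style provider can be configured against it.

```python
import hashlib
import hmac
import os
import sqlite3

# All tables, users and passwords below are constructed for this example.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest (hashing scheme assumed for illustration)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def encode_credential(password: str) -> str:
    """Pack salt and digest into ONE column, since the provider's password query
    returns a single value for the given username."""
    salt = os.urandom(16)
    return "pbkdf2$" + salt.hex() + "$" + hash_password(password, salt).hex()


def verify_credential(stored: str, password: str) -> bool:
    """Constant-time comparison of a supplied password against a stored credential."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False                      # malformed stored value: never authenticate
    if scheme != "pbkdf2":
        return False
    salt = bytes.fromhex(salt_hex)
    return hmac.compare_digest(bytes.fromhex(digest_hex), hash_password(password, salt))


def build_sample_db() -> sqlite3.Connection:
    """Constructed schema: a credential table an SQL-style authenticator can read,
    plus a DBA_USERS-like table that carries account metadata but no password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.execute("CREATE TABLE app_groups (username TEXT NOT NULL, groupname TEXT NOT NULL)")
    conn.execute("CREATE TABLE dba_users_like (username TEXT PRIMARY KEY, account_status TEXT, created TEXT)")
    sample = [("alice", "correct horse", ["admins", "users"]), ("bob", "battery staple", ["users"])]
    for user, pw, groups in sample:
        conn.execute("INSERT INTO app_users VALUES (?, ?)", (user, encode_credential(pw)))
        conn.executemany("INSERT INTO app_groups VALUES (?, ?)", [(user, g) for g in groups])
        conn.execute("INSERT INTO dba_users_like VALUES (?, ?, ?)", (user.upper(), "OPEN", "2012-02-27"))
    conn.commit()
    return conn


class SqlStyleAuthenticator:
    """Hypothetical stand-in for the contract the thread describes: the provider is
    configured with a password-lookup SELECT and a group-lookup SELECT, each taking
    the username as its only bind parameter. Not WebLogic's own code."""

    def __init__(self, conn: sqlite3.Connection, password_query: str, group_query: str):
        self.conn = conn
        self.password_query = password_query
        self.group_query = group_query

    def authenticate(self, username: str, password: str) -> bool:
        row = self.conn.execute(self.password_query, (username,)).fetchone()
        if row is None:
            return False                  # unknown user gets the same answer as a wrong password
        return verify_credential(row[0], password)

    def groups(self, username: str) -> list:
        return sorted(r[0] for r in self.conn.execute(self.group_query, (username,)))


def can_serve_password_query(conn: sqlite3.Connection, password_query: str) -> bool:
    """True if the configured password SELECT is executable against the schema at all.
    Against a view with no password column it fails at prepare time, so there is no
    statement an SQL-style provider could be configured with."""
    try:
        conn.execute(password_query, ("probe",)).fetchall()
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    db = build_sample_db()
    auth = SqlStyleAuthenticator(
        db,
        "SELECT password FROM app_users WHERE username = ?",
        "SELECT groupname FROM app_groups WHERE username = ?",
    )
    print("alice ok:", auth.authenticate("alice", "correct horse"), auth.groups("alice"))
    print("dba_users-like view usable:",
          can_serve_password_query(db, "SELECT password FROM dba_users_like WHERE username = ?"))
```

The two SELECTs passed to the constructor play the role of the provider's configured password and group queries; swapping the first for a query against the metadata-only table is the configuration the thread warns cannot work.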
                  • 6. Re: ADF Security - Database user for authentication
                    915091
                    Dimitar Dimitrov wrote:
                    There is no standard WLS authenticator that can authenticate against native Oracle DB accounts. If you need such authentication, you will have to implement a custom WLS authentication provider.

                    SQLAuthenticator/ReadOnlySQLAuthenticator cannot be used for authentication against native Oracle DB accounts. The reason is that these authentication providers must be configured with a SELECT statement that retrieves the user's password (using the username as the only parameter). This statement is used by the authenticator when it has to retrieve the user's password and compare it with the credentials supplied by the user in the login form. Neither DBA_USERS nor any other Oracle database view provides access to the passwords of the native DB user accounts, so you are not able to provide such a SELECT statement in the authenticator's configuration.

                    Dimitar
                    Thanks for your reply. Do you have by any chance an example of how to implement such a custom Authentication Provider?

                    Edited by: Alex on 29.02.2012 09:14

                    Or would it be sufficient to use the CustomDBMSAuthenticator and create the CustomDBMSAuthenticatorPlugin for my needs?
                    • 7. Re: ADF Security - Database user for authentication
                      Dimitar Dimitrov
                      Do you have by any chance an example of how to implement such a custom Authentication Provider?
                      Unfortunately, I do not have any experience in creation of custom authentication providers and I do not have any examples.

                      In my opinion, custom authentication providers should be implemented only if there is no other feasible option for authentication. My advice to you is to reconsider your requirement (for authentication against native Oracle DB accounts) and to apply some other authentication scheme (which is supported by some of the existing WebLogic authentication providers). For example, why don't you store the user identities and groups/roles in database tables or in an LDAP server and then utilize the SQLAuthenticator/ReadOnlySQLAuthenticator or some of the existing WLS LDAP authentication providers respectively?

                      If for some important reason you must implement a custom WLS authentication provider, then this document may help you:
                      http://docs.oracle.com/cd/E23943_01/web.1111/e13718/atn.htm#i1154044
                      (and the section How to Develop a Custom Authentication Provider in particular, where you can find some simple examples).

                      Dimitar
                      • 8. Re: ADF Security - Database user for authentication
                        Jan Vervecken
                        FYI
                        Dimitar Dimitrov wrote:
                        ... and then to utilize the SQLAuthenticator ...
                        Be wary when using ADF Security (OPSS) with a SQLAuthenticator.

                        This is feedback I got in SR 3-4124753004:

                        "If you want to use DB as the identity store, then the supported way is to buy an OVD server license and configure a DB adapter in OVD and then configure an OVD authenticator in WebLogic. SQLAuthenticator will not be used as identity store. And, we do not recommend using LibOVD for a DB identity store. OVD server is the recommended and supported way."

                        Related bugs are:
                        - bug 13876651, "FMW CONTROL SHOULD NOT ALLOW MANAGING USERS GROUPS FROM SQL AUTHENTICATOR"
                        - enhancement request 12864498, "OPSS : ADDMEMBERSTOAPPLICATIONROLE : THE SEARCH FOR ROLE FAILED"

                        Related forum threads are:
                        - "ADF Security : identity store : tables in a SQL database"
                        - "OPSS : addMembersToApplicationRole : The search for role failed"

                        Regards,
                        Jan Vervecken