5 Replies Latest reply: Jul 3, 2012 1:12 AM by 943549

Enabling Security

Enno Newbie
I created a standard Fusion Web Application with Basic Authentication to serve as Application Login Server. When I use a browser to open the URL I get the prompt for username and password and can access the page.
Now I enabled the security of my mobile app in the adfmf-application.xml and enabled the security for my feature in the adfmf-feature.xml. When I open the application, I get the prompt for username and password. But every time I try to log in, I get an "Invalid username/password" error message.

Here is my connections.xml
<?xml version = '1.0' encoding = 'UTF-8'?>
<References xmlns="http://xmlns.oracle.com/adf/jndi">
  <Reference name="SteakMobileWS" className="oracle.adf.model.connection.url.HttpURLConnection" credentialStoreKey="SteakMobileWS" xmlns="">
    <Factory className="oracle.adf.model.connection.url.URLConnectionFactory"/>
    <RefAddresses>
      <XmlRefAddr addrType="SteakMobileWS">
        <Contents>
          <urlconnection name="SteakMobileWS" url="http://10.1.201.241:7003/steakREST/jersey">
            <authentication style="challange">
              <type>basic</type>
              <realm>myrealm</realm>
            </authentication>
          </urlconnection>
        </Contents>
      </XmlRefAddr>
      <SecureRefAddr addrType="username"/>
      <SecureRefAddr addrType="password"/>
    </RefAddresses>
  </Reference>
  <Reference name="Mobile Webservices Server" className="oracle.adf.model.connection.adfmf.LoginConnection" adfCredentialStoreKey="Mobile Webservices Server" partial="false" manageInOracleEnterpriseManager="true" deployable="true" xmlns="">
    <Factory className="oracle.adf.model.connection.adfmf.LoginConnectionFactory"/>
    <RefAddresses>
      <XmlRefAddr addrType="adfmfLogin">
        <Contents>
          <login url="http://10.1.201.241:7003/SteakMobileLogin/faces/login.jsf"/>
          <logout url="http://10.1.201.241:7003/SteakMobileLogin/faces/logout.jsf"/>
          <accessControl url=""/>
          <idleTimeout value="300"/>
          <sessionTimeout value="28800"/>
          <cookieNames>
            <cookie name="JSessionID"/>
          </cookieNames>
          <userObjectFilter/>
        </Contents>
      </XmlRefAddr>
    </RefAddresses>
  </Reference>
  <Reference name="SteakMobileLogin" className="oracle.adf.model.connection.adfmf.LoginConnection" adfCredentialStoreKey="SteakMobileLogin" partial="false" manageInOracleEnterpriseManager="true" deployable="true" xmlns="">
    <Factory className="oracle.adf.model.connection.adfmf.LoginConnectionFactory"/>
    <RefAddresses>
      <XmlRefAddr addrType="adfmfLogin">
        <Contents>
          <login url="http://10.1.201.241:7003/SteakMobileLogin/faces/login.jsf"/>
          <logout url="http://10.1.201.241:7003/SteakMobileLogin/faces/logout.jsf"/>
          <accessControl url=""/>
          <idleTimeout value="300"/>
          <sessionTimeout value="28800"/>
          <cookieNames/>
          <userObjectFilter/>
        </Contents>
      </XmlRefAddr>
    </RefAddresses>
  </Reference>
</References>

And this is my adfmf-application.xml
<?xml version="1.0" encoding="UTF-8" ?>
<adfmf:application xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:adfmf="http://xmlns.oracle.com/adf/mf"
                   name="Steak" id="com.opitz.SteakMobile" appControllerFolder="ApplicationController" version="0.1">
  <adfmf:featureReference id="com.opitz.steak.mobile.orderOverview" loginConnRefId="Mobile Webservices Server"
                          showOnSpringboard="true" showOnNavigationBar="true" allowDeviceAccess="true"/>
  <adfmf:featureReference id="com.opitz.steak.mobile.order"/>
  <adfmf:navigation>
    <adfmf:springboard enabled="true" showSpringboardAtStartup="false"/>
    <adfmf:navigationBar enabled="false"/>
  </adfmf:navigation>
  <adfmf:login defaultConnRefId="SteakMobileLogin"/>
</adfmf:application>
  • 1. Re: Enabling Security
    Enno Newbie
    Additionally the debugger isn't able to connect after enabling the security feature.
  • 2. Re: Enabling Security
    Joe Huang Journeyer
    Hi, Enno, sorry about the delay in response. Just to double check - when you try to access this site on your desktop browser, you are getting the default browser Basic HTTP Auth dialog box, correct? You are not using a login page, correct?

    Assuming that's the case, have you upgraded your extension to the Update 1 build that became available about 2 weeks ago? There are some security related fixes in the update that might help.

    Also, some other things to double check:

    - Try cookie name JSESSIONID - I typically use the all upper case version of the name. You may want to double check the cookie name that gets returned from the REST service, to make sure the name is correct. It is most likely JSESSIONID.
    - There are two entries for the login server - that should not matter but you may want to clean one up.
    - The security realm: is it myrealm or is it jazn.com? It is specified in the URL DC - probably does not matter but good to double check.

    Please let me know if any of that made a difference.

    Thanks,

    Joe Huang
  • 3. Re: Enabling Security
    Enno Newbie
    Thx Joe, it was not working because of the cookie name. It has to be upper case to work for me. The realm was not changing anything.

    Unfortunately the only reference in the developers guide, related to this problem, is 16.4.2 and there it is only figure 16-6 which gives a hint. In the figure the cookie is named JSessionID.

    Thanks,
    Enno
  • 4. Re: Enabling Security
    Joe Huang Journeyer
    Hi, Enno, another item that we perhaps mis-documented is the importance of having "credentialStoreKey" setting match "adfCredentialStoreKey" setting in the URL Connection and in the Login Server settings. They should be the same, or it may also cause security issues.

    Thanks,

    Joe Huang
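
The three settings raised in this thread (cookie-name case, `credentialStoreKey` versus `adfCredentialStoreKey`, and the duplicate login server entry) can be checked mechanically. This is an added example, not code from the posters or from Oracle; `lint_connections` and `server_cookies` are hypothetical names, the sample is a trimmed and flattened copy of the posted connections.xml, and the server's cookie name is assumed to be JSESSIONID as suggested in reply 2.

```python
import xml.etree.ElementTree as ET

LOGIN_CLASS = "oracle.adf.model.connection.adfmf.LoginConnection"
LOGIN_URL = "http://10.1.201.241:7003/SteakMobileLogin/faces/login.jsf"
# Constructed sample: the connections.xml from the first post, trimmed.
SAMPLE = f"""<References xmlns="http://xmlns.oracle.com/adf/jndi">
<Reference name="SteakMobileWS" credentialStoreKey="SteakMobileWS" xmlns=""
  className="oracle.adf.model.connection.url.HttpURLConnection"/>
<Reference name="Mobile Webservices Server" className="{LOGIN_CLASS}"
  adfCredentialStoreKey="Mobile Webservices Server" xmlns="">
 <login url="{LOGIN_URL}"/><cookieNames><cookie name="JSessionID"/></cookieNames>
</Reference>
<Reference name="SteakMobileLogin" className="{LOGIN_CLASS}"
  adfCredentialStoreKey="SteakMobileLogin" xmlns="">
 <login url="{LOGIN_URL}"/><cookieNames/>
</Reference>
</References>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop any "{namespace}" prefix

def find(ref, name):
    return [e for e in ref.iter() if local(e.tag) == name]

def lint_connections(xml_text, server_cookies):
    """Return findings for the three settings discussed in the thread."""
    refs = find(ET.fromstring(xml_text), "Reference")
    logins = [r for r in refs if r.get("className") == LOGIN_CLASS]
    out = []
    for ref in logins:  # 1. cookie names must match the server's, case included
        for cookie in find(ref, "cookie"):
            name = cookie.get("name", "")
            if name not in server_cookies:
                near = [s for s in server_cookies if s.lower() == name.lower()]
                out.append(f"cookie {name!r}: server sends {near or 'no such cookie'}")
    login_keys = {r.get("adfCredentialStoreKey") for r in logins}
    for ref in refs:  # 2. credentialStoreKey should equal adfCredentialStoreKey
        key = ref.get("credentialStoreKey")
        if key is not None and key not in login_keys:
            out.append(f"credentialStoreKey {key!r} matches no adfCredentialStoreKey")
    seen = {}
    for ref in logins:  # 3. two login connections pointing at one login page
        url = next((e.get("url") for e in find(ref, "login")), None)
        if url in seen:
            out.append(f"duplicate login server: {seen[url]!r} and {ref.get('name')!r}")
        seen.setdefault(url, ref.get("name"))
    return out

if __name__ == "__main__":
    # Assumption: the server's Set-Cookie name is JSESSIONID, as in reply 2.
    for finding in lint_connections(SAMPLE, {"JSESSIONID"}):
        print(finding)
```

Pass the cookie names actually seen in the login server's `Set-Cookie` response headers as `server_cookies`.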
  • 5. Re: Enabling Security
    943549 Newbie
    Hi Joe,

    We are also trying to enable security using the default login feature in ADF Mobile. The steps we did so far:
    1. Created a sample ADF application with login.jsf and logout.jsf
    2. Deployed the Sample ADF application to the embedded weblogic server
    3. After deployment, we mapped the deployed application URL (URL of the login / logout page) in the adfmf-application.xml while defining the connection.
    4. The test connection to the URL works fine. Also under Security tab, default option is selected for the login page.
    5. Now we run the application and it displays the default login page. We are good so far.

    The problem we are facing is understanding how to add users, and which credential store to map to at run time. As the security uses any HTTP authentication, in this case it looks like it uses the default security realm of the embedded WebLogic server, i.e. myrealm.
    Is our understanding correct?
    Second thing is, in the Application Server Login connection, what should be the Access Control URL under the Authorization tab?

    In the same post it is also suggested to use adfCredentialStore; can you please provide inputs in this regard?

    Thanks & Regards,
    Shibani
