3 Replies. Latest reply: Aug 7, 2013 8:16 PM by Frank.Hampshire-Oracle

    User Authentication/Security


      I would like to implement User authentication/Security into Web Determinations.  What I would like to do is loosely based around this forum post https://forums.oracle.com/message/10413671#10413671


      This pseudo-code would be something along the lines of


      • Global Attributes for username and password and valid_user (Boolean) in rule-base.
      • User starts a session and inputs these values.
      • An event handler is fired
      • the user is authenticated against the database or LDAP.
      • A new session is created populating the username into the session URI & the valid user Boolean is set to true or false
      • Using a screen-flow each screen will only be displayed if the valid user Boolean is true.


      Does anybody have any comments/suggestions on the merits of this approach or whether there would be a better way of doing it?

      Does anybody have any suggestions about what event could be used to implement this approach?


      I have considered using the OnRequireSession event but this would not allow users to input username and password.

      I have also experimented with using the OnRequest event but seem to get errors when trying to alter the session data or instantiate com.oracle.determinations.engine.Session and com.oracle.determinations.engine.Rulebase objects (which would be required to interrogate the rule-base data).

      The OnSubmit events also state that these are not to be used to alter session data.


      Many Thanks

        • 1. Re: User Authentication/Security

          A couple of things here.


          If you're collecting username and password in the interview, both the OnRequireSession and OnInvestigationStartedEvent will have fired before the user has the chance to enter their details.


          If you use a page outside of Web Determinations to collect User name and Password and then redirect to web determinations with these values you can then call the start session action with the user Id and password in the URL. Then your LDAP Authentication can be done as an event handler, probably extending "OnInvestigationStartedEvent".


          You can use an OnRequest event. I would look at storing the successful (or not) LDAP login as an HttpSession attribute. You can get the HttpSession from the OnRequestEvent (e.g. event.getHttpRequest().getSession()).


          Hope this helps


          • 2. Re: User Authentication/Security

            Hi Frank,


            Thanks for getting back to me.


            Ideally for this solution I would like to keep it all in OPA rather than be passing URL parameters from a different page.

            Otherwise I would be tempted to perform the authentication through the other page and use that to control access to the rule-base.


            What I had planned to do was perform authentication and then control access to further screens through a Boolean attribute in the rule-base.

            If I stored the successful login as a HttpSession attribute I don't think I would be able to have conditional control in the rule-base using this attribute, is that correct? & from my understanding there would be no way to get the httpSession attribute into the rule-base?


            Also because the OnRequest event is throwing errors when I try to instantiate com.oracle.determinations.engine.Session and com.oracle.determinations.engine.Rulebase objects there is no way of accessing the user data if they inputted it through the rule-base screens.

            So therefore I wouldn't be able to authenticate that user.


            An alternative approach I considered was to create a goal in the rulebase 'the user has entered their login details', then fire an OnInvestigationEnded when the user has inputted their details i.e. the goal is known. This event would then authenticate the user details and then set a Boolean attribute in the rule-base. This boolean attribute would then display access to further goals in the rule-base through the summary screen and screen display could be validated against through this attribute. Can you see any problems with this approach?




            Robert North

            • 3. Re: User Authentication/Security



              Session data can be got from an OnRequestEvent in the following way:


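              RuleSession ruleSession = null;
              InterviewSession interviewSession = event.getSessionContext().getInterviewSession();

              // The interview session can be null if the event fires before a session exists
              if (interviewSession != null) {
                   ruleSession = interviewSession.getRuleSession();
              }

              if (ruleSession != null) {
                   // a session exists: work with ruleSession here
              }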


              Be sure to check for null because I think OnRequestEvent can fire before a session has been created. In this case you shouldn't need to do anything.
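
The approach suggested in reply 1 (authenticate against LDAP, keep the result as an HttpSession attribute), sketched as an added Java example that is not code from the thread or from Oracle. The LDAP URL, DN layout, class name and attribute name are hypothetical; the session would come from event.getHttpRequest().getSession() as described above.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.ldap.Rdn;
import javax.servlet.http.HttpSession;

public final class LdapLoginCheck {
    // Hypothetical values: replace with your directory's URL and DN layout.
    static final String LDAP_URL = "ldaps://ldap.example.com:636";
    static final String USER_DN_FORMAT = "uid=%s,ou=people,dc=example,dc=com";
    static final String AUTH_ATTR = "opa.authenticated"; // hypothetical attribute name

    /** Returns true only if the directory accepts a simple bind as this user. */
    static boolean authenticate(String username, String password) throws NamingException {
        // An empty password makes many directories treat the bind as anonymous
        // and report success, so reject it before contacting the server.
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
            return false;
        }
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        // Escape the user-supplied value so it cannot alter the DN structure.
        env.put(Context.SECURITY_PRINCIPAL, String.format(USER_DN_FORMAT, Rdn.escapeValue(username)));
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            DirContext ctx = new InitialDirContext(env);
            ctx.close();
            return true;
        } catch (AuthenticationException e) {
            return false; // wrong credentials; other NamingExceptions propagate
        }
    }

    /** Store the outcome server-side, where the interview user cannot edit it. */
    static void recordResult(HttpSession session, boolean ok) {
        session.setAttribute(AUTH_ATTR, Boolean.valueOf(ok));
    }

    /** Anything other than an explicit TRUE counts as not authenticated. */
    static boolean isAuthenticated(HttpSession session) {
        return Boolean.TRUE.equals(session.getAttribute(AUTH_ATTR));
    }
}
```

A directory outage surfaces as a NamingException rather than a false return, so the calling handler should treat any exception as a failed login.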