Oracle ADF Security delegates authentication to the web container. The most commonly used types of authentication methods are HTTP Basic Authentication and Form-Based Authentication. Basic authentication uses the browser login dialog for the user to enter a user name and password. Note that with basic authentication, the browser caches credentials from the user, thus preventing logout. Basic authentication is useful when you want to test the application without requiring a custom login page.
After you run the Configure ADF Security wizard with the default ADF Authentication and Authorization option and all other default values, you will have:
The wizard will also:
- Create a jazn-data.xml file and store it in the /src/META-INF folder relative to the application workspace
- Create a weblogic.xml file and store it in the /public_html/WEB-INF folder relative to the application workspace
- Update jps-config.xml, web.xml, and adf-config.xml.
For example, in adf-config.xml the sec:adf-security-child element will be updated with the following child element:
<sec:JaasSecurityContext
    initialContextFactoryClass="oracle.adf.share.security.JAASInitialContextFactory"
    jaasProviderClass="oracle.adf.share.security.providers.jps.JpsSecurityContext"
    authorizationEnforce="true"
    authenticationRequire="true"/>
web.xml
<servlet>
  <servlet-name>adfAuthentication</servlet-name>
  <servlet-class>oracle.adf.share.security.authentication.AuthenticationServlet</servlet-class>
  <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
  <servlet-name>adfAuthentication</servlet-name>
  <url-pattern>/adfAuthentication</url-pattern>
</servlet-mapping>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>adfAuthentication</web-resource-name>
    <url-pattern>/adfAuthentication</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>valid-users</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>jazn.com</realm-name>
</login-config>
<security-role>
  <role-name>valid-users</role-name>
</security-role>
The initialization parameter remove.anonymous.role will be added to the JpsFilter filter setting, as shown here:
<filter>
  <filter-name>JpsFilter</filter-name>
  <filter-class>oracle.security.jps.ee.http.JpsFilter</filter-class>
  <init-param>
    <param-name>enable.anonymous</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>remove.anonymous.role</param-name>
    <param-value>false</param-value>
  </init-param>
</filter>
Because the ADF Authentication and Authorization option enables ADF authorization to enforce permission checking against the security policies that you define for ADF security-aware resources (such as ADF bounded task flows), you must define application roles and assign explicit grants to those roles to manage access to the ADF resources.
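An added example, not part of Oracle's documentation: a small Python check that reads the web.xml entries shown above and reports the settings a reviewer would confirm before keeping the wizard defaults. The sample descriptor is constructed from this page's snippets, review_web_xml is a hypothetical helper name, and the transport-guarantee check goes beyond the page (it looks for the standard servlet user-data-constraint element).

```python
import xml.etree.ElementTree as ET

# Constructed sample: the web.xml entries shown on this page, wrapped in a
# <web-app> root so the fragment parses as one document.
SAMPLE_WEB_XML = """
<web-app>
  <filter>
    <filter-name>JpsFilter</filter-name>
    <filter-class>oracle.security.jps.ee.http.JpsFilter</filter-class>
    <init-param><param-name>enable.anonymous</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>remove.anonymous.role</param-name><param-value>false</param-value></init-param>
  </filter>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>adfAuthentication</web-resource-name><url-pattern>/adfAuthentication</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>valid-users</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>jazn.com</realm-name></login-config>
  <security-role><role-name>valid-users</role-name></security-role>
</web-app>
"""

def review_web_xml(xml_text):
    """Return (settings, findings) for the security entries the wizard writes."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]  # drop an XML namespace, if one is declared
    settings = {"auth_method": (root.findtext("login-config/auth-method") or "").strip()}
    for f in root.iter("filter"):
        if f.findtext("filter-name") == "JpsFilter":
            for p in f.iter("init-param"):  # record the JpsFilter init parameters
                settings[p.findtext("param-name")] = p.findtext("param-value")
    findings = []
    if settings["auth_method"].upper() == "BASIC":
        findings.append("BASIC: browser caches credentials, so users cannot log out")
    declared = {r.findtext("role-name") for r in root.findall("security-role")}
    for c in root.iter("security-constraint"):
        for role in c.iter("role-name"):
            if role.text not in declared:
                findings.append("role %s used in a constraint but not declared" % role.text)
        if (c.findtext("user-data-constraint/transport-guarantee") or "").strip() != "CONFIDENTIAL":
            findings.append("constraint declares no CONFIDENTIAL transport-guarantee")
    return settings, findings

if __name__ == "__main__":
    print(*review_web_xml(SAMPLE_WEB_XML), sep="\n")
```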
Copyright © 1997, 2009, Oracle. All rights reserved.