1 Introduction

JDeveloper 11g automatically migrates identities, credentials and policies when it deploys an application to the integrated WebLogic server (WLS), which is the one used by JDeveloper whenever you run or debug a Java EE application from inside the IDE. However, automatic security migration is not available for deployment to a standalone WLS, for example the one your team might use for test or production use. This section explains briefly what credentials, identities, and policies are, helps you understand whether your application depends on them, and highlights the key use cases for which this article provides a simplified approach to migrate credentials and policies to a standalone WebLogic server.

1.1 What Are Credentials, Identities, and Policies?

When building Oracle ADF web-based applications, you will typically use a combination of security features like:

• credentials — encrypted passwords for database and other connections used by the data controls in your application
• identities — users who are allowed to use the application and the roles to which they belong
• policies — grants that affect which roles are allow to perform certain operations in your application

1.2 How Do I Know If My Application Depends on Any Credentials, Identities, or Policies?

Even the simplest ADF application that uses the default JDBC URL connection type to reference an Application Resources database connection for its application module data control depends on at least one credential entry for the connection's encrypted password. If the application includes data controls that reference other kinds of Application Resources connections — for example a Web Services data control, a URL data control, or others — then it will depend on other credentials, too. In contrast, an ADF application whose data control provider is configured to use a container-provided JDBC Datasource by JNDI name like java:comp/env/SomeConnectionNameDS and which does not use any additional data controls requiring their own connection credentials, would not have any credential dependencies.

If the application is configured to use authentication, then it will depend on identities at runtime to secure access to some or all of the pages in the application to appropriate roles and the users who belong to them. Furthermore, if the application using authentication also takes advantage of ADF authorization, then will depend in addition on security policies that grant access to particular operations to appropriate roles.

1.3 Overview of Simplified Credential and Policy Migration to Standalone WLS

JDeveloper 11g includes the Oracle Platform Security Services command-line tool for migrating credentials and policy to standalone WLS. This tool comprises a set of scripts shipped with JDeveloper 11g in the MIDDLEWARE_HOME/jdeveloper/modules/oracle.jps_11.1.1/scripts directory, which are designed to be used in concert with the WebLogic Scripting Tool (WLST) utility. These scripts are explained in detail in the JDeveloper 11g documentation in the Migrating the Security Repository to a Production Environment topic of the Developing Secure Applications section of the JDeveloper online help. However, since many users may find the scripts complicated to use, this document describes a simplified approach to achieve the two most common use cases:

• Migrating the credentials in an application's cwallet.sso file to the standalone WebLogic domain's cwallet.sso file
• Migrating the security policies in an application jazn-data.xml file to the standalone WebLogic domain's system-jazn-data.xml file.

2 Prerequisites

In order to use the tips in this document you need the following prerequisites:

3 Migrating Credentials and Policies to Standalone WebLogic

The techniques described in this section simplify migrating credentials and policies from an application to a standalone WebLogic server.

3.1 Setting Up Standalone WebLogic Server for Simplified Application Credentials and Policy Migration

To migrate credentials and policies from an application to a standalone WebLogic server, do the following:

3.2 Migrating Application Credentials to Standalone WebLogic

To migrate an application's credentials from its cwallet.sso file to the %DOMAIN_HOME%/config/oracle/cwallet.sso file, run the following commands:

$ cd %DOMAIN_HOME%/migration
$ ant -Dapp-credstore=APPWORKSPACEDIR/src/META-INF/cwallet.sso

3.3 Migrating Application Policies to Standalone WebLogic

To migrate an application's policies from its jazn-data.xml file to the % DOMAIN_HOME%/config/oracle/system-jazn-data.xml file, run the following commands. While formatted here for readability, you should enter the ant command on a single line. You can omit -DdstApp= DEPLOYAPPNAME if the deployed application name is the same as the source application name you supplied in the -DsrcApp= APPNAME argument.

$ cd %DOMAIN_HOME%/migration
$ ant -Dapp-jazn-data= APPWORKSPACEDIR/src/META-INF/jazn-data.xml
      -DsrcApp= APPNAME
      -DdstApp=DEPLOYAPPNAME

3.4 Migrating Both Credentials and Application Policies to Standalone WebLogic

To migrate both an application's credentials and policies, run the following commands. While formatted here for readability, you should enter the ant command on a single line. You can omit -DdstApp= DEPLOYAPPNAME if the deployed application name is the same as the source application name you supplied in the -DsrcApp= APPNAME argument.

$ cd %DOMAIN_HOME%/migration
$ ant -Dapp-credstore= APPWORKSPACEDIR/src/META-INF/cwallet.sso
      -Dapp-jazn-data= APPWORKSPACEDIR/src/META-INF/jazn-data.xml
      -DsrcApp= APPNAME
      -DdstApp=DEPLOYAPPNAME

3.5 Manual Changes Required to Policy Grantee Class Names After Migration

Application policy grantee class names must be manually corrected in system-jazn-data.xml after migration. The application's src/META-INF/jazn-data.xml principal and role classes are Oracle Platform Security Services class names. These must be changed to the corresponding WebLogic server class names after policy migration to %DOMAIN_HOME%/config/oracle/system-jazn-data.xml. Please correct the class names in system-jazn-data.xml as follows:

• For Role (Group) Grantees

  • Change: oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl
  • To: weblogic.security.principal.WLSGroupImpl

• For User Grantees

  • Change: oracle.security.jps.internal.core.principals.JpsXmlUserImpl
  • To: weblogic.security.principal.WLSUserImpl

3.6 Known Limitation on Credential Migration

Credentials connection names migrated to the standalone WebLogic server domain credential store must be unique. For example, you can have only one connection named Connection1 in the %DOMAIN_HOME%/config/oracle/cwallet.sso file. If a Connection1 credentials key already exists in the credential store, migrating a new Connection1 will overwrite the existing Connection1 credentials. This is not a problem if both Connnection1 credentials are identical. However, if they are different then applications that use the original Connection1 will fail with incorrect credentials.

4 Defining Required Application Identities on Standalone WLS

While JDeveloper 11g migrates identities for an application to the integrated WebLogic server for single-user running and debugging purposes, neither the JDeveloper 11g IDE nor the Oracle Platform Security Services migration tool supports identity store migration to a standalone WLS identity store. You must use WebLogic admin console — by default available at http:// servername:7001/console — to create users and groups required by the deployed app prior to running the deployed application. Of course, an alternative would be to create a custom WebLogic Scripting Tool (WSLT) script to accomplish the job.

Appendix 1: Installing and Configuring a Standalone WebLogic Server for ADF Application Deployment

Revision History