Oracle Identity Manager 11g: Implementing OES Permission Checks in ADF Task Flows

 

<Do not delete this text because it is a placeholder for the generated list of "main" topics when run in a browser>

Purpose

This tutorial covers how you can integrate Oracle Entitlements Server (OES) 11g permissions with an ADF-based UI, where you integrate the Oracle Entitlements Server 11g permission check with a new ADF Task Flow in the Oracle Idenity Manager 11g Administration console.

Time to Complete

Approximately 1 hour.

Overview

The objective of this example is to implement secure access to an ADF tab component (a Create User button contained on an custom tab page) using OES permission checking.

Scenario (Optional)

An Oracle customer or system integrator is creating a custom ADF tab page and needs to secure access to the Create User button displayed in the custom ADF tab page by using Oracle Identity Manager 11g and its integration with Oracle Entitlements Server 11g. In this scenario the currently logged in user needs to have access to the User Management - Create permission. If the user has access to that permission the Create User ADF button is enabled, otherwise the Create User ADF button is disabled.

Software and Hardware Requirements (Optional)

The following is a list of software requirements:

Note: Click here to download the zip file to your $HOME or a temporary directory. The zip file contains a sample Oracle JDeveloper workspace, project, and files that are required for this tutorial. The project can used as a starting point for other similar ADF and OES development tasks.

Prerequisites

Before starting this tutorial, you should have installed, configured, and started:

.

The Oracle Database

.

The Oracle WebLogic Server

.

Oracle Identity Manager

About the Sample JDeveloper Project

The sample Oracle JDeveloper project requires a set of ZIP and JAR files added to the project library path (CLASSPATH). The location of the ZIP and JAR files may need to be updated in the JDeveloper Project Properties to match your environment.

About Project Library Dependencies

After you open the ADF-Security.jpr project in JDeveloper you need to configure the library path dependencies, in the project properties, based on your system configuration and environment for libraries listed in the following table:

Table of Library Dependencies
Library File Directory/Location
iam-platform-utils.jar $MW_HOME/Oracle_IDM1/server/platform
iam-platform-context.jar $MW_HOME/Oracle_IDM1/server/platform
iam-platform-authz-service.jar $MW_HOME/Oracle_IDM1/server/platform
iam-features-identity.zip $MW_HOME/Oracle_IDM1/server/features
iam-features-authzpolicydefn.zip $MW_HOME/Oracle_IDM1/server/features

This table can be used as a reference for locating paths to the library files, even though the tutorial provides instructions for configuring the library paths.

Note: In the Table of Library Dependencies, the Middleware home is indicated by the presence of the $MW_HOME environment variable, which must be altered to suit your development and runtime environment. In addition, the Oracle_IDM1 subdirectory represents the directory chosen for installing Oracle Identity Manager 11g, which may also need to be altered to match your installation environment.

OES Security Example Bean

The example project, contains a Java class called oracle.iam.examples.adfsecurity.beans.OESSecurityExampleBean with the following two methods for performing OES permission checks:

Code for the privilegeCheck() method

/*
 * Generic utility method to check if the currently logged
 * in user has access to an Feature/Action combination
 */
private boolean privilegeCheck(String featureId, String actionId) {
  AuthorizationResult authzResult = getAuthorizationService().
                                      hasAccess(getLoggedInUserKey(), featureId, actionId);
  return authzResult.isAllowed();
}

Code for the isHasCreateUserPrivilege() method

/*
 * Example method to check if the currently logged in user
 * has access to the Create privilege on the User Management feature
 *
 * Refer to oracle.iam.authzpolicydefn.api.FeatureManagerContants
 * for the full set of available OES permissions
 */
public boolean isHasCreateUserPrivilege() {
  boolean hasCreateUserPrivilege = privilegeCheck(
                                     FeatureManagerConstants.Features.USER_MGMT.getId()
                                     UserManagerConstants.Privilege.CREATE.getId());
  return hasCreateUserPrivilege;
}

About the FeatureManagerConstants

The code examples shown above, make use of constants that are enumerated in oracle.iam.authzpolicydefn.api.FeatureManagerConstants, which contains the list of Feature, Actions, and Attributes that ship with Oracle Identity Manager 11g.

Integration with ADF UI

The scope of this example shows how to create an ADF command button for creating a new user, and securing that menu item with an OES Permission Check. The ADF Task Flow uses the OES Security Example Bean to determine if the currently logged in user has access to the Create User privilege in User Management.

Note: The sample ADF Task Flow can be expanded on for additional customization.

The following code excerpt is from SecurityView.jsff. The disabled component binding is used to control if the button is disabled or enabled, based on the logged in user’s OES permissions.

<af:commandButton id="actionCreate" text="Create User"
    disabled="#{pageFlowScope.oesSecurityBean.hasCreateUserPrivilege}"/>

In this tutorial, your tasks include:

Open and Configure the Sample Project in Oracle JDeveloper

In this section, you open the sample project by opening the supplied Oracle JDeveloper Workspace that contains the project, and configure the project library CLASSPATH. To do complete these tasks , perform the following steps:

.

In a Terminal window (or by using the File Browser application), navigate to the folder that contains the oes_in_oim_ui_adf_task_flows.zip file, and extract the contents of the file into a subdirectory, of your $HOME directory, where the subdirectory has the same name as the zip file. For example:

$ mkdir $HOME/oes_in_oim_ui_adf_task_flows
$ unzip oes_in_oim_ui_adf_task_flows.zip -d oes_in_oim_ui_adf_task_flows

Note: Alternatively, you can use the File Browser to create the new folder, open the JAR file in the Archive Manager from which you can extract the contents of the zip file into the new folder.

.

From your desktop or file system, if you have an desktop icon, double-click the desktop icon to launch Oracle JDeveloper. Alternatively, execute the following command line to start Oracle JDeveloper:

$ /opt/oracle/Middleware/jdeveloper/jdev/bin/jdev & 

Note: This command line example assumes you have installed Oracle JDeveloper in the /opt/oracle/Middleware/jdeveloper folder, where /opt/oracle/Middleware is your Middleware home (possibly defined in the MW_HOME environment variable).

.

In the Oracle JDeveloper window, click Open Application.

.

In the Open Application dialog box, browse to the $HOME/oes_in_oim_ui_adf_task_flows directory, select the oes_oim_adf_app.jws file and click Open:

Note: After opening the oes_omi_adf_app.jws workspace file, the Oracle JDeveloper Application Navigator panel should display the project called ADF-Security in the oes_omi_adf_app workspace. See the next step for an example.

In addition, If you are using a newer version of Oracle JDeveloper to the one used to create the JDeveloper workspace and project file and its sources, then when the Open Warning dialog box is displayed, to migrate the files into the new format compatible with the version of Oracle JDeveloper being used, click Yes.

When the Migration Status dialog box is displayed, click OK.

.

In the Oracle JDeveloper Application Navigator panel, double-click the ADF-Security project node to open its Project Properties window, or select the ADF-Security project node and click the Project Properties () icon.

.

In the Project Properties dialog box, select the Libraries and Classpath node in the left panel, select all the highlighted (iam-*.jar or iam-*.zip) file entries (as show in the next image) and click Remove.

Note: Oracle JDeveloper does not support modifying the path for existing JAR and ZIP file entries. Therefore you first remove existing entries, and add each of the JAR and ZIP files again with the directory paths that match your Oracle Identity Manager 11g installation environment.

.

In the Project Properties dialog box, in the Libraries and Classpath section click Add JAR/Directory:

.

In the Add Archive or Directory dialog box, navigate to the $MW_HOME/Oracle_IDM1/server/platform folder (where $MW_HOME is the expanded path representing where your Oracle Middleware home directory is, and Oracle_IDM1 is the directory in which you installed Oracle Identity Manager), select the iam-platform-utils.jar file, and click Select.

Note: For these example paths, replace $MW_HOME with the appropriate directory path for your installation of Oracle WebLogic Server Fusion Middleware home, and the Oracle_IDM1 subdirectory with the name of your directory in which you installed Oracle Identity Manager 11g.

.

In the Project Properties dialog box in the Libraries and Classpath section, verify that the Classpath Entries list contains the iam-platform-utils.jar file, and repeat the process of clicking "Add JAR/Directory" for each of the following files:

  • $MW_HOME/Oracle_IDM1/server/platform/iam-platform-context.jar
  • $MW_HOME/Oracle_IDM1/server/platform/iam-platform-authz-service.jar
  • $MW_HOME/Oracle_IDM1/server/features/iam-features-identity.zip
  • $MW_HOME/Oracle_IDM1/server/features/iam-features-authzpolicydefn.zip

Note: For these example paths, replace $MW_HOME with the appropriate directory path for your installation of Oracle WebLogic Server Fusion Middleware home, and the Oracle_IDM1 subdirectory with the name of your directory in which you installed Oracle Identity Manager 11g.

.

In the Project Properties dialog box in the Libraries and Classpath section, verify that the Classpath Entries list contains all the files highlighted in the following image, and click OK to close the Project Properties dialog box:

.

To save the changes to the ADF-Security project , click the Save All icon in the Oracle JDeveloper toolbar.

Create and Configure ADF Task Flow for the Administrative Console


In this section, you perform the following tasks:

To perform the above tasks file, perform the following steps:

Generate and Deploy the ADF Task Flow JAR File


.

To build the project and generate the JAR file, in the JDeveloper Application Navigator, right-click on the ADF-Security node, and select Deploy > oesSecurityExample.

.

In the "Deploy oesSecurityExample" dialog box, observe that the Deployment Action is to "Deploy to ADF Library JAR File," which means that Oracle JDeveloper will create a JAR file in the deployment folder specified by the oesSecurityExample deployment profile. To generate the JAR file, click Finish.

Note: Optionally, if you open the ADF-Security Project Properties, and click Deployment, then select the oesSecurityExample profile and click Edit. In the JAR Options of the Edit ADF Library JAR Deployment Profile Properties you can find the location and name of the generated JAR file.

.

In the JDeveloper Deployment - Log window, you can verify the oesSecurityExample.jar file is created in the deploy subdirectory of the oes_in_oim_ui_adf_task_flows project directory.

.

In a Terminal window (or File Browser application), copy the $HOME/oes_in_oim_ui_adf_task_flows/deploy/oesSecurityExample.jar file to the to Oracle Identity Manager 11g $MW_HOME/Oracle_IDM1/server/apps/oim.ear/admin.war/WEB-INF/lib directory. For example:

$ cd $HOME/oes_in_oim_ui_adf_task_flows/deploy
$ cp oesSecurityExample.jar \
  $MW_HOME/Oracle_IDM1/server/apps/oim.ear/admin.war/WEB-INF/lib

Note: In these commands, replace $HOME with the directory that contains the sample project files, and replace $MW_HOME with the appropriate directory path for your installation of Oracle WebLogic Server Fusion Middleware home, and the Oracle_IDM1 subdirectory with the name of your directory in which you installed Oracle Identity Manager 11g.

 

Modify Oracle Identity Manager 11g Administration Console Configuration Files

To complete the deployment process, you modify (edit) the idmshell-config.xml file, in the $MW_HOME/Oracle_IDM1/server/apps/oim.ear/admin.war/WEB-INF directory, by adding additional XML elements to define the new functionality to be visible in the Administration console. The XMl file can be opened for editing in JDeveloper or your preferred XML editor. The instructions in this section use the gedit command to open and edit the XML file.

Note: Alternatively, if you wish to save time you can download this edited idmshell-config.xml file and replace the existing version in the specified directory (after backing up the original file) and skip the steps in this section.

.

To make a backup of the idmshell-config.xml file and open the file for editing, in a Terminal window, execute the following commands:

$ mkdir $HOME/backup
$ cd $MW_HOME/Oracle_IDM1/server/apps/oim.ear/admin.war/WEB-INF
$ cp idmshell-config.xml $HOME/backups
$ gedit idmshell-config.xml

Note: Remember to replace $MW_HOME and Oracle_IDM1 with the appropriate directory path names that match your installation of Oracle Identity Manager 11g.

.

In the idmshell-config.xml editor window, to add the sample task flow to the Administration console insert the following <taskflow> XML element inside the <taskflows> parent element just before the closing </taskflows> XML element:

<taskflow id="_security_example" closeable="false" indialog="false" 
          taskFlowId="/taskflows/adf-tab-security.xml#adf-tab-security">
  <name>OES Security Example</name>
</taskflow>

.

In the idmshell-config.xml editor window, to define a new module with the new task flow insert the following <module> XML element into the file, just before the closing </modules> XML element:

<module id="security_example_module">
<name>Security Example</name>
<default-taskflow-list>
<!-- The refId needs to equal the id defined in the taskflow above -->
<taskflow refId="_security_example"/>
</default-taskflow-list>
</module>


.

In the idmshell-config.xml editor window, to add the new module to the Identity Administration section of the console insert the a new <module refId="security_example_module"/> child element (as shown below) before the closing </modules> element inside the Identity Administration <console> element (the first <console> element in the <consoles> section):

<console id="/pages/Admin.jspx">
<name>Identity Administration</name>
<path>/pages/Admin.jspx</path>
<modules>
<module refId="admin"/>
<module refId="oes_oim_mgr"/> <!--module refId="org_mgr"/>
<module refId="role_mgr"/-->
<module refId="security_example_module"/>
</modules>
</console>


.

Save the changes to idmshell-config.xml, close the file and editor window.

Test the new ADF Task Flow in the Administration Console

In this section, after you restart the Oracle Identity Manager 11g Managed WebLogic Server instance to make the new Security Example tabbed page available, you perform the following tests:

To complete these tasks perform the following steps:

Test Case 1: Verify that the Create User Button is Enabled for xelsysadm

.

Restart the Oracle Identity Manager server by performing the following commands in a Terminal window:

$ export MW_HOME=/opt/oracle/Middleware
$ cd $MW_HOME/user_projects/domains/base_domain/bin
$ ./stopManagedWebLogic.sh oim_server1

Note: The command line syntax shown is Borne shell syntax, please use equivalent commands for your shell or command line environment.

Wait for the Oracle Identity Manager WebLogic Managed Server instance to be shutdown, and then execute the following command to restart it.

$ cd $MW_HOME/user_projects/domains/base_domain/bin
$ ./startManagedWebLogic.sh oim_server1 &

Note: Wait until the Oracle Identity Manager 11g server instance is running. Remember to replace the usages of MW_HOME, base_domain, and oim_server1 with path or instance names that match your installation.

.

Open a web browser window, and enter the URL to access your Oracle Identity Manager 11g Administration Console sign in page, for example http://localhost:14000/oim. On the Sign In page, enter the credentials for the Oracle Identity Manager 11g administration. For example User Login xeladmsys and Password Welcome1 and click Sign In.


.

After you successfully sign in, if the Oracle Identity Manager - Self Service page is displayed, click the Administration icon or link.


.

On the Oracle Identity Manager - Delegated Administration page, verify that the Security Example tab appears to the right of the Authorizations Policy tab, and click the Security Example tab.


.

On the Oracle Identity Manager - Delegated Administration page > Security Example tabbed page, verify that the Create User button in the OES Security Example subtabbed page is enabled.

Note: Clicking the Create User button does not do anything because there us no implementation or functionality associated with clicking the Create User button.

 

Test Case 2: Create a New User for which the Create User Button is Disabled

In this section, as the xelsysadm user you create a new non-privileged delegated administration called Jedi Yoda for whom the Create User button should be disabled.

.

While signed in as the xelsysadm user, on the Oracle Identity Manager - Delegated Administration page click the Administration tab, in the Welcome subtab under the Users section click the Create User link.

.

On the Oracle Identity Manager - Delegated Administration > Administration > Create User tabbed page, and after entering the following field values and click Save:

In the Basic User Information section:

  • First: Jedi
  • Last: Yoda
  • Organization: Click the search icon and select Requests from the search dialog box.
  • User Type: Select Full-Time Employee from the drop-down list.

In the Account Settings section:

  • User Login: jyoda
  • Password: Welcome1
  • Confirm Password: Welcome1

Note: Leave all other fields as their default settings.


.

On the Oracle Identity Manager - Delegated Administration > Administration > Jedi Yoda tabbed page, verify that the message "The User has been created successfully." is displayed, and click the Sign Out link at the top right-side of the page.


.

On the Sign In page, enter the credentials for the newly created user User Login jyoda and Password Welcome1 and click Sign In.


.

When a new user signs in for the first time they are prompted to change their password and set some challenge questions as part of the Oracle Identity Manager 11g security policy settings. Therefore, after you sign in on the Oracle Identity Manager > Password Management tabbed page, enter the field values listed below and click Submit:

In the "Provide a new password." section enter:

  • Old Password: Welcome1
  • New Password and Re-Type New Password: Enter the same value in these fields (anything of your choice, for example Lightsaber1).

In the "Register challenge questions for your account" section make the following selections and enter associated answers:

  • Question 1: Select "What is the name of your pet?"
  • Answer 1: chewy
  • Question 2: Select "What is the city of your birth?"
  • Answer 2: dagobah
  • Question 3: Select "What is your favorite color?"
  • Answer 3: green


.

After you submitted your new user password and challenge question details, on the Oracle Identity Manager - Delegated Administration > Administration tab page, which is displayed first, click on the Security Example tab and verify that the Create User button is disabled in the OES Security sub tabbed page.


.

On the Oracle Identity Manager - Delegated Administration page, click the Sign Out link, and close the web browser window.

Note: You can terminate Oracle JDeveloper as well, by clicking File > Exit in the Oracle JDeveloper menu.

 

Summary

In this tutorial, you implemented a customized security tab that is added to the Oracle Identity Manager 11g Administration Console that contains a button whose availability is controlled by the administrator being granted the appropriate OES permission to enable the button. In this tutorial, you learned how to accomplished the following tasks:

Resources

Credits (Optional)

Hardware and Software Engineered to Work Together Copyright © 2011, Oracle and/or its affiliates. All rights reserved