Monday, July 23, 2012

ADF Security - Part 2


Configuring ADF security using Database tables:

(Create the required tables as provided at the end of this post. Also create the required Data Source in WebLogic and target it to the server that will run the application.)

1. In the WebLogic Administration Console, select the Security Realms link and then the default realm "myrealm".


2. Go to the Providers tab. Here a new authentication provider can be created.


3. Give it a suitable name (this post uses 'db_users') and select 'SQLAuthenticator' as the type of authentication provider. Click OK.


4. Select the provider just created ('db_users') and change the Control Flag to 'Sufficient'. Click Save.

Do not stop there. The new provider is appended after the DefaultAuthenticator, whose control flag is REQUIRED by default. With that combination a user who exists only in the database is rejected: the DefaultAuthenticator fails and, being REQUIRED, its failure is not cancelled by the later SUFFICIENT success. Set the DefaultAuthenticator's control flag to SUFFICIENT as well, and use Reorder to put 'db_users' first so that database users are checked first. Keep at least one administrative user in the DefaultAuthenticator, otherwise you can lock yourself out of the console.


The control flag determines how the SQL Authenticator behaves when its login module succeeds or fails, and how the result combines with the other providers in the realm. The possible values and outcomes are as follows:

  • A REQUIRED value specifies that this LoginModule must succeed. Even if it fails, authentication proceeds down the list of LoginModules for the configured Authentication providers, but the overall result is a failure.
  • A REQUISITE value specifies that this LoginModule must succeed. If other Authentication providers are configured and this LoginModule succeeds, authentication proceeds down the list of LoginModules. Otherwise, control is returned to the application immediately.
  • A SUFFICIENT value specifies that this LoginModule need not succeed. If it does succeed (and no earlier REQUIRED or REQUISITE module has failed), control returns to the application with a successful result. If it fails and other Authentication providers are configured, authentication proceeds down the LoginModule list.
  • An OPTIONAL value specifies that this LoginModule need not succeed. Whether it succeeds or fails, authentication proceeds down the LoginModule list. This setting is the default for a newly created provider.
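The following script, added here as an illustration and not taken from the original post or from Oracle, encodes the four control-flag rules above so that a provider order and flag combination can be checked before the realm is changed. The provider names, the credential dictionaries standing in for each provider's store, the password values and the two realm layouts are constructed for the example.

```python
"""Walk a realm's authentication providers the way JAAS does.

Added example, not code from the original post or from Oracle: it encodes the four
control-flag rules listed above so a provider order and flag combination can be
checked on paper. Provider names, the credential dictionaries and the two realm
layouts below are constructed for illustration.
"""

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"


def authenticate(providers, username, password):
    """Return (overall_success, trace).

    providers: ordered list of (name, control_flag, credentials), credentials being
    a dict username -> password that stands in for the provider's own store.
    trace: (name, flag, succeeded) for every module that was actually consulted.
    """
    trace = []
    required_failed = False     # some REQUIRED/REQUISITE module has failed
    saw_required = False        # at least one REQUIRED/REQUISITE module was consulted
    other_succeeded = False     # some SUFFICIENT/OPTIONAL module succeeded
    for name, flag, creds in providers:
        ok = creds.get(username) == password
        trace.append((name, flag, ok))
        if flag in (REQUIRED, REQUISITE):
            saw_required = True
            if not ok:
                required_failed = True
                if flag == REQUISITE:
                    break               # REQUISITE failure: stop, return to the app
            # REQUIRED keeps walking the list whether it passed or failed
        elif flag == SUFFICIENT:
            if ok:
                other_succeeded = True
                if not required_failed:
                    return True, trace  # success short-circuits the rest of the list
            # a failed SUFFICIENT just falls through to the next module
        elif flag == OPTIONAL:
            other_succeeded = other_succeeded or ok
        else:
            raise ValueError("unknown control flag: %r" % flag)
    if saw_required:
        return not required_failed, trace
    return other_succeeded, trace


# Constructed stores: db_users sees the JHS_USERS rows created at the end of the
# post, the DefaultAuthenticator (embedded LDAP) only knows the console admin.
DB_USERS = {"SKING": "SKING", "AHUNOLD": "AHUNOLD"}
EMBEDDED_LDAP = {"weblogic": "welcome1"}

# As the console leaves it after step 4: the new provider is appended last and the
# DefaultAuthenticator keeps its default flag, REQUIRED.
REALM_AS_CREATED = [
    ("DefaultAuthenticator", REQUIRED, EMBEDDED_LDAP),
    ("db_users", SUFFICIENT, DB_USERS),
]

# Working layout: DefaultAuthenticator relaxed to SUFFICIENT, db_users moved first.
REALM_FIXED = [
    ("db_users", SUFFICIENT, DB_USERS),
    ("DefaultAuthenticator", SUFFICIENT, EMBEDDED_LDAP),
]


def report(realm, username, password):
    """One-line summary of an attempt, used by the demo below."""
    ok, trace = authenticate(realm, username, password)
    consulted = ", ".join("%s(%s)=%s" % t for t in trace)
    return "%s/%s -> %s via %s" % (username, password, "OK" if ok else "DENIED", consulted)


if __name__ == "__main__":
    for realm_name, realm in (("as created", REALM_AS_CREATED), ("fixed", REALM_FIXED)):
        print("realm", realm_name)
        for user, pw in (("SKING", "SKING"), ("weblogic", "welcome1"), ("SKING", "wrong")):
            print("  " + report(realm, user, pw))
```

Running it shows SKING being denied in the "as created" realm even though the SQL Authenticator accepted the password, and accepted in the fixed one after consulting only 'db_users'; swapping the DefaultAuthenticator to REQUISITE stops the walk before the database is ever asked.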

5. Go to the 'Provider Specific' tab, where the details of the provider are entered.



The provider-specific settings used here are listed below. The sql-* entries map the queries the SQL Authenticator runs onto the JHS tables created at the end of this post; every ? is a bind parameter that WebLogic fills in, in the order shown, so the tables and column names are yours to choose but the number and order of the parameters in each query must stay as they are.

data-source-name : HRDS (whatever data source you want to use for security)

plaintext-passwords-enabled : true (checkbox)

password-style : PLAINTEXT

These two settings mean that the PASSWORD column holds clear-text passwords, which is acceptable for a demo and nothing else. For real use set password-style to SALTEDHASHED (the digest is chosen in password-algorithm), convert the existing rows, and then clear plaintext-passwords-enabled so that clear-text rows are no longer accepted.

sql-get-users-password : SELECT password FROM jhs_users WHERE username = ?

sql-set-user-password : UPDATE jhs_users SET password = ? WHERE username = ?

sql-user-exists : SELECT username FROM jhs_users WHERE username = ?

sql-list-users : SELECT username FROM jhs_users WHERE username LIKE ?

sql-create-user : INSERT INTO jhs_users ( id, username, password, display_name ) VALUES ( jhs_seq.nextval, ?, ?, ? )

sql-remove-user : DELETE FROM jhs_users WHERE username = ?

sql-list-groups : SELECT short_name FROM jhs_roles WHERE short_name LIKE ?

sql-group-exists : SELECT short_name FROM jhs_roles WHERE short_name = ?

sql-create-group : INSERT INTO jhs_roles ( id, short_name, name ) VALUES ( jhs_seq.nextval, ?, ? )

sql-remove-group : DELETE FROM jhs_roles WHERE short_name = ?

sql-is-member : SELECT u.username FROM jhs_user_role_grants g, jhs_users u WHERE u.id = g.usr_id AND g.rle_id = ( SELECT id FROM jhs_roles WHERE short_name = ? ) AND g.usr_id = ( SELECT id FROM jhs_users WHERE username = ? )

sql-list-member-groups : SELECT r.short_name FROM jhs_user_role_grants g, jhs_roles r, jhs_users u WHERE g.usr_id = u.id AND g.rle_id = r.id AND u.username = ?

sql-list-group-members : SELECT u.username FROM jhs_user_role_grants g, jhs_roles r, jhs_users u WHERE g.usr_id = u.id AND g.rle_id = r.id AND r.short_name = ? AND u.username LIKE ?

sql-remove-group-memberships : DELETE FROM jhs_user_role_grants WHERE rle_id = ( SELECT id FROM jhs_roles WHERE short_name = ? ) OR usr_id = ( SELECT id FROM jhs_users WHERE username = ? )

sql-add-member-to-group : INSERT INTO jhs_user_role_grants ( id, rle_id, usr_id ) VALUES ( jhs_seq.nextval, ( SELECT id FROM jhs_roles WHERE short_name = ? ), ( SELECT id FROM jhs_users WHERE username = ? ) )

sql-remove-member-from-group : DELETE FROM jhs_user_role_grants WHERE rle_id = ( SELECT id FROM jhs_roles WHERE short_name = ? ) AND usr_id = ( SELECT id FROM jhs_users WHERE username = ? )

sql-remove-group-member : DELETE FROM jhs_user_role_grants WHERE rle_id = ( SELECT id FROM jhs_roles WHERE short_name = ? )

sql-get-user-description : SELECT display_name FROM jhs_users WHERE username = ?

sql-set-user-description : UPDATE jhs_users SET display_name = ? WHERE username = ?

sql-get-group-description : SELECT name FROM jhs_roles WHERE short_name = ?

sql-set-group-description : UPDATE jhs_roles SET name = ? WHERE short_name = ?
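The settings above leave clear-text passwords in JHS_USERS.PASSWORD. The script below is an added example, not code from the original post or from Oracle: it produces and verifies the hashed values that a SALTEDHASHED (or HASHED) password-style would store, and turns the post's two sample rows into UPDATE statements matching the sql-set-user-password mapping. The stored form used here, "{SHA-1}" + base64(digest) for HASHED and "{SSHA}" + base64(digest + salt) for SALTEDHASHED as in RFC 2307, is what I understand the SQL Authenticator to read and write; treat that format as an assumption and confirm it against the documentation of your WebLogic release before converting a real table. The sample rows and the fixed salt in the comments are constructed.

```python
"""Hashed password storage for the SQLAuthenticator.

Added example, not code from the original post or from Oracle. The provider-specific
settings above (plaintext-passwords-enabled: true, password-style: PLAINTEXT) keep
clear-text passwords in JHS_USERS.PASSWORD. The SQL Authenticator also supports the
styles HASHED and SALTEDHASHED with the digest chosen in password-algorithm (SHA-1 by
default). The stored form used here, "{SHA-1}" + base64(digest) and
"{SSHA}" + base64(digest + salt) as in RFC 2307, is an assumption about the provider:
confirm it against the documentation of your WebLogic release before relying on it.
"""
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # bytes in a SHA-1 digest


def hash_password(password, salt=None):
    """RFC 2307 style value: {SHA-1} when salt is None (HASHED), else {SSHA} (SALTEDHASHED)."""
    pw = password.encode("utf-8")
    if salt is None:
        return "{SHA-1}" + base64.b64encode(hashlib.sha1(pw).digest()).decode("ascii")
    digest = hashlib.sha1(pw + salt).digest()
    # the salt travels inside the stored value, so the table needs no extra column
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_password(stored, candidate):
    """True if candidate matches a stored {SHA-1}, {SSHA} or clear-text value."""
    cand = candidate.encode("utf-8")
    if stored.startswith("{SHA-1}"):
        expected = base64.b64decode(stored[len("{SHA-1}"):])
        actual = hashlib.sha1(cand).digest()
    elif stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        expected, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        actual = hashlib.sha1(cand + salt).digest()
    else:
        # A clear-text row: only usable while plaintext-passwords-enabled is on.
        expected, actual = stored.encode("utf-8"), cand
    # constant-time comparison; avoids leaking how many leading bytes matched
    return hmac.compare_digest(expected, actual)


def is_hashed(stored):
    return stored.startswith("{SHA-1}") or stored.startswith("{SSHA}")


def convert_rows(rows, salt_len=8):
    """Return (username, new_value) for every clear-text row, as SALTEDHASHED.

    rows: iterable of (username, password) as read from JHS_USERS. Rows that are
    already hashed are left alone so the conversion can be re-run safely.
    """
    converted = []
    for username, stored in rows:
        if not is_hashed(stored):
            converted.append((username, hash_password(stored, os.urandom(salt_len))))
    return converted


# Constructed input mirroring the two sample rows inserted at the end of the post.
SAMPLE_ROWS = [("SKING", "SKING"), ("AHUNOLD", "AHUNOLD")]

if __name__ == "__main__":
    for username, value in convert_rows(SAMPLE_ROWS):
        # Same shape as the sql-set-user-password mapping above.
        print("UPDATE jhs_users SET password = '%s' WHERE username = '%s';" % (value, username))
```

Switch password-style to SALTEDHASHED before running the generated UPDATE statements, then clear plaintext-passwords-enabled once no clear-text row is left. SHA-1 is used only because it is the provider's default password-algorithm; if your release offers a stronger digest there, prefer it and adjust the digest length in the script.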


After saving the changes listed above, restart the WebLogic server; provider changes take effect only after a restart.

After the restart, go to the 'Users and Groups' tab of the default security realm ('myrealm'), where users and roles can be viewed, changed or added. Entries created there through the 'db_users' provider are written to the JHS tables with the sql-create-* and sql-add-member-to-group statements above. This is similar to adding roles and users in jazn-data.xml.

Tables required for users and roles (run as the schema owner behind the HRDS data source). Note that this DDL puts no uniqueness on JHS_USERS.USERNAME and no foreign keys on JHS_USER_ROLE_GRANTS; the sql-* mappings above resolve users with scalar subqueries such as ( SELECT id FROM jhs_users WHERE username = ? ), so a duplicate username would fail with ORA-01427 at login. Add a unique constraint on USERNAME (or on USERNAME, ORG_KEY, matching JHS_RLE_UK1) and foreign keys from USR_ID and RLE_ID before using this beyond a demo.

CREATE TABLE JHS_ROLES
(
ID NUMBER(*, 0) NOT NULL,
ORG_KEY VARCHAR2(30) DEFAULT 'DEFAULT' NOT NULL,
SHORT_NAME VARCHAR2(10) NOT NULL,
NAME VARCHAR2(40) NOT NULL
);

CREATE TABLE JHS_USER_ROLE_GRANTS
(
ID NUMBER(*, 0) NOT NULL,
USR_ID NUMBER(*, 0) NOT NULL,
RLE_ID NUMBER(*, 0) NOT NULL
);

CREATE TABLE JHS_USERS
(
ID NUMBER(*, 0) NOT NULL,
EMAIL_ADDRESS VARCHAR2(240),
USERNAME VARCHAR2(240) NOT NULL,
ORG_KEY VARCHAR2(30) DEFAULT 'DEFAULT',
PASSWORD VARCHAR2(240),
DISPLAY_NAME VARCHAR2(240),
LOCALE VARCHAR2(10)
);

ALTER TABLE JHS_ROLES
ADD CONSTRAINT JHS_RLE_PK PRIMARY KEY
( ID ) ENABLE;

ALTER TABLE JHS_ROLES
ADD CONSTRAINT JHS_RLE_UK1 UNIQUE
( SHORT_NAME,ORG_KEY ) ENABLE;

ALTER TABLE JHS_USER_ROLE_GRANTS
ADD CONSTRAINT JHS_URG_PK PRIMARY KEY
( ID ) ENABLE;

ALTER TABLE JHS_USER_ROLE_GRANTS
ADD CONSTRAINT JHS_URG_UK1 UNIQUE
( RLE_ID, USR_ID ) ENABLE;

ALTER TABLE JHS_USERS
ADD CONSTRAINT JHS_USR_PK PRIMARY KEY
( ID ) ENABLE;

CREATE SEQUENCE JHS_SEQ INCREMENT BY 1 MAXVALUE 999999999999999999999999999 MINVALUE 1 CACHE 20 ;

-- Create two users SKING and AHUNOLD
insert into jhs_users (ID, EMAIL_ADDRESS, USERNAME, ORG_KEY, PASSWORD, DISPLAY_NAME)
select jhs_seq.nextval,'SKING','SKING','DEFAULT','SKING', 'Steven King'
from dual
where not exists (select '1' from jhs_users where username='SKING');

insert into jhs_users (ID, EMAIL_ADDRESS, USERNAME, ORG_KEY, PASSWORD, DISPLAY_NAME)
select jhs_seq.nextval,'AHUNOLD','AHUNOLD','DEFAULT','AHUNOLD', 'Alexander Hunold'
from dual
where not exists (select '1' from jhs_users where username='AHUNOLD');

-- set up two roles: Administrator and User
insert into jhs_roles(id, SHORT_NAME, name)
select jhs_seq.nextval, 'ADMIN','Administrator'
from dual
where not exists (select '1' from jhs_roles where short_name='ADMIN');

insert into jhs_roles(id, SHORT_NAME, name)
select jhs_seq.nextval, 'USER','User'
from dual
where not exists (select '1' from jhs_roles where short_name='USER');

-- Make Steven King Administrator
insert into jhs_user_role_grants (id,rle_id,usr_id)
select jhs_seq.nextval, rle.id, usr.id
from jhs_roles rle, jhs_users usr
where rle.short_name='ADMIN'
and usr.username='SKING'
and not exists (select '1' from jhs_user_role_grants urg2
where urg2.usr_id = usr.id
and urg2.rle_id = rle.id);

-- Make Alexander Hunold User
insert into jhs_user_role_grants (id,rle_id,usr_id)
select jhs_seq.nextval, rle.id, usr.id
from jhs_roles rle, jhs_users usr
where rle.short_name='USER'
and usr.username='AHUNOLD'
and not exists (select '1' from jhs_user_role_grants urg2
where urg2.usr_id = usr.id
and urg2.rle_id = rle.id);

commit;


To log out of ADF Security we can also redirect to the ADF authentication servlet from an action method in a managed bean, as follows (the servlet invalidates the session and then sends the browser to end_url):

  import java.io.IOException;
  import javax.faces.context.ExternalContext;
  import javax.faces.context.FacesContext;

  public class LogoutBean {

      // Action method bound to a logout button or link.
      public String logoutAction() {
          FacesContext fctx = FacesContext.getCurrentInstance();
          ExternalContext ectx = fctx.getExternalContext();
          // end_url is relative to the application context; keep it that way so the
          // logout link cannot be turned into a redirect to another site.
          String url = ectx.getRequestContextPath()
                       + "/adfAuthentication?logout=true&end_url=/faces/Homepage.jspx";
          try {
              ectx.redirect(url);
          } catch (IOException e) {
              e.printStackTrace();
          }
          // Tell JSF the response has been handled so it does not render a view.
          fctx.responseComplete();
          return null;
      }
  }


In the above method, Homepage.jspx is a public page in the application, one the security policy leaves accessible to the anonymous role, that the user is redirected to after a successful logout. If end_url pointed at a protected page, the user would be sent straight back to the login form.
