Configuring ADF security using database tables:
(Create the required tables as provided at the end of this blog. Also create the required data source.)
1. Select the Security Realms link > select the default realm "myrealm".
2. Go to the Providers tab. Here we can create a new authentication provider.
3. Give a suitable name and select 'SQLAuthenticator' in the Type of authentication provider selection. Click OK.
4. Select your just-created provider ('db_users') and change the Control flag to 'Sufficient'. Click Save.
The control flag determines how the SQL Authenticator will behave if the login module succeeds or fails. The possible values and outcomes are as follows:
- A REQUIRED value specifies this LoginModule must succeed. Even if it fails, authentication proceeds down the list of LoginModules for the configured Authentication providers.
- A REQUISITE value specifies this LoginModule must succeed. If other Authentication providers are configured and this LoginModule succeeds, authentication proceeds down the list of LoginModules. Otherwise, control is returned to the application.
- A SUFFICIENT value specifies this LoginModule need not succeed. If it does succeed, control is returned to the application. If it fails and other Authentication providers are configured, authentication proceeds down the LoginModule list.
- An OPTIONAL value specifies this LoginModule need not succeed. Whether it succeeds or fails, authentication proceeds down the LoginModule list. This setting is the default.
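As an added illustration (not part of the original post), the following Python simulation applies these four control-flag rules to a realm with two providers: the 'db_users' SQLAuthenticator from this post and an assumed DefaultAuthenticator for WebLogic's embedded LDAP, with constructed user rows that mirror the SKING/AHUNOLD seed data below. It shows why a DefaultAuthenticator left at REQUIRED locks out database-only users even though db_users is SUFFICIENT.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"

@dataclass
class Provider:
    name: str
    flag: str
    check: Callable[[str, str], bool]   # (username, password) -> did the login module succeed?

def authenticate(providers: List[Provider], user: str, pw: str) -> Tuple[bool, List[str]]:
    """Walk the providers in order with JAAS control-flag rules; return (authenticated, consulted)."""
    consulted: List[str] = []
    required_failed = False    # a REQUIRED/REQUISITE module has already failed
    required_seen = False      # at least one REQUIRED/REQUISITE module is configured
    optional_success = False   # some SUFFICIENT/OPTIONAL module succeeded
    for p in providers:
        consulted.append(p.name)
        ok = p.check(user, pw)
        if p.flag in (REQUIRED, REQUISITE):
            required_seen = True
            if not ok:
                required_failed = True
                if p.flag == REQUISITE:        # REQUISITE failure: stop the list at once
                    return False, consulted
        elif p.flag == SUFFICIENT and ok:      # SUFFICIENT success: return control to the app
            return (not required_failed), consulted
        elif p.flag == OPTIONAL and ok:
            optional_success = True
        # every other outcome: keep walking the list
    if required_failed:
        return False, consulted
    return (True if required_seen else optional_success), consulted

# Constructed stand-ins: users of an assumed DefaultAuthenticator (embedded LDAP), and
# the two rows seeded into jhs_users, compared as-is because password-style is PLAINTEXT.
LDAP_USERS = {"weblogic": "ldap-pw-placeholder"}
JHS_USERS = {"SKING": "SKING", "AHUNOLD": "AHUNOLD"}

def default_authenticator(u: str, p: str) -> bool: return LDAP_USERS.get(u) == p
def db_users(u: str, p: str) -> bool: return JHS_USERS.get(u) == p   # sql-get-users-password lookup

def realm(default_flag: str) -> List[Provider]:
    return [Provider("DefaultAuthenticator", default_flag, default_authenticator),
            Provider("db_users", SUFFICIENT, db_users)]

if __name__ == "__main__":
    # DefaultAuthenticator left REQUIRED: a database-only user can never log in.
    print(authenticate(realm(REQUIRED), "SKING", "SKING"))    # (False, ['DefaultAuthenticator', 'db_users'])
    # Both SUFFICIENT: SKING passes via db_users; 'weblogic' is answered by the first provider alone.
    print(authenticate(realm(SUFFICIENT), "SKING", "SKING"))  # (True, ['DefaultAuthenticator', 'db_users'])
    print(authenticate(realm(SUFFICIENT), "weblogic", "ldap-pw-placeholder"))  # (True, ['DefaultAuthenticator'])
```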
5. Go to the 'Provider Specific' tab where we can add the details of the provider. The settings for the detail fields are as follows:

data-source-name: HRDS (whatever data source you want to use for security)
plaintext-passwords-enabled: true (checkbox)
password-style: PLAINTEXT
sql-get-users-password: SELECT password FROM jhs_users WHERE username = ?
sql-set-user-password: UPDATE jhs_users SET password = ? WHERE username = ?
sql-user-exists: SELECT username FROM jhs_users WHERE username = ?
sql-list-users: SELECT username FROM jhs_users WHERE username LIKE ?
sql-create-user: INSERT INTO jhs_users ( id, username, password, display_name ) VALUES ( jhs_seq.nextval, ?, ?, ? )
sql-remove-user: DELETE FROM jhs_users WHERE username = ?
sql-list-groups: SELECT short_name FROM jhs_roles WHERE short_name LIKE ?
sql-group-exists: SELECT short_name FROM jhs_roles WHERE short_name = ?
sql-create-group: INSERT INTO jhs_roles ( id, short_name, name ) VALUES ( jhs_seq.nextval, ?, ? )
sql-remove-group: DELETE FROM jhs_roles WHERE short_name = ?
sql-is-member: SELECT u.username FROM jhs_user_role_grants g, jhs_users u WHERE u.id = g.usr_id AND rle_id = ( SELECT id FROM jhs_roles WHERE short_name = ? ) AND usr_id = ( SELECT id FROM jhs_users WHERE username = ? )
sql-list-member-groups: SELECT short_name FROM jhs_user_role_grants g, jhs_roles r, jhs_users u WHERE g.usr_id = u.id AND g.rle_id = r.id AND u.username = ?
sql-list-group-members: SELECT username FROM jhs_user_role_grants g, jhs_roles r, jhs_users u WHERE g.usr_id = u.id AND g.rle_id = r.id AND r.short_name = ? AND u.username LIKE ?
sql-remove-group-memberships: DELETE FROM jhs_user_role_grants WHERE rle_id = ( SELECT id FROM jhs_roles WHERE short_name = ? ) OR usr_id = ( SELECT id FROM jhs_users WHERE username = ? )
sql-add-member-to-group: INSERT INTO jhs_user_role_grants ( id, rle_id, usr_id ) VALUES ( jhs_seq.nextval, ( SELECT id FROM jhs_roles WHERE short_name = ? ), ( SELECT id FROM jhs_users WHERE username = ? ) )
sql-remove-member-from-group: DELETE FROM jhs_user_role_grants WHERE rle_id = ( SELECT id FROM jhs_roles WHERE short_name = ? ) AND usr_id = ( SELECT id FROM jhs_users WHERE username = ? )
sql-remove-group-member: DELETE FROM jhs_user_role_grants WHERE rle_id = ( SELECT id FROM jhs_roles WHERE short_name = ? )
sql-get-user-description: SELECT display_name FROM jhs_users WHERE username = ?
sql-set-user-description: UPDATE jhs_users SET display_name = ? WHERE username = ?
sql-get-group-description: SELECT name FROM jhs_roles WHERE short_name = ?
sql-set-group-description: UPDATE jhs_roles SET name = ? WHERE short_name = ?

Note that with plaintext-passwords-enabled and password-style PLAINTEXT the passwords are stored and compared in cleartext in jhs_users; the SQLAuthenticator also supports hashed password styles (SHA-1, SSHA), which is what a production realm should use. Every statement above takes its values through bind parameters (?), so keep that pattern if you adapt the queries to your own schema.
After saving the changes listed above, restart the WebLogic server (mandatory).
After the reboot, go to the 'User and Group' tab of your default security realm ('myrealm'), where we can change or add users and roles. This is similar to adding the roles and users in jazn-data.xml.
Tables required for users and roles:
CREATE TABLE JHS_ROLES
(
  ID NUMBER(*, 0) NOT NULL,
  ORG_KEY VARCHAR2(30) DEFAULT 'DEFAULT' NOT NULL,
  SHORT_NAME VARCHAR2(10) NOT NULL,
  NAME VARCHAR2(40) NOT NULL
);

CREATE TABLE JHS_USER_ROLE_GRANTS
(
  ID NUMBER(*, 0) NOT NULL,
  USR_ID NUMBER(*, 0) NOT NULL,
  RLE_ID NUMBER(*, 0) NOT NULL
);

CREATE TABLE JHS_USERS
(
  ID NUMBER(*, 0) NOT NULL,
  EMAIL_ADDRESS VARCHAR2(240),
  USERNAME VARCHAR2(240) NOT NULL,
  ORG_KEY VARCHAR2(30) DEFAULT 'DEFAULT',
  PASSWORD VARCHAR2(240),
  DISPLAY_NAME VARCHAR2(240),
  LOCALE VARCHAR2(10)
);

ALTER TABLE JHS_ROLES ADD CONSTRAINT JHS_RLE_PK PRIMARY KEY ( ID ) ENABLE;
ALTER TABLE JHS_ROLES ADD CONSTRAINT JHS_RLE_UK1 UNIQUE ( SHORT_NAME, ORG_KEY ) ENABLE;
ALTER TABLE JHS_USER_ROLE_GRANTS ADD CONSTRAINT JHS_URG_PK PRIMARY KEY ( ID ) ENABLE;
ALTER TABLE JHS_USER_ROLE_GRANTS ADD CONSTRAINT JHS_URG_UK1 UNIQUE ( RLE_ID, USR_ID ) ENABLE;
ALTER TABLE JHS_USERS ADD CONSTRAINT JHS_USR_PK PRIMARY KEY ( ID ) ENABLE;

CREATE SEQUENCE JHS_SEQ INCREMENT BY 1 MAXVALUE 999999999999999999999999999 MINVALUE 1 CACHE 20;
-- Create two users SKING and AHUNOLD (inserted only if they do not exist yet)
insert into jhs_users (ID, EMAIL_ADDRESS, USERNAME, ORG_KEY, PASSWORD, DISPLAY_NAME)
select jhs_seq.nextval, 'SKING', 'SKING', 'DEFAULT', 'SKING', 'Steven King'
from dual
where not exists (select '1' from jhs_users where username = 'SKING');

insert into jhs_users (ID, EMAIL_ADDRESS, USERNAME, ORG_KEY, PASSWORD, DISPLAY_NAME)
select jhs_seq.nextval, 'AHUNOLD', 'AHUNOLD', 'DEFAULT', 'AHUNOLD', 'Alexander Hunold'
from dual
where not exists (select '1' from jhs_users where username = 'AHUNOLD');

-- Set up two roles: Administrator and User
insert into jhs_roles (id, SHORT_NAME, name)
select jhs_seq.nextval, 'ADMIN', 'Administrator'
from dual
where not exists (select '1' from jhs_roles where short_name = 'ADMIN');

insert into jhs_roles (id, SHORT_NAME, name)
select jhs_seq.nextval, 'USER', 'User'
from dual
where not exists (select '1' from jhs_roles where short_name = 'USER');

-- Make Steven King Administrator
insert into jhs_user_role_grants (id, rle_id, usr_id)
select jhs_seq.nextval, rle.id, usr.id
from jhs_roles rle, jhs_users usr
where rle.short_name = 'ADMIN'
  and usr.username = 'SKING'
  and not exists (select '1' from jhs_user_role_grants urg2
                  where urg2.usr_id = usr.id
                    and urg2.rle_id = rle.id);

-- Make Alexander Hunold User
insert into jhs_user_role_grants (id, rle_id, usr_id)
select jhs_seq.nextval, rle.id, usr.id
from jhs_roles rle, jhs_users usr
where rle.short_name = 'USER'
  and usr.username = 'AHUNOLD'
  and not exists (select '1' from jhs_user_role_grants urg2
                  where urg2.usr_id = usr.id
                    and urg2.rle_id = rle.id);

commit;
For logout from ADF Security we could also invoke the logout by a redirect performed from an action method in a managed bean, as follows:

import java.io.IOException;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

public String logoutAction() {
    FacesContext fctx = FacesContext.getCurrentInstance();
    ExternalContext ectx = fctx.getExternalContext();
    // The ADF authentication servlet ends the session when called with logout=true;
    // end_url is the page the browser is sent to afterwards.
    String url = ectx.getRequestContextPath() + "/adfAuthentication?logout=true&end_url=/faces/Homepage.jspx";
    try {
        ectx.redirect(url);
    } catch (IOException e) {
        e.printStackTrace();
    }
    // Tell JSF the response has been handled so no further rendering happens.
    fctx.responseComplete();
    return null;
}
In the above method, Homepage.jspx refers to a public page in the application that the user is redirected to after a successful logout.
Excellent post. Thank you.