These notes describe my research and (finally successful) efforts to:
- Build a standalone WebLogic Server (WLS) 10.3 server
- Build an ADF Fusion Application using ADF Security
- Deploy to a standalone WebLogic Server (WLS) 10.3 server
- Configure WLS 10.3 to use MS-Active Directory (MS-AD) for user authentication
Build a standalone WebLogic Server (WLS) 10.3 server
Follow my instructions via my previous post: Configuring WebLogic Server Domain/Machine/Server instances with the JDeveloper 11g ADF installer
That post was inspired by Duncan Mills's A Rough Guide To Installing and Setting up WebLogic 10.3 Production for Running ADF Applications
Configuring JDeveloper's connection to the WLS server
I'll assume it's fairly easy for readers to set up a connection in JDeveloper to your standalone WLS server. Note that the WLS domain option must match the domain you created in the previous section (i.e. ADFDomain), and the port number must be that of the AdminServer (i.e. 7001).
Build an ADF Fusion Application
I won't bother to describe creating a basic ADF Fusion Application using ADF BC and ADF Faces RC. The following screenshot of the Application Navigator shows the basic project files for my sample. Note the 2 web pages: ViewClients.jspx and ViewClientNames.jspx.
Configuring your Fusion Application to run with ADF Security
A useful link for understanding this section: Frank Nimphius's ADF Security Part 2: Setup and Authentication
The Tools -> Configure ADF Security menu option invokes the ADF Security wizard. The following screenshots show the configuration for my application.
Step 1 of 6 – Enable ADF Security page
Step 2 of 6 – Select authentication type page
Step 3 of 6 – Select identity store page
Step 4 of 6 – Enable automatic policy grants page
Step 5 of 6 – Specify authenticated welcome page
Step 6 of 6 – Summary page
Mapping MS-Active Directory roles against Application Roles
A useful link for understanding this section: Andrejus Baranovskis's Practical ADF Security Deployment on WebLogic Server
Before completing this section you need to:
1) Think about the roles of your application – say admin, hr, sales, etc.
2) Think about how these will map to your MS-Active Directory (MS-AD) groups
We'll refer to #1 as Application Roles, and #2 as Enterprise Roles.
These could have the same names with a one-to-one mapping, or different names, or even a one-to-many mapping.
For the purposes of this post we'll assume there is a single MS-AD enterprise role, Corporate Services, that we want to map to our single application role, AppCorporateServices.
As per Andrejus's post above, we configure the Enterprise Role to Application Role mappings in the jazn-data.xml file created by the ADF Security wizard, located in Application Navigator -> Application Resources -> Descriptors -> META-INF -> jazn-data.xml.
On opening the jazn-data.xml file, select the Overview tab at the bottom of the editor window, then the Manage Users and Roles button at the top right of the editor. This invokes the Edit JPS Identity & Policy Store dialog.
We define our Enterprise Roles under the Identity Store -> jazn.com -> Roles section as follows:
We define our Application Roles under the Application Policy Store option. You'll first need to create the store, then you define the individual Application Roles as follows:
Note that under the Member Roles tab we map the Enterprise Role to the Application Role:
Restricting access to web pages through the Application Roles
A useful link for understanding this section: Andrejus Baranovskis's Practical ADF Security Deployment on WebLogic Server
Returning to the jazn-data.xml file's Overview tab and selecting the Web Pages option, add the Application Role with View privileges against the ViewClientNames page. Note that ViewClients deliberately gets no grant at all; with ADF Security enabled that means nobody can view it, which the test section later in this post relies on:
Note that Andrejus's post goes on to tell you about configuring the weblogic.xml file. This should have been done by default by the ADF Security wizard, but it's still worth opening weblogic.xml to confirm the security-role-assignment entry the wizard adds is present.
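The mapping and the page grant configured above end up as XML in jazn-data.xml, and it is worth being able to read that file back rather than trusting the dialogs. The following is an added example, not code from this post or from Oracle: a small Python audit that parses a jazn-data.xml, lists which enterprise roles reach which pages through the application roles, and predicts offline what the pre-MS-AD test later in this post should show (test1 in Corporate Services allowed on ViewClientNames; test2, and the ungranted ViewClients page, denied). The embedded XML is a constructed sample shaped like the file JDeveloper 11g writes; the permission names view.pageDefs.ViewClientNamesPageDef and view.pageDefs.ViewClientsPageDef assume the wizard's default naming for these two pages.

```python
"""Audit an ADF jazn-data.xml: which enterprise roles may view which pages?

Added example, not code from the original post or from Oracle. It reads
the policy store the ADF Security wizard writes (app-roles, their
enterprise-role members, and the page grants) and answers offline the
question the post's test section checks by hand against the server:
given the WLS groups a user holds, may they view a given page?
"""
import xml.etree.ElementTree as ET

APP_ROLE_CLASS = "oracle.security.jps.service.policystore.ApplicationRole"

# Constructed sample shaped like JDeveloper 11g's jazn-data.xml, holding the
# post's one enterprise role, one application role and one page grant.  The
# permission names assume the default view.pageDefs.<Page>PageDef naming.
SAMPLE_JAZN_DATA = """<?xml version="1.0" encoding="UTF-8"?>
<jazn-data>
  <jazn-realm default="jazn.com">
    <realm><name>jazn.com</name>
      <roles><role><name>Corporate Services</name></role></roles>
    </realm>
  </jazn-realm>
  <policy-store><applications><application>
    <name>TestStandaloneWLSSecurity</name>
    <app-roles>
      <app-role>
        <name>AppCorporateServices</name>
        <class>oracle.security.jps.service.policystore.ApplicationRole</class>
        <members>
          <member>
            <class>oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl</class>
            <name>Corporate Services</name>
          </member>
        </members>
      </app-role>
    </app-roles>
    <jazn-policy>
      <grant>
        <grantee><principals><principal>
          <class>oracle.security.jps.service.policystore.ApplicationRole</class>
          <name>AppCorporateServices</name>
        </principal></principals></grantee>
        <permissions><permission>
          <class>oracle.adf.share.security.authorization.RegionPermission</class>
          <name>view.pageDefs.ViewClientNamesPageDef</name>
          <actions>view</actions>
        </permission></permissions>
      </grant>
    </jazn-policy>
  </application></applications></policy-store>
</jazn-data>
"""


def load(xml_text=SAMPLE_JAZN_DATA):
    """Parse a jazn-data.xml document (the constructed sample by default)."""
    return ET.fromstring(xml_text)


def app_role_members(root):
    """Application role name -> set of enterprise roles (groups) that are members."""
    return {r.findtext("name"): {m.findtext("name") for m in r.iter("member")}
            for r in root.iter("app-role")}


def page_grants(root):
    """Page permission name -> set of application roles granted 'view' on it."""
    grants = {}
    for grant in root.iter("grant"):
        roles = {p.findtext("name") for p in grant.iter("principal")
                 if p.findtext("class") == APP_ROLE_CLASS}
        for perm in grant.iter("permission"):
            if "view" in (perm.findtext("actions") or "").split(","):
                grants.setdefault(perm.findtext("name"), set()).update(roles)
    return grants


def can_view(root, user_groups, page_permission):
    """True if one of the user's groups is a member of an app role holding
    'view' on the page.  A page the policy never mentions has no grant, so
    it is denied to everyone once ADF Security is enabled."""
    members = app_role_members(root)
    return any(members.get(role, set()) & set(user_groups)
               for role in page_grants(root).get(page_permission, ()))


def access_matrix(root, users, pages):
    """(user, page) -> allowed, for a set of realm users and their groups."""
    return {(u, p): can_view(root, g, p) for u, g in users.items() for p in pages}


if __name__ == "__main__":
    # Realm state from the post's test: test1 in Corporate Services, test2 in no group.
    users = {"test1": {"Corporate Services"}, "test2": set()}
    pages = ("view.pageDefs.ViewClientNamesPageDef", "view.pageDefs.ViewClientsPageDef")
    for (user, page), ok in access_matrix(load(), users, pages).items():
        print(f"{user:6} {page:40} {'200 OK' if ok else '403 Forbidden'}")
```

Run it against your own file with load(open("jazn-data.xml").read()). Anything that can reach a page without going through an application role you expect shows up in page_grants as an extra role name; in particular the built-in anonymous-role and authenticated-role principals carry the same ApplicationRole class, so a grant to either of them on a page you meant to restrict is visible at a glance.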
Deploying the app to a standalone WebLogic Server
Assuming you've created a connection to your standalone WLS server in JDeveloper and the WLS server is up and running, select Application Navigator -> Application Menu (top-right drop down) -> Deploy -> To -> (your connection name).
During the deployment you'll see the following dialog asking which server to deploy to. I'll assume you've set up 2 servers as per the earlier post, so deploy to ADFServer:
Wait for a successful deployment.
Post deployment steps
Useful links for understanding this section:
- Steve Muench's Simplified ADF 11g Application Credential and Policy Migration to Standalone WebLogic Servers
- Andrejus Baranovskis's Practical ADF Security Deployment on WebLogic Server
Follow Steve's steps 1, 2 and 3 on the WLS server.
Copy your application code to a directory accessible via the standalone WLS server.
Assuming you've configured the app with a database connection and jazn-data.xml entries, follow his step 3.4. Note that:
- The APPWORKSPACEDIR is the directory you copied the application code to in the previous step
- The APPNAME is configured in JDeveloper as your Application name (i.e. TestStandaloneWLSSecurity)
- The DEPLOYAPPNAME is configured in JDev under Application Properties -> Deployment -> Edit -> General -> Application Name, and will be the name of the enterprise application once it is deployed to WLS (i.e. TestStandaloneWLSSecurity_application1)
Follow Steve's step 3.5. For the record, I usually only have an instance of JpsXmlEnterpriseRoleImpl to replace, not JpsXmlUserImpl.
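Step 3.5 is the one that makes the role mapping actually work on the standalone server. In the migrated policy the member of AppCorporateServices is still recorded with the class of JDeveloper's file-based identity store (JpsXmlEnterpriseRoleImpl), while a user authenticated by the WLS realm (and later by MS-AD) carries weblogic.security.principal.WLSGroupImpl principals, so the membership never matches until that class is swapped. The following is an added example, not Steve's script and not Oracle tooling: a Python rewrite that reports the stale member classes, replaces JpsXmlEnterpriseRoleImpl with WLSGroupImpl (and JpsXmlUserImpl with WLSUserImpl, should one appear), and leaves the group names untouched. The embedded XML is a constructed fragment; the file path, and the assumption that the migrated store is the domain's system-jazn-data.xml, are mine rather than the post's.

```python
"""Rewrite JDeveloper XML-store principal classes to WLS principal classes.

Added example, not Steve Muench's script or Oracle tooling.  After the
policy migration the app-role memberships still name their members with
the class of JDeveloper's file-based identity store
(...JpsXmlEnterpriseRoleImpl / ...JpsXmlUserImpl).  A standalone WLS puts
weblogic.security.principal.WLSGroupImpl / WLSUserImpl principals in the
authenticated subject, so a membership that names the JpsXml class never
matches and the grant behind it is dead.  This swaps the classes and
reports what it touched: step 3.5 done mechanically.
"""
import sys
import xml.etree.ElementTree as ET

# JDeveloper XML identity store class -> WebLogic realm principal class.
PRINCIPAL_CLASS_MAP = {
    "oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl":
        "weblogic.security.principal.WLSGroupImpl",
    "oracle.security.jps.internal.core.principals.JpsXmlUserImpl":
        "weblogic.security.principal.WLSUserImpl",
}

# Keep the xsi prefix real files use on the root element when re-serialising.
ET.register_namespace("xsi", "http://www.w3.org/2001/XMLSchema-instance")

# Constructed fragment of a migrated policy store (the shape is assumed to
# match system-jazn-data.xml) with one app role whose member still carries
# the JDeveloper class.
SAMPLE_MIGRATED = """<jazn-data><policy-store><applications><application>
  <name>TestStandaloneWLSSecurity_application1</name>
  <app-roles><app-role>
    <name>AppCorporateServices</name>
    <class>oracle.security.jps.service.policystore.ApplicationRole</class>
    <members><member>
      <class>oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl</class>
      <name>Corporate Services</name>
    </member></members>
  </app-role></app-roles>
</application></applications></policy-store></jazn-data>
"""


def stale_member_classes(xml_text):
    """Classes of app-role members that WLS will never match, with counts."""
    root = ET.fromstring(xml_text)
    counts = {}
    for app_role in root.iter("app-role"):
        for member in app_role.iter("member"):
            cls = member.findtext("class")
            if cls in PRINCIPAL_CLASS_MAP:
                counts[cls] = counts.get(cls, 0) + 1
    return counts


def migrate_member_classes(xml_text):
    """Return the document with every JpsXml* member class replaced by its
    WLS counterpart.  Member names (the group names) are left alone, since
    they must still equal the WLS group name exactly, including the space
    in 'Corporate Services'."""
    root = ET.fromstring(xml_text)
    for app_role in root.iter("app-role"):
        for member in app_role.iter("member"):
            cls = member.find("class")
            if cls is not None and cls.text in PRINCIPAL_CLASS_MAP:
                cls.text = PRINCIPAL_CLASS_MAP[cls.text]
    # ElementTree does not re-emit the declaration (and drops XML comments).
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def member_principals(xml_text):
    """Sorted (member class, member name) pairs, to eyeball before and after."""
    root = ET.fromstring(xml_text)
    return sorted((m.findtext("class"), m.findtext("name"))
                  for r in root.iter("app-role") for m in r.iter("member"))


if __name__ == "__main__":
    # Usage: python fix_principals.py /path/to/system-jazn-data.xml > fixed.xml
    # (run on a copy with the server stopped; the path is yours, not the post's).
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MIGRATED
    print("stale members before:", stale_member_classes(text), file=sys.stderr)
    fixed = migrate_member_classes(text)
    print("stale members after: ", stale_member_classes(fixed), file=sys.stderr)
    print(fixed)
```

Diff the output against the original before putting it in place; the diff should show only the class lines, plus any XML comments ElementTree dropped. If stale_member_classes still reports anything after the rewrite, a member class outside the two mapped ones is present and needs a look by hand.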
Restart the WLS server
Testing before configuring for MS-Active Directory
At this stage, before configuring WLS to use MS-Active Directory for authentication, it's worth checking that your deployed application is correctly configured to use security. As such we'll create a temporary group and a couple of user accounts in the WLS realm to test access to our web pages.
Login to the WLS console.
Navigate to Security Realms -> myrealm -> Users and Groups tab -> Groups, and create a group called Corporate Services (the name must match the Enterprise Role in jazn-data.xml exactly).
Create 2 users, test1 and test2, and allocate user test1 to the new Corporate Services group.
Because test1 is in the Corporate Services group (our Enterprise Role), which is mapped to the AppCorporateServices Application Role, which in turn is granted view access to the ViewClientNames page, only user test1 should be able to access that page.
On attempting to access the ViewClientNames page as test2, having logged in successfully, you should get a 403 Forbidden response.
On attempting to access the same page as test1, it should display correctly.
On attempting to access the ViewClients page as either authenticated user you should get a 403 Forbidden response, as no grant was defined for that page so neither user has access.
Remove the test users and test group afterwards; don't leave test accounts in the realm of a server that is about to be wired to your corporate directory.
Configuring MS-Active Directory on your standalone WLS
Follow my instructions via my previous post: Configuring WLS With MS Active Directory
Other useful posts to aid understanding of configuring WLS authentication providers:
- Frank Nimphius's How-to configure OID for authentication in WebLogic Server
- Edwin Biemond's Using OpenLDAP as security provider in WebLogic
At this point you should have everything in place.
Post note
Thanks to all parties above, in particular Andrejus, Frank, Steve and Edwin, who either posted blog entries or forum posts, or talked to me offline; your assistance in getting this together is appreciated.
11 comments:
I did the migration exactly as you did it, but I am getting this WARNING: No identity store associate with policy store found. Do you maybe know what is causing this problem?
Sorry, you'd be best to ask such a question on the JDev OTN forum.
CM.
Thanks a lot Chris.
Related to: Configure WLS 10.3 to use MS-Active Directory (MS-AD) for user authentication
I succeeded in configuring it for user authentication,
but I found that in the case of using some restriction in AD (e.g. if we make this user able to log on only from some machine, set from AD),
the authentication fails, even if he tries from his machine;
otherwise authentication passes.
Have you tried/tested some issues like this? And what do you think the reason causing this is?
(Is it from AD or something not configured in WLS?)
Thanks
Sorry, can't say I have. In this case my recommendation to you is to lodge a support request with Oracle Support to see if WLS supports this particular AD feature.
CM.
Thanks, I will do.
Hi Chris,
I have a requirement to use Active Directory for authentication as you described, so that fits the bill. A follow-up question I have is: is there a way to use a custom database store for authorization for a Fusion application?
Thanks,
Dipal
I don't believe WLS authorization supports the DB, though I'm about 32% sure, so please check.
CM.
Hi,
Do you have an updated link to Steve's article as per the following part of your post:
"Steve Muench's Simplified ADF 11g Application Credential and Policy Migration to Standalone WebLogic Servers"
I appreciate your help in this regard,
Hannes.
Hi Hannes
A quick Google reveals this.
However I'm not sure this article is relevant anymore, JDev should now take care of this, since at least 11.1.1.2.0 if not earlier.
Regards,
CM.
Hi all,
I have a requirement to use the SiteMinder authentication provider (SM ASA r12 agent for WebLogic). I have a SM Authentication provider configured in WLS ... it worked on 10g, no problem.
Has anyone else managed to map ADF roles to SiteMinder provider groups?
thanks
Ed
Hi Zed
Can't say I have. Probably a good question for the OTN WLS Security Forums. (Sorry I can't give you the link at the moment as the forums seem to be down for maintenance.)
CM.