Thursday 15 January 2009

Configuring a JDev 11g ADF Security app on standalone WLS against MS Active Directory

These notes describe my research and (finally successful) efforts to:
  • Build a standalone WebLogic Server (WLS) 10.3 server
  • Build an ADF Fusion Application using ADF Security
  • Deploy to a standalone WebLogic Server (WLS) 10.3 server
  • Configure WLS 10.3 to use MS-Active Directory (MS-AD) for user authentication
The following describes the numerous steps to get to this point, mainly for my documentation purposes, but possibly useful to readers.  Usual caveat: your mileage may vary.

Build a standalone WebLogic Server (WLS) 10.3 server

Follow my instructions via my previous post: Configuring WebLogic Server Domain/Machine/Server instances with the JDeveloper 11g ADF installer

That post was inspired by: Duncan Mills's A Rough Guide To Installing and Setting up WebLogic 10.3 Production for Running ADF Applications

Configuring JDeveloper's connection to the WLS server

I'll assume it's fairly easy for readers to set up a connection in JDeveloper to your standalone WLS server.  Note that the WLS domain option must match the domain you created in the previous section (i.e. ADFDomain), and the port number must be that of the AdminServer (i.e. 7001).

Build an ADF Fusion Application

I won't bother to describe creating a basic ADF Fusion Application using ADF BC and ADF Faces RC.  The following screenshot of the Application Navigator shows the basic project files for my sample.  Note the 2 web pages: ViewClients.jspx and ViewClientNames.jspx.



Configuring your Fusion Application to run with ADF Security

A useful link for understanding this section: Frank Nimphius's ADF Security Part 2: Setup and Authentication

The Tools -> Configure ADF Security option invokes the ADF Security wizard.  The following screenshots show the configuration for my application.

Step 1 of 6 – Enable ADF Security page



Step 2 of 6 – Select authentication type page



Step 3 of 6 – Select identity store page



Step 4 of 6 – Enable automatic policy grants page



Step 5 of 6 – Specify authenticated welcome page



Step 6 of 6 – Summary page



Mapping MS-Active Directory roles against Application Roles

A useful link for understanding this section: Andrejus Baranovskis's Practical ADF Security Deployment on WebLogic Server

Before completing this section you need to:

1) Think about the roles of your application – say, admin, hr, sales etc
2) Think about how these will map to your MS-Active Directory (MS-AD) roles

We'll refer to #1 as Application Roles, and #2 as Enterprise Roles.

These could have the same names with a 1 to 1 mapping, or different names, or even a 1 to many mapping.

For purposes of this post we'll assume there is a single MS-AD enterprise role Corporate Services that we want to map against our single application role AppCorporateServices.

As per Andrejus's post above, we configure the Enterprise Role to Application Role mappings in our application's jazn-data.xml file.  This file is created by the ADF Security wizard and is located under Application Navigator -> Application Resources -> Descriptors -> META-INF -> jazn-data.xml.

On opening the jazn-data.xml file, select the Overview tab at the bottom of the editor window, then the Manage Users and Roles button at the top right of the editor.  This invokes the Edit JPS Identity & Policy Store dialog.

We define our Enterprise Roles under the Identity Store -> jazn.com -> Roles section as follows:



We define our Application Roles under the Application Policy Store option.  You'll first need to create the store, then you define the individual Application Roles as follows:



Note that under the Member Roles tab we map the Enterprise Role against the Application Role:



Restricting access to web pages through the Application Roles

A useful link for understanding this section: Andrejus Baranovskis's Practical ADF Security Deployment on WebLogic Server

Returning to the jazn-data.xml file's Overview tab, and selecting the Web Pages option, add the Application Role with View privileges against the ViewClientNames page:



Note that Andrejus's post goes on to tell you about configuring the weblogic.xml file.  This should have been done by default via the ADF Security wizard.

Deploying the app to a standalone WebLogic Server


Assuming you've created a connection to your standalone WLS server in JDeveloper and the WLS server is up and running, select the Application Navigator -> Application Menu (top right drop down) -> Deploy -> To -> (your connection name).

During the deployment you'll see the following dialog asking which server to deploy to. I'll assume you've set up 2 servers, so deploy to ADFServer:



Wait for a successful deployment.

Post deployment steps

Useful links in understanding this section:

As per Steve's article, as of JDev 11g build 5188 the JDeveloper deployment tools don't migrate your application's security completely to WLS.  As such you need to follow these further steps:

Follow Steve's steps 1, 2 and 3 on the WLS server.

Copy your application code to a directory accessible via the standalone WLS server.

Assuming you've configured the app with a database connection and jazn-data.xml entries, follow his step 3.4.  Note that:
  • The APPWORKSPACEDIR is where you copied the application code to in the previous step
  • The APPNAME is configured in JDeveloper as your Application name (i.e. TestStandaloneWLSSecurity)
  • The DEPLOYAPPNAME is configured in JDev under Application Properties -> Deployment -> Edit -> General -> Application Name, and will be the enterprise application when the application is deployed to WLS (i.e. TestStandaloneWLSSecurity_application1)

On your WLS server locate the file system-jazn-data.xml.  It's typically located under (WLS_HOME)\user_projects\domains\(your domain name)\config\oracle.

Follow Steve's step 3.5.  For the record I usually only have an instance of JpsXmlEnterpriseRoleImpl to replace, not JpsXmlUserImpl.

Restart the WLS server

Testing before configuring for MS-Active Directory

At this stage, before configuring WLS to use MS-Active Directory for authentication, it's worth checking that your application is correctly deployed and configured to use security.  To do so we'll create a temporary group and user accounts to test access to our web pages.

Log in to the WLS console.

Navigate to Security Realms -> myrealm -> Users and Groups tab -> Groups, and create a group called Corporate Services.



Create 2 users test1 and test2.  Allocate user test1 to the new Corporate Services group.

Because test1 has the Corporate Services enterprise role, which is mapped to the AppCorporateServices application role, which in turn grants access to the ViewClientNames page, only user test1 should be able to access that page.

On attempting to access the ViewClientNames page as test2, you should get a 403 forbidden response once you have logged in successfully.

On attempting to access the same page as test1, it should display correctly.

On attempting to access the ViewClients page as either authenticated user, neither has access, so you should get a 403 forbidden response.

Remove the test users and test group.
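
The role chain tested above (enterprise role -> application role -> page permission) can also be read straight out of the policy file. The following is an added example, not code from this post or from Steve's article: it lists which enterprise roles reach each page permission and flags members still declared with the JpsXml* principal classes that step 3.5 replaces. The XML is constructed sample data; the element layout, package names and the RegionPermission / page definition names are assumptions about what the ADF Security wizard generates.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout the ADF Security wizard typically writes
# (assumption); the role, page and application names follow the post.
SAMPLE = """<jazn-data><policy-store><applications><application>
 <name>TestStandaloneWLSSecurity</name>
 <app-roles><app-role>
  <name>AppCorporateServices</name>
  <members><member>
   <class>oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl</class>
   <name>Corporate Services</name>
  </member></members>
 </app-role></app-roles>
 <jazn-policy><grant>
  <grantee><principals><principal>
   <class>oracle.security.jps.service.policystore.ApplicationRole</class>
   <name>AppCorporateServices</name>
  </principal></principals></grantee>
  <permissions><permission>
   <class>oracle.adf.share.security.authorization.RegionPermission</class>
   <name>view.pageDefs.ViewClientNamesPageDef</name>
   <actions>view</actions>
  </permission></permissions>
 </grant></jazn-policy>
</application></applications></policy-store></jazn-data>"""

JPS_XML_IMPLS = ("JpsXmlEnterpriseRoleImpl", "JpsXmlUserImpl")

def audit(xml_text):
    """Return (page access map, members still using JpsXml* classes)."""
    root = ET.fromstring(xml_text)
    access, unmigrated = {}, []
    for app in root.iter("application"):
        members = {}  # application role -> [(member name, member class)]
        for role in app.iter("app-role"):
            members[role.findtext("name")] = [
                (m.findtext("name"), m.findtext("class", ""))
                for m in role.iter("member")]
        for role, ms in members.items():
            unmigrated += [(role, n) for n, c in ms if c.endswith(JPS_XML_IMPLS)]
        for grant in app.iter("grant"):
            roles = [p.findtext("name") for p in grant.iter("principal")]
            for perm in grant.iter("permission"):
                key = (perm.findtext("name"), perm.findtext("actions"))
                for r in roles:  # a role with no members reaches nobody
                    access.setdefault(key, set()).update(
                        n for n, _ in members.get(r, []))
    return access, unmigrated

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A page that has no entry in the access map has no grant at all, which matches the 403 seen on ViewClients for both test users.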

Configuring MS-Active Directory on your standalone WLS

Follow my instructions via my previous post: Configuring WLS With MS Active Directory

Other useful posts to aid understanding of configuring WLS authentication providers:

Note as per the following OTN post it is important to reorder the authenticators such that the AD authenticator comes first in the list, and its control flag is set to SUFFICIENT.

At this point you should have everything in place.

Post note

Thanks to all parties above, in particular Andrejus, Frank, Steve and Edwin, who either posted blog entries or forum posts or talked to me offline. Your assistance in getting this together is appreciated.

11 comments:

Unknown said...

I did the migration exactly as you did it, but I am getting this WARNING: No identity store associate with policy store found. Do you maybe know what is causing this problem?

Chris Muir said...

Sorry, you'd be best to ask such a question on the JDev OTN forum.

CM.

Unknown said...

Thanks a lot Chris

Related to: Configure WLS 10.3 to use MS-Active Directory (MS-AD) for user authentication

I succeeded in configuring it for user authentication,

but I found that when using some restrictions in AD (e.g. if we make a user able to log on only from certain machines, set in AD),
the authentication fails, even if he tries from his machine.
Otherwise authentication passes.

Have you tried/tested issues like this? And what do you think the reason is?
(Is it from AD, or something not configured in WLS?)

Thanks

Chris Muir said...

Sorry, can't say I have. In this case my recommendation to you is to lodge a support request with Oracle Support to see if WLS supports this particular AD feature.

CM.

Unknown said...

Thanks, I will do.

adf said...

Hi Chris,

I have a requirement to use Active Directory for authentication as you described, so that fits the bill. A follow-up question I have: is there a way to use a custom database store for authorization for a Fusion application?

Thanks,

Dipal

Chris Muir said...

I don't believe WLS Authorization supports the db, though I'm about 32% sure, please check.

CM.

freakentwig said...

Hi,

Do you have an updated link to Steve's article as per the following part of your post:
"Steve Muench's Simplified ADF 11g Application Credential and Policy Migration to Standalone WebLogic Servers"

I appreciate your help in this regard,
Hannes.

Chris Muir said...

Hi Hannes

A quick Google reveals this.

However I'm not sure this article is relevant anymore, JDev should now take care of this, since at least 11.1.1.2.0 if not earlier.

Regards,

CM.

zed said...

Hi all,

I have a requirement to use the SiteMinder authentication provider (SM ASA r12 agent for WebLogic). I have an SM Authentication provider configured in WLS ... worked on 10g np.
Has anyone else managed to map ADF roles to SiteMinder provider groups?

Thanks

Ed

Chris Muir said...

Hi Zed

Can't say I have. Probably a good question for the OTN WLS Security Forums. (Sorry I can't give you the link at the moment as the forums seem to be down for maintenance).

CM.