Oracle ADF makes authentication and authorization easy via a nice graphical interface. During development, you can use the built-in file-based policy store called jazn-data.xml. You can then later swap out your authentication provider, using something a bit more scalable such as an LDAP server or custom database store. ADF also provides a default HTML-based login form that can be automatically generated for you. It calls an authentication servlet behind the scenes, which in turn looks at your data store. Although this default login.html page is easy to work with, since it is NOT ADF-based, it doesn’t have that “ADF” look and feel.
In this ADF training video tutorial, we show you how to bypass the “default” login.html page and instead create our own custom ADF login page. Our page will have fields for the user to enter their credentials, and when the user clicks the submit button, it calls the adfAuthenticationServlet for us. There are two parts to the video tutorial. Part 1 shows you how to create the Login Bean, and part 2 shows you how to create the users and roles and to configure the authorization.
To create the custom ADF Login form:
- Create a new .jspx page called “login.jspx”. Place 2 input text components on the page for the user name and password, as well as a command button with the label “Log in”. Set the password’s ‘secret’ attribute to ‘true’.
- You’ll need a managed bean to capture the username and password, as well as call the authentication servlet. In the ViewController project, create a Java class called “LoginBean.java”. Create 2 private String variables – _username and _password. Provide public getters and setters for these as well. The complete Java code is provided for you below. It contains a doLogin method that explicitly calls the adfAuthentication servlet. Be sure to register the LoginBean in your adfc-config.xml file using request scope.
- The Java code depends on three .jar files that you must add to the project’s classpath: %MIDDLEWARE_HOME%\modules\com.bea.core.weblogic.security.auth_xxxx.jar, %MIDDLEWARE_HOME%\modules\com.bea.core.weblogic.security.identity_xxxxx.jar, %WLSERVER%\server\lib\wls-api.zip
- Create an error page in the ViewController layer – call it error.jspx. For now, just put a text output component on the page that says “error”.
- Configure ADF security for your application. Go to Application -> Secure -> Configure ADF Security. Choose the first option – ADF Authentication and Authorization. On the next screen choose form-based authentication. Be sure to point the login and error pages to the pages you just created. The paths should look like this: /faces/login.jspx, /faces/error.jspx.
- On the next page, choose the first option – No Automatic Grants.
- On the next page, do not choose “Redirect Upon Successful Authentication”. The managed bean’s doLogin method programmatically provides the redirection for you.
- Open the login.jspx file in design mode. Set the username and password text fields’ ‘value’ properties to the managed bean’s username and password fields, respectively.
- Set the command button’s ‘action’ attribute to the managed bean’s doLogin method. Use the Expression Builder to help you correctly build the EL.
- Let’s now create the users. Go to Application -> Secure -> Users. Hit the green plus icon to add a couple of users. Let’s create ‘bob’ and ‘julie’. Set both of their passwords to ‘password1’ so it’s easy to remember.
- Now create an enterprise role called ‘managerGroup’. Add Bob to the group, but don’t add Julie.
- Create an application role called ‘managers’. Add the managerGroup to managers. The effect here is that Bob is a manager, but Julie is not.
- Create a page called managerPage.jspx. Place a panelHeader on the page with the text set to: Welcome, #{securityContext.userName}! Since you are a manager, you can access this page!
- From the Application Navigator, right-click on the managerPage.jspx and create a page definition file. This will force authentication to be performed on the page.
- Go to Application -> Secure -> Resource Grants. Select “Web Page” for the resource type. Select the managerPage from the list on the left. In the middle page, add the managers application role. This means only authenticated users who belong to this role can access the page. Stick with the defaults for the Actions in the right-hand pane.
- Run the managerPage. Try logging in first as “bob”, then as “julie”.
```java
package com.fireboxtraining.view;

import javax.faces.application.FacesMessage;
import javax.faces.context.FacesContext;
import javax.security.auth.Subject;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.servlet.RequestDispatcher;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import weblogic.security.URLCallbackHandler;
import weblogic.security.services.Authentication;
import weblogic.servlet.security.ServletAuthentication;

public class LoginBean {
    private String _username, _password;

    public void setUsername(String _username) { this._username = _username; }
    public String getUsername() { return _username; }
    public void setPassword(String _password) { this._password = _password; }
    public String getPassword() { return _password; }

    // Shows the same message for every credential failure.
    private void addLoginError(FacesContext ctx) {
        FacesMessage msg = new FacesMessage(FacesMessage.SEVERITY_ERROR,
            "Invalid username or password", "Invalid username or password");
        ctx.addMessage(null, msg);
    }

    public String doLogin() throws LoginException {
        FacesContext ctx = FacesContext.getCurrentInstance();
        // An empty field can arrive as null; treat it as a failed login, not a NullPointerException.
        if (_username == null || _password == null) {
            addLoginError(ctx);
            return null;
        }
        String un = _username;
        byte[] pw = _password.getBytes();
        HttpServletRequest request = (HttpServletRequest)ctx.getExternalContext().getRequest();
        Subject mySubject;
        try {
            // Authenticate against the configured WebLogic security provider.
            mySubject = Authentication.login(new URLCallbackHandler(un, pw));
            ServletAuthentication.runAs(mySubject, request);
            // Issue a fresh session ID after login so a pre-login ID cannot be reused.
            ServletAuthentication.generateNewSessionID(request);
            // success_url must name a page in your application (this tutorial's secured page is managerPage.jspx).
            String loginUrl = "/adfAuthentication?success_url=/faces/protectedPage.jspx";
            HttpServletResponse response = (HttpServletResponse)ctx.getExternalContext().getResponse();
            RequestDispatcher dispatcher = request.getRequestDispatcher(loginUrl);
            dispatcher.forward(request, response);
            // The servlet has written the response; stop JSF from rendering login.jspx on top of it.
            ctx.responseComplete();
        } catch (FailedLoginException e) {
            addLoginError(ctx);
        } catch (Exception e) {
            // Any other failure is logged and the user stays on the login page.
            System.err.println(e.getMessage());
        }
        return null;
    }
}
```
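The bean registration and the login page bindings from the steps above, written out as an added example (not markup from the original tutorial). The bean name loginBean, the component ids and the labels other than “Log in” are assumptions; the class name, request scope, the ‘secret’ attribute and the doLogin action come from the steps.

```xml
<!-- adfc-config.xml: register the bean in request scope so the
     credentials are not held beyond the login request.
     "loginBean" is an assumed bean name. -->
<managed-bean>
  <managed-bean-name>loginBean</managed-bean-name>
  <managed-bean-class>com.fireboxtraining.view.LoginBean</managed-bean-class>
  <managed-bean-scope>request</managed-bean-scope>
</managed-bean>

<!-- login.jspx: two input fields bound to the bean and a button
     that invokes doLogin. Component ids are assumed. -->
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="2.1"
          xmlns:f="http://java.sun.com/jsf/core"
          xmlns:af="http://xmlns.oracle.com/adf/faces/rich">
  <jsp:directive.page contentType="text/html;charset=UTF-8"/>
  <f:view>
    <af:document id="d1" title="Login">
      <!-- Displays the "Invalid username or password" FacesMessage
           that doLogin adds on a failed login. -->
      <af:messages id="m1"/>
      <af:form id="f1">
        <af:panelFormLayout id="pfl1">
          <af:inputText id="it1" label="User name"
                        value="#{loginBean.username}"/>
          <!-- secret="true" masks the typed password in the browser. -->
          <af:inputText id="it2" label="Password"
                        value="#{loginBean.password}" secret="true"/>
          <af:commandButton id="cb1" text="Log in"
                            action="#{loginBean.doLogin}"/>
        </af:panelFormLayout>
      </af:form>
    </af:document>
  </f:view>
</jsp:root>
```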