The first step in securing an application is to enable Oracle ADF Security. In the OramagAdfSecurity project, select Application -> Secure -> Configure ADF Security to open the Oracle ADF Security wizard. This wizard is re-entrant, so you can safely open it and browse security settings without worrying about losing data.
The first dialog box in the configuration wizard enables you to define the type of security you want. The ADF Authentication and Authorization option, used in the sample application, enables you to configure login information as well as access to specific application features. Another option, ADF Authentication, is for controlling only who can access the application (via a login dialog box when a user requests access to the application). The Remove ADF Security Configuration option does not delete any existing policy definitions, but it disables the enforcement of Oracle ADF Security. This option is useful when you want to test the application with security temporarily disabled.
The next dialog box, Select Authentication Type, is where you define the type of authentication to use (such as form-based or basic). The authentication mechanism you choose depends on whether you want to provide your own login form or use client browser certificates for authentication. The sample application uses basic authentication, which performs programmatic authentication leveraging a specific Oracle WebLogic Server–proprietary API. If you select form-based authentication instead, Oracle JDeveloper will generate a login form for you. The login form, built in HTML, is configured in the web.xml file of your Web project.
The next dialog box, Enable Automatic Policy Grants, enables you to define how to protect existing resources, views, and task flows in your project.
For large projects, you would ideally choose the No Automatic Grants option, which locks the application down until you explicitly grant access permissions to application roles and then map those application roles to users and enterprise roles defined in the jazn-data.xml file.

Alternatively, the Grant to Existing Objects Only option enables authentication and authorization for an Oracle ADF application while ensuring that the application remains accessible to everyone. Use this option to enable security for an existing application without interrupting the current development process. With this option, pages and task flows created after security is enabled are not accessible by default. To make them accessible, you need to explicitly grant them to application roles defined in the application.

The Grant to All Objects option is similar to Grant to Existing Objects Only, except that it also grants all users access to new pages and task flows created after security is enabled. Use this option to add security to an application for which you don’t have any application roles or user identities defined.
The next wizard dialog box, Specify Authentication Welcome Page, is where you define a landing pad—a page to which all authenticated users are redirected after login. If this option is not set, the redirect will go to the protected view that triggered the authentication process.
When you are done, click Finish to close the Specify Authentication Welcome Page dialog box and the Oracle ADF Security wizard.
CREATING USERS, ENTERPRISE ROLES, AND APPLICATION ROLES
Before building authorization into Oracle ADF applications, you need to create users, enterprise roles, and application roles for testing. Oracle JDeveloper provides a declarative configuration console where you can easily create users and enterprise roles that simulate identities as they would exist in the identity management system in a production environment.
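The automatic policy grant options above and the users, enterprise roles, and application roles described here all end up in jazn-data.xml, and the usual mistakes are grants to an application role that nobody is mapped to, resources that were created after security was enabled and never granted, and grants that are effectively public because they reach anonymous-role. The following script is an added example, not code from Oracle or from the OramagAdfSecurity sample: it parses a constructed jazn-data.xml (the element layout follows what the ADF Security wizard writes, but every user, role, resource, credential and the "everyone" application role are invented for the example) and classifies each resource in a constructed list of pages and task flows.

```python
"""Audit an ADF Security policy store (jazn-data.xml) for grant problems.

Added example, not Oracle's or the OramagAdfSecurity sample's code. The element
layout (jazn-realm users/roles, app-roles, jazn-policy grants) follows what the
ADF Security wizard writes; all users, roles, resources and credentials below
are constructed sample data.
"""
import xml.etree.ElementTree as ET

ANONYMOUS_ROLE = "anonymous-role"                  # held by every unauthenticated request
BUILTIN_ROLES = {ANONYMOUS_ROLE, "authenticated-role"}

# Constructed jazn-data.xml: 'auditor' has a grant but no members, and
# 'everyone' (name constructed) is an app role whose only member is anonymous-role.
SAMPLE_JAZN_DATA = """<?xml version="1.0" encoding="UTF-8"?>
<jazn-data>
  <jazn-realm default="jazn.com"><realm><name>jazn.com</name>
    <users><user><name>sking</name><credentials>PLACEHOLDER</credentials></user>
           <user><name>jchan</name><credentials>PLACEHOLDER</credentials></user></users>
    <roles><role><name>managers</name><members><member><type>user</type><name>sking</name></member></members></role>
           <role><name>staff</name><members><member><type>user</type><name>sking</name></member><member><type>user</type><name>jchan</name></member></members></role></roles>
  </realm></jazn-realm>
  <policy-store><applications><application><name>OramagAdfSecurity</name><app-roles>
    <app-role><name>manager</name><class>oracle.security.jps.service.policystore.ApplicationRole</class><members><member><class>weblogic.security.principal.WLSGroupImpl</class><name>managers</name></member></members></app-role>
    <app-role><name>employee</name><class>oracle.security.jps.service.policystore.ApplicationRole</class><members><member><class>weblogic.security.principal.WLSGroupImpl</class><name>staff</name></member></members></app-role>
    <app-role><name>auditor</name><class>oracle.security.jps.service.policystore.ApplicationRole</class></app-role>
    <app-role><name>everyone</name><class>oracle.security.jps.service.policystore.ApplicationRole</class><members><member><class>oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl</class><name>anonymous-role</name></member></members></app-role>
  </app-roles><jazn-policy>
    <grant><grantee><principals><principal><class>oracle.security.jps.service.policystore.ApplicationRole</class><name>manager</name></principal></principals></grantee>
      <permissions><permission><class>oracle.adf.controller.security.TaskFlowPermission</class><name>/WEB-INF/salary-task-flow.xml#salary-task-flow</name><actions>view</actions></permission></permissions></grant>
    <grant><grantee><principals><principal><class>oracle.security.jps.service.policystore.ApplicationRole</class><name>employee</name></principal></principals></grantee>
      <permissions><permission><class>oracle.adf.share.security.authorization.RegionPermission</class><name>com.example.view.pageDefs.homePageDef</name><actions>view</actions></permission></permissions></grant>
    <grant><grantee><principals><principal><class>oracle.security.jps.service.policystore.ApplicationRole</class><name>auditor</name></principal></principals></grantee>
      <permissions><permission><class>oracle.adf.controller.security.TaskFlowPermission</class><name>/WEB-INF/audit-task-flow.xml#audit-task-flow</name><actions>view</actions></permission></permissions></grant>
    <grant><grantee><principals><principal><class>oracle.security.jps.service.policystore.ApplicationRole</class><name>everyone</name></principal></principals></grantee>
      <permissions><permission><class>oracle.adf.share.security.authorization.RegionPermission</class><name>com.example.view.pageDefs.welcomePageDef</name><actions>view</actions></permission></permissions></grant>
  </jazn-policy></application></applications></policy-store>
</jazn-data>
"""

# Page and task-flow resources in the project (constructed). The last one was
# created after security was enabled and never granted, so it stays locked down.
SAMPLE_RESOURCES = [
    "/WEB-INF/salary-task-flow.xml#salary-task-flow",
    "com.example.view.pageDefs.homePageDef",
    "/WEB-INF/audit-task-flow.xml#audit-task-flow",
    "com.example.view.pageDefs.welcomePageDef",
    "/WEB-INF/new-task-flow.xml#new-task-flow",
]

def parse_policy(xml_text):
    """Return users, enterprise roles, app roles (name -> member names) and grants."""
    root = ET.fromstring(xml_text)
    realm = root.find("jazn-realm/realm")
    users = {u.findtext("name") for u in realm.findall("users/user")}
    enterprise_roles = {r.findtext("name"): {m.findtext("name") for m in r.findall("members/member")}
                        for r in realm.findall("roles/role")}
    app = root.find("policy-store/applications/application")
    app_roles = {a.findtext("name"): {m.findtext("name") for m in a.findall("members/member")}
                 for a in app.findall("app-roles/app-role")}
    grants = []                                    # (grantee, resource name, actions)
    for grant in app.findall("jazn-policy/grant"):
        grantees = [p.findtext("name") for p in grant.findall("grantee/principals/principal")]
        for perm in grant.findall("permissions/permission"):
            grants.extend((g, perm.findtext("name"), perm.findtext("actions")) for g in grantees)
    return {"users": users, "enterprise_roles": enterprise_roles,
            "app_roles": app_roles, "grants": grants}

def is_public(policy, grantee):
    # anonymous-role itself, or an app role that has anonymous-role as a member
    return grantee == ANONYMOUS_ROLE or ANONYMOUS_ROLE in policy["app_roles"].get(grantee, set())

def has_members(policy, grantee):
    # built-in roles always have holders; an app role only if members are mapped
    return grantee in BUILTIN_ROLES or bool(policy["app_roles"].get(grantee))

def audit(policy, resources):
    """Classify each resource as public, protected, dead-grant or no-grant."""
    report = {}
    for res in resources:
        grantees = {g for g, name, _ in policy["grants"] if name == res}
        if not grantees:
            report[res] = "no-grant"               # nobody can reach it (locked down)
        elif any(is_public(policy, g) for g in grantees):
            report[res] = "public"                 # reachable without logging in
        elif not any(has_members(policy, g) for g in grantees):
            report[res] = "dead-grant"             # granted only to roles nobody holds
        else:
            report[res] = "protected"
    return report

def empty_app_roles(policy):
    """App roles with no user, enterprise role or built-in role mapped to them."""
    return sorted(n for n, members in policy["app_roles"].items() if not members)

if __name__ == "__main__":
    policy = parse_policy(SAMPLE_JAZN_DATA)
    for res, state in audit(policy, SAMPLE_RESOURCES).items():
        print(f"{state:10s} {res}")
    print("app roles with no members:", empty_app_roles(policy))
```

Run against a real project, the resource list would come from the page definitions and task-flow files in the Web project rather than the constructed list; a "no-grant" result is the expected state for anything added after choosing No Automatic Grants or Grant to Existing Objects Only, "dead-grant" points at an application role that still needs users or enterprise roles mapped to it, and "public" flags resources that stay reachable without a login.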
ENABLING SECURITY IN ORACLE ADF BUSINESS COMPONENTS
When you enable Oracle ADF Security for an application, the change does not immediately affect Oracle ADF Business Components. To enforce authorization on an Oracle ADF Business Component entity