4 Adding Security to Your Application

In this lesson, you will add basic security to your custom WebCenter application, then create three different sample users who can log into the application. You will also add elements to the header of MyPage, so that users can click a login link to access your application, as well as a login page that displays the username and password fields.

By enabling security in the development environment of your application, you can test security-based features, such as logging in as a particular user to check email, or logging in as the administrator to make a change to the overall application. This chapter shows you how to set up security; in the next chapter, you will see how you can leverage WebCenter services that rely on security.

At the end of this lesson, the page you created in Chapter 3, "Creating a WebCenter Application with a Customizable Page" will look like Figure 4-1.

Figure 4-1 MyPage.jspx in the Browser


Introduction

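This lesson contains the following steps:

  • Step 1: Add ADF Security to Your Application

  • Step 2: Create Users and Roles for the Application

  • Step 3: Add ADF Security Policies to Your Application

  • Step 4: Add a Login/Logout Link to Your Application and Update the Login Page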

Before you begin the steps in this lesson, ensure you have followed the steps up to this point in the Tutorial.

Step 1: Add ADF Security to Your Application

Oracle JDeveloper includes an ADF Security wizard that enables you to add basic security to your application. In this step, we use this wizard to add security to our existing application.

To add ADF security:

  1. In JDeveloper, while the application is open, choose Application from the main menu, then select Secure, and Configure ADF Security to display the Configure ADF Security wizard.

    Figure 4-2 Configure ADF Security Menu Option


  2. On the Enable ADF Security page, ensure ADF Authentication and Authorization is selected. Choose this option when securing any ADF web application, such as a custom WebCenter application (Figure 4-3).

    Figure 4-3 Configure ADF Security - Step 1 of 5


  3. Click Next.

  4. On the Select authentication type page, ensure Form-Based Authentication is selected. Choosing this option generates a login page where users can enter their username and password for the application.

  5. Select Generate Default Pages, and leave the default page names: /login.html and /error.html (Figure 4-4).

    Click Next.

    Figure 4-4 Configure ADF Security - Step 2 of 5


  6. Click Next.

  7. On the Enable automatic policy grants page, ensure Grant to All Objects is selected. Doing so grants the test-all role in your application View access to any pages you create in the application (Figure 4-5).

    Figure 4-5 Configure ADF Security - Step 3 of 5


  8. Click Next.

  9. On the Specify authenticated welcome page, click Next. You can learn more about this option in the Oracle Fusion Middleware Fusion Developer's Guide for Oracle Application Development Framework.

  10. On the Summary page, notice the files that the wizard will create or modify based on your selections, then click Finish. If a dialog displays, click OK.

    In the Application Navigator notice that two new pages display in the ViewController project, under WebContent: error.html and login.html.

    Figure 4-6 Security Files in the Application Navigator


For more information about testing security during development and WebCenter application security, see Chapter 3, "Securing Your WebCenter Application" in Oracle Fusion Middleware Developer's Guide for Oracle WebCenter.

Now that you have set up basic ADF security for the application, you can create the users and roles.

Step 2: Create Users and Roles for the Application

Now that we have added basic ADF security to our application, we can create sample users to test the authentication. In this section, you will create three users: a user with administrative privileges who can make changes to the entire application, a user who can only make modifications to his own view of the application, and a user who can make some modifications to the application in addition to his own view. This step introduces you to the jazn-data.xml file, which contains the security information for your application.

To create users for the application:

  1. From the Application menu, choose Secure, then Users to display the jazn-data.xml file.

    Figure 4-7 Creating Users


  2. In the jazn-data.xml file, ensure that the Users tab is selected.

  3. In the Users list, click the New User icon (Figure 4-8) to add a user temporarily named "NewUser" to the Users list.

    Figure 4-8 New Users Icon


  4. While NewUser is selected, notice that the right pane updates so that you can modify the properties of the user (Figure 4-9).

    Figure 4-9 NewUser Properties


    In the Name field, enter Lisa.

  5. In the password field, enter welcome1, then click the Display Name field to make sure the password is accepted. Leave the rest of the fields blank for now.

  6. Create two more users by following steps 3 through 5:

    • User: Dan, Password: welcome1

    • User: Alex, Password: welcome1

    Figure 4-10 New Users in the jazn-data.xml File


  7. Now that we have created our sample users, we can create roles for the application, then assign the users to the roles. In the left pane, click the Application Roles tab (Figure 4-11). Notice that a role is already listed, called test-all. This role is automatically generated by the Configure ADF Security wizard. You can use this role for testing purposes, but you will create your own roles for this application.

    Figure 4-11 Application Roles Tab


  8. In the Roles list, click the New Application Role icon.

  9. While NewApplicationRole is selected, in the Name field to the right, enter admin-role.

  10. In the Display Name field, enter Administrators.

  11. Click the Members tab, then click the Add User or Role icon, then select Add User from the menu.

  12. In the Select Users dialog, click Lisa, then click OK.

    Figure 4-12 Select Users Dialog


    The new role displays with the user Lisa listed.

  13. Create another role called user-role and set the Display Name to Users.

  14. Add the users Dan and Alex to this role.

  15. Save all your files.

For more information about users and roles, see Oracle Fusion Middleware Developer's Guide for Oracle WebCenter and Chapter 3, "Securing Your WebCenter Application" in Oracle Fusion Middleware Fusion Developer's Guide for Oracle Application Development Framework.

Step 3: Add ADF Security Policies to Your Application

Once you set up ADF security for your application using the Configure ADF Security wizard and set up your users, you must create the ADF security policies for your application. When you add ADF security policies to your application, you apply them to the page that requires authentication. The ADF security policies indicate the permissions for the application roles you set in the previous step. That is, the security policies define the actions that different users can perform on various objects in the application, such as pages and task flows. For example, you can set MyPage to be viewable by any user who is a member of the user-role and customizable by any user who is a member of the admin-role.

To add ADF security policies to your application:

  1. Before we can add ADF security policies to the application, we must first create a page definition for MyPage. Then, we will add the application roles and set their permissions on that page.

    While MyPage is displaying in the Design view (you may need to click its tab to bring it into focus), right-click the page, then choose Go to Page Definition.

  2. If the Confirm Create New Page Definition dialog displays, click Yes. The page definition file, called MyPagePageDef.xml displays. You can close this tab for now.

  3. Click the MyPage.jspx tab to bring it into focus.

  4. From the Application menu, choose Secure, then ADF Policies to display the ADF Security Policies section of the jazn-data.xml file, as shown in Figure 4-14.

    Figure 4-14 ADF Security Policies


  5. Before adding the ADF security policies to our application, take a quick look at the Task Flows you currently have in the application. Select the Show task flows imported from ADF libraries checkbox.

    Figure 4-15 ADF Security Policies for Task Flows


    These task flows are generated by default for your application. Once you start adding task flows in Chapter 5, "Adding Oracle WebCenter Services to Your Application," this list will automatically be updated with the new task flows.

  6. Next, add the necessary ADF Security Policies to the application. At the top of the section, click the Web Pages tab.

  7. In the Page Definition list, click MyPage (Figure 4-16).

    Figure 4-16 MyPage on the ADF Security Policies Section


  8. Next to the Granted To Roles column, click the Add Application Role icon.

  9. In the Select Roles dialog, select admin-role, authenticated-role, and user-role, then click OK (Figure 4-17).

    Figure 4-17 Select Roles Dialog


    The three roles now display on the Web Pages tab of the ADF Security Policies page (Figure 4-18).

    Figure 4-18 MyPage ADF Security Policies


  10. Next, assign the permissions each role has for MyPage. While admin-role is selected, under Actions, select View and Customize, as shown in Figure 4-19.

    Figure 4-19 Assigning the View and Customize Actions to the admin-role


    Doing so allows any user with the admin-role (in our example, Lisa) to view the page and customize it. Any customizations that Lisa makes will propagate to the views of all users. Customizations are different from personalizations; the latter can only be viewed by the currently authenticated user.

  11. Select the authenticated-role and ensure the role has View permissions for MyPage.

  12. Select the user-role and select the View and Personalize actions.

  13. Finally, we must make one change to the adf-config.xml file to set any customizations that the user makes to the user level and not the site or application level.

  14. In the Application Navigator, in the Application Resources panel, expand Descriptors, then ADF META-INF.

    Figure 4-20 adf-config.xml File in the Application Resources Panel


  15. Open the adf-config.xml file, and switch to the Source view by clicking the Source tab at the bottom of the page.

  16. Locate the following code snippet (as shown in Figure 4-21), which only displays if you have added customizable components from Oracle Composer to your page, as you did in Chapter 3, "Creating a WebCenter Application with a Customizable Page":

          <cust-config>
            <match>
              <customization-class name="oracle.adf.share.config.SiteCC"/>
            </match>
          </cust-config>
    

    Figure 4-21 Section to Overwrite in the adf-config.xml File


  17. Replace the code snippet with the following code snippet:

          <cust-config>
            <match>
              <customization-class name="oracle.adf.share.config.UserCC"/>
            </match>
          </cust-config>
    
  18. Save all your files.

For more information about ADF Security Policies, see Oracle Fusion Middleware Developer's Guide for Oracle WebCenter.
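
The policy that steps 10 through 12 set up can be checked directly against jazn-data.xml. The following is an added example, not part of the original tutorial or Oracle's code: it reads the grants from a constructed sample and reports grants to the wizard-generated test-all role and any actions beyond the intended ones. The element layout and the page-definition name view.pageDefs.MyPagePageDef are assumptions; compare them with your own file.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the policy store. The element layout and the
# page-definition name view.pageDefs.MyPagePageDef are assumptions.
SAMPLE_JAZN = """<jazn-data><policy-store><applications><application>
  <jazn-policy>
    <grant><grantee><principals><principal><name>admin-role</name></principal></principals></grantee>
      <permissions><permission><name>view.pageDefs.MyPagePageDef</name>
        <actions>customize,view</actions></permission></permissions></grant>
    <grant><grantee><principals><principal><name>authenticated-role</name></principal></principals></grantee>
      <permissions><permission><name>view.pageDefs.MyPagePageDef</name>
        <actions>view</actions></permission></permissions></grant>
    <grant><grantee><principals><principal><name>user-role</name></principal></principals></grantee>
      <permissions><permission><name>view.pageDefs.MyPagePageDef</name>
        <actions>personalize,view</actions></permission></permissions></grant>
    <grant><grantee><principals><principal><name>test-all</name></principal></principals></grantee>
      <permissions><permission><name>view.pageDefs.MyPagePageDef</name>
        <actions>view</actions></permission></permissions></grant>
  </jazn-policy>
</application></applications></policy-store></jazn-data>"""

# Intended policy from steps 10 through 12 of this lesson.
EXPECTED = {"view.pageDefs.MyPagePageDef": {
    "admin-role": {"view", "customize"},
    "authenticated-role": {"view"},
    "user-role": {"view", "personalize"}}}
TEST_ONLY_ROLES = {"test-all"}  # generated by the Configure ADF Security wizard

def page_grants(xml_text):
    """Return {resource: {role: set(actions)}} for every grant element."""
    grants = {}
    for grant in ET.fromstring(xml_text).iter("grant"):
        roles = [p.findtext("name", "").strip() for p in grant.iter("principal")]
        for perm in grant.iter("permission"):
            resource = perm.findtext("name", "").strip()
            actions = {a.strip() for a in perm.findtext("actions", "").split(",") if a.strip()}
            for role in roles:
                grants.setdefault(resource, {}).setdefault(role, set()).update(actions)
    return grants

def findings(xml_text, expected=EXPECTED):
    """List grants to test-only roles and actions beyond the intended policy."""
    issues = []
    for resource, roles in sorted(page_grants(xml_text).items()):
        for role, actions in sorted(roles.items()):
            if role in TEST_ONLY_ROLES:
                issues.append(f"{resource}: test-only role {role} still granted {sorted(actions)}")
                continue
            extra = actions - expected.get(resource, {}).get(role, set())
            if extra:
                issues.append(f"{resource}: {role} has unexpected {sorted(extra)}")
    return issues

if __name__ == "__main__":
    for line in findings(SAMPLE_JAZN):
        print(line)
```

Run against the sample, the only finding is the test-all grant that the wizard's Grant to All Objects option created in Step 1.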

Now that you have set up security for your application, you can enable users to log in and out of the application by adding a link to MyPage.

Step 4: Add a Login/Logout Link to Your Application and Update the Login Page

To enable your users to log in and out of the application, in this step, you will add a Login/Logout link to the upper right corner of the header that toggles depending on whether the user is authenticated.

Figure 4-22 Logout Link in the Header


To add a login/logout link:

  1. In Oracle JDeveloper, bring MyPage.jspx into focus.

  2. In the Structure window for MyPage.jspx, navigate to the Panel Splitter, then open the first facet. Remember that you can use the pushpin in the Structure window to freeze the current view. For this step, click MyPage in the Design view, then ensure the pushpin is in the "freeze" position (pressed).

  3. Under the first facet, expand af:panelStretchLayout, open the Panel Stretch Layout facets folder, then open the end folder.

  4. First, organize the components you already have into a layout so that we can add the login/logout link. Place a Panel Group Layout onto the existing vertical Panel Group Layout that contains the Change Mode Link you added in "Step 5: Add Oracle Composer to the Page to Enable Customization" in Chapter 3, "Creating a WebCenter Application with a Customizable Page."

    To do so, in the Component Palette, select ADF Faces from the list.

  5. Under Layout, drag and drop Panel Group Layout onto the af:panelGroupLayout-vertical, and set the Layout property to horizontal.

    Figure 4-23 New Panel Group Layout with Horizontal Layout


  6. Drag and drop the Change Mode Link, Spacer, and Status Indicator into the new horizontal Panel Group Layout.

    Figure 4-24 Horizontal Panel Group Layout with the Components


  7. Drag and drop another Panel Group Layout onto the vertical Panel Group Layout and set its Layout property to horizontal.

  8. Move the new Panel Group Layout above the existing horizontal Panel Group Layout that contains the Change Mode Link, Spacer, and Status Indicator (Figure 4-25).

    Figure 4-25 Second Horizontal Panel Group Layout


  9. To lay out the components in the header, add a Spacer component between the two Panel Group Layout components. From the Component Palette, under ADF Faces, expand Layout.

  10. Drag and drop a Spacer component onto the Structure window between the two horizontal Panel Group Layout components (Figure 4-26).

    Figure 4-26 Spacer Component in the Structure Window


  11. Add a Welcome message that displays the name of the currently authenticated user.

    Drag and drop an Output Text (Active) component from the Component Palette (under ADF Faces, Common Components) onto the first af:panelGroupLayout-horizontal.

  12. In the Property Inspector for the Output Text, in the Value field, enter the following code snippet, as shown in Figure 4-27:

    #{'Welcome '}#{securityContext.userName}
    

    Figure 4-27 Output Text Value


  13. Add a spacer after the Welcome text. From the Component Palette, under ADF Faces, drag and drop the Spacer component onto the Structure window.

  14. Next, add a Logout link. From the Component Palette, under ADF Faces, drag and drop a Go Link component just below the Spacer component in the Structure window, and set the Text property to Logout.

  15. Set the Destination property to the following, as shown in Figure 4-28:

    #{'/adfAuthentication?logout=true&end_url=/faces/MyPage.jspx'}
    

    Figure 4-29 Destination Property for the Go Link Component


  16. Save the page. The structure for the first facet should look like:

    Figure 4-30 Structure Window with the Output Text and Logout Link


  17. When you implemented security using the ADF Security Wizard in "Step 1: Add ADF Security to Your Application", you generated two pages: error.html and login.html. The error.html file displays a message if a user tries to log in to the application but is unsuccessful. The login.html file displays a username and password field where the user can authenticate with the application.

    In JDeveloper, in the ViewController project, open the Web Content folder. You should see the login.html page display just above MyPage.jspx.

  18. Open the login.html file (Figure 4-31). This login page should display when you run MyPage.jspx to your browser.

    Figure 4-31 Default Login.html Page


  19. Instead of using this default page, you can use the login page you added to your application resources in Chapter 3, "Creating a WebCenter Application with a Customizable Page."

  20. In the Application Navigator, under ViewController, expand the WEB-INF folder.

  21. Open the web.xml file.

  22. While viewing the Overview of this file, click the Security tab on the left side.

    Figure 4-32 Security Tab of the web.xml File


  23. Under Login Authentication, ensure Form-Based Authentication is selected.

  24. Next to the Login Page field, click the Browse... icon.

  25. Navigate to the public_html folder containing mylogin.html and select the file.

  26. Click OK. The Security page updates to use the new mylogin.html file.

    Figure 4-33 Security Tab of the web.xml File Showing the New Login Page


  27. Take a look at security at runtime. Run MyPage.jspx to your browser.

  28. In your browser, in the Username field, enter Lisa with the password welcome1 (Figure 4-34) and click Submit.

    Figure 4-34 Logging into Your Application


    The page displays in your browser (Figure 4-35):

    Figure 4-35 MyPage.jspx in the Browser


Now that you have implemented security on the application, you can add content to the page in Chapter 5, "Adding Oracle WebCenter Services to Your Application."