|Oracle® Fusion Middleware Tutorial for Oracle WebCenter Developers
11g Release 1 (11.1.1)
Part Number E10273-03
In this lesson, you will add basic security to your custom WebCenter application, then create three different sample users who can log into the application. You will also add elements to the header of MyPage, so that users can click a login link to access your application, as well as a login page that displays the username and password fields.
By enabling security in the development environment of your application, you can test security-based features, such as logging in as a particular user to check email, or logging in as the administrator to make a change to the overall application. This chapter shows you how to set up security; in the next chapter, you will see how you can leverage WebCenter services that rely on security.
At the end of this lesson, the page you created in Chapter 3, "Creating a WebCenter Application with a Customizable Page" will look like Figure 4-1.
Figure 4-1 MyPage.jspx in the Browser
This lesson contains the following steps:
Before you begin the steps in this lesson, ensure you have followed the steps up to this point in the Tutorial.
To add ADF security:
In JDeveloper, while the application is open, choose Application from the main menu, then select Secure, and Configure ADF Security to display the Configure ADF Security wizard.
Figure 4-2 Configure ADF Security Menu Option
On the Enable ADF Security page, ensure ADF Authentication and Authorization is selected. Choose this option when securing any ADF web application, such as a custom WebCenter application (Figure 4-3).
Figure 4-3 Configure ADF Security - Step 1 of 5
On the Select authentication type page, ensure Form-Based Authentication is selected. Choosing this option generates a login page where users can enter their username and password for the application.
Select Generate Default Pages, and leave the default page names:
/error.html (Figure 4-4).
Figure 4-4 Configure ADF Security - Step 2 of 5
On the Enable automatic policy grants page, ensure Grant to All Objects is selected. Doing so enables the
test-all role in your application View access to any pages you create in the application (Figure 4-5).
Figure 4-5 Configure ADF Security - Step 3 of 5
On the Specify authenticated welcome page, click Next. You can learn more about this option in the Oracle Fusion Middleware Fusion Developer's Guide for Oracle Application Development Framework.
On the Summary page, notice the files that the wizard will create or modify based on your selections, then click Finish. If a dialog displays, click OK.
In the Application Navigator notice that two new pages display in the ViewController project, under WebContent: error.html and login.html.
Figure 4-6 Security Files in the Application Navigator
For more information about testing security during development and WebCenter application security, see Chapter 3, "Securing Your WebCenter Application" in Oracle Fusion Middleware Developer's Guide for Oracle WebCenter.
Now that you have set up basic ADF security for the application, you can create the users and roles.
Now that we have added basic ADF security to our application, we can create sample users to test the authentication. In this section, you will create three users: a user with administrative privileges who can make changes to the entire application, a user who can only make modifications to his own view of the application, and a user who can make some modifications to the application in addition to his own view. This step introduces you to the
jazn-data.xml file, which contains the security information for your application.
To create users for the application:
From the Application menu, choose Secure, then Users to display the
Figure 4-7 Creating Users
jazn-data.xml file, ensure that the Users tab is selected.
In the Users list, click the New User icon (Figure 4-8) to add a user temporarily named "NewUser" to the Users list.
Figure 4-8 New Users Icon
While NewUser is selected, notice that the right pane updates so that you can modify the properties of the user (Figure 4-9).
Figure 4-9 NewUser Properties
In the Name field, enter
In the password field, enter
welcome1 then click on the Display Name field to make sure the password is accepted. Leave the rest of the fields blank for now.
Create two more users by following steps 3 through 5:
Figure 4-10 New Users in the jazn-data.xml File
Now that we have created our sample users, we can create roles for the application, then assign the users to the roles. In the left pane, click the Application Roles tab (Figure 4-11). Notice that a role is already listed, called
test-all. This role is automatically generated by the Configure ADF Security wizard. You can use this role for testing purposes, but you will create your own roles for this application.
Figure 4-11 Application Roles Tab
In the Roles list, click the New Application Role icon.
While NewApplicationRole is selected, in the Name field to the right, enter
In the Display Name field, enter
Click the Members tab, then click the Add User or Role icon, then select Add User from the menu.
In the Select Users dialog, click Lisa, then click OK.
Figure 4-12 Select Users Dialog
The new role displays with the user
Figure 4-13 Admin-Role
Create another role called
user-role and set the Display Name to
Add the users Dan and Alex to this role.
Save all your files.
For more information about users and roles, see Oracle Fusion Middleware Developer's Guide for Oracle WebCenter and Chapter 3, "Securing Your WebCenter Application" in Oracle Fusion Middleware Fusion Developer's Guide for Oracle Application Development Framework.
Once you set up ADF security for your application using the Configure ADF Security wizard and set up your users, you must create the ADF security policies for your application. When you add ADF security policies to your application, you apply them to the page that requires authentication. The ADF security policies indicate the permissions for the application roles you set in the previous step. That is, the security policies define the actions that different users can perform on various objects in the application, such as pages and task flows. For example, you can set MyPage to be viewable by any user who is a member of the
user-role and customizable by any user who is a member of the
To add ADF security policies to your application:
Before we can add ADF security policies to the application, we must first create a page definition for MyPage. Then, we will add the application roles and set their permissions on that page.
While MyPage is displaying in the Design view (you may need to click its tab to bring it into focus), right-click the page, then choose Go to Page Definition.
If the Confirm Create New Page Definition dialog displays, click Yes. The page definition file, called
MyPagePageDef.xml displays. You can close this tab for now.
Click the MyPage.jspx tab to bring it into focus.
From the Application menu, choose Secure, then ADF Policies to display the ADF Security Policies section of the
jazn-data.xml file, as shown in Figure 4-14.
Figure 4-14 ADF Security Policies
Before adding the ADF security policies to our application, take a quick look at the Task Flows you currently have in the application. Select the Show task flows imported from ADF libraries checkbox.
Figure 4-15 ADF Security Policies for Task Flows
These task flows are generated by default for your application. Once you start adding task flows in Chapter 5, "Adding Oracle WebCenter Services to Your Application," this list will automatically be updated with the new task flows.
Next, add the necessary ADF Security Policies to the application. At the top of the section, click the Web Pages tab.
In the Page Definition list, click MyPage (Figure 4-16).
Figure 4-16 MyPage on the ADF Security Policies Section
Next to the Granted To Roles column, click the Add Application Role icon.
In the Select Roles dialog, select admin-role, authenticated-role, and user-role, then click OK (Figure 4-17).
Figure 4-17 Select Roles Dialog
The three roles now display on the Web Pages tab of the ADF Security Policies page (Figure 4-18).
Figure 4-18 MyPage ADF Security Policies
Next, assign the permissions each role has for MyPage. While
admin-role is selected, under Actions, select View and Customize, as shown in Figure 4-19.
Figure 4-19 Assigning the View and Customize Actions to the admin-role
Doing so allows any user with the admin-role (in our example, Lisa) to view the page and customize it. Any customizations that Lisa makes will proliferate to the views of all users. Customizations are different from personalizations; the latter can only be viewed by the currently authenticated user.
Select the authenticated-role and ensure the role has View permissions for MyPage.
Select the user-role and select the View and Personalize actions.
Finally, we must make one change to the
adf-config.xml file to set any customizations that the user makes to the user level and not the site or application level.
In the Application Navigator, in the Application Resources panel, expand Descriptors, then ADF META-INF.
Figure 4-20 adf-config.xml File in the Application Resources Panel
adf-config.xml file, and switch to the Source view by clicking the Source tab at the bottom of the page.
Locate the following code snippet (as shown in Figure 4-21), which only displays if you have added customizable components from Oracle Composer to your page, as you did in Chapter 3, "Creating a WebCenter Application with a Customizable Page":
<cust-config> <match> <customization-class name="oracle.adf.share.config.SiteCC"/> </match> </cust-config>
Figure 4-21 Section to Overwrite in the adf-config.xml File
Replace the code snippet with the following code snippet:
<cust-config> <match> <customization-class name="oracle.adf.share.config.UserCC"/> </match> </cust-config>
Save all your files.
For more information about ADF Security Policies, see Oracle Fusion Middleware Developer's Guide for Oracle WebCenter.
Now that you have set up security for your application, you can enable users to log in and out of the application by adding a link to MyPage.
To enable your users to log in and out of the application, in this step, you will add a Login/Logout link to the upper right corner of the header that toggles depending on whether the user is authenticated.
Figure 4-22 Logout Link in the Header
To add a login/logout link:
In Oracle JDeveloper, bring
MyPage.jspx into focus.
In the Structure window for
MyPage.jspx, navigate to the Panel Splitter, then open the
first facet. Remember that you can use the pushpin in the Structure window to freeze the current view. For this step, you click MyPage in the Design view, then ensure the pushpin is in the "freeze" position (pressed).
first facet, expand af:panelStretchLayout, open the Panel Stretch Layout facets folder, then open the end folder.
First, organize the components you already have into a layout so that we can add the login/logout link. Place a Panel Group Layout onto the existing vertical Panel Group Layout that contains the Change Mode Link you added in "Step 5: Add Oracle Composer to the Page to Enable Customization" in Chapter 3, "Creating a WebCenter Application with a Customizable Page."
To do so, in the Component Palette, select ADF Faces from the list.
Under Layout, drag and drop Panel Group Layout onto the
af:panelGroupLayout-vertical, and set the Layout property to horizontal.
Figure 4-23 New Panel Group Layout with Horizontal Layout
Drag and drop the Change Mode Link, Spacer, and Status Indicator into the new horizontal Panel Group Layout.
Figure 4-24 Horizontal Panel Group Layout with the Components
Drag and drop another Panel Group Layout onto the vertical Panel Group Layout and set its Layout property to horizontal.
Move the new Panel Group Layout above the existing horizontal Panel Group Layout that contains the Change Mode Link, Spacer, and Status Indicator (Figure 4-25).
Figure 4-25 Second Horizontal Panel Group Layout
To lay out the components in the header, add a Spacer component between the two Panel Group Layout components. From the Component Palette, under ADF Faces, expand Layout.
Drag and drop a Spacer component onto the Structure window between the two horizontal Panel Group Layout components (Figure 4-26).
Figure 4-26 Spacer Component in the Structure Window
Add a Welcome message that displays the name of the currently authenticated user.
Drag and drop an Output Text (Active) component from the Component Palette (under ADF Faces, Common Components) onto the first
In the Property Inspector for the Output Text, in the Value field, enter the following code snippet, as shown in Figure 4-27:
Figure 4-27 Output Text Value
Add a spacer after the Welcome text. From the Component Palette, under ADF Faces, drag and drop the Spacer component onto the Structure window.
Next, add a Logout link. From the Component Palette, under ADF Faces, drag and drop a Go Link component just below the Spacer component in the Structure window, and set the Text property to
Figure 4-28 Go Link
Set the Destination property to the following, as shown in Figure 4-28:
Figure 4-29 Destination Property for the Go Link Component
Save the page. The structure for the
first facet should look like:
Figure 4-30 Structure WIndow with the Output Text and Logout Link
When you implemented security using the ADF Security Wizard in "Step 1: Add ADF Security to Your Application", you generated two pages:
error.html file displays a message if a user tried to log into the application, but is unsuccessful. The
login.html file displays a username and password field where the user can authenticate with the application.
In JDeveloper, in the ViewController project, open the Web Content folder. You should see the
login.html page display just above
Open the login.html file (Figure 4-31). This login page should display when you run
MyPage.jspx to your browser.
Figure 4-31 Default Login.html Page
Instead of using this default page, you can use the login page you added to your application resources in Chapter 3, "Creating a WebCenter Application with a Customizable Page."
In the Application Navigator, under ViewController, expand the WEB-INF folder.
While viewing the Overview of this file, click the Security tab on the left side.
Figure 4-32 Security Tab of the web.xml File
Under Login Authentication, ensure Form-Based Authentication is selected.
Next to the Login Page field, click the Browse... icon.
Navigate to the public_html folder containing
mylogin.html and select the file.
Click OK. The Security page updates to use the new
Figure 4-33 Security Tab of the web.xml File Showing the New Login Page
Take a look at security at runtime. Run
MyPage.jspx to your browser.
In your browser, in the Username field, enter
Lisa with the password
welcome1 (Figure 4-34) and click Submit.
Figure 4-34 Logging into Your Application
The page displays in your browser (Figure 4-35):
Figure 4-35 MyPage.jspx in the Browser
Now that you have implemented security on the application, you can add content to the page in Chapter 5, "Adding Oracle WebCenter Services to Your Application."