| Oracle® Application Development Framework Developer's Guide For Forms/4GL Developers 10g (10.1.3.1.0) Part Number B25947-01 |
|
|
View PDF |
| Oracle® Application Development Framework Developer's Guide For Forms/4GL Developers 10g (10.1.3.1.0) Part Number B25947-01 |
|
|
View PDF |
You can set authorization policies against resources and users. For example, you can allow only certain groups of users the ability to view, create, or change certain data or invoke certain methods. Or, you can prevent components from rendering based on the group a user belongs to. Because the user has been authenticated, the application can determine whether or not to allow that user access to any object that has an authorization restraint configured against it.
The application can reference roles programmatically to determine whether a specific user belongs to a role. In the SRDemo application this is accomplished using the method isUserInRole() defined by the FacesContext interface (and also available from the HttpServletRequest interface).
The SRDemo application uses three core roles to determine who will have access to perform specific functions. Each user is classified with by the roles: user, technician, or manager. The remoteUser value (obtained from the Faces Context) matches the email address in the SRDemo application's USERS table. These criteria are implemented using container-managed, Form-based authentication provided by Oracle Application Server as described in Section 30.3.1, "How to Enable J2EE Container-Managed Authentication".
Once the security container is set up, performing authorization is a task of:
Reading the container security attributes the first time the application references it
Making the key security information available in a form that can be accessed through the expression language
To accomplish this, the JSF web application can make use of a managed bean that is registered with session scope. The managed beans are Java classes that you register with the application using the faces-config.xml file. When the application starts, it parses this configuration file and the beans are made available and can be referenced in an EL expression, allowing access by the web pages to the bean's content.
For detailed information about working with managed beans, see Section 17.2, "Using a Managed Bean to Store Information".
This sample from SRList.jspx controls whether the web page will display a button that the manager uses to display an edit page.
<af:commandButton text="#{res['srlist.buttonbar.edit']}"
actionListener="#{bindings.setCurrentRowWithKey.execute}"
action="Edit"
rendered="#{userInfo.manager}">
<af:setActionListener from="#{row.rowKeyStr}"
to="#{processScope.rowKeyStr}"/>
<af:setActionListener from="#{'GlobalHome'}"
to="#{userState.returnNavigationRule}"/>
</af:commandButton>
This sample from SRCreateConfirm.jspx controls whether the web page will display a user name based on the user's authentication status.
<f:facet name="infoUser">
<!-- Show the Logged in user -->
<h:outputFormat value="#{res['srdemo.connectedUser']}"
rendered="#{userInfo.authenticated}" escape="false">
<f:param value="#{userInfo.userName}"/>
</h:outputFormat>
</f:facet>
The managed bean's properties allow you to invoke methods in a class that contains the code needed to validate users and to determine the available roles. This class should be created before you create the managed bean so you know the property names to use when you define the managed bean.
To create the Java class:
In the New Gallery select the General category and the Java Class item.
In the Create Java Class dialog, enter the name of the class and accept the defaults to create a public class with a default constructor.
Example 30-7 shows the key methods that the SRDemo application implements:
Example 30-7 SRDemo Application UserInfo.java Sample
/**
* Constructor
*/
public UserInfo() {
FacesContext ctx = FacesContext.getCurrentInstance();
ExternalContext ectx = ctx.getExternalContext();
//Ask the container who the user logged in as
_userName = ectx.getRemoteUser();
//Default the value if not authenticated
if (_userName == null || _userName.length()==0) {
_userName = "Not Authenticated";
} //Set the user role flag...
//Watch out for a tricky bug here:
//We have to evaluate the roles Most > Least restrictive
//because the manager role is assigned to the technician and user roles
//thus checking if a manager is in "user" will succeed and we'll stop
//there at the lower level of priviledge
for (int i=(ROLE_NAMES.length-1);i>0;i--) {
if (ectx.isUserInRole(ROLE_NAMES[i])){
_userRole = i;
break;
}
}
} /**
* @return the String role name
*/
public String getUserRole() {
return ROLE_NAMES[_userRole];
} /**
* Get the security container user name of the current user.
* As an additional precaution make it clear when we are running in
* Dev mode.
* @return users login name which in this case is also their email id. */
public String getUserName() {
StringBuffer name = new StringBuffer(_userName);
if (_devMode) {
name.append(" (Development Mode)");
}
return name.toString();
} /**
* Function designed to be used from Expression Language
* for swiching UI Features based on role.
* @return boolean
*/
public boolean isCustomer() {
return (_userRole==USER_ROLE);
} /**
* Function designed to be used from Expression Language
* for switching UI Features based on role.
* @return boolean
*/
public boolean isTechnician() {
return (_userRole==TECHNICIAN_ROLE);
} /**
* Function designed to be used from Expression Language
* for switching UI Features based on role.
* @return boolean
*/
public boolean isManager() {
return (_userRole==MANAGER_ROLE);
} /**
* Function designed to be used from Expression Language
* for switching UI Features based on role.
* This particular function indicates if the user is either
* a technician or manager
* @return boolean
*/
public boolean isStaff() {
return (_userRole>USER_ROLE);
} /**
* Function designed to be used from Expression Language
* for switching UI Features based on role.
* This particular function indicates if the session is actually authenticated
* @return boolean
*/
public boolean isAuthenticated() {
return (_userRole>NOT_AUTHENTICATED);
}
}
The UserInfo bean is registered as a managed bean named userInfo in the JSF faces-config.xml file. The managed bean uses expressions for managed properties which the UserInfo.java class implements.
For example, in the SRDemo application the following expressions appear in the UserInfo managed bean:
#{userInfo.userName} either returns the login Id or the String "Not Authenticated"
#{userInfo.userRole} returns the current user's role in its String value, for example, manager
#{userInfo.staff} returns true if the user is a technician or manager
#{userInfo.customer} returns true if the user belongs to the role user
#{userInfo.manager} returns true if the user is a manager
To define the managed bean properties and expressions:
In the Application Navigator, open the faces-config.xml file in the user interface WEB-INF folder.
In the window, select the Overview tab.
In the element list on the left, select Managed Beans and click New.
In the Create Managed Bean dialog specify the class information for the managed bean. If you have not created the class, see Section 30.8.1.1, "Creating a Class to Manage Roles".
To permit the security information defined by the managed bean to accessible by multiple web pages, set Scope to Session. For example, the SRDemo application defines the managed bean name userInfo, corresponding to the UserInfo.java class.
Example 30-8 shows the portion of the faces-config.xml file that defines the managed bean userInfo to hold security information for the SRDemo application.
Example 30-8 Managed Beans in the SRDemo faces-config.xml File
<!-- The managed bean used to hold security information -->
<managed-bean>
<managed-bean-name>userInfo</managed-bean-name>
<managed-bean-class>oracle.srdemo.view.UserInfo</managed-bean-class>
<managed-bean-scope>session</managed-bean-scope>
</managed-bean>
