A.2 Integrating Access Manager With Web Applications Using Oracle ADF Security and the OPSS SSO Framework

This section describes how to integrate a Web application that uses Oracle ADF security and the OPSS SSO Framework with an Access Manager SSO security provider for user authentication.

Before the Web application can be run, you must configure the domain-level jps-config.xml file on the application's target Oracle WebLogic Server for the Access Manager security provider.

The domain-level jps-config.xml file is in the following path and should not be confused with the deployed application's jps-config.xml file:

$DOMAIN_HOME/config/fmwconfig/jps-config.xml 

Note:

Do not confuse the domain-level jps-config.xml file with the deployed application's jps-config.xml file.

You can use an Oracle JRF WLST script to configure the domain-level jps-config.xml file, either before or after the Web application is deployed. This Oracle JRF WLST script is named as follows:

Linux: wlst.sh

Windows: wlst.cmd

The Oracle JRF WLST script is available in the following path if you are running through JDev:

$JDEV_HOME/oracle_common/common/bin/

In a standalone JRF WebLogic installation, the path is:

$MW_HOME/oracle_common/wlst

Note:

The Oracle JRF WLST script is required. When running WLST for Oracle Java Required Files (JRF), do not use the WLST script under $JDEV_HOME/wlserver_10.3/common/bin.

Command Syntax

addOAMSSOProvider(loginuri, logouturi, autologinuri)

Run the addOAMSSOProvider command as in the following example. The generic form uses the placeholder /${app.context} for the application's context root; the second invocation shows the same command for an application whose context root is /testapp.

cd $MW_HOME/oracle_common/common/bin

./wlst.sh

.......after running ./wlst.sh............
Welcome to WebLogic Server Administration Scripting Shell
Type help() for help on available commands

wls:/offline> addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication", logouturi="/oamsso/logout.html", autologinuri="/obrar.cgi")

wls:/offline> addOAMSSOProvider(loginuri="/testapp/adfAuthentication", logouturi="/oamsso/logout.html", autologinuri="/obrar.cgi")

Table A-1 defines the expected value for each argument.

Table A-1 addOAMSSOProvider Command-line Arguments

Argument Definition

loginuri

Specifies the URI of the login page

Note: For ADF security enabled applications, "/<context-root>/adfAuthentication" should be provided for the 'loginuri' parameter. Here is the flow:

  1. The user accesses a resource that is protected, for example, by authorization policies in OPSS.

  2. If the user is not yet authenticated, ADF redirects the user to the URI configured in 'loginuri'.

  3. Access Manager should have a policy protecting the value in 'loginuri': for example, "/<context-root>/adfAuthentication".

  4. When ADF redirects to this URI, Access Manager displays a Login Page (depending on the authentication scheme configured in Access Manager for this URI).

logouturi

Specifies the URI of the logout page

Note: For ADF security enabled applications, logouturi should be configured based on the logout guidelines in Configuring Centralized Logout for Sessions Involving 11g WebGates:

  • For an 11g WebGate, obtain the logouturi value from the 11g WebGate Administrator.

  • A 10g WebGate requires a logouturi value of "/oamsso/logout.html".

autologinuri

Specifies the URI of the autologin page.

The procedure to configure domain-level jps-config.xml for a Fusion Web application with Oracle ADF Security enabled is part of a larger task. With the exception of the command syntax, all tasks are the same for Access Manager 10g and 11g.

See:

A.2.1 Sample SSO Configuration for Access Manager

The SSO service configuration entered with the procedure described in Securing Applications with Oracle Platform Security Services (see the tasks involving Access Manager SSO providers and the OAM Configuration Example) is written to the file jps-config.xml. The data specified includes:

  • A particular SSO service

  • The auto-login and auto-logout URIs

  • The authentication level

  • The query parameters contained in the URLs returned by the selected SSO service

  • The appropriate settings for token generation

The following fragment of a jps-config.xml file illustrates the configuration of an Access Manager SSO provider. Some values are merely placeholders for actual content. Your configuration should contain values for your implementation.

Example A–1 Sample SSO Configuration for Access Manager

<propertySets>
  <propertySet name = "props.auth.url">
    <property name = "login.url.BASIC" value = "http://host:port/oam_login.cgi?level=BASIC"/>
    <property name = "login.url.FORM" value = "http://host:port/oam_login.cgi?level=FORM"/>
    <property name = "login.url.DIGEST" value = "http://host:port/oam_login.cgi?level=DIGEST"/>
    <property name = "autologin.url" value = "http://host:port/obrar.cgi"/>
    <property name = "logout.url" value = "http://host:port/logout.cgi"/>
    <property name = "param.login.successurl"  value = "successurl"/>
    <property name = "param.login.cancelurl"   value = "cancelurl"/>
    <property name = "param.autologin.targeturl" value = "redirectto"/>
    <property name = "param.autologin.token"   value = "cookie"/>
    <property name = "param.logout.targeturl"   value = "targeturl"/>
  </propertySet>

  <propertySet name = "props.auth.uri">
    <property name = "login.url.BASIC" value = "/${app.context}/adfAuthentication?level=BASIC"/>
    <property name = "login.url.FORM" value = "/${app.context}/adfAuthentication?level=FORM"/>
    <property name = "login.url.DIGEST" value = "/${app.context}/adfAuthentication?level=DIGEST"/>
    <property name = "autologin.url" value = "/obrar.cgi"/>
    <property name = "logout.url" value = "/oamsso/logout.html"/>
  </propertySet>

  <propertySet name = "props.auth.level">
    <property name = "level.anonymous" value = "0"/>
    <property name = "level.BASIC"    value = "1"/>
    <property name = "level.FORM"    value = "2"/>
    <property name = "level.DIGEST"   value = "3"/>
  </propertySet>
</propertySets>

<serviceProviders>
  <serviceProvider name = "sso.provider"
    class = "oracle.security.jps.internal.sso.SsoServiceProvider" 
    type = "SSO">
    <description>SSO service provider</description>
  </serviceProvider>
</serviceProviders>

<serviceInstances>
  <serviceInstance name = "sso" provider = "sso.provider">
    <propertySetRef ref = "props.auth.url"/>
    <propertySetRef ref = "props.auth.level"/>
    <property name = "default.auth.level" value = "2"/>
    <property name = "token.type" value = "OAMSSOToken"/>
    <property name = "token.provider.class" value = "oracle.security.wls.oam.providers.sso.OAMSSOServiceProviderImpl"/>
  </serviceInstance>
</serviceInstances>

<jpsContexts default = "default">
  <jpsContext name = "default">
    <serviceInstanceRef ref = "sso"/>
  </jpsContext>
</jpsContexts>

A.2.2 SSO Provider Configuration Details

Note the following important points:

  • Any SSO provider must define the URI for at least the FORM login with the property login.url.FORM. The value need not be a URL.

  • If the application supports a self-registration page URI or URL, it must be specified with the property autologin.url.

  • If the SSO solution supports a global logout URI or URL, it must be specified with the property logout.url. The OAM solution supports global logout.

  • The following properties, illustrated in Example A–1, are optional:

    • param.login.successurl

    • param.login.cancelurl

    • param.autologin.targeturl

    • param.autologin.token

    • param.logout.targeturl

  • The use of the variable app.context in URI specifications (for instance, in values within the property set props.auth.uri) is allowed only for ADF applications when integrating with the Access Manager solution.

  • The property set props.auth.level is required.

  • The reference to props.auth.url is required.

  • The property sso.provider.class within a service instance of the SSO provider is the fully qualified name of the class implementing a specific SSO solution.

    In the case of the OAM solution, the provided class name is oracle.security.wls.oam.providers.sso.OAMSSOServiceProviderImpl.

  • The property name default.auth.level within a service instance of the SSO provider must be set to "2", as illustrated in Example A–1.

  • The property token.type within a service instance of the SSO provider is required.

    This token type identifies the token set on the HTTP request by the SSO provider upon a successful authentication; after the first authentication, the SSO provider uses this token to ensure that the user does not need to be reauthenticated and that the user's sign-on is still valid. In the case of the OAM solution, the token type must be OAMSSOToken, as illustrated in Example A–1.

  • The property token.provider.class within a service instance of the SSO provider is the fully qualified name of the token class, and it is provider-specific.

  • An application that implements self-registration logic and wants to automatically log in a user after successful self-registration must call the OPSS autoLogin API; to allow this call, the application must be granted a code source permission named CredentialMapping with class JpsPermission.

    The following fragment of the file system-jazn-data.xml illustrates the specification of this permission to the application MyApp:

    <grant>
      <grantee>
        <codesource>
          <url>file:${domain.home}/servers/MyApp/-</url>
        </codesource>
      </grantee>
      <permissions>
        <permission>
          <class>oracle.security.jps.JpsPermission</class>
          <name>CredentialMapping</name>
        </permission>
      </permissions>
    </grant>
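As an added example (not Oracle code and not part of this documentation), the following Python script checks a domain-level jps-config.xml fragment against the rules in this section (login.url.FORM defined, props.auth.level and the reference to props.auth.url present, ${app.context} confined to props.auth.uri, default.auth.level set to "2", token.type OAMSSOToken, the Access Manager token.provider.class) and checks a system-jazn-data.xml fragment for the CredentialMapping grant. The XML samples are constructed here from Example A–1 and the grant above and are wrapped in <jpsConfig> and <jazn-data> root elements purely so that they parse stand-alone; those wrapper names, the constructed broken variant, and the rule interpretations are assumptions based on this section, not on the OPSS schema.

```python
"""Added example (not Oracle code): lint the SSO provider section of a domain-level
jps-config.xml against the rules in A.2.2, and check system-jazn-data.xml for the
CredentialMapping grant. The XML samples are constructed and wrapped in a root element."""
import xml.etree.ElementTree as ET

OAM_TOKEN_PROVIDER = "oracle.security.wls.oam.providers.sso.OAMSSOServiceProviderImpl"

# Constructed sample that follows Example A-1, trimmed to the properties the rules touch.
GOOD_CONFIG = """<jpsConfig>
<propertySets>
  <propertySet name="props.auth.url">
    <property name="login.url.FORM" value="http://host:port/oam_login.cgi?level=FORM"/>
    <property name="logout.url" value="http://host:port/logout.cgi"/>
  </propertySet>
  <propertySet name="props.auth.uri">
    <property name="login.url.FORM" value="/${app.context}/adfAuthentication?level=FORM"/>
  </propertySet>
  <propertySet name="props.auth.level">
    <property name="level.FORM" value="2"/>
  </propertySet>
</propertySets>
<serviceProviders>
  <serviceProvider name="sso.provider" class="oracle.security.jps.internal.sso.SsoServiceProvider" type="SSO"/>
</serviceProviders>
<serviceInstances>
  <serviceInstance name="sso" provider="sso.provider">
    <propertySetRef ref="props.auth.url"/>
    <propertySetRef ref="props.auth.level"/>
    <property name="default.auth.level" value="2"/>
    <property name="token.type" value="OAMSSOToken"/>
    <property name="token.provider.class" value="oracle.security.wls.oam.providers.sso.OAMSSOServiceProviderImpl"/>
  </serviceInstance>
</serviceInstances>
</jpsConfig>"""

# Constructed broken variant: four deliberate defects against the A.2.2 rules.
BAD_CONFIG = (GOOD_CONFIG
    .replace('name="props.auth.level"', 'name="props.auth.levels"')                  # required set misnamed
    .replace('value="http://host:port/logout.cgi"', 'value="/${app.context}/logout.cgi"')  # app.context misuse
    .replace('name="default.auth.level" value="2"', 'name="default.auth.level" value="1"')
    .replace('<property name="token.type" value="OAMSSOToken"/>', ""))               # token.type dropped

# Constructed system-jazn-data.xml fragment carrying the grant shown in A.2.2.
JAZN_DATA = """<jazn-data><jazn-policy>
<grant>
  <grantee><codesource><url>file:${domain.home}/servers/MyApp/-</url></codesource></grantee>
  <permissions><permission>
    <class>oracle.security.jps.JpsPermission</class><name>CredentialMapping</name>
  </permission></permissions>
</grant>
</jazn-policy></jazn-data>"""


def _props(elem):
    """Map property name -> value for the <property> children of elem."""
    return {p.get("name"): p.get("value") for p in elem.findall("property")}


def lint_sso_config(xml_text):
    """Return the rule violations found (empty list when the configuration passes)."""
    root = ET.fromstring(xml_text)
    findings = []
    psets = {ps.get("name"): _props(ps) for ps in root.iter("propertySet")}
    # Every SSO provider must define at least the FORM login (a URI is enough).
    if not any("login.url.FORM" in props for props in psets.values()):
        findings.append("no property set defines login.url.FORM")
    if "props.auth.level" not in psets:
        findings.append("property set props.auth.level is required")
    # ${app.context} is permitted only inside props.auth.uri (ADF applications).
    for set_name, props in psets.items():
        for key, value in props.items():
            if set_name != "props.auth.uri" and "${app.context}" in (value or ""):
                findings.append(f"{set_name}/{key}: ${{app.context}} is allowed only in props.auth.uri")
    sso_providers = {sp.get("name") for sp in root.iter("serviceProvider") if sp.get("type") == "SSO"}
    instances = [si for si in root.iter("serviceInstance") if si.get("provider") in sso_providers]
    for inst in instances:
        name, props = inst.get("name"), _props(inst)
        refs = [r.get("ref") for r in inst.findall("propertySetRef")]
        if "props.auth.url" not in refs:
            findings.append(f"{name}: propertySetRef to props.auth.url is required")
        findings += [f"{name}: propertySetRef {r} has no matching propertySet" for r in refs if r not in psets]
        if props.get("default.auth.level") != "2":
            findings.append(f'{name}: default.auth.level must be "2"')
        if "token.type" not in props:
            findings.append(f"{name}: token.type is required")
        elif props["token.type"] != "OAMSSOToken":
            findings.append(f"{name}: token.type must be OAMSSOToken for Access Manager")
        if props.get("token.provider.class") != OAM_TOKEN_PROVIDER:
            findings.append(f"{name}: token.provider.class is not the Access Manager token provider")
    return findings


def has_credential_mapping_grant(jazn_xml, app_name):
    """True when a grant for the application's code source carries JpsPermission CredentialMapping."""
    root = ET.fromstring(jazn_xml)
    for grant in root.iter("grant"):
        if not any(f"/servers/{app_name}/" in (u.text or "") for u in grant.iter("url")):
            continue
        for perm in grant.iter("permission"):
            if (perm.findtext("class") == "oracle.security.jps.JpsPermission"
                    and perm.findtext("name") == "CredentialMapping"):
                return True
    return False
```

Calling lint_sso_config(GOOD_CONFIG) returns an empty list, while lint_sso_config(BAD_CONFIG) reports five findings, each naming the property set or service instance it applies to, so a wrong default.auth.level or a dropped token.type is caught before the application is deployed rather than at the first login redirect. The grant check only confirms that the permission exists for the named application's code source; it does not interpret the code source URL beyond the /servers/<app>/ path segment used in the fragment above.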