Tuesday, May 1, 2012

Using JMX Data Control in Oracle ADF to manage users in Weblogic LDAP

Among the key concepts in Oracle ADF are the binding layer and Data Controls. In this post, readers will find an example usage of:
  • ADF JMX Data Control, used to create a user in the Weblogic server embedded LDAP in a declarative way.
  • A custom JSF2 exception factory and handler implementation to handle exceptions coming from the JMX MBean and the JMX ADF Data Control.
Some basic features of ADF's built-in, easy-to-configure authentication and authorization are also touched on in the post.

Use case “User Registration”

The application, available to download and run in JDeveloper R2, implements a simplified use case “User Registration”. It contains one secured page, protected by configuring ADF security, in order to test the login of a user after successful registration:

Two links are displayed on the home page:
The first link navigates to the user registration form:
One click on Submit registration, and a new user with the given name and password is going to be created in the Weblogic embedded LDAP server:
Well, something went wrong. In this case, the password validation policy (deep in the Weblogic security configuration) is not satisfied, so we modify the new password (testpassword1) according to the policy and give it another try. The new user is created successfully:

Following the links Go home and Go to protected area (from the home page), we can now try to access the protected area using the credentials of the user created in the previous step:

The expected result is successful authentication and access granted to the area protected by ADF Security (which is based on JAAS):
Let’s take a look at the Weblogic default security configuration. Open the integrated Weblogic Administrative Console, for example directly from JDeveloper like this:
We can find our user in the Weblogic console (Security Realms > myrealm > Users and Groups):

Please refer to the Weblogic Server documentation for further information about its security configuration and security concepts.

The steps used to create a sample application in JDeveloper (fast forward)

Start JDeveloper, create a new Custom Application named UserRegistrationApp with a project named JMXDataControlSample, and create a Java (bean) class UserBean.java with the properties username and password. Note the use of @ManagedBean together with @ViewScoped (one of the new JSF2 scopes).
Create an ADF bounded task flow named register-user-task-flow-definition.xml. The unbounded task flow adfc-config.xml is created implicitly.
As a further step, three views were created by D&D and wired like this:
The view home (page home.jsf) in the unbounded task flow adfc-config.xml serves as an entry point.

The control flow case protected navigates to a page protected by ADF authentication and authorization. Access to the protected page is granted to authenticated-role (one of the built-in roles provided by Oracle Platform Security Services). HTTP Basic Authentication was chosen in the JDeveloper wizard Configure ADF Security.

The page named protected is meant to show a secured area protected by ADF security, so an empty page definition was created by right-clicking on it and selecting “Go to Page Definition” in the context menu. Pages with a page definition are automatically protected by ADF security once it is enabled, so view access for the other pages and the user registration flow was granted to anonymous-role.

The page registerUser is a container for the bounded task flow register-user-task-flow-definition.xml (embedded as a region by D&D), which provides the user registration form.

Register User task flow

The bounded task flow register-user-task-flow-definition.xml contains one view with a page fragment userRegistrationForm.jsff to display the new user registration form.
A basic layout was used to put it into shape, together with input fields bound to the attributes of UserBean and buttons for the appropriate actions.

The control flow case submitRegistration navigates to the method binding createUser provided by the JMX Data Control. The following chapter describes the steps used to create it in more detail.

Creating JMX Data Control to access embedded LDAP server in Weblogic

NOTE: start the integrated Weblogic and check that it is up and running before doing the following steps.

In the JDeveloper menu File -> New, choose JMX Data Control in the New Gallery:

Click on OK. The editor Define JMX Data Source shows up:
Click on the + icon (Add) to add a JMX Connection:
Provide a name for the connection (localWeblogic), check the port (7101 in this case), and check that the integrated Weblogic is running; start it otherwise. Check the connection by clicking on Test Connection, then click OK and Next. Step 2: the editor “Choose Fully Qualified MBeans” is displayed:
Choose myrealmDefaultAuthenticator and add it to the Selected panel as displayed in the picture. Attention: pick myrealmDefaultAuthenticator from the DefaultServer tree node (there is also one with the same name a level higher, at the Security node), otherwise you will get an NPE at run time.

Other JMX MBeans of the Weblogic server are also listed and accessible this way. Refer to the Weblogic server documentation, such as Developing Custom Management Utilities with JMX, for a further description of them and their usage.

Next: the default settings were taken for all following steps. We have got a new JMX Data Control as the result:
The operation createUser is available for D&D in ADF. Of course, all other operations provided by the MBean can be used the same way, for example to integrate user management functionality (addMemberToGroup, changeUserPassword etc.) into a custom ADF application.

As referenced in James Bayer's blog, the embedded Weblogic LDAP can be used to manage “reasonably small environments (10,000 or fewer users)”.

The usage of JMX Data Control is also described in Edwin Biemond's blog. One comment in that blog points to some problems related to Weblogic embedded LDAP access, so I proceed with the description of my sample application in order to show how to achieve that.

Drag the method createUser and drop it on the flow diagram of register-user-task-flow-definition.xml. The following dialog shows up:

Note: we need to type the value expressions for the input parameters manually (unfortunately, the EL Expression Builder in JDeveloper R2 is still lacking here: our bean is not visible in it):
  • userName: #{userBean.username}
  • password: #{userBean.password}
  • description: static text was used in the sample.
Click on OK and open the page definition with the bindings for createUser (JDeveloper created it behind the scenes). It is supposed to look like this (after doing the D&D):

The action binding createUser points to the method iterator myrealmDefaultAuthenticatorIterator, which points to our JMXDataControl.
There is one additional iterator in the panel Executables: createUserIterator.
Delete it :) Otherwise the operation createUser gets executed twice.

The bindings and executables sections should look like this:

By doing these steps we integrated some functionality of a JMX provider (the embedded LDAP server in Weblogic) into ADF in a declarative way.
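
What the createUser action binding amounts to when the same MBean operation is invoked over plain JMX, as an added example (not code from the original post or its sample application). It assumes the Weblogic JMX client classes are on the classpath, the runtime MBean server of the integrated server on localhost:7101, and that the authenticator is registered under the ObjectName shown; the class name CreateRealmUser is hypothetical.

```java
import java.io.Console;
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanException;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.naming.Context;

public class CreateRealmUser {
    public static void main(String[] args) throws Exception {
        // Assumptions: integrated Weblogic on localhost:7101 (the port used in the post),
        // Weblogic JMX client classes on the classpath, run from an interactive terminal.
        Console console = System.console();
        if (console == null || args.length != 2) {
            System.err.println("usage (interactive): CreateRealmUser <adminUser> <newUser>");
            return;
        }
        // Passwords are prompted for so they never appear in the process list or shell history.
        String adminPassword = new String(console.readPassword("Password for %s: ", args[0]));
        String newPassword = new String(console.readPassword("Password for new user %s: ", args[1]));

        JMXServiceURL url = new JMXServiceURL("t3", "localhost", 7101,
                "/jndi/weblogic.management.mbeanservers.runtime");
        Map<String, Object> env = new HashMap<String, Object>();
        env.put(Context.SECURITY_PRINCIPAL, args[0]);
        env.put(Context.SECURITY_CREDENTIALS, adminPassword);
        env.put(JMXConnectorFactory.PROTOCOL_PROVIDER_PACKAGES, "weblogic.management.remote");

        JMXConnector connector = JMXConnectorFactory.connect(url, env);
        try {
            MBeanServerConnection mbs = connector.getMBeanServerConnection();
            // Assumed ObjectName of the authenticator the post selects in the wizard.
            ObjectName authenticator = new ObjectName("Security:Name=myrealmDefaultAuthenticator");
            String[] signature = { "java.lang.String", "java.lang.String", "java.lang.String" };
            mbs.invoke(authenticator, "createUser",
                    new Object[] { args[1], newPassword, "created via JMX" }, signature);
            System.out.println("Created " + args[1]);
        } catch (MBeanException e) {
            // The MBean's own exception (for example a password policy violation) is the cause.
            System.err.println("createUser rejected: " + e.getCause().getMessage());
        } finally {
            connector.close();
        }
    }
}
```

The JMX connection authenticates as a Weblogic administrative user, so any page that exposes this operation to anonymous-role, as the registration form does, runs it with that user's privileges.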

Dealing with exceptions

A new facility provided by JSF2 (described in the blog post JSF2 global exception handling) was used to create and configure a global exception handler in the sample application to deal with ADF-specific exceptions thrown by the JMX Data Control.
In our sample use case in particular, the information transported by the exception is also meaningful for users: password validation rules etc.
The source code of CustomExceptionHandlerFactory.java, together with its comments, provides additional implementation details.

The JSF2 custom exception handler factory is configured in faces-config.xml:


Global exception handling provided by JSF2 is a powerful option worth exploring and considering in ADF applications (from JDeveloper R2) in order to consolidate application-specific error processing in a single global place.
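
A sketch of such a factory and handler, as an added example (not the CustomExceptionHandlerFactory.java from the sample application). It is registered through the `<exception-handler-factory>` element inside `<factory>` in faces-config.xml; the class name SampleExceptionHandlerFactory and the list of exception types whose message is shown to the user are assumptions to adapt to what your server actually throws.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.faces.application.FacesMessage;
import javax.faces.context.ExceptionHandler;
import javax.faces.context.ExceptionHandlerFactory;
import javax.faces.context.ExceptionHandlerWrapper;
import javax.faces.context.FacesContext;
import javax.faces.event.ExceptionQueuedEvent;

public class SampleExceptionHandlerFactory extends ExceptionHandlerFactory {
    private static final Logger LOG = Logger.getLogger("registration");
    // Assumption: root-cause types whose message is written for end users
    // (password policy violated, user name already taken).
    private static final Set<String> USER_SAFE = new HashSet<String>(Arrays.asList(
            "weblogic.management.utils.InvalidParameterException",
            "weblogic.management.utils.AlreadyExistsException"));
    private final ExceptionHandlerFactory parent;

    public SampleExceptionHandlerFactory(ExceptionHandlerFactory parent) { this.parent = parent; }

    @Override
    public ExceptionHandler getExceptionHandler() {
        final ExceptionHandler wrapped = parent.getExceptionHandler();
        return new ExceptionHandlerWrapper() {
            @Override public ExceptionHandler getWrapped() { return wrapped; }

            @Override public void handle() {
                Iterator<ExceptionQueuedEvent> it = getUnhandledExceptionQueuedEvents().iterator();
                while (it.hasNext()) {
                    Throwable top = it.next().getContext().getException();
                    Throwable root = top;
                    while (root.getCause() != null && root.getCause() != root) root = root.getCause();
                    // Full wrapper chain and stack trace go to the server log only.
                    LOG.log(Level.WARNING, "Unhandled exception in JSF lifecycle", top);
                    // Anything not on the allowlist gets a generic text, so internals do not leak.
                    String text = USER_SAFE.contains(root.getClass().getName())
                            ? root.getMessage() : "The request could not be processed.";
                    FacesContext.getCurrentInstance().addMessage(null,
                            new FacesMessage(FacesMessage.SEVERITY_ERROR, text, null));
                    it.remove();
                }
                wrapped.handle();
            }
        };
    }
}
```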


The sources of the sample application are available on github to explore, modify and use for your specific project needs.

7 comments:

  1. Thanks for the great effort, but after I created a user I can't enter the protected page!!!

  2. Hi Mahmoud,

    it looks like ADF security works by protecting the page:)
    Ok, let's walk through to check it.
    1) User is created - you can find it in weblogic console?
    Please assign the user to Administrators group in weblogic console
    and test a login to weblogic console using credentials of the user. In case of success the password of the user is validated.
    2) ADF Security - it is basically the simplest configuration used in a sample and it is well documented at Oracle® Fusion Middleware Fusion Developer's Guide for Oracle Application Development Framework
    11g Release 2, 35 Enabling ADF Security in a Fusion Web Application -
    http://docs.oracle.com/cd/E29049_01/web.1112/e16182/adding_security.htm#BGBCEDDD

    So, one possibility without knowing an exact environment is to run ADF Security wizard and re-enable ADF security (choose HTTP Basic Authentication in a wizard)

    The second part might be to check Authorization Grants (JDeveloper Menu - Application -> Security -> Resource Grants etc). An access to protected page should be granted to Application-role authenticated-role.

    Hope that helps, Regards Donatas

  3. Nice post :), is there a way to retrieve all the users to select which user to remove?

  4. Hello, this sample runs on integrated Weblogic but does not run on remote Weblogic. Why?
