JDeveloper and Virtual Private Database(VPD) Help Needed - JDeveloper and ADF

A vpd allows different users to log into a system and retrieve
information commensurate with their security role. We would like
to use JDeveloper to build a JSP application running off an
oracle database(8.1.7) with a VPD.
Is there a way we can use the jbo datatags to allow different
users to log into the application. this would effect the
jbo:application tags as well as the business components which
are tied to a particular connection.
Any help is greatly appreciated :)


Jdev 10g & authentication in a Struts application

I'm a Struts newbie trying to implement authentication for a Struts application (jdev 10.1.3 EA). JAAS doesn't seem to be useful for the application so, I'm planning on implementing custom, form-based (username + password) authentication logic. The initial authentication can use username + password but once the credentials have been verified session cookies can be used for request authentication.
Access to application content (static html, jsps, servlets) must to be available only for authorized parties except for some exceptions such as the login page.
What kinds of solutions are typically being employed for this?
By the way, which version of Struts is included with jdev 10.1.3 EA? 1.1?
-- aspa 
this document shows you how to use a pluggable login module which integrates into the framework:
if you use this it will handle all of your authentication and authorisation needs including session management and automatically populating audit columns in ADF. As it uses a standard J2EE based authorisation mechanism all of your role/access is defined in web.xml.
it may seem complex at first, but worth investing the time in getting it working.
take two on that URL :)
ps: this is an older paper, but may be helpful for some background:
I read the article you referenced, thanks for the pointer.
I need to support both http basic authentication for system to system as well as form based authentication for regular users simultaneusly in the same application. The user information is stored a database while passwords are in an Apache password file. From what I read from the article it seems that a custom login module could be written for this case based on the DBTableLoginModule presented. But what about supporting http basic authentication and form based authentication in the same time?
In my application users can belong to from 0 to n groups. Group membership is not global however, a user can belong to groups x and y in workspace A and to groups p and q in workspace B. Navigation between workspaces happens without the user having to relogin. How do I extend JAAS to handle this scenario?
Access control decisions are based on user identity (group membership) and data object access control lists (ACL). It seems that the declarative part of JAAS seems to be more geared toward authorizing access to web resources (web pages, JSPs etc.) than data objects. The programmatic part (request.isUserInRole("valid_user") doesn't seem to help much either with data object access control since the question that needs to be asked is more of the form "does user U belong to any of the groups that would grant him access R to object D".
I'm a JAAS novice but based on my current understanding I don't really understand what extending JAAS would buy me in this case.
-- aspa 
you would need to decide on one or the other. If you use JAAS then you could dump the Apache security and use JAAS for authentication and the web.xml for authorisation. I beleve that the security control can extend in the model layer (see second document i posted). Remember that JAAS is J2EE based on the configuration in your web.xml and struts-config.xml
Having set up JAAS on a number of small apps I wouldn't consider a custom approach now. Like any framework bending it to fit your approach isn't usually easy; whereas if you use the framework with it's built in mechanisms you can save a lot of time and effort.
Using the second paper as a reference, one thing that you might try is using JAZN in the embedded OC4J that comes with JDev on a test project. Add the security constraints to the web.xml of your application as described on page 5. Then configure the embedded OC4J in Jdev: Tools->Embedded OC4J Server Preferences
Under Current Workspace(project)->Authentication add a login configuration
You can choose basic or jsp style login method. Almost everything should be in the second paper (J2EE Security in Oracle ADF Web Applications)
Not knowing much about your project and design it would be worth trying this first.
now i've read the second paper as well but i still have the following issues i'm unable to solve based on the JAAS articles i've read so far:
- i need to be able to support different authentication mechanisms for the resources simultaneusly. i need to support at least the following mechanisms: HTTP basic authentication, form based (username & password + session cookie) and MS NTLM. how is this requirement handled with JAAS?
- user's can have different group memberships in different workspaces in my application. users are not re-authenticated when they navigate from one workspace to another. how do i set group memberships dynamically with JAAS for the user so that group memberships are automatically updated when switching between workspaces?
- how portable are JAAS login modules? e.g. can i run the DBTableLoginModule on non-Oracle application server?
- access control is data object based (vs. web resource based), for each data object there's a list of groups and operations that each group can perform on the object. there can be millions of data objects so access should be authorized in a database query (performance will hurt if e.g. 5 million objects are loaded from the database and isUserInRole() is called for each). How do i get a list of roles which the user currently has so that i can include that list in the database query for authorization purposes?
any feedback to these issues would be appreciated.
-- aspa

security advice

I developed an application with Jdev 9.0.2. It contains JSP pages which uses bc4j library and business components. I deployed it on a stand alone OC4J and it works fine.
I am not so familiar with security issues. In my project, I use a login page, I get user name and pwd, check them(I hold the values in the database) and create a session object. Then other jsp pages check the session in their fist lines, if the session object is OK then the code runs, otherwise the page redirects to the login page.
Thats all I do about security.
Is it enough? must I add some code,services, etc. to the project. Does anyone use some other security controls in the projects like mine? Any advices ...?
Thansk a lot... 
Would you mind telling me how you get your login page to work on the application. I'm also new to security and I'm trying to implement a user login using JAAS or CustomUserManager, or an equivalent method. Many thanks. 
Hi Jaafar,
I am not using JAAS. I use the database's encyrption methods to encyript and decyript the values. I take the uid/pwd, connect to the database and check. Thats all. It is a good way for password checking but I am not sure if it is a good way or it is enough for whole application's security.
Any advices please ???
Hi Tolga,
From my limited experience with security, I don't see any problems with using the method you described, except that your users are accessing the database directly when they log in. If you use JAAS/JAZN you have an extra layer of security because users log-on to an application-specific realm, which allows to customise security roles and authorisation for each of your applications. If you have the time to configure JAAS or a custom UserManager, it is an advisable security precaution.

Security in an BC4J application

we built an application in a 3 tier architecture with BC4J and deployed this as an EJB on an OC4J (standalone).
At this point we want to make our application more secure. On the application level, we helped us with the standard J2EE security mechanism (EJB security, method access etc).
On the view level we want to implement "database like" security. For example an admin is logged in and for him it is allowed to see all datas and change all datas. But a normal user only see some datas and can only update a few of them.
We found out that a view object is not secured at all. When the user has access rights to the main application module, he can traverse through all child application modules and use any of the view objects that are provided by them. He can operate on the view objects independent from the user who is logged in.
Is there a standard to implement view-level security? Is there any possibility to do this in a declarative manner? Doing this in the client would offend the n-tier principals. We think that this is a server task.
Otherwise someone can write a client which is able to use any view that is provided by an application module and its childs.
JDeveloper: (Build 1347)
OC4J: Oracle Application Server Containers for J2EE 10g (
C. Diemer 
I would also like to hear any ideas on this question. We intend to implement roles in our application. Some roles will allow full access (read/write), some can only read, and some cannot read or write. It looks like we will have to implement this security in the web tier, but ideally we would like to have it in the business tier, securing the view objects themselves.
No specific app server, but we are interested in any solutions, even if they are app server specific. 
sorry, typo there.. Meant version 
We currently have a very clumsy way of doing this and would also appreciate some insight on how to accomplish protecting view objects (or entity objects) based on Database users or roles.
Currently, we are simply querying the current logged in user (logged in using dynamic JDBC credentials) to see if they have a specified role (we have four different roles for our app). If that query returns results we can make descisions on what content to display. Like I said, sloppy but it works! 
You could use Oracle JAAS application security with BC4J. This feature is supported since 9.0.4. If you are using 9.0.5, go to help doc title "Implementing Security in Oracle ADF business Component".
You can define read/update/update_while_new on entity columns based on application roles. See the section "Restricting Access to Database Tables".
Basically just goto Help tab, Full text search on 'Security' or 'JAAS'.
If you have 9.0.4, goto Help Navigator,"Working with Security in BC4J", under section "Developing Business Component"
If you are using >= Oracle 8.1 database you can use the Virtual Private Database feature (VPD, fine grained access control).
Have a look at
- http://govt.oracle.com/~tkyte/article2/
- http://otn.oracle.com/products/jdev/howtos/bc4j/bc4jvpdjaas.html
regards, Markus 
C. Diemer,
I have a whitepaper for review that explains how you can use J2EE secruity roles to make the view dependent from teh user's role memberships. Basically this paper explains how to use and modify Struts tag libraries to make this happen. The paper should be on OTN within the next two weeks.
Using VPD to protect data is a good idea and worth to follow. Using JAAS, compared to J2EE security, is a completely different model that allows to protect attribute sfor read, write and update but doesn't have an impact to how the view renders the secured information.

ADF UIX Role Based Access Control Implementation

Can anybody suggest a detailed example or tutorials of how to implement a role based access control for my ADF UIX application.
The application users can be dymanically added to specific roles (admin, Secretary, Guest). Based on the roles, they should be allowed to access only certain links or ADF entity/view operations. Can this be implemented in a centralized way.
Can this be done using JAZN or JAAS. If so, Please provide me references to simple tutorial on how to do this.
Thanks a lot.
the approach i have used is to define all the users, roles and functions in database tables.
I have subclassed the DataActionForward class (called SecureDataActionForward) and overriden the prepareModel method. The prepareModel method does all the necessary security checks using session and role assignments defined in the database.
All UIX action classes extend SecureDataActionForward so that the security logic is only in one class.
the benefit of this approach is that everything can be configured/maintained via the application and ties in well with audit info etc. 
Hi Brenden,
I'm new to customizing the ADF model. Could you please forward me some samples or tutorials which would help me in customizing the ADF life cycle. Also, How could you restrict access to certain ADF view or entity objects by defining users and their roles in database tables ?
Please clarify and advise.
Thanks a lot.
You can customize the lifecycle itself like we did
That way you dont need to worry about the DataForwardAction,
your lifecycle implementation can handle security and everything else...
Take a look in the ADF Development Guidelines
it explains how to do it, and when to subclass the DataForwardAction or the lifecycle...
Hope it helps...
Eduardo M. Sasso 
That's a really usefull document Eduardo.
I guess the difference is that the processing Lifecyle happens higher up the event model (prior) than the DataForward action, so it is probably more appropriate to do security model checks there.
see page 88 Sathya.
my security model is based on the following tables:
a user may be assigned role(s) in USER_ROLES
a role may have multiple functions (ROLE_FUNCTIONS)
a function equates to a URI such as /xms-app/ManageProfile.do
when the user successfully logs into the app set session variables such as username and role eg.
request.getSession(true).setAttribute(USERNAME, username);
request.getSession(true).setAttribute(ROLE, role);
In the DataAction or LifeCyle classes you have overriden check in the database tables to see if the requested URI exists in the role assigned to the user. get the requested URI using:
if they don't have the required access then forward them appropriately using:
this is the way i have done it. i wanted a security model which is fully configurable my the system admins which is why i created the secutity model in the db.
can you comment on your approach Eduardo? 
I think you are following a valid approach. The default security in J2EE and JAAS (JAZN) is to configure roles and users in either static files (jazn-data.xml) or the Oracle Internet Directory and then use either jazn admin APIs or the OID APIs to programmatically access users, groups and Permissions (your role_functions are Permissions in a JAAS context).
If you modelled your security infrastructure in OID than the database, an administrator would be able to use the Delegated Administration Service (DAS), as web based console in Oracle Application Server. To configure security this way, you would have two options:
1. Use J2EE declarative security and configure all you .do access points in web.xml and constrain it by a role name (which is a user group name in OID). The benefit of this approach is that you can get Struts actions working dirctly with it because Struts actions have a roles attribute.
The disadvantage is that you can't dynamically create new roles because they have to be mapped in web.xml
2. Use JAAS and check Permissions on individual URLs. This allows you to perform finer grained and flexible access control, but also requires changes to Struts. Unlike the approach of subclassing the DataActionForward class, I would subclass the Struts RequestProcessor and change the processRoles method to evaluate JAAS permissions.
The disadvantage of this approach is that it requires coding that should be done carefully not to lock you in to your own implementation of Struts so that you couldn't easily upgrade to newer versions.
1 - 2 have the benefit of that the policies can be used by all applications in an enterprise that use Oracle Application Server and e.g. SSO.
Your approach - as said - is valid and I think many customers will look for the database first when looking at implementing security (so would I).
Two links that you might be interested in to read are:
http://sourceforge.net/projects/jguard/ --> an open source JAAS based security framework that stores the user, roles and permissions in database tables similar to your approach
http://www.oracle.com/technology/products/jdev/collateral/papers/10g/adfstrutsj2eesec.pdf --> a whitepaper I've written about J2EE security for Web applications written with Struts and JavaServer pages. You may not be able to use all of it, but its a good source of information.
thanks Frank. I found your white paper very helpful when i was evaluating the approach for security. I avoided JAAS for reasons already dicussed and also being my first real ADF app i didn't want the technology scope to blow out.
it would be good if future versions of ADF could integrate a database security model into the ADF Lifecyle, as it is something fundamental to almost all apps.
Hi Brenden,
our approach to this was:
we have a security model like yours...
so we customize the lifecycle to dynamically create a iterator and a range binding with the permissions based on the user_roles, so each DataPage we create have this behavior automatically...
then in the view layer (uix) we just set the rendered value of our buttons using the "bindings" variable like
rendered="${bindings.Permission.Cancel eq 'S'}, without using session vars or request parameters...
We are just starting our development with ADF here so i dont know if this approach is the better solution...
Has anyone experiences using Oracle Database Roles instead?
Especially when using BC4J in local mode the JAAS via Oracle Application Server is too expensive for us ...
In Oracle Forms 4.5 the database roles could be used for menu security (menu item only displayed if user has the role assigned. Missing feature in BC4J / JClient. But in forms against a 7.3 / 8.0 database there where big performance problems because of the view FRM45_ENABLED_ROLES.
Is it possible in 9.2 database? There is a database init.ora parameter max_enabled_roles, so i assume that it is not possible to assign a user a few 100 database roles and enable all of them. But perhaps i can assign the roles and check only if it is assigned (but not enable it)
Is there a JAAS implementation based on Oracle Database Roles?
Thanks, Markus 
could you detail your Lifecyle plugin configuration. I am not sure which Lifecycle class to extend and which methods to override.
Also, the proper way to access the ADF data layer from the lifecycle class would be helpful.
Take a look in page in the Chapter 5 of the adf Guidelines, there is a topic called "Oracle ADF Lifecycle" which explains what you have to do...
To access the data layer simply get the reference to your binding container
like this DCBindingContainer bc = ((DataActionContext)lcContext).getBindingContainer();
them you can access your iterators and everything else...
hope it helps 
Thanks Eduardo
Hi Brenden.
I have implemented the solution you've suggested and it looks fine regarding the security issue but the buttons in the pages that extends the SecureDataForwardAction are not working anymore.
Any idea why or what am I missing?
The second problem is that if I access the mypage.uix URL instead of mypage.do the security check is passed by and the page is displayed. Any thoughts on how to work arround this?
Solved the first problem.
Still have the .uix url problem.


there are three solution for Jdeveloper application:
1. each user get a database account
2. single database login, user get application account and application account and role maintained in database table.
3. Web application - container security.
My question is why Oracle doesn't recommend item 2 solution. instead solution 3? 
I don't know that Oracle "doesn't recommend" option 2; I've certainly used each of the 3 options with ADF successfully.
One advantage that options 1 and 3 have over option 2 is that you don't have to "reinvent the wheel"
really? I serch for all the documents and developer guide, can not find any place where mention about solution2.
ok, solution 3 can save us a lot of time for implement security, but how about user account maintainance or user self-registration? Thanks for guide!!! 
I'm currently using ADF security to secure my ADF application.
The user database and roles are stored in database tables and very easy to build user administartion on top of that.
I used the following article to configure my weblogic server to use my user/role tables as my user database instead of the default embedded ldap server:
Sturla Thor 
lets have a look at all of them
+1. each user get a database account+
Though it is possible to use dedicated database accounts using ADF and ADF BC, and a whitepaper exists explaining how to do it, it doesn't really fit to the web model of disconnected clients. It is a waste of server side resources and doesn't scale well. Its a relict from desktop clients and usually used by developers that have to maintain both application types or hook into an infrstaructure that was build for desktop aplications
+ 2. single database login, user get application account and application account and role maintained in database table.
At least this scales. However, you put faith into yur own hands- As said, the database connection is not persistent for a user and instead you will have to set the user context (security context) for each request. Using ADF Business Components you can do so in the prepare session method, reading the authenticated user from the session. However, then you implement your own authorization enforcement into the application (usually some Java code you execute before rendering content or executing business methods.
+3. Web application - container security.+
There are two side to this: Container managed security (a portable mean of authentication and URL pattern based authorization) and JAAS, a fine grained authorization architecture that is well integrated in the Java stack and that allows you to protect reources by the resource target and the authenticated user. Using container managed authentication, the container keeps login handling and ensures that the user is authenticated when accessing a protected resource. Using for example WLS, you can change and combine the authentication provider (including RDBMS based authentication against user tables). This means a lot of flexibility. Using EL or Java in JSF you can authorize UI components and functionality by checking the permission for a specifi resource.
So when we recommend "3" then beause its the right thing to do. However, 2 still is a valid option if security only needs to be implemented for a single application - no doubt about it. However, you can imagine that 2 is an individual - application specific - solution that is hard to write generic documentation about