When you click on the Action menu there's one option - "Login". If you look at the source you'll see that this triggers a pop-up for you to enter your credentials:
```xml
<af:menuBar id="pt_mb1">
  <af:menu text="Action" id="pt_m2" textAndAccessKey="&amp;Action">
    <!-- Shown only while the user is not authenticated; opens the login pop-up -->
    <af:commandMenuItem text="Login" id="pt_cmi2"
                        rendered="#{!securityContext.authenticated}">
      <af:showPopupBehavior popupId="loginPopup" triggerType="action"/>
    </af:commandMenuItem>
    <!-- Shown only once the user is authenticated -->
    <af:commandMenuItem text="Logout" id="pt_cmi3"
                        action="#{login.performLogout}"
                        rendered="#{securityContext.authenticated}"/>
  </af:menu>
</af:menuBar>
```

We're going to get rid of that pop-up login box and switch over to an OAM login page. To do that there are only three simple things that need to be changed:
- Configure OAM to protect the ADF authentication URL but leave everything else unprotected
- Configure the OAM Identity Asserter
- Change the web.xml to work with OAM
- Change the login menu option to force you through the ADF authentication URL which is protected by OAM
```xml
<auth-method>CLIENT-CERT,FORM</auth-method>
<form-login-config>
  <form-login-page>/login.html</form-login-page>
  <form-error-page>/error.html</form-error-page>
</form-login-config>
```

This will almost certainly work (he had CLIENT-CERT), but just to be sure it's always better to just specify only the CLIENT-CERT authentication method. So my web.xml now says:
```xml
<auth-method>CLIENT-CERT</auth-method>
```

(Note that I deleted the form-login-config section since it's not needed with CLIENT-CERT.)

Step 4: Change the login menu option to force you through the ADF authentication URL which is protected by OAM

There are two steps here - replacing the menu option and adding code to kick you into the process.

Step 4.1 I replaced the Login menu option above with a new chunk of code:
```xml
<af:commandMenuItem text="Login via OAM" id="pt_cmi4"
                    rendered="#{!securityContext.authenticated}"
                    action="#{login.performOAMLogin}" />
```

This makes the new menu option appear (note that I left the old "Login" option there for this screen shot):

Step 4.2 Then we need to add a small chunk of code to the bean that gets called when you invoke login.performOAMLogin from the JSF page:
```java
// Imports needed by the backing bean (JSFUtils is a helper class, not part of the JSF API)
import java.io.IOException;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public String performOAMLogin() {
    HttpServletRequest request = JSFUtils.getHttpServletRequest();
    HttpServletResponse response = JSFUtils.getHttpServletResponse();
    FacesContext ctx = JSFUtils.getFacesContext();
    // Tell JSF to stop processing this page; we are about to redirect
    ctx.responseComplete();
    // Come back to the current view after authenticating
    String loginUrl = request.getContextPath()
        + "/adfAuthentication?success_url=/faces" + JSFUtils.getRootViewId();
    try {
        // Must be a browser redirect (not a forward) so OAM sees the request
        response.sendRedirect(loginUrl);
    } catch (IOException ioe) {
        reportUnexpectedLoginError("IOException", ioe);
    }
    return null;
}
```

That code tells JSF to stop processing the page and redirects the user to "/adfAuthentication" with the query string set to "?success_url=/faces/" plus the current view. In other words: go over to adfAuthentication (which is protected by OAM) and then, once you get there, come back here. /adfAuthentication is, as the name implies, part of the ADF framework. We can't do an internal "forward" of the request because we need the web browser to make a request directly so that OAM (which is running in the web server) sees it and forces the user to log in.

That's all there is to it.
Now when the user clicks the menu button they'll make a request to a protected resource and will see a login page. After they log in, the OAM Identity Asserter will re-establish their identity to the container before they reach /adfAuthentication. The /adfAuthentication URL will do some work and then redirect them back to the JSF view they were looking at when they decided to log in.
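The bean method above concatenates the view id into the success_url query parameter as-is. The following is an added example, not code from the original post: one way to build the same /adfAuthentication redirect with the value percent-encoded and restricted to an application-local path. The class and method names are hypothetical, the inputs in main are constructed, and it assumes the servlet container decodes the parameter before /adfAuthentication reads it.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

// Added example: hypothetical helper, not part of ADF or of the original bean.
public class OamLoginUrl {

    // contextPath: value of request.getContextPath()
    // viewId: current JSF view id, expected to look like "/home.jspx"
    static String build(String contextPath, String viewId) {
        // Accept only a single-slash, application-local path so the
        // return target can never name another host or scheme.
        if (viewId == null || !viewId.startsWith("/") || viewId.startsWith("//")
                || viewId.contains("\\") || viewId.contains("://")) {
            throw new IllegalArgumentException("view id is not an application-local path");
        }
        // Reject CR, LF, NUL and other control characters outright.
        for (int i = 0; i < viewId.length(); i++) {
            if (Character.isISOControl(viewId.charAt(i))) {
                throw new IllegalArgumentException("control character in view id");
            }
        }
        try {
            // Encode the whole value so '&', '#' or '?' inside a view id
            // cannot add or truncate parameters on the login URL.
            String successUrl = URLEncoder.encode("/faces" + viewId, "UTF-8");
            return contextPath + "/adfAuthentication?success_url=" + successUrl;
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e); // UTF-8 is always supported
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one normal view id, three that must be refused.
        System.out.println(build("/myapp", "/home.jspx"));
        String[] rejected = { "//other.example/x", "http://other.example/", "/a\r\nb" };
        for (String viewId : rejected) {
            try {
                build("/myapp", viewId);
                System.out.println("accepted (unexpected)");
            } catch (IllegalArgumentException expected) {
                System.out.println("rejected: " + expected.getMessage());
            }
        }
    }
}
```

In the bean, the result of build(request.getContextPath(), JSFUtils.getRootViewId()) would take the place of the hand-built loginUrl string.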