Monday, September 28, 2009

ADF and OES, part one of many

Before I get into the guts of a post allow me to introduce myself. I'm Chris Johnson (nice to meet you) and, like Josh and Brian, am a member of the Fusion Middleware Architecture Group; AKA the A-Team (cue theme music here). When Josh started this blog he invited me to join in and I promised to do so. Today I make good on that promise with this, the first of a number of posts on using OES to secure an ADF Web Application. This post will cover getting an OES enabled WebLogic domain to startup properly and run your ADF based web app. The second post will show how to write OES policies to protect URLs. And finally in the third post I'll discuss how to really dig down into the app and apply OES' fine grained access control to secure links, buttons, tabs and other components.

Oracle Entitlements Server is a product that we've discussed here before. For new readers the quickest way to describe OES is as a way to take all of the authorization logic out of your application and put it in a better tool with central configuration and management. OES is to the authorization logic as something like OAM or SiteMinder is to the login code you used to keep in your application.

Oracle Application Development Framework (ADF) is "an end-to-end Java EE framework that simplifies development by providing out of the box infrastructure services and a visual and declarative development experience." ADF is a complete framework for developing applications, but the easiest bit to bite off first is ADF Faces. If you're familiar with JSF you can think of ADF as a bunch of really high quality AJAX based UI components for JSF plus a great development environment (JDeveloper) plus a bunch of other stuff to make your life easier.

ADF has a security framework can be used on its own or in conjunction with OES but in these posts I'm going to pretend that ADF just JSF. I'm doing this intentionally for a number of reasons, the most important of which is a desire to document and describe how to use OES with JSF alone. Truth be told another part is that while I know quite a bit about OES I actually know fairly little about ADF since I just began using it to build my OpenWorld demonstration part time a couple of weeks ago. I'll be telling you more about my session in another post soon enough.

As with all posts on this site please remember to check the current support status of the products before planning a production deployment. As of this writing the OES Security Module for WebLogic is not currently supported on WebLogic 11g R1, but as Josh mentioned in the first of his OES + SOA Suite posts it does seem to work just fine.

The basic environment I'm using is:
  • Oracle Enterprise Linux
  • WebLogic 11g R1
  • Oracle Entitlement Server 10gR3 Admin Server (with CP2)
  • Oracle Entitlement Server 10gR3 Security Module (with CP1)
  • JDeveloper 11g R1

I created my application in JDeveloper and was able to test as I went along with the built in WebLogic Server. Once I reached a reasonable point I wanted to deploy it into a standalone OES-enabled WebLogic Server domain. The steps I took were:
  1. Create a WebLogic domain using the Configuration Wizard
  2. use the OES Config Tool to create your SSM instance and load the basic policies needed to boot the domain
  3. switch the default security realm back to myrealm
  4. boot the domain
  5. use the WebLogic console to adjust the security providers so that OPSS will work
  6. switch the default security realm back to OES
  7. boot your domain
  8. celebrate

The first couple of steps are well documented elsewhere, but I'll cover them quickly here just for completeness.

Create WebLogic Domain
The Fusion Middleware Configuration Wizard will create a new WebLogic Server domain or extend an existing domain. On Windows you can find that tool in your Start Menu, on Unix it's in Oracle/Middleware/wlserver_10.3/common/bin/ Because ADF uses the Java Runtime Framework (JRF) if you're using ADF rather than simple JSF pages remember to check the JRF box when creating your WebLogic Domain!

Use the Config Tool to create an SSM
The OES ConfigTool will create an SSM instance, load the policies necessary to boot the WebLogic domain and will configure WebLogic to use the OES Database Authenticator as well as the Authorization, Role Mapping and Audit Providers.

If you try to start your WebLogic Server at this point you'll get an exception from "Exception while getting default policy Provider". If you read through the error you'll see another error "No Default or LDAP Authenticator configured on WLS". Josh discussed using the Default Authenticator and I want to use LDAP anyway so...

Switch the default security realm back to myrealm
Make a backup of the config/config.xml file, then edit the original with Notepad, vi, emacs or any other plain text editor. Search for the line that contains default-realm and change the value from whatever it currently says to myrealm but take careful note of the value you have there as you will need it later.

Boot your domain
run and boot your domain

Adjust the WebLogic Security Providers
I already mentioned that Josh discussed the DefaultAuthenticator so here's my shameless copy/paste of what he said:

Next, log into the weblogic console http://localhost:7001/console, and create the DefaultAuthenticator and the DefaultIdentityAsserter. Set the JAAS Control Flag on both the DefaultAuthenticator and the DatabaseAuthenticator to SUFFICIENT and order the DefaultAuthenticator first (I'll explain why in a second).

Oh, so the reason for having to have a specific ordering on the authentication providers, and having the DefaultAuthenticator first and sufficient is that the DatabaseAuthenticator adds a special IdentityDirectoryPrincipal, that JDeveloper doesn't have the classes - so I simplified this by "tweaking" the realm. In practice, the DatabaseAuthenticator is not really used, but it is the authentication provider that is created by default in the configtool. This is really just a minor issue, but I wanted people to understand why the change.

If you're going to use JDeveloper to deploy your app to the domain then you should follow his instructions. If you've already deployed the application to the domain or don't plan to use JDeveloper to do that you can go ahead and plug in an LDAP Authenticator instead.

In any case remember to set the order properly and make the DefaultAuthenticator sufficient if you use it. Once you've made the changes shut the WebLogic Server down.

Switch the default security realm back to OES
Edit config.xml again, being sure to reload it from disk to pick up the changes we made a moment ago. Again find the default-realm and change the value back to what was there originally.

Boot your domain
Run startWebLogic again and the domain should startup normally. Wait until you see it reach the RUNNING state before pouring your margarita, martini or beer, then by all means enjoy!

Next up - securing your JSPs, Servlets and JSF pages with OES.


  1. You are a genius, I was looking for something like that for a long time, because actually I am working into an integration between ADF and OES. I wait for your next post, that is going to help me a lot,

    Thanks again,

  2. Leandro,

    I think Chris is flying across the Atlantic now to a customer, so I'll ask:

    What part of ADF+OES integration is most important to you and your customers? OES used to secure Pages? TaskFlows? EntityObjects? Called from EL against say the render property?

    Help us understand your scenario.



  3. Hi Josh,

    Thanks for answer me. I am doing a workshop in which I am going to demonstrate how to integrate jsp and OES. In my case I am using ADF to create the Web Page. At this moment I am testing the tags into ADF and I need to know if you have a manual to help me with that integration,


  4. Hi Josh,

    I create a user in OES and when I log into the app, that show me that:

    Error 403--Forbidden

    I don´t know what is the problem, because I am loging into the app with the default user: Weblogic


  5. Leandro,

    There are a lot of reasons why this could be happening.

    Start here:

    Sorry, "fat fingered" the HTML. Try this link

  6. Thank you very much for the link. Now I am going to debug to view the access policy,


  7. leandro,

    If you turn on logging in OES, specifically the authentication, authorization and (often most helpfully) debugstore your problem will most likely reveal itself.

    Contact me directly by email with your logs and I'll help you find the problem.

    Good luck!

  8. Hi Chris,

    Thanks for all, I have solve that problems but I need to know if it is possible to migrate from an application created in 11g, with ADF and Weblogic 10.3.1, to 10g with weblogic 10.2?


  9. leandro,

    Second post is up and I think it may answer your question.


  10. Hi,

    is the OES ConfigTool mentioned above the same as the DBConfig tool being used when installing OES? if not, where can i get this OES ConfigTool?


  11. The OES config tool is not the same as the DBConfig tool. The DBConfig tool is used to setup the database before installing the Admin Server. The ConfigTool is part of the Security Module kit and you can find it in the adm directory of each Security Module install.

    For example in ales32-ssm/wls-ssm/adm


  12. Thanks Chris!

    It's been a while since i last checked this post. I managed to find the configtool a few weeks back. however, i keep on getting this error from the console:

    2010-02-24 10:32:16,568 [Main Thread] ERROR - Error: Weblogic server is already running (ret:1)
    2010-02-24 10:32:16,584 [Main Thread] ERROR - *** Error Message: Error: Weblogic server is already running (ret:1)

    from the configtool.log, is seems that it was not able to find the IsServerRunning.bat:

    2010-02-24 10:32:15,522 [Main Thread] DEBUG - Executing: C:/DOCUME~1/rosen0b/LOCALS~1/Temp/AlesConfig.performAlesChecks32261\IsServerRunning.bat
    2010-02-24 10:32:16,053 [C:/DOCUME~1/rosen0b/LOCALS~1/Temp/AlesConfig.performAlesChecks32261\IsServerRunning.bat] DEBUG - stderr: The system cannot find the path specified.

    2010-02-24 10:32:16,568 [C:/DOCUME~1/rosen0b/LOCALS~1/Temp/AlesConfig.performAlesChecks32261\IsServerRunning.bat] DEBUG - stderr: Exception in thread "Main Thread" java.lang.NoClassDefFoundError: weblogic/WLST

    2010-02-24 10:32:16,568 [Main Thread] ERROR - Error: Weblogic server is already running (ret:1)
    2010-02-24 10:32:16,568 [Main Thread] DEBUG - Error performing checks Error: Weblogic server is already running (ret:1)
    2010-02-24 10:32:16,584 [Main Thread] ERROR - *** Error Message: Error: Weblogic server is already running (ret:1)

  13. Hi Chris,

    Thanks for all your post. It helped us to resolve some of our issues. Now, we are running into this issue, when we try to start the weblogic server. We would appreciate if you could provide us some support.

    We have created the WLS SSM and have configured the Default Authentication provider (as mentioned above) and DataBase authenticaction provider. Both the providers are set to "SUFFICIENT".

    Note: When we have the default Authorization provider (XACMLAuthorizer) and Role Mapping Provider (XACMLRoleMapper) it works.

    However, when we configure the Authorization provider to (ASIAuthoritationProvider) and Role Mapping Provider (ASIRoleMapperProvider) the server does not start and we see the following error,

    subsystem failed. Reason: Use
    r weblogic is not permitted to boot the server; The server policy may have chang
    ed in such a way that the user is no longer able to boot the server.Reboot the s
    erver with the administrative user account or contact the system administrator t
    o update the server policy definitions. User weblogic is not permitte
    d to boot the server; The server policy may have changed in such a way that the
    user is no longer able to boot the server.Reboot the server with the administrat
    ive user account or contact the system administrator to update the server policy
    BootAuthorization(Unknown Source)
    itialize(Unknown Source)
    at S
    Truncated. see log file for complete stacktrace

  14. Hi Chris,

    This issue is resolved now. The policies were not properly distributed to the WLS SSM. We corrected them and the weblogic server is able to restart successfully


  15. HI Chris,
    We are also working on the same concept. We have configured and application server is started properly. We have one issue, i.e we have application to be secured and the login page is the initial page to be loaded which has the form based authentication.

    Now when i am able to hit the application, it was asking the Basic Authentication, and authentication is success for “weblogic” user since i have given access to "weblogic" user.

    How to remove the basic authentication since login page is the initial page which should be accessed by everyone like it should not be protected.

    Appreciate for your kind help.

    Thanks and Regards,

  16. Hi Chris,hope you're ok! Sorry for the bother but I’ve already made the whole workarounds about the problem I’m facing, but I’m still stucked in the following error when I try to boot my WLS. I’d tried your solution too but it did’t work.I mean, I can boot the server if I change -Myapp- to -myrealm- and I make all the changes but it did’t work. I’m using OES with patch 4, WLS 10.3.0 and SSM with patches 2,3 and 4. I would really apreciate if you give me some light here. Thanks in advance - ArmeNOTREADY Exception: Engine did not recieve initial policy

  17. By the way I'm using 'enroll demo' mode

  18. Sridar

    If you're using the same security model I did (i.e. J2EE rather than ADF) then you need to unprotect the login page and configure the web.xml's forms login section to point to that page.

    Then turn on OES' debugging (especially DebugStore) and try again.

    The basic auth box could be coming up because you don't have a user named "anonymous" defined in the user store and/or the anonymous user doesn't have access to the login page.

    Either way turning on OES' debug logging should make the problem more obvious.



Note: Only a member of this blog may post a comment.