Comments on Oracle Fusion Middleware Security: Hands-on WSRP Security in Oracle Fusion Middleware
Chris Johnson (Oracle)
Last updated: 2023-05-22T03:03:54.478-07:00

Bill, 2010-09-07T09:54:09.905-07:00

On the Portlet Producer side, do I need to first configure the 'Token Profile' as 'WSS 1.0 SAML Token with Message Protection' when I register the WSRP Portlet Producer?

Andre Correa, 2010-09-07T11:34:58.996-07:00

Hi Bill, which JDev build are you using? I didn't have to do that. In fact, I did it manually by updating oracle-webservices.xml.

Bill, 2010-09-07T12:37:52.498-07:00

Build JDEVADF_11.1.1.3.PS2_GENERIC_100408.2356.5660

I think I'm just confused on which application I'm invoking the WSRP Connection Wizard from. It appears that I should be invoking the portlet producer wizard from the 'Application Resources - Connections' (as opposed to the 'Resource Palette') associated with my WebCenter Application (the consumer) and not from my Fusion application (the producer). Is this correct?

Also when I 'Create Portlet Entry' on my Task Flow in my Fusion application none of my application role information defined for the task flow is populated in the portlet.xml file. The only role that appears is the 'valid-users' role. Is this correct?

Andre Correa, 2010-09-07T16:32:43.013-07:00

Bill, I misunderstood your first question. You're referring to "Securing the Consumer" section. That's done from the client's perspective. You're basically registering a portlet producer in your consumer app.

You don't see the app roles in portlet.xml. Your application roles are defined in jazn-data.xml. valid-users is a JavaEE role, acting as a glue between JavaEE and OPSS, but that deserves a brand-new article. :-)

Bill, 2010-09-09T06:58:12.987-07:00

Andre, I finally got it working - actually I have it working using the integrated WebLogic Server and JDeveloper. I just deploy my source portlet application using the admin console rather than 'point and deploy'.

There is just one issue that needs a little clarification in your article. When I create a Portlet Producer (from a Task Flow exposed as a portlet), the User Categories page in the wizard only displays role-names that are defined in the producer's portlet.xml file and not the roles defined in the jazn-data.xml file. So I add the relevant application roles to the portlet.xml file manually. Otherwise I don't get anything displayed in the User Categories page.

Bill, 2010-09-17T12:09:27.984-07:00

Andre, I'm having an 'access denied' problem after deploying my portlet producer app to my development WebCenter Spaces server. Both the WebCenter Spaces page and the portlet producer are running within the same domain. The message I'm getting in the logs is:

    oracle.fabric.common.PolicyEnforcementException: access denied (oracle.wsm.security.WSIdentityPermission resource=webcenter assert)

Could this be caused by both the consumer and producer using the same keystore?

Andre Correa, 2010-09-17T16:21:20.179-07:00

Not really, Bill.

This looks like a new requirement (or bug) in FMW PS2. Add the following code-source grant in your client application jazn-data.xml and redeploy it, or directly edit the WLS domain system-jazn-data.xml. Add it to the outermost <jazn-policy> element in that file, where code-source grants are kept.

    <grant>
      <grantee>
        <codesource>
          <url>file:${common.components.home}/modules/oracle.wsm.agent.common_11.1.1/wsm-agent-core.jar</url>
        </codesource>
      </grantee>
      <permissions>
        <permission>
          <class>oracle.wsm.security.WSIdentityPermission</class>
          <name>resource=webcenter</name>
          <actions>assert</actions>
        </permission>
      </permissions>
    </grant>

Bill, 2010-09-20T14:02:59.751-07:00

Andre, adding the codesource grant worked. Thanks for your help!

Maria Célia, 2010-09-30T13:09:34.750-07:00

Dear, I understood everything
kisses
love you lots

Tomy, 2011-01-17T05:33:43.524-08:00

Andre, thanks to your post, I finally got WSRP security with authenticated users. :-)

My problem resides now on anonymous users. I have configured the policy on the producer's oracle-webservice.xml, as well as "anonymous" as the default user on the consumer.

I also followed instructions (http://download.oracle.com/docs/cd/E14571_01/webcenter.1111/e12405/wcadm_portlet_prod.htm#WCADM326) to add the "strict-authentication" flag and the proper grant to the policy store on the producer side.

The portlet renders as "Portlet unavailable", and the log shows the following exception:

    Caused by: javax.xml.rpc.soap.SOAPFaultException: FailedAuthentication : Não foi possível autenticar o token de segurança.
        at oracle.j2ee.ws.client.StreamingSender._raiseFault(StreamingSender.java:668)
        at oracle.j2ee.ws.client.StreamingSender._sendImpl(StreamingSender.java:474)
        at oracle.j2ee.ws.client.StreamingSender._send(StreamingSender.java:147)
        at oracle.portlet.wsrp.v2.soap.runtime.WSRP_v2_Markup_Binding_SOAP_Stub.initCookie(WSRP_v2_Markup_Binding_SOAP_Stub.java:359)
        at oracle.portlet.wsrp.v2.WSRP_v2_Markup_PortTypeJaxbToSoap.initCookie(WSRP_v2_Markup_PortTypeJaxbToSoap.java:676)
        at oracle.portlet.wsrp.v2.ServerToWSRPv2.initCookie(ServerToWSRPv2.java:18294)
        at oracle.portlet.client.connection.wsrp.ActivityServerWrapper.initCookie(ActivityServerWrapper.java:2410)
        ... 23 more

I've searched the Oracle docs and the web, and found absolutely nothing about this error. Am I missing something? Any help would be much appreciated!

Tomy Inhauser
(JDeveloper 11.1.1.3.0 with Integrated WLS)