
ADF Tutorial: How to map roles to a user when they log in.

ADF Security provides a strong and robust security framework that lets you set up security for your application in an easy, quick and understandable way. Also, if it is properly configured with, for example, WebLogic authentication providers, then all your enterprise roles coming from, say, Oracle Internet Directory (LDAP) can be mapped automatically, with very little configuration, to your application roles. However, sometimes you might need to do part of this process manually. We are not going to discuss in this post the best way and practices for achieving the task with the framework rather than implementing it yourself. Instead, we are going to illustrate one way to do so, based on some assumptions, regardless of whether they make sense for your application.

So this is the scenario: we are using ADF Security to authenticate users, but their roles are not coming along, so we need to add them manually. Let's start by showing the users we have added to our jazn-data.xml. Ideally, users would come from some kind of authentication provider. Note that they don't have any roles assigned. YET!

[Screenshot: users defined in jazn-data.xml, with no roles assigned]

These are the enterprise roles we have created in our jazn-data.xml. Each enterprise role is mapped to an application role.

[Screenshots: the enterprise roles in jazn-data.xml and the mapping of each one to an application role]

Also, we have created a simple page displaying two panel boxes. One is visible to users that have been assigned the application role 'Manager' and the other to users with the application role 'Employee'.

[Screenshots: the page with the two panel boxes, each shown only to its application role]

At this point we haven't done anything else. Let's see what happens if we run the application as it is (note that when we configured ADF Security, we chose to create a default login page).

Let's log in as TheManager. What should we expect?

[Screenshots: the login page, and the result of logging in as TheManager before any page grants exist]

Exactly! We need to grant permission on the pages.

[Screenshot: the page grant added in jazn-data.xml]

We try to log in again as TheManager and what do we get?

[Screenshot: TheManager logged in; neither panel box is shown]

Exactly again! At this point, the only thing this user has in common with Manager is its name. The same happens with any of the other users. This is where the trick comes in.

There are several ways to execute a Java method just after a user has been authenticated. For illustrative purposes, we will do it through a servlet Filter, so we create a class that implements the javax.servlet.Filter interface.

[Screenshot: the new filter class]

Then we need to add the WebLogic API library to our project, so that we can add roles to the logged-in user at run time from Java.

[Screenshot: adding the WebLogic API library to the project]

Our class looks like this: it overrides the doFilter method and applies some very simple logic. We attach the "Enterprise Roles" to the logged-in user, and the framework takes care of mapping them to the correct application roles.

[Screenshot: the filter's doFilter implementation]

We are almost there; we just need to add our filter to web.xml. In this case, it will be executed whenever a request for home.jsf reaches the server.

[Screenshot: the filter and filter-mapping entries in web.xml]
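As an added example (not the post's own code, which is only visible in the screenshots above), here is what such a filter can look like end to end: the class from the "create a filter" step, the doFilter logic, and the web.xml registration. The package name, the class name RoleMappingFilter, the user-to-enterprise-role table and the URL pattern are assumptions. The WebLogic calls used are Security.getCurrentSubject() (the one the first comment asks about), SubjectUtils and WLSGroupImpl from the WebLogic API library; that the post's own filter attaches the groups the same way is an assumption.

```java
package com.example.adfsec;                 // assumed package name

import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import weblogic.security.Security;               // WebLogic API (weblogic.jar on the classpath)
import weblogic.security.SubjectUtils;
import weblogic.security.principal.WLSGroupImpl;

/**
 * Attaches enterprise roles (WebLogic groups) to the already authenticated
 * subject. ADF Security then maps those enterprise roles to application roles
 * (Manager, Employee, ...) through the mapping in jazn-data.xml, exactly as it
 * would if the groups had come from LDAP.
 *
 * Assumed web.xml registration. The filter must run AFTER the container has
 * authenticated the user, and on every protected URL, not only home.jsf:
 *
 *   <filter>
 *     <filter-name>RoleMappingFilter</filter-name>
 *     <filter-class>com.example.adfsec.RoleMappingFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>RoleMappingFilter</filter-name>
 *     <url-pattern>/faces/*</url-pattern>
 *   </filter-mapping>
 */
public class RoleMappingFilter implements Filter {

    // Constructed sample table: user name -> enterprise roles. In a real
    // deployment this comes from a trusted store (database, LDAP, ...); it is
    // part of your authorization boundary, so never derive it from request data.
    private static final Map<String, List<String>> USER_TO_ENTERPRISE_ROLES =
            new HashMap<String, List<String>>();
    static {
        USER_TO_ENTERPRISE_ROLES.put("TheManager",        Arrays.asList("Managers"));
        USER_TO_ENTERPRISE_ROLES.put("TheEmployee",       Arrays.asList("Employees"));
        USER_TO_ENTERPRISE_ROLES.put("TheFirstAssistant", Arrays.asList("Assistants"));
    }

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Subject of the caller on this thread; anonymous before login.
        Subject subject = Security.getCurrentSubject();
        assignEnterpriseRoles(subject, USER_TO_ENTERPRISE_ROLES);
        chain.doFilter(request, response);
    }

    public void destroy() { }

    /**
     * Adds a WLSGroupImpl principal for each enterprise role mapped to the
     * subject's user. Idempotent: roles the subject already holds are skipped,
     * so the filter can safely run on every request. Returns the roles added.
     */
    static List<String> assignEnterpriseRoles(Subject subject, Map<String, List<String>> mapping) {
        List<String> added = new ArrayList<String>();
        if (subject == null || SubjectUtils.isUserAnonymous(subject) || subject.isReadOnly()) {
            return added;                      // not authenticated, or principal set is sealed
        }
        List<String> roles = mapping.get(SubjectUtils.getUsername(subject));
        if (roles == null) {
            return added;                      // unknown user: grant nothing
        }
        for (String role : roles) {
            if (!SubjectUtils.isUserInGroup(subject, role)) {
                subject.getPrincipals().add(new WLSGroupImpl(role));
                added.add(role);
            }
        }
        return added;
    }
}
```

Two things worth checking in your own version: the filter's url-pattern. If it only matches home.jsf, a user who opens another protected page directly never passes through it and gets no roles, so map it to the whole protected area; and the order of filters in web.xml, because the filter is useless if it runs before the user has been authenticated. The lookup is done by user name and the group list lives inside the application, so anyone who can change that table can change who is a Manager; treat it with the same care as the LDAP groups it stands in for.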

Now, if we try to log in again as TheManager?

[Screenshots: TheManager logged in; the Manager panel box is now visible]

Cool! What about TheEmployee?

[Screenshots: TheEmployee logged in; the Employee panel box is visible]

And TheFirstAssistant?

[Screenshots: the result for TheFirstAssistant]

So this is how you COULD implement role assignment programmatically if you are using ADF Security on WebLogic Server. Keep in mind that whatever source the filter uses to decide which enterprise roles a user gets is now part of your authorization boundary, so it has to be as trustworthy as the directory it replaces.

4 comments

  1. ohood


    .getCurrentSubject(); not found

    • oralution


      Hi,

Make sure you are using the correct Security object. It comes from the weblogic.security package.

      Regards

  2. Anil


This example has the user credentials configured in ADF. What if the user was maintained in Active Directory, how will you manage roles? Will the securityContext object have access to these roles, and how?

    • oralution_admin


      Hi Anil,

      Sorry for the late reply. But basically yes, it will work the same if the user was maintained in Active Directory or any other supported LDAP. That is the beauty of this abstraction.
