Detailed Logging for ADF Security

is possible to get more information about what security checks are happening and failing when you run an application with ADF Security enabled. The answer is yes. Just go to the Run / Debug / Profile entry in the project properties and edit the run profile (or create a new one) and add the following parameter to the Java Options field:
-Djps.auth.debug.verbose=true

Then when you run you'll get a huge amount of output showing each check and the status - rather like this:

[JpsAuth] Check Permission    PolicyContext:        [unsecuredtuhra2#V2.0]    Resource/Target:      [sessiondef.fragments_searchUIPageDef_BasicEmployeeSearchCriteriaQuery_VCTree_Root_internal_vcival_def_34_DynamicRegion]    Action:               [view]    Permission Class:     [oracle.adf.share.security.authorization.RegionPermission]    Result:               [FAILED]    Evaluator:            [ACC]    Failed ProtectionDomain:ClassLoader=sun.misc.Launcher$AppClassLoader@1ea2dfe   CodeSource=file:/C:/builds/R1_Production/jdeveloper/modules/oracle.adf.share_11.1.1/adf-share-support.jar   Principals=total 2 of principals(     1. JpsPrincipal: oracle.security.jps.internal.core.principals.JpsAnonymousUserImpl "anonymous" GUID=null DN=null     2. JpsPrincipal: oracle.security.jps.internal.core.principals

Managing ADF Security Using Oracle Enterprise Manager 11g

from Andrejus Baranovskis's Blog by Andrejus Baranovskis

Recently I had a long meeting on customer side, to discuss and describe various ADF Security management strategies in production environment. Good news - at the end, everyone left this meeting happy and with correct understanding of benefits given by ADF Security. I will describe how you can manage Application and Enterprisesecurity roles, as well as Permissions, after ADF application deployment on production WebLogic server.

Download sample application - ApplicationRoles.zip. This application contains one Application level role -accountants, for testing purposes it is mapped to Enterprise level role - Accountants:

There is test user defined - dev1, granted with Enterprise role:

Application contains one JSPX page and one ADF Task Flow with fragment. JSPX page is granted to be viewable for any authenticated user:

ADF Task Flow only to accountants Application role:

Sample application is configured not to migrate any users or groups defined inside local jazn-data.xml. This means we will consume users and groups defined in WebLogic server, without uploading those ones from development environment:

After deploying application, I can see there are no users uploaded from development environment, thats what I want:

Now, when deployment is done, we can open application control screen in Oracle Enterprise Manager 11g. There is Security group in the menu - it gives access to application policies and roles. This means we can manage ADF Security directly, even after application was deployed on the server, without redeployment:

I can see two Application Policies defined based on authenticated-role and accountants roles:

We can access Application Role - accountants:

And see details for this role:

Interesting thing, I can still see that Application Role accountants is mapped to Accountants group (Enterprise Role). It should not be visible, because with deployment profile I have declared not to upload any users or groups from development environment. I will try to delete this mapping:

However, delete operation fails with error - such role is not found:

This means it is good practice to remove any mapping between Application and Enterprise Roles in development environment, before doing actual deployment:

After removing role mapping in jazn-data.xml and redeploying, I can see correct picture - no Groups assigned to Application Role:

Now I will switch to WebLogic console, and I will define new Group (Enterprise Role) - FinanceG. This role may come from Active Directory, etc:

I have defined new user on WebLogic server as well - john:

This user is granted with group - FinanceG:

Now its time to open Oracle Enterprise Manager 11g and map FinanceG group with Application Role -accountants:

Through Oracle Enterprise Manager 11g we can browse and assign groups from WebLogic server. All users fromFinanceG group, will be able to access resources protected by accountants Application Role:

Login as user john, granted FinanceG group:

Both - page and ADF Task Flow are rendered:

If I would login as user scott, who is not granted with FinanceG group:

Region from ADF Task Flow will not be rendered, thats correct because user scott is not authorized to access this region without accountants Application Role:

Let's say organization security policy is changing and it is not allowed anymore to show Countries page without proper role assignment. You may think, application change and redeployment will be required. However, there is easy way - we can change Application Policies directly in Oracle Enterprise Manager 11g. Open Application Policies screen and select main page permission granted to authenticated role:

Grant this permission to accountants Application Role:

Remove authenticated role from the list:

Application becomes secured completely only by accountants Application Role:

All users from different groups, not mapped with accountants Application Role, will be unauthorized to access application (user scott in this case):