Implement JAAS based Authentication and Authorization for ADF Faces applications on OC4J 10.1.3


Implementing JAAS based security – or at least Authentication and (role based) Authorization – in JSF applications is a joint responsibility of the Application and the Application Server. 

The Application has to:

  • specify which security roles it recognizes
  • indicate which resources (URLs) are to be secured and to which role(s) each category of resources should be made accessible
  • determine which method of login-challenge is used (the standard browser login-popup or a custom login page)

All of these are indicated in the web.xml file. 

In its turn, the Application Server will

  • check for each request if the requested resource is a secured one
  • if it is, it will verify whether the user has already been authenticated in the current session ("do we know who it is?")
    if not, it will present the login challenge and subsequently attempt authentication using the username and password data submitted by the user
    if authentication fails, either an error page or the login challenge again is presented to the user; no access is given to the requested resource
  • now that it knows who the user is, the application server will determine if the user has at least one of the roles required for accessing this secured resource
    if he/she does – the request is passed on to the application
    if he/she does not – an error code is returned to the browser if not, the request is passed on to the application

OC4J 10.1.3 uses JAAS based authentication and authorization. That means that it relies on an implementation of a more or less standardized interface for authenticating a user from username/password data as well as inspecting the role-membership for a user. The JAAS loginmodule – as this implementation is called – uses some form of repository with user and role data – typically an XML file or a database. The most straightforward implementation of a JAAS loginmodule – and the default on OC4J – uses the system-jazn-data.xml (or application specific jazn-data.xml) repository for storing usernames, (encrypted) passwords and role-memberships. Alternatively OC4J has a LDAP (e.g. OID) based loginmodule as well as the option to configure custom JAAS loginmodules.

In this article, we will see how to implement Authentication and Authorization for the world’s simplest ADF Faces application, that demonstrates all features – including logout, presenting the name of the logged in user and hide & display of elements depending on the role of the current user. We will deploy this simplest of applications on the Embedded OC4J 10.1.3 server in JDeveloper as well as on a Stand-alone OC4J instance. This article only discusses file based (jazn-data.xml) repositories. In a subsequent article we will see how we can use our own custom Database based mechanism for Authentication and Authorization.


Our Application – SecureWebApp – consists of three pages. One is accessible to all users, even the non-authenticated ones. Another is accessible to all roles: normaluser and manager – but contains some elements the normaluser may either not see or modify. The third one is only accessible to the manager.

Step one – Configuring the web.xml file

The web.xml contains three pieces of security related information: which roles matter for the applications, which resources (URL patterns) are to be secured and to which roles is each accessible and finally what login-method is to be used.

Roles in the application

These are defined in the security-role element within the web-app element:

    &lt;security-role&gt;<br />        &lt;description&gt;Normal User&lt;/description&gt;<br />        &lt;role-name&gt;normaluser&lt;/role-name&gt;<br />    &lt;/security-role&gt;<br />    &lt;security-role&gt;<br />        &lt;description&gt;Administrator, Super User&lt;/description&gt;<br />        &lt;role-name&gt;manager&lt;/role-name&gt;<br />    &lt;/security-role&gt;<br />&nbsp;

Secure(d) Resources

Using security-constraints we specify the URL patterns of categories of secure resources – indicating for each category to which roles access is available.

    &lt;security-constraint&gt;<br />        &lt;web-resource-collection&gt;<br />            &lt;web-resource-name&gt;SuperSecurePages&lt;/web-resource-name&gt;<br />            &lt;url-pattern&gt;faces/page/SuperSecure/*&lt;/url-pattern&gt;<br />        &lt;/web-resource-collection&gt;<br />        &lt;auth-constraint&gt;<br />            &lt;role-name&gt;manager&lt;/role-name&gt;<br />        &lt;/auth-constraint&gt;<br />    &lt;/security-constraint&gt;<br />    &lt;security-constraint&gt;<br />        &lt;web-resource-collection&gt;<br />            &lt;web-resource-name&gt;Normal Secure Pages&lt;/web-resource-name&gt;<br />            &lt;url-pattern&gt;faces/page/NormalSecure/*&lt;/url-pattern&gt;<br />        &lt;/web-resource-collection&gt;<br />        &lt;auth-constraint&gt;<br />            &lt;role-name&gt;normaluser&lt;/role-name&gt;<br />            &lt;role-name&gt;manager&lt;/role-name&gt;<br />        &lt;/auth-constraint&gt;<br />    &lt;/security-constraint&gt;<br />&nbsp;

Here we have created two constraints, for the NormalSecure resources and SuperSecure resources. For each category, we have specified the roles that are allowed to access the resources.

Login Configuration 

The final piece of setup to perform in the web.xml file is specifying the way for the user to provide credentials. Using the login-config element in the web.xml, we can choose from four methods of login. The one we use is the custom login-page: we provide a JSP that the user can use to login:

    &lt;login-config&gt;<br />        &lt;auth-method&gt;FORM&lt;/auth-method&gt;<br />        &lt;form-login-config&gt;<br />            &lt;form-login-page&gt;/Login.jsp&lt;/form-login-page&gt;<br />            &lt;form-error-page&gt;/Login.jsp&lt;/form-error-page&gt;<br />        &lt;/form-login-config&gt;<br />    &lt;/login-config&gt;<br />&nbsp;

JDeveloper provides a wizard style interface for creating all these entries in the web.xml file. Open the right mouse button menu on web.xml, select the option Properties and the editor pops up. Editing Security Constraints looks like this:


Step two – Create the Login page

The Login.jsp we have configured in the previous step can be any page we like, with our very own format. There are just a few requirements, to ensure that the Application Server can recognize the credential-information and request Authentication from the JAAS loginmodule. These requirements are:

  • a form with action=j_security_check
  • input element called j_username
  • input element called j_password

A very simple implementation of our Login.jsp could look like this:

&lt;!DOCTYPE HTML PUBLIC &quot;-//W3C//DTD HTML 4.01 Transitional//EN&quot;<br />&quot;;&gt;<br />&lt;%@ page contentType=&quot;text/html;charset=UTF-8&quot;%&gt;<br />&lt;html&gt;<br />  &lt;head&gt;<br />    &lt;meta http-equiv=&quot;Content-Type&quot; content=&quot;text/html; charset=UTF-8&quot;/&gt;<br />    &lt;title&gt;Login&lt;/title&gt;<br />  &lt;/head&gt;<br />  &lt;body style=&quot;font-family:sans-serif; background-color:rgb(214,231,255); color:rgb(0,0,255);&quot;&gt;<br />          &lt;form action=&quot;j_security_check&quot; method=&quot;post&quot;&gt;<br />      &lt;span style=&quot;font-size:xx-large; font-weight:bold;&quot;&gt;<br />        The Secure Application<br />      &lt;/span&gt;<br />      &lt;hr/&gt;<br />      &lt;h2&gt;<br />        Login:<br />      &lt;/h2&gt;<br />      &lt;table cellspacing=&quot;3&quot; cellpadding=&quot;2&quot; border=&quot;0&quot; width=&quot;100%&quot;&gt;<br />            &lt;tr&gt;<br />              &lt;td width=&quot;120&quot;&gt;<br />                &lt;b style=&quot;whitespace:nowrap&quot;&gt;Username&lt;/b&gt;<br />              &lt;/td&gt;<br />              &lt;td&gt;<br />                &lt;input type=&quot;text&quot; name=&quot;j_username&quot;/&gt;<br />              &lt;/td&gt;<br />            &lt;/tr&gt;<br />            &lt;tr&gt;<br />              &lt;td width=&quot;120&quot;&gt;<br />                &lt;b&gt;Password&lt;/b&gt;<br />              &lt;/td&gt;<br />              &lt;td&gt;<br />                &lt;input type=&quot;password&quot; name=&quot;j_password&quot;/&gt;<br />              &lt;/td&gt;<br />            &lt;/tr&gt;<br />            &lt;tr&gt;<br />              &lt;td&gt;&amp;nbsp;&lt;/td&gt;<br />              &lt;td&gt;<br />                &lt;input type=&quot;submit&quot; name=&quot;logon&quot; value=&quot;Login&quot;/&gt;<br />              &lt;/td&gt;<br />            &lt;/tr&gt;<br />          &lt;/table&gt;<br />         &lt;/form&gt;&lt;p&gt;<br />      (c) AMI
S - (2002-20
06) - <br />      &lt;a href=&quot;;&gt;<br /><br />      &lt;/a&gt;<br />    &lt;/p&gt;&lt;/body&gt;<br />&lt;/html&gt; <br />

When executed, this page looks as follows:


Step 3a – (optional) Configuring the Users and their Roles with the application

Typically all users and their roles will be managed by the Application Server administrator, typically through the Enterprise Manager Console or alternatively in the configuration files such as application.xml and system-jazn-data.xml. However, when the the (initial) list of users is known in advance, it can be configured in the application before deployment to save work after deployment. Especially in a development environment with frequent deployment on the Embedded OC4J server in JDeveloper, this can be very convenient.

In our example, we create a file called jazn-data.xml in the src\META-INF directory of our project. Note: a convenient way of correctly creating this file is from the New Gallery in JDeveloper: New, General – Deployment Descriptors, OC4J Deployment Descriptor Wizard – pick option jazn-data.xml in Step 1 of 2 in this wizard. Our file looks like this:

&lt;?xml version = '1.0' encoding = 'UTF-8' standalone = 'yes'?&gt;<br />&lt;jazn-data xmlns:xsi=&quot;;<br />           xsi:noNamespaceSchemaLocation=&quot;;<br />           filepath=&quot;&quot; OC4J_INSTANCE_ID=&quot;&quot;&gt;<br /> &lt;!-- JAZN Realm Data --&gt;<br /> &lt;jazn-realm&gt;<br />  &lt;realm&gt;<br />   &lt;name&gt;;/name&gt;<br />   &lt;users&gt;<br />    &lt;user&gt;<br />     &lt;name&gt;me&lt;/name&gt;<br />     &lt;credentials&gt;!me&lt;/credentials&gt;<br />    &lt;/user&gt;<br />    &lt;user&gt;<br />     &lt;name&gt;you&lt;/name&gt;<br />     &lt;credentials&gt;!you&lt;/credentials&gt;<br />    &lt;/user&gt;<br />    &lt;user&gt;<br />     &lt;name&gt;her&lt;/name&gt;<br />     &lt;credentials&gt;!her&lt;/credentials&gt;<br />    &lt;/user&gt;<br />   &lt;/users&gt;<br />   &lt;roles&gt;<br />    &lt;role&gt;<br />     &lt;name&gt;manager&lt;/name&gt;<br />     &lt;members&gt;<br />      &lt;member&gt;<br />       &lt;type&gt;user&lt;/type&gt;<br />       &lt;name&gt;me&lt;/name&gt;<br />      &lt;/member&gt;<br />     &lt;/members&gt;<br />    &lt;/role&gt;<br />    &lt;role&gt;<br />     &lt;name&gt;normaluser&lt;/name&gt;<br />     &lt;members&gt;<br />      &lt;member&gt;<br />       &lt;type&gt;user&lt;/type&gt;<br />       &lt;name&gt;me&lt;/name&gt;<br />      &lt;/member&gt;<br />      &lt;member&gt;<br />       &lt;type&gt;user&lt;/type&gt;<br />       &lt;name&gt;her&lt;/name&gt;<br />      &lt;/member&gt;<br />      &lt;member&gt;<br />       &lt;type&gt;user&lt;/type&gt;<br />       &lt;name&gt;you&lt;/name&gt;<br />      &lt;/member&gt;<br />     &lt;/members&gt;<br />    &lt;/role&gt;<br />   &lt;/roles&gt;<br />  &lt;/realm&gt;<br /> &lt;/jazn-realm&gt;<br /> &lt;!-- JACC Repository Data --&gt;<br /> &lt;jacc-repository/&gt;<br />&lt;/jazn-data&gt;<br /><br />&nbsp;

In order to ensure that this application specific jazn-data.xml is picked up by the application server (and its contents merged into the system-jazn-data.xml file on the application server) we have to also create an application specific orion-application.xml file. This file can be initiated from the New Gallery in the same way as the jazn-data.xml file. It should look like this:

&lt;?xml version = '1.0' encoding = 'UTF-8'?&gt;<br />&lt;orion-application xmlns:xsi=&quot;;<br />                   xsi:schemaLocation=&quot;<br />         ; version=&quot;10.0&quot;<br />                   xmlns=&quot;;&gt;<br />  &lt;jazn  provider=&quot;XML&quot; location=&quot;./jazn-data.xml&quot; default-realm=&quot;;/&gt;<br />&lt;/orion-application&gt; <br />

and be located also in src/META-INF.

Step 3b – (alternatively) Configure the Users and their Roles with the application server

Instead of creating our own application specific jazn-data.xml file, we can also add the information from that file directly to the system-jazn-data.xml file on the application server (OC4J_HOME\j2ee\home\config or JDEV_HOME\jdev\system\oracle.j2ee.\embedded-oc4j\config for the embedded OC4J server in JDeveloper) or indirectly through the Enterprise Manager console.

Step 4 – Create the application’s pages

Okay, typically you would probably have created the application’s pages by now. In fact, configuring security and developing the application itself can largely be parallel processes. Only when elements inside pages should be dynamically switched on or off depending on the level of authorization of the current user is the application impacted by the security set up.

in this example I have created three very simple (and I really mean very simple) JSF JSP pages with minimal content, just to show the idea.

Step 5 – Deploy and Run the Application

From within JDeveloper, we can now simply run any of the pages in our web application. If it is a secured one, we will be sent to the Login page by the application server. If not, we can access it directly.

We can also package the application in a WAR file (or EAR) and deploy it on the OC4J application server. Note that the orion-application.xml and jazn-data.xml file are only included in the EAR file, not in the war.

Useful Security related extensions 

We will discuss a number of security related features that you probably will want to implement in your ADF Faces application. The JDeveloper Application you can download at the end of this article implements all of these features, to give you a working example of what they look like. 

Displaying the currently logged in user

The name of the currently logged in user is readily available in your application. In JSF application, we can use the following EL expression to access the username:

<span class="code-quote">#{}</span><br /> <br />

The ADF PanelPage element has a facet that is specifically designed in the BLAF guidelines to display the user:

&lt;f:facet name=<span class="code-quote">&quot;infoUser&quot;</span>&gt;<br />  &lt;af:outputFormatted value=<span class="code-quote">&quot;logged in as #{}&quot;</span> /&gt;<br />&lt;/f:facet&gt;&nbsp;<br />&nbsp;


Adding a Logout facility to the application

Being able to login to an application is certainly useful if we want to make use of JAAS based Authentication and Authorization. Being able to logout again – and possibly login as another user – is also quite useful, especially during development of the application as well as for applications that will have end-users who can take on multiple identities. Logging out effectively means giving up the identity associated with the current session. This can be done with a little code in a managed bean, that we can associate with a logout link or button. 

The method that logs a user out of his current identity looks like this:

<span class="code-keyword">public</span> void logout() <span class="code-keyword">throws</span> IOException {<br />    ExternalContext ectx =<br />    FacesContext.getCurrentInstance().getExternalContext();<br />    HttpServletResponse response =<br />    (HttpServletResponse)ectx.getResponse();<br />    HttpSession session = (HttpSession)ectx.
sion(<span class="code-keyword">false</span>);<br />    session.invalidate();<br />}&nbsp;

In our sample application, we have configured a Managed Bean called security:

&lt;managed-bean&gt;<br />  &lt;managed-bean-name&gt;security&lt;/managed-bean-name&gt;<br />  &lt;managed-bean-class&gt;nl.amis.infrastructure.SecuritySupporter&lt;/managed-bean-class&gt;<br />  &lt;managed-bean-scope&gt;session&lt;/managed-bean-scope&gt;<br />&lt;/managed-bean&gt; <br />

The bean implementation is like this:

package nl.amis.infrastructure;<br /><br />import;<br />import javax.faces.context.ExternalContext;<br />import javax.faces.context.FacesContext;<br />import javax.servlet.http.HttpServletResponse;<br />import javax.servlet.http.HttpSession;<br /><br />public class SecuritySupporter {<br />    public SecuritySupporter() {<br />    }<br />    <br />    public String logout() throws IOException {<br />        ExternalContext ectx =<br />        FacesContext.getCurrentInstance().getExternalContext();<br />        HttpServletResponse response =<br />        (HttpServletResponse)ectx.getResponse();<br />        HttpSession session = (HttpSession)ectx.getSession(false);<br />        session.invalidate();<br />        // redirect is with regard to current page<br />        // if we want to use an absolute path (starting with /), then we have <br />        // to include the context root such as SecureWebApp-SecureApp-context-root<br />        response.sendRedirect(&quot;../PublicPage.jspx&quot;);<br />        return null;<br />        }<br />}<br />&nbsp;

To complete the Logout feature, we add the following button to the Global Menu in our secure pages:

&lt;f:facet name=&quot;menuGlobal&quot;&gt;<br />  &lt;af:menuButtons&gt;<br />    &lt;af:commandMenuItem text=&quot;Logout&quot; action=&quot;#{security.logout}&quot; icon=&quot;/logout.gif&quot;/&gt;<br />  &lt;/af:menuButtons&gt;<br />&lt;/f:facet&gt;<br />&nbsp;

The button’s action ties to the logout method on the security bean. 

Role-based Disabling and Enabling of UI Elements  

In order to bind properties like disabled and rendered to the roles a user may or may not have, we will use JSF EL expressions that somehow refer to the roles for which an element is visible/invisible or enabled/disabled. We cannot ask the JAAS security module for a list of all roles a user has; all we can do is ask whether he has a specific role. A method we could easily implement is something like this:

public boolean isUserInRole(String role) {        <br />  return FacesContext.getCurrentInstance().getExternalContext().isUserInRole(role);<br />}    &nbsp;<br />

Unfortunately we cannot call it directly from an EL Expression – as we cannot pass a parameter from an EL expression to a method.

That is a challenge I solved quite some time ago – using a Map implementation. See for details an earlier article on this weblog: How to call methods from EL expressions- pre JSP 2.0 trick for JSPs with JSTL. This means that if our backing bean implements the Map interface, we can use EL expressions such as #{backingBean['rolename']} that will call the get(Object key) method on the backing bean. In this methodm, we can do with the key parameter whatever we like – such as call the isUserInRole method – and return its result.

To turn our SecurityProvider class into a Map, select the option Implement Interface from the Source Menu and enter the java.util.Map interface. JDeveloper will create stub implementations of the required methods in the Map interface. We only care about the get method, implementing it like this:

public Object get(Object key) {<br />  return isUserInRole((String)key);<br />}<br /><br />

Now we can start disabling JSF elements using expressions such as rendered="#{security['manager']}" that will display an element only if the current user has the manager role.

For example in the NormalSecuredPage.jspx :

&lt;af:panelHorizontal &gt;<br />  &lt;af:outputText value=&quot;Here is a value that should be visible to any user visiting this page&quot;/&gt;<br />  &lt;af:panelBox rendered=&quot;#{security['manager']}&quot;&gt;<br />    &lt;af:outputText value=&quot;And this can only be seen by a user with role manager!&quot; /&gt;<br />  &lt;/af:panelBox&gt;<br />&lt;/af:panelHorizontal&gt;<br />&nbsp;

Now if we logon as YOU (not a manager) the page looks like this:

If we logout and login as ME (of course a manager), the same page now looks like this:

Easy switching off security (for development/testing purposes)

Now that we have implemented security in our application, there may be times – especially during development and testing – that we wish it would not be there. If the security somehow is buggy, we may not be able to get into our application at all! Fortunately, (temporarily) turning security off is quite simple. Basically, only web resources that match one of the security constraints in the web.xml file are secured. So if we make sure that no security constraints match, the pages can be accessed by non-authenticated users. In our sample application this means that we can turn off authentication & authorization by adding two characters in the web.xml file:

&nbsp;    &lt;security-constraint&gt;<br />        &lt;web-resource-collection&gt;<br />            &lt;web-resource-name&gt;SuperSecurePages&lt;/web-resource-name&gt;<br />            &lt;url-pattern&gt;xfaces/page/SuperSecure/*&lt;/url-pattern&gt;<br />        &lt;/web-resource-collection&gt;<br />        &lt;auth-constraint&gt;<br />            &lt;role-name&gt;manager&lt;/role-name&gt;<br />        &lt;/auth-constraint&gt;<br />    &lt;/security-constraint&gt;<br />    &lt;security-constraint&gt;<br />        &lt;web-resource-collection&gt;<br />            &lt;web-resource-name&gt;Normal Secure Pages&lt;/web-resource-name&gt;<br />            &lt;url-pattern&gt;xfaces/page/NormalSecure/*&lt;/url-pattern&gt;<br />        &lt;/web-resource-collection&gt;<br />        &lt;auth-constraint&gt;<br />            &lt;role-name&gt;normaluser&lt;/role-name&gt;<br />            &lt;role-name&gt;manager&lt;/role-name&gt;<br />        &lt;/auth-constraint&gt;<br />    &lt;/security-constraint&gt;<br /><br />

If we have tied the render or disabled property of elements in our page to the roles of our user, we have to take an additional step to switch off security – otherwise since the user is not authenticated and therefore will not have any roles at all, far too many elements will be hidden or disabled. So we want to slightly enhance our SecurityProvider class, to allow switching off the authorization – we can achieve that by always returning true from the get method that is called from the EL expressions like rendered="#{security['manager']}".

We add a property roleBasedAuthorization to the SecurityProvider class – with its accessors.

    private boolean roleBasedAuthorization = true;<br /><br />    public void setRoleBasedAuthorization(boolean roleBasedAuthorization) {<br />        this.roleBasedAuthorization = roleBasedAuthorization;<br />    }<br /><br />    public boolean isRoleBasedAuthorization() {<br />        return roleBasedAuthorization;<br />    }<br />&nbsp;

We then modify the get method:

public Object get(Object key) {       <br />  return (roleBasedAuthorization?isUserInRole((String)key):true);<br />}&nbsp;

Finally we  add a managed property to the faces-config.xml file, where we switch role based authorization on and off by flipping the value of this property:

  &lt;managed-bean&gt;<br />    &lt;managed-bean-name&gt;security&lt;/managed-bean-name&gt;<br />    &l
ged-bean-class&gt;nl.amis.infrastructure.SecuritySupporter&lt;/managed-bean-class&gt;<br />    &lt;managed-bean-scope&gt;session&lt;/managed-bean-scope&gt;<br />    &lt;managed-property&gt;<br />      &lt;property-name&gt;roleBasedAuthorization&lt;/property-name&gt;<br />      &lt;property-class&gt;boolean&lt;/property-class&gt;<br />      &lt;value&gt;false&lt;/value&gt; &lt;!-- set to true to turn role-based authorization on --&gt;<br />    &lt;/managed-property&gt;<br />  &lt;/managed-bean&gt;<br /><br />

With this configuration, the get method will always return true and all role dependent elements will act as if the user has the required role. 

Accessing the current user inside ADF Business Components

If you make use of ADF Model and ADF Business Components, you have easy access to the current web-user. ADF takes care of setting the value of the user on the Session object. We can use a statement like this:

String currentWebUser = ((SessionImpl)getDBTransaction().getSession()).getUserPrincipalName());

inside for example the ApplicationModuleImpl in our application. 

Setting Database Security Context – for example for VPD

It is not unlikely that you not only want to know about the current user in the Model side of the Java Application, but in the database itself as well. Many web applications rely on a backend database and the security – especially horizontal authorization that determines which records are to be returned for the current user – is usually implemented in the database as well. The mechanism used for that horizontal authorization ideally is VPD (Virtual Private Database) that uses an application context and PL/SQL functions that return a policy based on that context. For this to work, the current user typically has to be set in an Application Context, through a PL/SQL package. To make a long story not any longer, the consequence is that we want ADF Business Components to ensure that for any database access that takes place, the current web user is set in the database.

This can easily be achieved by implementing an override of the prepareSession method in your own ApplicationModuleImpl that extends the standard ADF BC one. This prepareSession() method will look like:

<span class="code-keyword">protected</span> void prepareSession(Session session) {<br />      <span class="code-keyword">super</span>.prepareSession(session);<br />      SessionImpl ses = (SessionImpl)getDBTransaction().getSession();<br />      <span class="code-object">String</span> appContext = <span class="code-quote">&quot;Begin MY_CONTEXT_PACKAGE.SET_CURRENTUSER('&quot;</span>+ses.getUserPrincipalName()+<span class="code-quote">&quot;'); END;&quot;</span>;<br /><br />     java.sql.CallableStatement st= <span class="code-keyword">null</span>;<br />     <span class="code-keyword">try</span><br />     {<br />       st = getDBTransaction().createCallableStatement(appContext,0);<br />       st.execute();<br />     } <span class="code-keyword">catch</span> (java.sql.SQLException s)<br />     {<br />      <span class="code-keyword">throw</span> <span class="code-keyword">new</span> oracle.jbo.JboException(s);<br />     }  <span class="code-keyword">finally</span><br />     {<br />      <span class="code-keyword">try</span><br />      {<br />        <span class="code-keyword">if</span> (st!= <span class="code-keyword">null</span>)<br />        {<br />          st.close();<br />        }<br />      } <span class="code-keyword">catch</span> (java.sql.SQLException s2)<br />   }<br /> }<br />}




The JDeveloper 10.1.3 Application with Secure Web Application demonstrated in this article:

Frank Nimphius on J2EE Security: Dynamic user creation for container managed authentication (programmatically maintaining users in the jazn-data.xml file!)

OC4J 10.1.3 Documentation on jazn configuration –  

Frank Nimphius on Lifting the confusion: jazn-data.xml vs. workspace-jazn-data.xml  

Peter Koletzke Web Application Security Part 1: Implementing the Superstition in JDeveloper (presentation ODTUG 2006)  



About Author

Lucas Jellema, active in IT (and with Oracle) since 1994. Oracle ACE Director for Fusion Middleware. Consultant, trainer and instructor on diverse areas including Oracle Database (SQL & PLSQL), Service Oriented Architecture, BPM, ADF, Java in various shapes and forms and many other things. Author of the Oracle Press book: Oracle SOA Suite 11g Handbook. Frequent presenter on conferences such as JavaOne, Oracle OpenWorld, ODTUG Kaleidoscope, Devoxx and OBUG. Presenter for Oracle University Celebrity specials.


  1. Hi Lucas,
    I’ve a problem. isUserInRole() method returns everytime true.
    I don’t know why.
    Please reply me which will help me .


  2. Hi Lucas,
    your tutorial is very usefull for me, the authentication is working very well but the authorization it’s not :(
    I added the test user to the manager role on weblogic admin console.
    When I would like to show an adf component only for the manager role the method:

    public boolean isUserInRole(String role) {
    return FacesContext.getCurrentInstance().getExternalContext().isUserInRole(role);

    return with false.
    I have no errors.
    What’s the problem?
    Thank you for your help!

  3. Hi Lucas Jellema ,

    Is there such demo source for Jdeveloper 11g version? or can I need to know about process J_security form action and its use case process .
    Please reply me which will help me .


  4. Vimalan Balan on


    I need help to run my application in standalone oc4j instance. I developed application using JDeveloper, EJB3.0, Toplink and ADF. Its working fine when i run through the embedded oc4j in JDeveloper and onPageLoad method is called and executed perfectly but its not happening in the standalone server.

    After deploying my application in standalone oc4j instance, i am facing issues now.

    1. 2008-05-10 12:11:29.039 WARNING could not create validator for validatorId:null and binding:#{bindings.deductionAmt.validator}
    2008-05-10 12:11:29.961 WARNING The AdfFacesFilter has not been installed. ADF Faces requires this filter for proper execution.

    2. onPageLoad method is not calling when the page is loaded.

    Thanks & Regards
    Vimalan Balan

  5. I am getting the following Error while i hit logout

    The problem seems to be in the send redirect.

    Caused by: java.lang.IllegalStateException: Response has already been committed
    at com.evermind.server.http.EvermindHttpServletResponse.resetBuffer(
    at javax.servlet.ServletResponseWrapper.resetBuffer(
    at javax.servlet.ServletResponseWrapper.resetBuffer(
    at com.evermind.server.http.ServletRequestDispatcher.unprivileged_forward(
    at com.evermind.server.http.ServletRequestDispatcher$2.oc4jRun(
    at Method)
    at com.evermind.server.http.OC4JRequestDispatcher.executeAction(
    at com.evermind.server.http.ServletRequestDispatcher.forward(
    at com.sun.faces.context.ExternalContextImpl.dispatch(
    at org.apache.myfaces.trinidad.context.ExternalContextDecorator.dispatch(
    at org.apache.myfaces.trinidad.context.ExternalContextDecorator.dispatch(
    at org.apache.myfaces.trinidad.context.ExternalContextDecorator.dispatch(
    at org.apache.myfaces.trinidadinternal.context.FacesContextFactoryImpl$OverrideDispatch.dispatch(
    at com.sun.faces.application.ViewHandlerImpl.executePageToBuildView(
    at com.sun.faces.application.ViewHandlerImpl.renderView(
    at javax.faces.application.ViewHandlerWrapper.renderView(
    at org.apache.myfaces.trinidadinternal.application.ViewHandlerImpl.renderView(
    at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._renderResponse(
    at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(
    at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.render(
    at javax.faces.webapp.FacesServlet.service(
    at com.evermind.server.http.ResourceFilterChain.doFilter(
    at oracle.adf.model.servlet.ADFBindingFilter.doFilter(
    at com.evermind.server.http.EvermindFilterChain.doFilter(
    at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(
    at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(
    at oracle.adfinternal.view.faces.activedata.ADSFilter.doFilter(
    at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(
    at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._invokeDoFilter(
    at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(
    at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(
    at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(
    at com.evermind.server.http.EvermindFilterChain.doFilter(
    at Method)
    … 16 more

  6. Target URL — http://host:port/testapp-context-root/testservlet
    Jan 17, 2008 5:20:18 PM doJAASLogin
    WARNING: Login Failure: all modules ignored Login Failure: all modules ignored
    at Method)

  7. Hi tried this sample, worked very well in the first attempt, but the next day when i tried executing this ( trying from embeded oc4j ) getting following error -

    Target URL — http://host:port/testapp-context-root/helloservlet
    Jan 17, 2008 5:20:18 PM doJAASLogin
    WARNING: Login Failure: all modules ignored Login Failure: all modules ignored
    at Method)

    I am quite new to java, kindly help