Question of authentication/authorization for experts

We have developed an ADF application that makes use of ADF security, where we have defined roles that determine access to the different functions. We currently use the jazn-data.xml file to store the users and passwords, but these aren't real people. They are only used for tests, etc. We would like to authenticate (real people) against Active Directory. We run the app on WebLogic on a Linux server. From what I see, it seems that OPSS is the missing piece of the puzzle that connects WLS to AD and our code. My understanding is that OPSS would go on WLS and provide hooks that our code would need to access user roles stored in AD. Is this correct? We are not going for SSO at this stage; we just want to authenticate against Active Directory and retrieve user roles to be used in the ADF application. We would then change our app to use the names of roles in AD instead of our test role names.
A few links I've read trying to understand...

http://www.Oracle.com/technetwork/issue-archive/2012/12-Jan/o12adf-1364748.html
http://www.Oracle.com/WebFolder/technetwork/tutorials/OBE/FMW/OPSS/environment_set_up/Setup.htm
http://andrejusb.blogspot.com/2011/01/Fusion-Middleware-11g-security-retrieve.html
http://docs.Oracle.com/CD/E21764_01/Web.1111/e13718/ATN.htm

Thanks in advance for any ideas.

Doug

Hello

You need to match the groups in your AD; that is, create a corresponding business role in jazn.

If you have a group called user in AD create a business user role in jazn.

Map the roles of this business to the Application role.

Map application roles to resources.

If the user is available in WebLogic and is associated with the group, they will automatically be granted permission to the resource.

Make sure you uncheck the Users and Groups box under Application Properties ---> Deployment ---> Weblogic while deploying.

Rakesh

Tags: Java

Similar Questions

  • WebLogic 103 authentication & authorization using openldap extenal

    Can someone provide documentation to implement the authentication & authorization for Weblogic 10.3 web app using openLdap?

    Thank you

    Also turn on logging of debugging for authentication in the console. Which will tell you if the user authenticates, but it's just a problem with the mapping of your group or if there is another type of problem.

  • Urgent - Custom authentication and authorization for the application of the ADF

    Hi friends,

    Custom implementation for authentication and authorization for the application of the ADF

    My project to use the OID , authentication and authorization, we will need to support both OAM and DB tables ( according to the preferences of the client during the installation ).

    I am new to this and do not have a clue about the same.

    Please guide me how to set up both in JDeveloper 11 g + ADF

    Thanks in advance.

    The answers you got up to present every point in the right direction. ADF security see the authentication of WLS, even for business authorization with respect to user roles defined on the WLS server. During the deployment, ADF security defined application roles are mapped to the user enterprise groups

    Application developed using Jdeveloper ADF +.

    This would use WLS for authentication

    Users of authentication - LDAP (OID) - are stored in LDAP

    Use the OID authentication provider in WLS

    Authorization - OAM or database (authorization details are stored in the DB or OAM tables)

    You can't allow users without authentication. If you need to, create additional authentication providers, if they exist, for OAM and RDBMS (there is an existing RDBMS provider that you can use to identify users and to assign user group membership). Then, you set the optional flag so that when authentication fails for the additional providers you can always start the application.

    When running Admin users - create users from roles to create and assign permission privileges to the role (for pages and workflows)
    assign (or remove) the roles to/to leave users.

    ADF security uses JAAS to permissions that you can change using Enterprise Manager when running. Permissions are granted to the application roles and application roles are granted to business roles that which then has users become members of the. If you want to change the status of user account, then you don't do this the ADF or EM, but use a direct access to the provider of the user (for example, access OID, RDBMS access etc.) There is no unified administration API available that would allow you to do this via WLS (which uses OPSS).

    If your question is in the context of the ADF, the documentation, with that you should follow is OPSS and WLS authentication providers.

    Frank

  • Question about CD recovery for Tecra M2

    Maybe it's a stupid to ask question, but the recovery for Tecra M2 CD comes with windows XP? I need to reformat my laptop, as it is infected by spyware unerasable. When I bought the laptop it only comes with the recovery CD.

    Hello

    There is no question beast just dumb response. The recovery CD with Windows XP Professional and all the necessary drivers, tools and utilities.

    You can install it on two tracks with the help of an installation standard and expertise. If you have only a partition there is possibility to do both by using expert mode. If you have more questions please write again.

    Good bye

  • Questioning the authenticity of a self declared agent Tech Optimizer call me on my land line.

    I got a call from Eric Wilson saying that he intended to call me by Windows because I had downloaded a file from an unauthorized source that would have corrupted my hard drive. It was very convincing gave me a phone number, 210-767-3298 and his ID # as 10068 me getting a 'Run' command I don't know how to check the validity of such a request, but he was now ready to accept a phone call unsolicited to my line that is listed in the telephone directory under my name. I took his information and decided to enter the Windows Web site Query Optimizer Tech and this is where it takes me. I'd like some food to go back to that.

    You were right to question the authenticity of the phone call. These scam calls are usually of a person representing Windows rather than Microsoft, but in any case, the call was nothing else than a phishing attempt! Do not give any information. Their intentions are simply to separate you from your money.

    Because they use the internet lines and/or phone to complete their fraud, there may be federal agencies in your country who are interested in discovering their calls. Their report directly to the appropriate agency if you feel you can contribute to their arrest and the charges.

    Microsoft do NOT pick up the phone and start dialing customers and never phones/e-mails asking for personal information or asking them to visit a web site! Please do not take into account these calls and hang up immediately.

    Avoid scams that use the Microsoft name fraudulently

    On another note, if you have problems with your computer, please do not hesitate to post a description of the situation and the error messages you received in those forums. We would be happy to help you. (information staff unnecessary or requested !)

  • The use of certificates as the authentication method for AnyConnect VPN

    I'm trying to add certificates as an authentication method for one of my AnyConnect connection profiles, that is, by using the option 'Corresponding certificate' available in the profile of the AnyConnect client. My question concerns the "Distinguished Name Entry" options available. I know what some of them refer to (for example, "TRANSMITTER-CN" is just like that), but some of them I don't know ("GENQ", "EA", etc.). Is there a reference somewhere that I can use to understand what each of these options means? Here is a screenshot of the window in question. Thank you!

    The order has a good explanation of the various DN fields. Here is a copy of the inscription:

    Tag values are as follows:

    DNQ = DN qualifier
    GENQ = generational qualifier
    I = initials
    GN = given name
    N = name
    SN = surname
    IP = IP address
    SER = serial number
    UNAME = unstructured name
    EA = email address
    T = title
    O = organization name
    L = locality
    SP = State/Province
    C = country
    OU = organizational unit
    CN = common name

  • Authorization for the BPEL (SOASuite 12 c) Web service

    I'm currently implementing WSSE security authentication and authorization for a SOA Composite, exposed as a Web service in SOA Suite12C . WSSE authentication security is successful, but seems to leave doesn't think.

    Details:

    SOA Composite = SOAComposite1 (exposed as a Web service)

    I have two valid authenticated users USER1 and USER2. Only USER1 has access to the Web service.

    WebLogic console

    Adds a user User1 to the Administrators group

    Console EM

    Created a DBMS (Test USER) role-> wanted to add the administrator group to the Application role 'User of Test', so search for groups, but does not list in MS, so I added the 'Administrator' explicitly (Advanced section) group .i don't know if this is appropriate.

    Create an Application with (TestUser) policy as name and application added user 'Test' for her role.

    Adds approval of "oracle.wsm.security.WSFunctionPermission" with the name of the resource and the action as «*»

    SOAComposite1

    . The strategy used for authorization is "oracle/binding_permission_authorization_policy" to the level of service.

    This configuration has worked in SOA Suite 11 g, but does not work in SOA Suite 12 C.

    11 g that only USER1 is allowed access to the webservice, in a trial with User2, user2 performs authentication but fails with an exception "Is not to allow" which should

    12 c, users USER1 and USER2 is able to access the Web service. I want the request fails whenever the user is user 2.

    The only difference is in 11 g, having created groups in the weblogic console, the groups are listed in 'EM, I just need to select the group to add in the role of Application, where as in 12 C I don't see the groups created in weblogic, listed in the MS. I had to add explicitly in the Application role.

    I haven't restarted the servers (Admin/SOA servers) 11 g and 12 C.

    Customer - https-> SOA

    [Authentication of WSE and Authorization security]

    Please help.

    Hi there user,

    Recently, I've implemented something similar on OSB, if authentication has been with the user name token and the SSL was pure transport level, i.e. was not part of the political configuration of GOSA.

    That's what I did:

    1 created users (in embedded LDAP)

    2. created LDAP groups and made users members of them. For simplicity, I created a hasAccess group and the other - hasNoAccess and added User1 to user2 to hasNoAccess and hasAccess

    3. has created a new policy of security GOSA

    4. the newly created policy added assertion of authentication - in my username token case

    5. the newly created policy added AuthZ assertion of type binding-authorization

    6 set the AuthZ liaison-authorization assertion as follows:

    -action game *.

    -resources match *.

    -added the hasAccess groups of the embedded in the roles of article selection options "selected roles.

    7. fix new GOSA policy to your component of the service binding.

    In short you need not create application roles. You can work directly with the LDAP groups with authZ assertions.

    HTH,

    A.

  • Schema authorization for users stored in a database table?

    Hello!

    I'm trying to find how to make a diagram of authorization for users of the database.

    I did one of my current application authentication scheme, I named it "Authentication for database accounts", and the type of plan is 'Database accounts'.

    A word of explanation:_
    I have a table in my database, named "USERS". Inside this table, I have the following columns:
    -USERNAME (NUMBER)
    -USERNAME (VARCHAR2 (50))
    -PASSWORD (VARCHAR2 (50))
    -E-MAIL (VARCHAR2 (200))

    For that matter, I'll take a user from the example. The user name is the USER and the USER password. Email and username don't matter here, but let's say that the user ID is 1.

    What I want:_
    When you go into the application and you are prompted to connect (page 101), then I want a user to be able to connect with the data that has been stored in the USERS table.
    So, on the login page, the user will enter USER as user name and USER password. The authorisation scheme must verify whether or not this user name and password match the data in the USERS table. If so, he must sign the user with the credentials entered by the user (who are the USERS and USER).
    I also want the username to be stored somewhere in the application (if possible, in a part of the application).

    How can I do this? I've never done a prior authorisation scheme... I'm not too good with PL/SQL either, but I'm working on this part.

    Any help is greatly appreciated.

    Hi Magali,.

    In your existing table structure, add one more column called ROLE with values such as MANAGER, CLERK etc.; then you can create the authorization on the basis of the ROLE, not based on the individual user.

    Select your application and then go into shared component
    under Security, select schema permission and create

    Step 1: create the authorization scheme
    1) Create authorization scheme = From scratch
    2) Name = IS_MANAGER // the name of the scheme
    3) Scheme type = Exists SQL Query
    4) SQL Query = select 1 from table_name where upper(username) = upper(:APP_USER);
    or, if you have the role in your table, then try this
    4) SQL Query = select 1 from table_name where role = 'MANAGER' and upper(username) = upper(:APP_USER);
    5) Identify error message displayed when scheme violated = your error message.

    your authorization scheme is now ready.

    Step 2: assign this regime to the components of the page

    modify any component of your page like region, button, article page etc...

    where you will find the guarantee under what you have permission regime selectlist, than choose any schema that you want to apply.

    Permission schema = IS_MANAGER / / that I had created in example above

    For tabs
    change your tab, then you have permission and do the same thing as above.

    In this way, you can create a permission scheme and assign to the components page etc...

    Hope this will give you an idea on the authorization scheme

    Thank you
    Jitendra

  • Get "authentication error" for a device that is not in the OME

    Hello

    I'm really stuck here. We have over 15,000 "authentication failure" for a device that is not listed in the section "devices." That's why I'm unable to remove this device. The alert is displayed with the ip address that points to a live device (Equallogic member).

    Here's what I've done so far:

    When I try to "ignore this device only" I get an error saying that there is no mechanism for this alert. When we look at the device ID in the database table is displayed as -1

    The goal is to have the reporting of Equallogic in OME and when I add the Group and the Member (which is using this ip address) the device adds ok. But the Alerts continue to occur (showing the correct DNS name this time).

    I then removed the discovery range devices but alerts keep coming (with ip address).

    So for me, it looks like this device got stuck somewhere in the OME and is accessible, although there is no device. But I don't see it came from. These alerts are just a pain and I need to find a way to get rid of it.

    Please is - can anyone enlighten us in this strange behavior. We are on OME 1.2.0.3441

    Thank you

    Thorsten

    Hi Thorsten,

    Well I can confuse or missing some subtle detail here.

    When it comes to SNMP alerts, OME don't communicate with the target, the target device sends an alert to OME.  So if OME Gets a rogue alert in the alert/event console, this is because the device is pointing to the OME IP for sending traps.

    You looked at the target device SNMP parameters itself?

    THX

    Rob

    (Sorry if I'm being dense and not your question)

  • BAM connection with jdeveloper authentication failed for Basic realm

    Hi all


    I'm trying to connect to BAM 11 g, my authentication is correct, but when I try to test the connection I get the error authentication failed for Basic realm = "oracle-bam-webservices.

    any ideas on how to solve this problem?

    Thank you
    K

    Hello

    Please ask your question on the forum BAM. I guess that they are aware of the possible error messages in their product (at least better that we are)

    Frank

  • I can't open my folder "internet options"... believe that there are problems or questions in the parameters for this folder.

    problems of folder for the file 'internet options'.

    I can't open my folder "internet options"... believe that there are problems or questions in the parameters for this folder.

    I'm unable to download or print anything from Internet Explorer or any other internet connection.

    Hi rich,

    Please upgrade to Internet Explorer, some of the problem it solves.

    Kind regards
    J Chambers

  • You want to set the parental authorization for Xbox live.

    Original title: authorization wizzard - x box live

    I'm trying to set the parental authorization for x box live, but the permission Wizard is American and does not accept my UK address. What can I do?

    Hi LizG1,

    I recommend you contact Xbox Live support for assistance:

    http://support.Xbox.com/en-us/Xbox-Live/browse

    Hope the helps of information.

  • Authentication failed for Basic realm = "oracle-bam-webservices" - BAM 11 g

    Hi all

    I BAM 11g, im trying to create a connection of BAM of Jdeveloper, but I get this error authentication failed for Basic realm = "oracle-bam-webservices.

    I tried bouncing the server and rebooting my machine, but I still have the problem. All my authentications are correct. Is there a way to get around this?

    Thank you
    K

    Hello
    BAM11g is certified with SOA 10.1.3.4 and beyond. Therefore, it is preferable to use JDev 10.1.3.4 and later versions.
    We don't certify with 10.1.3.3 SOA.
    The other thread is BAM connection
    Poyard

  • separate authentication and authorization for Active directory groups

    Hi all

    After a long search and failure, I write the question.

    I use apex oracle 4.2 on windows server 2012 on oracle 12 c, all 64 bits.

    We have configured Microsoft Active directory with LDAP.

    in LDAP, we have a core group which is say A and an is down there students and the two groups.

    According to the staff, there are many other groups and students, there are a lot of groups.

    I created a mobile application, it has a main page that is publicly accessible without username and password.

    in this home page, I have a list that contains two elements, personnel and another is a student.

    When one of the list item, the login screen appears.

    now I want to control when the user clicks on the staff list, only personnel should be authenticated.

    If the end user is a student, it doesn't have to be authenticated.

    the same goes for the student list item, if the end-user click on list of students, only students must be authenticated.

    someone please guide me, I'm failed in research and testing.

    Thank you.

    Kind regards.

    Hi Maahjoor,

    Try this (it is written all the attributes for the user) by logging in to your schema to SQL Developer:

    DECLARE
    
      -- Adjust as necessary.
      l_ldap_host    VARCHAR2(256) := 'hct.org';
      l_ldap_port    VARCHAR2(256) := '389';
      l_ldap_user    VARCHAR2(256) := 'cn=hct\itnew';
      l_ldap_passwd  VARCHAR2(256) := 'itnew';
      l_ldap_base    VARCHAR2(256) := 'DC=hct,DC=org';
    
      l_retval       PLS_INTEGER;
      l_session      DBMS_LDAP.session;
      l_attrs        DBMS_LDAP.string_collection;
      l_message      DBMS_LDAP.message;
      l_entry        DBMS_LDAP.message;
      l_attr_name    VARCHAR2(256);
      l_ber_element  DBMS_LDAP.ber_element;
      l_vals         DBMS_LDAP.string_collection;
    
    BEGIN
    
      -- Choose to raise exceptions.
      DBMS_LDAP.USE_EXCEPTION := TRUE;
    
      -- Connect to the LDAP server.
      l_session := DBMS_LDAP.init(hostname => l_ldap_host,
                                  portnum  => l_ldap_port);
    
      l_retval := DBMS_LDAP.simple_bind_s(ld     => l_session,
                                          dn     => l_ldap_user||','||l_ldap_base,
                                          passwd => l_ldap_passwd);
    
      -- Get all attributes
      l_attrs(1) := '*'; -- retrieve all attributes
      l_retval := DBMS_LDAP.search_s(ld       => l_session,
                                     base     => l_ldap_base,
                                     scope    => DBMS_LDAP.SCOPE_SUBTREE,
                                     filter   => l_ldap_user,
                                     attrs    => l_attrs,
                                     attronly => 0,
                                     res      => l_message);
    
      IF DBMS_LDAP.count_entries(ld => l_session, msg => l_message) > 0 THEN
        -- Get all the entries returned by our search.
        l_entry := DBMS_LDAP.first_entry(ld  => l_session,
                                         msg => l_message);
    
        << entry_loop >>
        WHILE l_entry IS NOT NULL LOOP
          -- Get all the attributes for this entry.
          DBMS_OUTPUT.PUT_LINE('---------------------------------------');
          l_attr_name := DBMS_LDAP.first_attribute(ld        => l_session,
                                                   ldapentry => l_entry,
                                                   ber_elem  => l_ber_element);
          << attributes_loop >>
          WHILE l_attr_name IS NOT NULL LOOP
            -- Get all the values for this attribute.
            l_vals := DBMS_LDAP.get_values (ld        => l_session,
                                            ldapentry => l_entry,
                                            attr      => l_attr_name);
            << values_loop >>
            FOR i IN l_vals.FIRST .. l_vals.LAST LOOP
              DBMS_OUTPUT.PUT_LINE('ATTRIBUTE_NAME: ' || l_attr_name || ' = ' || SUBSTR(l_vals(i),1,200));
            END LOOP values_loop;
            l_attr_name := DBMS_LDAP.next_attribute(ld        => l_session,
                                                    ldapentry => l_entry,
                                                    ber_elem  => l_ber_element);
          END LOOP attributes_loop;
          l_entry := DBMS_LDAP.next_entry(ld  => l_session,
                                          msg => l_entry);
        END LOOP entry_loop;
      END IF;
    
      -- Disconnect from the LDAP server.
      l_retval := DBMS_LDAP.unbind_s(ld => l_session);
      DBMS_OUTPUT.PUT_LINE('L_RETVAL: ' || l_retval);
    
    END;
    /
    

    NOTE: The DN parameter on line 29 requires exact unique name for the user. In addition, on line 37 to filter, you can use username i.e. "cn = firstname.lastname."

    You can specify a specific attribute must be extracted from the user in order by changing line 33 of the:

    l_attrs(1) := '*';
    

    TO

    l_attrs(1) := 'title';
    

    Then you can write a function based on above the code to extract the attribute LDAP user as follows:

    create or replace function fnc_get_ldap_user_attr_val ( p_username in varchar2
                                                          , p_password in varchar2
                                                          , p_attrname in varchar2 )
    return varchar2
    as
    
      -- Adjust as necessary.
      l_ldap_host    VARCHAR2(256) := 'hct.org';
      l_ldap_port    VARCHAR2(256) := '389';
      l_ldap_user    VARCHAR2(256) := 'cn='||p_username;
      l_ldap_passwd  VARCHAR2(256) := p_password;
      l_ldap_base    VARCHAR2(256) := 'DC=hct,DC=org';
    
      l_retval       PLS_INTEGER;
      l_session      DBMS_LDAP.session;
      l_attrs        DBMS_LDAP.string_collection;
      l_message      DBMS_LDAP.message;
      l_entry        DBMS_LDAP.message;
      l_attr_name    VARCHAR2(256);
      l_attr_value   VARCHAR2(256);
      l_ber_element  DBMS_LDAP.ber_element;
      l_vals         DBMS_LDAP.string_collection;
    
    BEGIN
    
      -- Choose to raise exceptions.
      DBMS_LDAP.USE_EXCEPTION := TRUE;
    
      -- Connect to the LDAP server.
      l_session := DBMS_LDAP.init(hostname => l_ldap_host,
                                  portnum  => l_ldap_port);
    
      l_retval := DBMS_LDAP.simple_bind_s(ld     => l_session,
                                          dn     => l_ldap_user||','||l_ldap_base,
                                          passwd => l_ldap_passwd);
    
      -- Get specific attributes
      l_attrs(1) := p_attrname;
      l_retval := DBMS_LDAP.search_s(ld       => l_session,
                                     base     => l_ldap_base,
                                     scope    => DBMS_LDAP.SCOPE_SUBTREE,
                                     filter   => l_ldap_user,
                                     attrs    => l_attrs,
                                     attronly => 0,
                                     res      => l_message);
    
      IF DBMS_LDAP.count_entries(ld => l_session, msg => l_message) > 0 THEN
        -- Get all the entries returned by our search.
        l_entry := DBMS_LDAP.first_entry(ld  => l_session,
                                         msg => l_message);
    
        << entry_loop >>
        WHILE l_entry IS NOT NULL LOOP
          -- Get all the attributes for this entry.
          DBMS_OUTPUT.PUT_LINE('---------------------------------------');
          l_attr_name := DBMS_LDAP.first_attribute(ld        => l_session,
                                                   ldapentry => l_entry,
                                                   ber_elem  => l_ber_element);
          << attributes_loop >>
          WHILE l_attr_name IS NOT NULL LOOP
            -- Get all the values for this attribute.
            l_vals := DBMS_LDAP.get_values (ld        => l_session,
                                            ldapentry => l_entry,
                                            attr      => l_attr_name);
            << values_loop >>
            FOR i IN l_vals.FIRST .. l_vals.LAST LOOP
              DBMS_OUTPUT.PUT_LINE('ATTRIBUTE_NAME: ' || l_attr_name || ' = ' || SUBSTR(l_vals(i),1,200));
              l_attr_value := l_vals(i);
            END LOOP values_loop;
            l_attr_name := DBMS_LDAP.next_attribute(ld        => l_session,
                                                    ldapentry => l_entry,
                                                    ber_elem  => l_ber_element);
          END LOOP attributes_loop;
          l_entry := DBMS_LDAP.next_entry(ld  => l_session,
                                          msg => l_entry);
        END LOOP entry_loop;
      END IF;
    
      -- Disconnect from the LDAP server.
      l_retval := DBMS_LDAP.unbind_s(ld => l_session);
      DBMS_OUTPUT.PUT_LINE('L_RETVAL: ' || l_retval);
      DBMS_OUTPUT.PUT_LINE('Attribute value: ' || l_attr_value);
    
      return l_attr_value;
    
    END fnc_get_ldap_user_attr_val;
    /
    

    Then create an Application Item, say AI_USER_AD_TITLE, in your application -> Shared Components.

    Create the following procedure to set the application item when the user logs in to your APEX application:

    create or replace procedure ldap_post_auth
    as
    
      l_attr_value varchar2(512);
    
    begin
    
      l_attr_value := fnc_get_ldap_user_attr_val ( p_username => apex_util.get_session_state('P101_USERNAME')
                                                 , p_password => apex_util.get_session_state('P101_PASSWORD')
                                                 , p_attrname => 'title' );
    
      apex_util.set_session_state('AI_USER_AD_TITLE', l_attr_value);
    
    end ldap_post_auth;
    

    Change the 'Post-Authentication Procedure Name' in your authentication scheme to 'ldap_post_auth'.

    Then modify the process in charge on your homepage to your application of PORTALS to:

    begin
    
        if :AI_USER_AD_TITLE = 'Student' then
            apex_util.redirect_url(p_url=>'f?p=114:1');
        else
            apex_util.redirect_url(p_url=>'f?p=113:1');
        end if;
    
    end;
    

    I hope this helps!

    Kind regards

    Kiran
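
The function in the answer above concatenates p_username directly into both the bind DN and the search filter, so a username containing LDAP metacharacters changes what is bound to or searched for. An added example, not part of Kiran's post: two hypothetical helpers, ldap_escape_dn_value and ldap_escape_filter_value, that escape a value per RFC 4514 and RFC 4515 before it is concatenated; the sample usernames are constructed.

```sql
-- Added example; helper names are hypothetical, not from the thread.

-- Escape a value for use inside an LDAP search filter (RFC 4515).
create or replace function ldap_escape_filter_value (p_value in varchar2)
return varchar2
as
  l_out varchar2(4000);
  l_ch  varchar2(4 char);
begin
  for i in 1 .. nvl(length(p_value), 0) loop
    l_ch  := substr(p_value, i, 1);
    l_out := l_out ||
             case l_ch
               when '\'    then '\5c'
               when '*'    then '\2a'
               when '('    then '\28'
               when ')'    then '\29'
               when chr(0) then '\00'
               else l_ch
             end;
  end loop;
  return l_out;
end ldap_escape_filter_value;
/

-- Escape a value for use as an attribute value inside a DN (RFC 4514).
create or replace function ldap_escape_dn_value (p_value in varchar2)
return varchar2
as
  l_out varchar2(4000);
  l_ch  varchar2(4 char);
  l_len pls_integer := nvl(length(p_value), 0);
begin
  for i in 1 .. l_len loop
    l_ch := substr(p_value, i, 1);
    if l_ch = chr(0) then
      l_out := l_out || '\00';
    elsif instr('"+,;<>\', l_ch) > 0 then
      -- Characters that are always special inside a DN value.
      l_out := l_out || '\' || l_ch;
    elsif (i = 1 and l_ch in (' ', '#')) or (i = l_len and l_ch = ' ') then
      -- Leading space or '#', and trailing space, must be escaped too.
      l_out := l_out || '\' || l_ch;
    else
      l_out := l_out || l_ch;
    end if;
  end loop;
  return l_out;
end ldap_escape_dn_value;
/

-- Show how the bind DN and filter would be built from untrusted input.
declare
  type t_names is table of varchar2(100);
  -- Constructed sample inputs, not taken from the thread.
  l_names     t_names := t_names('firstname.lastname',
                                 'smith, john',
                                 'x)(objectClass=*',
                                 ' lead*');
  l_ldap_base varchar2(256) := 'DC=hct,DC=org';  -- base DN as used in the post
begin
  for i in 1 .. l_names.count loop
    dbms_output.put_line('bind dn: cn=' || ldap_escape_dn_value(l_names(i))
                         || ',' || l_ldap_base);
    dbms_output.put_line('filter : (cn=' || ldap_escape_filter_value(l_names(i))
                         || ')');
  end loop;
end;
/
```

The two escapes are not interchangeable: the DN form goes into the dn argument of simple_bind_s and the filter form into the filter argument of search_s.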

  • Active Directory for authentication - authorization database

    Hello

    I searched a lot but could not find a way to work to do and I have Weblogic Server 10.3.4. My problem is; I currently have an Authenticator SQL read-only which validates the name of user and password and he also holds a group membership of those users. Thus, the when users are connected to our Flex application, they are authenticated and authorized through this security provider. Now, I want to * move the part name validation of username/password to Active Directory * and group membership and other roles etc will stay in the read-only SQL authenticator. To do this, I added the second security provider to my Kingdom which is Active Directory Authenticator, but right now because users are authenticated via Active Directory roles, the etc group memberships do not come to the user, resulting in not to be able to call EJB.

    So my question is, How can I manipulate simply authenticate users to Active Directory and other parties (roles, groups) of database (in the database I don't store the password more meaningless it longer)? Do I have to write a custom provider to do this, if this is the case can show you a way to work from the merger of two suppliers of security?

    Thank you.

    Yes, you will need to create a security provider for this.

    -Faisal
    http://www.WebLogic-wonders.com
