Setting up access permission using Enterprise Roles in WebCenter

When we create an application that requires access control, we need to define the users and groups that should have access to the system, and their permissions. In large companies this data is usually stored in a directory service and/or a database. Examples of directory services are Oracle Internet Directory (OID) and Active Directory (AD).

With WebLogic Server as the application server, configuring a directory service or a database as the source of users and permissions is straightforward.

In this article we will learn how to configure WebLogic Server to query users and groups from a database, and how to apply access permissions by group in a WebCenter application. The use of a directory service is not covered in this article.

This article was published on OTN LA in Brazilian Portuguese, and you can read it here: WebCenter Portal – Configurando permissão de acesso usando Enterprise Roles.

First we must create the user and permission tables in the database. To keep things simple we use the standard table structure that the WebLogic SQLAuthenticator expects, so the provider's default lookup statements work without changes.

In this example I will use the HR schema. Run the following script in your database to create the tables and sample data.

CREATE TABLE USERS ( 
U_NAME VARCHAR(200) NOT NULL, 
U_PASSWORD VARCHAR(50) NOT NULL, 
U_DESCRIPTION VARCHAR(1000)); 

ALTER TABLE USERS ADD CONSTRAINT PK_USERS PRIMARY KEY (U_NAME); 

CREATE TABLE GROUPS ( 
G_NAME VARCHAR(200) NOT NULL, 
G_DESCRIPTION VARCHAR(1000)); 

ALTER TABLE GROUPS ADD CONSTRAINT PK_GROUPS PRIMARY KEY (G_NAME); 

CREATE TABLE GROUPMEMBERS ( 
G_NAME VARCHAR(200) NOT NULL, 
G_MEMBER VARCHAR(200) NOT NULL); 

ALTER TABLE GROUPMEMBERS 
ADD CONSTRAINT PK_GROUPMEMS 
PRIMARY KEY (G_NAME, G_MEMBER); 

ALTER TABLE GROUPMEMBERS 
ADD CONSTRAINT FK1_GROUPMEMBERS 
FOREIGN KEY ( G_NAME ) 
REFERENCES GROUPS (G_NAME) 
ON DELETE CASCADE; 

-- Create two users: user1 and user2
insert into USERS (U_NAME, U_PASSWORD, U_DESCRIPTION) values ('user1',  'user1', null);
insert into USERS (U_NAME, U_PASSWORD, U_DESCRIPTION) values ('user2',  'user2', null); 

-- Create two groups: Administrator and User
insert into GROUPS (G_NAME, G_DESCRIPTION) values ('weblogic-admin',  'Administrator Group');
insert into GROUPS (G_NAME, G_DESCRIPTION) values ('weblogic-user',  'User Group'); 

-- Create associations
insert into GROUPMEMBERS (G_NAME, G_MEMBER) values ('weblogic-admin',  'user1');
insert into GROUPMEMBERS (G_NAME, G_MEMBER) values ('weblogic-user',  'user2'); 

The tables were created!

Now we must configure WebLogic Server. First we create the data source. Open the Administration Console and, in the tree menu, navigate to Services > Data Sources. Click the New button and select Generic Data Source.

Enter the Name, JNDI Name and Database Type, and click Next.

Click Next.

Click Next.

Enter the connection properties and click Next.

Click the Test Configuration button; if the test succeeds, click Next.

Select your server, and click Finish.

A message asking you to restart the server is displayed, but do not restart yet.

Now we need to configure our authentication provider. In the tree menu, navigate to Security Realms > myrealm.

Select the Providers tab and click the New button to create a new Authentication Provider of type SQLAuthenticator, which will query our tables.

Enter a name, for example SQLAuthenticator, and select the SQLAuthenticator type. Click OK.

The restart message is displayed again, but do not restart yet. Click Reorder and move SQLAuthenticator to the first position. Click OK.

Open the SQLAuthenticator you just created and select the Common tab. In the Control Flag field, select the SUFFICIENT option and click Save. With SUFFICIENT, if the user is authenticated by this provider, WebLogic Server does not consult the remaining providers; if authentication fails here, it continues with the next provider in the list. Leave the DefaultAuthenticator in place with its own SUFFICIENT flag, so that the built-in administrative user and the server's boot identity, which live only in the embedded LDAP, can still log in.

Select the Provider Specific tab, select the Plaintext Passwords Enabled option, enter the name of the data source created earlier in the Data Source Name field, and click Save. The provider's default SQL statements (for example, SQL Get Users Password and SQL List Member Groups) already reference the USERS, GROUPS and GROUPMEMBERS tables, so nothing else needs to change. Note that the script above stored passwords in clear text in U_PASSWORD, which is what this option lets the provider accept; outside a test environment, store password hashes instead and leave the option disabled (the Password Algorithm and Password Style settings on the same tab control the hash format).

Now restart WebLogic Server for these changes to take effect.
After the restart, log in to the Administration Console again to verify that the configuration is correct. In the tree menu, navigate to Security Realms > myrealm > Users and Groups. Note that the users user1 and user2 now appear in the list.

All necessary settings in WebLogic Server have been made!
Now we only need to map the groups in the WebCenter Portal application.

Open the jazn-data.xml file and, in the Enterprise Roles tab, create roles with the same names as the groups created in the database.

In the Application Roles tab, create the roles the project needs and, in the Mappings section, add the Enterprise Roles created above as their members.

Change one option in the security deployment settings, because we do not want the users and groups defined in the WebCenter application to be propagated to WebLogic Server on deployment. In JDeveloper, go to Application > Secure > Configure Security Deployment and deselect the Users and Groups option.

You can use two files to set access permissions using the roles created: pages.xml and jazn-data.xml.

pages.xml: This file defines the navigation structure of the website, and here permissions can be inherited from a parent page to its child pages, or not. This file contains only pages.

To test the permissions, I created the pages userPage.jspx, adminPage.jspx and adminUserPage.jspx, and added them to the pages.xml file.

Permissions have been set as follows:

  • userPage.jspx: userRole -> view
  • adminPage.jspx: adminRole -> view
  • adminUserPage.jspx: userRole -> view, adminRole -> view

jazn-data.xml: In the Resource Grants tab of this file, permissions are set for all other resources, such as pages that are not listed in pages.xml, task flows, and so on.

To test the permissions, I created the DepartmentTaskFlow task flow, added it to the Portal project and granted the view permission to the AdminRole role. Thus, only users associated with the AdminRole role will see this task flow.
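The two steps above (enterprise roles mapped into application roles, then resource grants on those application roles) are what JDeveloper writes into jazn-data.xml behind the tabs. The file below is an added example of that result, not the article's own file or a file from the project it describes; it assumes an application named WebCenterPortalApp, the default jazn.com realm, a task flow at /WEB-INF/DepartmentTaskFlow.xml with id DepartmentTaskFlow, and a page definition named reportPagePageDef for a page that is not managed by pages.xml.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example of a jazn-data.xml for this scenario (not the article's own file).
     Assumptions: application name "WebCenterPortalApp", realm "jazn.com", task flow at
     /WEB-INF/DepartmentTaskFlow.xml#DepartmentTaskFlow, page definition reportPagePageDef. -->
<jazn-data xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/jazn-data-11_0.xsd">

  <!-- Enterprise roles: one per database group. WebLogic presents each G_NAME
       from the GROUPS table as a group principal with exactly this name. -->
  <jazn-realm default="jazn.com">
    <realm>
      <name>jazn.com</name>
      <roles>
        <role>
          <name>weblogic-admin</name>
          <display-name>weblogic-admin</display-name>
          <description>Administrator Group (G_NAME in the GROUPS table)</description>
        </role>
        <role>
          <name>weblogic-user</name>
          <display-name>weblogic-user</display-name>
          <description>User Group (G_NAME in the GROUPS table)</description>
        </role>
      </roles>
    </realm>
  </jazn-realm>

  <policy-store>
    <applications>
      <application>
        <name>WebCenterPortalApp</name>

        <!-- Application roles and their mapping to enterprise roles.
             A user in database group weblogic-admin is adminRole inside the application. -->
        <app-roles>
          <app-role>
            <name>adminRole</name>
            <display-name>adminRole</display-name>
            <class>oracle.security.jps.service.policystore.ApplicationRole</class>
            <members>
              <member>
                <class>weblogic.security.principal.WLSGroupImpl</class>
                <name>weblogic-admin</name>
              </member>
            </members>
          </app-role>
          <app-role>
            <name>userRole</name>
            <display-name>userRole</display-name>
            <class>oracle.security.jps.service.policystore.ApplicationRole</class>
            <members>
              <member>
                <class>weblogic.security.principal.WLSGroupImpl</class>
                <name>weblogic-user</name>
              </member>
            </members>
          </app-role>
        </app-roles>

        <!-- Resource grants: what each application role may do.
             Only adminRole is granted the task flow, so userRole members
             can open adminUserPage.jspx but the region is not rendered for them. -->
        <jazn-policy>
          <grant>
            <grantee>
              <principals>
                <principal>
                  <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                  <name>adminRole</name>
                </principal>
              </principals>
            </grantee>
            <permissions>
              <permission>
                <class>oracle.adf.controller.security.TaskFlowPermission</class>
                <name>/WEB-INF/DepartmentTaskFlow.xml#DepartmentTaskFlow</name>
                <actions>view</actions>
              </permission>
              <!-- A page outside pages.xml is protected through its page definition
                   instead (assumed name reportPagePageDef). -->
              <permission>
                <class>oracle.adf.share.security.authorization.RegionPermission</class>
                <name>view.pageDefs.reportPagePageDef</name>
                <actions>view</actions>
              </permission>
            </permissions>
          </grant>
        </jazn-policy>
      </application>
    </applications>
  </policy-store>
</jazn-data>
```

Two points worth checking in your own file: the enterprise role name must match the G_NAME string in the GROUPS table character for character, because WebLogic matches the group principal by name only, so a renamed group silently empties the application role (which fails closed, as it should); and because the Users and Groups option was deselected in the security deployment settings, only the application roles and grants shown here are migrated to the server, never the test identities.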

I added the task flow as a region in the adminUserPage.jspx page. Both roles have permission to view this page, but only the AdminRole role will see the task flow.

Let’s test the application!
Accessing the portal as user1, the adminPage and adminUserPage pages appear in the menu.

As user1 is a member of the weblogic-admin group, the task flow appears on the adminUserPage page.

Accessing the portal as user2, the userPage and adminUserPage pages appear in the menu.

As user2 is a member of the weblogic-user group, the task flow does not appear on the adminUserPage page.

Author: Waslley Souza

Oracle consultant focused on Oracle Fusion Middleware and SOA technologies. Certified in Oracle WebCenter Portal, Oracle ADF and Java.
