When we build an application that requires access control, we need to define the users and groups that may access the system and the permissions each of them holds. In large companies this data is usually stored in a directory service and/or a database. Examples of directory services are Oracle Internet Directory (OID) and Active Directory (AD).
With WebLogic Server as the application server, configuring a directory service or a database as the source of users and permissions is straightforward.
In this article we will learn how to configure WebLogic Server to read users and groups from a database, and how to grant access permissions by group in a WebCenter application. Configuring a directory service is not covered in this article.
This article was published on OTN LA in Brazilian Portuguese; you can read it here: WebCenter Portal – Configurando permissão de acesso usando Enterprise Roles.
First we must create the user and group tables in the database. To keep things simple, we use the default table structure that the WebLogic SQLAuthenticator expects.
In this example I will use the HR schema.
Run the following script in your database to create the tables.
CREATE TABLE USERS (
    U_NAME VARCHAR(200) NOT NULL,
    U_PASSWORD VARCHAR(50) NOT NULL,
    U_DESCRIPTION VARCHAR(1000));
ALTER TABLE USERS ADD CONSTRAINT PK_USERS PRIMARY KEY (U_NAME);

CREATE TABLE GROUPS (
    G_NAME VARCHAR(200) NOT NULL,
    G_DESCRIPTION VARCHAR(1000));
ALTER TABLE GROUPS ADD CONSTRAINT PK_GROUPS PRIMARY KEY (G_NAME);

CREATE TABLE GROUPMEMBERS (
    G_NAME VARCHAR(200) NOT NULL,
    G_MEMBER VARCHAR(200) NOT NULL);
ALTER TABLE GROUPMEMBERS ADD CONSTRAINT PK_GROUPMEMS PRIMARY KEY (G_NAME, G_MEMBER);
ALTER TABLE GROUPMEMBERS ADD CONSTRAINT FK1_GROUPMEMBERS FOREIGN KEY (G_NAME) REFERENCES GROUPS (G_NAME) ON DELETE CASCADE;

-- Create two users: user1 and user2
insert into USERS (U_NAME, U_PASSWORD, U_DESCRIPTION) values ('user1', 'user1', null);
insert into USERS (U_NAME, U_PASSWORD, U_DESCRIPTION) values ('user2', 'user2', null);

-- Create two groups: Administrator and User
insert into GROUPS (G_NAME, G_DESCRIPTION) values ('weblogic-admin', 'Administrator Group');
insert into GROUPS (G_NAME, G_DESCRIPTION) values ('weblogic-user', 'User Group');

-- Create associations
insert into GROUPMEMBERS (G_NAME, G_MEMBER) values ('weblogic-admin', 'user1');
insert into GROUPMEMBERS (G_NAME, G_MEMBER) values ('weblogic-user', 'user2');
The tables were created!
Now we must configure the WebLogic Server. First we will create the datasource. Access the Administration Console and in the tree menu navigate to Services > Data Sources. Click the New button and select Generic Data Source.
Enter the Name, JNDI Name and Database Type, and click Next.
Enter the connection properties and click Next.
Click the Test Configuration button. If the test succeeds, click Next.
Select your server, and click Finish.
A message asking you to restart the server is displayed; do not restart yet.
Now we need to configure our authentication provider. In the tree menu, navigate to Security Realms > myrealm.
Select the Providers tab and click the New button to create a new Authentication Provider of type SQLAuthenticator, which will query our tables.
Enter a name, for example SQLAuthenticator, and select SQLAuthenticator as the type. Click OK.
The message asking you to restart the server is displayed again; do not restart yet. Click Reorder and move the SQLAuthenticator to the first position. Click OK.
Open the SQLAuthenticator you just created and select the Common tab. In the Control Flag field select the SUFFICIENT option and click Save. With the SUFFICIENT flag, once this provider authenticates the user, WebLogic Server does not consult the remaining providers.
Select the Provider Specific tab, select the Plaintext Passwords Enabled option, enter the name of the datasource created earlier in the Data Source Name field, and click Save.
Now you must restart the WebLogic Server for these changes to take effect.
After the restart, log back in to the Administration Console to verify that the configuration works. In the tree menu, navigate to Security Realms > myrealm > Users and Groups. Note that user1 and user2 now appear in the list.
All necessary settings in WebLogic Server have been made!
Now all that remains is to map the groups in the WebCenter Portal application.
Open the jazn-data.xml file and, in the Enterprise Roles tab, create roles with the same names as the groups created in the database.
In the Application Roles tab, create the roles the project needs and, in the Mappings section, add the Enterprise Roles you just created.
One option in the Security Deployment must be changed, because we do not want the users and groups created in WebCenter to be propagated to WebLogic Server. In JDeveloper, go to Application > Secure > Configure Security Deployment and deselect the Users and Groups option.
You can use two files to set access permissions using the roles created: pages.xml and jazn-data.xml.
pages.xml: This file defines the navigation structure of the website, and here permissions can be inherited from a parent page to its child pages, or not. This file contains only pages.
To test the permissions, I created the pages userPage.jspx, adminPage.jspx and adminUserPage.jspx and added them to the pages.xml file.
Permissions have been set as follows:
- userPage.jspx: userRole -> view
- adminPage.jspx: adminRole -> view
- adminUserPage.jspx: userRole -> view, adminRole -> view
jazn-data.xml: In the Resource Grants tab of this file, permissions are set for all other resources, such as pages that are not registered in pages.xml, task flows, etc.
To test the permissions, I created the DepartmentTaskFlow task flow, added it to the Portal project and granted the view permission to the adminRole role. Thus, only users associated with the adminRole role can view this task flow.
I added the task flow as a region on the adminUserPage.jspx page. Both roles have permission to view this page, but only the adminRole role will see the task flow inside it.
Let’s test the application!
Logging in to the portal as user1, the adminPage and adminUserPage pages appear in the menu.
Because user1 belongs to the weblogic-admin group, the task flow appears on the adminUserPage page.
Logging in to the portal as user2, the userPage and adminUserPage pages appear in the menu.
Because user2 belongs to the weblogic-user group, the task flow does not appear on the adminUserPage page.
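The whole chain described in this article (database group, enterprise role, application role, resource grant) can be reproduced offline. The following is an added simulation, not code from the article or from WebLogic: it seeds an in-memory SQLite copy of the USERS, GROUPS and GROUPMEMBERS tables, runs the SQLAuthenticator's default lookup statements against them, and applies the jazn-data.xml and pages.xml grants from the test above. The role mapping (weblogic-admin to adminRole, weblogic-user to userRole) is assumed from the article's test results.

```python
import sqlite3

# Constructed in-memory copy of the article's tables (SQLite syntax, constraints inlined).
SCHEMA = """
CREATE TABLE USERS (U_NAME VARCHAR(200) PRIMARY KEY, U_PASSWORD VARCHAR(50) NOT NULL,
                    U_DESCRIPTION VARCHAR(1000));
CREATE TABLE GROUPS (G_NAME VARCHAR(200) PRIMARY KEY, G_DESCRIPTION VARCHAR(1000));
CREATE TABLE GROUPMEMBERS (G_NAME VARCHAR(200) NOT NULL REFERENCES GROUPS (G_NAME),
                           G_MEMBER VARCHAR(200) NOT NULL, PRIMARY KEY (G_NAME, G_MEMBER));
INSERT INTO USERS VALUES ('user1', 'user1', NULL), ('user2', 'user2', NULL);
INSERT INTO GROUPS VALUES ('weblogic-admin', 'Administrator Group'),
                          ('weblogic-user', 'User Group');
INSERT INTO GROUPMEMBERS VALUES ('weblogic-admin', 'user1'), ('weblogic-user', 'user2');
"""

# Default "SQL Get Users Password" and "SQL List Member Groups" statements of the
# SQLAuthenticator; WebLogic binds the user name as a parameter, never by string concatenation.
SQL_GET_PASSWORD = "SELECT U_PASSWORD FROM USERS WHERE U_NAME = ?"
SQL_LIST_MEMBER_GROUPS = "SELECT G_NAME FROM GROUPMEMBERS WHERE G_MEMBER = ?"

# jazn-data.xml: enterprise role (same name as the DB group) -> application role (assumed mapping).
ENTERPRISE_TO_APP_ROLE = {"weblogic-admin": "adminRole", "weblogic-user": "userRole"}
# pages.xml grants and the Resource Grants entry for the task flow, as listed in the article.
PAGE_GRANTS = {"userPage.jspx": {"userRole"}, "adminPage.jspx": {"adminRole"},
               "adminUserPage.jspx": {"userRole", "adminRole"}}
TASKFLOW_GRANTS = {"DepartmentTaskFlow": {"adminRole"}}


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def authenticate(conn, user, password):
    """Direct comparison, which is what 'Plaintext Passwords Enabled' selects on the provider."""
    row = conn.execute(SQL_GET_PASSWORD, (user,)).fetchone()
    return row is not None and row[0] == password


def app_roles(conn, user):
    """DB groups of the user -> enterprise roles -> application roles."""
    groups = [g for (g,) in conn.execute(SQL_LIST_MEMBER_GROUPS, (user,))]
    return {ENTERPRISE_TO_APP_ROLE[g] for g in groups if g in ENTERPRISE_TO_APP_ROLE}


def visible(conn, user, grants):
    """Resources whose grant set intersects the user's application roles, sorted by name."""
    roles = app_roles(conn, user)
    return sorted(res for res, allowed in grants.items() if roles & allowed)
```

Because Plaintext Passwords Enabled is selected, U_PASSWORD is stored and compared in clear text, exactly as the script above inserts it; the Password Algorithm and Password Style settings on the same Provider Specific tab are what switch the provider to hashed storage.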