Saturday, September 15, 2012

Enabling WebLogic Administrator Group Inside Custom ADF Application

When building custom ADF applications, where special system access is required - application configuration, monitoring and etc. screens - we want to grant access only to the system administrator. Often to the same administrator, who can access and manage WebLogic instance, typically - weblogic user from Administrators group. This user belongs to Administrators group defined in WebLogic domain by default. I will describe in this post, how to configure this group (same method can be applied for other default groups from WebLogic) with ADF Security for custom ADF application.

Download working sample application with restricted access only for WebLogic administrators - WLSAdminSampleApp.zip.

Firstly this sample defines typical Application Role in ADF Security store - RedSamuraiAdmin:


This role is custom one, we will map it with Administrators role from WebLogic.

Now is the main trick - we can't map our custom RedSamuraiAdmin Application Role with system Administrators role from WebLogic using jazn-data.xml wizard. We can do it manually in jazn-data.xml source directly. When Enterprise Role is mapped with Application Role through the wizard, one security class is assigned:

oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl

But Administrators group from WebLogic belongs to different security class:

weblogic.security.principal.WLSGroupImpl

This means we need to fix correct class name manually in the source of jazn-data.xml:


Once correct role mapping is fixed, we can assign security permission to protected resource in ADF application, main page in this case (main page is granted view access for RedSamuraiAdmin role, this role in turn is mapped with WebLogic Administrators group):


You can test provided sample application with WebLogic admin user:


Protected page will be accessed:


You will receive error, if will test with default security class assigned by the wizard:

oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl

No comments: