Saturday, September 14, 2013

Secure your Adf Application || Oracle ADF

Hi
Oracle ADF security is one of the most important issues facing any developer working on Fusion applications: how do you secure your application so that no illegal access escapes your security rules?
From my point of view, 2 solutions exist:
  • Use standard ADF Security, which implements servlets that take responsibility for the security rules.
  • Customize your own servlet to apply the same rules and take care of the automatic redirect in case of illegal access.
Today I will develop the 2nd solution, applying security rules that match my customized security rules.
Steps:
    1- In the web.xml file, include your servlet to be used as a security filter.
<filter>
        <filter-name>ServletFilter</filter-name>
        <filter-class>Servlets.ServletFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>ServletFilter</filter-name>
        <servlet-name>Faces Servlet</servlet-name>
    </filter-mapping>
    <filter-mapping>
        <filter-name>ServletFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>ERROR</dispatcher>
    </filter-mapping>
   2- Create the security filter class Servlets.ServletFilter.
package Servlets;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class ServletFilter implements Filter {
    private FilterConfig _filterConfig = null;

    public void init(FilterConfig filterConfig) throws ServletException {
        _filterConfig = filterConfig;
    }

    public void destroy() {
        _filterConfig = null;
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
                                                                                                     ServletException {
        HttpServletRequest MyRequest = (HttpServletRequest)request;
        HttpServletResponse MyResponse = (HttpServletResponse)response;
        HttpSession session = MyRequest.getSession();
        // Session attribute "a" is set after a successful login
        String a = (String)session.getAttribute("a");
        /*System.out.println("Filter Works .. ");
        System.out.println(MyRequest.getRequestURI().toString());*/

        // Let the login page, static resources and logged-in sessions through
        if (MyRequest.getRequestURI().toString().endsWith("/Pages/login.jsf") ||
            MyRequest.getRequestURI().toString().endsWith("/Pages/login") ||
            MyRequest.getRequestURI().toString().endsWith(".jpg") ||
            MyRequest.getRequestURI().toString().endsWith(".css") ||
            MyRequest.getRequestURI().toString().endsWith(".bmp") ||
            MyRequest.getRequestURI().toString().endsWith(".gif") ||
            MyRequest.getRequestURI().toString().endsWith(".png") ||
            MyRequest.getRequestURI().toString().endsWith(".swf") ||
            MyRequest.getRequestURI().toString().endsWith(".js") || a != null) {

            chain.doFilter(MyRequest, MyResponse);
            return;
        } else {
            // Everything else is sent to the login page
            MyResponse.sendRedirect("/Interface/faces/Pages/login.jsf");
            return;
        }
    }
    // Wael Abdeen
}

Note: as you can see in the example above, I exclude image extensions as well as swf & js files from the security rule; otherwise you will get the JSF page without them!
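The filter above decides by suffix-matching getRequestURI(), which is the raw URI and can still carry path parameters or encoded characters that the container ignores when it chooses what to serve, so the suffix can disagree with the page actually rendered. A stricter allow decision follows as an added example, not code from the original post; the class name, the /resources/ prefix for static files and cookie-based session tracking (no ;jsessionid in URLs) are assumptions.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class PublicPathCheck {
    // Login paths and extensions are the ones used by the filter above.
    private static final Set<String> PUBLIC_PAGES = new HashSet<String>(
        Arrays.asList("/faces/Pages/login.jsf", "/faces/Pages/login"));
    private static final Set<String> STATIC_EXT = new HashSet<String>(
        Arrays.asList("jpg", "css", "bmp", "gif", "png", "swf", "js"));
    // Assumption: static files live under this prefix (hypothetical, adjust to the app).
    private static final String STATIC_PREFIX = "/resources/";

    /** True only when the request may pass without a logged-in session.
     *  In the filter, pass request.getRequestURI() and request.getContextPath(). */
    static boolean isPublic(String requestUri, String contextPath) {
        if (requestUri == null || !requestUri.startsWith(contextPath + "/")) {
            return false;
        }
        String path = requestUri.substring(contextPath.length());
        // Refuse anything the container could interpret differently from this
        // string: path parameters, percent-encoding, backslashes, dot segments.
        if (path.indexOf(';') >= 0 || path.indexOf('%') >= 0 || path.indexOf('\\') >= 0
            || path.contains("..") || path.contains("//")) {
            return false;
        }
        if (PUBLIC_PAGES.contains(path)) {
            return true;
        }
        // Static files must sit under the static prefix AND carry a listed extension.
        int dot = path.lastIndexOf('.');
        if (!path.startsWith(STATIC_PREFIX) || dot < path.lastIndexOf('/')) {
            return false;
        }
        return STATIC_EXT.contains(path.substring(dot + 1).toLowerCase());
    }

    public static void main(String[] args) {
        String ctx = "/Interface"; // context path taken from the redirect in the filter above
        String[] samples = {       // constructed request URIs
            "/Interface/faces/Pages/login.jsf",            // exact login page
            "/Interface/resources/css/site.css",           // static file under the prefix
            "/Interface/faces/Pages/home.jsf",             // ordinary protected page
            "/Interface/faces/Pages/home.jsf;x.css",       // path parameter after a page name
            "/Interface/faces/Pages/report.css",           // listed extension, wrong location
            "/Interface/resources/../faces/Pages/home.jsf" // dot segment
        };
        for (String uri : samples) {
            System.out.println((isPublic(uri, ctx) ? "public    " : "protected ") + uri);
        }
    }
}
```

Only the first two sample URIs are classified as public; every other request still needs the session attribute check from the filter.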

Oracle Forms Security user Responsibilities || Oracle ADF

Hi
A few days ago, an expert in Oracle Forms & DB asked me to include the Oracle security system already implemented in his stand-alone applications, focusing on the user responsibilities.
In fact, the security system consists of hierarchical tables holding all data about systems, security grades, menus, pages, item roles, and normal & super users.
I concluded that the best solution for our case is to use a HashMap in session scope that holds all user responsibilities and is not released until log-out or session timeout.
I will focus on only one part: how to capture all user responsibilities with 4 types (Accessible, Insert-able, Update-able, Deletable).
  • In the backing bean, at session scope level, create your hash map using the Validation object.
private Map<String, Validation> UserMap = new HashMap<String, Validation>();
  • Create the Validation class to include all 4 security rules.
package Beans;
public class Validation {
   
    private Boolean Accessible;
    private Boolean Insertable;
    private Boolean Updatable;
    private Boolean Deleteable;
   
    public Validation(Boolean a, Boolean b, Boolean c , Boolean d){
        Accessible = a;
        Insertable = b;
        Updatable  = c;
        Deleteable = d;
    }
    public void setAccessible(Boolean Accessible) {
        this.Accessible = Accessible;
    }
    public Boolean getAccessible() {
        return Accessible;
    }
    public void setInsertable(Boolean Insertable) {
        this.Insertable = Insertable;
    }
    public Boolean getInsertable() {
        return Insertable;
    }
    public void setUpdatable(Boolean Updatable) {
        this.Updatable = Updatable;
    }
    public Boolean getUpdatable() {
        return Updatable;
    }
    public void setDeleteable(Boolean Deleteable) {
        this.Deleteable = Deleteable;
    }
    public Boolean getDeleteable() {
        return Deleteable;
    }
}
  • Now we have to implement a backing bean action method that populates the HashMap in session scope with the user responsibilities, based on the user's access.
- Note: you have to load all system responsibilities with false activation before specifying the user responsibilities, to avoid any null pointer exception coming from the HashMap in the future.
public void UserRolesDistribution(String UserID) {

        ViewObject AllPages = cwc.AccessIteratorBinding("UserRolesVO1Iterator").getViewObject();
        AllPages.reset();
        AllPages.setWhereClause(null);
        try {
            AllPages.executeQuery();
        } catch (JboException e) {
            cwc.Validate(FacesContext.getCurrentInstance(),
                         cwc.AccessBundleItemValue("CS.view.CS-InterfaceBundle", "ValidatorMessageHeader7"),
                         cwc.AccessBundleItemValue("CS.view.CS-InterfaceBundle", "ValidatorMessageFooter7"), 1);
        }
        // Start with every screen denied so that later lookups never hit a missing key
        if (AllPages.getEstimatedRowCount() > 0) {
            Row AllPagesRow;
            while (AllPages.hasNext()) {
                AllPagesRow = AllPages.next();
                UserMap.put(AllPagesRow.getAttribute("ScreenName").toString().toUpperCase(),
                            new Validation(Boolean.FALSE, Boolean.FALSE, Boolean.FALSE, Boolean.FALSE));
            }
        }

        // Bind the user id instead of concatenating it into the WHERE clause
        // (p_user_id is a bind variable name chosen here)
        AllPages.setWhereClause("user_id = :p_user_id");
        AllPages.defineNamedWhereClauseParam("p_user_id", UserID, null);
        try {
            AllPages.executeQuery();
        } catch (JboException e) {
            cwc.Validate(FacesContext.getCurrentInstance(),
                         cwc.AccessBundleItemValue("CS.view.CS-InterfaceBundle", "ValidatorMessageHeader7"),
                         cwc.AccessBundleItemValue("CS.view.CS-InterfaceBundle", "ValidatorMessageFooter7"), 1);
        }

        if (AllPages.getEstimatedRowCount() > 0) {
            Row PagesRow;
            while (AllPages.hasNext()) {
                PagesRow = AllPages.next();
                // Same upper-case key as above, so the all-false default is actually replaced
                String screen = PagesRow.getAttribute("ScreenName").toString().toUpperCase();
                UserMap.remove(screen);
                UserMap.put(screen,
                            new Validation(((Number)PagesRow.getAttribute("ScreenLogin")).compareTo(1) == 0,
                                           ((Number)PagesRow.getAttribute("ScreenAdd")).compareTo(1) == 0,
                                           ((Number)PagesRow.getAttribute("ScreenModify")).compareTo(1) == 0,
                                           ((Number)PagesRow.getAttribute("ScreenDel")).compareTo(1) == 0));
            }
        }
        // Remove the bind variable before clearing the WHERE clause
        AllPages.removeNamedWhereClauseParam("p_user_id");
        AllPages.setWhereClause(null);
        AllPages.reset();

    }
  • Now we can access the HashMap all over the system, before opening pages, buttons, menus and text items, applying the 4 security rules (Accessible, Insert-able, Update-able, Deletable). The property names follow the getters of the Validation class.
#{!UserRolesBean.userMap["UNIQUE"].accessible}
#{!UserRolesBean.userMap["UNIQUE"].insertable}
#{!UserRolesBean.userMap["UNIQUE"].updatable}
#{!UserRolesBean.userMap["UNIQUE"].deleteable}
Finally, we have a complete solution for Oracle Forms stand-alone security systems in the user responsibilities distribution phase.
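The EL expressions above only control what the page renders, so the same responsibilities are worth checking again inside the backing bean action that performs the insert, update or delete. A lookup that denies by default and can be called from such an action follows as an added example, not code from the original post; the class, enum and method names are hypothetical, and the flag value 1 meaning "granted" follows the ScreenLogin/ScreenAdd/ScreenModify/ScreenDel comparison above.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

public class UserPermissions {
    public enum Action { ACCESS, INSERT, UPDATE, DELETE }

    // One flag per Action, indexed by ordinal. Screens without a row have no entry.
    private final Map<String, boolean[]> byScreen = new HashMap<String, boolean[]>();

    // Single place where screen names are normalised, for both writes and reads.
    private static String key(String screen) {
        return screen == null ? "" : screen.trim().toUpperCase(Locale.ROOT);
    }

    /** Records one row of the user responsibilities query (1 means granted). */
    public void grant(String screen, int login, int add, int modify, int del) {
        byScreen.put(key(screen), new boolean[] { login == 1, add == 1, modify == 1, del == 1 });
    }

    /** Unknown screens resolve to "denied" instead of null, so no pre-population is needed. */
    public boolean can(String screen, Action action) {
        boolean[] flags = byScreen.get(key(screen));
        return flags != null && flags[action.ordinal()];
    }

    /** Server-side gate: call at the top of the action method before touching data. */
    public void require(String screen, Action action) {
        if (!can(screen, action)) {
            throw new SecurityException(action + " denied on " + key(screen));
        }
    }

    public static void main(String[] args) {
        UserPermissions p = new UserPermissions();
        p.grant("Unique", 1, 1, 0, 0); // constructed row: may open the screen and insert only

        System.out.println("insert on UNIQUE:  " + p.can("UNIQUE", Action.INSERT));
        System.out.println("delete on unique:  " + p.can("unique", Action.DELETE));
        System.out.println("access on PAYROLL: " + p.can("PAYROLL", Action.ACCESS));
        try {
            p.require("UNIQUE", Action.DELETE);
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```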

Execute & Run Client Side Resources || Oracle ADF

Today I will publish a solution for accessing client-side resources from Oracle ADF applications. As far as I know, there are 2 ways: the first is JavaScript and the second is Java applets.
I recommend using JavaScript in ADF JSF pages in our case.
Sometimes a client needs to access client resources to run exe, bat or vbs files, so I created a simple script that works with Microsoft Internet Explorer & Mozilla Firefox to execute a vbs file. But first you have to know 3 important points.
1- Any JSF component you use to get data or execute the js script must have its clientComponent property = true.
2- You have to use the tag <af:resource type="javascript"> to include JavaScript resources, and call the function using a client listener: <af:clientListener method="RunSDS" type="action"/>
3- Activate the Firefox option signed.applets.codebase_principal_support using about:config in the Firefox URL bar.
My example shows calling a vbs file with a unique parameter to execute a client-side vbs script.
<af:resource type="javascript">
              function RunSDS(evt) {
                  // Component whose value is passed to the script as its parameter
                  var MyClaim = AdfPage.PAGE.findComponent("pt1:ot9");
                  if (MyClaim.getValue() != null) {
                      evt = window.event;
                      if (navigator.appName == 'Microsoft Internet Explorer') {
                          // Backslashes must be escaped inside a JavaScript string literal
                          var commandtoRun = "c:\\run\\Execute.vbs";
                          var objShell = new ActiveXObject("Shell.Application");
                          objShell.ShellExecute(commandtoRun, MyClaim.getValue(), "", "open", 0);
                      }
                      else {
                          try {
                              netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
                              var exe = window.Components.classes['@mozilla.org/file/local;1'].createInstance(Components.interfaces.nsILocalFile);
                              exe.initWithPath("c:\\run\\Execute.vbs");
                              var run = window.Components.classes['@mozilla.org/process/util;1'].createInstance(Components.interfaces.nsIProcess);
                              run.init(exe);
                              var parameters = [MyClaim.getValue()];
                              run.run(false, parameters, parameters.length);
                          }
                          catch (ex) {
                              alert(ex.toString());
                          }
                      }
                  }
              }
</af:resource>

Four Technical Problems in List of Values || Oracle ADF

Today I will step away from Oracle SOA and come back to my favorite world, Oracle ADF. I will talk about the well-known bugs of the input text with list of values component, which exist in all R2 releases: Oracle ADF 11.1.2.0.0, 11.1.2.1.0 & 11.1.2.2.0 (latest).
  • In Form: mandatory validation of items in the same table fires automatically after navigating out of the input text with list of values.
  • In Form: the list of values validates the entered value against the list values as X like Y%, although I use X=Y in the View Criteria.
  • In Table: the page refreshes after navigating out of the input text with list of values component in table mode.
  • In Table: unusual behavior in table validations while modifying old records or creating new records with create insert.
First, I will quickly build a small, ordinary example of a list of values using the latest version, 11.1.2.2.0, to show the 4 main well-known technical problems. Some of them are bugs that need a workaround, and others need just a few improvements.
Resources: JDeveloper 11.1.2.2.0, Database XE, HR schema.
  • Build a View Criteria under the Departments View Object based on the department id & name attributes.
  • Check Query Automatically & give a value for Display Width for the 2 attributes.
  • In the Employees View Object, create a new attribute named Department Name.
  • Insert the SQL statement below to work in query mode, check the Queryable check box, give an alias & type, and finally make it Always updatable.
  • Create a list of values on Department id in the Employees View Object, using a new accessor and the View Criteria created before under the Departments View Object, and finally choose the type input text with list of values.

  • Drop the Employees View Object onto the first JSF page in the view controller project as a form.
  • On Department id, set auto submit = true.
  • On Department name, set Partial Triggers = Department id.
  • Drop the Create insert operation of the Employees View Object, to be used in the test.
  • I always prefer to use a data source created beforehand in the integrated WebLogic server, and to stop Auto Sync of JDBC/Datasource.
  • Let us start by checking the form model. I pressed create insert and started to insert the employee id, first name, etc. I skipped Hire Date & job id, then tried to enter a correct value in department id and pressed tab to navigate. The result shows a bug in the release: the other attributes are validated at an unusual moment, since this type of validation is expected during the submit or commit process.
  • I repeated the previous step, but entered everything correctly, with department id = 10. Another strange behavior appears after the LOV auto validation process: it shows 10 & 100 and I have to choose between them!
  • Now I will make another page to test the table model and drop the same view object as a table.
  • Now the page auto-refreshes once I navigate out of department id, although I have ppr between department id & name!

  • Now I will make some changes in different rows and then press create insert, to show another unusual behavior of the table.
Solutions
Now I will describe the 4 solutions, until Oracle does its best to fix these bugs.
1- For the first problem, you have to uncheck the mandatory check box in the Employees Entity Object for the attributes in the same table, and enhance your page with a customized backing bean method that performs the required validation in the view controller layer before the submit or commit process.
2- For the second problem, I developed a new workaround: change department id from the Number to the Varchar2 datatype, and create a db trigger using the lpad function (lpad(department_id,5,0)) so that all entered values look like 00010, 00100, 01000 & 10000; then the same LOV solution works as expected.
3- For the auto page refresh of the table, we have to change the Event policy in the binding layer properties to none instead of ppr, so that refresh is decided by Partial Triggers.
4- For the table's unusual behavior, I prefer to use these 2 properties to get more control over the table: Editing Mode = Click to Edit & Immediate = true.
I hope to hear good news from Oracle about solutions to these bugs in coming

BBS Project - ADF Web Services - BSL || Oracle SOA

Today I will go inside and start to build the first steps of our BBS Project, using the xsd file created in the First Steps article.
- Resources required.
  • Complete SOA Infrastructure - 11.1.1.5.
  • JDeveloper & SOA & BPM Extension - 11.1.1.5.
- Start to build a SOA application with the name "BANK-03" using "SOA Application Template".
- Project name "BANK-03", using SOA & BPM technologies.
- BPEL process using version 2.0 with the name "BPELProcess", the same for the service name; clear the namespace, and of course we need to expose it as a SOAP service.
- The default xsd file generated contains Process & ProcessResponse as request & response.
- Now modify the xsd source with the xsd source we have from the last article.
Note: save the old namespace before overwriting the old source, because we will use it to update our new source from our XSD file (as you see in the image below).
- As we know from the SOA structure, every xsd file is handled & extracted as messages in the WSDL file, so we have to enhance the WSDL file to use the new structure instead of the old one for messages, process, ports & partner links.
- Remove any messages & ports (default structure) and drop our 2 main elements, Bank Request & Bank Response from the XSD structure, into the message part of the WSDL, naming them "Bank-Request-Message" & "Bank-Response-Message".
- Build your first port and process to include both messages as input & output, naming the process "Loan-Process".
- Modify the source of the partner link type to rename the role to "Loan-Process".
- Now you can see the WSDL modifications reflected in the BANKBPEL_ep service, but what about the main components of the BPEL process?
- The port type is already reflected in the main web service.
- You have to choose My Role in the BPEL partner link of the service.
- You have to modify and map the 2 main default variables, "inputVariable" & "outputVariable", to use "Bank-Request-Message" & "Bank-Response-Message" in the WSDL file as types.
- The Receive & Reply activities already reflect the modifications of the WSDL file.
- Now the question: how do we test that everything is OK?
Answer: I will use a simple Assign activity to transfer data between the Receive & Reply activities.
Note: the Assign activity is a very simple component for transferring data & doing some data processing (we will use it many times in the future, but today we use it for test purposes).
- Drop an Assign activity, naming it "Test-Assign-Activity".
- Double-click the Assign activity and you will see variables giving access to all elements of the xsd file. Now transfer between Requested Amount (source) & Approved Amount (destination), just for testing.
- Drop the function utility to use Current-date from the date functions in the Response Date element (destination), just for test.
- Drop the function utility to use Concat from the string functions in the Message element (destination), just for test.
- Assign source: very simple!

- Now let us prepare for the deployment step: create a SOA bundle.
- The name of the deployment profile is "BANK-03".
- Check Dependencies to include BANK-03 in the deployment profile.
- Start the deployment process for the SOA server.
- Check "Overwrite any composites with the same revision id".

- Now, the test phase: go to WebLogic Enterprise Manager. Under the SOA folder, you will find your project with the test facility.
- Put in your values for the required parameters & press the Test button.
- The result comes back as we designed it using the Test Assign component.
Note: the result comes in the form of a tree and an XML view, and you can also check the trace of the process to the end, containing the resulting values and the operations made.
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing">
    <env:Header>
        <wsa:MessageID>urn:E52FB070ED2B11E1BF0665496D602DC3</wsa:MessageID>
        <wsa:ReplyTo>
            <wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address>
        </wsa:ReplyTo>
    </env:Header>
    <env:Body>
        <Bank-Response xmlns="http://xmlns.oracle.com/BANK_03/BANK_03/BPELPROCESS">
            <Client-Name/>
            <Approved-Amount>1000</Approved-Amount>
            <Currency/>
            <Status/>
            <Response-Date>2012-08-23</Response-Date>
            <Message>your loan request under 1st soa application successfully tested for account no : 224000000</Message>
        </Bank-Response>
    </env:Body>
</env:Envelope>
- When you start to test, you will see the port, service & operation you designed, and finally the WSDL URL & endpoint URL, which you can use anywhere to start.
- BBS Project plan until now ..
Soon we will go to the second technical step, improving the process with our technical facilities to cover the banking business of the Banking Business Services Project.