Oracle ADF security is one of the most important issues facing any developer working on Fusion applications: how do you secure your application so that illegal access cannot escape your security rules?
From my point of view, two solutions exist:
- Use standard ADF Security, which implements servlets that take responsibility for the security rules.
- Customize your own servlet filter to apply the same rules and take care of the automatic redirect in case of illegal access.
Steps:
1- In the web.xml file, include your servlet filter so that it is used as a security filter.
<filter>
    <filter-name>ServletFilter</filter-name>
    <filter-class>Servlets.ServletFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>ServletFilter</filter-name>
    <servlet-name>Faces Servlet</servlet-name>
</filter-mapping>
<filter-mapping>
    <filter-name>ServletFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>ERROR</dispatcher>
</filter-mapping>
2- Create the security filter class ServletFilter in the Servlets package.
package Servlets;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class ServletFilter implements Filter {
    private FilterConfig _filterConfig = null;

    public void init(FilterConfig filterConfig) throws ServletException {
        _filterConfig = filterConfig;
    }

    public void destroy() {
        _filterConfig = null;
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest MyRequest = (HttpServletRequest) request;
        HttpServletResponse MyResponse = (HttpServletResponse) response;
        HttpSession session = MyRequest.getSession();
        // Session attribute "a" is set once the user has logged in.
        String a = (String) session.getAttribute("a");
        String uri = MyRequest.getRequestURI();
        /*System.out.println("Filter Works .. ");
        System.out.println(uri);*/
        // Let the login page, static resources and logged-in users through.
        if (uri.endsWith("/Pages/login.jsf") ||
            uri.endsWith("/Pages/login") ||
            uri.endsWith(".jpg") ||
            uri.endsWith(".css") ||
            uri.endsWith(".bmp") ||
            uri.endsWith(".gif") ||
            uri.endsWith(".png") ||
            uri.endsWith(".swf") ||
            uri.endsWith(".js") || a != null) {
            chain.doFilter(MyRequest, MyResponse);
            return;
        } else {
            // Everything else is redirected to the login page.
            MyResponse.sendRedirect("/Interface/faces/Pages/login.jsf");
            return;
        }
    }
    // Wael Abdeen
}
Note: as you can see in the example above, I exclude image extensions as well as swf and js files so that the filter leaves them out of the security rule; otherwise, you will get the JSF page without them!
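The extension exclusions above are matched against getRequestURI(), which is the raw URI and still carries any path parameters (the part after a ";"), so a protected page requested with a trailing parameter ending in .js would satisfy the endsWith(".js") test. The following is an added example, not code from the original post: it decides on the container-parsed path instead and treats a file as public only when it sits under a static directory. The class name PublicPathCheck and the directories /images/, /css/ and /js/ are assumptions.

```java
import java.util.Arrays;
import java.util.List;

// Added example (hypothetical class). Call it from doFilter() with
//   req.getServletPath() + (req.getPathInfo() == null ? "" : req.getPathInfo())
// i.e. the path as parsed by the container, not getRequestURI().
public class PublicPathCheck {
    // Login view from the post, relative to the /Interface context root.
    private static final List<String> PUBLIC_PAGES =
        Arrays.asList("/faces/Pages/login.jsf", "/faces/Pages/login");
    // Assumed locations of static files; adjust to the real project layout.
    private static final List<String> STATIC_DIRS =
        Arrays.asList("/images/", "/css/", "/js/");
    // Same extensions the post's filter lets through.
    private static final List<String> STATIC_EXTS =
        Arrays.asList(".jpg", ".css", ".bmp", ".gif", ".png", ".swf", ".js");

    public static boolean isPublic(String path) {
        // Fail closed on anything that still looks like a path parameter or traversal.
        if (path == null || path.contains(";") || path.contains("..")) {
            return false;
        }
        if (PUBLIC_PAGES.contains(path)) {
            return true; // exact match only, no suffix matching
        }
        for (String dir : STATIC_DIRS) {
            if (!path.startsWith(dir)) {
                continue;
            }
            for (String ext : STATIC_EXTS) {
                if (path.endsWith(ext)) {
                    return true; // static extension AND inside a static directory
                }
            }
        }
        return false; // everything else needs the session attribute
    }

    public static void main(String[] args) {
        String[] samples = {            // constructed sample paths
            "/faces/Pages/login.jsf",
            "/css/site.css",
            "/faces/Pages/orders.jsf",
            "/faces/Pages/orders.jsf;x=.js", // raw-URI form that suffix matching accepts
            "/faces/Pages/report.js"         // .js suffix outside the static directories
        };
        for (String s : samples) {
            System.out.println(isPublic(s) + "  " + s);
        }
    }
}
```

In the filter, the condition then becomes isPublic(path) || a != null, and the redirect target can be built from MyRequest.getContextPath() rather than a hard-coded context root.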