Configuring the Provider when Creating a Factory Instance

25-18 Oracle Fusion Middleware Application Security Guide

    SimpleSearchFilter sf = oidStore.getSimpleSearchFilter(UserProfile.NAME, SimpleSearchFilter.TYPE_EQUAL, null);
    // a bare wildcard matches every user name
    sf.setValue(sf.getWildCardChar());

Example 2: Simple Filter to Find Users by Language Preference

This example retrieves users whose preferred language is not English:

    SimpleSearchFilter sf = oidStore.getSimpleSearchFilter(UserProfile.PREFERRED_LANGUAGE, SimpleSearchFilter.TYPE_EQUAL, "english");
    // negate() inverts the match: preferred language != english
    sf.negate();

Example 3: Complex Filter for Names by Starting Letter

This complex filter combines multiple search filters with the operators & (AND) or | (OR). It searches for users whose name starts with a letter between a and j:

    SimpleSearchFilter sf1 = oidStore.getSimpleSearchFilter(UserProfile.NAME, SimpleSearchFilter.TYPE_GREATER, null);
    sf1.setValue("a" + sf1.getWildCardChar());
    SimpleSearchFilter sf2 = oidStore.getSimpleSearchFilter(UserProfile.NAME, SimpleSearchFilter.TYPE_LESS, null);
    sf2.setValue("j" + sf2.getWildCardChar());
    SimpleSearchFilter sfArray[] = new SimpleSearchFilter[] {sf1, sf2};
    ComplexSearchFilter cf1 = oidStore.getComplexSearchFilter(sfArray, ComplexSearchFilter.TYPE_AND);

Example 4: Complex Filter with Restrictions on Starting Letter

In this example, complex filters are nested to enable a search for users whose name starts with a letter between a and j but not with the letter i:

    [continue from Example 3]
    SimpleSearchFilter sf3 = oidStore.getSimpleSearchFilter(UserProfile.NAME, SimpleSearchFilter.TYPE_EQUAL, null);
    sf3.setValue("i" + sf3.getWildCardChar());
    sf3.negate();
    // a complex filter can itself be an element of another complex filter
    SearchFilter sfArray2[] = new SearchFilter[] {cf1, sf3};
    ComplexSearchFilter cf2 = oidStore.getComplexSearchFilter(sfArray2, ComplexSearchFilter.TYPE_AND);

Example 5: Complete Search with Output

This example filters names starting with the letter a and outputs the return values:

    // search filter cn=a*
    SimpleSearchFilter sf = oidStore.getSimpleSearchFilter(UserProfile.NAME, SimpleSearchFilter.TYPE_EQUAL, null);
    sf.setValue("a" + sf.getWildCardChar());
    SearchParameters params = new SearchParameters();
    params.setFilter(sf);
    // Searching for users
    SearchResponse resp = oidStore.searchUsers(params);
    System.out.println("Searched users are:");
    while (resp.hasNext()) {
        Identity idy = resp.next();
        System.out.println("Unique name: " + idy.getUniqueName());
    }

25.4.5 Searching by GUID

In this example, GUID values obtained from the User and Role API are used directly in the search:

    UserProfile up = user.getUserProfile();
    String guid = up.getGUID();
    SimpleSearchFilter sf1 = oidStore.getSimpleSearchFilter(UserProfile.GUID, SimpleSearchFilter.TYPE_EQUAL, guid);
    SearchParameters params = new SearchParameters();
    params.setFilter(sf1);
    SearchResponse resp = oidStore.search(params);
    while (resp.hasNext())
        System.out.println("user for guid : " + guid + "," + resp.next());

25.5 User Authentication

For verification purposes, you can use the User and Role API for password-based authentication of users. As mentioned earlier, the API is not meant for authentication and authorization. The authenticateUser API accepts a user login name and attempts to authenticate the user with the specified password. If authentication is successful, it returns the user object. Here is an example of password-based authentication:

    store.getUserManager().authenticateUser("testuser", "password".toCharArray());
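The call above shows only the success path. The following is an added example, not code from the guide, of how a caller would wrap authenticateUser so that a rejected credential is handled as an ordinary outcome and the password array is wiped afterwards; the class and method names (PasswordCheck, verify) are illustrative, the identity store instance is assumed to have been obtained as shown earlier in the chapter, and the example assumes the char[] form of authenticateUser and that AuthenticationException is the checked exception it raises on failure.

```java
import java.util.Arrays;
import oracle.security.idm.AuthenticationException;
import oracle.security.idm.IMException;
import oracle.security.idm.IdentityStore;
import oracle.security.idm.User;
import oracle.security.idm.UserManager;

public class PasswordCheck {

    // Returns the authenticated User, or null when the credentials are rejected.
    // The password is taken as char[] so that it can be overwritten once used.
    public static User verify(IdentityStore store, String login, char[] password)
            throws IMException {
        UserManager um = store.getUserManager();
        try {
            return um.authenticateUser(login, password);
        } catch (AuthenticationException e) {
            // Record only the login name. The exception text is not logged here
            // because it may echo details of the failed attempt.
            System.err.println("authentication failed for " + login);
            return null;
        } finally {
            // Overwrite the password so it does not linger on the heap.
            Arrays.fill(password, '\0');
        }
    }
}
```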

25.6 Creating and Modifying Entries in the Identity Store

The User and Role API facilitates adding new identities to the identity store and modifying identities in the store. The UserManager and RoleManager classes address the user- and role-specific data creation, modification and deletion operations. UserManager and RoleManager instances can be obtained from the store instance as follows:

    UserManager um = oidStore.getUserManager();
    RoleManager rm = oidStore.getRoleManager();

Topics in this section include:

■ Handling Special Characters when Creating Identities
■ Creating an Identity
■ Modifying an Identity
■ Deleting an Identity

25.6.1 Handling Special Characters when Creating Identities

RFC 2253 defines the string representation of Distinguished Names for LDAP v3, and the API handles all the special characters specified in that RFC. The User and Role API user therefore does not need to escape or de-escape those special characters; attempting to do so will cause erroneous results. A problem can arise when creating identities with empty properties: in this case the RDN name is used to fill in the values of the various mandatory attributes, and some of these attributes may have stricter validation rules. When that happens, the creation of the identity fails and an exception is raised.

25.6.2 Creating an Identity

Two functions in the UserManager class facilitate creating a user:

    createUser(java.lang.String name, char[] password)

creates a user with the specified name and password in the underlying repository. When the identity store designates that some attributes are mandatory, all such fields will be populated with the name value.

    createUser(java.lang.String name, char[] password, PropertySet suppliedProps)

sets properties using the supplied property values. If any mandatory attribute values are not supplied, the missing attributes will use the name value as the default.

Likewise, RoleManager APIs are used to create roles. Roles are organized into two categories:

■ application scope
■ enterprise scope

When you invoke RoleManager to create a role, by default the role is created in the enterprise scope unless you specify otherwise. RoleManager APIs supporting role creation are:

    createRole(String roleName);
    createRole(String roleName, int roleScope);

The procedure for creating a role is similar to that for creating a user, and all mandatory attributes must be supplied with roleName.
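Putting the two preceding sections together, here is an added example (not the guide's own code) that creates a user whose name contains RDN special characters without pre-escaping it, supplies values for the mandatory attributes through a PropertySet so that the raw RDN value is not copied into them, and creates a role in the default enterprise scope. The class and method names are illustrative, the sample name and attribute values are constructed, and the example assumes the PropertySet.put(Property) and Property(String, Object) forms of the API along with the UserProfile.FIRST_NAME, LAST_NAME and MAIL constants.

```java
import java.util.Arrays;
import oracle.security.idm.IMException;
import oracle.security.idm.IdentityStore;
import oracle.security.idm.Property;
import oracle.security.idm.PropertySet;
import oracle.security.idm.Role;
import oracle.security.idm.RoleManager;
import oracle.security.idm.User;
import oracle.security.idm.UserManager;
import oracle.security.idm.UserProfile;

public class CreateEntries {

    // Creates a user whose name contains a comma and a plus sign, both RDN
    // special characters. The name is handed over exactly as typed: the API
    // applies RFC 2253 escaping itself, and escaping it here would corrupt the DN.
    public static User createUserWithProps(IdentityStore store, char[] password)
            throws IMException {
        UserManager um = store.getUserManager();
        String name = "Smith, John+Jr";   // constructed sample value, deliberately unescaped

        // Provide the attributes the store treats as mandatory. Without these the
        // RDN value would be copied into them and may fail stricter validation.
        PropertySet props = new PropertySet();
        props.put(new Property(UserProfile.FIRST_NAME, "John"));
        props.put(new Property(UserProfile.LAST_NAME, "Smith"));
        props.put(new Property(UserProfile.MAIL, "john.smith@example.com"));
        try {
            return um.createUser(name, password, props);
        } finally {
            Arrays.fill(password, '\0');   // wipe the password once it has been used
        }
    }

    // The one-argument createRole places the role in the enterprise scope.
    public static Role createEnterpriseRole(IdentityStore store, String roleName)
            throws IMException {
        RoleManager rm = store.getRoleManager();
        return rm.createRole(roleName);
    }
}
```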