How to Deploy Applications with ADF Security Enabled

8-20 Java EE Developer's Guide for Oracle Application Development Framework

To configure the web.xml file:

1. In the Application Navigator, right-click the project and choose New.

2. In the New Gallery, expand General, select Deployment Descriptors and then Java EE Deployment Descriptor Wizard, and click OK.

3. In the Select Descriptor page of the Create Java EE Deployment Descriptor dialog, select web.xml and click Next.

4. In the Select Version page, select 2.5 and click Next.

5. In the Summary page, click Finish.

8.3.3.5 Enabling the Application for Real User Experience Insight

Real User Experience Insight (RUEI) is a web-based utility to report on real-user traffic requested by, and generated from, your network. It measures the response times of pages and transactions at the most critical points in the network infrastructure. Session diagnostics allow you to perform root-cause analysis.

RUEI enables you to view server and network times based on the real-user experience, to monitor your Key Performance Indicators (KPIs) and Service Level Agreements (SLAs), and to trigger alert notifications on incidents that violate their defined targets. You can implement checks on page content, site errors, and the functional requirements of transactions. Using this information, you can verify your business and technical operations. You can also set custom alerts on the availability, throughput, and traffic of all items identified in RUEI.

For more information about RUEI, see the Oracle Real User Experience Insight User's Guide at http://download.oracle.com/docs/cd/E16339_01/doc.60/e16359/toc.htm.

You must enable an application for RUEI by adding the context-param tag to the web.xml file, as shown in Example 8–3.

Example 8–3 Enabling RUEI Monitoring for an Application in web.xml

    <context-param>
      <description>This parameter notifies ADF Faces that the ExecutionContextProvider
        service provider is enabled. When enabled, this will start monitoring and
        aggregating user activity information for the client initiated requests.
        By default this param is not set or is false.</description>
      <param-name>oracle.adf.view.faces.context.ENABLE_ADF_EXECUTION_CONTEXT_PROVIDER</param-name>
      <param-value>true</param-value>
    </context-param>

8.3.4 How to Deploy Applications with ADF Security Enabled

If you are developing an application in JDeveloper using Integrated WebLogic Server, application security deployment properties are configured by default, which means that the application and security credentials and policies will be overwritten each time you redeploy for development purposes.

Note: Typically, your project already has a web.xml file that is compatible, and you would not need to perform the procedure for configuring the web.xml file described above. JDeveloper creates a starter web.xml file when you create a project.

Deploying an ADF Java EE Application 8-21

8.3.4.1 Applications That Will Run Using Oracle Single Sign-On SSO

Before you can deploy and run the web application with ADF Security enabled on the application server, the administrator of the target server must configure the domain-level jps-config.xml file for the Oracle Access Manager (OAM) security provider. To assist with this configuration task, an Oracle WebLogic Scripting Tool (WLST) script has been provided with the JDeveloper install. You can also use this command for configuring WebSphere for OAM. For details about running this configuration script with the command addOAMSSOProvider(loginuri, logouturi, autologinuri), see the procedure for configuring Oracle WebLogic Server for a web application using ADF Security, OAM SSO, and OPSS SSO in the Oracle Fusion Middleware Security Guide.

Running the configuration script ensures that the ADF Security framework defers to the OAM service provider to clear the SSO cookie token. OAM uses this token to save the identity of authenticated users and, unless it is cleared during logout, the user will be unable to log out.

After the system administrator runs the script on the target server, the domain jps-config.xml file will contain the following security provider definition that is specific to ADF Security:

    <propertySet name="props.auth.uri">
      <property name="login.url.FORM" value="/${app.context}/adfAuthentication"/>
      <property name="logout.url" value=""/>
    </propertySet>

Additionally, the authentication type required by SSO is CLIENT-CERT. The web.xml authentication configuration for the deployed application must specify the auth-method element as one of the following CLIENT-CERT types.

WebLogic supports two types of authentication methods:

■ For the FORM-type authentication method, specify the elements like this:

    <login-config>
      <auth-method>CLIENT-CERT,FORM</auth-method>
      <realm-name>myrealm</realm-name>
      <form-login-config>
        <form-login-page>/login.html</form-login-page>
        <form-error-page>/error.html</form-error-page>
      </form-login-config>
    </login-config>

■ For the BASIC-type authentication method, specify the elements like this:

    <login-config>
      <auth-method>CLIENT-CERT,BASIC</auth-method>
      <realm-name>myrealm</realm-name>
    </login-config>

WebSphere supports a single authentication method. Specify the elements like this:

    <login-config>
      <auth-method>CLIENT-CERT</auth-method>
      <realm-name>myrealm</realm-name>
      <form-login-config>
        <form-login-page>/login.html</form-login-page>
        <form-error-page>/error.html</form-error-page>
      </form-login-config>
    </login-config>

You can configure the web.xml file either before or after deploying the web application. For further details about setting up the authentication method for Single Sign-On, see the Oracle Fusion Middleware Security Guide.
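As an added example that is not part of this guide, the following Python check parses a web.xml and reports whether its login-config satisfies the CLIENT-CERT requirement described above for the chosen target server (WebLogic accepts CLIENT-CERT,FORM or CLIENT-CERT,BASIC; WebSphere accepts CLIENT-CERT only). The sample web.xml fragments and the function names are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml (Java EE 2.5 namespace); not taken from the guide.
WEBLOGIC_FORM = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <login-config>
    <auth-method>CLIENT-CERT,FORM</auth-method>
    <realm-name>myrealm</realm-name>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/error.html</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""
# Same file with FORM alone: OAM SSO needs a CLIENT-CERT auth-method.
FORM_ONLY = WEBLOGIC_FORM.replace("CLIENT-CERT,FORM", "FORM")

def _local(tag):
    """Drop the namespace prefix so lookups work with or without an xmlns."""
    return tag.rsplit("}", 1)[-1]

def _find(elem, name):
    return next((c for c in elem.iter() if _local(c.tag) == name), None)

def check_sso_login_config(web_xml, target):
    """Return the problems found in <login-config> for OAM SSO on the given
    target ('weblogic' or 'websphere'); an empty list means it is acceptable."""
    problems = []
    login = _find(ET.fromstring(web_xml), "login-config")
    if login is None:
        return ["no <login-config> element"]
    auth = _find(login, "auth-method")
    if auth is None or not (auth.text or "").strip():
        return ["<login-config> has no auth-method"]
    methods = [m.strip() for m in auth.text.split(",")]
    if methods[0] != "CLIENT-CERT":
        problems.append(f"auth-method {auth.text.strip()!r} is not a CLIENT-CERT type")
    if target == "websphere" and methods != ["CLIENT-CERT"]:
        problems.append("WebSphere supports CLIENT-CERT only")
    if target == "weblogic" and methods not in (["CLIENT-CERT", "FORM"],
                                               ["CLIENT-CERT", "BASIC"]):
        problems.append("WebLogic expects CLIENT-CERT,FORM or CLIENT-CERT,BASIC")
    if "FORM" in methods and _find(login, "form-login-config") is None:
        problems.append("FORM auth-method without <form-login-config>")
    return problems

if __name__ == "__main__":
    for target, doc in (("weblogic", WEBLOGIC_FORM), ("weblogic", FORM_ONLY)):
        print(target, check_sso_login_config(doc, target) or "OK")
```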

8.3.4.2 Configuring Security for WebLogic Server

In a development environment, JDeveloper will automatically migrate application-level credentials, identities, and policies to the remote WebLogic Server instance only if the server is set up to be in development mode. Integrated WebLogic Server is set up in development mode by default. You can set up a remote WebLogic Server to be in development mode during Oracle WebLogic Server domain creation using the Oracle Fusion Middleware Configuration Wizard. For more information about configuring Oracle WebLogic Server domains, see Oracle Fusion Middleware Creating Domains Using the Configuration Wizard.

JDeveloper will not migrate application-level security credentials to a WebLogic Server set up in production mode. Typically, in a production environment, administrators will use Enterprise Manager or WLST scripts to deploy an application, including its security requirements.

When you deploy an application to WebLogic Server, credentials in the cwallet.sso and jazn-data.xml files will either overwrite or merge with the WebLogic Server domain-level credential store, depending on whether a property in weblogic-application.xml is set to OVERWRITE or MERGE. In production-mode WebLogic Server, to avoid security risks, only MERGE is allowed. For development-mode WebLogic Server, you can set it to OVERWRITE to test user names and passwords.

You can set the mode by running setDomainEnv.cmd or setDomainEnv.sh with the following option added to the command (the script is usually located in ORACLE_HOME/user_projects/domains/MyDomain/bin).

For setDomainEnv.cmd:

    set EXTRA_JAVA_PROPERTIES=-Djps.app.credential.overwrite.allowed=true %EXTRA_JAVA_PROPERTIES%

For setDomainEnv.sh:

    EXTRA_JAVA_PROPERTIES="-Djps.app.credential.overwrite.allowed=true ${EXTRA_JAVA_PROPERTIES}"
    export EXTRA_JAVA_PROPERTIES

If the Administration Server is already running, you must restart it for this setting to take effect.

You can check to see whether WebLogic Server is in production mode by using the Oracle WebLogic Server Administration Console or by verifying the following line in the WebLogic Server config.xml file:

    <production-mode-enabled>true</production-mode-enabled>

By default, JDeveloper sets the application's credentials, identities, and policies to OVERWRITE. That is, the Application Policies, Credentials, and Users and Groups options are selected by default in the Application Properties dialog Deployment page. However, an application's credentials will be migrated only if the target WebLogic Server instance is set to development mode with -Djps.app.credential.overwrite.allowed=true.

When your application is ready for deployment to a production environment, you should remove the identities from the jazn-data.xml file or disable the migration of identities by deselecting Users and Groups from the Application Properties dialog. Application credentials must be manually migrated outside of JDeveloper. For more information about migrating application credentials and other jazn-data user credentials, see the Oracle Fusion Middleware Security Guide.

8.3.4.2.1 Applications with JDBC Data Source for WebLogic

If your application uses application-level JDBC data sources with password indirection for database connections, you may need to create credential maps in WebLogic Server to enable the database connection. For more information, see Section 8.3.7, "What You May Need to Know About JDBC Data Source for Oracle WebLogic Server."

8.3.4.3 Configuring Security for WebSphere Server

Applications with credentials and policies in the jazn-data.xml and cwallet.sso files can be migrated to WebSphere. You will need to perform additional tasks in WebSphere. Be aware that the opss-application.xml file is not included in the application EAR file if it is intended for WebSphere. For more information about setting up WebSphere to accept credentials and policies, see the Oracle Fusion Middleware Third-Party Application Server Guide.

8.3.4.3.1 Applications with JDBC Data Source for WebSphere

If your application uses application-level JDBC data sources with password indirection for database connections, you will need to create a JDBC data source in WebSphere. For more information, see the IBM WebSphere documentation.

8.3.4.3.2 Editing the web.xml File to Protect the Application Root for WebSphere

When you enable ADF Security for your web application, the web.xml file includes the Java EE security constraint allPages to protect the Java EE application root. By default, to support deploying to Oracle WebLogic Server, JDeveloper specifies the URL pattern for the security constraint as a slash (/). If you intend to deploy the application to IBM WebSphere, the correct URL pattern is slash-asterisk (/*).

Before you deploy the application to WebSphere, manually edit the web.xml file for your application to change the allPages security constraint as follows:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>allPages</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      . . .
    </security-constraint>

Note: Before you migrate the jazn-data.xml file to a production environment, check that the policy store does not contain duplicate permissions for a grant. If a duplicate permission (one that has the same name and class) appears in the file, the administrator migrating the policy store will receive an error and the migration of the policies will be halted. You should manually edit the jazn-data.xml file to remove any duplicate permissions from a grant definition.
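As an added example that is not part of this guide, the following Python script detects the duplicate-permission condition from the note above (the same class and name repeated within one grant of a jazn-data.xml policy store) and produces a copy with the repeated entries dropped, so the file can be checked before the policy migration that would otherwise halt. The sample jazn-data.xml fragment and the function names are constructed here, and the script assumes the file declares no default XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed jazn-data.xml fragment (not from the guide): one grant carries
# the same RegionPermission twice, i.e. identical <class> and <name>.
JAZN_DATA = """<jazn-data><policy-store><applications><application>
  <name>MyApp</name>
  <jazn-policy>
    <grant>
      <grantee><principals><principal><name>users</name></principal></principals></grantee>
      <permissions>
        <permission>
          <class>oracle.adf.share.security.authorization.RegionPermission</class>
          <name>view.pageDefs.mainPageDef</name>
          <actions>view</actions>
        </permission>
        <permission>
          <class>oracle.adf.share.security.authorization.RegionPermission</class>
          <name>view.pageDefs.mainPageDef</name>
          <actions>view</actions>
        </permission>
      </permissions>
    </grant>
  </jazn-policy>
</application></applications></policy-store></jazn-data>"""

def _key(perm):
    """A permission is identified by its class and name, as the note states."""
    return (perm.findtext("class", "").strip(), perm.findtext("name", "").strip())

def find_duplicate_permissions(jazn_xml):
    """Return (grant index, class, name) for each repeated permission in a grant."""
    dups = []
    for i, grant in enumerate(ET.fromstring(jazn_xml).iter("grant")):
        seen = set()
        for perm in grant.iter("permission"):
            if _key(perm) in seen:
                dups.append((i,) + _key(perm))
            seen.add(_key(perm))
    return dups

def remove_duplicate_permissions(jazn_xml):
    """Return the policy XML with second and later copies of a permission dropped."""
    root = ET.fromstring(jazn_xml)
    for grant in root.iter("grant"):
        seen = set()
        for perms in grant.iter("permissions"):
            for perm in list(perms):  # copy the child list before removing from it
                if _key(perm) in seen:
                    perms.remove(perm)
                seen.add(_key(perm))
    return ET.tostring(root, encoding="unicode")
```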

8.3.5 How to Replicate Memory Scopes in a Clustered Environment