8-20 Java EE Developers Guide for Oracle Application Development Framework
To configure the web.xml file:
1. In the Application Navigator, right-click the project and choose New.
2. In the New Gallery, expand General, select Deployment Descriptors and then Java EE Deployment Descriptor Wizard, and click OK.
3. In the Select Descriptor page of the Create Java EE Deployment Descriptor dialog, select web.xml and click Next.
4. In the Select Version page, select 2.5 and click Next.
5. In the Summary page, click Finish.
8.3.3.5 Enabling the Application for Real User Experience Insight
Real User Experience Insight (RUEI) is a web-based utility to report on real-user traffic requested by, and generated from, your network. It measures the response times of pages and transactions at the most critical points in the network infrastructure. Session diagnostics allow you to perform root-cause analysis.
RUEI enables you to view server and network times based on the real-user experience, to monitor your Key Performance Indicators (KPIs) and Service Level Agreements (SLAs), and to trigger alert notifications on incidents that violate their defined targets. You can implement checks on page content, site errors, and the functional requirements of transactions. Using this information, you can verify your business and technical operations. You can also set custom alerts on the availability, throughput, and traffic of all items identified in RUEI.
For more information about RUEI, see the Oracle Real User Experience Insight User’s Guide at http://download.oracle.com/docs/cd/E16339_01/doc.60/e16359/toc.htm.
You must enable an application for RUEI by adding the context-param tag to the web.xml file shown in Example 8–3.
Example 8–3 Enabling RUEI Monitoring for an Application in web.xml
<context-param>
  <description>This parameter notifies ADF Faces that the
    ExecutionContextProvider service provider is enabled.
    When enabled, this will start monitoring and aggregating
    user activity information for the client initiated requests.
    By default this param is not set or is false.
  </description>
  <param-name>oracle.adf.view.faces.context.ENABLE_ADF_EXECUTION_CONTEXT_PROVIDER</param-name>
  <param-value>true</param-value>
</context-param>
Note: Typically, your project has a web.xml file that is compatible and you would not need to perform the procedure to configure the web.xml file. JDeveloper creates a starter web.xml file when you create a project.
8.3.4 How to Deploy Applications with ADF Security Enabled
If you are developing an application in JDeveloper using Integrated WebLogic Server, application security deployment properties are configured by default, which means that the application and security credentials and policies will be overwritten each time you redeploy for development purposes.
Deploying an ADF Java EE Application 8-21
8.3.4.1 Applications That Will Run Using Oracle Single Sign-On (SSO)
Before you can deploy and run the web application with ADF Security enabled on the application server, the administrator of the target server must configure the domain-level jps-config.xml file for the Oracle Access Manager (OAM) security provider. To assist with this configuration task, an Oracle WebLogic Scripting Tool (WLST) script has been provided with the JDeveloper install. You can also use this command for configuring WebSphere for OAM. For details about running this configuration script with command addOAMSSOProvider(loginuri, logouturi, autologinuri), see the procedure for configuring Oracle WebLogic Server for a web application using ADF Security, OAM SSO, and OPSS SSO in the Oracle Fusion Middleware Security Guide.
Running the configuration script ensures that the ADF Security framework defers to the OAM service provider to clear the SSO cookie token. OAM uses this token to save the identity of authenticated users and, unless it is cleared during logout, the user will be unable to log out.
After the system administrator runs the script on the target server, the domain jps-config.xml file will contain the following security provider definition that is specific for ADF Security:
<propertySet name="props.auth.uri">
  <property name="login.url.FORM" value="/${app.context}/adfAuthentication"/>
  <property name="logout.url" value=""/>
</propertySet>
Additionally, the authentication type required by SSO is CLIENT-CERT. The web.xml authentication configuration for the deployed application must specify the auth-method element as one of the following CLIENT-CERT types.
WebLogic supports two types of authentication methods:
■ For FORM-type authentication method, specify the elements like this:
<login-config>
  <auth-method>CLIENT-CERT,FORM</auth-method>
  <realm-name>myrealm</realm-name>
  <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/error.html</form-error-page>
  </form-login-config>
</login-config>
■ For BASIC-type authentication method, specify the elements like this:
<login-config>
  <auth-method>CLIENT-CERT,BASIC</auth-method>
  <realm-name>myrealm</realm-name>
</login-config>
WebSphere supports a single authentication method. Specify the elements like this:
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>myrealm</realm-name>
  <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/error.html</form-error-page>
  </form-login-config>
</login-config>
You can configure the web.xml file either before or after deploying the web application. For further details about setting up the authentication method for Single
Sign-On, see the Oracle Fusion Middleware Security Guide.
8.3.4.2 Configuring Security for WebLogic Server
In a development environment, JDeveloper will automatically migrate application-level credentials, identities, and policies to the remote WebLogic Server
instance only if the server is set up to be in development mode. Integrated WebLogic Server is set up in development mode by default. You can set up a remote WebLogic
Server to be in development mode during Oracle WebLogic Server domain creation using the Oracle Fusion Middleware Configuration Wizard. For more information
about configuring Oracle WebLogic Server domains, see Oracle Fusion Middleware Creating Domains Using the Configuration Wizard.
JDeveloper will not migrate application-level security credentials to WebLogic Server set up in production mode. Typically, in a production environment, administrators will use Enterprise Manager or WLST scripts to deploy an application, including its security requirements.
When you deploy an application to WebLogic Server, credentials in the cwallet.sso and jazn-data.xml files will either overwrite or merge with the WebLogic Server domain-level credential store, depending on whether a property in weblogic-application.xml is set to OVERWRITE or MERGE. In production-mode WebLogic Server, to avoid security risks, only MERGE is allowed. For development-mode WebLogic Server, you can set to OVERWRITE to test user names and passwords. You can set the mode by running setDomainEnv.cmd or setDomainEnv.sh with the following option added to the command (usually located in ORACLE_HOME/user_projects/domains/MyDomain/bin).
For setDomainEnv.cmd:
set EXTRA_JAVA_PROPERTIES=-Djps.app.credential.overwrite.allowed=true %EXTRA_JAVA_PROPERTIES%
For setDomainEnv.sh:
EXTRA_JAVA_PROPERTIES="-Djps.app.credential.overwrite.allowed=true ${EXTRA_JAVA_PROPERTIES}"
export EXTRA_JAVA_PROPERTIES
If the Administration Server is already running, you must restart it for this setting to take effect.
You can check to see whether WebLogic Server is in production mode by using the Oracle WebLogic Server Administration Console or by verifying the following line in the WebLogic Server config.xml file:
<production-mode-enabled>true</production-mode-enabled>
By default, JDeveloper sets the application’s credentials, identities, and policies to OVERWRITE. That is, the Application Policies, Credentials, and Users and Groups options are selected by default in the Application Properties dialog Deployment page. However, an application’s credentials will be migrated only if the target WebLogic Server instance is set to development mode with -Djps.app.credential.overwrite.allowed=true.
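The following audit script is an added example, not part of the Oracle guide. It reads a domain's config.xml and setDomainEnv script and reports when the credential overwrite option described above is active, in particular on a production-mode domain. The sample file contents and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

FLAG = "-Djps.app.credential.overwrite.allowed=true"

# Constructed samples (not taken from a real domain).
SAMPLE_CONFIG_XML = """\
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>MyDomain</name>
  <production-mode-enabled>true</production-mode-enabled>
</domain>"""

SAMPLE_ENV_SH = """\
# EXTRA_JAVA_PROPERTIES="-Djps.app.credential.overwrite.allowed=true"
EXTRA_JAVA_PROPERTIES="-Djps.app.credential.overwrite.allowed=true ${EXTRA_JAVA_PROPERTIES}"
export EXTRA_JAVA_PROPERTIES
"""

def production_mode(config_xml):
    """True if config.xml carries <production-mode-enabled>true</...>."""
    for el in ET.fromstring(config_xml).iter():
        # Compare on the local name so the domain namespace does not matter.
        if el.tag.rsplit("}", 1)[-1] == "production-mode-enabled":
            return (el.text or "").strip().lower() == "true"
    return False  # element absent: treated here as development mode

def overwrite_allowed(env_script):
    """True if an active (uncommented) line of setDomainEnv sets the flag."""
    for line in env_script.splitlines():
        code = line.strip()
        # Skip sh comments and .cmd comments (rem, @rem, ::).
        if code.startswith("#") or code.lower().startswith(("rem ", "@rem ", "::")):
            continue
        if FLAG in code:
            return True
    return False

def audit_domain(config_xml, env_script):
    """Combine both checks into a single OK / WARN / FAIL verdict."""
    prod, flag = production_mode(config_xml), overwrite_allowed(env_script)
    if prod and flag:
        return "FAIL: production-mode domain still sets " + FLAG
    if flag:
        return "WARN: development-mode domain; redeploys may overwrite the domain credential store"
    return "OK: overwrite flag not set"

if __name__ == "__main__":
    print(audit_domain(SAMPLE_CONFIG_XML, SAMPLE_ENV_SH))
```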
When your application is ready for deployment to a production environment, you should remove the identities from the jazn-data.xml file or disable the migration of
identities by deselecting Users and Groups from the Application Properties dialog. Application credentials must be manually migrated outside of JDeveloper.
For more information about migrating application credentials and other jazn-data user credentials, see the Oracle Fusion Middleware Security Guide.
8.3.4.2.1 Applications with JDBC Data Source for WebLogic
If your application uses application-level JDBC data sources with password indirection for database connections, you may need to create credential maps in
WebLogic Server to enable the database connection. For more information, see Section 8.3.7, What You May Need to Know About JDBC Data Source for Oracle
WebLogic Server.
8.3.4.3 Configuring Security for WebSphere Server
Applications with credentials and policies in the jazn-data.xml and cwallet.sso files can be migrated to WebSphere. You will need to perform additional tasks in WebSphere. Be aware that the opss-application.xml file is not included in the application EAR file if it is intended for WebSphere.
For more information about setting up WebSphere to accept credentials and policies, see the Oracle Fusion Middleware Third-Party Application Server Guide.
8.3.4.3.1 Applications with JDBC Data Source for WebSphere
If your application uses application-level JDBC data sources with password indirection for database connections, you will need to create a JDBC data source in
WebSphere. For more information, see the IBM WebSphere documentation.
8.3.4.3.2 Editing the web.xml File to Protect the Application Root for WebSphere
When you enable ADF Security for your web application, the web.xml file includes the Java EE security constraint allPages to protect the Java EE application root. By default, to support deploying to Oracle WebLogic Server, JDeveloper specifies the URL pattern for the security constraint as a slash (/). If you intend to deploy the application to IBM WebSphere, the correct URL pattern is slash-asterisk (/*).
Note: Before you migrate the jazn-data.xml file to a production environment, check that the policy store does not contain duplicate permissions for a grant. If a duplicate permission (one that has the same name and class) appears in the file, the administrator migrating the policy store will receive an error and the migration of the policies will be halted. You should manually edit the jazn-data.xml file to remove any duplicate permissions from a grant definition.
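The duplicate check in the note above can be run before handing jazn-data.xml to the administrator. This script is an added example, not part of the Oracle guide. It assumes the usual jazn-data.xml layout in which each grant element holds grantee and permissions children and each permission has class, name and actions elements. The sample policy is constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed jazn-data.xml fragment (sample data). The "managers" grant lists
# the same task flow permission twice, with different actions.
SAMPLE_JAZN = """\
<jazn-data><policy-store><applications><application>
 <name>DemoApp</name>
 <jazn-policy>
  <grant>
   <grantee><principals><principal><name>staff</name></principal></principals></grantee>
   <permissions>
    <permission><class>oracle.adf.share.security.authorization.RegionPermission</class><name>view.pageDefs.homePageDef</name><actions>view</actions></permission>
   </permissions>
  </grant>
  <grant>
   <grantee><principals><principal><name>managers</name></principal></principals></grantee>
   <permissions>
    <permission><class>oracle.adf.controller.security.TaskFlowPermission</class><name>/WEB-INF/orders-flow.xml#orders-flow</name><actions>view</actions></permission>
    <permission><class>oracle.adf.controller.security.TaskFlowPermission</class><name>/WEB-INF/orders-flow.xml#orders-flow</name><actions>view,customize</actions></permission>
   </permissions>
  </grant>
 </jazn-policy>
</application></applications></policy-store></jazn-data>"""

def duplicate_permissions(xml_text):
    """Return (grantees, class, name, count) for every permission that occurs
    more than once inside a single grant; actions are ignored on purpose,
    because the note defines a duplicate by name and class only."""
    findings = []
    for grant in ET.fromstring(xml_text).iter("grant"):
        grantees = tuple(n.text.strip()
                         for n in grant.findall("./grantee//principal/name") if n.text)
        seen = Counter(
            ((p.findtext("class") or "").strip(), (p.findtext("name") or "").strip())
            for p in grant.findall("./permissions/permission"))
        findings += [(grantees, cls, name, n) for (cls, name), n in seen.items() if n > 1]
    return findings

if __name__ == "__main__":
    for grantees, cls, name, n in duplicate_permissions(SAMPLE_JAZN):
        print("grant to %s: %s %s appears %d times" % (",".join(grantees), cls, name, n))
```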
Before you deploy the application to WebSphere, manually edit the web.xml file for your application to change the allPages security constraint as follows:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>allPages</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  . . .
</security-constraint>
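The web.xml requirements from the SSO section (CLIENT-CERT in auth-method, a single method on WebSphere) and from this section (the allPages URL pattern on WebSphere) can be verified before deployment. This check is an added example, not part of the Oracle guide. The function name and the sample descriptor are constructed, and the descriptor is assumed to use the web.xml 2.5 namespace.

```python
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/javaee"}  # web.xml 2.5 namespace

# Constructed web.xml as it might look when prepared for WebLogic (sample data).
SAMPLE_WEB_XML = """\
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>allPages</web-resource-name>
      <url-pattern>/</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT,FORM</auth-method>
    <realm-name>myrealm</realm-name>
  </login-config>
</web-app>"""

def check_sso_web_xml(xml_text, target):
    """Return findings for target 'weblogic' or 'websphere' (empty list = pass)."""
    root = ET.fromstring(xml_text)
    findings = []
    raw = root.findtext("j:login-config/j:auth-method", "", NS)
    methods = [m.strip() for m in raw.split(",") if m.strip()]
    if "CLIENT-CERT" not in methods:
        findings.append("auth-method does not include CLIENT-CERT")
    if target == "websphere" and len(methods) > 1:
        findings.append("WebSphere takes a single auth-method, found " + ",".join(methods))
    if target == "websphere":
        # The allPages constraint must use /* on WebSphere.
        for wrc in root.findall("j:security-constraint/j:web-resource-collection", NS):
            if wrc.findtext("j:web-resource-name", "", NS).strip() != "allPages":
                continue
            patterns = [p.text.strip() for p in wrc.findall("j:url-pattern", NS) if p.text]
            if "/*" not in patterns:
                findings.append("allPages url-pattern is %s, expected /*" % patterns)
            break
        else:
            findings.append("no allPages security constraint found")
    return findings

if __name__ == "__main__":
    for target in ("weblogic", "websphere"):
        print(target, check_sso_web_xml(SAMPLE_WEB_XML, target))
```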
8.3.5 How to Replicate Memory Scopes in a Clustered Environment