Friday, August 9, 2013

ADF Security Basics part 8 : Expression Language (EL) with ADF security

In this post I explain how to use Expression Language (EL) to evaluate the user's permissions, and how the result can be used to hide or display components in a page.

Create a bounded task flow
Create testEL.jspx and drag and drop the task flow onto it as a region

Create a test user
Create an application role app-role1
Grant resources to the app-role1
Create one more page elPage.jspx and create the page def file for it. Assign the page resource to the app-role1.
elPage.jspx:
<?xml version='1.0' encoding='UTF-8'?>
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="2.1" xmlns:f="http://java.sun.com/jsf/core"
          xmlns:af="http://xmlns.oracle.com/adf/faces/rich">
    <jsp:directive.page contentType="text/html;charset=UTF-8"/>
    <f:view>
        <af:document title="elPage.jspx" id="d1">
            <af:form id="f1">
                <af:panelGroupLayout id="pgl1"/>
                <af:panelFormLayout id="pfl1">
                    <f:facet name="footer"/>
                 
                    <af:outputText value="#{securityContext.taskflowViewable['/WEB-INF/testELTF.xml#testELTF']}"
                                   id="ot3"/>
                    <af:outputText value="testELPageDef #{securityContext.regionViewable['view.pageDefs.testELPageDef']}" id="ot2"/>
                    <af:outputText value="User Name : #{securityContext.userName}" id="ot1"/>
                    <af:outputText value="Enterprise Id : #{data.adfContext.enterpriseId}" id="ot4"/>
                    <af:outputText value="Authenticated : #{securityContext.authenticated}" id="ot5"/>
                    <af:outputText value="User In Role : #{securityContext.userInRole['app-role1']}" id="ot6"/>
                    <af:outputText value="User In Roles : #{securityContext.userInAllRoles['app-role1']}" id="ot7"/>
                </af:panelFormLayout>
            </af:form>
        </af:document>
    </f:view>
</jsp:root>

Run the page and log in as the test user you created. The EL expressions above can be used to hide or show components in the page.
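elPage.jspx only prints the values of these expressions. The following added example (not from the original post) binds the same expressions to the rendered and disabled attributes so that components are actually hidden or shown. The page name elRendered.jspx and the region binding testELTF1 are assumptions.

```xml
<?xml version='1.0' encoding='UTF-8'?>
<!-- Added example: elRendered.jspx and the binding testELTF1 are assumed names -->
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="2.1" xmlns:f="http://java.sun.com/jsf/core"
          xmlns:af="http://xmlns.oracle.com/adf/faces/rich">
    <jsp:directive.page contentType="text/html;charset=UTF-8"/>
    <f:view>
        <af:document title="elRendered.jspx" id="d1">
            <af:form id="f1">
                <af:panelGroupLayout id="pgl1" layout="vertical">
                    <!-- Anonymous users see only this prompt -->
                    <af:outputText value="Please log in." id="ot1"
                                   rendered="#{!securityContext.authenticated}"/>

                    <!-- Region is rendered only when the user may view the task flow -->
                    <af:region value="#{bindings.testELTF1.regionModel}" id="r1"
                               rendered="#{securityContext.taskflowViewable['/WEB-INF/testELTF.xml#testELTF']}"/>

                    <!-- Fallback for authenticated users who lack the task flow grant -->
                    <af:outputText value="You are not authorized to view this task flow." id="ot2"
                                   rendered="#{securityContext.authenticated and !securityContext.taskflowViewable['/WEB-INF/testELTF.xml#testELTF']}"/>

                    <!-- Button is shown only when the target page definition is viewable -->
                    <af:button text="Open testEL page" id="b1"
                               rendered="#{securityContext.regionViewable['view.pageDefs.testELPageDef']}"/>

                    <!-- Role check used to disable rather than hide a component -->
                    <af:button text="Role action" id="b2"
                               disabled="#{!securityContext.userInRole['app-role1']}"/>
                </af:panelGroupLayout>
            </af:form>
        </af:document>
    </f:view>
</jsp:root>
```

The rendered and disabled attributes only control what is shown; the grants made to app-role1 on the page definition and task flow remain the actual access control.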

Security-based rendering can also be driven from a managed bean.
Also create an app-role2 and a page delayedELEval.jspx.

delayedELEval.jspx:

<?xml version='1.0' encoding='UTF-8'?>
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="2.1" xmlns:f="http://java.sun.com/jsf/core"
          xmlns:af="http://xmlns.oracle.com/adf/faces/rich">
    <jsp:directive.page contentType="text/html;charset=UTF-8"/>
    <f:view>
        <af:document title="delayedELEval.jspx" id="d1">
            <af:form id="f1" rendered="#{managedBean.authorized}">
                <af:button text="button 1" id="b1"/>
            </af:form>
        </af:document>
    </f:view>
</jsp:root>

Create a managed bean:

package view;

import javax.faces.application.FacesMessage;
import javax.faces.context.FacesContext;

import oracle.adf.share.ADFContext;
import oracle.adf.share.security.SecurityContext;
import oracle.adf.share.security.authorization.RegionPermission;


public class Managed {
    public Managed() {
        super();
    }
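    // Page definition whose view permission is checked. Switch between the two
    // values to test the "permission" and "no permission" cases.
    //private String targetPageDef = "view.pageDefs.testELPageDef";
    private String targetPageDef = "view.pageDefs.noPermPageDef";
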
    public void setTargetPageDef(String targetPageDef) {
        this.targetPageDef = targetPageDef;
    }

    public String getTargetPageDef() {
        return targetPageDef;
    }

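    // Backs rendered="#{managedBean.authorized}" in delayedELEval.jspx: returns true
    // only if the current user has view permission on the target page definition.
    public boolean isAuthorized() {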
        if (targetPageDef != null) {
            FacesContext fctx = FacesContext.getCurrentInstance();
            ADFContext adfCtx = ADFContext.getCurrent();
            SecurityContext secCtx = adfCtx.getSecurityContext();
            boolean hasPermission =
                secCtx.hasPermission(new RegionPermission(targetPageDef, RegionPermission.VIEW_ACTION));
            if (hasPermission) {
                return hasPermission;
            } else {
                fctx.addMessage(null,
                                new FacesMessage(FacesMessage.SEVERITY_WARN, "Access Permission Not defined !", null));
                return false;
            }

        }
        return false;
    }
}

Assign the managed bean to the request scope (the page refers to it as managedBean).
Test both conditions, with and without permission on the resource, by changing the variable "targetPageDef" in the managed bean.


