Many people use JSF technology to develop web applications, no doubt about that. What if you are asked to protect such a JSF application with Oracle Access Manager (OAM)? Is it certified? Yes: OAM is certified for JSF applications from 10.1.4.3 onwards. In our environment, the OAM Access Server is 10.1.4.3 and the WebGate is 10.1.4.2.
So much for the basics. How about implementing it? In our case, the JSF application employs no security mechanism of its own, i.e., there is nothing in web.xml or other configuration files.
The JSF application URL format is: http://host:port/WebApp/faces/home.jsp
We can protect the JSF application in an OAM policy domain by specifying the URL as /WebApp/faces/home.jsp. What if you have 100 JSP pages in the JSF application? Are you going to specify every JSP page explicitly in the policy domain? If not, what is the way? All you need to do is specify the URL /WebApp/faces/.
Please note that the following URL formats do not work in an OAM policy domain:
/WebApp/faces/*.jsp
/WebApp/faces/*.*
/WebApp/faces/…/*
……
The related thread in Oracle Forums is here.