How to protect JSF application using Oracle Access Manager?

Many people use JSF to develop web applications. What if you are asked to protect a JSF application with Oracle Access Manager (OAM)? Is it certified? Yes: OAM is certified for JSF applications from 10.1.4.3 onwards. In our environment, the OAM Access Server is 10.1.4.3 and the WebGate is 10.1.4.2.

Those are the basics. How about implementing it? In our case, the JSF application employs no security mechanism of its own, i.e., there is nothing in web.xml or other configuration files.

The JSF application URL format is: http://host:port/WebApp/faces/home.jsp

We can protect the JSF application in an OAM policy domain by specifying the URL as /WebApp/faces/home.jsp. But what if the JSF application has 100 JSP pages? Are you going to specify every JSP page explicitly in the policy domain? If not, what is the way? All you need to do is specify the URL /WebApp/faces/.

Please note that the following URL formats in the OAM policy domain do not work:

/WebApp/faces/*.jsp

/WebApp/faces/*.*

/WebApp/faces/…/*

……

The related thread in Oracle Forums is here.
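One way to confirm that the /WebApp/faces/ resource really covers every page, as an added example (not from the original post or from Oracle): request each page without a session cookie and flag any page that is not challenged. The challenge shapes (HTTP 401, or a redirect to a URL containing `/login/`), the page names and the sample responses are assumptions constructed for illustration.

```python
import urllib.error
import urllib.request

BASE = "http://host:port"      # placeholder, as in the post's URL format
PREFIX = "/WebApp/faces/"      # the resource added to the policy domain
LOGIN_MARKERS = ("/login/",)   # assumption: substring of your login redirect URL

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx instead of following it

def fetch(url, timeout=10):
    """Cookie-less GET; returns (status, Location header) without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location") or ""
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location") or ""

def is_challenged(status, location, markers=LOGIN_MARKERS):
    """Assumed challenge shapes: 401, or a redirect whose target is the login page."""
    if status == 401:
        return True
    return status in (301, 302, 303, 307) and any(m in location for m in markers)

def audit(pages, fetch=fetch, base=BASE, prefix=PREFIX):
    """Return [(page, status)] for every page that was not challenged anonymously."""
    findings = []
    for page in pages:
        status, location = fetch(base + prefix + page.lstrip("/"))
        if not is_challenged(status, location):
            findings.append((page, status))
    return findings

# Constructed responses standing in for a live server, so the example runs offline.
SAMPLE = {
    "http://host:port/WebApp/faces/home.jsp": (302, "http://host:port/login/form.html"),
    "http://host:port/WebApp/faces/admin/users.jsp": (401, ""),
    "http://host:port/WebApp/faces/report.jsp": (200, ""),
}

def sample_fetch(url):
    return SAMPLE.get(url, (404, ""))

if __name__ == "__main__":
    for page, status in audit(["home.jsp", "admin/users.jsp", "report.jsp"], fetch=sample_fetch):
        print(f"NOT CHALLENGED: {PREFIX}{page} -> HTTP {status}")
```

Against a real deployment, set `BASE` and `LOGIN_MARKERS` to your own values and call `audit()` with the default `fetch`; an empty result means every listed page was intercepted.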

About the Author Mahendra

I am engulfed in Oracle Identity & Access Management domain. I have expertise on providing the optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities etc., I am also well versed with complex integrations within Identity Management and other product domains. I have expertise on building demos and implementation experience on products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory etc., Look @ my blog: http://talkidentity.blogspot.com


4 comments
kkchopra says February 5, 2011

Great stuff.

Atul Kumar says February 5, 2011

Thanks Mahendra good one.

kkchopra says February 5, 2011

Any idea about the other options to secure it?
I guess same goes with ADF application also.

Mahendra says February 5, 2011

Hello Chopra,

I have not tried the OAM and ADF combination yet. Can you tell me the complete URL of the ADF application to be protected? You can try the same approach mentioned in this post. Please let me know the results.

Hope this helps.

-Mahendra.
