Securing Oracle MAF Applications with HTTP Basic Authentication
"Ganesh Kamble" in "FMW" on 2014-07-22
Oracle Mobile Application Framework (MAF) is a hybrid mobile application development framework that allows developers to develop applications rapidly and efficiently. To get started with MAF, you can check my previous post here – http://k21technologies.com/blog/fmw/writing-your-first-oracle-mobile-application-framework-maf-application/. To know more about Authentication in MAF, check out this post here – http://k21technologies.com/blog/oam/oracle-mobile-application-framework-maf-authentication/.
In this post, we are going to see how you can secure your MAF applications using HTTP Basic Authentication. In this mode, the user credentials are authenticated against a remote application server. We will use our mobile application – EmployeeSecurityApplication – which has two features – Employees and Departments. The Departments feature is public and can be accessed by anonymous users. The Employees feature, however, is restricted and only authenticated users are allowed to access it. We will develop an ADF Fusion Web Application to act as the credential validation application.
The following diagram shows the HTTP Basic Authentication process:
- The mobile user accesses the MAF application and can view all the unsecured content
- When the user wants to see the secured feature, the MAF application presents a login page
- The user enters a username and password on the login page
- The MAF application sends the username and password to the remote application server
- The remote server validates the credentials and returns the result
- If the user is authenticated, the MAF application stores the credentials locally (depending on the Connectivity Mode used) and displays the secured features. If the user is not authenticated, the MAF application returns to the login page so that valid credentials can be entered.
Web Application for Authentication
Follow the below steps to create a simple web application which will act as a credential validator for your mobile application:
- Create a new application. Select ADF Fusion Web Application. You can choose to create any web application as long as it supports HTTP Basic Authentication. I am choosing ADF Fusion Web Application so that you can get a feel for the Configure ADF Security feature of ADF applications.
- Give a name to the application – LoginApplication in our case. Provide an optional Application Package Prefix and click Finish.
- Click on the dropdown menu next to the Application name in Application Navigator. Select Secure > Configure ADF Security…
- Select ADF Authentication check box
- Select Authentication Type as HTTP Basic Authentication
- You may choose to Redirect Upon Successful Authentication to redirect page after valid authentication.
- Click Finish to generate ADF Security artifacts
- Deploy the application to an application server
- Validate the HTTP Basic authentication by hitting the application URL in a browser
Now we have a standalone web application which is not aware of any mobile device accessing it.
MAF Application Security
Here we have the application – EmployeeSecurityApplication – with two features – Employees and Departments. Follow the below steps to secure the Employees feature:
- Open the maf-feature.xml file, which contains all the features of your mobile application
- We need to secure only the Employees feature. Select the Enable Security checkbox for the Employees feature
- Open the maf-application.xml file from the Application Resources panel. Click on the Security tab. You can see that the Login Page is set to Default. Authentication and Access Control can be configured only for the Employees feature. Remote URL Whitelist is empty and KBA Page is set to Default.
- Next we will configure the Application/Configuration Login Server. Click on the add button (green plus icon) under Authentication and Access Control. It will launch Create MAF Login Connection. By default, Authentication Server Type is HTTP Basic, which is what we are exploring in this post.
- We will select the hybrid Connectivity Mode. (To know more about Connectivity Modes, check out my previous post here: http://k21technologies.com/blog/oam/oracle-mobile-application-framework-maf-authentication/). Provide a Connection Name. All the fields are self-explanatory.
- Click on the HTTP Basic tab. Provide values for the Login and Logout URL. The URL should be the login URL of the application against which the users are to be authenticated. Our application URL is – http://192.168.0.100:7101/LoginApplication-ViewController-context-root/faces/welcome.jspx. Make sure you select a page which can actually be accessed; do not just enter the context path or a URL which is not reachable. Click on Test Connection to validate the connection. MAF supports the notion of multi-tenancy, where a mobile application includes a hosted application feature that can be shared by different organizations (tenants) but appears as though it is owned by a particular tenant. You can define multi-tenancy awareness for the mobile application connection by selecting the Multi-Tenant Aware option.
- Click on AutoLogin tab. Here you can configure options to remember username, password, staying logged in
- We are not exploring the Authorization part in this post, so ignore the Authorization tab and click OK. The configured server will appear in the Application/Configuration Login Server dropdown. Select this connection as the Login Server Connection for the Employees feature.
- Next we will configure the logout functionality for our application. Add an actionListener to the Logout button and create a logOut method in a managed bean.
- The logOut method should call the logout method of oracle.adfmf.framework.api.AdfmfJavaUtilities, which logs the user out of all the features.
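A managed bean wired to the Logout button, as an added example rather than code from the original post; the package, bean and method names, the bean scope used in the AMX binding, and the error handling are assumptions, while the AdfmfJavaUtilities.logout call is the one the steps above describe.

```java
// Added example (not from the original post): managed bean for the Logout
// button of EmployeeSecurityApplication. Package, class, scope and error
// handling are assumptions; only the AdfmfJavaUtilities.logout call comes
// from the steps described in the post.
package com.example.employeesecurity.bean;

import oracle.adfmf.amx.event.ActionEvent;
import oracle.adfmf.framework.api.AdfmfJavaUtilities;
import oracle.adfmf.framework.exception.AdfException;

public class ManagedBean {

    // Bound from the AMX page (scope and bean name are assumptions):
    // <amx:commandButton text="Logout"
    //     actionListener="#{applicationScope.ManagedBean.logOut}"/>
    public void logOut(ActionEvent actionEvent) {
        try {
            // Logs out of all features at once: the locally stored
            // credentials for the login server connection are cleared, so
            // the next visit to the secured Employees feature shows the
            // login page again while Departments stays reachable.
            AdfmfJavaUtilities.logout();
        } catch (Exception e) {
            // Do not fail silently: a logout that did not happen leaves the
            // device authenticated, so surface the error to the user.
            throw new AdfException("Logout failed: " + e.getMessage(),
                                   AdfException.ERROR);
        }
    }
}
```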
In the previous two sections, we have developed a web application which authenticates the users and configured security for the Employees feature of EmployeeSecurityApplication. Next, deploy the application on an iOS simulator or Android emulator to verify the results.
- Launch the application once the deployment is finished. In our application, the Employees feature is the default feature, so when you access it you can see the login page
- However, if you try to access the Departments feature, you will not be shown a login page. This is how MAF separates secured and public content.
- Now click on the Employees feature and, as expected, you are asked to log in. Enter the credentials which are to be validated against the remote application server.
- Here you go. You can see the contents of the Employees feature. Now that you are authenticated, you can move between the Departments and Employees features seamlessly without having to authenticate again.
- Click on the Logout button. It will trigger the action listener and log you out from all the features. Now if you try to access the secured feature, you will be asked to enter the login credentials again.
You can find the source of the two applications here:
This article describes how you can secure your Oracle Mobile Application Framework Applications using HTTP Basic Authentication with remote Application Server.