• Find us:
    +1 415 655 1723   |   +91-804-719-2727
  • Free Newsletter


  • Archive

  • Categories

  • Securing Oracle MAF Applications with HTTP Basic Authentication

    Posted by "" in "FMW" on 2014-07-22


    Oracle Mobile Application Framework (MAF) is a hybrid mobile application development framework that allows developers to develop applications rapidly and efficiently. To get started with MAF, you can check my previous post here – http://k21technologies.com/blog/fmw/writing-your-first-oracle-mobile-application-framework-maf-application/. To know more about Authentication in MAF, check out this post here – http://k21technologies.com/blog/oam/oracle-mobile-application-framework-maf-authentication/.

    In this post, we are going to see how you can secure your MAF applications using HTTP Basic Authentication. In this mode, the user credentials are authenticated against a remote application server. We will use our Mobile Application – EmployeeSecurityApplication in which there are basically two features – Employees and Departments. Departments feature is a public feature and can be accessed by anonymous users. However, Employee feature is restricted and only authenticated users are allowed to access it. We will develop an ADF Fusion Web Application to act as credential validation application.

    Authentication Process

    The following diagram shows the HTTP Basic Authentication process: Screen Shot 2014-07-20 at 10.32.21 pm


    1. Mobile User accesses the MAF application. User can view all the unsecured content
    2. When user wants to see the secured feature, MAF application presents a login page
    3. User enters username and password on the login page
    4. MAF application sends the username and password to remote application server
    5. Remote server validates the credentials and returns the result
    6. If the user is authenticated, MAF application stores the credentials locally depending on the Connectivity Mode used and displays the secured features. If the user is not authenticated, MAF application returns the login page to input the valid credentials.


    Web Application for Authentication

    Follow the below steps to create a simple web application which will act as a credential validator for your mobile application:

    1. Create a new application. Select ADF Fusion Web Application. You can choose to create any web application as long as it supports HTTP Basic Web Authentication. I am choosing ADF Fusion Web Application so that you can get a feel of Configuring Security feature of ADF Applications

    Screen Shot 2014-07-21 at 09.14.23 am



    1. Give a name to the application – LoginApplication in our case. Provide an optional Application Package Prefix and click Finish

    Screen Shot 2014-07-21 at 09.14.53 am



    1. Click on the dropdown menu next to the Application name in Application Navigator. Select Secure > Configure ADF Security…

    Screen Shot 2014-07-21 at 09.17.33 am



    1. Select ADF Authentication check box

    Screen Shot 2014-07-21 at 09.17.51 am



    1. Select Authentication Type as HTTP Basic Authentication

    Screen Shot 2014-07-21 at 09.18.37 am



    1. You may choose to Redirect Upon Successful Authentication to redirect page after valid authentication.

    Screen Shot 2014-07-21 at 09.18.51 am



    1. Click Finish to generate ADF Security artifacts

    Screen Shot 2014-07-21 at 09.19.02 am



    1. Deploy the application to an application server

    Screen Shot 2014-07-21 at 09.34.59 am



    1. Validate the HTTP Basic authentication by hitting the application url in browser

    Screen Shot 2014-07-21 at 09.38.55 am

    Now we have a standalone web application which is not aware of any mobile device accessing it.

    MAF Application Security

    Here we have the application – EmployeeSecurityApplication with two features – Employees and Departments. Follow the below steps to add security for feature Employees

    1. Open maf-feature.xml file which contains all the features of your mobile application

    Screen Shot 2014-07-21 at 01.19.19 pm



    1. Now we need to secure only Employees feature. Click on Enable Security checkbox of Employees feature

    Screen Shot 2014-07-21 at 01.20.25 pm



    1. Open maf-application.xml file from Application Resources panel. Click on Security tab. You can see that the Login Page is default. Authentication and Access Control can be configured only for Employees Feature. Remote URL Whitelist is empty and KBA Page is set to Default.

    Screen Shot 2014-07-21 at 01.22.18 pm



    1. Next we will configure Application/Configuration Login Server. Click on the add button (green plus icon) under Authentication and Access Control. It will launch Create MAF Login Connection. By default, Authentication Server Type is HTTP Basic which is what we are exploring in this post. (To know more about Connectivity Modes, check out my previous post here: http://k21technologies.com/blog/oam/oracle-mobile-application-framework-maf-authentication/)

    Screen Shot 2014-07-21 at 01.26.44 pm



    1. We will select the hybrid Connectivity Mode. (To know more about Connectivity Modes, check out my previous post here: http://k21technologies.com/blog/oam/oracle-mobile-application-framework-maf-authentication/). Provide a Connection Name. All the fields are self-explanatory

    Screen Shot 2014-07-21 at 01.38.07 pm



    1. Click on HTTP Basic tab. Provide values for Login and Logout URL. Here the URL should be the application login URL against which the users are to be authenticated. Our application URL is – Make sure you select a page which can be accessed. Do not just enter the context-path or a URL which is not accessible. Click on Test Connection to validate the connection. MAF supports the notion of multi-tenancy, where a mobile application includes a hosted application feature that can be shared by different organizations (tenants), but can appear as though it is owned by a particular tenant. You can define multi-tenancy awareness for the mobile application connection by selecting the Multi-Tenant Aware option

    Screen Shot 2014-07-21 at 01.43.02 pm



    1. Click on AutoLogin tab. Here you can configure options to remember username, password, staying logged in

    Screen Shot 2014-07-21 at 01.46.08 pm



    1. We are not exploring the Authorization part in this post. So ignore the Authorization tab and click Ok. The configured server will appear in Application/Configuration Login Server dropdown. Select this connection in Login Server Connection for Employee feature

    Screen Shot 2014-07-21 at 01.48.18 pm



    1. Next we will configure the logout functionality for our application. Add an actionListener event to the Logout button. Create a method logOut in ManagedBean.

    Screen Shot 2014-07-21 at 03.14.38 pm



    1. The logout method should use the logout method from oracle.adfmf.framework.api.AdfmfJavaUtilities to logout from the all the features.

    Screen Shot 2014-07-21 at 03.14.10 pm




    In previous two sections, we have developed a web application which authenticates the users and configured security for Employees features of EmployeeSecurityApplication. Next, deploy the application on iOS simulator or android emulator to verify the results.

    1. Launch the application once the deployment is finished. In our application, Employees features is default and hence when you are accessing it you can see the login page

    Screen Shot 2014-07-21 at 01.57.24 pm



    1. However, if you try to access the Departments feature, you will not be thrown a login page. This is how MAF separates secured and public content.

    Screen Shot 2014-07-21 at 01.58.06 pm



    1. Now click on Employees feature and as expected you are asked to login. Enter the credentials which are to be validated against the remote application server.

    Screen Shot 2014-07-21 at 02.02.39 pm



    1. Here you go. You can see the contents of Employees feature. Now that you are authenticated, you can move between Departments and Employees features seamlessly without having to be authenticated.

    Screen Shot 2014-07-21 at 02.57.22 pm



    1. Click on the Logout button. It will trigger the action listener event and will log you out from all the features. Now if you try to access the secured features, you will be asked to enter the login credentials again.

    Screen Shot 2014-07-21 at 03.01.03 pm


    Source Code

    You can find the source of the two applications here:




    This article describes how you can secure your Oracle Mobile Application Framework Applications using HTTP Basic Authentication with remote Application Server.


    http://k21technologies.com/blog/oam/oracle-mobile-application-framework-maf-authentication/ http://docs.oracle.com/middleware/mobile200/mobile/develop/maf-securing.htm

    2 thoughts on “Securing Oracle MAF Applications with HTTP Basic Authentication”

    1. deepti says:

      Hi ,
      Is the username (Weblogic) the Weblogic server’s userid. I tried similar example. for me I was able to acess only if I give application servers credentials. How can we create users credentials. and let the users enter there username/password instead of servers credentials.


      1. Hi Deepti,
        The user credentials are authenticated against WebLogic identity store. You can create users by following this link (if you wish to use the inbuilt identity store) – http://docs.oracle.com/cd/E21764_01/apirefs.1111/e13952/taskhelp/security/DefineUsers.html.
        It is recommended to store the users and groups in an external identity store such as Oracle Unified Directory or Oracle Internet Directory. You can configure the WebLogic server to use the external LDAP by using various authentication providers – http://docs.oracle.com/cd/E17904_01/web.1111/e13707/atn.htm#SECMG169.


    Leave a Reply

    Your email address will not be published. Required fields are marked *

  • K21 Technologies is among the most experienced Identity Access Management service providers. We work with application development companies and in-house technology division to help achieve significant returns on their IT security investment. Our clientele includes some of the globally renowned corporate, which speaks of our expertise in our field.

    We have the most talented and experienced team that can swiftly deploy security solutions even in complex IT ecosystem. Our clients highly appreciate our timely implementation, interactive training, on-demand support and community resources.

    K21 Technologies
    128 Uxbridge Road, Hatchend,,
    London, HA5 4DS

    US: +1 415 655 1723
    India: +91-804-719-2727

  • Copyright 2019, K21 Technologies. All rights reserved
  • TOP