Zheng Tech Blog

My previous post described a scenario that the OAM DCC programmatic authentication is not supported yet, and here I am presenting a nice alternative to do the DCC authentication non-programmatically. You may have a read on Frank's book "Oracle Fusion Developer Guide" and there is a section in the ADF security talking about "Creating a login form in JSF" programmatically. This approach works for JEE contained security but would not work well with your WebCenter Portal or ADF app integrated with OAM authentication. I am introducing an approach that does not require any programmatic authentication and can be used safely with any type of authentications (contained security or OAM authentication). Note: You can create HTML form in JSF but there are many limitations, such as only one form component can be allowed in a page. Due to this, it's impossible to support a complicated login page in JSF. It induced extra pitfalls and challenges on the skinning as we...

In case of OAM authentication failures, the OAM server will send the error codes back to the client. It's up to the client to decide what actual error message needs to be displayed on different types of authentication failures. For the list of the standard error codes, you can refer to here . To getting the error code on the client side, they are different based on whether it's ECC or DCC authentication. I have not found this difference documented in anywhere yet. So I am putting it in this blog post. DCC (Detached Credential Collector) is introduced in OAM 11gR2. ECC is embedded credential collector. My previous post has described its concept and advantages, so I will not repeat it here. For ECC, the link above also shows a code snippet to get the error code parameter "p_error_code". The error code is returned back as one of the request parameters on the browser URL. So it can be accessed by calling request.getParameter("p_error_code"). <%@page i...

Credential Collection is the process of collecting the end user's credentials through a login page. When OAM Webgate intercepts a requests and detects the user is not authenticated yet, it would redirect the user to the login page. In OAM, when the login page is hosted on the OAM server, it's called Embedded Credential Collector (ECC). Another form - Detached Credential Collector (DCC) - is introduced in OAM 11gR2. As the name explains, DCC can be decoupled from the OAM server, which provides the flexibility of deploying the login page in either trusted internal network or DMZ. It uses a specific WebGate to collect he user credential and communicate to the OAM using secure Oracle Access Protocol (OAP). It offers a solution that isolates the OAM serve from any unauthenticated network connection, such as public access. It is my interest to discuss on whether DCC supports programmatic authentication. Usually the login page for OAM authentication would be form based JSP page w...