Wednesday, January 21, 2009

Creating a separate MapViewer admin account

By default MapViewer borrows the same admin account that you use to log into the Application Server admin web page. For OracleAS 10.1.3.* this is typically the user named "oc4jadmin", and for WebLogic it's typically "weblogic".

In some cases, however, you may want to create a separate admin account just for MapViewer, such as when you do not wish to give away the middleware's master admin account information. This new account can only be used to log into MapViewer's admin page and perform all of its management tasks. It cannot be used to log into the middleware's master admin web site (the /em URL for OracleAS 10.1.3.* or the /console URL for WebLogic Server).

So how do you do that? We will show you the steps for both OracleAS 10.1.3 and WebLogic Server 10.

Oracle Application Server 10.1.3.*

Let's first assume you already have MapViewer deployed to one of the OC4J instances in your OracleAS 10.1.3.* installation. If MapViewer is not deployed yet, you should go ahead and deploy it.

Step 1. Log onto App Server's admin web site (/em).
Step 2. Find the OC4J instance that contains MapViewer. Then click on its Administration tab.
Step 3. Find the Security - Security Providers row, then click the Go to Task icon. This is shown in the following screen shot.

Step 4. Click the "Instance Level Security" button.
Step 5. Select the Realms tab.
Step 6. Click the number in the Users column of the row starting with "".
Step 7. Click the Create button.
Step 8. Enter the user name and password for the new user to be created for MapViewer. For example I entered mapadmin as the user name.
Step 9. On the same page, from Available Roles, select and move "oc4j-app-administrators" to the Selected Roles box. Click OK. You should see a confirmation page showing the new user and its assigned roles (oc4j-app-administrators).

The above steps create a new admin user for MapViewer with the assigned role of oc4j-app-administrators. We now need to modify MapViewer's deployment descriptor so that it will accept this role for administration purposes.

Modify MapViewer's deployment descriptor

Before performing the following step, I typically shut down the entire OracleAS instance; however, it may also work if you just shut down the OC4J instance that contains MapViewer.

Once the OC4J instance is down, edit the following MapViewer deployment descriptor file:


where AS_HOME is the home directory of your OracleAS install. If your MapViewer is NOT deployed to the "home" OC4J instance, then you will also need to replace "home" with the directory name of the actual OC4J instance containing MapViewer. If your OC4J is named "mapper" for instance, then the directory is typically AS_HOME/j2ee/oc4j_mapper/...

Once the orion-web.xml file is opened in an editor, locate the XML element <security-role-mapping name="map_admin_role">. Add a new child <group> element, <group name="oc4j-app-administrators"/>, to it. In other words, the entire element should look like this:

<security-role-mapping name="map_admin_role">
  <group name="oc4j-app-administrators"/>
  <group name="oc4j-administrators"/>
  <group name="administrators"/>
</security-role-mapping>

You may also find another tag <security-role-mapping name="secure_maps_role"> in the same file; leave that one alone (it is used for the secure mapping demos).

By making the above change, we are telling MapViewer that any App Server user with the role "oc4j-app-administrators" should also be considered a MapViewer admin user.

Save the file, then restart the OC4J or OracleAS instance.
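To confirm exactly which groups end up holding MapViewer admin rights after the edit, the descriptor can be checked with a short script. This is an added example, not code from the original post or from MapViewer: the function names are hypothetical, the sample descriptor (including the "users" group under secure_maps_role) is constructed, and it assumes the elements in orion-web.xml carry no XML namespace.

```python
import xml.etree.ElementTree as ET

ADMIN_MAPPING = "map_admin_role"        # mapping name from the post
NEW_GROUP = "oc4j-app-administrators"   # role given to the new MapViewer admin

# Constructed sample; a real orion-web.xml contains more elements than this.
SAMPLE = """<orion-web-app>
  <security-role-mapping name="map_admin_role">
    <group name="oc4j-administrators"/>
    <group name="administrators"/>
  </security-role-mapping>
  <security-role-mapping name="secure_maps_role">
    <group name="users"/>
  </security-role-mapping>
</orion-web-app>"""


def mapped_groups(xml_text, mapping=ADMIN_MAPPING):
    """Return the group names mapped to the given role, in file order."""
    root = ET.fromstring(xml_text)
    for m in root.iter("security-role-mapping"):
        if m.get("name") == mapping:
            return [g.get("name") for g in m.findall("group")]
    raise ValueError(f"no security-role-mapping named {mapping!r}")


def add_admin_group(xml_text, group=NEW_GROUP, mapping=ADMIN_MAPPING):
    """Add <group name=group/> to the mapping if absent; change nothing else."""
    root = ET.fromstring(xml_text)
    targets = [m for m in root.iter("security-role-mapping")
               if m.get("name") == mapping]
    if len(targets) != 1:  # refuse to guess when the file is not as expected
        raise ValueError(f"expected one {mapping} mapping, found {len(targets)}")
    existing = [g.get("name") for g in targets[0].findall("group")]
    if group not in existing:
        ET.SubElement(targets[0], "group", {"name": group})
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    updated = add_admin_group(SAMPLE)
    print("MapViewer admin groups:", mapped_groups(updated))
    print("secure_maps_role groups:", mapped_groups(updated, "secure_maps_role"))
```

ElementTree drops XML comments and the XML declaration when it rewrites a document, so keep a backup of orion-web.xml if you write the output back rather than only using the script to list the mapped groups.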

Now you should be able to log into MapViewer's admin page using the newly created user (mapadmin in my case). All the admin tasks of MapViewer should go through as usual. You will not be able to log into the App Server admin site (/em) using mapadmin. You can, however, still log into MapViewer's admin page using the oc4jadmin account (after all, it is the master admin for the entire OracleAS instance).

WebLogic Server

To be added later...

1 comment:

LJ said...

As part 2 of this post, the instructions for WebLogic Server can be found in this post here.