Implementing Security

in
ADF Applications

Copyright 2008, Oracle. All rights reserved.

 Objectives

After completing this lesson, you should be able to:

Explain the need to secure Web applications
Describe security aspects of a Web application
Implement ADF security:
Authentication
Authorization:
In the data model
In the UI for task flows and pages
Access security information programmatically
Use Expression Language to extend security capabilities

21 - 2 Copyright 2008, Oracle. All rights reserved.

 Benefits of Securing Web Applications

Web applications often connect with a single database

user account. Therefore, separate application users
accounts must be utilized.
Identity can be used to:
Ensure that only authenticated users can access the
application
Restrict access to parts of the application
Customize the UI (such as pick lists)
Provide the user name for auditing
Set up a virtual private database (VPD)

21 - 3 Copyright 2008, Oracle. All rights reserved.

 Examining Security Aspects

Authentication: Is this user allowed to

access this application?

Application

Resource 1 Resource 2 Resource 3

Authorization: Is this users role

allowed to access this resource?

Resource 4 Resource 5 Resource 6

21 - 4 Copyright 2008, Oracle. All rights reserved.

 ADF Security Framework: Overview

The ADF security framework provides:

Standard features required to secure ADF applications
More granular declarative security
Hierarchical roles with permission inheritance
Utility methods for use in EL expressions
Different access defined for different roles at same URL
Uses JAAS enforced by ADF binding servlet filter
Can authenticate users against a resource provider:
LDAP
OID
XML-based

21 - 5 Copyright 2008, Oracle. All rights reserved.

 Configure ADF Security Wizard:
Configuring ADF Security Authentication

Tools > Configure ADF Security

21 - 6 Copyright 2008, Oracle. All rights reserved.

 Configure ADF Security Wizard:
Choosing the Authentication Type

Most commonly used:

HTTP basic authentication:
It uses browser login dialog box.
Cached credentials prevent logout.
Form-based authentication: Developer-designed login
page

21 - 7 Copyright 2008, Oracle. All rights reserved.

 Using Form-Based Authentication

You implement authentication in the UI by:

Configuring the login in web.xml (done by Configure ADF
Security Wizard)
Setting up a login page to accept user credentials with the
following elements:
A form attribute: action="jsecurity_check"
An input text item: name="j_username"
An input password: name="j_password"
Presenting the login page in HTTPS mode

21 - 8 Copyright 2008, Oracle. All rights reserved.

 Configure ADF Security Wizard:
Choosing the Identity Store

Choices:
Application XML:
Used for small-scale applications or testing
Uses the Oracle Platform Security for Java's file-based
repository
Configured in JDeveloperuser and role information stored
in jazn-data.xml
LDAP:
Identity store configured outside of JDeveloper
Scalable and secure
Integrates with Oracle Single Sign On

21 - 9 Copyright 2008, Oracle. All rights reserved.

 Configure ADF Security Wizard:
Choosing the Welcome Page

Specify page where user should go upon

authentication
Ignored if page specified on URL
If no page specified, user returns to the login page

21 - 10 Copyright 2008, Oracle. All rights reserved.

 Configure ADF Security Wizard:
Enabling ADF Authorization

Choose the ADF

Authentication and
Authorization option.
Select an option for testing.
To change existing
authorizations,
use overview
editor for
jazn-data.xml.

21 - 11 Copyright 2008, Oracle. All rights reserved.

 Files Modified by Configure ADF Security Wizard:
web.xml

web.xml modifications:
ADF authentication servlet definition
and mapping
Security constraint
Login configuration

21 - 12 Copyright 2008, Oracle. All rights reserved.

 Other Files Modified or Created
by Configure ADF Security Wizard
<CredentialStoreContext credentialStoreClass=
"oracle.adf.share.security.providers.jazn.JAZNCredentialStore"
credentialStoreDefaultUser="anonymous"
adf-config.xml credentialStoreLocation="./credential-jazn-data.xml"/>
<sec:JaasSecurityContext initialContextFactoryClass=
"oracle.adf.share.security.JAASInitialContextFactory"
jaasProviderClass=
"oracle.adf.share.security.providers.jps.JpsSecurityContext"
authorizationEnforce="true"
<serviceProviders>
authenticationRequire="true"/>
jps-config.xml
<serviceProvider
class="oracle.security.jps.internal..."
...
</serviceProvider>
Based Authentication
...
<serviceInstances>
jazn-data.xml <jazn-realm default="jazn.com"> <serviceInstance
<realm> provider="credstore.provider"
<name>jazn.com</name> ...
</realm> </serviceInstance>
</jazn-realm> ...
<policy-store> <jpsContexts default="Storefront-12">
... <jpsContext name="anonymous">
Modified ... <serviceInstanceRef ref="credstore"/>
</policy-store> ...
Created </jpsContext>
</jpsContexts>

21 - 13 Copyright 2008, Oracle. All rights reserved.

 Enabling Users to Access Resources

To give users access:

Define a security realm in the identity store:
Create users.
Create roles.
Assign users to roles.
Define an application policy in the policy store
Create application roles.
Map the identity roles to the application roles.
Grant the application roles access to resources.

21 - 14 Copyright 2008, Oracle. All rights reserved.

 Defining Users and Roles in the Identity Store

Opening the Properties editor

Defining a Realm

Adding user credentials

to the default realm

Adding a user to
a role in the
identity store

21 - 15 Copyright 2008, Oracle. All rights reserved.

 Defining Security Policies

A security policy is a set of grants made to roles.

To define a security policy:
Create application roles
Assign identity store roles to application roles
Grant permissions to roles

21 - 16 Copyright 2008, Oracle. All rights reserved.

 Defining Application Roles in the Policy Store

Policy store is in
jazn-data.xml.

21 - 17 Copyright 2008, Oracle. All rights reserved.

 Assigning Identity Store Roles
to Application Roles

Users

Roles
clerk manager

Mapping an identity role

to an application role
app_clerk app_manager

21 - 18 Copyright 2008, Oracle. All rights reserved.

 Granting Permissions to Roles

You can associate roles to grants on resources:

Authorization Point Grants Issued On: Defined In:

Groups of pages Bounded task flows jazn-data.xml editor

Individual pages Page definitions * jazn-data.xml editor

Rows Entity objects or EO security and authorization

attributes editors

* To secure page with no

data, create an empty
page definition file.

21 - 19 Copyright 2008, Oracle. All rights reserved.

 Securing Groups of Pages
(Bounded Task Flows)

Prevent unauthorized access to secured task flows

Provide developers with ability to:
Secure a bounded task flow as a logical entity
Write security-aware bounded task flows and pages

21 - 20 Copyright 2008, Oracle. All rights reserved.

 Securing Individual Pages
(Page Definitions)

Determines whether user is allowed to navigate to (view) a

page
Not needed on pages in secured task flows

21 - 21 Copyright 2008, Oracle. All rights reserved.

 ADF BC Model Authorization

Purpose is to:
Prevent unauthorized access to entity objects or attributes
Enable developers to:
Secure access to an entire entity object or only certain
attributes
Specify the actions that members of a role can perform on
entity objects or attributes

21 - 22 Copyright 2008, Oracle. All rights reserved.

 Securing Row Data
(Entity Objects or Attributes)

You can enable security on:

Entire Individual
entity attributes:
objects:

ADF Business Securable Expected Mapped

Component Operation Action Implementation
Entity object read Read View rows of result set.

removeCurrentRow Delete Delete a row from the

bound collection.
update Update Update any attribute.

Attribute of EO update Update Update specific

attribute.

21 - 23 Copyright 2008, Oracle. All rights reserved.

 Granting Privileges on Entity Objects or
Attributes

In Structure window, right-click

entity object or attribute and
select Edit Authorization.
Select privileges to grant to
application roles.

21 - 24 Copyright 2008, Oracle. All rights reserved.

 Application Authentication at Run Time

Two types:
Implicit: Based on JAAS permissions for anonymous-
role role
Explicit: Based on security constraint on authentication
servlet that you can define by using the Configure ADF
Security Wizard

21 - 25 Copyright 2008, Oracle. All rights reserved.

 ADF Security: Implicit Authentication
J2EE Container

Implicit Authentication JAAS Security P2

ADF
Security
anonymous (User Principal) Filter
anonymous-role (Role Principal) *.jsp
Added to the Subject
/app/Public.jspx *.jspx
P1 P3 Public.jsp
/app/MyPage.jspx
1
6
/adfAuthentication?success_url=/app/MyPage.jspx 2
MyPage.jspx Enterprise
User: Bob
3 Identity
Management
Authentication servlet Redirect to success
protected by J2EE No URL=/app/MyPage.jspx
Security Constraint, Session as per #1
Triggers Container
login process 5
adfAuthentication
Servlet

J2EE Security
4
Container Authentication
submit=j_security_check() Logic BOB

21 - 26 Copyright 2008, Oracle. All rights reserved.

 ADF Security: Explicit Authentication
Explicit Authentication
Login Link on the
Public Page
/app/Public.jspx

1
/adfAuthentication?success_url=/app/Public.jspx
J2EE Container

User: Bob
J2EE Security Constraint J2EE Security
2 Enterprise
Identity
Authentication servlet
protected by J2EE No
Management
Redirect to success
Security Constraint, Session URL=/app/MyPage.jspx
Triggers Container 4 as per #1
login process
adfAuthentication
Servlet

Container Authentication
BOB
submit=j_security_check() Logic

21 - 28 Copyright 2008, Oracle. All rights reserved.

 ADF Security: Authorization at Run Time
J2EE Container
ADF Security performs Bob has No
authorization check View
ADF Privilege Defined
Security on the Page.
Filter SecPage.jspx
/app/SecPage.jsp

/app/MyPage.jspx View
Privilege is
/app/Public.jsp *.jsp granted to a Role
*.jspx of which Bob is a
MyPage.jspx member.

User: Bob
PageDefs JAAS AuthZ
request View Privilege
granted to the
PageDefs used as or anyone
Security Def end Role.
points Public.jsp

Policy Store Administrator

Bob is a member of the <grant>
<principal> HR
Staff role in the policy <type>role</type>
store. <name>Staff</name> Dev
</principal>
Staff
<permission>
Unlike J2EE Container <name>MyPage</name>
Security, authorization is <actions>view</actions>
Sales

not path based. </permission>

Clerks
</grant>

21 - 29 Copyright 2008, Oracle. All rights reserved.

 Programmatically Accessing
ADF Security Context

Is ADF security turned on?

if (ADFContext.getCurrent().getSecurityContext().isAuthorizationEnabled())
{ }

Is the user logged on?

public boolean isAuthenticated() {
return ADFContext.getCurrent().getSecurityContext().isAuthenticated(); }

Who is the user?

public String getCurrentUser() {
return ADFContext.getCurrent().getSecurityContext().getUserName(); }

Is the user in a specified role?

public boolean isUserInRole(String role) {
return ADFContext.getCurrent().getSecurityContext().isUserInRole(role); }

21 - 30 Copyright 2008, Oracle. All rights reserved.

 Using Expression Language
to Extend Security Capabilities

You can integrate expression language in three ways:

Using a security proxy bean:
<af:commandLink action="accounts"
See next slide for source
rendered="#{userInfo.admin}"
of this expression.
text="Manage Accounts"/>

Using the JSF-Security Project extensions:

<af:commandLink action="accounts"
rendered="#{securityScope.userInRole['admin']}"
text="Manage Accounts"/>

Using built-in global security expressions:

<af:commandLink action="accounts"
rendered="#{securityContext.userInRole['admin']}"
text="Manage Accounts"/>

21 - 31 Copyright 2008, Oracle. All rights reserved.

 Using a Security Proxy Bean

A managed bean can expose a Boolean property that the UI

expressions can consume.
Example: UserInfo bean:
public boolean isAdmin() {
return (ADFContext.getCurrent().
getSecurityContext().isUserInRole("admin"));
}

Example: UI expression:
#{userInfo.admin}

Checking for multiple roles is a problem; you could end up

writing many convenience methods.

21 - 32 Copyright 2008, Oracle. All rights reserved.

 Using the JSF-Security Project Extensions

Expression Purpose
#{securityScope.securityEnabled} Is security on?

#{securityScope.remoteUser} User name of the

authenticated user
#{securityScope.authType} Type of authentication in
use: BASIC, DIGEST, FORM
#{securityScope. Is the user in any of these
userInRole['admin,manager']} roles?
#{securityScope. Is the user in all of these
userInAllRoles['admin,manager']} roles?

21 - 33 Copyright 2008, Oracle. All rights reserved.

 Using Global Security Expressions

Expression Purpose
#{securityContext.userName} User name of the authenticated
user
#{securityContext.userInRole Is the user in any of these roles?
['role list']}
#{securityContext.userInAllRoles Is the user in all of these roles?
['role list']}
#{securityContext. Does the user have this
userGrantedPermission permission granted?
['permission']}

#{securityContext.taskflowViewable Does the user have view

['target']} permission on the target task
flow?

#{securityContext.regionViewable Does the user have view

['target']} permission on the target region?

21 - 34 Copyright 2008, Oracle. All rights reserved.

 Summary

In this lesson, you should have learned how to:

Explain the need to secure Web applications
Describe security aspects of a Web application
Implement ADF security:
Authentication
Authorization:
In the data model
In the UI for task flows and pages
Access security information programmatically
Use Expression Language to extend security capabilities

21 - 35 Copyright 2008, Oracle. All rights reserved.

 Practice 21 Overview:
Implementing ADF Security

This practice covers the following topics:

Configuring the application to use ADF Security
Defining users, roles, and application roles
Implementing entity object security
Accessing security context programmatically

21 - 36 Copyright 2008, Oracle. All rights reserved.