Skip Headers
Oracle® Fusion Middleware Security Overview
11g Release 1 (11.1.1)

Part Number E12889-04
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
View PDF

3 Developing Secure Applications

This chapter provides an overview of Oracle Application Development Framework security and JavaEE security features.

3.1 ADF Security

This section contains these topics:

3.1.1 About Oracle ADF

The Oracle Application Development Framework (Oracle ADF) is an end-to-end application framework that builds on Java Platform, Enterprise Edition (Java EE) standards and open-source technologies to simplify and accelerate implementing service-oriented applications. For enterprise solutions that search, display, create, modify, and validate data using web, wireless, desktop, or web services interfaces, Oracle ADF can simplify the development effort.

Used in tandem, Oracle JDeveloper 11g and Oracle ADF give you an environment that covers the full development life cycle from design to deployment, with drag-and-drop data binding, visual UI design, and team development features built in.

Applications you build using the Fusion web technology stack achieve a clean separation of business logic, page navigation, and user interface by adhering to a model-view-controller architecture.

The core module in the framework is Oracle ADF Model, a declarative data binding facility that implements the JSR-227 specification. The Oracle ADF Model layer enables a unified approach to bind any user interface to any business service, without having to write code. The other modules that comprise a Fusion web application technology stack are:

  • Oracle ADF Business Components, which simplifies building business services.

  • Oracle ADF Faces rich client, which offers a rich library of AJAX-enabled UI components for web applications built with JavaServer Faces (JSF).

  • Oracle ADF Controller, which integrates JSF with Oracle ADF Model. The ADF Controller extends the standard JSF controller by providing additional functionality, such as reusable task flows that pass control not only between JSF pages, but also between other activities, for instance method calls or other task flows.

3.1.2 About Oracle ADF Security

The Oracle ADF Security framework is the preferred technology to provide authentication and authorization services to the Fusion web application. A prime reason is that Oracle ADF Security is built on top of the Oracle Platform Security Services (OPSS) architecture, which provides a critical security framework and is itself well-integrated with Oracle WebLogic Server.

Note:

Oracle ADF's built-in support for security features including OPSS features helps reduce the effort that would be required to implement those features outside Oracle ADF; indeed, certain features are not available using only container-managed security.

While other security-aware models exist that can handle user login and resource protection, Oracle ADF Security is ideally suited to provide declarative, permission-based protection for ADF bounded task flows, top-level web pages that use ADF bindings (pages that are not contained in a bounded task flow), and at the lowest level of granularity, rows of data defined by ADF entity objects and their attributes. In this document, these specific resources that the ADF Security framework protects are known as ADF security-aware resources.

You enable ADF Security for Fusion web applications when you run the Configure ADF Security wizard. The wizard configures ADF Security for the entire Fusion web application, so that any web page associated with an ADF security-aware resource is protected by default. Thus, after you enable ADF Security, your application is locked down so that the pages are considered secure by default.

After you enable ADF Security you must grant users access rights so that they may view the web pages of the Fusion web application. Access rights that you grant users are known as a security policy that you specify for the page's corresponding ADF security-aware resource. Ultimately, it is the security policy on the ADF resource that controls the user's ability to enter a task flow or view a web page.

Because ADF Security is based on Java Authentication and Authorization Service (JAAS), security policies identify the principal (the user or application role), the ADF resource, and the permission (an operation defined by the resource's ADF permission class). For example, the StoreFront module of the Fusion Order Demo application secures the web pages contained by the checkout-task-flow task flow to grant access only to logged-in users (also known as authenticated users).

At run-time, the Oracle ADF Security framework performs permission checking against the task flow's security policy to determine the user's right to complete the view operation. In this case, the security policy must grant the view permission to the user if they are to complete the checkout process.

The Containment Hierarchy

To simplify the task of defining security policies for users and ADF resources, ADF Security defines a containment hierarchy that lets you define one security policy for the ADF bounded task flow and its contains web pages. In other words, when you define the security policy at the level of the bounded task flow, you protect:

  • the flow's entry point, and

  • all pages within that flow

Role-Based Security

Instead of granting access to individual users, you group users into application roles and grant the view permission to the role. This simplifies configuration and improves the security administrator's ability to manage permissions.

For more information, see Understanding Users and Roles in the Oracle Fusion Middleware Application Security Guide.

Documented Procedures

Documented procedures in the Oracle Fusion Middleware Fusion Developer's Guide for Oracle Application Development Framework explain these and other topics:

  • How to Enable Oracle ADF Security using the Configure ADF Security wizard

  • How to create application roles

  • How to make an ADF resource public

  • How to create test users and associate them with application roles

  • How to create a login page and a welcome page

  • How to Configure, Deploy, and Run a Secure Application in JDeveloper

3.1.3 Using Oracle ADF Security

This section provides an overview of how you use Oracle ADF Security.

Use the Security Wizard

To simplify the configuration process which enables Oracle ADF Security to integrate with OPSS, JDeveloper provides the Configure ADF Security wizard. The wizard is the starting point for securing the Fusion web application using Oracle ADF Security. The wizard is an application-level tool that, once run, enables ADF Security for all user interface projects that your application contains.

The Configure ADF Security wizard enables you to choose to enable authentication and authorization separately.

  • Although ADF Security leverages Java EE container-managed security for authentication, enabling authentication lets you use the ADF authentication servlet to support user login and logout, but define container-managed security constraints to secure web pages.

  • Enabling authorization means you intend to control access to the Fusion web application by creating security policies on ADF resources.

The wizard configures ADF Security for the entire Fusion web application, so that any web page associated with an ADF security-aware resource is protected; thus, your application is locked down so that the pages are considered secure by default.

Create Application Roles

Application roles represent the policy requirements of the application and define groups of users with the same access rights. The application roles that you create in the application policy store are specific to your application.

At run-time, access rights are conferred on the user through the application role of which the user is as a member. Thus, before you can define security policies (described below), the policy store must contain the application roles to which you intend to issue grants.

Grant the Security Policy

After you enable ADF Security you must grant users access rights so that they may view the web pages of the Fusion web application. Access rights that you grant users are known as a security policy that you specify for the page's corresponding ADF security-aware resource. Ultimately, it is the security policy on the ADF resource that controls the user's ability to enter a task flow or view a web page.

Create Test Users

JDeveloper provides editors to help you create both the identity and policy stores in an application-specific file repository. The list of valid user IDs and their assigned passwords is stored in the identity store section of the file.

The same editor lets you create application roles and assign the test users or enterprise roles as members of the application roles. (To enable the user to view resources, you make grants against application roles rather than against the users who are the members of those roles.)

Create a Login Page

Oracle ADF Security provides for implicit and explicit authentication:

  • In an implicit authentication scenario, authentication is triggered dynamically if an unauthenticated user tries to access a web page associated with ADF security-aware resources not granted to the anonymous role. After login, another check verifies whether the authenticated user has view access granted on the requested page's ADF security-aware resource.

  • In an explicit authentication scenario, your application has a public page that displays a login link, which, when clicked, triggers an authentication challenge to log in the user. The login link may optionally specify some other target page that should be displayed (assuming the authenticated user has access) after the successful authentication.

Test Security in JDeveloper

Oracle JDeveloper's Integrated WLS enables you to run the application directly within JDeveloper and determine whether to migrate security objects, including the application policies, users, and credentials that your application defines. By default, all security objects are migrated to Integrated WLS each time you run the application.

Documented Procedures

Documented procedures in the Oracle Fusion Middleware Fusion Developer's Guide for Oracle Application Development Framework describe these and other topics:

3.2 JavaEE Security

Although you can leverage OPSS security capabilities through the OPSS APIs, there is no GUI support for configuration; you must hand-edit deployment descriptors to implement the features.

3.3 End-to-End Security Example

For an end-to-end example of implementing security in Oracle Fusion Middleware, from development to testing through deployment, refer to the Oracle Technology Network:

http://www.oracle.com/technology/products/id_mgmt/opss/index.html