Skip Headers
Oracle® Fusion Middleware Desktop Integration Developer's Guide for Oracle Application Development Framework
11g Release 2 (11.1.2.2.0)

Part Number E16180-03
Go to Documentation Home
Home
Go to Table of Contents
Contents
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

11 Securing Your Integrated Excel Workbook

This chapter provides describes how to secure your integrated Excel workbook with a Fusion web application by providing authentication and authorization capabilities in an authenticated session. The chapter describes how to access integrated Excel workbooks in an authenticated and nonauthenticated session and canvases issues related to securing the integrated Excel workbook.

This chapter includes the following sections:

11.1 About Security In Your Integrated Excel Workbook

If you are using a Fusion web application that does not enforce authentication, then the integrated Excel workbook verifies and creates a valid user session before connecting to the Fusion web application and downloading data. The session that is established is used for each and every data transfer between the integrated Excel workbook and Fusion web application. The session is also used for web pages referenced from the integrated Excel workbook.

In a Fusion web application that is enforcing authentication, the integrated Excel workbook ensures that a valid, authenticated user session is established before transferring data to or from the web application.

You should configure ADF Security for the Fusion web application before you deploy the integrated Excel workbook; however, it is not required. For information about ADF Security, see the “Enabling ADF Security in a Fusion Web Application” chapter in the Oracle Fusion Middleware Fusion Developer's Guide for Oracle Application Development Framework.

For both authenticated and non-authenticated Fusion web applications, ADF Desktop Integration relies on the establishment of cookie-based sessions. With no authentication mechanism in place, your Fusion web application is not completely safe. Hence, it is recommended that you enable ADF Security in your Fusion web application before you deploy your web application with integrated Excel workbooks.

If you are using a secure Fusion web application configured with ADF Security, you are not required to configure your integrated Excel workbook for authentication. When you open the integrated Excel workbook, ADF Desktop Integration detects if the Fusion web application, that the workbook runs against, is a secure application and enforces authentication automatically.

11.1.1 Integrated Excel Workbook Security Use Cases and Examples

When you open the integrated Excel workbook of a secure Fusion web application, a Login dialog opens and prompts you to connect to the Fusion web application, as shown in Figure 11-1. Note that the Login dialog also appears when the Fusion web application is not secure.

Figure 11-1 Dialog to verify Connection

Login dialog box

If you click Yes to connect, another dialog prompts you to enter the credentials, as shown by the example in Figure 11-2.

Figure 11-2 Dialog to verify End User's Credentials

Dialog to verify End User's Credentials

The dialog that is shown in Figure 11-2 might be different as it depends on how the Fusion web application is configured to enforce authentication. For example, if Form-based authentication is being used by the web application, then the end-user will see a browser dialog with a web page with fields for user name and password.

11.1.2 Additional Functionality for Integrated Excel Workbook in a Secure Fusion Web Application

After you have secured your integrated Excel workbook, you may find that you need to add additional functionality for your workbook. Following are links to other functionalities that you can use:

11.2 Authenticating the Excel Workbook User

The integration of an Excel workbook with a secure Fusion web application requires an authenticated web session established between the integrated Excel workbook and the server that hosts the Fusion web application. ADF Security determines the mechanism used to authenticate the user.

If the end user opens an Excel workbook without a valid authenticated session, a login mechanism is invoked to authenticate the end user.

11.2.1 What Happens at Runtime: How the Login Method Is Invoked

After the login method is invoked, a new session between the integrated Excel workbook and the Fusion web application is created, and a modal dialog appears that contains a web browser control. This web browser control displays whatever login mechanism the Fusion web application uses. For example, if the Fusion web application uses HTTP Basic Authentication, the web browser control displays the simple dialog shown in Figure 11-3.

Figure 11-3 Dialog That Appears When a Fusion Web Application Uses Basic Authentication

Basic authentication dialog box

The end user enters user credentials and, assuming these are valid, an authenticated session is created and assigned to the client (the web browser control hosted by the Excel workbook).

Note:

If the Login method is invoked when a session has already been established, it first invokes the Logout action internally to free that session.

11.2.2 What Happens at Runtime: How the Logout Method Is Invoked

After the logout method is invoked, a dialog appears informing users that they have logged out of the current session. The user is automatically logged out when the workbook is closed, or when the Clear All Data option is selected from the runtime custom tab in Excel ribbon.

Figure 11-4 Dialog That Appears When a User Logs Out

Logout confirmation dialog box

After logging out, the user must log in again to upload or download data.

If two or more workbooks are open (in test or runtime mode) with same credentials, closing one workbook does not initiate the logout mechanism. The user continues to stay logged in and may continue to work on remaining open workbooks, and can open the closed workbook without being asked for credentials again. The user is logged out when all workbooks, requiring same credentials, are closed.

11.3 Checking the Integrity of an Integrated Excel Workbook's Metadata

ADF Desktop Integration provides a mechanism to verify that the metadata it uses to integrate an Excel workbook with a Fusion web application is not tampered with after you publish the Excel workbook for end users. It generates a hash code value and inserts the value into the ADF Desktop Integration client registry file (adfdi-client-registry.xml) that it also creates when you publish the integrated Excel workbook as described in Section 14.3, "Publishing Your Integrated Excel Workbook." ADF Desktop Integration stores the adfdi-client-registry.xml file in the WEB-INF directory of the Fusion web application.

If you republish the integrated Excel workbook, ADF Desktop Integration generates a new hash code value and replaces the value in the adfdi-client-registry.xml file. ADF Desktop Integration creates the adfdi-client-registry.xml file if it does not exist.

The ApplicationHomeFolder and WebPagesFolder workbook properties allow the integrated Excel workbook to identify the location of the Fusion web application's WEB-INF directory. You must set valid values for these properties before you can publish the integrated Excel workbook and ADF Desktop Integration can generate a hash code value.

ADF Desktop Integration generates the hash code value using most of the elements in the metadata for the workbook and the value of the WorkbookID workbook property. The WorkbookID workbook property is read-only and uniquely identifies the integrated Excel workbook. You must reset the WorkbookID workbook property if you create a new integrated Excel workbook by copying an existing integrated Excel workbook. ADF Desktop Integration excludes the WebAppRoot property from the hash code calculation since its value is expected to change at runtime.

For more information about the workbook properties discussed here, see Table A-18.

11.3.1 How to Reset the Workbook ID

The value of the WorkbookID workbook property is unique to each workbook and cannot be modified by you. You can, however, reset the WorkbookID workbook property. You must do this when you create a new integrated Excel workbook by copying an existing integrated Excel workbook.

Before you begin:

It may be helpful to have an understanding of how to verify the integrity of integrated Excel workbook's metadata. For more information, see Section 11.3, "Checking the Integrity of an Integrated Excel Workbook's Metadata."

You may also find it helpful to understand functionality that can be added using other ADF Desktop Integration features. For more information, see Section 11.1.2, "Additional Functionality for Integrated Excel Workbook in a Secure Fusion Web Application."

To reset a workbook ID:

  1. Open the integrated Excel workbook.

  2. In the Workbook group of the Oracle ADF tab, click Workbook Properties.

  3. In the Edit Workbook Properties dialog, click the Reset WorkbookID link.

  4. Click Yes to confirm and reset the WorkbookID workbook property in the dialog that appears., as shown in Figure 11-5.

    Figure 11-5 Reset Workbook ID Dialog

    Reset Workbook ID Dialog
  5. Click OK.

11.3.2 How to Disable the Metadata Tamper-Check in the Fusion Web Application

By default, ADF Desktop Integration verifies that the metadata it uses to integrate an Excel workbook with a Fusion web application is not tampered with after you publish the Excel workbook for end users. You can disable the metadata tamper-check by configuring a parameter in the deployment descriptor file (web.xml) of the Fusion web application, although this is not recommended.

Before you begin:

It may be helpful to have an understanding of how to verify the integrity of integrated Excel workbook's metadata. For more information, see Section 11.3, "Checking the Integrity of an Integrated Excel Workbook's Metadata."

You may also find it helpful to understand functionality that can be added using other ADF Desktop Integration features. For more information, see Section 11.1.2, "Additional Functionality for Integrated Excel Workbook in a Secure Fusion Web Application."

To disable the metadata tamper-check in the Fusion web application:

  1. Stop your Fusion web application.

  2. Open the web.xml file of your Fusion web application.

  3. Add an initialization parameter to the adfdiRemote servlet to disable the metadata tamper-check, as described in Table 11-1.

    Table 11-1 Disabling Metadata Tamper-Check

    Property Value

    Name

    Enter the name of the initialization parameter as follows:

    TamperingCheck.Enabled

    Value

    Set the value of TamperingCheck.Enabled to False.


    Figure 11-6 shows the web.xml editor in JDeveloper.

    Figure 11-6 Disabling the Metadata Tamper Check In JDeveloper

    Shows how to disable the metadata tamper-check in JDev
  4. Save the web.xml file.

    The web.xml file of your Fusion web application has the following entries:

    <servlet>
            <servlet-name>adfdiRemote</servlet-name>
            <servlet-class>...</servlet-class>
            <init-param>
                <param-name>TamperingCheck.Enabled</param-name>
                <param-value>False</param-value>
            </init-param>
    </servlet>
    
  5. Rebuild and restart your Fusion web application.

For more information about the web.xml file, see Appendix E, "ADF Desktop Integration Settings in the Web Application Deployment Descriptor."

11.3.3 How to Allow Missing Entries in the ADF Desktop Integration Client Registry

You can configure the metadata tamper-check so that a missing entry for the WorkbookID workbook property is allowed in the adfdi-client-registry.xml file. To do this, you configure a parameter in the deployment descriptor file (web.xml) of the Fusion web application, although this is not recommended.

Before you begin:

It may be helpful to have an understanding of how to verify the integrity of integrated Excel workbook's metadata. For more information, see Section 11.3, "Checking the Integrity of an Integrated Excel Workbook's Metadata."

You may also find it helpful to understand functionality that can be added using other ADF Desktop Integration features. For more information, see Section 11.1.2, "Additional Functionality for Integrated Excel Workbook in a Secure Fusion Web Application."

To allow missing entries in the metadata of the Fusion web application:

  1. Stop your Fusion web application.

  2. Open the web.xml file of your Fusion web application.

  3. Add an initialization parameter to the adfdiRemote servlet to allow missing entries in the metadata as described in Table 11-2.

    Table 11-2 Allowing Missing Entries in the Metadata

    Property Value

    Name

    Enter the name of the initialization parameter as follows:

    TamperingCheck.AllowMissingEntries

    Value

    Set the value of TamperingCheck.AllowMissingEntries to True.


    Figure 11-7 shows the web.xml editor in JDeveloper.

    Figure 11-7 Enabling Missing Metadata Entries In JDeveloper

    Shows how to enable missing metadata entries In JDev
  4. Save the web.xml file.

    The web.xml file of your Fusion web application has the following entries:

    <servlet>
            <servlet-name>adfdiRemote</servlet-name>
            <servlet-class>...</servlet-class>
            <init-param>
                <param-name>TamperingCheck.AllowMissingEntries</param-name>
                <param-value>True</param-value>
            </init-param>
    </servlet>
    
  5. Rebuild and restart your Fusion web application.

For more information about the web.xml file, see Appendix E, "ADF Desktop Integration Settings in the Web Application Deployment Descriptor."

11.3.4 What Happens When the Metadata Tamper-Check Is Performed

At runtime, the integrated Excel workbook regenerates the metadata hash code and provides it to the Fusion web application with the first server request. If the Fusion web application cannot get a match on this hash code, it returns an error to the integrated Excel workbook. On receiving an error from the tamper check process, the integrated Excel workbook reports this failure to the end user and closes the integration framework.

11.4 What You May Need to Know About Securing an Integrated Excel Workbook

Note the following points about securing an integrated Excel workbook with a Fusion web application: