11 Securing Your Integrated Excel Workbook
This chapter describes security-related features in ADF Desktop Integration.
11.1 About Security In Your Integrated Excel Workbook
If you are using a Fusion web application that does not enforce authentication, the integrated Excel workbook verifies and creates a valid user session when it connects to the Fusion web application before downloading any data. The session that is established is used for each and every data transfer between the integrated Excel workbook and Fusion web application. The session is also used for web pages displayed from the integrated Excel workbook.
In a Fusion web application that is enforcing authentication, the integrated Excel workbook ensures that a valid, authenticated user session is established before transferring data to or from the web application.
For both authenticated and non-authenticated Fusion web applications, ADF Desktop Integration relies on the establishment of cookie-based sessions. With no authentication mechanism in place, your Fusion web application is not completely safe. Hence, you should enable ADF Security in your Fusion web application before you deploy your web application with integrated Excel workbooks. For information about ADF Security, see the "Enabling ADF Security in a Fusion Web Application" chapter in the Developing Fusion Web Applications with Oracle Application Development Framework.
When you open the integrated Excel workbook, ADF Desktop Integration detects if the Fusion web application that the workbook runs against is a secure application and enforces authentication automatically. For authenticated web applications, the end user will always be prompted for credentials, even though the workbooks are downloaded from an authenticated web browser. Since the web browser and Excel are different operating system processes, they cannot share credentials (unless Windows native authentication is used).
11.1.1 Integrated Excel Workbook Security Use Cases and Examples
When you open the integrated Excel workbook of a secure Fusion web application, a Login dialog appears and prompts you to connect to the Fusion web application, as shown in Figure 11-1. Note that the Login dialog also appears when the Fusion web application is not secure.
If you click Yes to connect, another dialog prompts you to enter the credentials, as shown by the example in Figure 11-2.
The dialog that is shown in Figure 11-2 might be different as it depends on how the Fusion web application is configured to enforce authentication. For example, if Form-based authentication is being used by the web application, then the end-user will see a browser dialog with a web page with fields for user name and password.
11.1.2 Additional Functionality for Integrated Excel Workbook in a Secure Fusion Web Application
After you have secured your integrated Excel workbook, you may find that you need to add additional functionality for your workbook. Following are links to other functionalities that you can use:
Validating integrated Excel workbook: You can configure server-side and client-side validation for the Fusion web application and the integrated Excel workbook. For more information, see Chapter 12, "Adding Validation to an Integrated Excel Workbook."
Testing integrated Excel workbook: Before publishing and deploying your integrated Excel workbook, you must test it. For more information, see Chapter 13, "Testing Your Integrated Excel Workbook."
Publishing and deploying integrated Excel workbook: The final step after you design and validate your integrated Excel workbook is to publish and deploy it. For more information, see Chapter 14, "Deploying Your Integrated Excel Workbook."
11.2 Authenticating the Excel Workbook User
The integration of an Excel workbook with a secure Fusion web application requires an authenticated web session established between the integrated Excel workbook and the server that hosts the Fusion web application. ADF Security determines the mechanism used to authenticate the user.
If the end user opens an Excel workbook without a valid authenticated session, a login mechanism is invoked to authenticate the end user.
11.2.1 What Happens at Runtime: How the Login Method Is Invoked
After the login method is invoked, a new session between the integrated Excel workbook and the Fusion web application is created, and a modal dialog appears that contains a web browser control. This web browser control displays whatever login mechanism the Fusion web application uses. For example, if the Fusion web application uses HTTP Basic Authentication, the web browser control displays the simple dialog shown in Figure 11-3.
The end user enters user credentials and, assuming these are valid, an authenticated session is created and assigned to the client (the web browser control hosted by the Excel workbook).
If the Login method is invoked when a session has already been established, it first invokes the Logout action internally to free that session.
11.2.2 What Happens at Runtime: How the Logout Method Is Invoked
After the logout method is invoked, a dialog appears informing users that they have logged out of the current session. The user is automatically logged out when the workbook is closed, or when the Clear All Data option is selected from the runtime custom tab in Excel ribbon.
After logging out, the user must log in again to upload or download data.
If two or more workbooks are open (in test or runtime mode) and running against the same Fusion web application, closing one workbook does not initiate the logout mechanism. The user continues to stay logged in and may continue to work on remaining open workbooks, and can open the closed workbook without being asked for credentials again. The user is logged out when all workbooks running against the same Fusion web application are closed.
11.3 Checking the Integrity of an Integrated Excel Workbook's Metadata
ADF Desktop Integration provides a mechanism to verify that the metadata it uses to integrate an Excel workbook with a Fusion web application is not tampered with after you publish the Excel workbook for end users. It generates a hash code value and inserts the value into the ADF Desktop Integration client registry file (adfdi-client-registry.xml) that it also creates when you publish the integrated Excel workbook as described in Section 14.3, "Publishing Your Integrated Excel Workbook." ADF Desktop Integration stores the adfdi-client-registry.xml file in the WEB-INF directory of the Fusion web application.
If you republish the integrated Excel workbook, ADF Desktop Integration generates a new hash code value and replaces the value in the adfdi-client-registry.xml file. ADF Desktop Integration creates the adfdi-client-registry.xml file if it does not exist.
WebPagesFolder workbook properties allow the integrated Excel workbook to identify the location of the Fusion web application's WEB-INF directory. You must set valid values for these properties before you can publish the integrated Excel workbook and ADF Desktop Integration can generate a hash code value.
ADF Desktop Integration generates the hash code value using most of the elements in the metadata for the workbook and the value of the WorkbookID workbook property. The WorkbookID workbook property is read-only and uniquely identifies the integrated Excel workbook. You must reset the WorkbookID workbook property if you create a new integrated Excel workbook by copying an existing integrated Excel workbook. ADF Desktop Integration excludes the WebAppRoot property from the hash code calculation since its value is expected to change at runtime.
For more information about the workbook properties discussed here, see Table A-18.
11.3.1 How to Reset the Workbook ID
The value of the WorkbookID workbook property is unique to each workbook and cannot be modified by you. You can, however, reset the WorkbookID workbook property. You must do this when you create a new integrated Excel workbook by copying an existing integrated Excel workbook.
Before you begin:
It may be helpful to have an understanding of how to verify the integrity of an integrated Excel workbook's metadata. For more information, see Section 11.3, "Checking the Integrity of an Integrated Excel Workbook's Metadata."
You may also find it helpful to understand functionality that can be added using other ADF Desktop Integration features. For more information, see Section 11.1.2, "Additional Functionality for Integrated Excel Workbook in a Secure Fusion Web Application."
To reset a workbook ID:
Open the integrated Excel workbook.
In the Workbook group of the Oracle ADF tab, click Workbook Properties.
In the Edit Workbook Properties dialog, click the Reset WorkbookID link.
Click Yes to confirm and reset the WorkbookID workbook property in the dialog that appears, as shown in Figure 11-5.
11.3.2 What Happens When the Metadata Tamper-Check Is Performed
At runtime, the integrated Excel workbook regenerates the metadata hash code and provides it to the Fusion web application with the first server request. If the Fusion web application cannot get a match on this hash code, it returns an error to the integrated Excel workbook. On receiving an error from the tamper check process, the integrated Excel workbook reports this failure to the end user and closes the integration framework.
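The publish, regenerate and compare cycle described in Sections 11.3 and 11.3.2, as an added sketch that is not Oracle's code. SHA-256 over canonical JSON, a registry keyed by WorkbookID, the "wb-0001" ID and the Worksheets/PageDef element names are assumptions; the page does not document the real hash algorithm or registry layout.

```python
import hashlib
import hmac
import json

EXCLUDED = {"WebAppRoot"}  # expected to change at runtime, so left out of the hash


def metadata_hash(workbook_id, metadata):
    """Hash the WorkbookID plus every metadata element that is not excluded."""
    stable = {k: v for k, v in metadata.items() if k not in EXCLUDED}
    # Canonical JSON (sorted keys, fixed separators) so equal metadata hashes equally.
    canonical = json.dumps(stable, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{workbook_id}\n{canonical}".encode()).hexdigest()


class ClientRegistry:
    """Stand-in for adfdi-client-registry.xml, assumed to hold one hash per WorkbookID."""

    def __init__(self):
        self._hashes = {}

    def publish(self, workbook_id, metadata):
        # Publishing or republishing replaces any stored value for this workbook.
        self._hashes[workbook_id] = metadata_hash(workbook_id, metadata)

    def tamper_check(self, workbook_id, presented):
        """Server side of the first request: True only if the presented hash matches."""
        expected = self._hashes.get(workbook_id)
        return expected is not None and hmac.compare_digest(expected, presented)


def run_scenarios():
    # Constructed metadata; only WebAppRoot and WebPagesFolder are names from the page.
    original = {"WebAppRoot": "https://dev.example.test/app",
                "WebPagesFolder": "public_html",
                "Worksheets": [{"PageDef": "myWorksheetPageDef"}]}
    registry = ClientRegistry()
    registry.publish("wb-0001", original)

    def first_request(workbook_id, metadata):
        # The workbook regenerates its hash and sends it with the first request.
        return registry.tamper_check(workbook_id, metadata_hash(workbook_id, metadata))

    moved = dict(original, WebAppRoot="https://prod.example.test/app")
    edited = dict(original, Worksheets=[{"PageDef": "otherPageDef"}])
    results = {"moved_server": first_request("wb-0001", moved),
               "edited_after_publish": first_request("wb-0001", edited)}
    # A copy that keeps the old WorkbookID overwrites the original's entry on publish.
    registry.publish("wb-0001", edited)
    results["original_after_copy_published"] = first_request("wb-0001", original)
    return results
```

The last scenario shows why a copied workbook needs its WorkbookID reset before publishing: under the keyed-registry assumption, the copy's hash replaces the original's and the original then fails the check.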
11.4 What You May Need to Know About Securing an Integrated Excel Workbook
Note the following points about securing an integrated Excel workbook with a Fusion web application:
If you save an Excel workbook containing data downloaded from a Fusion web application to a location, such as a network directory, where other users can access the Excel workbook, the data stored in the Excel workbook is accessible to other users.
Security in Microsoft Excel
You can enhance the security of an integrated Excel workbook using Excel's functionality to set a password on a workbook. It prevents unauthorized users from opening or modifying the workbook. For more information about Excel security features, see Excel's documentation.
Integrated Excel workbooks can be configured to cache data, as described in Section 15.2, "Restore Server Data Context Between Sessions." Make sure that you do not cache sensitive data in the integrated Excel workbook.
If the Fusion web application is running on the https protocol, you may receive a certificate error while connecting from an integrated Excel workbook. You can either install the required certificate using Microsoft Internet Explorer, or choose to continue to log in and connect to the web application.
End users that download integrated Excel workbooks using Microsoft Internet Explorer may be prompted unexpectedly for credentials before the Excel application is visible, and then prompted again once the workbook opens. This may occur when the web application is configured to use certain authentication methods like Digest. The extra prompt is due to Excel making an OPTIONS request on the web directory containing the workbook.
To avoid the extra login prompt, end users can choose to save the workbook locally instead of opening it directly from the browser.
For a non-authenticated Fusion web application, end users will not be prompted to log in. However, if the application uses the https protocol, then end users may briefly see a login dialog appear when the first connection is established to the web application. Workbook developers can control the size of the dialog with the
If you are an administrator, you should also see the "What You May Need to Know About Configuring Security in a Fusion Web Application" section in Administering Oracle ADF Applications.
11.5 Authorizing the Excel Workbook User
ADF Desktop Integration enforces view permission for integrated Excel worksheets through page definition authorization. At runtime, end users without proper permissions for a page definition (binding container) are prevented from interacting with the associated integrated Excel worksheet. Any attempt to interact with an unauthorized binding container (for example, download or submit data) is aborted, the end user is informed of the authorization failure, and all ADF Desktop Integration activity on the worksheet is disabled. No further interaction with the ADF Desktop Integration-disabled worksheet is possible until a new user session is established. To allow end users to interact with the integrated Excel worksheet, assign them the roles that have been granted access to the page definition.
If you have upgraded ADF Desktop Integration from an old version, you may need to review the resource grants for all of the page definitions that are used with integrated Excel worksheets. For example, if your Fusion web application supports authorization, and you have a page definition myWorksheetPageDef.xml that has no resource grants and is used by one (or more) integrated Excel worksheets, then you need to assign end users the roles that have been granted access to the page definition. When transitioning to the new version of ADF Desktop Integration, you may find it helpful to temporarily create resource grants for the worksheet page definitions that are granted to authenticated-role, or some other generic role, allowing you to run those worksheets as before while you fine-tune your roles and resource associations.
For more information about authorization, roles, and resource grants, see the "Enabling ADF Security in a Fusion Web Application" chapter in the Developing Fusion Web Applications with Oracle Application Development Framework.
ADF Desktop Integration does not enforce authorization of other resource types, such as entity object-level, entity attribute-level, ADF Method, Insert while New, Panel Tab, and Task Flow authorization.
You can configure resources and grants from the Resource Grants page of the overview editor for the jazn-data.xml file. For more information, see the "Defining ADF Security Policies" section in the Developing Fusion Web Applications with Oracle Application Development Framework.
On an authorization failure, the end user receives an error message, such as the following, and ADF Desktop Integration in the worksheet is disabled:
ADFDI-05589 You are not authorized to use this worksheet for interacting with the Fusion web application.
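One way to carry out the post-upgrade review of page definition grants described above, as an added example that is not part of the Oracle documentation. It assumes view grants on page definitions appear in jazn-data.xml as RegionPermission entries with the layout shown; the sample fragment, the role expense-editors and the view.pageDefs package are constructed.

```python
import xml.etree.ElementTree as ET

REGION_PERMISSION = "oracle.adf.share.security.authorization.RegionPermission"
GENERIC_ROLES = {"authenticated-role", "anonymous-role"}

# Constructed jazn-data.xml fragment; role and package names are placeholders.
SAMPLE = """<jazn-policy>
 <grant>
  <grantee><principals><principal><name>expense-editors</name></principal></principals></grantee>
  <permissions><permission>
   <class>oracle.adf.share.security.authorization.RegionPermission</class>
   <name>view.pageDefs.expensesPageDef</name><actions>view</actions>
  </permission></permissions>
 </grant>
 <grant>
  <grantee><principals><principal><name>authenticated-role</name></principal></principals></grantee>
  <permissions><permission>
   <class>oracle.adf.share.security.authorization.RegionPermission</class>
   <name>view.pageDefs.myWorksheetPageDef</name><actions>view</actions>
  </permission></permissions>
 </grant>
</jazn-policy>"""


def audit_view_grants(jazn_xml, worksheet_page_defs):
    """Classify each worksheet page definition as 'role', 'generic' or 'missing'."""
    roles_by_page_def = {}
    for grant in ET.fromstring(jazn_xml).iter("grant"):
        roles = {(n.text or "").strip()
                 for n in grant.findall("./grantee/principals/principal/name")}
        for perm in grant.findall("./permissions/permission"):
            actions = {a.strip() for a in perm.findtext("actions", "").split(",")}
            if perm.findtext("class", "").strip() == REGION_PERMISSION and "view" in actions:
                name = perm.findtext("name", "").strip()
                roles_by_page_def.setdefault(name, set()).update(roles)
    report = {}
    for page_def in worksheet_page_defs:
        roles = roles_by_page_def.get(page_def, set())
        if not roles:
            report[page_def] = "missing"   # no role holds view permission
        elif roles <= GENERIC_ROLES:
            report[page_def] = "generic"   # only a transition-style generic grant
        else:
            report[page_def] = "role"      # at least one specific role is granted
    return report
```

Page definitions reported as "generic" are the temporary transition grants the text mentions and are the ones to revisit once roles are finalized.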
11.5.1 What You May Need to Know About ADF Desktop Integration-Disabled Worksheet
The following limitations apply to an ADF Desktop Integration-disabled worksheet:
All ADF buttons, worksheet-level ribbon commands, and worksheet-level events are disabled.
If the authorization failure occurs during worksheet initialization, no form labels, table column headers, or buttons are drawn on the worksheet.
If the authorization failure occurs for an initialized worksheet, all ADF buttons are disabled, but other worksheet components (such as ADF Input Text and ADF Table) are not affected and are left visually unchanged.
End users can perform standard Excel interactions on the disabled worksheet. The user may alter the data in an ADF Table component in the worksheet, but the Changed column will not be updated.
There is no impact on workbook-level commands. End users can continue to use the following commands: Login, Logout, About, Edit Options, and Clear All Data.
An ADF Desktop Integration-disabled worksheet is automatically enabled when the end user reopens the integrated Excel workbook and establishes a new session, provided the new session is authorized. Logging out, and then logging in again, also re-enables ADF Desktop Integration in a disabled integrated Excel worksheet.