This chapter outlines the specific security mechanisms offered by the Mobile Merchandising application.
The Mobile Merchandising security model follows the Oracle Fusion Security Model. This model uses Oracle Platform Security Services (OPSS) to fulfil Authentication, Authorization, and Credential management requirements. On the client side, this product uses the Oracle Mobile Application Framework (MAF) security model to protect resources on the device and to communicate with other features within the device. Facets include:
Authentication - Ensuring that only authorized individuals get access to the application and data.
Authorization - Access control to application features. This builds on authentication to ensure that individuals only get appropriate access.
Secure Data Storage on the Device - The Mobile Merchandising application uses a SQLite database that protects locally stored data. MAF applications do not share the SQLite database; the application that creates the database is the only application that can access it. In addition, only users with the correct username and password can access this database.
Transport Layer Protection - It is recommended using SSL/TLS when accessing data over a provider network. Because provider networks can be hacked, never assume that they are safe. SSL should be enforced when the application transports sensitive data. All certificates should be validated to ensure they are legitimate and signed by public authorities.
The Mobile Merchandising application delegates authentication responsibility to the MAF's security components. MAF determines whether access to the application feature requires user authentication when an application feature is secured by a login server. Authentication modes supported in MAF are Basic Auth, OAuth and Web SSO.
The Retail Platform Mobile Basic Auth application is packaged as part of Platform Mobile Security Enterprise Archive (EAR) file. This application is packaged as a Web Archive (WAR) within the EAR file. Retail Mobile Merchandising application uses this application's URL as a login endpoint/server to validate mobile user credentials. It is recommended to use SSL/TSL when accessing login endpoint/server. For more information, see the Oracle Retail Mobile Merchandising Implementation Guide.
The Mobile Merchandising application uses MAF's in-built security components and Retail Mobile Access Control Service (ACS) to enforce role based access to Mobile UI features. MAF determines the access to a feature based on the role constraints defined for it.
MAF provides the ability to configure a Retail Mobile Access Control Service to get roles and privileges for a given user. The MAF framework also provides support to validate feature role constraints against the roles returned by Retail Mobile Access Control Service. Features are enabled/disabled based on the verification result.
Duty roles are roles that are associated with a specific task or a logical grouping of tasks. Generally, the list of duties for a job is a good indicator of what duty roles should be defined. Because enterprise roles allow for easier and better management of duty roles, duty roles should normally be granted to enterprise roles and not to specific users.
There are three duty roles implemented to control access to features in Retail Mobile Merchandising:
ALC_MOBILE_MENU_DUTY - To control access to the Allocation Feature
RESA_MOBILE_MENU_DUTY - To control access to the ReSA Feature
REIM_MOBILE_MENU_DUTY – To control access to ReIM Feature
Retail Mobile Access Control Service is packaged as part of the Platform Mobile Security Enterprise Archive (EAR) file. This service is packaged as a Web Archive (WAR) within the EAR file. This Service uses oracle/http_basic_auth_over_ssl_client_policy or oracle/http_cookie_client_policy to support SSL/TSL. For more information, see the Oracle Retail Mobile Merchandising Implementation Guide.
The Mobile Merchandising application is packaged with default role mappings. These role mappings can be changed based on the business needs. Use 'PlatformMobileSecurity' as Application Stripe name to find the default role mappings in Oracle Fusion Middleware Control. For more information, see the 'Managing Authorization' section in the Oracle Retail Merchandising Security Guide.
The Mobile Merchandising application uses a local SQLite database to persist application state between sessions. This database will be encrypted through the APIs provided by the MAF.
The local database file will be created the first time an application opens a connection to it. It will be encrypted before any queries are allowed to be made using it. The GeneratedPassword class from MAF is provided with the device UUID and is combined with additional random data to create an encryption key. This key is stored in the iOS keychain for future reference. The key is then used to encrypt the newly created database file under the default MAF algorithm (AES 128).
The keychain limits access to any given key to only the application that originally stored it. The keychain file is itself securely encrypted.
The database file is encrypted by MAF's default algorithm (AES 128). While MAF provides two alternative algorithms (RC4 and AES 256), we do not anticipate a change being necessary, as the default option provides sufficient speed and security in storing the data.
For more information on the GeneratedPassword, the encryptDatabase (and its counterpart, decryptDatabase), see Oracle Fusion Middleware Java API Reference for Oracle Mobile Application Framework, Section 17.2.7, How to Encrypt and Decrypt the Database and Section 17.2.7, How to Encrypt and Decrypt the Database.
Oracle recommends using SSL/TLS when accessing data over a provider network. As provider networks can be hacked, never assume that they are safe. SSL should be enforeced when the application transports sensitive data. All certificates should be validated to verify they are legitimate and signed by public authorities.
For more information, see the >http://docs.oracle.com/middleware/maf213/mobile/develop-maf/maf-secure-understand.htm
Oracle Retail Mobile Merchandising supports a Web SSO authentication mode to achieve single sign-on capability across its features.
For more information see section'29.5.6 –How to Configure Web SSO Authentication' in MAF Developers Guide at >http://docs.oracle.com/middleware/maf213/mobile/develop-maf/maf-securing.htm#ADFMF24777