About Securing Oracle JET Applications

Oracle JET applications are client-side HTML applications written in JavaScript, and you should follow best practices for securing your Oracle JET applications.

There are a number of Internet resources available that can assist you, including the Open Web Application Security Project (OWASP), Web Application Security Project (WASP), Web Application Security Working Group (WASWG), and various commercial sites.

The Oracle JET framework includes components that follow best practices for security, and it provides the oj.OAuth plugin for secure access to a user's private data. However, the application developer is expected to perform security tasks that are not covered by the Oracle JET framework, such as encoding untrusted content before it is rendered.

Oracle JET Components and Security

Oracle JET components follow best practices for security. In particular:

Hybrid Mobile Application Security

Since hybrid mobile applications are HTML5 applications written in JavaScript, many of the same security practices apply to them. However, there are additional considerations when you're deploying to mobile devices.

The Cordova documentation includes a Security Guide that provides some security best practices for Cordova applications. You can use this guide as a starting point to secure your hybrid mobile application. However, as Cordova points out, security is a complicated topic, and its guide is not exhaustive.

Oracle JET Security and Developer Responsibilities

Oracle JET components follow established security guidelines and ensure that strings provided as component options or as user input are never executed as JavaScript, which prevents XSS attacks through the components themselves. However, the Oracle JET framework does not include a mechanism for sanitizing or encoding strings, so any untrusted data that your own code writes into HTML, attributes, or URLs must be encoded for that context by you. Consult established guidelines for dealing with XSS attacks in your own code and content.

You can find more information about securing JavaScript applications at https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet#Guidelines_for_Developing_Secure_Applications_Utilizing_JavaScript.

Oracle JET Framework Security Features

The Oracle JET API provides the oj.OAuth authorization plugin which supports the OAuth 2.0 open protocol. OAuth standardizes the way desktop and web applications access a user's private data. It provides a mechanism for users to grant access to private data without sharing their private username and password credentials.

OAuth 2.0 defines the following roles:

  • Resource owner: An entity that can grant access to a protected resource, such as the end user.

  • Client: Application making protected and authorized resource requests on behalf of the resource owner.

  • Resource server: Server hosting the protected resources that can accept and respond to protected resource requests using access tokens.

  • Authorization server: Server that issues access tokens to the client after it successfully authenticates the resource owner and obtains authorization.

Note:

The authorization server can be the same server as the resource server. In addition, an authorization server can issue access tokens accepted by multiple resource servers.

OAuth 2.0 Request for Comments (RFC) 6749 describes the interaction between the four roles as an abstract flow.

  1. The client requests authorization from the resource owner, either directly or through the authorization server.

    Note:

    The RFC specifies that the authorization server is preferred.

  2. The client receives an authorization grant, which is defined as the credential representing the resource owner's authorization.

  3. The client requests an access token from the authorization server by authenticating with the server and presenting the authorization grant.

  4. The authorization server issues the access token after authenticating the client and validating the authorization grant.

  5. The client presents the access token to the resource server and requests the protected resource.

  6. The resource server validates the access token and serves the request if validated.

The access token is an opaque string issued by the authorization server that represents the authorization granted to the client. The client presents it with each request so that the resource server can associate the request with the resource owner whose authorization the client has obtained; the token must therefore be treated as a credential and protected in transit and at rest.

The Oracle JET oj.OAuth plugin provides functions for the following tasks:

  • Requesting access token credentials when the plugin is initialized with client credentials.

  • Caching access token credentials so that a valid token is reused rather than requested on every call.

  • Creating the header array that carries the bearer token on requests to the resource server.

For details about using the oj.OAuth plugin, see Using oj.OAuth in Your Oracle JET Application. For additional information about OAuth 2.0, see http://tools.ietf.org/html/rfc6749.