8/4/2019 171285
Java Authentication and Authorization Services for E-Business Suite
Veshaal Singh
Director, Applications Technology
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Program Agenda
Current Scenarios
Problems
Solution
Benefits
Demonstration
Q & A
Current Scenarios
ADF with e-Business Suite
E-Business Suite ships with standard Modules
Needs to extend/develop module
Wants to develop using ADF
Ensure that it works with the e-Business Security Model
Register as a Responsibility
Utilize the FND_USER for authentication
Leverage UMX and RBAC for authorization
EJBs with e-Business Suite
Healthcare platform is exposed using EJBs
E-Business Suite does not support EJBs, so these EJBs run on a separate OC4J.
Ensure that it works with the e-Business Security Model
EBS Technology Stack Topology (diagram: Database Logic / Application logic)
Database tier: Database 10gR2
Application tier (9iAS 1.0.2.2 / 9i or 10g): WebListener, OC4J, JSP, UIX, BC4J, Forms, Reports
Ext. Tier J2EE Server: Application with JSP, Servlets, EJB, JMS, Web-Services, Others..
External Tier Access
Problems and Existing Solutions
Apps Schema Access
Issues
Apps Schema
Schema password keeps changing
Standard based access
Is it secured?
Current Solution
Create a new schema and provide privileges
Provide apps password to external system
Solution: Application Data Source
Application Data Source Implementation
J2EE/JDBC standards based
On the External Tier Application Server
Register the Application Data Source
Register the Node as trusted Node
Create a new Application User
Grant Role (shipped) to this User
Register this new User in the Application Server
EBS Security Model: Authentication and Authorization
Issues
Can I utilize the existing Responsibility/Menu to register my custom/extended application?
Will I get the EBS Authentication/SSO?
Will I be able to leverage the Function Security?
Current Solution
Need access to Apps Schema
Ship large AOL/J libraries on the external tier
Deal with the dependencies etc.
Need to understand the EBS security internals
Application logic needs to have the security call
New Requirements..
Develop or extend e-Business Suite application using standard J2EE technologies
Leverage EBS security
Authentication
Authorization
Secured connectivity
Upgrade my Custom/Extended Application Technology stack
EBS Security
Overview
Authentication & Authorization
Authentication is the process of verifying the user's identity. Typically this entails obtaining a user name and a password or some other credential from the user.
Authorization is the process of verifying whether a user has access to protected resources.
Authentication (diagram): Andy presents a User Name and Password to the Authentication Service, which decides: is the user who he says he is?
Authorization (diagram): Andy requests Some Action on a Resource; the Authorization Service decides: can this user perform this action on me?
Overview: EBS Security
Function Security
Data Security
Role Based Access Control
Delegated Administration
Provisioning Services
Self Service Features
Function Security
Overview: EBS Security
Function Security
Functions represent basic entry points / operations / secured resources that do not have any data context, for example:
Page X
Region Y
Typically done using responsibilities in the eBusiness suite
Employee HR Self Service
Manager HR Self Service
Hiring / Firing
Transfers
Promotions
Compensation
Personal Info
Job Posts
Pay Slip
Function Security
Data Security
Data Security
What business objects / documents hold sensitive data & need to be secured
For example: Expense Reports, Employees
What secured operations can be performed on each object
For example: update, delete, reject, approve, escalate
Secured operations are represented as privileges, aka permissions
Authorization Policy: grant [someone] access to perform [a set of operations] on a given [set of business documents]:
[Managers] can
[view, approve, reject, update]
[expense reports]
[filed by their direct reports]
Sets of business documents are identified through instance sets (SQL predicates)
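The authorization policy above, worked through in code as an added example (not part of the original deck or of the EBS product): a policy names a grantee role, a set of privileges and an instance set. In EBS the instance set is a SQL predicate appended to the query; here a Java Predicate stands in for that predicate so the decision can be exercised in memory. The ExpenseReport type, the reporting line and the user names are constructed sample data.

```java
import java.util.*;
import java.util.function.Function;
import java.util.function.Predicate;

// Added example: "[Managers] can [view, approve, reject, update] [expense reports]
// [filed by their direct reports]" evaluated as a data-security policy.
public class DataSecurityPolicy {

    /** A business document holding sensitive data (constructed sample type). */
    public record ExpenseReport(int id, String filedBy, int amount) {}

    /**
     * One authorization policy. The instance set is a function of the grantee,
     * because "their direct reports" depends on who is asking. In EBS this would be a
     * SQL predicate such as "FILED_BY IN (... WHERE MANAGER = :user)" (illustrative only).
     */
    public record Policy(String granteeRole, Set<String> privileges,
                         Function<String, Predicate<ExpenseReport>> instanceSet) {}

    private final List<Policy> policies = new ArrayList<>();
    private final Map<String, Set<String>> userRoles = new HashMap<>();
    /** Reporting line, employee -> manager (constructed sample org data). */
    private final Map<String, String> managerOf = new HashMap<>();

    /** Default deny: allowed only if some policy grants the privilege on this document. */
    public boolean isAuthorized(String user, String privilege, ExpenseReport doc) {
        Set<String> roles = userRoles.getOrDefault(user, Set.of());
        for (Policy p : policies) {
            if (roles.contains(p.granteeRole())
                    && p.privileges().contains(privilege)
                    && p.instanceSet().apply(user).test(doc)) {
                return true;
            }
        }
        return false;
    }

    /** The in-memory equivalent of applying the instance-set predicate to a query. */
    public List<ExpenseReport> visible(String user, String privilege, List<ExpenseReport> all) {
        List<ExpenseReport> out = new ArrayList<>();
        for (ExpenseReport r : all) {
            if (isAuthorized(user, privilege, r)) out.add(r);
        }
        return out;
    }

    public static void main(String[] args) {
        DataSecurityPolicy ds = new DataSecurityPolicy();
        ds.managerOf.put("carol", "andy");
        ds.managerOf.put("dave", "andy");
        ds.managerOf.put("erin", "bob");
        ds.userRoles.put("andy", Set.of("Manager"));
        ds.userRoles.put("bob", Set.of("Manager"));
        ds.userRoles.put("carol", Set.of("Employee"));

        // The policy from the slide: grantee role, privileges, instance set.
        ds.policies.add(new Policy("Manager", Set.of("view", "approve", "reject", "update"),
                manager -> report -> manager.equals(ds.managerOf.get(report.filedBy()))));

        List<ExpenseReport> reports = List.of(
                new ExpenseReport(1, "carol", 120),
                new ExpenseReport(2, "dave", 80),
                new ExpenseReport(3, "erin", 300));

        System.out.println("andy may approve: " + ds.visible("andy", "approve", reports)); // reports 1 and 2
        System.out.println("bob may approve:  " + ds.visible("bob", "approve", reports));  // report 3 only
        // Privilege not in the grant set -> denied even on the manager's own reports.
        System.out.println("andy may delete #1? " + ds.isAuthorized("andy", "delete", reports.get(0)));
        // No policy for the Employee role -> denied.
        System.out.println("carol may view #2?  " + ds.isAuthorized("carol", "view", reports.get(1)));
    }
}
```

The point worth noticing is that the three parts of the grant are checked together: a matching role with a non-matching privilege, or a matching privilege on a document outside the instance set, both fall through to the default deny.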
Function Security
Data Security
Role Based Access Control
Role Based Access Control
RBAC standard (ANSI INCITS 359-2004)
A role consists of:
Other roles (via inheritance)
Responsibilities (via inheritance)
Function Security Policies
Data Security Policies
A user can be assigned with several roles
A role can be assigned to several users
Use Cases
Grant access to a set of Sales Managers
Need access to:
HR Self Service: Manager + Employee access
Sales Online: Sales Manager access
Expenses: Manager + Employee access
iProcurement: Manager + Employee access
Access Control before..
Users directly assigned Responsibilities
Responsibilities (diagram): Expenses Mgr, Expenses Employee, Employee HR Self Service, Manager HR Self Service, iProcurement Mgr, iProcurement Employee, Sales Online Mgr
..With RBAC: Basic Approach
Roles (diagram, linked by Role Inheritance): SalesManager, Sales Rep, Manager, Employee
Responsibilities (diagram): Expenses, Employee HR Self Service, Manager HR Self Service, iProcurement, Sales Online
..With RBAC: Basic Approach (2)
Menu items (diagram) under Employee HR Self Service and Manager HR Self Service: Hiring / Firing, Transfers, Promotions, Compensation, Personal Info, Job Posts, Pay Slip
Before RBAC & with Basic RBAC Approach:
A Responsibility includes both the menu and the permissions to access the menu items
RBAC: Advanced Approach
With Advanced Approach:
Separation of Navigation & Access Control
A Responsibility represents an Application Menu
Menu items disabled by default (grant = false)
Human Resources menu (diagram): Hiring / Firing, Transfers, Promotions, Compensation, Personal Info, Job Posts, Pay Slip; roles: Employee, Manager
RBAC: Advanced Approach (2)
Human Resources menu (diagram): Personal Info, Job Posts and Pay Slip granted to the Employee role; Hiring / Firing, Transfers, Promotions and Compensation granted to the Manager role
Menu items (functions) granted to Roles
Menus automatically pruned in the Navigator
Users only see the menus they have access to
Not all Apps support this approach due to legacy security implementations
Responsibility level Profiles etc
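The role model from the RBAC slides (roles inherit other roles, functions are granted to roles, and in the advanced approach menu items are disabled until granted) as an added example, not code from the deck or from EBS. Role names follow the diagrams (SalesManager, Sales Rep, Manager, Employee); the user names and the assignment of menu items to roles are sample data taken from the Human Resources diagram above.

```java
import java.util.*;

// Added example: resolving a user's effective roles through inheritance, then using the
// result for a function-security check and to prune a menu the advanced-approach way.
public class RbacModel {

    /** Role -> roles it inherits from ("a role consists of other roles"). */
    private final Map<String, Set<String>> roleParents = new HashMap<>();
    /** Role -> functions (menu items) granted directly to it. */
    private final Map<String, Set<String>> roleGrants = new HashMap<>();
    /** User -> roles assigned directly ("a user can be assigned several roles"). */
    private final Map<String, Set<String>> userRoles = new HashMap<>();

    public void inherits(String role, String... parents) {
        roleParents.computeIfAbsent(role, k -> new HashSet<>()).addAll(Arrays.asList(parents));
    }

    public void grant(String role, String... functions) {
        roleGrants.computeIfAbsent(role, k -> new HashSet<>()).addAll(Arrays.asList(functions));
    }

    public void assign(String user, String... roles) {
        userRoles.computeIfAbsent(user, k -> new HashSet<>()).addAll(Arrays.asList(roles));
    }

    /** Effective roles: the assigned roles plus everything reachable through inheritance. */
    public Set<String> effectiveRoles(String user) {
        Set<String> seen = new LinkedHashSet<>();
        Deque<String> todo = new ArrayDeque<>(userRoles.getOrDefault(user, Set.of()));
        while (!todo.isEmpty()) {
            String role = todo.pop();
            // 'seen' also guards against cycles in a mis-configured hierarchy.
            if (seen.add(role)) {
                todo.addAll(roleParents.getOrDefault(role, Set.of()));
            }
        }
        return seen;
    }

    /** Function security check: granted to any effective role? Ungranted means denied. */
    public boolean canAccess(String user, String function) {
        for (String role : effectiveRoles(user)) {
            if (roleGrants.getOrDefault(role, Set.of()).contains(function)) return true;
        }
        return false;
    }

    /** Advanced approach: items are grant = false by default, so the Navigator shows only granted ones. */
    public List<String> prunedMenu(String user, List<String> menu) {
        List<String> visible = new ArrayList<>();
        for (String item : menu) {
            if (canAccess(user, item)) visible.add(item);
        }
        return visible;
    }

    public static void main(String[] args) {
        RbacModel m = new RbacModel();
        // Human Resources menu: employee-level and manager-level functions.
        m.grant("Employee", "Personal Info", "Job Posts", "Pay Slip");
        m.grant("Manager", "Hiring / Firing", "Transfers", "Promotions", "Compensation");
        // Role inheritance as in the Basic Approach diagram.
        m.inherits("Manager", "Employee");
        m.inherits("SalesManager", "Sales Rep", "Manager");
        m.assign("andy", "SalesManager");
        m.assign("bob", "Employee");

        List<String> hrMenu = List.of("Hiring / Firing", "Transfers", "Promotions", "Compensation",
                "Personal Info", "Job Posts", "Pay Slip");
        System.out.println("andy roles: " + m.effectiveRoles("andy")); // SalesManager, Sales Rep, Manager, Employee
        System.out.println("andy sees:  " + m.prunedMenu("andy", hrMenu)); // all seven items
        System.out.println("bob sees:   " + m.prunedMenu("bob", hrMenu));  // Personal Info, Job Posts, Pay Slip
        System.out.println("bob -> Promotions? " + m.canAccess("bob", "Promotions")); // false
    }
}
```

The inheritance walk is what gives the "mass update via a single operation" benefit on the next slide: granting a function to Employee reaches every user whose role chain ends there, without touching individual responsibilities.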
RBAC Benefits
Reduces / Simplifies Administration
Mass updates via single operation
Coexists with existing Security Setups
Basic Approach: Try it now!
Consolidate your existing Responsibilities into Roles
Advanced Approach
Reduces # Responsibilities and Menus
New Requirements
Standardized External Authentication and Authorization Service
JAAS
Java Authentication and Authorization Service
JAAS: What is JAAS?
The JAAS specification offers the necessary methods for authentication and authorization for J2EE and core Java applications.
It abstracts the underlying mechanism of control.
Authentication: User login
Authorization: Access Control
JAAS implementation for EBS: New Solution
E-Biz light-weight LoginModule, compliant with the JAAS specification, works with JDK or J2EE environments.
Implement JAAS Authentication using the AOL security system
Implement JAAS Authorization using UMX roles.
JAAS for EBS: Deployment Diagram
Client
Mid-Tier (9i or 10g): WebListener, JSP, Forms, Reports, BC4J, OC4J, UIX
DB Tier: 10gR2
Ext J2EE Application Server: WebListener, E-Business LoginModule, ADF, Web-Services, EJB
Flow (diagram):
1. Access
2. Delegate
3. Request Credentials
4. Send Credentials
5. Verify Credentials
6. Add Roles
7. Allow if User in Role
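The seven-step flow in the diagram, written as a JAAS LoginModule so the steps can be followed in code. This is an added example, not the E-Business LoginModule the deck announces and not Oracle code: the class name, the role name OM_ADF_ROLE, the user "andy" and the in-memory user and role tables are constructed stand-ins for the credential check (step 5) and the UMX role lookup (step 6). The programmatic Configuration replaces the jaas.conf file a container would normally supply.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Added example of a LoginModule following the slide's flow; names and data are hypothetical. */
public class EbsStyleLoginModule implements LoginModule {
    // Stand-ins for the EBS security system and UMX roles. A real module would verify against
    // EBS over the registered application data source rather than an in-memory table.
    private static final Map<String, char[]> USERS = Map.of("andy", "s3cret".toCharArray());
    private static final Map<String, Set<String>> ROLES = Map.of("andy", Set.of("OM_ADF_ROLE"));

    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private boolean succeeded;
    private final List<Principal> added = new ArrayList<>();

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;   // step 2: the application server delegates to this module
        this.handler = handler;
    }

    @Override
    public boolean login() throws LoginException {
        if (handler == null) throw new LoginException("no CallbackHandler supplied");
        NameCallback nc = new NameCallback("user: ");                    // step 3: request credentials
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] {nc, pc});                     // step 4: credentials sent
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e);
        }
        char[] supplied = pc.getPassword();
        pc.clearPassword();
        char[] expected = USERS.get(nc.getName());                       // step 5: verify credentials
        succeeded = expected != null && supplied != null
                && MessageDigest.isEqual(bytes(expected), bytes(supplied)); // constant-time compare
        if (supplied != null) Arrays.fill(supplied, '\0');
        if (!succeeded) throw new FailedLoginException("invalid user name or password");
        user = nc.getName();
        return true;
    }

    @Override
    public boolean commit() {
        if (!succeeded) return false;
        added.add(new NamedPrincipal("user", user));
        for (String role : ROLES.getOrDefault(user, Set.of())) {         // step 6: add roles
            added.add(new NamedPrincipal("role", role));
        }
        subject.getPrincipals().addAll(added);
        return true;
    }

    @Override public boolean abort() { reset(); return true; }
    @Override public boolean logout() { subject.getPrincipals().removeAll(added); reset(); return true; }
    private void reset() { user = null; succeeded = false; added.clear(); }
    private static byte[] bytes(char[] c) { return new String(c).getBytes(StandardCharsets.UTF_8); }

    /** Step 7: the application allows access only if the Subject carries the required role. */
    public static boolean isUserInRole(Subject s, String role) {
        return s.getPrincipals().contains(new NamedPrincipal("role", role));
    }

    /** Principal tagged as "user" or "role" so the two kinds can never be confused. */
    public record NamedPrincipal(String kind, String name) implements Principal {
        @Override public String getName() { return name; }
    }

    public static void main(String[] args) throws LoginException {
        Configuration cfg = new Configuration() {   // in place of a jaas.conf entry for "ExtApp"
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {new AppConfigurationEntry(
                        EbsStyleLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of())};
            }
        };
        // Stand-in for the login page: answers the callbacks with the constructed credentials.
        CallbackHandler form = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback n) n.setName("andy");
                else if (c instanceof PasswordCallback p) p.setPassword("s3cret".toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext lc = new LoginContext("ExtApp", null, form, cfg);   // step 1: access attempt
        lc.login();
        Subject s = lc.getSubject();
        System.out.println("in OM_ADF_ROLE? " + isUserInRole(s, "OM_ADF_ROLE")); // true
        System.out.println("in HR_ADMIN?    " + isUserInRole(s, "HR_ADMIN"));    // false
        lc.logout();
    }
}
```

Compile with javac and run the class directly. Two details carry the deck's security argument: the application code only ever sees the Subject and asks isUserInRole, so it holds neither the APPS password nor any AOL/J dependency, and the password is compared in constant time and wiped from memory as soon as the check is done.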
Key Benefits
Utilize standard Java development technologies
Security using Java Standards: Data Source, Java Authentication and Authorization Services
Runs on any J2EE compliant Servers
Standards based development and deployment model
Upgrade the development technology without getting tied to EBS technology stack
Availability
Today
Works for both 11i and R12 versions
Demonstration
Order Management Extension
Order Management Extension
Extension has been developed in ADF for the Order Management Application Module shipped by standard EBS.
Sample ADF application from OTN (Order management)
Module is registered as Order Management ADF Responsibility
ADF runs on a separate application Server 10g
Role has been created for the ADF responsibility
User has been granted this new ADF Role
Order Management Demo
Related Sessions: ATG
Thursday, September 25, 2008
09.00 Centralize your Oracle E-Business Suite Search, Powered by Oracle Secure Enterprise Search. Rajesh Ghosh and Veshaal Singh, Oracle. Moscone West 2007
10.30 Customer Case Study: Forsythe Technologies Inc Oracle E-Business Suite SOA Implementation. Samuel Tong, Forsythe Technologies Inc and Neeraj Chauhan, Oracle. Moscone West 2007
Related Sessions: ATG
Thursday, September 25, 2008
12.00 Managing Oracle E-Business Suite Customizations and Patches, using Oracle Enterprise Manager. Uma Prabhala, Oracle. Moscone West 2005
13.30 Opening Up Oracle Application Framework Applications through Web Services and Portlets. Ramkumar Sekar, Oracle. Moscone West 2005
13.30 Understanding the Oracle Diagnostics Security Model and Support for Custom Responsibility. Angelo Rosado, Oracle. Moscone West 2007
Demogrounds
Oracle Applications Management Pack for Oracle E-Business Suite
Oracle iSetup and Oracle Diagnostics Framework
Oracle E-Business Suite Cloning Techniques
Native Service Enablement of Oracle E-Business Suite
Integration Repository and E-Business Suite Adapter
Oracle SOA Suite for Oracle E-Business Suite
The Next-Generation Semantic Search Experience
Design and Develop New Searchable Objects, Using the Search Modeler Powered by Oracle Enterprise Search
Extract Portlets from Oracle OAF Applications
Generate, Test, Deploy, and Integrate Web Services
Desktop Integrators Using Oracle Web Applications Desktop Integrator
Pods (diagram): Oracle Secure Enterprise Search, Pod K26; Web Services / Portlets in Oracle OAF, Pod K25; SOA Enablement of E-Business Suite, Pod K24; E-Business Suite Lifecycle Management; Pod K30
For More Information
http://search.oracle.com
Applications technology
or
http://www.oracle.com/
Conclusion
The new solution is a light-weight JAAS login module implementation independent of the APPS schema password and large-sized AOL/J libraries.
The new solution makes application code independent of Authentication & Authorization code.
The solution works in any J2EE compliant application server and is configurable at deployment time.