
Java Authentication and Authorization Services



Java Authentication and Authorization Services for E-Business Suite

Veshaal Singh
Director, Applications Technology


The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.


Program Agenda

• Current Scenarios
• Problems
• Solution
• Benefits
• Demonstration
• Q & A


Current Scenarios


ADF with E-Business Suite

• E-Business Suite ships with standard modules
• Need to extend or develop a module
• Want to develop it using ADF
• Ensure that it works with the E-Business Security Model
  • Register as a Responsibility
  • Utilize FND_USER for authentication
  • Leverage UMX and RBAC for authorization


EJBs with E-Business Suite

• Healthcare platform is exposed using EJBs
• E-Business Suite does not support EJBs
• These EJBs run on a separate OC4J
• Ensure that it works with the E-Business Security Model


EBS Technology Stack Topology

[Diagram: three tiers. The Database tier (labels: 9i or 10g, 10gR2) holds the database logic; the application tier (labels: 9iAS 1.0.2.2, OC4J, Web Listener, Forms, Reports, JSP, BC4J, UIX) holds the application logic; an external tier J2EE server runs JSP, Servlets, EJB, JMS, Web Services and others.]


External Tier Access

Problems and Existing Solutions


Apps Schema Access

• Issues
  • Apps Schema
  • Schema password keeps changing
  • Standards-based access
  • Is it secured?
• Current Solution
  • Create a new schema and provide privileges
  • Provide the apps password to the external system


Solution: Application Data Source

• Application Data Source implementation
  • J2EE/JDBC standards based
• On the External Tier Application Server
  • Register the Application Data Source
  • Register the node as a trusted node
  • Create a new Application User
  • Grant the (shipped) Role to this User
  • Register this new User in the Application Server


EBS Security Model: Authentication and Authorization

• Issues
  • Can I utilize the existing Responsibility/Menu to register my custom/extended application?
  • Will I get the EBS Authentication/SSO?
  • Will I be able to leverage Function Security?
• Current Solution
  • Need access to the Apps Schema
  • Ship large AOL/J libraries on the external tier
  • Deal with the dependencies etc.
  • Need to understand the EBS security internals
  • Application logic needs to have the security call


New Requirements..

• Develop or extend E-Business Suite applications using standard J2EE technologies
• Leverage EBS security
  • Authentication
  • Authorization
  • Secured connectivity
• Upgrade my custom/extended application technology stack


EBS Security

Overview


Authentication & Authorization

• Authentication is the process of verifying the users’ identity. Typically this entails obtaining a user name and a password or some other credential from the user.

• Authorization is the process of verifying whether a user has access to protected resources.

[Diagram: Authentication: user Andy presents a user name and password to the Authentication Service, which decides “Is the user who he says he is?”. Authorization: Andy requests some action on a Resource, and the Authorization Service decides “Can this user perform this action on me?”]


EBS Security Overview

• Function Security
• Data Security
• Role Based Access Control
• Delegated Administration
• Provisioning Services
• Self Service Features


EBS Security Overview: Function Security


Function Security

• Functions represent basic entry points / operations / secured resources that do not have any data context, for example:
  • “Page X”
  • “Region Y”
• Typically done using responsibilities in the E-Business Suite

[Diagram: the Employee HR Self Service and Manager HR Self Service responsibilities with the menu items Hiring / Firing, Transfers, Promotions, Compensation, Personal Info, Job Posts and Pay Slip.]


EBS Security Overview: Data Security


Data Security

• What business objects / documents hold sensitive data and need to be secured
  • For example: Expense Reports, Employees
• What secured operations can be performed on each object
  • For example: update, delete, reject, approve, escalate
  • Secured operations are represented as privileges, aka permissions
• Authorization Policy: grant [someone] access to perform [a set of operations] on a given [set of business documents]:
  • [Managers] can
  • [view, approve, reject, update]
  • [expense reports]
  • [filed by their direct reports]
• Sets of business documents are identified through instance sets (SQL predicates)


EBS Security Overview: Role Based Access Control


Role Based Access Control

• RBAC standard (ANSI INCITS 359-2004)
• A role consists of
  • Other roles (via inheritance)
  • Responsibilities (via inheritance)
  • Function Security Policies
  • Data Security Policies
• A user can be assigned several roles
• A role can be assigned to several users


Use Cases

• Grant access to a set of Sales Managers
• Need access to:
  • HR Self Service: Manager + Employee access
  • Sales Online: Sales Manager access
  • Expenses: Manager + Employee access
  • iProcurement: Manager + Employee access


Access Control before..

[Diagram: users are directly assigned Responsibilities: Expenses Mgr, Expenses Employee, Employee HR Self Service, Manager HR Self Service, iProcurement Mgr, iProcurement Employee, Sales Online Mgr.]


..With RBAC: Basic Approach

[Diagram: role inheritance. The Sales Manager role inherits the Employee and Sales Rep Manager roles, which together carry the Expenses, Employee HR Self Service, Manager HR Self Service, iProcurement and Sales Online responsibilities.]
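The role inheritance shown above, worked through as an added example that is not Oracle's code: a small resolver (assumed names RoleResolver, effectiveResponsibilities, salesManagerExample) that walks the inheritance graph from a user's assigned roles and collects every responsibility reached. Which of the two inherited roles carries which responsibility is not stated on the slide and is assumed here.

```java
import java.util.*;

/** Added example (not Oracle's code): resolves the responsibilities a user effectively holds
 *  when roles inherit other roles and carry responsibilities, as in the Basic RBAC Approach. */
public class RoleResolver {
    private final Map<String, Set<String>> inherited = new HashMap<>();        // role -> roles it inherits
    private final Map<String, Set<String>> responsibilities = new HashMap<>(); // role -> responsibilities
    private final Map<String, Set<String>> userRoles = new HashMap<>();        // user -> assigned roles

    public RoleResolver inherits(String role, String... parents) {
        inherited.computeIfAbsent(role, k -> new HashSet<>()).addAll(Arrays.asList(parents));
        return this;
    }
    public RoleResolver grants(String role, String... resps) {
        responsibilities.computeIfAbsent(role, k -> new HashSet<>()).addAll(Arrays.asList(resps));
        return this;
    }
    public RoleResolver assign(String user, String... roles) {
        userRoles.computeIfAbsent(user, k -> new HashSet<>()).addAll(Arrays.asList(roles));
        return this;
    }

    /** Walks the inheritance graph from the user's roles; the seen set stops inheritance cycles. */
    public SortedSet<String> effectiveResponsibilities(String user) {
        SortedSet<String> result = new TreeSet<>();
        Deque<String> work = new ArrayDeque<>(userRoles.getOrDefault(user, Set.of()));
        Set<String> seen = new HashSet<>();
        while (!work.isEmpty()) {
            String role = work.pop();
            if (!seen.add(role)) continue;                       // already expanded (or a cycle)
            result.addAll(responsibilities.getOrDefault(role, Set.of()));
            work.addAll(inherited.getOrDefault(role, Set.of()));
        }
        return result;
    }

    /** The Sales Manager hierarchy from the slide; the role-to-responsibility split is assumed. */
    public static RoleResolver salesManagerExample() {
        return new RoleResolver()
            .grants("Employee", "Expenses", "Employee HR Self Service", "iProcurement")
            .grants("Sales Rep Manager", "Sales Online", "Manager HR Self Service")
            .inherits("Sales Manager", "Employee", "Sales Rep Manager")
            .assign("andy", "Sales Manager");                   // constructed sample user
    }

    public static void main(String[] args) {
        // All five responsibilities are reached through Sales Manager -> Employee / Sales Rep Manager.
        System.out.println(salesManagerExample().effectiveResponsibilities("andy"));
    }
}
```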


..With RBAC: Basic Approach (2)

[Diagram: the Employee HR Self Service and Manager HR Self Service responsibilities, each bundling its menu items (Hiring / Firing, Transfers, Promotions, Compensation, Personal Info, Job Posts, Pay Slip).]

• Before RBAC and with the Basic RBAC Approach:
  • A Responsibility includes both the menu and the permissions to access the menu items


RBAC: Advanced Approach

• With the Advanced Approach:
  • Separation of Navigation and Access Control
  • A Responsibility represents an Application Menu
  • Menu items disabled by default (grant = false)

[Diagram: a single Human Resources menu with the items Hiring / Firing, Transfers, Promotions, Compensation, Personal Info, Job Posts and Pay Slip, with access granted separately to the Employee and Manager roles.]


RBAC: Advanced Approach (2)

[Diagram: within the Human Resources menu, Personal Info, Job Posts and Pay Slip are granted to the Employee role; Hiring / Firing, Transfers, Promotions and Compensation are granted to the Manager role.]

• Menu items (functions) granted to Roles
• Menus automatically pruned in the Navigator
• Users only see the menus they have access to
• Not all Apps support this approach due to legacy security implementations
  • Responsibility level Profiles etc.


RBAC Benefits

• Reduces / simplifies administration
  • Mass updates via a single operation
• Coexists with existing security setups
• Basic Approach: try it now!
  • Consolidate your existing Responsibilities into Roles
• Advanced Approach
  • Reduces the number of Responsibilities and Menus


New Requirements

Standardized External Authentication and Authorization Service


JAAS

Java Authentication and Authorization Service


JAAS: What is JAAS?

• The JAAS specification offers the necessary methods for authentication and authorization for J2EE and core Java applications.
• It abstracts the underlying mechanism of control.
• Authentication
  • User login
• Authorization
  • Access Control


New Solution: JAAS Implementation for EBS

• E-Biz light-weight LoginModule, compliant with the JAAS specification, works in JDK or J2EE environments.
• Implements JAAS Authentication using the AOL security system
• Implements JAAS Authorization using UMX roles.


JAAS for EBS: Deployment Diagram

[Diagram: a Client; the EBS Mid-Tier (labels: 9i or 10g, OC4J, Web Listener, Forms, Reports, JSP, BC4J, UIX); the DB Tier (10gR2); and an external J2EE Application Server hosting the E-Business LoginModule alongside ADF, Web Services and EJB components. Flow: 1. the client accesses the application; 2. the application delegates to the E-Business LoginModule; 3. the module requests credentials; 4. the client sends credentials; 5. the module verifies the credentials; 6. the module adds the user's roles; 7. access is allowed if the user is in the required role.]
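The seven-step flow above, as an added example that is not Oracle's code: a hypothetical JAAS LoginModule (assumed names DemoEbsLoginModule, RolePrincipal, isUserInRole) that requests credentials through the CallbackHandler, verifies them against a constructed in-memory table where the real module would consult the AOL security system, and attaches role Principals in commit() so the application can decide "allow if user in role".

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Role principal attached to the Subject at commit time (step 6, "Add Roles"). */
final class RolePrincipal implements Principal {
    private final String name;
    RolePrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
}

/** Hypothetical stand-in for the E-Business LoginModule (not Oracle's code): it verifies
 *  credentials against a constructed in-memory table where the real module would consult
 *  the AOL security system, and attaches UMX-style role names as Principals. */
public class DemoEbsLoginModule implements LoginModule {
    // Constructed sample data: user name -> {password, role names...}.
    private static final Map<String, String[]> USERS = Map.of(
        "andy", new String[] {"s3cret", "ORDER_MGMT_ADF_ROLE", "EMPLOYEE_ROLE"});
    private Subject subject;
    private CallbackHandler handler;
    private String[] record;   // matched user record; stays null until login() succeeds

    @Override public void initialize(Subject subject, CallbackHandler handler,
                                     Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject; this.handler = handler;
    }

    /** Steps 3-5: request the credentials through the CallbackHandler, then verify them. */
    @Override public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] {nc, pc});
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain credentials: " + e.getMessage());
        }
        String[] rec = USERS.get(nc.getName());
        char[] pw = pc.getPassword();          // returns a copy; clear the callback's buffer
        pc.clearPassword();
        boolean ok = rec != null && pw != null && rec[0].equals(new String(pw));
        if (!ok) throw new FailedLoginException("invalid user name or password");
        record = rec;
        return true;
    }

    /** Step 6: roles become Principals only after the whole login has succeeded. */
    @Override public boolean commit() {
        if (record == null) return false;
        for (int i = 1; i < record.length; i++) subject.getPrincipals().add(new RolePrincipal(record[i]));
        return true;
    }
    @Override public boolean abort() { record = null; return true; }
    @Override public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof RolePrincipal); return true; }

    /** Step 7: the authorization check, "allow if user in role". */
    public static boolean isUserInRole(Subject s, String role) {
        return s.getPrincipals(RolePrincipal.class).stream().anyMatch(p -> role.equals(p.getName()));
    }
}
```

Wire it in through a JAAS login configuration entry naming the class, then call LoginContext.login() and pass the resulting Subject to isUserInRole at each protected entry point.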


Key Benefits

• Utilize standard Java development technologies
• Security using Java standards
  • Data Source
  • Java Authentication and Authorization Services
• Runs on any J2EE compliant server
• Standards-based development and deployment model
• Upgrade the development technology without getting tied to the EBS technology stack


Availability

• Today

• Works for both 11i and R12 versions


Demonstration


Order Management Extension

• The extension has been developed in ADF for the Order Management Application Module shipped by standard EBS.
• Sample ADF application from OTN (Order Management)
• The module is registered as the Order Management ADF Responsibility
• ADF runs on a separate Application Server 10g
• A Role has been created for the ADF Responsibility
• The User has been granted this new ADF Role


Order Management Demo


Related Sessions: ATG

Thursday, September 25, 2008

09.00 Centralize your Oracle E-Business Suite Search, Powered by Oracle Secure Enterprise Search. Rajesh Ghosh and Veshaal Singh, Oracle. Moscone West 2007
10.30 Customer Case Study: Forsythe Technologies Inc Oracle E-Business Suite SOA Implementation. Samuel Tong, Forsythe Technologies Inc and Neeraj Chauhan, Oracle. Moscone West 2007


Related Sessions: ATG (continued)

Thursday, September 25, 2008

12.00 Managing Oracle E-Business Suite Customizations and Patches, using Oracle Enterprise Manager. Uma Prabhala, Oracle. Moscone West 2005
13.30 Opening Up Oracle Application Framework Applications through Web Services and Portlets. Ramkumar Sekar, Oracle. Moscone West 2005
13.30 Understanding the Oracle Diagnostics Security Model and Support for Custom Responsibility. Angelo Rosado, Oracle. Moscone West 2007


Demogrounds

• Oracle Applications Management Pack for Oracle E-Business Suite
• Oracle iSetup and Oracle Diagnostics Framework
• Oracle E-Business Suite Cloning Techniques
• Native Service Enablement of Oracle E-Business Suite
• Integration Repository and E-Business Suite Adapter
• Oracle SOA Suite for Oracle E-Business Suite
• The Next-Generation Semantic Search Experience
• Design and Develop New Searchable Objects, Using the Search Modeler
• Powered by Oracle Enterprise Search
• Extract Portlets from Oracle OAF Applications
• Generate, Test, Deploy, and Integrate Web Services
• Desktop Integrators Using Oracle Web Applications Desktop Integrator

Demo pods: Oracle Secure Enterprise Search (Pod K26); E-Business Suite Lifecycle Management; Web Services / Portlets in Oracle OAF (Pod K25); SOA Enablement of E-Business Suite (Pod K24, Pod K30)


For More Information

http://search.oracle.com
Applications technology
or http://www.oracle.com/


Conclusion

• The new solution is a light-weight JAAS login module implementation that is independent of the APPS schema password and of the large AOL/J libraries.
• The new solution makes application code independent of the authentication and authorization code.
• The solution works in any J2EE compliant application server and is configurable at deployment time.
