ADF Security in a Project-Centric Environment An ADF Case Study Jean-Marc Desvaux General Construction Co.Ltd


Presented for Oracle virtual Dev Day conference in 2011. Check the full day agenda & on-demand sessions at: http://www.oracle.com/technetwork/community/developer-day/virtual-dev-day-rea-369353.html


Page 1: Revised Adf security in a project centric environment

ADF Security in a Project-Centric Environment

An ADF Case Study

Jean-Marc Desvaux

General Construction Co.Ltd

Page 2

ADF EMG

• A place to discuss best practices and methodologies for JDeveloper ADF enterprise applications

• Founded mid-2008 by Chris Muir, now 600+ members

• Focus is Fusion Tech Stack (ADF Faces, ADF BC)

• Online forum plus sessions at major Oracle conferences (OOW, ODTUG, UKOUG, DOAG…)

http://groups.google.com/group/adf-methodology

Page 3

About me

Head of Information Systems of a construction company based in the Republic of Mauritius

20+ years' experience with Oracle technologies: Database, Development Tools and Middleware.

twitter/jmdesvaux jmdesvaux.blogspot.com

Page 4

Agenda

The GCC Business Case

The Security problem & the approach taken

Setting up the Infrastructure

Enabling ADF Security

Enabling Per Project & Module Security in ADF

General Construction Co.Ltd

Page 5

The Business Case

Page 6

The GCC Business - Building & Civil Engineering

GCC = Main Contractor = Builders Work mainly

Operations in Mauritius Only

~3000 Workforce, ~400 Staff (200 HQ, 200 on Sites).

Page 7

The GCC IT Team

4 Engineers & Developers
• 1 dedicated to ADF for 2 years, plus Forms/Reports (6 yrs)
• 1 dedicated to ADF for 1 year
• 1 dedicated to Forms/Reports (20+ yrs)
• 2 dealing with the overall infrastructure: DB, AS, firewalls..

2 Desktop & Peripheral Support Technicians
• Sites networking
• Desktop/client configs & support

Page 8

Development started in 1990, kept updated & still growing…

Oracle Forms & Oracle Reports on a single Oracle Database instance

Page 9

Today ~1500 Forms & 1500 Reports cover most aspects of the lines of service/business units (Logistics, Professional Support & Corporate Services), each backing up site operations.

Page 10

Need for our Sites to be active players in this services ecosystem

We saw there a good case for an ADF transition

Page 11

Connecting Sites to the GCC System with ADF Web applications

Page 12

The Security Problem & The approach taken

Page 13

Corporate User works transversely across projects

Site User always works under a Project Context

Page 14

Security is delegated to “Line of Service” Managers

Each “Line of Service” Manager makes service agreements with Sites defining how they will work: who will do what.

The “Line of Service” Manager applies the Agreement by setting roles in a Security Configuration/Management application.

Page 15

Security Model for all applications (ADF, Forms & Reports)

Page 16

Building blocks involved: OID/SSO, Database, ADF Security & UI

• OID (LDAP) for users and module groups; Oracle Single Sign-On (SSO)
• Data model for a security application to drive per-module/project roles
• ADF Security for pages, based on OID groups
• ADF UI components rendered or not using EL: custom classes check roles from the database

Page 17

Delegation of management of Project/Module Security

Module Security Manager

Page 18

Security data model (entities from the slide diagram):

• Modules
• Module Roles & related privileges
• Who can manage a Module for one or more Projects
• Grant/Revoke Module Roles to a User for a Project
• OID Group
• Security Management related Forms

When access is granted to a first Site, OID is updated with the module group using the dbms_ldap package.

Page 19

Another advantage of using the Database is the integration of security with HR data

New Users are added to the Site from the HR Employees data by the Security Manager.

Auditing accesses inside the database and cross-checking with timesheets (absent but logged on, not assigned to a Site but still authorized, etc.)

When an employee leaves the company, authorization is automatically revoked

Ability to add more controls as & when needed/decided

Security data is backed up with the Database

Page 20

Setting up the Infrastructure

Page 21

How to integrate OID/SSO with WebLogic

Components (from the diagram):
• Oracle WebTier 11g: Webcache wls1034.gcc.mu:7785, HTTP 11g wls1034.gcc.mu:7777
• WebLogic wls1034.gcc.mu:7007 (ADF 11g deployment)
• Oracle Identity Management 10.1.4: Oracle Single Sign-On/OID

“Forms (11g) will not be specifically coded to use, nor tested with Oracle Access Manager. Other Oracle products, such as ADF, Web Center and Portal, will also support Oracle Single-Sign-on.

Oracle has plans to support Oracle Access Manager in future versions of Oracle Forms 11g.”

Page 22

Proxying WebLogic with HTTP 11g

• Webcache wls1034.gcc.mu:7785
• HTTP 11g wls1034.gcc.mu:7777
• WebLogic wls1034.gcc.mu:7007

Page 23

Register the HTTP server with the OSSO infra server

Register the WebLogic server URL with the Webcache port (7785) on the OID/SSO server:

1. Create a wls_osso.conf file with the ssoreg.sh tool on the OID/SSO infra server.
2. Replace the WebLogic server's WebTier osso.conf with the generated file.
3. Configure mod_osso.conf to point to the newly copied osso.conf.

Page 24

Setup WebLogic Security Providers

Authenticator must be configured for Oracle Internet Directory (OID)

Identity Assertion Provider must be configured for SSO


Page 25

WebLogic Realm Security Providers

Page 26

Infrastructure Setup Done

(Same deployment diagram as on Page 21: Oracle WebTier 11g with Webcache wls1034.gcc.mu:7785 and HTTP 11g wls1034.gcc.mu:7777, WebLogic wls1034.gcc.mu:7007 hosting the ADF 11g deployment, and Oracle Identity Management 10.1.4 providing Oracle Single Sign-On/OID.)

Page 27

Enabling ADF Security

Page 28

Enabling ADF Security

Page 29

What is done at the back...

JDeveloper creates:
• jazn-data.xml: security rules & permissions, plus a dev/test identity store for testing only (skipped on deployment)

and updates:
• web.xml: the type of authentication selected
• weblogic.xml: where users are mapped to roles (by default a generic principal (user) is mapped to the WebLogic role “valid-users”, i.e. any authenticated user)
• adf-config.xml: indicates that ADF Security is enabled & handled by JPS (Java Platform Security)

Page 30

Authentication Type (web.xml) with Oracle Infrastructure Single Sign-On

Page 31

Authorization : Roles & Pages Security

Application Roles: roles specified by the ADF application; ADF authorizations are set on these roles.

Enterprise Roles: roles assigned to the ADF user from the Credential/Identity Store (Oracle Internet Directory).

An Application Role is mapped to an Enterprise Role, allowing the developer to work with application roles and map them later to the final enterprise roles.

Roles are applied to pages with the “View” permission. Other permissions are only applicable if you use WebCenter.

Page 32

Authorization (Jazn-data.xml)

Page 33

What we have at this stage

A user with an OID account and OID Groups (enterprise roles) gets an SSO login form to identify himself when trying to access an ADF application (all pages being protected by ADF Security).

Once authenticated, he can navigate to the page if he has the necessary enterprise role (mapped to the application role set to protect the page).

Page 34

On each page, we only want the authorized UI components to be rendered…

Page 35

UI component level

Rendering or not a UI component (button, panel, etc.) with JSF Expression Language (EL):
• a data condition, e.g. CurrentPeriod <= Period (written with le, “less or equal”, in EL)
• #{securityContext.userInRole['rolename']} for a “static” role

Page 36

Enabling Per Project & Module Security in ADF

Page 37

Application navigation use case (Apps screenshots)

Page 38

Oracle Single Sign-On Login Form

Oracle Infrastructure 10.1.4 default login form, customized with our logo.

One could write a custom Login Form

Page 39

List of Projects for which the user is entitled to at least one Application Module

Page 40

List of Modules the user is entitled to on the selected Project

Page 41

Actions available or not depending on User’s rights on this specific Project and Module

User can switch Project Context within the same Module

Page 42

Oracle Reports integration (Report TaskFlow)

Report URL not displayed

Oracle Report Parameter Form

Page 43

How it works (guideline only, to show the extensibility/flexibility of the framework)

1. The User Login is fetched from the ADF Context.

2. From a “Project List” module and a “Project Switcher” Taskflow, the selected Project is set in the database. Any direct access to a Module takes the Project from the database.

3. When accessing an application, we store our context parameters in the AM session: Project Code, User Login, Module Code, etc.

4. The user's Module access right for the Project is checked against the database (in case the Module is accessed directly via its URL).

5. The Database Client Identifier & Module Environment are set in the Database for auditing purposes & other needs.

Page 44

6. A “Module access” audit event is logged in the Database.

7. When a page is accessed, the session parameters are stored (if not already done) in a Session bean.

8. The user's privilege codes for the Module/Project are fetched from the Security Database and stored in the HTTP session as a Map.

9. Bind variables on our View Objects (VOs) are automatically replaced by our parameter values to filter data at VO level when the VOs are executed.

10. A session bean method (SecurityScope.userInRole) is used in EL to check privileges from our HTTP session Map and render or not a component.
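The flow above condensed into one class, as an added example that is not code from the deck or from GCC's application: a session-scoped bean that captures the context parameters, refuses a module that is not granted on the project, tags the database session, logs the audit event, loads the privilege codes once and exposes them as a Map, so that the #{securityScope.userInRole['...']} expression shown on the next slide resolves to true or false. Assumptions: the table and column names (sec_module_access, sec_access_audit, sec_user_privilege, priv_code), the privilege code APPROVE_REQUEST used in a comment, DBMS_SESSION.SET_IDENTIFIER as the way the client identifier is set, and a plain java.sql.Connection taken from the application module's transaction (the wiring into ADFContext and the HTTP session is left out). The code uses Java 7 try-with-resources.

```java
import java.io.Serializable;
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Session bean behind #{securityScope.userInRole['PRIV_CODE']} (added example,
// not the deck's class). Table and column names are hypothetical placeholders.
public class SecurityScope implements Serializable {

    // Step 3: context parameters captured when the module is entered
    private final String userLogin;
    private final String projectCode;
    private final String moduleCode;

    // Step 8: privilege codes granted to this user for this project/module
    private final Set<String> privilegeCodes = new HashSet<String>();

    // Map view so EL's [ ] operator works on it; get() never returns null, so an
    // unknown or ungranted code evaluates to false and the component is not rendered
    private final Map<String, Boolean> userInRole = new HashMap<String, Boolean>() {
        @Override
        public Boolean get(Object privCode) {
            return privilegeCodes.contains(privCode);
        }
    };

    public SecurityScope(Connection conn, String userLogin, String projectCode,
                         String moduleCode) throws SQLException {
        this.userLogin = userLogin;
        this.projectCode = projectCode;
        this.moduleCode = moduleCode;
        // Step 4: a direct module URL is refused unless the security database
        // grants this module on this project to this user
        if (!hasModuleAccess(conn)) {
            throw new SecurityException("Module " + moduleCode + " not granted on project "
                    + projectCode + " to " + userLogin);
        }
        setClientIdentifier(conn);   // step 5
        logModuleAccess(conn);       // step 6
        loadPrivileges(conn);        // step 8
    }

    private boolean hasModuleAccess(Connection conn) throws SQLException {
        String sql = "SELECT COUNT(*) FROM sec_module_access"
                + " WHERE user_login = ? AND project_code = ? AND module_code = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            bindContext(ps);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() && rs.getInt(1) > 0;
            }
        }
    }

    // Tags the pooled database session with the real end user so database-side
    // auditing records the person, not the connection pool account
    private void setClientIdentifier(Connection conn) throws SQLException {
        try (CallableStatement cs = conn.prepareCall("{call DBMS_SESSION.SET_IDENTIFIER(?)}")) {
            cs.setString(1, userLogin);
            cs.execute();
        }
    }

    private void logModuleAccess(Connection conn) throws SQLException {
        String sql = "INSERT INTO sec_access_audit (user_login, project_code, module_code, access_time)"
                + " VALUES (?, ?, ?, SYSTIMESTAMP)";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            bindContext(ps);
            ps.executeUpdate();
        }
    }

    private void loadPrivileges(Connection conn) throws SQLException {
        String sql = "SELECT priv_code FROM sec_user_privilege"
                + " WHERE user_login = ? AND project_code = ? AND module_code = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            bindContext(ps);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    privilegeCodes.add(rs.getString(1));
                }
            }
        }
    }

    private void bindContext(PreparedStatement ps) throws SQLException {
        ps.setString(1, userLogin);
        ps.setString(2, projectCode);
        ps.setString(3, moduleCode);
    }

    // Step 10: rendered="#{securityScope.userInRole['APPROVE_REQUEST']}"
    public Map<String, Boolean> getUserInRole() { return userInRole; }

    public String getProjectCode() { return projectCode; }
    public String getModuleCode() { return moduleCode; }
}
```

Because get() never returns null, a typo in a privilege code hides the component instead of failing in EL, and because the bean only exists once the constructor has succeeded, a failed module-access check never leaves a half-initialised scope in the session; switching Project Context means building a fresh instance, which also re-runs the access check and the audit insert for the new project.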

Page 45

Standard EL expression to check a static role:

#{securityContext.userInRole['Role Name']}

Custom EL expression to check the database privilege codes assigned to a role:

#{securityScope.userInRole['Priv List Code']}

Page 46

Reusability

Task Flows, Libraries & Page Templates

Page 47

Reusability: Task Flows, Libraries, Page templates..

Layers shown on the slide diagram:
• ADF Framework Base Classes
• GCCCommon Workspace (GCC Libraries): adf-extensions project, gcc-security project, gcc-template project
• Task Flows Workspaces
• Application Modules Workspaces (GCC Apps Modules)

Page 48

The Future: potential grounds for improvements

• Oracle WebCenter: application entry point (portal) + customization for task shortcuts (approving requests, etc.); improved application structure using catalogs; content integration & Web 2.0 features (e.g. Project Site Communications Module extended with chat/forum/workspace)
• Oracle Access Manager: when Forms/Reports support it
• ADF Mobile: pervasiveness of our applications (e.g. allowing an approval anywhere on site)

Page 49

Our Main Resources

• ADF expert bloggers
  - Non-Oracle: Lucas Jellema, Andrejus Baranovski, Chris Muir, ..
  - Oracle: Frank Nimphius, Grant Ronald, Steve Muench, Duncan Mills, ..
  - And more…
• Oracle Technology Network (OTN): ADF Code Corner, JDev/ADF Forum, Tutorials, and more..
• ADF books

Page 50

More info on this ADF case study and other case studies:
http://tinyurl.com/2e7y3zp

Or from the OTN JDeveloper page:
http://www.oracle.com/technetwork/developer-tools/jdev/overview/index.html

Page 51

Thank You.

Page 52

VO bind variables are automatically replaced by our parameter values to filter data per Project at VO level.

All ViewObjects use a custom base class “BaseFilteredViewObject” where executeQuery and executeQueryForCollection are overridden to call setGlobalVariablesValues() before delegating to the superclass. The executeQuery override and the helper:

    import oracle.jbo.Variable;
    import oracle.jbo.VariableValueManager;
    import oracle.jbo.server.ViewObjectImpl;

    public class BaseFilteredViewObject extends ViewObjectImpl {

        @Override
        public void executeQuery() {
            setGlobalVariablesValues();
            super.executeQuery();
        }

        // Any WHERE-clause bind variable left empty is filled from the AM session
        // user data under the same name (projectCode, userLogin, moduleCode...).
        private void setGlobalVariablesValues() {
            VariableValueManager vm = ensureVariableManager();
            Variable[] vars = vm.getVariablesOfKind(Variable.VAR_KIND_WHERE_CLAUSE_PARAM);
            for (Variable var : vars) {
                Object voVarValue = vm.getVariableValue(var.getName());
                if (voVarValue == null || voVarValue.toString().isEmpty()) {
                    vm.setVariableValue(var.getName(),
                        getApplicationModule().getSession().getUserData().get(var.getName()));
                }
            }
        }
    }

Parameter naming convention: parameter names must be consistent. For example, a projectCode parameter defined in the AM must have the same name as the VO bind variable.