ADF SECURITY ORACLE APPLICATION DEVELOPMENT FRAMEWORK

Oracle Application Development Framework (ADF)


Abdulla Alshourbagy (Micky Mouse)

ORACLE APPLICATION DEVELOPMENT FRAMEWORK (ADF)

• Is an end-to-end Java EE framework that is extensible
• Utilizes and adds value to the Java EE platform
• Abstracts Java EE complexity
• Provides declarative and visual development
• Enables developers to focus on the application, not the low-level infrastructure
• Creates reusable and maintainable code
• Uses metadata, simplifying the basic task of wiring user interfaces to services
• Implements Java EE best practices and design patterns, including MVC


ADF HIERARCHY

• ADF Faces
• ADF Model
• ADF Controller
• ADF Business Components


ADF SECURITY FRAMEWORK

• Is the preferred technology to provide authentication and authorization services to the Fusion web application.
• ADF Security is built on top of the Oracle Platform Security Services (OPSS) architecture, which itself is well-integrated with Oracle WebLogic Server.
• ADF Security is ideally suited to provide declarative, permission-based protection for ADF bounded task flows, for top-level web pages that use ADF bindings, and, at the lowest level of granularity, for rows of data defined by ADF entity objects and their attributes.


INTEGRATION OF ADF SECURITY AND JAVA SECURITY

• The ADF Security model is not based on the URL mapping of a security constraint as exemplified by the Java EE security model.
• Instead, ADF Security implements a Java Authentication and Authorization Service (JAAS) security model.
• The JAAS model is policy-based, is built on the existing Java security model, and integrates with any JAAS implementation, including the Oracle Platform Security Services (OPSS) implementation of the JAAS service.
• ADF Security simplifies the implementation of a JAAS authorization model.


ADF SECURITY FRAMEWORK: OVERVIEW

– The ADF security framework provides:
  • Standard features required to secure ADF applications
  • More granular declarative security
  • Hierarchical roles with permission inheritance
  • Utility methods for use in EL expressions
  • Different access defined for different roles at the same URL
– It uses JAAS enforced by the ADF binding servlet filter.
– It can authenticate users against a resource provider:
  • LDAP (Lightweight Directory Access Protocol)
  • OID (Object Identifiers)
  • XML-based


ADF SECURITY-AWARE RESOURCES:

• ADF bounded task flow protects the entry point to the task flow
• ADF page definition files associated with web pages not contained by a bounded task flow
• ADF entity objects and attributes of entity objects that reference rows of data and help define collections for display in the user interface


ADF SECURITY PROCESS OVERVIEW:

As you create the user interface for your application, you may run the Configure ADF Security wizard at any time. You may choose to:

• Iterate between creating web pages in the UI project and defining security policies on their associated ADF resources
• Complete all of the web pages in the UI project and then define security policies on their associated ADF resources


• Authentication: Is this user allowed to access this application?

• Authorization: Is this user’s role allowed to access this resource?


ADF SECURITY SUPPORTS:


ADF SECURITY OVERVIEW


CONFIGURE ADF SECURITY WIZARD: CONFIGURING ADF SECURITY AUTHENTICATION

Application > Secure > Configure ADF Security


CHOOSING THE AUTHENTICATION TYPE

Most commonly used:
– HTTP basic authentication:
  • It uses the browser login dialog box.
  • Cached credentials prevent logout.
– Form-based authentication: Developer-designed login page


CONFIGURE ADF SECURITY WIZARD: CHOOSING THE WELCOME PAGE

– Specify page where user should go upon authentication
– Ignored if page specified on URL
– If no page specified, user returns to the login page


ENABLING USERS TO ACCESS RESOURCES

To give users access:
– Define a security realm in the identity store: (Enterprise Role)
  • Create users.
  • Create roles.
  • Assign users to roles.
– Define an application policy in the policy store: (Application Role)
  • Create application roles.
  • Map the identity roles to the application roles.
  • Grant the application roles access to resources.


[Figure: screenshots for Create Users, Create Enterprise Role and Create Application Role; labels shown: Users, Roles, clerk, manager, app_clerk, app_manager]


GRANTING PERMISSIONS TO ROLES

You can associate roles to grants on resources:

• Groups of pages: Bounded task flows
• Individual pages: Page definitions *
• Rows: Entity objects or attributes
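
The identity-store and policy-store steps and the three grantable resource types, modelled as an added example (not code from the slides, and not the OPSS or ADF API). It assumes clerk and manager are enterprise roles and app_clerk and app_manager are application roles; the user names, the auditor role, the resource names and the action names are constructed.

```python
# Added model of the two-store lookup; not OPSS or ADF API code.
# User, resource and action names below are constructed for illustration.

IDENTITY_STORE = {            # security realm: user -> enterprise roles
    "alice": {"clerk"},
    "bob": {"manager"},
    "carol": {"auditor"},     # enterprise role never mapped to an app role
}

POLICY_STORE = {
    # application role -> enterprise roles mapped to it
    "members": {"app_clerk": {"clerk"}, "app_manager": {"manager"}},
    # application role -> application roles whose permissions it inherits
    "inherits": {"app_manager": {"app_clerk"}},
    # application role -> {(resource type, resource name): granted actions}
    "grants": {
        "app_clerk": {
            ("taskflow", "orders-flow"): {"view"},
            ("entity", "Orders"): {"read"},
        },
        "app_manager": {
            ("pagedef", "reportsPageDef"): {"view"},
            ("entity", "Orders"): {"update"},
        },
    },
}


def app_roles_for(user):
    """Resolve a user to application roles, following role inheritance."""
    enterprise = IDENTITY_STORE.get(user, set())
    pending = [r for r, m in POLICY_STORE["members"].items() if m & enterprise]
    resolved = set()
    while pending:
        role = pending.pop()
        if role not in resolved:          # also guards against cyclic inheritance
            resolved.add(role)
            pending.extend(POLICY_STORE["inherits"].get(role, ()))
    return resolved


def is_allowed(user, rtype, name, action):
    """Default deny: allowed only if some resolved role holds the grant."""
    return any(
        action in POLICY_STORE["grants"].get(role, {}).get((rtype, name), ())
        for role in app_roles_for(user)
    )
```

carol authenticates against the identity store but resolves to no application role, so every check for her is denied; bob gets read on Orders only through the inherited app_clerk grant.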


SECURING GROUPS OF PAGES (BOUNDED TASK FLOWS)

– Prevent unauthorized access to secured task flows.
– Provide developers with the ability to:
  • Secure a bounded task flow as a logical entity
  • Write security-aware bounded task flows and pages


SECURING INDIVIDUAL PAGES (PAGE DEFINITIONS)

– Determines whether the user is allowed to navigate to (view) a page

– Not needed on pages in secured task flows


GRANTING PRIVILEGES ON ENTITY OBJECTS OR ATTRIBUTES

– In the Structure window, right-click the entity object or attribute and select Edit Authorization.

– Select privileges to grant to application roles.

Two types: on attribute, on entity


SECURING ROW DATA (ENTITY OBJECTS OR ATTRIBUTES)

You can enable security on:
– Entire entity objects
– Individual attributes


Questions?