Your SlideShare is downloading. ×
0
ADF Security in a Project-Centric
Environment
An ADF Case Study
Jean-Marc Desvaux - General Construction Co.Ltd
Agenda
GCC Business Case
Security Approach for the overall Ecosystem
Enabling ADF Security
Enabling Per Project & Module S...
The Business Case
The GCC Business
Building & Civil Engineering
GCC = Main Contractor = Builders Work mainly
Operations in Mauritius Only
...
The GCC IT Team
4 Engineers & Developers
 1 ADF dedicated since 2 years + Forms/Reports (6yrs)
 1 ADF dedicated since 1...
Dev Started 1990, Kept Updated & Still Growing…
SINGLE ORACLE DATABASE INSTANCE
Today ~1500 Forms & 1500 Reports
covering most aspects of line of
services/business units
(Logistics, Professional Support...
Need for our Sites to be
Active Players
in this
Services Ecosystem
We saw there a good case
for an ADF transition
Started with ADF 10g, 2 years ago
Connecting Sites to the GCC System
with ADF Web applications
As we grow with ADF we will replace
FORMS slowly across the whole IS
Security Approach for the
overall Ecosystem
Site User always works under a Project Context
Compared to a Corp.User who works
transversely across projects
Security delegated to “Line of Service”
Managers where applicable
•Each “Line of Service” Manager makes service agreements...
Security Model for all applications
(ADF, Forms & Reports)
4 “Levels”: OID/SSO, Database, ADF Security & UI
OID (LDAP) for USERS and MODULE GROUPS
ORACLE Single Sign-On (SSO)
DATA M...
Security Application
Built with both Forms & ADF
to support delegation to Line of Service Managers
Users stored in Database + mirrored in OID
using dbms_ldap package
OID Data
Delegate management of Project/Module Security
Module Security
Manager
Who can Manage a Module for one or more Projects
Grant/Revoke Module Roles to User for Project
OID Group
Security Manageme...
Other advantages of using the Database is
the integration of security with HR Data
New Users are added to the Site from HR...
Setting up the Infrastructure
WebLogic, OID & SSO
What we need to integrate OID/SSO
with WebLogic
Webcache wls1033.gcc.mu:7785
HTTP 11g wls1033.gcc.mu:7777
WebLogic wls1033...
Proxying WebLogic with HTTP 11g
WebLogic wls1033.gcc.mu:7007
Webcache wls1033.gcc.mu:7785
HTTP 11g wls1033.gcc.mu:7777
Register the weblogic server URL with webcache port (7785) on the
OID/SSO Server :-
1/.Create a wls_osso.conf file from th...
Setup WebLogic Security Providers
o Authenticator must be configured
for Oracle Internet Directory (OID)
o Identity Assert...
WebLogic Realm Security Providers
Infrastructure Setup Done
Webcache wls1033.gcc.mu:7785
HTTP 11g wls1033.gcc.mu:7777
WebLogic wls1033.gcc.mu:7007
Oracle Si...
Enabling ADF Security
Normal ADF Security
(Not Project related yet)
Authentication
&
ADF application pages Authorization u...
Enabling ADF Security
Jdeveloper creates :
jazn-data.xml: Set security rules & permissions + dev/test
store for testing only (skipped on deploym...
Authentication Type (web.xml)
with Oracle Infrastructure Single sign-on
Remember this is due to Forms/Reports integration ...
Authorization : Roles & Pages Security
oApplication Roles
ADF application specified role, ADF Authorization are set on the...
Authorization (Jazn-data.xml)
What we have at this stage
o A user with an OID account and OID Groups
(enterprise roles) gets a SSO login form to identif...
On each page, we only want
the authorized UI components
to be rendered.
UI components level
Rendering or not a UI component
(button, panel etc..)
JSF Expression Language (EL)
CurrentPeriod <= (l...
Enabling Per Project &
Module Security in ADF
Before proceeding let’s see a normal
navigation use case demo of the
application
Oracle Single Sign-On Login Form
Oracle Infrastructure 10.1.4 Default Login Form
Customized with our logo.
We could (& sho...
List of Projects for which the user
is entitled to at least one Application Module
Was done with ADF 10g, 11g was not yet ...
List of Modules to which the user is
entitled to on the selected Project
Was done with ADF 10g, 11g was not yet released. ...
User can switch Project Context
Within the Same Module
Module
Ex: Button rendered or not
depending on User’s rights
on thi...
Module
Oracle Reports integration
(Report TaskFlow)
Report URL not displayed
Oracle Report Parameter Form
What we do
(Guideline only. To Show extensibility/flexibility of the Framework)
1. User Login is fetched from ADF Context....
6. A “Module access” audit event is logged in the Database
7. When a page is accessed, session parameters are stored (if
n...
Normal EL Expression to check from static role
#{securityContext.userInRole[‘Role Name']}
Custom EL Expression to check fr...
Reusability
Task Flows, Libraries & Page Templates
ADF Framework Base Classes
TaskFlow Workspace
GCCCommon Workspace
Reusability
Task Flows, Libraries, Page templates..
adf-...
Oracle WebCenter
Application Entry point (Portal) + Customization for tasks shortcuts (Approving Requests etc..)
Improve A...
Non-Oracle
Lucas Jellema, Andrejus Baranovski, Chris Muir
Oracle
Frank Nimphius, Grant Ronald, Steve Muench, Duncan Mills
...
ADF EMG
• A place to discuss best practices and methodologies
for JDeveloper ADF enterprise applications
• Founded mid-200...
Thank You
Upcoming SlideShare
Loading in...5
×

Oracle ADF Case Study

4,062

Published on

South African Oracle User Group November 2010 Cape Town presentation

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
4,062
On Slideshare
0
From Embeds
0
Number of Embeds
10
Actions
Shares
0
Downloads
264
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Transcript of "Oracle ADF Case Study"

  1. 1. ADF Security in a Project-Centric Environment An ADF Case Study Jean-Marc Desvaux - General Construction Co.Ltd
  2. 2. Agenda GCC Business Case Security Approach for the overall Ecosystem Enabling ADF Security Enabling Per Project & Module Security in ADF Setting up the Infrastructure
  3. 3. The Business Case
  4. 4. The GCC Business Building & Civil Engineering GCC = Main Contractor = Builders Work mainly Operations in Mauritius Only ~3000 Workforce, ~400 Staff (200 HQ, 200 on Sites).
  5. 5. The GCC IT Team 4 Engineers & Developers  1 ADF dedicated since 2 years + Forms/Reports (6yrs)  1 ADF dedicated since 1 year  1 Forms/Reports dedicated +20yrs (new/reviews & upgrades)  2 of them dealing with overall infrastructure (Installation, Admin of DB,AS,Storage,DR,Firewalls,...) 2 Desktop & Peripheral Support Technicians  Sites Networking Desktop/Clients Configs & Support
  6. 6. Dev Started 1990, Kept Updated & Still Growing… SINGLE ORACLE DATABASE INSTANCE
  7. 7. Today ~1500 Forms & 1500 Reports covering most aspects of line of services/business units (Logistics, Professional Support & Coorporate Services) each backing up Sites Operations
  8. 8. Need for our Sites to be Active Players in this Services Ecosystem We saw there a good case for an ADF transition
  9. 9. Started with ADF 10g, 2 years ago Connecting Sites to the GCC System with ADF Web applications
  10. 10. As we grow with ADF we will replace FORMS slowly across the whole IS
  11. 11. Security Approach for the overall Ecosystem
  12. 12. Site User always works under a Project Context Compared to a Corp.User who works transversely across projects
  13. 13. Security delegated to “Line of Service” Managers where applicable •Each “Line of Service” Manager makes service agreements with Sites defining how they will work :-Who will do what. •“Line of Service” Manager applies Agreement by setting roles in a Security Configuration/Management application.
  14. 14. Security Model for all applications (ADF, Forms & Reports)
  15. 15. 4 “Levels”: OID/SSO, Database, ADF Security & UI OID (LDAP) for USERS and MODULE GROUPS ORACLE Single Sign-On (SSO) DATA MODEL FOR A SECURITY APPLICATION TO DRIVE PER MODULE/PROJECT ROLES ADF SECURITY FOR PAGES ON OID GROUPS ADF UI COMPONENTS RENDERED OR NOT USING EL : CUSTOM CLASSES TO CHECK ROLES FROM THE DATABASE
  16. 16. Security Application Built with both Forms & ADF to support delegation to Line of Service Managers
  17. 17. Users stored in Database + mirrored in OID using dbms_ldap package OID Data
  18. 18. Delegate management of Project/Module Security Module Security Manager
  19. 19. Who can Manage a Module for one or more Projects Grant/Revoke Module Roles to User for Project OID Group Security Management related Forms Module Roles & related privileges Modules When access granted to a first Site, OID updated with module group using dbms_ldap package
  20. 20. Other advantages of using the Database is the integration of security with HR Data New Users are added to the Site from HR Employees data by the Security manager. Auditing Accesses inside the database and Timesheet cross- checking (Absent but logged on, not assigned to a Site but still authorized etc..) When an employee leaves the company, authorization is automatically revoked Ability to do more control as & when needed/decided Security Data is backed up with Database
  21. 21. Setting up the Infrastructure WebLogic, OID & SSO
  22. 22. What we need to integrate OID/SSO with WebLogic Webcache wls1033.gcc.mu:7785 HTTP 11g wls1033.gcc.mu:7777 WebLogic wls1033.gcc.mu:7007 Oracle Single Sign-on/OID Oracle WebTier 11g ADF 11g deployment Oracle Identity Management 10.1.4 “Forms (11g) will not be specifically coded to use, nor tested with Oracle Access Manager. Other Oracle products, such as ADF, Web Center and Portal, will also support Oracle Single-Sign-on. Oracle has plans to support Oracle Access Manager in future versions of Oracle Forms 11g.”
  23. 23. Proxying WebLogic with HTTP 11g WebLogic wls1033.gcc.mu:7007 Webcache wls1033.gcc.mu:7785 HTTP 11g wls1033.gcc.mu:7777
  24. 24. Register the weblogic server URL with webcache port (7785) on the OID/SSO Server :- 1/.Create a wls_osso.conf file from the ssoreg.sh tool on the OID/SSO infra server . 2/.Replace the Weblogic server webtier osso.conf with the generated file 3/.Configure mod_osso.conf to point to the newly copied osso.conf Register HTTP server With the OSSO Infra Server
  25. 25. Setup WebLogic Security Providers o Authenticator must be configured for Oracle Internet Directory (OID) o Identity Assertion Provider must be configured for SSO Oracle WebTier 11g IdM
  26. 26. WebLogic Realm Security Providers
  27. 27. Infrastructure Setup Done Webcache wls1033.gcc.mu:7785 HTTP 11g wls1033.gcc.mu:7777 WebLogic wls1033.gcc.mu:7007 Oracle Single Sign-on/OID Oracle WebTier 11g ADF 11g deployment Oracle Identity Management 10.1.4
  28. 28. Enabling ADF Security Normal ADF Security (Not Project related yet) Authentication & ADF application pages Authorization using OID Groups
  29. 29. Enabling ADF Security
  30. 30. Jdeveloper creates : jazn-data.xml: Set security rules & permissions + dev/test store for testing only (skipped on deployment) What it does .. and updates : web.xml: Set type of Authentication selected. weblogic.xml : where users are mapped to role (by default a generic principal (user) is mapped to a Weblogic role “valid- users” (authenticated user) adf-config.xml: To indicate that ADF security is enabled & handled by JPS (Java Platform Security)
  31. 31. Authentication Type (web.xml) with Oracle Infrastructure Single sign-on Remember this is due to Forms/Reports integration & the following Oracle statement:
  32. 32. Authorization : Roles & Pages Security oApplication Roles ADF application specified role, ADF Authorization are set on these roles. oEnterprise Roles Roles assigned to the ADF user from the Credential/Identity Store (Oracle Internet Directory) oApplication Role is mapped to Enterprise Role allowing developer to use roles and map them later to final Roles. oRoles are applied to pages with View permission Other permissions are only applicable if you use WebCenter
  33. 33. Authorization (Jazn-data.xml)
  34. 34. What we have at this stage o A user with an OID account and OID Groups (enterprise roles) gets a SSO login form to identify himself when trying to access an ADF application (all pages being protected by ADF Security). o Once authenticated, he can navigate to the page if he has the necessary enterprise role (mapped to the application role set to protect the page).
  35. 35. On each page, we only want the authorized UI components to be rendered.
  36. 36. UI components level Rendering or not a UI component (button, panel etc..) JSF Expression Language (EL) CurrentPeriod <= (le for less or equal) Period #{securityContext.userInRole[‘rolename’]} for “static” role We will see later how we use EL to apply per project security
  37. 37. Enabling Per Project & Module Security in ADF
  38. 38. Before proceeding let’s see a normal navigation use case demo of the application
  39. 39. Oracle Single Sign-On Login Form Oracle Infrastructure 10.1.4 Default Login Form Customized with our logo. We could (& should) write a custom Login Form
  40. 40. List of Projects for which the user is entitled to at least one Application Module Was done with ADF 10g, 11g was not yet released. Currently being upgraded to 11g Last Project accessed by the User in last session
  41. 41. List of Modules to which the user is entitled to on the selected Project Was done with ADF 10g, 11g was not yet released. Being upgraded to 11g
  42. 42. User can switch Project Context Within the Same Module Module Ex: Button rendered or not depending on User’s rights on this specific Project
  43. 43. Module
  44. 44. Oracle Reports integration (Report TaskFlow) Report URL not displayed Oracle Report Parameter Form
  45. 45. What we do (Guideline only. To Show extensibility/flexibility of the Framework) 1. User Login is fetched from ADF Context. 2. From a “Project List” module and a “Project Switcher” Taskflow, a selected Project is set in the database. Any direct access to Module takes the Project from the database. 3. When accessing an application we store in the AM Session our context parameters: Project Code, User Login, Module Code,etc.. 4. Module Access Right for Project is checked from the database (in case Module accessed directly via Module URL) 5. Database Client Identifier & Module Environment are set in the Database for Auditing purpose & other needs.
  46. 46. 6. A “Module access” audit event is logged in the Database 7. When a page is accessed, session parameters are stored (if not already done) in a Session bean. 8. User’s Privileges Codes for Module/Project is fetched from the Security Database and stored in HTTP session as a Map. 9. Bind Variables on our View Objects (VOs) are automatically replaced by our parameters value to filter data at VO level when VOs are executed. 10. We have a session bean method (SecurityScope.userinRole) that is used in EL to check Privileges from our HTTP session Map to Render or not a Component.
  47. 47. Normal EL Expression to check from static role #{securityContext.userInRole[‘Role Name']} Custom EL Expression to check from Database privileges Codes assigned to Role #{securityScope.userInRole[‘Priv List Code']}
  48. 48. Reusability Task Flows, Libraries & Page Templates
  49. 49. ADF Framework Base Classes TaskFlow Workspace GCCCommon Workspace Reusability Task Flows, Libraries, Page templates.. adf-extensions project gcc-security project gcc-template Project GCC Apps Module Task Flows …… …… …… …… Application Modules Workspaces Task Flows Workspaces GCC Libraries
  50. 50. Oracle WebCenter Application Entry point (Portal) + Customization for tasks shortcuts (Approving Requests etc..) Improve Application Structure using Catalogs Content Integration & Web 2.0 features (ex: Project Site Communications Module extended with Chat/Forum/Workspace) The Future Potential grounds for improvements Move to Oracle Access Manager (When Forms/Reports support it) & investigate/try to leverage Oracle Entitlement Server “Oracle Entitlements Server is a fine grained authorization engine that externalizes, unifies, and simplifies the management of complex entitlement policies” ADF Mobile Pervasiveness of our Applications (ex: allowing an approval anywhere on site)
  51. 51. Non-Oracle Lucas Jellema, Andrejus Baranovski, Chris Muir Oracle Frank Nimphius, Grant Ronald, Steve Muench, Duncan Mills And more… ADF Experts bloggers Oracle Technology Network (OTN) ADF Code Corner JDev/ADF Forum Tutorials And more.. ADF books Our Main Resources
  52. 52. ADF EMG • A place to discuss best practices and methodologies for JDeveloper ADF enterprise applications • Founded mid-2008, now 400+ members • Focus is Fusion Tech Stack (ADF Faces, ADF BC) • Sessions at ODTUG, OOW • Expert bloggers • Sub Groups: Expert Panel (Ex: Inter-Region communication Expert Panel, Security Expert Panel) http://groups.google.com/group/adf-methodology
  53. 53. Thank You
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×