Revised Adf security in a project centric environment

Presented at the Oracle Virtual Dev Day conference in 2011.
Check the full-day agenda & on-demand sessions at:
http://www.oracle.com/technetwork/community/developer-day/virtual-dev-day-rea-369353.html


  1. ADF Security in a Project-Centric Environment: An ADF Case Study. Jean-Marc Desvaux, General Construction Co. Ltd
  2. ADF EMG (http://groups.google.com/group/adf-methodology)
     • A place to discuss best practices and methodologies for JDeveloper ADF enterprise applications
     • Founded mid-2008 by Chris Muir, now 600+ members
     • Focus is the Fusion Tech Stack (ADF Faces, ADF BC)
     • Online forum plus sessions at major Oracle conferences (OOW, ODTUG, UKOUG, DOAG…)
  3. About me: Head of Information Systems of a construction company based in the Republic of Mauritius. 20+ years of experience with Oracle technologies: Database, Development Tools and Middleware. twitter/jmdesvaux, jmdesvaux.blogspot.com
  4. Agenda: The GCC Business Case; The Security Problem & the Approach Taken; Setting up the Infrastructure; Enabling ADF Security; Enabling Per Project & Module Security in ADF
  5. The Business Case
  6. The GCC Business: Building & Civil Engineering. GCC = Main Contractor = Builders. Operations mainly in Mauritius only. ~3000 workforce, ~400 staff (200 at HQ, 200 on sites).
  7. The GCC IT Team
     • 4 engineers & developers:
       1 ADF dedicated for 2 years + Forms/Reports (6 yrs)
       1 ADF dedicated for 1 year
       1 Forms/Reports dedicated, 20+ yrs
       2 dealing with overall infrastructure: DB, AS, firewalls…
     • 2 desktop & peripheral support technicians: site networking, desktop/client configs & support
  8. Development started in 1990, kept updated & still growing… on a single Oracle database instance.
  9. Today ~1500 Forms & 1500 Reports covering most aspects of the lines of service/business units (Logistics, Professional Support & Corporate Services), each backing up site operations.
  10. Need for our sites to be active players in this services ecosystem. We saw there a good case for an ADF transition.
  11. Connecting sites to the GCC system with ADF web applications
  12. The Security Problem & the Approach Taken
  13. A corporate user works transversely across projects. A site user always works under a Project Context.
  14. Security is delegated to "Line of Service" managers. Each "Line of Service" manager makes service agreements with sites defining how they will work: who will do what. The "Line of Service" manager applies the agreement by setting roles in a Security Configuration/Management application.
  15. Security model for all applications (ADF, Forms & Reports)
  16. Blocks involved to implement it: OID/SSO, Database, ADF Security & UI
     • OID (LDAP) for users and module groups
     • Oracle Single Sign-On (SSO)
     • Data model for a security application to drive per module/project roles
     • ADF Security for pages, based on OID groups
     • ADF UI components rendered or not using EL: custom classes to check roles from the database
  17. Delegation of management of Project/Module security: the Module Security Manager
  18. Security management related Forms modules:
     • Who can manage a module for one or more projects (OID group)
     • Module roles & related privileges
     • Grant/revoke module roles to a user for a project
     • When access is granted to a first site, OID is updated with the module group using the dbms_ldap package
  19. Other advantages of using the database: the integration of security with HR data
     • New users are added to the site from HR employee data by the security manager
     • Auditing accesses inside the database and timesheet cross-checking (absent but logged on, not assigned to a site but still authorized, etc.)
     • When an employee leaves the company, authorization is automatically revoked
     • Ability to do more control as & when needed/decided
     • Security data is backed up with the database
  20. Setting up the Infrastructure
  21. How to integrate OID/SSO with WebLogic. "Forms (11g) will not be specifically coded to use, nor tested with Oracle Access Manager. Other Oracle products, such as ADF, Web Center and Portal, will also support Oracle Single-Sign-on. Oracle has plans to support Oracle Access Manager in future versions of Oracle Forms 11g." Diagram: Oracle WebTier 11g (Webcache wls1034.gcc.mu:7785, HTTP 11g wls1034.gcc.mu:7777); Oracle Identity Management 10.1.4 (Oracle Single Sign-on/OID); WebLogic wls1034.gcc.mu:7007 (ADF 11g deployment)
  22. Proxying WebLogic with HTTP 11g: Webcache wls1034.gcc.mu:7785 -> HTTP 11g wls1034.gcc.mu:7777 -> WebLogic wls1034.gcc.mu:7007
  23. Register the HTTP server with the OSSO infra server. Register the WebLogic server URL with the Webcache port (7785) on the OID/SSO server:
     1/. Create a wls_osso.conf file with the ssoreg.sh tool on the OID/SSO infra server.
     2/. Replace the WebLogic server webtier osso.conf with the generated file.
     3/. Configure mod_osso.conf to point to the newly copied osso.conf.
  24. Setup WebLogic security providers: an Authenticator must be configured for Oracle Internet Directory (OID); an Identity Assertion Provider must be configured for SSO. (Diagram: Oracle WebTier 11g, IdM)
  25. WebLogic realm security providers
  26. Infrastructure setup done: Oracle WebTier 11g (Webcache wls1034.gcc.mu:7785, HTTP 11g wls1034.gcc.mu:7777); Oracle Identity Management 10.1.4 (Oracle Single Sign-on/OID); WebLogic wls1034.gcc.mu:7007 (ADF 11g deployment)
  27. Enabling ADF Security
  28. Enabling ADF Security
  29. What is done at the back... JDeveloper creates:
     • jazn-data.xml: sets security rules & permissions + a dev/test store for testing only (skipped on deployment)
     and updates:
     • web.xml: sets the type of authentication selected
     • weblogic.xml: where users are mapped to roles (by default a generic principal (user) is mapped to the WebLogic role "valid-users", i.e. any authenticated user)
     • adf-config.xml: indicates that ADF security is enabled & handled by JPS (Java Platform Security)
  30. Authentication type (web.xml) with Oracle Infrastructure Single Sign-On
  31. Authorization: roles & page security
     • Application Roles: roles specified in the ADF application; ADF authorizations are set on these roles
     • Enterprise Roles: roles assigned to the ADF user from the credential/identity store (Oracle Internet Directory)
     • An Application Role is mapped to an Enterprise Role, allowing the developer to use roles and map them later to the final roles
     • Roles are applied to pages with the "View" permission; other permissions are only applicable if you use WebCenter
  32. Authorization (jazn-data.xml)
  33. What we have at this stage: a user with an OID account and OID groups (enterprise roles) gets an SSO login form to identify himself when trying to access an ADF application (all pages being protected by ADF Security). Once authenticated, he can navigate to the page if he has the necessary enterprise role (mapped to the application role set to protect the page).
  34. On each page, we only want the authorized UI components to be rendered…
  35. UI component level: rendering or not a UI component (button, panel, etc.) with JSF Expression Language (EL). Example condition: CurrentPeriod <= Period (written with le, less or equal, in EL). #{securityContext.userInRole['rolename']} for a "static" role.
  36. Enabling Per Project & Module Security in ADF
  37. Application navigation use case (application screenshots)
  38. Oracle Single Sign-On login form: the Oracle Infrastructure 10.1.4 default login form customized with our logo. One could write a custom login form.
  39. List of projects for which the user is entitled to at least one application module
  40. List of modules to which the user is entitled on the selected project
  41. Module: the user can switch project context within the same module. Actions are available or not depending on the user's rights on this specific project and module.
  42. Oracle Reports integration (Report TaskFlow): Oracle Report parameter form; the report URL is not displayed.
  43. How it works (guideline only, to show the extensibility/flexibility of the framework):
     1. The user login is fetched from the ADF context.
     2. From a "Project List" module and a "Project Switcher" taskflow, the selected project is set in the database. Any direct access to a module takes the project from the database.
     3. When accessing an application we store our context parameters in the AM session: project code, user login, module code, etc.
     4. The module access right for the project is checked from the database (in case the module is accessed directly via the module URL).
     5. The database client identifier & module environment are set in the database for auditing purposes & other needs.
  44. How it works, continued:
     6. A "Module access" audit event is logged in the database.
     7. When a page is accessed, the session parameters are stored (if not already done) in a session bean.
     8. The user's privilege codes for the module/project are fetched from the security database and stored in the HTTP session as a Map.
     9. Bind variables on our View Objects (VOs) are automatically replaced by our parameter values to filter data at VO level when the VOs are executed.
     10. We have a session bean method (SecurityScope.userInRole) that is used in EL to check privileges from our HTTP session Map and render or not a component.
  45. Normal EL expression to check a static role: #{securityContext.userInRole['Role Name']}. Custom EL expression to check the database privilege codes assigned to the role: #{securityScope.userInRole['Priv List Code']}
  46. Reusability: Task Flows, Libraries & Page Templates
  47. Reusability: Task Flows, Libraries, Page Templates… (Diagram: ADF Framework base classes; GCC Common workspace with the gcc adf-extensions, gcc-security and gcc-template projects; Libraries; Application Modules in GCC Apps workspaces; Module Task Flows in TaskFlow workspaces)
  48. The future, potential grounds for improvement:
     • Oracle Access Manager, when Forms/Reports support it
     • Oracle WebCenter: application entry point (portal) + customization for task shortcuts (approving requests etc.); improve the application structure using catalogs; content integration & Web 2.0 features (ex: Project Site Communications module extended with chat/forum/workspace)
     • ADF Mobile: pervasiveness of our applications (ex: allowing an approval anywhere on site)
  49. Our main resources: Oracle Technology Network (OTN): ADF Code Corner, JDev/ADF Forum, tutorials and more. ADF expert bloggers, non-Oracle: Lucas Jellema, Andrejus Baranovski, Chris Muir, …; Oracle: Frank Nimphius, Grant Ronald, Steve Muench, Duncan Mills, … and more. ADF books.
  50. More info on this ADF case study and other case studies: http://tinyurl.com/2e7y3zp or from the OTN JDeveloper page: http://www.oracle.com/technetwork/developer-tools/jdev/overview/index.html
  51. Thank You.
  52. VO bind variables are automatically replaced by our parameter values to filter data per project at VO level. Parameter naming convention: parameter names must be consistent; for example, a projectCode parameter defined in the AM must have the same name as the VO bind variable. All View Objects use a custom base class "BaseFilteredViewObject" where executeQuery and executeQueryForCollection are overridden:

        import oracle.jbo.Variable;
        import oracle.jbo.VariableValueManager;
        import oracle.jbo.server.ViewObjectImpl;

        public class BaseFilteredViewObject extends ViewObjectImpl {

            @Override
            public void executeQuery() {
                setGlobalVariablesValues();
                super.executeQuery();
            }

            @Override
            protected void executeQueryForCollection(Object qc, Object[] params, int noUserParams) {
                setGlobalVariablesValues();
                super.executeQueryForCollection(qc, params, noUserParams);
            }

            // Fill every unset WHERE-clause bind variable from the AM session user data
            // (project code, user login, module code, ...) stored under the same name.
            private void setGlobalVariablesValues() {
                VariableValueManager vm = ensureVariableManager();
                Variable[] vars = vm.getVariablesOfKind(Variable.VAR_KIND_WHERE_CLAUSE_PARAM);
                for (Variable var : vars) {
                    Object voVarValue = vm.getVariableValue(var.getName());
                    if (voVarValue == null || voVarValue.toString().isEmpty()) {
                        vm.setVariableValue(var.getName(),
                            getApplicationModule().getSession().getUserData().get(var.getName()));
                    }
                }
            }
        }
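Slides 44 and 45 describe a session bean method (SecurityScope.userInRole) used in EL to render or hide a component from the privilege codes that step 8 placed in the HTTP session Map; the class below is an added illustration of that pattern, not the presentation's or GCC's own code. It assumes the bean is registered as a session-scoped managed bean named securityScope, that the privilege codes for the current module/project were stored as a Set<String> under the hypothetical session key gccPrivCodes, and that a comma-separated "Priv List Code" means any one of the listed codes is sufficient.

```java
package gcc.security; // hypothetical package name

import java.util.AbstractMap;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import javax.faces.context.FacesContext;

/** Backs the custom EL #{securityScope.userInRole['PRIV_CODE']}. */
public class SecurityScope {

    // Assumed session attribute filled by the step that loads privilege codes
    // for the current module/project from the security database.
    static final String PRIV_SESSION_KEY = "gccPrivCodes";

    /** Map view so EL can index it: userInRole['CODE'] or userInRole['CODE_A,CODE_B']. */
    public Map<String, Boolean> getUserInRole() {
        final Set<String> privs = currentPrivileges();
        return new AbstractMap<String, Boolean>() {
            @Override
            public Boolean get(Object key) {
                // Fail closed: no key or no loaded privileges means "not rendered".
                if (key == null || privs.isEmpty()) {
                    return Boolean.FALSE;
                }
                for (String code : key.toString().split(",")) {
                    if (privs.contains(code.trim().toUpperCase())) {
                        return Boolean.TRUE;
                    }
                }
                return Boolean.FALSE;
            }
            @Override
            public Set<Map.Entry<String, Boolean>> entrySet() {
                return Collections.emptySet(); // EL only calls get(); nothing to iterate
            }
        };
    }

    @SuppressWarnings("unchecked")
    private Set<String> currentPrivileges() {
        FacesContext fc = FacesContext.getCurrentInstance();
        if (fc == null) {
            return Collections.emptySet();
        }
        Object o = fc.getExternalContext().getSessionMap().get(PRIV_SESSION_KEY);
        return (o instanceof Set) ? (Set<String>) o : Collections.<String>emptySet();
    }
}
```

Hiding a component with rendered="#{securityScope.userInRole['PRIV_CODE']}" only affects the UI; the database check of the module access right (step 4) and the ADF page permissions remain the server-side enforcement points.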
