Partner Webcast – Oracle ADF Security & Best Practices - 28 August 2012

“This slide format serves to call attention to a quote from a prominent customer, executive, or thought leader in regards to a particular topic.” Name Title, Company Name CUSTOMER LOGOblogs.oracle.com/IMC 1 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

ISV Migration Center Team• Who we Are ISV Migration Center Team is a team of senior technical consultants based in Eastern and Central Europe and represents Oracles technical investment for partners.• Mission Statement Enable partners to rapidly and successfully adopt and implement Oracle latest technology• What do we Offer Whether you are selling Oracle technology, building business solutions, including hosted Internet solutions or providing system integration and implementation services for Oracle technology, IMC Team can help you succeed.• How can we assist We offer a wide range of free services for partners such as one2one assistance, webinars, seminars and hands-on workshops. ISV Migration Center blog: http://blogs.oracle.com/imc 3 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

Program Agenda • Security Risks, Patterns and Best Practices • Oracle Platform Security Services and ADF Security • Designing Security into ADF applications • Deploying and Configuring security enabled ADF applications on WebLogic Server4 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

Application security encompasses measures taken throughout the applications life-cycle to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrade, or maintenance of the application.Wikipediahttp://en.wikipedia.org/wiki/Security5 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

OWASP Top 10 Application Security Risks 1. Injection 2. Cross-Site Scripting (XSS) 3. Broken Authentication and Session Management 4. Insecure Direct Object References 5. Cross-Site Request Forgery (CSRF)6 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

OWASP Top 10 Application Security Risks 6. Security Misconfiguration 7. Insecure Cryptographic Storage 8. Failure to Restrict URL access 9. Insufficient Transport Layer Protection 10. Unvalidated Redirects and Forwards7 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

Security Design Patterns • Single Access Point – A security model is difficult to validate when it has multiple “front doors,” “back doors,” and “side doors” for entering the application. – Set up only one way to get into the system, and if necessary, create a mechanism for deciding which sub-applications to launch. • Check Point – An application needs to be secured from break-in attempts, and appropriate actions should be taken when such attempts occur. – Create an object that encapsulates the algorithm for the enterprises security policy.8 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

Security Design Patterns • Role-Based Access Control – Users have different security profiles, and some profiles are similar. If the user base is large enough or the security profiles are complex enough, then managing user-privilege relationships can become difficult. – Create one or more role objects that define the permissions and access rights that groups of users have. • Session – Many objects need access to shared values, but the values are not unique throughout the system. – Create a Session object, which holds all of the variables that need to be shared by many objects.9 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

Security Design Patterns • Full View With Errors – Users should not be allowed to perform illegal operations. – Design the application so users see everything that they might have access to. • Limited View – Only let the users see what they have access to. • Secure Access Layer – Application security will be insecure if it is not properly integrated with the security of the external systems it uses.10 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

What is OPSS• An acronym for Oracle Platform Security Services• The Oracle security platform for developers• Derived out of JAZN, JPS and CSS• Portable security services abstraction layer designed to save development time and effort by providing a consistent security experience across different platforms and environments• Provides basic security services such as authentication, authorization, auditing, role management, and credential management. 12 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

Oracle Products using OPSS Product Name What It Does How It Uses OPSS Oracle ADF / WebCenter ADF is the framework used to Uses CSS for authentication and JPS for authorization (JAAS). Leverages develop WebCenter applications application role, anonymous and authenticated role, policy store abstraction, (portlets, etc.) policy management, credential store framework Oracle Web Services Manager Provides SOA and web services Leverages JPS for authorization, key store services, and audit (OWSM) security Oracle SOA Suite Provides applications designed to Uses CSS for authentication and JPS for authorization and audit deploy SOA environments (BPEL, ESB, etc.) Oracle Service Bus (OSB) Connects, mediates, and manages Uses CSS for authentication, identity assertion, authorization, role mapping, SOA composites interaction credentials mapping, cert. lookup, audit, SSO, SSPI framework for third-party integration Oracle Entitlements Service (OES) Provides externalized fine-grained Uses CSS for authentication, identity assertion, authorization, role mapping, authorization credentials mapping, cert. lookup, audit. WebLogic Server (WLS) Container Java EE server / container Uses CSS for authentication, identity assertion, authorization, role mapping, credentials mapping, cert. lookup, audit, SSO, SSPI framework for third-party integration13 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

OPSS architecture for WLSOracle JDeveloper - Designtime Oracle WebLogic Server (OPSS) - Runtime Authentication system-jazn-data.xml web.xml servlet Application Target Permission Grants Usersadf-config.xml Users Permission class Roles Groups Enterprise Rolesjazn-data.xml Actions Rolesweblogic.xml Permissions Credential Store RDBMS Identity Store OID Enterprise Enterprise OVD Users Groups LDAP Deploy Active Directory LoginModule 15 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

ADF Security • Provides declarative protection for ADF applications • Designed to simplify security in ADF applications • Enforces JEE authentication – Delegated to WebLogic Server Authentication Providers – Easy to configure via the "ADF Security Wizard" • ADF bindings protected by JAAS based Authorization – Leverages EL to protect UI components • Provides support for XML & LDAP providers • Integrated with JDeveloper design time and WLS16 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

ADF Security • Task Flow Security • ADF Security protects task flows based on JAAS permissions independently from the availability of ADF bindings. • Bounded task flows are secured by default. • ADF Page Security • Page definitions are secured by default. • Page-level security is not checked within bounded task flows. • Use nested task flows to add extra security to a page17 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

ADF Security Policy Configuration Enable/ Disable Security Create Policy Roles Define custom permissions Group resource grants Define EAR settings Model IDM - Users - Groups 21 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

ADF & OPSS Integration What Happens When You Enable ADF Security • web.xml – Defines the Oracle JpsFilter filter to set up the OPSS policy provider. – Adds, ADF authentication servlet to trigger Java EE authentication. – Defines required security roles. • adf-config.xml – Defines JAAS security context – Enables the use of ADF security policies for permission checking. – Enables the use of the ADF authentication servlet. – Enables the use of ADF Security security policies for permission checking.22 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

ADF & OPSS Integration What Happens When You Enable ADF Security • jps-config.xml – Defines the Oracle Platform Security Services context. • weblogic.xml – Maps the valid-users security role to the Oracle Platform Security Services principal users. • jazn-data.xml – Sets the default jazn.com realm name for the XML identity store that you configure for use with Integrated WebLogic Server.23 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

QuestionsGokhan GungorOracle ISV Migration Center FMW Consultantgokhan.gungor@oracle.comISV Migration Center blog: http://blogs.oracle.com/imc 25 Copyright © 2011, Oracle and/or its affiliates. All rights ©2011 Oracle Corporation reserved.

“This slide format serves to call attention to a quote from a prominent customer, executive, or thought leader in regards to a particular topic.” Name Title, Company Name CUSTOMER LOGOblogs.oracle.com/IMC 26 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

Partner Webcast – Oracle ADF Security & Best Practices - 28 August 2012

by Oracle ISV Migration Center on Aug 28, 2012

Accessibility

Categories

Upload Details

Usage Rights

2 Embeds 3

Statistics