2. ORACLE APPLICATION DEVELOPMENT FRAMEWORK (ADF)
• Is an end-to-end Java EE framework that is extensible
• Utilizes and adds value to the Java EE platform
• Abstracts Java EE complexity
• Provides declarative and visual development
• Enables developers to focus on the application, not the low-level infrastructure
• Creates reusable and maintainable code
• Uses metadata, simplifying the basic task of wiring user interfaces to services
• Implements Java EE best practices and design patterns, including MVC
Abdulla Alshourbagy (Micky Mouse)
4. ADF SECURITY FRAMEWORK
• The preferred technology to provide authentication and authorization services to the Fusion web application.
• ADF Security is built on top of the Oracle Platform Security Services (OPSS) architecture, which itself is well-integrated with Oracle WebLogic Server.
• ADF Security is ideally suited to provide declarative, permission-based protection for ADF bounded task flows, for top-level web pages that use ADF bindings and, at the lowest level of granularity, for rows of data defined by ADF entity objects and their attributes.
5. INTEGRATION OF ADF SECURITY AND JAVA SECURITY
• The ADF Security model is not based on the URL mapping of a security constraint as exemplified by the Java EE security model.
• Instead, ADF Security implements a Java Authentication and Authorization Service (JAAS) security model.
• The JAAS model is policy-based, is built on the existing Java security model, and integrates with any JAAS implementation, including the Oracle Platform Security Services (OPSS) implementation of the JAAS service.
• ADF Security simplifies the implementation of a JAAS authorization model.
6. ADF SECURITY FRAMEWORK: OVERVIEW
– The ADF security framework provides:
• Standard features required to secure ADF applications
• More granular declarative security
• Hierarchical roles with permission inheritance
• Utility methods for use in EL expressions
• Different access defined for different roles at the same URL
– It uses JAAS enforced by the ADF binding servlet filter.
– It can authenticate users against a resource provider:
• LDAP (Lightweight Directory Access Protocol)
• OID (Object Identifiers)
• XML-based
7. ADF SECURITY-AWARE RESOURCES:
• ADF bounded task flow protects the entry point to the task flow
• ADF page definition files associated with web pages not contained by a bounded task flow
• ADF entity objects and attributes of entity objects that reference rows of data and help define collections for display in the user interface
8. ADF Security Process Overview:
As you create the user interface for your application, you may run the Configure ADF Security wizard at any time. You may choose to:
• Iterate between creating web pages in the UI project and defining security policies on their associated ADF resources
• Complete all of the web pages in the UI project and then define security policies on their associated ADF resources
9. • Authentication: Is this user allowed to access this application?
• Authorization: Is this user’s role allowed to access this resource?
13. CHOOSING THE AUTHENTICATION TYPE
Most commonly used:
– HTTP basic authentication:
• It uses the browser login dialog box.
• Cached credentials prevent logout.
– Form-based authentication: Developer-designed login page
14. CONFIGURE ADF SECURITY WIZARD: CHOOSING THE WELCOME PAGE
– Specify page where user should go upon authentication
– Ignored if page specified on URL
– If no page specified, user returns to the login page
15. ENABLING USERS TO ACCESS RESOURCES
To give users access:
– Define a security realm in the identity store: (Enterprise Role)
• Create users.
• Create roles.
• Assign users to roles.
– Define an application policy in the policy store: (Application Role)
• Create application roles.
• Map the identity roles to the application roles.
• Grant the application roles access to resources.
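The steps for giving users access, written out as a file-based policy (jazn-data.xml) that ends in a grant on one bounded task flow. This is an added illustration, not taken from the slides: every user, role, application and task flow name is constructed, and the element layout is an assumption to check against what the JDeveloper security editor generates.

```xml
<jazn-data>
  <!-- Identity store: users, enterprise roles, membership (all names constructed) -->
  <jazn-realm default="jazn.com">
    <realm>
      <name>jazn.com</name>
      <users><user><name>example_user</name></user></users>
      <roles>
        <role>
          <name>example_enterprise_role</name>
          <members><member><type>user</type><name>example_user</name></member></members>
        </role>
      </roles>
    </realm>
  </jazn-realm>
  <!-- Policy store: application roles, role mapping, grants -->
  <policy-store>
    <applications><application>
      <name>ExampleApp</name>
      <app-roles>
        <app-role>
          <name>example_app_role</name>
          <class>oracle.security.jps.service.policystore.ApplicationRole</class>
          <!-- Map the enterprise role onto the application role -->
          <members><member>
            <class>oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl</class>
            <name>example_enterprise_role</name>
          </member></members>
        </app-role>
      </app-roles>
      <jazn-policy>
        <grant>
          <grantee><principals><principal>
            <class>oracle.security.jps.service.policystore.ApplicationRole</class>
            <name>example_app_role</name>
          </principal></principals></grantee>
          <!-- Grant names the application role, never a user or enterprise role -->
          <permissions><permission>
            <class>oracle.adf.controller.security.TaskFlowPermission</class>
            <name>/WEB-INF/example-task-flow.xml#example-task-flow</name>
            <actions>view</actions>
          </permission></permissions>
        </grant>
      </jazn-policy>
    </application></applications>
  </policy-store>
</jazn-data>
```

When reviewing such a file, check that every grantee is an application role and that each application role's members are enterprise roles rather than individual users, so access changes are made in the identity store without touching the policy.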
17. GRANTING PERMISSIONS TO ROLES
You can associate roles to grants on resources:
– Groups of pages: Bounded task flows
– Individual pages: Page definitions *
– Rows: Entity objects or attributes
18. SECURING GROUPS OF PAGES (BOUNDED TASK FLOWS)
– Prevent unauthorized access to secured task flows.
– Provide developers with the ability to:
• Secure a bounded task flow as a logical entity
• Write security-aware bounded task flows and pages
19. SECURING INDIVIDUAL PAGES (PAGE DEFINITIONS)
– Determines whether the user is allowed to navigate to (view) a page
– Not needed on pages in secured task flows
20. GRANTING PRIVILEGES ON ENTITY OBJECTS OR ATTRIBUTES
– In the Structure window, right-click the entity object or attribute and select Edit Authorization.
– Select privileges to grant to application roles.
Two types:
• On attribute
• On entity
21. SECURING ROW DATA (ENTITY OBJECTS OR ATTRIBUTES)
You can enable security on:
– Entire entity objects
– Individual attributes: