Java Developer
ORACLE ADF BY FRANK NIMPHIUS
Security for Everyone
Protect your Oracle ADF applications from unauthorized access using the Oracle ADF Security feature.
ORACLE JDEVELOPER and ORACLE APPLICATION DEVELOPMENT FRAMEWORK
Historically, Java EE developers have used container-managed security and Java Authentication and Authorization Service (JAAS) to implement security in their applications. For implementing security in Oracle Application Development Framework (Oracle ADF) and Oracle Fusion Middleware applications, however, Oracle provides Oracle platform security services, an integrated security environment that builds on the underlying Java EE standards and is portable across application servers.

The Oracle ADF Security feature provides a declarative and visual development environment for building Oracle platform security services–based security into Oracle ADF applications. Together, Oracle ADF Security and Oracle platform security services enable developers to focus more on what needs to be protected than on how it should be protected.

This article introduces Oracle ADF Security and shows how developers can use it to implement security within their enterprise Oracle ADF applications.

INTRODUCING ORACLE ADF SECURITY AND ORACLE PLATFORM SECURITY SERVICES

Three key concepts are critical in understanding Oracle ADF Security and Oracle platform security services: user identities, enterprise roles, and application roles.

User identities define users in an enterprise. Users—such as company employees—usually have a single username/password pair they use to authenticate themselves to applications within an organization. A user identity defines only who the user is—it does not define any access privileges.

To ease system deployment, administrators often organize users into enterprise roles, which provide a way to manage groups of users who have similar requirements when accessing enterprise resources. For example, employees may all be grouped into an enterprise role called Employees to give them access to all employee self-service applications within an enterprise. From an administrative point of view, it is easier to add users to or remove them from an enterprise role than to maintain individual user grants for an application.

Application roles are specific to an application and are used to grant privileges to users defined in enterprise roles. Application roles make it possible for all users who belong to an enterprise role (such as Employees) to have specific access privileges defined for various applications. For users within an enterprise role to work within an application, application roles must be granted to the enterprise role. Application roles can be granted directly to users, but this practice is rare and is not considered good programming design.

Figure 1 shows the Oracle platform security services architecture, both at design time in Oracle JDeveloper and at runtime in Oracle WebLogic Server. At design time, user identities, enterprise roles, and security policies are defined in a local file called jazn-data.xml. It is located in the src\META-INF directory of the application root folder on the file system.

For testing applications by using Oracle WebLogic Server integrated with Oracle JDeveloper, security policies defined in jazn-data.xml are copied into the system-jazn-data.xml policy file in the config\fmwconfig directory of the target Oracle WebLogic Server domain. In this scenario, user identities and enterprise roles defined in the jazn-data.xml file are deployed to the integrated Oracle WebLogic Server in Oracle JDeveloper.

In a production environment, user identities and enterprise roles defined in the application jazn-data.xml file generally cannot be deployed to Oracle WebLogic Server instances. On a production server, user authentication is instead performed with the identity management system set up for the enterprise. Typical mechanisms include LDAP, RDBMS, Oracle Internet Directory, and Microsoft’s Active Directory.

SAMPLE APPLICATION OVERVIEW

This article walks through a sample application designed to show how Oracle ADF Security and Oracle platform security services work. You can download this application, containing configuration and code examples for you to explore at design time and
[Figure 1 (diagram not reproduced). Oracle JDeveloper, design time: users, groups, roles, permissions and an authentication servlet, configured in web.xml, adf-config.xml, jazn-data.xml and weblogic.xml. Deployed to Oracle platform security services on Oracle WebLogic Server, runtime: users and enterprise roles; system-jazn-data.xml holding application roles and grants (permission target, permission class, actions); a credential store; and an identity store of enterprise users and enterprise groups backed, through a LoginModule, by RDBMS, Oracle Internet Directory, Oracle Virtual Directory, LDAP or Active Directory.]
Figure 1: Oracle ADF Security design time and runtime architecture
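As an added illustration that is not from the article or its downloadable sample application, the following design-time jazn-data.xml maps the three concepts onto the file: a user identity (sking), an enterprise role (employees) that only records membership, an application role (hr-user) granted to the enterprise role rather than to the user, and a grant whose permission class, target and actions correspond to the runtime policy-store entries in Figure 1. The application name, user, role names, page definition name and credential are all assumed values; the class names are the ones Oracle ADF Security and Oracle platform security services use for application roles, WebLogic groups and page-definition (region) permissions.

```xml
<!-- Added example, not the article's sample application; all names are assumed, the credential is a placeholder -->
<jazn-data>
  <!-- Identity store (design time only): user identities and the enterprise roles they belong to -->
  <jazn-realm default="jazn.com">
    <realm>
      <name>jazn.com</name>
      <users>
        <user><name>sking</name><credentials>{PLACEHOLDER-obfuscated-password}</credentials></user>
      </users>
      <roles>
        <role>  <!-- enterprise role: membership only, it carries no privileges -->
          <name>employees</name>
          <members><member><type>user</type><name>sking</name></member></members>
        </role>
      </roles>
    </realm>
  </jazn-realm>
  <!-- Policy store: application roles, and the grants that carry the actual privileges -->
  <policy-store>
    <applications>
      <application>
        <name>MyApp</name>
        <app-roles>
          <app-role>  <!-- application role granted to the enterprise role, not directly to the user -->
            <name>hr-user</name>
            <class>oracle.security.jps.service.policystore.ApplicationRole</class>
            <members><member>
              <class>weblogic.security.principal.WLSGroupImpl</class><name>employees</name>
            </member></members>
          </app-role>
        </app-roles>
        <jazn-policy>
          <grant>
            <grantee><principals><principal>
              <class>oracle.security.jps.service.policystore.ApplicationRole</class><name>hr-user</name>
            </principal></principals></grantee>
            <permissions>
              <permission>  <!-- permission class, target (a page definition) and actions, as in Figure 1 -->
                <class>oracle.adf.share.security.authorization.RegionPermission</class>
                <name>com.example.view.pageDefs.EmployeesPageDef</name>
                <actions>view</actions>
              </permission>
            </permissions>
          </grant>
        </jazn-policy>
      </application>
    </applications>
  </policy-store>
</jazn-data>
```

Only the policy-store half is what gets copied into system-jazn-data.xml for the integrated server; on a production server the jazn-realm users and roles are replaced by the enterprise identity store, so a policy that grants application roles to enterprise roles (not to individual users) survives that move unchanged.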
ORACLE MAGAZINE JANUARY/FEBRUARY 2012