Another custom resource permission in the sample application is
PanelTabProtection, which Oracle ADF
Security EL checks in the rendered attribute
of the af:showDetailItem component that
represents the HR Managers Only tab.
In the Security Policy editor, the
Entitlement Grants tab enables you to group
resources that have the same access protection requirements to be granted in a single
grant statement. The concept of entitlements in Oracle ADF Security simplifies
security administration, because you don’t
need to grant access to individual resources.
Instead, you can perform grants by using a
single bulk statement.
The sample application has a single
Public Task Flows entitlement defined,
which references all task flows accessible to
all employees.
To create new entitlements in your
custom project, click the green plus (+) icon
next to the Entitlements header and define a
name for the new security group. Then click
the green plus (+) icon on the Resources tab
to choose the resources to combine in this
entitlement. When selecting a resource type
in the Select Resources dialog box, ensure
that the Resource Projects field contains the
name of the project that holds the resource.
If a project is not shown, use the magnifier
icon to add it to the list of projects.
In Oracle JDeveloper 11g Release 2,
entitlements can contain only resources that
are defined in application projects. To secure
resources stored in Oracle ADF libraries, use
the Resource Grants option. After defining
the resources in an entitlement, you select
the resource action to be granted to an
application role. To grant an entitlement to
an application role, select the Grants tab and
click the green plus (+) icon to choose one or
many application roles.
USING SECURITY EXPRESSIONS
For checking security in the user interface
or in the Oracle ADF binding layer, Oracle
ADF provides the following set of specialized
security expressions:
• #{securityContext.authenticated}
• #{securityContext.userName}
• #{securityContext.userInRole['roleList']}
• #{securityContext.userInAllRoles['roleList']}
• #{securityContext.taskflowViewable['target']}
• #{securityContext.regionViewable['target']}
• #{securityContext.userGrantedResource['permission']}
• #{securityContext.userGrantedPermission['permission']}
To add a security expression to a user
interface component, select the component
in the visual page editor and open the
Property Inspector. Click the down-arrow
icon to the right of the property to which you
want to add the expression (such as the
disabled property of an af:showDetailItem in
a panel tab). Choose Expression Builder from
the context menu that appears.
In the Expression Builder, expand the ADF
Bindings node and the securityContext node
it contains. To get help on how to use an
expression, expand the Description node at
the bottom of the expression editor.
The sample application uses security
expressions on the Home.jsf page to enable
and disable panel tabs, based on the user
authentication state and that person’s role
membership. The browse-employees-btf.xml
task flow definition in the WEB-INF\regions
folder uses a security expression on
the edit-employees-flow-btf task flow
call activity to skip the train stop for all users
except HR managers.
USING JAVA FOR SECURITY
All permissions in Oracle ADF Security
are represented at runtime by a Java class
that can be instantiated and dynamically
checked. Commonly used classes are:
• oracle.security.jps.ResourcePermission, for
custom resource definitions
• oracle.adf.controller.security.TaskFlowPermission,
for bounded task flows
• oracle.adf.share.[…].RegionPermission, for
page permissions in unbounded task flows
• oracle.adf.share.[…].EntityPermission, for
entities
• oracle.adf.share.[…].EntityAttributePermission,
for entity attribute permissions
The sample application checks Oracle
ADF Security from Java in two places: in the
EmployeesImpl.java file in the Model project
and in the UserSearchBean.java managed
bean in the ViewController project. The
entity implementation class has a security
check for a custom resource permission that
allows managers (such as ahunold) to update
employee salaries for newly created employee
records. The permission check in the
managed bean verifies the user privilege to
access the task flow referenced by a dynamic
region and returns an empty region if
permission is not granted. This check is also an
example of defense in depth, in that task flow
security is also checked by the framework.
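The following class is an added example, not code from the article or from the sample application. It shows the two Java-side checks described above (the custom resource permission consulted from the entity implementation and the task flow permission consulted from the dynamic-region managed bean) written against the Oracle ADF Security API, and it notes beside each check the security expression from the previous section that performs the same test from a page. The package name, the resource type and name used for the salary check (EmployeeSalary/Salary), the resource name HRManagersTab for the PanelTabProtection type, and the exact task flow id are assumptions; only the PanelTabProtection type, the edit-employees-flow-btf task flow and the class names come from the article.

```java
// Added example, not the article's or the sample application's code.
// Assumed: package name, resource type "EmployeeSalary" with resource "Salary",
// resource name "HRManagersTab" under the article's "PanelTabProtection" type,
// and the task flow id for edit-employees-flow-btf.
package com.example.adfsecurity; // hypothetical package

import oracle.adf.controller.security.TaskFlowPermission;
import oracle.adf.share.ADFContext;
import oracle.adf.share.security.SecurityContext;
import oracle.jbo.JboException;
import oracle.security.jps.ResourcePermission;

public final class AdfSecurityChecks {

    private AdfSecurityChecks() {
    }

    /** The same SecurityContext that backs the #{securityContext...} expressions. */
    private static SecurityContext securityContext() {
        return ADFContext.getCurrent().getSecurityContext();
    }

    /**
     * Entity-side check: an EmployeesImpl.setSalary(...) override would call this
     * before delegating to the generated setter. Java equivalent of
     *   #{securityContext.userGrantedResource['resourceName=Salary;resourceType=EmployeeSalary;action=update']}
     * Only a new (not yet posted) row may have its salary set, and only by a user
     * who holds the custom resource permission; every other case is rejected.
     */
    public static void requireSalaryUpdateAllowed(boolean rowIsNew) {
        ResourcePermission salaryUpdate =
                new ResourcePermission("EmployeeSalary", "Salary", "update");
        if (!rowIsNew || !securityContext().hasPermission(salaryUpdate)) {
            // Enforcing in the model layer keeps the rule in force even if a page
            // forgets to disable the field; the UI check is a separate layer.
            throw new JboException(
                    "Salary can only be set on new records by an authorized manager");
        }
    }

    /**
     * Managed-bean check for a dynamic region. Java equivalent of
     *   #{securityContext.taskflowViewable['/WEB-INF/regions/edit-employees-flow-btf.xml#edit-employees-flow-btf']}
     * Returns the task flow id when the user may view it; otherwise an empty string,
     * which this bean uses to show an empty region (assumed convention). The
     * framework re-checks the TaskFlowPermission when the flow is entered, so this
     * is defense in depth rather than the only gate.
     */
    public static String resolveRegionTaskFlow(String taskFlowId) {
        // "view" is the action name used in the task flow policy grants.
        TaskFlowPermission view = new TaskFlowPermission(taskFlowId, "view");
        return securityContext().hasPermission(view) ? taskFlowId : "";
    }

    /**
     * Tab-level check. Java equivalent of the rendered attribute on the
     * HR Managers Only tab:
     *   #{securityContext.userGrantedResource['resourceName=HRManagersTab;resourceType=PanelTabProtection;action=view']}
     */
    public static boolean canViewHrManagersTab() {
        SecurityContext sc = securityContext();
        return sc.isAuthenticated()
                && sc.hasPermission(
                        new ResourcePermission("PanelTabProtection", "HRManagersTab", "view"));
    }
}
```

A dynamic region's task flow binding would call resolveRegionTaskFlow with the flow id it is about to show, and the entity's salary setter would call requireSalaryUpdateAllowed(getEntityState() == STATUS_NEW) before storing the value; both checks run as the currently authenticated user because ADFContext resolves the SecurityContext for the current request.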
IN CONCLUSION
Oracle ADF Security simplifies a complex
topic by abstracting JAAS authorization and
Java EE authentication. With Oracle ADF, you
use visual editors to protect the resources
you care about the most and enforce security
configurations. You can also use security
expression language or Java in applications
to verify user access rights. With all the simplicity added, the most important thing to be
aware of is that applying security to an application is a journey and not a destination.
Frank Nimphius is a senior principal product
manager for Oracle JDeveloper and Oracle
Application Development Framework. He is
a coauthor of Oracle Fusion Developer Guide:
Building Rich Internet Applications with Oracle
ADF Business Components and Oracle ADF
Faces (McGraw-Hill, 2010).
NEXT STEPS
READ more about
Oracle ADF
Oracle Fusion Middleware Fusion Developer’s
Guide for Oracle Application Development
Framework 11g Release 2 (11.1.2.0.0)
download.oracle.com/docs/cd/E16162_01/web.1112/e16182/reusing_components.htm
Oracle ADF Security
Oracle Fusion Middleware Fusion Developer’s
Guide for Oracle Application Development
Framework 11g Release 2 (11.1.2.0.0),
Chapter 35: “Enabling ADF Security in a
Fusion Web Application”
download.oracle.com/docs/cd/E16162_01/web.1112/e16182/adding_security.htm
oracle.com/technetwork/issue-archive/2011/12-jan/o12adf-524995.zip