
ADF Security in a Project-Centric Environment

An ADF Case Study

Jean-Marc Desvaux

General Construction Co.Ltd


http://groups.google.com/group/adf-methodology

ADF EMG
• A place to discuss best practices and
methodologies for JDeveloper ADF enterprise
applications
• Founded mid-2008 by Chris Muir, now 600+
members
• Focus is Fusion Tech Stack (ADF Faces, ADF BC)
• Online forum plus sessions at major Oracle
conferences (OOW, ODTUG, UKOUG, DOAG…)
About me

Head of Information Systems of a Construction Company based in the Republic of Mauritius

+20 years experience with Oracle technologies: Database, Development Tools and Middleware.

twitter/jmdesvaux jmdesvaux.blogspot.com
Agenda
The GCC Business Case
The Security problem & the approach taken
Setting up the Infrastructure
Enabling ADF Security
Enabling Per Project & Module Security in ADF

The Business Case

The GCC Business - Building & Civil Engineering

GCC = Main Contractor = Builders Work mainly

Operations in Mauritius Only

~3000 Workforce, ~400 Staff (200 HQ, 200 on Sites).

The GCC IT Team
4 Engineers & Developers
• 1 ADF dedicated for 2 years + Forms/Reports (6 yrs)
• 1 ADF dedicated for 1 year
• 1 Forms/Reports dedicated, +20 yrs
• 2 dealing with overall infrastructure: DB, AS, Firewalls..

2 Desktop & Peripheral Support Technicians
• Sites Networking
• Desktop/Clients Configs & Support

Dev started 1990, kept updated & still growing…

SINGLE ORACLE DATABASE INSTANCE

Today ~1500 Forms & 1500 Reports covering most aspects of the lines of service/business units (Logistics, Professional Support & Corporate Services), each backing up Sites Operations.

Need for our Sites to be Active Players in this Services Ecosystem

We saw there a good case for an ADF transition

Connecting Sites to the GCC System
with ADF Web applications

The Security Problem &
The approach taken

Corporate User works transversely across projects.
Site User always works under a Project Context.

Security is delegated to “Line of Service” Managers

Each “Line of Service” Manager makes service agreements with Sites defining how they will work: who will do what.

The “Line of Service” Manager applies the Agreement by setting roles in a Security Configuration/Management application.

Security Model for all applications
(ADF, Forms & Reports)

Blocks involved to implement:
OID/SSO, Database, ADF Security & UI

• OID (LDAP) for USERS and MODULE GROUPS
• ORACLE Single Sign-On (SSO)
• DATA MODEL FOR A SECURITY APPLICATION TO DRIVE PER MODULE/PROJECT ROLES
• ADF SECURITY FOR PAGES ON OID GROUPS
• ADF UI COMPONENTS RENDERED OR NOT USING EL: CUSTOM CLASSES TO CHECK ROLES FROM THE DATABASE

Delegation of management of Project/Module Security

Module Security
Manager

Security Management related Forms
Modules: who can manage a Module for one or more Projects; OID Group
Module Roles & related privileges
Grant/Revoke Module Roles to User for Project

When access is granted to a first Site, OID is updated with the module group using the dbms_ldap package.

Other advantages of using the Database are the integration of security with HR Data:
• New Users are added to the Site from HR Employees data by the Security manager.
• Auditing accesses inside the database and Timesheet cross-checking (absent but logged on, not assigned to a Site but still authorized, etc..)
• When an employee leaves the company, authorization is automatically revoked.
• Ability to do more control as & when needed/decided.
• Security Data is backed up with the Database.

Setting up the Infrastructure

How to integrate OID/SSO with WebLogic

“Forms (11g) will not be specifically coded to use, nor tested with Oracle Access Manager. Other Oracle products, such as ADF, Web Center and Portal, will also support Oracle Single-Sign-on. Oracle has plans to support Oracle Access Manager in future versions of Oracle Forms 11g.”

(Diagram)
Oracle WebTier 11g: Webcache wls1034.gcc.mu:7785 -> HTTP 11g wls1034.gcc.mu:7777 -> WebLogic wls1034.gcc.mu:7007 (ADF 11g deployment)
Oracle Identity Management 10.1.4: Oracle Single Sign-on/OID

Proxying WebLogic with HTTP 11g

(Diagram) Webcache wls1034.gcc.mu:7785 -> HTTP 11g wls1034.gcc.mu:7777 -> WebLogic wls1034.gcc.mu:7007

Register HTTP server with the OSSO Infra Server

Register the WebLogic server URL with the webcache port (7785) on the OID/SSO Server:
1. Create a wls_osso.conf file with the ssoreg.sh tool on the OID/SSO infra server.
2. Replace the WebLogic server webtier osso.conf with the generated file.
3. Configure mod_osso.conf to point to the newly copied osso.conf.

Setup WebLogic Security Providers

Authenticator must be configured for Oracle Internet Directory (OID)
Identity Assertion Provider must be configured for SSO
(Diagram: Oracle WebTier 11g, IdM)

WebLogic Realm Security Providers

Infrastructure Setup Done

(Diagram)
Oracle WebTier 11g: Webcache wls1034.gcc.mu:7785 -> HTTP 11g wls1034.gcc.mu:7777 -> WebLogic wls1034.gcc.mu:7007 (ADF 11g deployment)
Oracle Identity Management 10.1.4: Oracle Single Sign-on/OID

Enabling ADF Security

Enabling ADF Security

What is done at the back...

JDeveloper creates:
jazn-data.xml: sets security rules & permissions, plus a dev/test store for testing only (skipped on deployment)

and updates:
web.xml: sets the type of Authentication selected.
weblogic.xml: where users are mapped to roles (by default a generic principal (user) is mapped to the WebLogic role “valid-users”, i.e. any authenticated user).
adf-config.xml: indicates that ADF Security is enabled & handled by JPS (Java Platform Security).

Authentication Type (web.xml)
with Oracle Infrastructure Single sign-on

Authorization: Roles & Pages Security

Application Roles
Roles specified in the ADF application; ADF authorizations are set on these roles.

Enterprise Roles
Roles assigned to the ADF user from the Credential/Identity Store (Oracle Internet Directory).

An Application Role is mapped to an Enterprise Role, allowing the developer to use roles and map them later to the final Roles.

Roles are applied to pages with the “View” permission.

Other permissions are only applicable if you use WebCenter.

Authorization (Jazn-data.xml)

What we have at this stage

A user with an OID account and OID Groups (enterprise roles) gets a SSO login form to identify himself when trying to access an ADF application (all pages being protected by ADF Security).

Once authenticated, he can navigate to the page if he has the necessary enterprise role (mapped to the application role set to protect the page).

On each page, we only want
the authorized UI components
to be rendered…..

UI components level
Rendering or not a UI component (button, panel etc..) with JSF Expression Language (EL)

CurrentPeriod <= (le for less or equal) Period

#{securityContext.userInRole['rolename']} for a “static” role

Enabling Per Project &
Module Security in ADF

Application navigation use case
(Apps screenshots)

Oracle Single Sign-On Login Form

Oracle Infrastructure 10.1.4 Default Login Form


Customized with our logo.
One could write a custom Login Form

List of Projects for which the user is entitled to at least one Application Module
List of Modules to which the user is entitled on the selected Project
Module

User can switch Project Context within the same Module

Actions available or not depending on the user’s rights on this specific Project and Module

Oracle Reports integration (Report TaskFlow)
Oracle Report Parameter Form
Report URL not displayed

How it works (Guideline only. To show extensibility/flexibility of the Framework)
1. User Login is fetched from the ADF Context.
2. From a “Project List” module and a “Project Switcher” Taskflow, a selected Project is set in the database. Any direct access to a Module takes the Project from the database.
3. When accessing an application we store in the AM Session our context parameters: Project Code, User Login, Module Code, etc..
4. Module Access Right for the Project is checked from the database (in case the Module is accessed directly via the Module URL).
5. Database Client Identifier & Module Environment are set in the Database for auditing purposes & other needs.
6. A “Module access” audit event is logged in the Database.
7. When a page is accessed, session parameters are stored (if not already done) in a Session bean.
8. The user’s Privilege Codes for the Module/Project are fetched from the Security Database and stored in the HTTP session as a Map.
9. Bind Variables on our View Objects (VOs) are automatically replaced by our parameter values to filter data at VO level when the VOs are executed.
10. We have a session bean method (SecurityScope.userInRole) that is used in EL to check Privileges from our HTTP session Map to render or not a Component.
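Steps 1 to 6 above, written out as an Application Module base class. This is an added example, not code from the GCC project: the class name, the PL/SQL package gcc_sec and its routines (get_selected_project, has_module_access, log_module_access) and the module code are assumptions standing in for the slides' security application; dbms_session.set_identifier and dbms_application_info.set_module are the standard Oracle packages. prepareSession() is the ADF hook that runs when the AM is attached to a user session, so a module reached directly by its URL goes through the same checks as one opened from the Project List.

```java
import java.sql.CallableStatement;
import java.sql.SQLException;
import java.sql.Types;

import oracle.adf.share.ADFContext;
import oracle.jbo.JboException;
import oracle.jbo.Session;
import oracle.jbo.server.ApplicationModuleImpl;
import oracle.jbo.server.DBTransaction;

/* Hypothetical base class for one GCC "Module" Application Module. */
public class BaseModuleAppModuleImpl extends ApplicationModuleImpl {

    // Code of the module this AM serves; subclasses override it (constructed value)
    protected String getModuleCode() { return "SITE_REQUESTS"; }

    @Override
    protected void prepareSession(Session session) {
        super.prepareSession(session);
        DBTransaction txn = getDBTransaction();

        // 1. Login taken from the ADF security context (asserted by SSO), never from a request parameter
        String userLogin = ADFContext.getCurrent().getSecurityContext().getUserName();

        // 2. The current project was stored in the database by the Project Switcher task flow
        String projectCode = callFunction(txn, "{ ? = call gcc_sec.get_selected_project(?) }", userLogin);
        if (projectCode == null) {
            throw new JboException("No project selected for user " + userLogin);
        }

        // 3. Context parameters kept in the AM session user data; VO bind variables
        //    with the same names (projectCode, userLogin, moduleCode) are filled from here
        session.getUserData().put("projectCode", projectCode);
        session.getUserData().put("userLogin", userLogin);
        session.getUserData().put("moduleCode", getModuleCode());

        // 4. Access right re-checked server side, so a direct module URL cannot skip the Project List
        String allowed = callFunction(txn, "{ ? = call gcc_sec.has_module_access(?, ?, ?) }",
                                      userLogin, projectCode, getModuleCode());
        if (!"Y".equals(allowed)) {
            throw new JboException("User " + userLogin + " is not entitled to module "
                                   + getModuleCode() + " on project " + projectCode);
        }

        // 5. Client identifier and module/action, visible to database auditing and V$SESSION
        callProcedure(txn, "{ call dbms_session.set_identifier(?) }", userLogin);
        callProcedure(txn, "{ call dbms_application_info.set_module(?, ?) }", getModuleCode(), projectCode);

        // 6. "Module access" audit event written by the security application (hypothetical routine)
        callProcedure(txn, "{ call gcc_sec.log_module_access(?, ?, ?) }", userLogin, projectCode, getModuleCode());
    }

    // Calls a PL/SQL function returning VARCHAR2; args bind to placeholders 2..n
    private String callFunction(DBTransaction txn, String sql, String... args) {
        CallableStatement st = txn.createCallableStatement(sql, 0);
        try {
            st.registerOutParameter(1, Types.VARCHAR);
            for (int i = 0; i < args.length; i++) {
                st.setString(i + 2, args[i]);
            }
            st.execute();
            return st.getString(1);
        } catch (SQLException e) {
            throw new JboException(e);
        } finally {
            close(st);
        }
    }

    // Calls a PL/SQL procedure; args bind to placeholders 1..n
    private void callProcedure(DBTransaction txn, String sql, String... args) {
        CallableStatement st = txn.createCallableStatement(sql, 0);
        try {
            for (int i = 0; i < args.length; i++) {
                st.setString(i + 1, args[i]);
            }
            st.execute();
        } catch (SQLException e) {
            throw new JboException(e);
        } finally {
            close(st);
        }
    }

    private static void close(CallableStatement st) {
        try { st.close(); } catch (SQLException ignored) { }
    }
}
```

Because the project and module codes are resolved from the database and the login from the SSO-asserted security context, nothing in this chain is taken from the URL; a module accessed directly (step 4) is refused with a JboException before any View Object can run.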

Normal EL Expression to check from a static role:
#{securityContext.userInRole['Role Name']}

Custom EL Expression to check from the database privilege codes assigned to a role:
#{securityScope.userInRole['Priv List Code']}
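The session bean behind the custom EL expression above and steps 7, 8 and 10 of "How it works", as an added example that is not the project's own code. The bean name securityScope comes from the slides' EL; the class, its fields and the initialise()/reset() methods are assumptions, and the privilege codes in main() are constructed. The design point is that #{securityScope.userInRole['CODE']} is resolved by the EL MapELResolver as userInRole.get("CODE"), so the property is exposed as a Map whose get() consults the privilege set loaded from the security database.

```java
import java.io.Serializable;
import java.util.AbstractMap;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/* Session-scoped managed bean registered under the name "securityScope". */
public class SecurityScope implements Serializable {

    private String projectCode;
    private String moduleCode;
    // Step 8: privilege codes for this user/project/module, loaded once per session
    private Set<String> privilegeCodes;
    // Map view built lazily; transient because the anonymous AbstractMap is not Serializable
    private transient Map<String, Boolean> userInRole;

    // Read-only Map over the privilege set; EL only ever calls get() on it
    public Map<String, Boolean> getUserInRole() {
        if (userInRole == null) {
            userInRole = new AbstractMap<String, Boolean>() {
                @Override
                public Boolean get(Object key) {
                    return privilegeCodes != null && key != null
                           && privilegeCodes.contains(key.toString());
                }
                @Override
                public Set<Map.Entry<String, Boolean>> entrySet() {
                    return Collections.emptySet();
                }
            };
        }
        return userInRole;
    }

    // Step 7: called once per session with the context parameters and the privilege
    // codes fetched from the security database (the fetch itself is left to a DAO)
    public void initialise(String projectCode, String moduleCode, Set<String> codes) {
        if (privilegeCodes == null) {
            this.projectCode = projectCode;
            this.moduleCode = moduleCode;
            this.privilegeCodes = new HashSet<String>(codes);
        }
    }

    // When the user switches Project Context the cached privileges must be dropped,
    // otherwise components would keep rendering with the previous project's rights
    public void reset() {
        privilegeCodes = null;
    }

    public boolean isInitialised() { return privilegeCodes != null; }
    public String getProjectCode() { return projectCode; }
    public String getModuleCode() { return moduleCode; }

    // Stand-alone demonstration with constructed privilege codes
    public static void main(String[] args) {
        SecurityScope scope = new SecurityScope();
        Set<String> codes = new HashSet<String>();
        codes.add("REQ_CREATE");
        codes.add("REQ_VIEW");
        scope.initialise("PRJ001", "SITE_REQUESTS", codes);
        // Same lookups that rendered="#{securityScope.userInRole['...']}" would perform
        System.out.println("REQ_VIEW    -> " + scope.getUserInRole().get("REQ_VIEW"));
        System.out.println("REQ_APPROVE -> " + scope.getUserInRole().get("REQ_APPROVE"));
    }
}
```

A missing privilege code evaluates to false rather than null, so a typo in the EL key fails closed (the component is not rendered). Note that rendered="..." only controls the UI; the database-side check of step 4 and the VO bind-variable filter of step 9 are what stop a user who forges a request from acting on a project he is not entitled to.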

Reusability
Task Flows, Libraries & Page Templates

Reusability
Task Flows, Libraries, Page templates..
ADF Framework Base Classes

(Diagram)
GCCCommon Workspace (GCC Libraries): adf-extensions project, gcc-security project, gcc-template project
Application Modules Workspaces: GCC Apps Module, ……
Task Flows Workspaces: TaskFlow Workspace, ……

The Future
Potential grounds for improvements

Oracle Access Manager
When Forms/Reports support it

Oracle WebCenter
Application Entry point (Portal) + Customization for tasks shortcuts (Approving Requests etc..)
Improve Application Structure using Catalogs
Content Integration & Web 2.0 features
(ex: Project Site Communications Module extended with Chat/Forum/Workspace)

ADF Mobile
Pervasiveness of our Applications (ex: allowing an approval anywhere on site)

Our Main Resources
Oracle Technology Network (OTN)
ADF Code Corner
JDev/ADF Forum
Tutorials
And more..
ADF Experts bloggers
Non-Oracle
Lucas Jellema, Andrejus Baranovski, Chris Muir,..
Oracle
Frank Nimphius, Grant Ronald, Steve Muench, Duncan Mills,..
And more…

ADF books

More info on this ADF case study
and other case studies

http://tinyurl.com/2e7y3zp

Or from the OTN JDeveloper page:
http://www.oracle.com/technetwork/developer-tools/jdev/overview/index.html

Thank You.

VOs Bind Variables are automatically replaced by our parameter values to filter data per Project at VO level.
Parameter naming convention: parameter names must be consistent. For example, a projectCode parameter defined in the AM must have the same name as the VO bind variable.
All ViewObjects use a custom base class “BaseFilteredViewObject” where executeQuery and executeQueryForCollection are overridden to call setGlobalVariablesValues() before delegating to super:

    import oracle.jbo.Variable;
    import oracle.jbo.VariableValueManager;
    import oracle.jbo.server.ViewObjectImpl;

    /* Base class for all GCC View Objects: before a query runs, every WHERE-clause
       bind variable that is still empty is filled from the AM session user data,
       keyed by the bind variable's own name (projectCode, userLogin, ...). */
    public class BaseFilteredViewObject extends ViewObjectImpl {

        @Override
        public void executeQuery() {
            setGlobalVariablesValues();
            super.executeQuery();
        }

        @Override
        protected void executeQueryForCollection(Object qc, Object[] params, int noUserParams) {
            setGlobalVariablesValues();
            super.executeQueryForCollection(qc, params, noUserParams);
        }

        private void setGlobalVariablesValues() {
            VariableValueManager vm = ensureVariableManager();
            Variable[] vars = vm.getVariablesOfKind(Variable.VAR_KIND_WHERE_CLAUSE_PARAM);
            for (Variable var : vars) {
                Object voVarValue = vm.getVariableValue(var.getName());
                // Only bind variables left empty by the caller are taken from the session;
                // a value set explicitly on the VO wins over the session context
                if (voVarValue == null || voVarValue.toString().isEmpty()) {
                    vm.setVariableValue(var.getName(),
                        getApplicationModule().getSession().getUserData().get(var.getName()));
                }
            }
        }
    }
