ADF security protects ADF bound pages, bounded task flows and ADF Business Components entities with framework specific JAAS permissions classes (RegionPermission, TaskFlowPermission and EntityPermission).

If used in combination with the ADF security expression language and security checks performed in Java, this protection already provides you with fine grained access control that can also be used to secure UI components like buttons and input text field. For example, the EL shown below disables the user profile panel tabs for unauthenticated users:

<af:panelTabbed id="pt1" position="above">
  ...
  <af:showDetailItem
       text="User Profile" id="sdi2"                               
       disabled="#{!securityContext.authenticated}">
  </af:showDetailItem>
  ...
</af:panelTabbed>

The next example disables a panel tab item if the authenticated user is not granted access to the bounded task flow exposed in a region on this tab:

<af:panelTabbed id="pt1" position="above">
  ...
  <af:showDetailItem text="Employees Overview" id="sdi4"
                  
     disabled="#{!securityContext.taskflowViewable
        ['/WEB-INF/EmployeeUpdateFlow.xml#EmployeeUpdateFlow']}">
  </af:showDetailItem>
  ...
</af:panelTabbed>

Security expressions like shown above allow developers to check the user permission, authentication and role membership status before showing UI components. Similar, using Java, developers can use code like shown below to verify the user authentication status:

ADFContext adfContext = ADFContext.getCurrent();
SecurityContext securityCtx = adfContext.getSecurityContext();
boolean userAuthenticated = securityCtx.isAuthenticated();

Note that the Java code lines use the same security context reference that is used with expression language.

But is this all that there is? No ! The goal of ADF Security is to enable all ADF developers to build secure web application with JAAS (Java Authentication and Authorization Service). For this, more fine grained protection can be defined using the ResourcePermission, a generic JAAS permission class owned by the Oracle Platform Security Services (OPSS).  Using the ResourcePermission  class, developers can grant permission to functional parts of an application that are not protected by page or task flow security.

For example, an application menu allows creating and canceling product shipments to customers. However, only a specific user group - or application role, which is the better way to use ADF Security - is allowed to cancel a shipment.

To enforce this rule, a permission is needed that can be used declaratively on the UI to hide a menu entry and programmatically in Java to check the user permission before the action is performed.

Note that multiple lines of defense are what you should implement in your application development. Don't just rely on UI protection through hidden or disabled command options.

To create menu protection permission for an ADF Security enable application, you choose Application | Secure | Resource Grants from the Oracle JDeveloper menu.

The opened editor shows a visual representation of the jazn-data.xml file that is used at design time to define security policies and user identities for testing. An option in the Resource Grants section is to create a new Resource Type.

A list of pre-defined types exists for you to create policy definitions for. Many of these pre-defined types use the ResourcePermission class.

To create a custom Resource Type, for example to protect application menu functions, you click the green plus icon next to the Resource Type select list.

The Create Resource Type editor that opens allows you to add a name for the resource type, a display name that is shown when granting resource permissions and a description. The ResourcePermission class name is already set. In the menu protection sample, you add the following information:

OK the dialog to close the resource permission creation.

To create a resource policy that can be used to check user permissions at runtime, click the green plus icon in the Resources section of the Resource Grants section.

In the Create Resource dialog, provide a name for the menu option you want to protect. To protect the cancel shipment menu option, create a resource with the following settings

A new resource Cancel Shipmentis added to the Resources panel. Initially the resource is not granted to any user, enterprise or application role. To grant the resource, click the green plus icon in the Granted To section, select the Add Application Role option and choose one or more application roles in the opened dialog.

Finally, you click the process action to define the policy. Note that permission can have multiple actions that you can grant individually to users and roles. The cancel shipment permission for example could have another action "view" defined to determine which user should see that this option exist and which users don't.

To use the cancel shipment permission, select the disabled property on a command item, like af:commandMenuItem and click the arrow icon on the right. From the context menu, choose the Expression Builder entry. Expand the ADF Bindings | securityContext node and click the userGrantedResource option.

Hint: You can expand the Description panel below the EL selection panel to see an example of how the grant should look like.

The EL that is created needs to be manually edited to show as

#{!securityContext.userGrantedResource[
              'resourceName=Cancel Shipment;resourceType=MenuProtection;action=process']}

OK the dialog so the permission checking EL is added as a value to the disabled property. Running the application and expanding the Shipment menu shows the Cancel Shipments menu item disabled for all users that don't have the custom menu protection resource permission granted.

Note: Following the steps listed above, you create a JAAS permission and declaratively configure it for function security in an ADF application. Do you need to understand JAAS for this? No!  This is one of the benefits that you gain from using the ADF development framework.

To implement multi lines of defense for your application, the action performed when clicking the enabled "Cancel Shipments" option should also check if the authenticated user is allowed to use process it. For this, code as shown below can be used in a managed bean

public void onCancelShipment(ActionEvent actionEvent) {    
  SecurityContext securityCtx =
      ADFContext.getCurrent().getSecurityContext();
  //create instance of ResourcePermission(String type, String name,
  //String action)
  ResourcePermission resourcePermission =
    new ResourcePermission("MenuProtection","Cancel Shipment",
                           "process");     
  boolean userHasPermission =   
      securityCtx.hasPermission(resourcePermission);
  if (userHasPermission){

      //execute privileged logic here

  }
}

Note: To learn more abput ADF Security, visit

http://download.oracle.com/docs/cd/E17904_01/web.1111/b31974/adding_security.htm#BGBGJEAH

Note: A monthly summary of OTN Harvest blog postings can be downloaded from ADF Code Corner. The monthly summary is a PDF document that contains supporting screen shots for some of the postings:

http://www.oracle.com/technetwork/developer-tools/adf/learnmore/index-101235.html