v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
Normal
0
false
false
false
false
EN-US
X-NONE
X-NONE
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
table.MsoTableGrid
{mso-style-name:"Table Grid";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-priority:59;
mso-style-unhide:no;
border:solid black 1.0pt;
mso-border-alt:solid black .5pt;
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-border-insideh:.5pt solid black;
mso-border-insidev:.5pt solid black;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:"Times New Roman","serif";}
ADF security protects ADF bound pages, bounded task flows
and ADF Business Components entities with framework specific JAAS permissions
classes (RegionPermission,
TaskFlowPermission and EntityPermission). If used in combination with the ADF security expression language and security
checks performed in Java, this protection already provides you with fine
grained
access control that can also be used
to secure UI components like
buttons and input text field. For example, the EL shown below disables the user
profile panel tabs for unauthenticated users:
<af:panelTabbed
id="pt1" position="above">
...
<af:showDetailItem
text="User
Profile" id="sdi2"
disabled="#{!securityContext.authenticated}">
</af:showDetailItem>
...
</af:panelTabbed>
The next example disables a panel tab item if the
authenticated user is not granted
access to the bounded task flow exposed in a
region on this tab:
<af:panelTabbed
id="pt1" position="above">
...
<af:showDetailItem
text="Employees Overview" id="sdi4" disabled="#{!securityContext.taskflowViewable
['/WEB-INF/EmployeeUpdateFlow.xml#EmployeeUpdateFlow']}">
</af:showDetailItem>
...
</af:panelTabbed>
Security expressions like shown above allow developers
to
check the user permission, authentication and role membership status before
showing UI components. Similar, using Java, developers can use code like shown
below
to verify the user authentication status:
ADFContext
adfContext = ADFContext.getCurrent();
SecurityContext securityCtx = adfContext.getSecurityContext();
boolean userAuthenticated = securityCtx.isAuthenticated();
Note that the Java code lines use the same security context
reference that is used with expression language.
But is this all that there is? No ! The goal of ADF Security is
to enable all ADF developers
to
build secure web application with JAAS (Java Authentication and Authorization
Service). For this, more fine grained protection can be defined using the ResourcePermission, a
generic JAAS permission class owned by the Oracle Platform Security Services
(OPSS). Using the ResourcePermission class, developers can grant permission
to
functional parts of
an application that are not protected by page or task flow
security.
For example,
an application menu allows creating and
canceling product shipments
to customers. However, only a specific user group -
or application role, which is the better way
to use ADF Security - is allowed
to cancel a shipment.
To enforce this rule, a permission is needed that can be
used declaratively on the UI
to hide a menu entry and programmatically in Java
to check the user permission before the action is performed.
Note that multiple lines of defense are what you should implement in your application development.
Don't just rely on UI protection through hidden or disabled command options.
To create menu protection permission for
an ADF Security
enable application, you choose Application
| Secure | Resource Grants from the Oracle JDeveloper menu.
The opened editor shows a visual representation of the jazn-data.xml file
that is used at design time
to define security policies and user identities for
testing.
An option in the Resource
Grants section is
to create a new Resource
Type.
A list of pre-defined types exists for you
to create policy
definitions for. Many of these pre-defined types use the ResourcePermission class.
To create a custom Resource
Type, for example
to protect application menu functions, you click the
green plus icon next
to the Resource
Type select list.
The
Create Resource
Type editor that opens allows you
to add a name for the resource type, a
display name that is shown when granting resource permissions and a description.
The ResourcePermission
class name is already set. In the menu protection sample, you add the following
information:
Name:
MenuProtection
Display Name:
Menu Protection
Description:
Permission
to grant menu item permissions
OK the dialog
to
close the resource permission creation.
To create a resource policy that can be used
to check user
permissions at runtime, click the green
plus icon in the Resources
section of the Resource Grants
section.
In the
Create
Resource dialog, provide a name for the menu option you want
to protect.
To
protect the cancel shipment menu option,
create a resource with the following settings
Resource Type:
Menu Protection
Name:
Cancel Shipment
Display Name:
Cancel Shipment
Description:
Grant allows user
to cancel customer good shipment
A new resource Cancel
Shipmentis added
to the Resources
panel. Initially the resource is not granted
to any user, enterprise or
application role.
To grant the resource, click the green plus icon in the Granted
To section, select the Add Application Role option and choose one
or more application roles in the opened dialog.
Finally, you click the process
action
to define the policy. Note that permission can have multiple actions
that you can grant individually
to users and roles. The cancel shipment
permission for example could have another action "view" defined
to
determine which user should see that this option exist and which users don't.
To use the cancel
shipment permission, select the disabled
property on a command item, like af:commandMenuItem and click the arrow icon on the right.
From the context menu, choose the Expression
Builder entry. Expand the ADF
Bindings | securityContext node and click the userGrantedResource option.
Hint: You can
expand the Description panel below
the EL selection panel
to see
an example of
how the grant should look like.
The EL that is created needs
to be manually edited
to show
as
#{!securityContext.userGrantedResource[
'resourceName=Cancel
Shipment;resourceType=MenuProtection;action=process']}
OK the dialog so
the permission checking EL is added as a value
to the disabled property. Running the application and expanding the Shipment menu shows the Cancel Shipments menu item disabled for
all users that don't have the custom menu protection resource permission
granted.
Note: Following
the steps listed above, you
create a JAAS permission and declaratively
configure it for function security in
an ADF application. Do you need
to understand
JAAS for this? No! This is one of the
benefits that you gain from using the ADF development framework.
To implement multi lines of defense for your application,
the action performed when clicking the enabled "Cancel Shipments"
option should also check if the authenticated user is allowed
to use process
it. For this, code as shown below can be used in a managed bean
public
void onCancelShipment(ActionEvent actionEvent) {
SecurityContext securityCtx =
ADFContext.getCurrent().getSecurityContext();
//create instance of ResourcePermission(String
type, String name,
//String action)
ResourcePermission resourcePermission =
new
ResourcePermission("MenuProtection","Cancel Shipment",
"process");
boolean userHasPermission =
securityCtx.hasPermission(resourcePermission);
if (userHasPermission){
//execute
privileged logic here
}
}
Note:
To learn
more abput ADF Security, visit
http://download.oracle.com/docs/cd/E17904_01/web.1111/b31974/adding_security.htm#BGBGJEAHNote: A monthly summary of OTN Harvest blog postings can be downloaded from ADF Code Corner. The monthly summary is a PDF document that contains supporting screen shots for some of the postings: http://www.oracle.com/technetwork/developer-tools/adf/learnmore/index-101235.html
