How to protect UI components using OPSS Resource Permissions
- by frank.nimphius
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
Normal
0
false
false
false
false
EN-US
X-NONE
X-NONE
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
table.MsoTableGrid
{mso-style-name:"Table Grid";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-priority:59;
mso-style-unhide:no;
border:solid black 1.0pt;
mso-border-alt:solid black .5pt;
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-border-insideh:.5pt solid black;
mso-border-insidev:.5pt solid black;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:"Times New Roman","serif";}
ADF security protects ADF bound pages, bounded task flows
and ADF Business Components entities with framework specific JAAS permissions
classes (RegionPermission,
TaskFlowPermission and EntityPermission). If used in combination with the ADF security expression language and security
checks performed in Java, this protection already provides you with fine
grained access control that can also be used to secure UI components like
buttons and input text field. For example, the EL shown below disables the user
profile panel tabs for unauthenticated users:
<af:panelTabbed
id="pt1" position="above">
...
<af:showDetailItem
text="User
Profile" id="sdi2"
disabled="#{!securityContext.authenticated}">
</af:showDetailItem>
...
</af:panelTabbed>
The next example disables a panel tab item if the
authenticated user is not granted access to the bounded task flow exposed in a
region on this tab:
<af:panelTabbed
id="pt1" position="above">
...
<af:showDetailItem
text="Employees Overview" id="sdi4" disabled="#{!securityContext.taskflowViewable
['/WEB-INF/EmployeeUpdateFlow.xml#EmployeeUpdateFlow']}">
</af:showDetailItem>
...
</af:panelTabbed>
Security expressions like shown above allow developers to
check the user permission, authentication and role membership status before
showing UI components. Similar, using Java, developers can use code like shown
below to verify the user authentication status:
ADFContext
adfContext = ADFContext.getCurrent();
SecurityContext securityCtx = adfContext.getSecurityContext();
boolean userAuthenticated = securityCtx.isAuthenticated();
Note that the Java code lines use the same security context
reference that is used with expression language.
But is this all that there is? No ! The goal of ADF Security is to enable all ADF developers to
build secure web application with JAAS (Java Authentication and Authorization
Service). For this, more fine grained protection can be defined using the ResourcePermission, a
generic JAAS permission class owned by the Oracle Platform Security Services
(OPSS). Using the ResourcePermission class, developers can grant permission to
functional parts of an application that are not protected by page or task flow
security.
For example, an application menu allows creating and
canceling product shipments to customers. However, only a specific user group -
or application role, which is the better way to use ADF Security - is allowed
to cancel a shipment.
To enforce this rule, a permission is needed that can be
used declaratively on the UI to hide a menu entry and programmatically in Java
to check the user permission before the action is performed.
Note that multiple lines of defense are what you should implement in your application development.
Don't just rely on UI protection through hidden or disabled command options.
To create menu protection permission for an ADF Security
enable application, you choose Application
| Secure | Resource Grants from the Oracle JDeveloper menu.
The opened editor shows a visual representation of the jazn-data.xml file
that is used at design time to define security policies and user identities for
testing. An option in the Resource
Grants section is to create a new Resource
Type.
A list of pre-defined types exists for you to create policy
definitions for. Many of these pre-defined types use the ResourcePermission class.
To create a custom Resource
Type, for example to protect application menu functions, you click the
green plus icon next to the Resource
Type select list.
The Create Resource
Type editor that opens allows you to add a name for the resource type, a
display name that is shown when granting resource permissions and a description.
The ResourcePermission
class name is already set. In the menu protection sample, you add the following
information:
Name:
MenuProtection
Display Name:
Menu Protection
Description:
Permission to grant menu item permissions
OK the dialog to
close the resource permission creation.
To create a resource policy that can be used to check user
permissions at runtime, click the green
plus icon in the Resources
section of the Resource Grants
section.
In the Create
Resource dialog, provide a name for the menu option you want to protect. To
protect the cancel shipment menu option,
create a resource with the following settings
Resource Type:
Menu Protection
Name:
Cancel Shipment
Display Name:
Cancel Shipment
Description:
Grant allows user to cancel customer good shipment
A new resource Cancel
Shipmentis added to the Resources
panel. Initially the resource is not granted to any user, enterprise or
application role. To grant the resource, click the green plus icon in the Granted To section, select the Add Application Role option and choose one
or more application roles in the opened dialog.
Finally, you click the process
action to define the policy. Note that permission can have multiple actions
that you can grant individually to users and roles. The cancel shipment
permission for example could have another action "view" defined to
determine which user should see that this option exist and which users don't.
To use the cancel
shipment permission, select the disabled
property on a command item, like af:commandMenuItem and click the arrow icon on the right.
From the context menu, choose the Expression
Builder entry. Expand the ADF
Bindings | securityContext node and click the userGrantedResource option.
Hint: You can
expand the Description panel below
the EL selection panel to see an example of how the grant should look like.
The EL that is created needs to be manually edited to show
as
#{!securityContext.userGrantedResource[
'resourceName=Cancel
Shipment;resourceType=MenuProtection;action=process']}
OK the dialog so
the permission checking EL is added as a value to the disabled property. Running the application and expanding the Shipment menu shows the Cancel Shipments menu item disabled for
all users that don't have the custom menu protection resource permission
granted.
Note: Following
the steps listed above, you create a JAAS permission and declaratively
configure it for function security in an ADF application. Do you need to understand
JAAS for this? No! This is one of the
benefits that you gain from using the ADF development framework.
To implement multi lines of defense for your application,
the action performed when clicking the enabled "Cancel Shipments"
option should also check if the authenticated user is allowed to use process
it. For this, code as shown below can be used in a managed bean
public
void onCancelShipment(ActionEvent actionEvent) {
SecurityContext securityCtx =
ADFContext.getCurrent().getSecurityContext();
//create instance of ResourcePermission(String
type, String name,
//String action)
ResourcePermission resourcePermission =
new
ResourcePermission("MenuProtection","Cancel Shipment",
"process");
boolean userHasPermission =
securityCtx.hasPermission(resourcePermission);
if (userHasPermission){
//execute
privileged logic here
}
}
Note: To learn
more abput ADF Security, visit
http://download.oracle.com/docs/cd/E17904_01/web.1111/b31974/adding_security.htm#BGBGJEAHNote: A monthly summary of OTN Harvest blog postings can be downloaded from ADF Code Corner. The monthly summary is a PDF document that contains supporting screen shots for some of the postings: http://www.oracle.com/technetwork/developer-tools/adf/learnmore/index-101235.html
