Oracle ADF Case Study
DESCRIPTION
South African Oracle User Group, November 2010, Cape Town presentation
TRANSCRIPT
![Page 1: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/1.jpg)
ADF Security in a Project-Centric Environment
An ADF Case Study
Jean-Marc Desvaux - General Construction Co.Ltd
![Page 2: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/2.jpg)
Agenda
GCC Business Case
Security Approach for the overall Ecosystem
Enabling ADF Security
Enabling Per Project & Module Security in ADF
Setting up the Infrastructure
![Page 3: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/3.jpg)
The Business Case
![Page 4: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/4.jpg)
The GCC Business: Building & Civil Engineering
GCC = Main Contractor = mainly Builders Work
Operations in Mauritius Only
~3000 Workforce, ~400 Staff (200 HQ, 200 on Sites).
![Page 5: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/5.jpg)
The GCC IT Team
4 Engineers & Developers:
1 ADF dedicated for 2 years + Forms/Reports (6 yrs)
1 ADF dedicated for 1 year
1 Forms/Reports dedicated, 20+ yrs (new development, reviews & upgrades)
2 of them dealing with overall infrastructure (installation, admin of DB, AS, storage, DR, firewalls, ...)
2 Desktop & Peripheral Support Technicians: site networking, desktop/client configs & support
![Page 6: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/6.jpg)
Dev Started 1990, Kept Updated & Still Growing…
ORACLE FORMS&
ORACLE REPORTS
SINGLE ORACLE DATABASE INSTANCE
![Page 7: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/7.jpg)
Today ~1500 Forms & 1500 Reports covering most aspects of the lines of
service/business units (Logistics, Professional Support &
Corporate Services), each backing up Site Operations
![Page 8: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/8.jpg)
Need for our Sites to be Active Players
in this Services Ecosystem
We saw there a good case for an ADF transition
![Page 9: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/9.jpg)
Started with ADF 10g, 2 years ago
Connecting Sites to the GCC System with ADF Web applications
![Page 10: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/10.jpg)
As we grow with ADF we will replace FORMS slowly across the whole IS
ORACLE ADF&
REPORTS&
FORMS
![Page 11: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/11.jpg)
Security Approach for the overall Ecosystem
![Page 12: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/12.jpg)
Site User always works under a Project Context
Compared to a Corp. User who works transversely across projects
![Page 13: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/13.jpg)
Security delegated to “Line of Service” Managers where applicable
• Each “Line of Service” Manager makes service agreements with Sites defining how they will work: who will do what.
• The “Line of Service” Manager applies the Agreement by setting roles in a Security Configuration/Management application.
![Page 14: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/14.jpg)
Security Model for all applications (ADF, Forms & Reports)
![Page 15: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/15.jpg)
4 “Levels”: OID/SSO, Database, ADF Security & UI
OID (LDAP) FOR USERS AND MODULE GROUPS
ORACLE Single Sign-On (SSO)
DATA MODEL FOR A SECURITY APPLICATION TO DRIVE PER MODULE/PROJECT ROLES
ADF SECURITY FOR PAGES ON OID GROUPS
ADF UI COMPONENTS RENDERED OR NOT USING EL: CUSTOM CLASSES TO CHECK ROLES FROM THE DATABASE
![Page 16: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/16.jpg)
Security Application
Built with both Forms & ADF to support delegation to Line of Service Managers
![Page 17: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/17.jpg)
Users stored in Database + mirrored in OID using the dbms_ldap package
OID Data
![Page 18: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/18.jpg)
Delegate management of Project/Module Security
Module Security Manager
![Page 19: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/19.jpg)
Who can Manage a Module for one or more Projects
Grant/Revoke Module Roles to User for Project
OID Group
Security Management related Forms
Module Roles & related privileges
Modules
When access granted to a first Site, OID updated with module group using dbms_ldap package
![Page 20: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/20.jpg)
Other advantages of using the Database: the integration of security with HR Data
New Users are added to the Site from HR Employees data by the Security manager.
Auditing accesses inside the database and Timesheet cross-checking (absent but logged on, not assigned to a Site but still
authorized, etc.)
When an employee leaves the company, authorization is automatically revoked
Ability to do more control as & when needed/decided
Security Data is backed up with Database
![Page 21: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/21.jpg)
Setting up the Infrastructure
WebLogic, OID & SSO
![Page 22: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/22.jpg)
What we need to integrate OID/SSO with WebLogic
Webcache wls1033.gcc.mu:7785
HTTP 11g wls1033.gcc.mu:7777
WebLogic wls1033.gcc.mu:7007
Oracle Single Sign-on/OID
Oracle WebTier 11g
ADF 11g deployment
Oracle Identity Management 10.1.4
“Forms (11g) will not be specifically coded to use, nor tested with Oracle Access Manager. Other Oracle products, such as ADF, Web Center and Portal, will also support Oracle Single-Sign-on.
Oracle has plans to support Oracle Access Manager in future versions of Oracle Forms 11g.”
![Page 23: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/23.jpg)
Proxying WebLogic with HTTP 11g
WebLogic wls1033.gcc.mu:7007
Webcache wls1033.gcc.mu:7785
HTTP 11g wls1033.gcc.mu:7777
![Page 24: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/24.jpg)
Register HTTP server with the OSSO Infra Server
Register the WebLogic server URL with the Webcache port (7785) on the OID/SSO Server:
1. Create a wls_osso.conf file with the ssoreg.sh tool on the OID/SSO infra server.
2. Replace the WebLogic server WebTier osso.conf with the generated file.
3. Configure mod_osso.conf to point to the newly copied osso.conf.
![Page 25: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/25.jpg)
Setup WebLogic Security Providers
o Authenticator must be configured for Oracle Internet Directory (OID)
o Identity Assertion Provider must be configured for SSO
Oracle WebTier 11g
IdM
![Page 26: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/26.jpg)
WebLogic Realm Security Providers
![Page 27: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/27.jpg)
Infrastructure Setup Done
Webcache wls1033.gcc.mu:7785
HTTP 11g wls1033.gcc.mu:7777
WebLogic wls1033.gcc.mu:7007
Oracle Single Sign-on/OID
Oracle WebTier 11g
ADF 11g deployment
Oracle Identity Management 10.1.4
![Page 28: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/28.jpg)
Enabling ADF Security
Normal ADF Security (not Project related yet)
Authentication &
ADF application pages Authorization using OID Groups
![Page 29: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/29.jpg)
Enabling ADF Security
![Page 30: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/30.jpg)
What it does ..
JDeveloper creates:
jazn-data.xml: set security rules & permissions + dev/test identity store for testing only (skipped on deployment)
and updates:
web.xml: set the type of Authentication selected.
weblogic.xml: where users are mapped to roles (by default a generic principal (users) is mapped to the WebLogic role “valid-users” (authenticated user)).
adf-config.xml: to indicate that ADF security is enabled & handled by JPS (Java Platform Security).
![Page 31: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/31.jpg)
Authentication Type (web.xml) with Oracle Infrastructure Single sign-on
Remember this is due to Forms/Reports integration & the following Oracle statement:
![Page 32: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/32.jpg)
Authorization : Roles & Pages Security
o Application Roles: ADF application-specific roles; ADF Authorization is set on these roles.
o Enterprise Roles: roles assigned to the ADF user from the Credential/Identity Store (Oracle Internet Directory).
o An Application Role is mapped to an Enterprise Role, allowing the developer to use roles and map them later to the final Roles.
o Roles are applied to pages with the View permission. Other permissions are only applicable if you use WebCenter.
![Page 33: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/33.jpg)
Authorization (Jazn-data.xml)
![Page 34: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/34.jpg)
What we have at this stage
o A user with an OID account and OID Groups (enterprise roles) gets a SSO login form to identify himself when trying to access an ADF application (all pages being protected by ADF Security).
o Once authenticated, he can navigate to the page if he has the necessary enterprise role (mapped to the application role set to protect the page).
![Page 35: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/35.jpg)
On each page, we only want the authorized UI components
to be rendered.
![Page 36: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/36.jpg)
UI components level: rendering or not a UI component (button, panel etc.)
JSF Expression Language (EL)
CurrentPeriod <= Period (le for less or equal)
#{securityContext.userInRole['rolename']} for a “static” role
We will see later how we use EL to apply per project security
![Page 37: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/37.jpg)
Enabling Per Project & Module Security in ADF
![Page 38: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/38.jpg)
Before proceeding let’s see a normal navigation use case demo of the
application
![Page 39: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/39.jpg)
Oracle Single Sign-On Login Form
Oracle Infrastructure 10.1.4 Default Login Form, customized with our logo.
We could (& should) write a custom Login Form
![Page 40: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/40.jpg)
List of Projects for which the user is entitled to at least one Application Module
Was done with ADF 10g, 11g was not yet released. Currently being upgraded to 11g
Last Project accessed by the User in last session
![Page 41: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/41.jpg)
List of Modules to which the user is entitled on the selected Project
Was done with ADF 10g, 11g was not yet released. Being upgraded to 11g
![Page 42: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/42.jpg)
User can switch Project Context within the Same Module
Module
Ex: Button rendered or not depending on User’s rights on this specific Project
![Page 43: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/43.jpg)
Module
![Page 44: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/44.jpg)
Oracle Reports integration (Report TaskFlow)
Report URL not displayed
Oracle Report Parameter Form
![Page 45: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/45.jpg)
What we do (Guideline only, to show the extensibility/flexibility of the Framework)
1. User Login is fetched from ADF Context.
2. From a “Project List” module and a “Project Switcher” Taskflow, a selected Project is set in the database. Any direct access to Module takes the Project from the database.
3. When accessing an application we store in the AM Session our context parameters: Project Code, User Login, Module Code,etc..
4. Module Access Right for Project is checked from the database (in case Module accessed directly via Module URL)
5. Database Client Identifier & Module Environment are set in the Database for Auditing purpose & other needs.
![Page 46: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/46.jpg)
6. A “Module access” audit event is logged in the Database
7. When a page is accessed, session parameters are stored (if not already done) in a Session bean.
8. The User’s Privilege Codes for the Module/Project are fetched from the Security Database and stored in the HTTP session as a Map.
9. Bind Variables on our View Objects (VOs) are automatically replaced by our parameter values to filter data at VO level when the VOs are executed.
10. We have a session bean method (SecurityScope.userInRole) that is used in EL to check Privileges from our HTTP session Map to Render or not a Component.
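The following is an added example, not code from the GCC project, showing one way steps 3, 5 and 9 above can be implemented with ADF Business Components base classes. The package, class, method and bind-variable names are assumptions; the ADF hooks used (`prepareSession` on `ApplicationModuleImpl`, `executeQueryForCollection` on `ViewObjectImpl`, `Session.getUserData()`) are the standard framework ones. The two classes are shown in one listing for reading; in a project each base class lives in its own public source file.

```java
// Added example (not GCC's code): ADF BC base classes for the per-project context.
// Package, class names and the user-data/bind-variable names are assumptions.
package gcc.adf.base;

import java.sql.CallableStatement;
import java.sql.SQLException;
import java.util.Hashtable;

import oracle.jbo.JboException;
import oracle.jbo.Session;
import oracle.jbo.server.ApplicationModuleImpl;
import oracle.jbo.server.ViewObjectImpl;

/** Base Application Module: keeps the context in the AM session (step 3)
 *  and tags the database session for auditing (step 5). */
public class GccApplicationModuleImpl extends ApplicationModuleImpl {
    // keys in Session.getUserData(); the base VO below also treats them as bind-variable names
    public static final String USER_LOGIN   = "pUserLogin";
    public static final String PROJECT_CODE = "pProjectCode";
    public static final String MODULE_CODE  = "pModuleCode";

    /** Called from the web tier (Project Switcher or module entry point) only after the
     *  security database has confirmed this user may open this module for this project (step 4). */
    public void setModuleContext(String login, String project, String module) {
        Hashtable userData = getSession().getUserData();
        userData.put(USER_LOGIN, login);
        userData.put(PROJECT_CODE, project);
        userData.put(MODULE_CODE, module);
        tagDatabaseSession(login, project, module);
    }

    /** Re-applies the tags whenever the AM is (re)connected, e.g. after activation,
     *  because the pooled JDBC connection underneath may have changed. */
    @Override
    protected void prepareSession(Session session) {
        super.prepareSession(session);
        Hashtable userData = session.getUserData();
        String login = (String) userData.get(USER_LOGIN);
        if (login != null) {
            tagDatabaseSession(login,
                               (String) userData.get(PROJECT_CODE),
                               (String) userData.get(MODULE_CODE));
        }
    }

    /** DBMS_SESSION.SET_IDENTIFIER / DBMS_APPLICATION_INFO.SET_MODULE, so audit triggers,
     *  fine-grained auditing and V$SESSION can attribute work to user, project and module. */
    private void tagDatabaseSession(String login, String project, String module) {
        CallableStatement cs = null;
        try {
            cs = getDBTransaction().createCallableStatement(
                "BEGIN dbms_session.set_identifier(?); "
              + "dbms_application_info.set_module(?, ?); END;", 0);
            cs.setString(1, login);
            cs.setString(2, module);   // V$SESSION.MODULE
            cs.setString(3, project);  // V$SESSION.ACTION
            cs.execute();
        } catch (SQLException e) {
            throw new JboException(e);
        } finally {
            if (cs != null) {
                try { cs.close(); } catch (SQLException ignore) { /* nothing useful to do */ }
            }
        }
    }
}

/** Base View Object: fills the context bind variables from the AM session (step 9).
 *  A VO whose WHERE clause reads "project_code = :pProjectCode" is therefore filtered
 *  server-side, and a page or URL parameter cannot substitute another project's code. */
class GccViewObjectImpl extends ViewObjectImpl {
    @Override
    protected void executeQueryForCollection(Object qc, Object[] params, int noUserParams) {
        Hashtable userData = getApplicationModule().getSession().getUserData();
        if (params != null) {
            for (Object p : params) {
                Object[] nameValue = (Object[]) p;      // {bindVariableName, bindValue}
                Object ctx = userData.get(nameValue[0]);
                if (ctx != null) {
                    nameValue[1] = ctx;                  // context wins over whatever the caller set
                }
            }
        }
        super.executeQueryForCollection(qc, params, noUserParams);
    }
}
```

Set these two classes as the base classes in the project's ADF BC settings so every AM and VO inherits them. Because the AM pool and the JDBC connection pool are independent, the client identifier must be re-set when the connection changes; doing it in `prepareSession` rather than only in `setModuleContext` covers that case.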
![Page 47: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/47.jpg)
Normal EL Expression to check a static role
#{securityContext.userInRole['Role Name']}
Custom EL Expression to check from Database privilege Codes assigned to the Role
#{securityScope.userInRole['Priv List Code']}
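Below is an added example, not the GCC project's own bean, of a session-scoped managed bean that the custom expression `#{securityScope.userInRole['...']}` of steps 8 and 10 can resolve against. EL bracket syntax on a `Map` value calls `get(key)`, which is what makes the `userInRole[...]` form work. The class and method names, and the convention that a comma-separated key means "any of these privilege codes", are assumptions.

```java
// Added example (not GCC's code): session bean behind #{securityScope.userInRole['PRIV_CODE']}.
// Names and the comma-separated "any of" convention are assumptions.
package gcc.adf.security;

import java.io.Serializable;
import java.util.AbstractMap;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

public class SecurityScope implements Serializable {
    private static final long serialVersionUID = 1L;

    private String projectCode;
    private String moduleCode;
    // privilege codes granted to the user for (projectCode, moduleCode),
    // loaded from the security database when the module is entered
    private Set<String> privileges = new HashSet<String>();

    /** Called by the module entry point, and again on every project switch,
     *  after the security database has been queried for this user/project/module. */
    public void load(String project, String module, Set<String> privilegeCodes) {
        projectCode = project;
        moduleCode = module;
        privileges = new HashSet<String>(privilegeCodes);
    }

    /** Drops the cached privileges, e.g. when the user leaves the module. */
    public void clear() {
        privileges = new HashSet<String>();
        projectCode = null;
        moduleCode = null;
    }

    public String getProjectCode() { return projectCode; }
    public String getModuleCode()  { return moduleCode; }

    /** True if the user holds the code; a comma-separated key ("A,B") means "A or B". */
    public boolean hasPrivilege(String codeOrList) {
        if (codeOrList == null) {
            return false;
        }
        for (String code : codeOrList.split(",")) {
            if (privileges.contains(code.trim())) {
                return true;
            }
        }
        return false;
    }

    /** EL evaluates securityScope.userInRole['APPROVE_REQ'] as getUserInRole().get("APPROVE_REQ"),
     *  so a read-only Map view delegating to hasPrivilege() is all the expression needs. */
    public Map<String, Boolean> getUserInRole() {
        return new AbstractMap<String, Boolean>() {
            @Override
            public Boolean get(Object key) {
                return key != null && hasPrivilege(key.toString());
            }
            @Override
            public Set<Map.Entry<String, Boolean>> entrySet() {
                return Collections.emptySet();   // EL never enumerates the map
            }
        };
    }

    /** Local check with constructed sample data; no container needed. */
    public static void main(String[] args) {
        SecurityScope scope = new SecurityScope();
        Set<String> granted = new HashSet<String>();   // constructed sample grants
        granted.add("VIEW_REQ");
        granted.add("APPROVE_REQ");
        scope.load("P0123", "REQUISITIONS", granted);  // constructed project/module codes
        System.out.println("APPROVE_REQ: " + scope.getUserInRole().get("APPROVE_REQ"));
        System.out.println("DELETE_REQ: " + scope.getUserInRole().get("DELETE_REQ"));
        System.out.println("DELETE_REQ,VIEW_REQ: " + scope.getUserInRole().get("DELETE_REQ,VIEW_REQ"));
    }
}
```

Register the bean with session scope under the name `securityScope` (in adfc-config.xml) and use it in `rendered` attributes exactly as the slide shows. Note that `rendered="false"` only hides a component: the database check on module access (step 4) and the bind-variable filtering in the VOs (step 9) remain the enforcement points, so a user who crafts a request for a hidden action still gets no data outside their project.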
![Page 48: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/48.jpg)
Reusability
Task Flows, Libraries & Page Templates
![Page 49: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/49.jpg)
Reusability: Task Flows, Libraries, Page templates..
Diagram: the GCCCommon Workspace (adf-extensions project, gcc-security project, gcc-template project) is built on the ADF Framework Base Classes and published as the GCC Libraries; the Task Flow Workspaces and the Application Module Workspaces (GCC Apps Modules) consume those libraries.
![Page 50: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/50.jpg)
The Future: Potential grounds for improvements
Oracle WebCenter: Application Entry point (Portal) + Customization for task shortcuts (Approving Requests etc.). Improve Application Structure using Catalogs. Content Integration & Web 2.0 features (ex: Project Site Communications Module extended with Chat/Forum/Workspace).
Move to Oracle Access Manager (when Forms/Reports support it) & investigate/try to leverage Oracle Entitlements Server: “Oracle Entitlements Server is a fine grained authorization engine that externalizes, unifies, and simplifies the management of complex entitlement policies”
ADF Mobile: Pervasiveness of our Applications (ex: allowing an approval anywhere on site)
![Page 51: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/51.jpg)
Our Main Resources
ADF Expert bloggers
Non-Oracle: Lucas Jellema, Andrejus Baranovski, Chris Muir
Oracle: Frank Nimphius, Grant Ronald, Steve Muench, Duncan Mills
And more…
Oracle Technology Network (OTN): ADF Code Corner, JDev/ADF Forum, Tutorials, and more..
ADF books
![Page 52: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/52.jpg)
ADF EMG
• A place to discuss best practices and methodologies for JDeveloper ADF enterprise applications
• Founded mid-2008, now 400+ members
• Focus is the Fusion Tech Stack (ADF Faces, ADF BC)
• Sessions at ODTUG, OOW
• Expert bloggers
• Sub Groups: Expert Panels (ex: Inter-Region communication Expert Panel, Security Expert Panel)
http://groups.google.com/group/adf-methodology
![Page 53: Oracle ADF Case Study](https://reader033.vdocuments.site/reader033/viewer/2022042513/54827cf8b079592e0c8b4802/html5/thumbnails/53.jpg)
Thank You