1 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Nov 11, 2014
Real World ADF Design & Architecture Principles: Designing for Security
Learning Objectives
• At the end of this module you should be able to:
  – Identify security risks and how to mitigate them
  – Understand common security design patterns
  – Understand the risk of multi channel access to your application data
  – Know about ADF Security and what it is good for
  – Think out of the box when protecting your ADF applications
“Security is the degree of protection against danger, damage, loss, and crime."
Wikipedia http://en.wikipedia.org/wiki/Security
Exercise: We have a budget for security, but what security should we buy for our ADF application? Maybe a firewall will do for a start.
Program Agenda
• Application Security Risks
• Security Principles & Patterns
• Handling Data Entry
• ADF Security
• Single Sign-On
• Securing ADF Applications
OWASP Top Ten List of Security Vulnerabilities
[Figure: OWASP Top Ten overview. Image: OWASP / CC 3.0]
• SQL Injection
  – Free text input or URL parameter values that an application passes to the database unfiltered, so that the input becomes part of the SQL statement
• Broken authentication and session management
  – Predictable tokens that identify a user session or a privilege (e.g. a license key)
• Cross-Site Scripting (XSS)
  – User input containing script (e.g. JavaScript) that the application echoes back unescaped, so that it executes in other users' browsers in the context of the web application
• Insecure direct object references
  – e.g. file references to user specific reports: if file names can be predicted, anyone can request the file and see its content, unless the application also checks that the requester is allowed to see it
• Cross-Site Request Forgery (CSRF)
  – The browser attaches the cookie that identifies the user session to every request for that site, whether the request was triggered by the application or by a third-party page
  – A malicious site can therefore make a logged-in user's browser replay a legitimate request (a form post, a URL with parameters) with that user's privileges; hidden fields copied from the real form do not help, only an unpredictable per-session token that the attacker cannot know does
• Security misconfiguration
  – Configuration settings that weaken security enforcement
  – Risk area: moving applications from development to production
• Insecure cryptographic storage
  – Sensitive data saved in the user session, on the server or on the client with weak encryption or no encryption at all
• Failure to restrict URL access
  – Direct URL access to resources may bypass authorization and break business logic (hiding a link is not authorization)
• Insufficient transport layer protection
  – Failing to ensure that messages are not changed in transit and that the server a message is sent to is indeed the server that should receive the request
• Unvalidated redirects and forwards
  – Tampered redirect targets passed in return URL parameters, which send the user to an attacker's site after a legitimate login
What is the best protection against all of these?
Education, security standards, code writing and review guidelines.
“We believe that […] programmers want to write good software. They surely don’t set out with the intention of putting security flaws in their code. Furthermore, because it’s possible for a program to satisfy a stringent functional specification and nevertheless bring a vulnerability to life, many (if not most) such flaws have been coded up by people who do their best and are satisfied with (even rewarded for) the result.”
– Secure Coding: Principles and Practices, Mark G. Graff and Kenneth R. van Wyk
Security Dependencies
• Performance impact
  – Fine grain security checks
  – HTTPS overhead
  – Message encryption
• Usability
  – Periodical re-authentication
  – Complex password rules
  – Frequent password renewals
  – Access restrictions (business hours, point of access)
[Figure: trade-off triangle with the corners "Max. Performance", "Max. Usability" and "Max. Security"]
Security Principles: Security By Design
• Identify security threats
  – Flooding, fire, earthquake, SQL exploits, identity fraud or theft, hackers, denial of service …
• Define other security requirements for the application
  – Corporate requirements, e.g. single sign-on, shared identity management system, auditing, centralized security administration, data protection …
  – Application requirements, e.g. enforce valid user input, ensure users only have access to what they are allowed to access, ensure users are authenticated …
• Define security coding and review standards

Consider Security by Design
Security Design Patterns
• Defense in depth
• Least privileged access
• Single access point
• Check point
• Roles
• Full view with errors
• Limited view
• Session
Web Authentication
• Identifies a user by something the user knows (a secret) or has (a certificate)
• Usually handled by the Java EE container against a configured identity store
• Database schema authentication (one database account per application user) is not a recommended model for Java EE applications
  – Doesn't scale well: the web is stateless and connections are pooled, which in no way compares to a desktop application holding one connection per user
• The authenticated user is exposed through the security context, which is accessible throughout the application
Exercise: What are the different channels that users can use to input data into our system?
Data Entry: The List of Data Entry You Cannot Trust
• User input
• Service interfaces
  – Web services
  – SOA services
  – PL/SQL
• Java interfaces
• Request parameters
• Cookies
“Love all, trust a few."
- William Shakespeare
Validate All Data Entry
• Data format pattern
  – Ensures data entry matches a specific format
  – Example: social security number, credit card number, license key
• Numeric / character
  – Ensures the correct data type is entered
• Dependent value
  – Compares entered data with the value of a related field
  – Example: start date < end date
Find And Fix The Weakest Link
• The best locks on your front door don't help if the windows are left wide open
• Protect assets, not applications!
• A tale about a failed SQL injection prevention attempt …
Protecting ADF Applications: responsibilities and means per layer

Layer             | Responsibility                                                                                    | How
View / Controller | Authentication, page authorization, field authorization, identity propagation, input validation   | Container-managed authentication, validators
Binding (ADF)     | Page security, task flow security                                                                 | Java EE authentication, JAAS authorization, validators
Business Service  | Business method authorization, identity propagation, CRUD authorization, input validation         | JAAS, Java EE authorization context, validation rules
Database          | DML authorization, read authorization, PL/SQL authorization                                       | VPD, database proxy, SYS_CONTEXT
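The "identity propagation" entry of the business service row and the "SYS_CONTEXT" entry of the database row are usually wired together in the application module, so that a Virtual Private Database policy can filter rows by the user who is actually logged in rather than by the shared connection pool account. The following Java is an added example, not code from the slides or from Oracle. The package name, the application module name and the PL/SQL package app_sec (assumed to be the trusted package named in CREATE CONTEXT app_ctx USING app_sec, wrapping DBMS_SESSION.SET_CONTEXT) are assumptions.

```java
// Added example (not from the slides). Package, application module name and
// the PL/SQL package APP_SEC are assumptions.
package example.model;

import java.sql.CallableStatement;
import java.sql.SQLException;

import oracle.adf.share.ADFContext;
import oracle.adf.share.security.SecurityContext;
import oracle.jbo.JboException;
import oracle.jbo.Session;
import oracle.jbo.server.ApplicationModuleImpl;
import oracle.jbo.server.DBTransaction;

/**
 * Application module that propagates the authenticated ADF user into the
 * database session, so that VPD policies and PL/SQL can read it with
 * SYS_CONTEXT('app_ctx', 'user_name') instead of trusting a value that the
 * middle tier pastes into every query.
 *
 * Assumed database side (not part of the slides):
 *   CREATE CONTEXT app_ctx USING app_sec;
 *   -- app_sec.set_user(p_user) calls
 *   -- DBMS_SESSION.SET_CONTEXT('app_ctx', 'user_name', p_user)
 * Because the context is bound to that package, no other code in the
 * session (an injected statement, for instance) can overwrite the attribute.
 */
public class AppModuleImpl extends ApplicationModuleImpl {

    private static final String SET_USER_CALL = "{call app_sec.set_user(?)}";

    /** Framework hook: the application module is handed to a user session. */
    @Override
    protected void prepareSession(Session session) {
        super.prepareSession(session);
        setDatabaseUser(currentUserName());
    }

    /**
     * Framework hook: a JDBC connection was obtained. With
     * jbo.doconnectionpooling=true the connection can change between
     * requests, so the context is set again here rather than trusted to
     * survive from prepareSession().
     */
    @Override
    protected void afterConnect() {
        super.afterConnect();
        setDatabaseUser(currentUserName());
    }

    /** Framework hook: the connection goes back to the pool; leave no identity behind. */
    @Override
    protected void beforeDisconnect() {
        setDatabaseUser(null);
        super.beforeDisconnect();
    }

    /** Authenticated user name from the ADF security context, or null for anonymous access. */
    static String currentUserName() {
        SecurityContext sec = ADFContext.getCurrent().getSecurityContext();
        if (sec == null || !sec.isAuthenticated()) {
            return null;
        }
        return sec.getUserName();
    }

    /** Writes the user name into the database session context; null clears it. */
    private void setDatabaseUser(String userName) {
        DBTransaction tx = getDBTransaction();
        CallableStatement cs = null;
        try {
            cs = tx.createCallableStatement(SET_USER_CALL, 0);
            cs.setString(1, userName);
            cs.execute();
        } catch (SQLException e) {
            // Fail closed: abort the request rather than run it with whatever
            // context the previous user of this pooled connection left behind.
            throw new JboException("Cannot propagate identity to the database: " + e.getMessage());
        } finally {
            if (cs != null) {
                try {
                    cs.close();
                } catch (SQLException ignored) {
                    // nothing sensible to do on close failure
                }
            }
        }
    }
}
```

A VPD policy predicate such as `owner = SYS_CONTEXT('app_ctx', 'user_name')` then returns no rows when the context is empty, which is the right default: an unauthenticated request never sees data, and a forgotten hook is noticed in testing rather than in an audit.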
Oracle Platform Security Services (OPSS)
• Standards-based, portable, integrated, enterprise-grade Oracle security framework for Java SE and Java EE applications
• Provides security to Oracle Fusion Middleware including WebLogic Server, Service Oriented Architecture (SOA) applications, Oracle WebCenter, Oracle ADF applications, and Oracle Entitlements Server
• Designed to be portable to third-party application servers
• Provides an abstraction layer that insulates developers from security and identity management implementation details
• Decreases application development, administration, and maintenance costs
• Goes beyond the security available in the Java SE and Java EE standards (policy and credential stores, application roles, auditing)
ADF & OPSS Architecture Overview
[Figure: Java EE application deployment on WebLogic Server. The ADF application uses the ADF Security Context, which sits on the OPSS API (JAAS integration). OPSS performs AuthN and AuthZ against LDAP/DB servers, the Credential Store Framework (CSF), or file-based stores.]
ADF Security: Framework Features
• Authentication is handled by the Java EE container
• Authorization is automatically enforced on
  – Bounded task flows
  – Pages in unbounded task flows
  – ADF Business Components entities and attributes
• Views inside a bounded task flow are protected through the task flow's permission, not individually
  – Fine grain view protection in bounded task flows can be defined declaratively using nested bounded task flows
• Authorization is based on JAAS permissions
• Authorization policies are defined declaratively
ADF Security: Programmatic Features
• Security Expression Language
  – #{securityContext.authenticated}
  – #{securityContext.userName}
  – #{securityContext.userInRole['roleList']}
  – #{securityContext.userInAllRoles['roleList']}
  – #{securityContext.taskflowViewable['target']}
  – #{securityContext.regionViewable['target']}
  – #{securityContext.userGrantedResource['permission']}
  – #{securityContext.userGrantedPermission['permission']}
• Security Java API
• Create custom permissions based on the OPSS ResourcePermission
  – Use for menu security and UI component security
• Declaratively define view permissions for pages in bounded task flows
  – Authorization still needs to be enforced by your own code, using security EL or Java
• ADF Security Groovy access from ADF Business Components
  – Query view objects based on the authenticated user (e.g. adf.context.securityContext.userName as a bind variable default)
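The security EL above has a Java counterpart for places where EL is not available (action listeners, navigation handlers, service methods) and for custom resource permissions. The following managed bean is an added example, not code from the slides or from Oracle; the package, the bean name menuSecurity, the resource type MenuResourceType, the resource names and the control flow case name are assumptions that must match the grants in the application's jazn-data.xml.

```java
// Added example (not from the slides). Package, bean name, resource type
// "MenuResourceType" and resource names are assumptions that must match the
// grants in jazn-data.xml.
package example.view;

import java.security.Permission;

import oracle.adf.share.ADFContext;
import oracle.adf.share.security.SecurityContext;
import oracle.security.jps.ResourcePermission;

/**
 * Request-scoped managed bean exposing the same checks as the security EL,
 * for the places where EL is not available or a custom permission is used.
 */
public class MenuSecurityBean {

    /** Resource type registered with the custom permission in jazn-data.xml (assumption). */
    static final String MENU_RESOURCE_TYPE = "MenuResourceType";
    static final String VIEW_ACTION = "view";

    private static SecurityContext securityContext() {
        return ADFContext.getCurrent().getSecurityContext();
    }

    /** Java equivalent of #{securityContext.authenticated} */
    public boolean isAuthenticated() {
        SecurityContext sec = securityContext();
        return sec != null && sec.isAuthenticated();
    }

    /** Java equivalent of #{securityContext.userName}; "anonymous" rather than null. */
    public String getUserName() {
        return isAuthenticated() ? securityContext().getUserName() : "anonymous";
    }

    /**
     * Java equivalent of
     * #{securityContext.userGrantedResource['resourceName=adminMenu;resourceType=MenuResourceType;action=view']}
     * Deny by default: anonymous users and missing grants both yield false.
     */
    public boolean isMenuViewable(String menuName) {
        if (!isAuthenticated() || menuName == null) {
            return false;
        }
        Permission required = new ResourcePermission(MENU_RESOURCE_TYPE, menuName, VIEW_ACTION);
        return securityContext().hasPermission(required);
    }

    /** Bound from the page as rendered="#{menuSecurity.adminMenuViewable}" (assumed bean name). */
    public boolean isAdminMenuViewable() {
        return isMenuViewable("adminMenu");
    }

    /** Java equivalent of #{securityContext.userInRole['hr-manager,payroll-admin']}: any listed role suffices. */
    public boolean isUserInAnyRole(String commaSeparatedRoles) {
        if (!isAuthenticated() || commaSeparatedRoles == null) {
            return false;
        }
        SecurityContext sec = securityContext();
        for (String role : commaSeparatedRoles.split(",")) {
            if (sec.isUserInRole(role.trim())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Action guard. rendered="false" keeps the menu item out of the page, but
     * the action behind it can still be triggered (crafted POST, direct task
     * flow URL), so the same permission is checked again where the action runs.
     */
    public String showAdminMenu() {
        if (!isAdminMenuViewable()) {
            throw new SecurityException("User " + getUserName() + " is not granted adminMenu/view");
        }
        return "adminMenu"; // control flow case name, assumed
    }
}
```

The point of the last method is the one the slides make about view permissions: hiding a component is a usability decision, the permission check in the code path that does the work is the security decision, and the two must agree.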
OPSS and ADF Security Vocabulary: You Must Get This Right!
• User
  – Individual user identities defined in your identity management system
• Enterprise roles
  – Enterprise user groups defined in your identity management system for use across application boundaries
• Application roles
  – ADF application specific roles that provide an abstraction layer over enterprise user groups
  – Permissions are granted to application roles
OPSS architecture for WLS: design time
[Figure: Oracle JDeveloper design time. Files involved: web.xml (authentication servlet), adf-config.xml, jazn-data.xml (users, groups, roles, permissions), weblogic.xml.]

OPSS architecture for WLS: runtime (production)
[Figure: Oracle WebLogic Server (OPSS) runtime. system-jazn-data.xml holds application roles and grants; a grant names a permission (target, permission class, actions). Users and enterprise roles come from the identity store (OID, OVD, LDAP, Active Directory, holding enterprise users and enterprise groups) through a LoginModule; the credential store shown is an RDBMS.]
What You Should Know: ADF Security Authorization Best Practices
• Grant permissions to application roles only
  – Easier to administer
  – No dependency on the identity management system
• After deployment, the security administrator maps application roles to enterprise roles (aka enterprise groups) using Oracle Enterprise Manager Fusion Middleware Control
• ADF applications can be configured to "override" or "merge with" existing policies on redeployment
• Although the framework does not enforce authorization on individual views inside a bounded task flow, you can still do it
  – Create a region permission for the view in the bounded task flow
  – Enforce the permission using security EL or Java
What You Should Know: Security Deployment
• All permissions and application roles must be copied to the master (aka "top level" or "super web") application
  – An ADF library may contain a jazn-data.xml file, but it is not enforced at runtime
  – ADF regions added through ADF libraries must have their security grants defined in the master application
• Security policies are deployed to the WebLogic Server system-jazn-data.xml file when the application EAR file is deployed (if policy migration is enabled for the deployment)
So ADF Security is “The Solution”?
No, it is just a tool in ADF that you use to implement security.
Single Sign-On In Oracle ADF Architecture
[Figure: comparison of a "pillar" architecture with a "cylinder" architecture. Labels on the slide: Fine Grained, Two for One Deal, Multi-Access Channel, one time authentication for all buildings, one time authentication for all pillars.]
Single Sign-On Best Practices
• Implementing your own single sign-on solution for Oracle ADF applications is a proven path to failure
  – Failure to keep authenticated user session state (OTN forum reports)
  – Performance problems coded into your applications
  – Insecure token and credential sharing
• ADF Security works well with Oracle Access Manager (OAM) for single sign-on
  – Works across FMW product boundaries including SOA, WebCenter and Oracle Forms
• Kerberos is an alternative, Windows-based SSO solution
  – Kerberos/SPNEGO with Oracle WebLogic Server
Oracle ADF Without Single Sign-On
[Figure: adf_domain with a secured ADF application; the WLS authentication provider authenticates users against Oracle Internet Directory (steps 1 to 4).]

Oracle ADF Single Sign-On With OAM
[Figure: adf_domain with Oracle HTTP Server and OAM WebGate in front of the secured ADF application; users are held in Oracle Internet Directory (steps 1 and 2).]

Oracle ADF With Single Sign-On Using OAM
[Figure: adf_domain (Oracle HTTP Server, OAM WebGate, secured ADF application) and idm_domain (Oracle Access Manager, Oracle Internet Directory) (steps 1 and 2).]
[Figure, continued: Oracle Access Manager holds the OAM session, identified by the OAM_ID cookie (steps 1 and 2).]
[Figure, continued: the OAM WebGate in front of the application uses the OAMAuthnCookie once the OAM session exists (steps 1 to 3).]
Exercise: OK, ADF Security is on my list. What else?
ADF Business Components
• Define ADF Security permissions for entities and entity attributes
  – Permissions are enforced by the ADF framework
  – In addition, hide controls such as delete buttons using security EL if a user is not allowed to delete an entity
• Avoid dynamically built SQL statements; use view objects and view criteria with named bind variables
• Validate input variables on the view object before issuing executeQuery
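The last two bullets, shown side by side in an application module. This is an added example, not code from the slides or from Oracle. The package and view object instance names are assumptions: EmployeesSearch is assumed to declare a bind variable lastName in its view object definition and to carry "WHERE last_name = :lastName" in its query; EmployeesUnsafe is assumed to be a plain view object without bind variables and exists only to show the anti-pattern.

```java
// Added example (not from the slides). Package, application module and view
// object instance names are assumptions (see the lead-in).
package example.model;

import java.util.regex.Pattern;

import oracle.jbo.JboException;
import oracle.jbo.ViewObject;
import oracle.jbo.server.ApplicationModuleImpl;

public class EmployeeSearchAMImpl extends ApplicationModuleImpl {

    /**
     * Allow-list for a last name: letters (any script), apostrophe, hyphen,
     * space, 1 to 40 characters. Rejecting everything else before the query
     * is issued is cheaper than finding out afterwards what  ' OR 1=1 --  did.
     */
    private static final Pattern LAST_NAME = Pattern.compile("[\\p{L}' -]{1,40}");

    /**
     * ANTI-PATTERN, kept for contrast. The user-supplied value becomes part
     * of the SQL text:  x' OR '1'='1  lists every employee, and a UNION
     * reads any table the application's database account can see.
     */
    public int findByLastNameUnsafe(String lastName) {
        ViewObject vo = findViewObject("EmployeesUnsafe");
        vo.setWhereClause("LAST_NAME = '" + lastName + "'");
        vo.executeQuery();
        return (int) vo.getEstimatedRowCount();
    }

    /**
     * Hardened version: validate the input against the allow-list, then hand
     * it to the database as a bind variable. The value is never part of the
     * SQL text, so it cannot change the statement; the database also reuses
     * one parsed cursor instead of hard-parsing every search term.
     */
    public int findByLastName(String lastName) {
        if (!isValidLastName(lastName)) {
            // Generic message: do not echo the rejected input into the UI or the log unescaped
            throw new JboException("Invalid search value for last name");
        }
        ViewObject vo = findViewObject("EmployeesSearch");
        vo.setNamedWhereClauseParam("lastName", lastName);
        vo.executeQuery();
        return (int) vo.getEstimatedRowCount();
    }

    /** The input check that runs before executeQuery(), separated so it can be unit tested. */
    static boolean isValidLastName(String lastName) {
        return lastName != null && LAST_NAME.matcher(lastName).matches();
    }
}
```

Declaring the bind variable on the view object (rather than with defineNamedWhereClauseParam at runtime) keeps the SQL shape fixed and lets the same method be called any number of times on one application module instance. The validation is a second line of defence, not a substitute for the bind variable: a value that passes the allow-list still goes to the database as data, never as SQL.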
ADF Controller
• Navigate using control flows and avoid navigation through redirects
• Configure exception handler activities in all bounded task flows
• Protect task flow access using ADF Security
  – The framework enforces user authorization
  – In addition, hide the navigation UI control using security EL if a user is not allowed to access a task flow
• Ensure task flows that use JSF documents are not accessible directly from browsers
  – Enforce a single point of access for your application
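A single point of access is most easily enforced with a servlet filter, which is also what the "check point" and "single access point" design patterns from the Security Design Patterns slide look like in a Java EE application, and where the OWASP items "failure to restrict URL access" and "unvalidated redirects and forwards" can be handled in one place. The filter below is an added example, not code from the slides or from Oracle; the package, the public entry paths (the login page and the ADF resource servlet prefixes) and the name of the returnUrl parameter are assumptions.

```java
// Added example (not from the slides). Package, public paths and the
// "returnUrl" parameter name are assumptions.
package example.web;

import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * "Check Point" / "Single Access Point" filter: every request is screened in
 * one place before it reaches the ADF servlets. Mapped to /* in web.xml
 * ahead of the ADF filters.
 *
 * 1. Page fragments (.jsff) and anything addressing WEB-INF or using ".." are
 *    never served directly; views are reached only through task flow navigation.
 * 2. Everything except the listed public paths needs a container-authenticated
 *    principal. web.xml security constraints remain the primary mechanism;
 *    this is defense in depth for URLs that a constraint forgot.
 * 3. A "returnUrl" parameter is accepted only when it points back into this
 *    application (OWASP: unvalidated redirects and forwards).
 */
public class CheckPointFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(CheckPointFilter.class.getName());

    /** Paths reachable without authentication: login page, ADF resource servlets (assumption). */
    private static final List<String> PUBLIC_PREFIXES =
        Arrays.asList("/faces/login", "/adf/", "/afr/");

    private String contextPath;

    public void init(FilterConfig config) {
        contextPath = config.getServletContext().getContextPath();
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        String path = req.getServletPath() + (req.getPathInfo() == null ? "" : req.getPathInfo());

        if (isInternalResource(path)) {
            LOG.warning("Blocked direct access to " + path + " from " + req.getRemoteAddr());
            resp.sendError(HttpServletResponse.SC_NOT_FOUND); // do not confirm that the resource exists
            return;
        }
        if (!isPublic(path) && req.getUserPrincipal() == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String returnUrl = req.getParameter("returnUrl");
        if (returnUrl != null && !isLocalReturnUrl(returnUrl, contextPath)) {
            LOG.warning("Rejected off-site returnUrl from " + req.getRemoteAddr());
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
    }

    /** Resources that must only be reached by the framework, never by URL. */
    static boolean isInternalResource(String path) {
        String p = path.toLowerCase();
        return p.contains("/web-inf/") || p.contains("/meta-inf/") || p.contains("..")
            || p.endsWith(".jsff");
    }

    static boolean isPublic(String path) {
        for (String prefix : PUBLIC_PREFIXES) {
            if (path.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Accepts only a path inside this application. "//evil.example" and
     * "/\evil.example" are scheme-relative URLs to a browser, so exactly one
     * leading slash is required; CR and LF would allow response splitting.
     */
    static boolean isLocalReturnUrl(String url, String contextPath) {
        if (url.isEmpty() || url.indexOf('\r') >= 0 || url.indexOf('\n') >= 0) {
            return false;
        }
        if (!url.startsWith("/") || url.startsWith("//") || url.startsWith("/\\")) {
            return false;
        }
        if (url.contains("://") || url.contains("..")) {
            return false;
        }
        return contextPath == null || contextPath.isEmpty()
            || url.equals(contextPath) || url.startsWith(contextPath + "/");
    }
}
```

Moving page documents into WEB-INF (one of the "Some Ideas" later in this deck) makes the first rule largely redundant, which is the point of defense in depth: the filter still catches the fragment that a later developer drops into public_html.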
ADF Binding Layer
• Use the "viewable" property on bindings to check user permissions using security EL
  – If viewable evaluates to false, the associated UI component renders read-only
• Configure a custom error handler in DataBindings.cpx to control the information displayed to users
  – Distinguish between authorized personnel and end users when displaying and logging error messages (stack traces and SQL text belong in the log, not on the page)
ADF View
• Hide all UI components users are not supposed to see or use
  – Use security EL on the "rendered" property
• Look for ways to simplify security configuration by grouping protected components
What about the "display" property? A component hidden only through a display or visible property is still sent to the browser, where anyone can reveal it with the developer tools; only rendered="false" keeps it out of the page, and only a server-side permission check protects the action behind it.
Input Validation
• ADF View
  – Validators / converters
    • Components
    • Managed beans
  – Value change event handlers
  – Client side scripts (convenience only, never the sole check)
• ADF Binding
  – Binding element validators
• ADF Business Components
  – Entity validation
    • Cross-attribute validation such as dependent field validation
  – Entity attribute validation
    • Validates individual attribute values
  – Transaction level
    • Entity setting to defer validation until before commit
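The dependent-value case from the Validate All Data Entry slide (start date < end date) also appears here as cross-attribute validation. The entity-level rule in ADF Business Components is the authoritative check, since it runs for every channel that reaches the entity; a view-layer validator only gives the user an earlier message. The following JSF validator is an added example, not code from the slides or from Oracle; the package, the validator id and the component ids are assumptions, and it assumes both dates arrive as java.util.Date.

```java
// Added example (not from the slides). Package, validator id and component
// ids are assumptions.
package example.view;

import java.util.Date;

import javax.faces.application.FacesMessage;
import javax.faces.component.EditableValueHolder;
import javax.faces.component.UIComponent;
import javax.faces.context.FacesContext;
import javax.faces.validator.Validator;
import javax.faces.validator.ValidatorException;

/**
 * Dependent-value check in the view layer: the end date must not lie before
 * the start date. Registered in faces-config.xml under the validator id
 * "dateRangeValidator" and attached to the end date component:
 *
 *   <af:inputDate id="startDate" value="#{bindings.StartDate.inputValue}"/>
 *   <af:inputDate id="endDate" value="#{bindings.EndDate.inputValue}">
 *     <f:validator validatorId="dateRangeValidator"/>
 *     <f:attribute name="startDateId" value="startDate"/>
 *   </af:inputDate>
 *
 * JSF validates components in page order, so when this validator runs the
 * start date component already holds the converted value the user just
 * submitted. Reading #{bindings.StartDate.inputValue} here instead would
 * return the old model value, because the model is updated only after the
 * whole form has validated.
 */
public class DateRangeValidator implements Validator {

    public void validate(FacesContext context, UIComponent endComponent, Object endValue)
            throws ValidatorException {
        if (endValue == null) {
            return; // an empty end date is the job of required="true", not of this rule
        }
        String startId = (String) endComponent.getAttributes().get("startDateId");
        if (startId == null) {
            throw new IllegalStateException("f:attribute startDateId is missing on " + endComponent.getId());
        }
        UIComponent start = endComponent.findComponent(startId);
        if (!(start instanceof EditableValueHolder)) {
            throw new IllegalStateException("No input component with id " + startId);
        }
        EditableValueHolder startInput = (EditableValueHolder) start;
        if (!startInput.isValid()) {
            return; // the start date already carries its own error message
        }
        // Assumption: both values are java.util.Date (af:inputDate with the
        // default converter). Convert first if your binding delivers
        // oracle.jbo.domain.Date.
        Date startDate = asDate(startInput.getValue());
        Date endDate = asDate(endValue);
        if (!isValidRange(startDate, endDate)) {
            FacesMessage msg = new FacesMessage(FacesMessage.SEVERITY_ERROR,
                "End date must not be before start date", null);
            throw new ValidatorException(msg);
        }
    }

    /** The rule itself, free of JSF types so it can be unit tested. A missing date passes. */
    static boolean isValidRange(Date startDate, Date endDate) {
        if (startDate == null || endDate == null) {
            return true;
        }
        return !endDate.before(startDate);
    }

    private static Date asDate(Object value) {
        return value instanceof Date ? (Date) value : null;
    }
}
```

Format-pattern checks (social security number, license key) need no Java at all in ADF Faces: af:validateRegExp does them declaratively. The dependent-value case needs code because it reads a second component, and findComponent resolves the id relative to the nearest naming container, so both inputs must sit in the same form or region.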
Exercise: You there – tall guy, blue shirt, sitting in the back. What else?

Think Out Of The Box!
Some Ideas
• Servlet filters
• Phase listeners
• Component validators
• Bind variables
• Custom resource permissions and security EL or Java
• Move page documents into /public_html/WEB-INF
• Managed beans, ViewImpl and EntityImpl classes
• MDS customization classes
• RDBMS security (label security, triggers …)
Conclusion
• Become aware of what your business is afraid of and what you want to protect within your application
• Security must be implemented on all application layers
• Permissions should be granted to roles and never to users directly
• ADF Security is a tool that makes it easier to enforce authentication and authorization in ADF applications. However, it is not all you need.
• Application security requires you to be creative and think out of the box. Not all tools you can use for security have the name "security" in them.
Further Reading
• Security for Everyone – Oracle Magazine article
  – http://www.oracle.com/technetwork/issue-archive/2012/12-jan/o12adf-1364748.html
• ADF Security documentation – Oracle JDeveloper and ADF Documentation Library, Fusion Developer's Guide
  – "Enabling ADF Security in a Fusion Web Application"
• ADF Insider recordings
  – ADF Security overview: http://download.oracle.com/otn_hosted_doc/jdeveloper/11gdemos/AdfSecurity/AdfSecurity.html
  – Security deployment: http://download.oracle.com/otn_hosted_doc/jdeveloper/11gdemos/adf_security1/adf_security1.html and http://download.oracle.com/otn_hosted_doc/jdeveloper/11gdemos/adf_security2/adf_security2.html
  – Single sign-on: http://download.oracle.com/otn_hosted_doc/jdeveloper/11gdemos/adf_oam_integration/adf_oam_integration.html