Page 1
1 Copyright © 2011, Oracle and/or its affiliates. All rights
reserved.
CUSTOMER LOGO
“This slide format serves to call attention to a quote from
a prominent customer, executive, or thought leader in
regards to a particular topic.”
Name
Title, Company Name
blogs.oracle.com/IMC
Page 2
2 Copyright © 2011, Oracle and/or its affiliates. All rights
reserved.
ORACLE ADF SECURITY & BEST PRACTICES
Gokhan Gungor
Oracle ISV Migration Center FMW Consultant
[email protected]
Page 3
3 Copyright © 2011, Oracle and/or its affiliates. All rights
reserved.
ISV Migration Center Team
• Who we Are ISV Migration Center Team is a team of senior technical consultants based in
Eastern and Central Europe and represents Oracle's technical investment for partners.
• Mission Statement Enable partners to rapidly and successfully adopt and implement Oracle
latest technology
• What do we Offer Whether you are selling Oracle technology, building business solutions,
including hosted Internet solutions or providing system integration and implementation services
for Oracle technology, IMC Team can help you succeed.
• How can we assist We offer a wide range of free services for partners such as one2one
assistance, webinars, seminars and hands-on workshops.
ISV Migration Center blog: http://blogs.oracle.com/imc
Page 4
4 Copyright © 2011, Oracle and/or its affiliates. All rights
reserved.
Program Agenda
• Security Risks, Patterns and Best Practices
• Oracle Platform Security Services and ADF Security
• Designing Security into ADF applications
• Deploying and Configuring security enabled ADF
applications on WebLogic Server
Page 5
5 Copyright © 2011, Oracle and/or its affiliates. All rights
reserved.
Application security encompasses measures taken throughout
the application's life-cycle to prevent exceptions in the
security policy of an application or the underlying system
(vulnerabilities) through flaws in the design, development,
deployment, upgrade, or maintenance of the application.
Wikipedia
http://en.wikipedia.org/wiki/Security
Page 6
6 Copyright © 2011, Oracle and/or its affiliates. All rights
reserved.
OWASP Top 10 Application Security Risks
1. Injection
2. Cross-Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross-Site Request Forgery (CSRF)
Page 7
7 Copyright © 2011, Oracle and/or its affiliates. All rights
reserved.
OWASP Top 10 Application Security Risks
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL access
9. Insufficient Transport Layer Protection
10.Unvalidated Redirects and Forwards
Page 8
8 Copyright © 2011, Oracle and/or its affiliates. All rights
reserved.
Security Design Patterns
• Single Access Point
– A security model is difficult to validate when it has multiple “front doors,” “back
doors,” and “side doors” for entering the application.
– Set up only one way to get into the system, and if necessary, create a mechanism
for deciding which sub-applications to launch.
• Check Point
– An application needs to be secured from break-in attempts, and appropriate
actions should be taken when such attempts occur.
– Create an object that encapsulates the algorithm for the enterprise's security
policy.
Page 9
9 Copyright © 2011, Oracle and/or its affiliates. All rights
reserved.
Security Design Patterns
• Role-Based Access Control
– Users have different security profiles, and some profiles are similar. If the user
base is large enough or the security profiles are complex enough, then managing
user-privilege relationships can become difficult.
– Create one or more role objects that define the permissions and access rights that
groups of users have.
• Session
– Many objects need access to shared values, but the values are not unique
throughout the system.
– Create a Session object, which holds all of the variables that need to be shared by
many objects.
Page 10
10 Copyright © 2011, Oracle and/or its affiliates. All rights
reserved.
Security Design Patterns
• Full View With Errors
– Users should not be allowed to perform illegal operations.
– Design the application so users see everything that they might have access to.
• Limited View
– Only let the users see what they have access to.
• Secure Access Layer
– Application security will be insecure if it is not properly integrated with the security
of the external systems it uses.
Page 11
11 Copyright © 2011, Oracle and/or its affiliates. All rights
reserved.
Program Agenda
• Security Risks, Patterns and Best Practices
• Oracle Platform Security Services and ADF Security
• Designing Security into ADF applications
• Deploying and Configuring security enabled ADF
applications on WebLogic Server
Page 12
12 Copyright © 2011, Oracle and/or its affiliates. All rights
reserved.
What is OPSS
• An acronym for Oracle Platform Security Services
• The Oracle security platform for developers
• Derived out of JAZN, JPS and CSS
• Portable security services abstraction layer designed to save
development time and effort by providing a consistent security
experience across different platforms and environments
• Provides basic security services such as authentication, authorization,
auditing, role management, and credential management.
Page 13
13 Copyright © 2011, Oracle and/or its affiliates. All rights
reserved.
Oracle Products using OPSS
Product Name What It Does How It Uses OPSS
Oracle ADF / WebCenter ADF is the framework used to
develop WebCenter applications
(portlets, etc.)
Uses CSS for authentication and JPS for authorization (JAAS). Leverages
application role, anonymous and authenticated role, policy store abstraction,
policy management, credential store framework
Oracle Web Services Manager
(OWSM)
Provides SOA and web services
security
Leverages JPS for authorization, key store services, and audit
Oracle SOA Suite Provides applications designed to
deploy SOA environments (BPEL,
ESB, etc.)
Uses CSS for authentication and JPS for authorization and audit
Oracle Service Bus (OSB) Connects, mediates, and manages
SOA composites interaction
Uses CSS for authentication, identity assertion, authorization, role mapping,
credentials mapping, cert. lookup, audit, SSO, SSPI framework for third-party
integration
Oracle Entitlements Service (OES) Provides externalized fine-grained
authorization
Uses CSS for authentication, identity assertion, authorization, role mapping,
credentials mapping, cert. lookup, audit.
WebLogic Server (WLS) Container Java EE server / container Uses CSS for authentication, identity assertion, authorization, role mapping,
credentials mapping, cert. lookup, audit, SSO, SSPI framework for third-party
integration
Page 14
14 Copyright © 2011, Oracle and/or its affiliates. All rights
reserved.
OPSS Architecture
• Authentication
• Authorization
• Auditing
• Role management
• Credential management
Page 15
15 Copyright © 2011, Oracle and/or its affiliates. All rights
reserved.
OPSS architecture for WLS
web.xml
adf-config.xml
Oracle JDeveloper - Designtime
jazn-data.xml
weblogic.xml
Oracle WebLogic Server (OPSS) - Runtime
Users
Enterprise Roles Applic
ation
Role
s
system-jazn-data.xml
Gra
nts
Perm
issio
n
Target
Permission class
Actions
Identity Store OID
OVD
LDAP
Active Directory
Enterprise
Groups
Enterprise
Users
Credential Store
Deploy
RDBMS
LoginModule
Users
Groups
Roles
Permissions
Authentication
servlet
Page 16
16 Copyright © 2011, Oracle and/or its affiliates. All rights
reserved.
ADF Security
• Provides declarative protection for ADF applications
• Designed to simplify security in ADF applications
• Enforces JEE authentication
– Delegated to WebLogic Server Authentication Providers
– Easy to configure via the "ADF Security Wizard"
• ADF bindings protected by JAAS based Authorization
– Leverages EL to protect UI components
• Provides support for XML & LDAP providers
• Integrated with JDeveloper design time and WLS
Page 17
17 Copyright © 2011, Oracle and/or its affiliates. All rights
reserved.
ADF Security
• Task Flow Security
• ADF Security protects task flows based on JAAS permissions independently
from the availability of ADF bindings.
• Bounded task flows are secured by default.
• ADF Page Security
• Page definitions are secured by default.
• Page-level security is not checked within bounded task flows.
• Use nested task flows to add extra security to a page
Page 18
18 Copyright © 2011, Oracle and/or its affiliates. All rights
reserved.
ADF Security
• ADF BC Entity Object Security
• Declarative Authorization
• Entities
• Entity Attributes
Page 19
19 Copyright © 2011, Oracle and/or its affiliates. All rights
reserved.
Program Agenda
• Security Risks, Patterns and Best Practices
• Oracle Platform Security Services and ADF Security
• Designing Security into ADF applications
• Deploying and Configuring security enabled ADF
applications on WebLogic Server
Page 20
20 Copyright © 2011, Oracle and/or its affiliates. All rights
reserved.
ADF & OPSS Integration New Policy Editor
Page 21
21 Copyright © 2011, Oracle and/or its affiliates. All rights
reserved.
ADF Security Policy Configuration
Enable/ Disable Security
Create Policy Roles
Define custom permissions
Group resource grants
Define EAR settings
Model IDM
- Users
- Groups
Page 22
22 Copyright © 2011, Oracle and/or its affiliates. All rights
reserved.
ADF & OPSS Integration
• web.xml
– Defines the Oracle JpsFilter filter to set up the OPSS policy provider.
– Adds, ADF authentication servlet to trigger Java EE authentication.
– Defines required security roles.
• adf-config.xml
– Defines JAAS security context
– Enables the use of ADF security policies for permission checking.
– Enables the use of the ADF authentication servlet.
– Enables the use of ADF Security security policies for permission checking.
What Happens When You Enable ADF Security
Page 23
23 Copyright © 2011, Oracle and/or its affiliates. All rights
reserved.
ADF & OPSS Integration
• jps-config.xml
– Defines the Oracle Platform Security Services context.
• weblogic.xml
– Maps the valid-users security role to the Oracle Platform Security Services
principal users.
• jazn-data.xml
– Sets the default jazn.com realm name for the XML identity store that you
configure for use with Integrated WebLogic Server.
What Happens When You Enable ADF Security
Page 24
24 Copyright © 2011, Oracle and/or its affiliates. All rights
reserved.
Demonstration
Deploying and Configuring security enabled ADF applications on WebLogic Server
Page 25
25 Copyright © 2011, Oracle and/or its affiliates. All rights
reserved.
Questions
©2011 Oracle Corporation
Gokhan Gungor
Oracle ISV Migration Center FMW Consultant
[email protected]
ISV Migration Center blog: http://blogs.oracle.com/imc
Page 26
26 Copyright © 2011, Oracle and/or its affiliates. All rights
reserved.
CUSTOMER LOGO
“This slide format serves to call attention to a quote from
a prominent customer, executive, or thought leader in
regards to a particular topic.”
Name
Title, Company Name
blogs.oracle.com/IMC