Java Authentication and Authorization Services for E-Business Suite
Veshaal Singh
Director, Applications Technology
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Program Agenda
• Current Scenarios
• Problems
• Solution
• Benefits
• Demonstration
• Q & A
Current Scenarios
ADF with e-Business Suite
• E-Business Suite ships with standard Modules
• Needs to extend/develop module
• Wants to develop using ADF
• Ensure that it works with the e-Business Security Model
• Register as a Responsibility
• Utilize the FND_USER for authentication
• Leverage UMX and RBAC for authorization
EJBs with e-Business Suite
• Healthcare platform is exposed using EJBs
• E-Business Suite does not support EJBs.
• These EJBs run on a separate OC4J.
• Ensure that it works with the e-Business Security Model
EBS Technology Stack Topology
[Diagram labels: Database Logic; Application Logic; Ext. Tier J2EE Server (JSP, JMS, Web-Services, Servlets, EJB, Others..); Application (JSP, Forms, Reports, BC4J, OC4J, Web Listener, UIX); 9iAS 1.0.2.2; 9i or 10g; Database; 10gR2.]
External Tier Access
Problems and Existing Solutions
Apps Schema Access
• Issues
  • Apps Schema
  • Schema password keeps changing
  • Standard based access
  • Is it secured?
• Current Solution
  • Create a new schema and provide privileges
  • Provide apps password to external system
Solution
Application Data Source
• Application Data Source Implementation
  • J2EE/JDBC standards based
• On the External Tier Application Server
  • Register the Application Data Source
  • Register the Node as trusted Node
  • Create a new Application User
  • Grant Role (shipped) to this User
  • Register this new User in the Application Server
EBS Security Model
Authentication and Authorization
• Issues
  • Can I Utilize the existing Responsibility/Menu to Register my custom/extended application?
  • Will I get the EBS Authentication/SSO?
  • Will I be able to leverage the Function Security?
• Current Solution
  • Need access to Apps Schema
  • Ship large AOL/J libraries on the external tier
  • Deal with the dependencies etc.
  • Need to understand the EBS security internals
  • Application logic needs to have the security call
New Requirements..
• Develop or extend e-Business Suite application using standard J2EE technologies
• Leverage EBS security
  • Authentication
  • Authorization
  • Secured connectivity
• Upgrade my Custom/Extended Application Technology stack
EBS Security
Overview
Authentication & Authorization
• Authentication is the process of verifying the users’ identity. Typically this entails obtaining a user name and a password or some other credential from the user.
• Authorization is the process of verifying whether a user has access to protected resources.
[Diagram: Authentication. Andy presents User Name and Password to the Authentication Service: "Is the user who he says he is?"]
[Diagram: Authorization. Andy, Some Action, Resource, Authorization Service: "Can this user perform this action on me?"]
EBS Security
Overview
• Function Security
• Data Security
• Role Based Access Control
• Delegated Administration
• Provisioning Services
• Self Service Features
EBS Security
Overview
• Function Security
Function Security
• Functions represent basic entry points / operations / secured resources that do not have any data context, for example:
  • “Page X”
  • “Region Y”
• Typically done using responsibilities in the eBusiness suite
[Diagram: the Employee HR Self Service and Manager HR Self Service responsibilities with the functions Hiring / Firing, Transfers, Promotions, Compensation, Personal Info, Job Posts, Pay Slip.]
• Function Security
• Data Security
Data Security
• What business objects / documents hold sensitive data & need to be secured
  • For example: Expense Reports, Employees
• What secured operations can be performed on each object
  • For example: update, delete, reject, approve, escalate
  • Secured operations are represented as privileges aka permissions
• Authorization Policy: grant [someone] access to perform [a set of operations] on a given [set of business documents]:
  • [Managers] can
  • [view, approve, reject, update]
  • [expense reports]
  • [filed by their direct reports]
• Sets of business documents are identified through instance sets (SQL predicates)
• Function Security
• Data Security
• Role Based Access Control
Role Based Access Control
• RBAC standard (ANSI INCITS 359-2004)
• A role consists of
  • Other roles (via inheritance)
  • Responsibilities (via inheritance)
  • Function Security Policies
  • Data Security Policies
• A user can be assigned several roles
• A role can be assigned to several users
Use Cases
• Grant access to a set of Sales Managers
• Need access to:
  • HR Self Service
    • Manager + Employee access
  • Sales Online
    • Sales Manager access
  • Expenses
    • Manager + Employee access
  • iProcurement
    • Manager + Employee access
Access Control before..
[Diagram: users directly assigned Responsibilities. Responsibilities shown: Expenses Mgr, Expenses Employee, Employee HR Self Service, Manager HR Self Service, iProcurement Mgr, iProcurement Employee, Sales Online Mgr.]
..With RBAC: Basic Approach
[Diagram: role inheritance. Roles: Sales Manager, Sales Rep, Manager, Employee. Responsibilities: Expenses, Employee HR Self Service, Manager HR Self Service, iProcurement, Sales Online. Legend: Role Inheritance, Role.]
..With RBAC: Basic Approach (2)
• Before RBAC & with Basic RBAC Approach:
  • A Responsibility includes both the menu and the permissions to access the menu items
[Diagram: the Employee HR Self Service and Manager HR Self Service responsibilities with their menu items: Hiring / Firing, Transfers, Promotions, Compensation, Personal Info, Job Posts, Pay Slip.]
RBAC: Advanced Approach
• With Advanced Approach:
  • Separation of Navigation & Access Control
  • A Responsibility represents an Application Menu
  • Menu items disabled by default (grant = false)
[Diagram: the Human Resources menu (Hiring / Firing, Transfers, Promotions, Compensation, Personal Info, Job Posts, Pay Slip) and the Employee and Manager roles.]
RBAC: Advanced Approach (2)
• Menu items (functions) granted to Roles
• Menus automatically pruned in the Navigator
  • Users only see the menus they have access to
• Not all Apps support this approach due to legacy security implementations
  • Responsibility level Profiles etc
[Diagram: Human Resources menu. Employee: Personal Info, Job Posts, Pay Slip. Manager: Hiring / Firing, Transfers, Promotions, Compensation.]
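The role inheritance and default-deny menu pruning from the RBAC slides, as an added Java example (not part of the original deck and not EBS code). Role and function names come from the slides; the inheritance edges and the class and method names are assumptions.

```java
import java.util.*;

public class RbacMenuPruning {
    // Role -> roles it inherits from (edges are assumed for this example).
    static final Map<String, List<String>> INHERITS = new HashMap<>();
    // Role -> menu functions granted directly to it (Advanced Approach slides).
    static final Map<String, List<String>> GRANTS = new HashMap<>();
    // The "Human Resources" responsibility is only a menu; it grants nothing itself.
    static final List<String> HR_MENU = Arrays.asList(
        "Hiring / Firing", "Transfers", "Promotions", "Compensation",
        "Personal Info", "Job Posts", "Pay Slip");

    static {
        GRANTS.put("Employee", Arrays.asList("Personal Info", "Job Posts", "Pay Slip"));
        GRANTS.put("Manager", Arrays.asList(
            "Hiring / Firing", "Transfers", "Promotions", "Compensation"));
        INHERITS.put("Manager", Arrays.asList("Employee"));
        INHERITS.put("Sales Rep", Arrays.asList("Employee"));
        INHERITS.put("Sales Manager", Arrays.asList("Manager", "Sales Rep"));
    }

    /** Transitive closure of the assigned roles; the visited set also stops cycles. */
    static Set<String> effectiveRoles(Collection<String> assigned) {
        Set<String> seen = new LinkedHashSet<>();
        Deque<String> todo = new ArrayDeque<>(assigned);
        while (!todo.isEmpty()) {
            String role = todo.pop();
            if (seen.add(role)) {
                todo.addAll(INHERITS.getOrDefault(role, Collections.emptyList()));
            }
        }
        return seen;
    }

    /** Default deny (grant = false): an item is kept only if an effective role grants it. */
    static List<String> prunedMenu(List<String> menu, Collection<String> assigned) {
        Set<String> granted = new HashSet<>();
        for (String role : effectiveRoles(assigned)) {
            granted.addAll(GRANTS.getOrDefault(role, Collections.emptyList()));
        }
        List<String> visible = new ArrayList<>();
        for (String item : menu) {
            if (granted.contains(item)) {
                visible.add(item);
            }
        }
        return visible;
    }

    public static void main(String[] args) {
        System.out.println("Employee      -> " + prunedMenu(HR_MENU, Arrays.asList("Employee")));
        System.out.println("Sales Manager -> " + prunedMenu(HR_MENU, Arrays.asList("Sales Manager")));
        System.out.println("No roles      -> " + prunedMenu(HR_MENU, Collections.<String>emptyList()));
    }
}
```

A single grant to the Manager role changes the menu of every user who holds it directly or through inheritance, which is the "mass updates via single operation" benefit the deck lists.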
RBAC Benefits
• Reduces / Simplifies Administration
  • Mass updates via single operation
• Coexists with existing Security Setups
• Basic Approach: Try it now!
  • Consolidate your existing Responsibilities into Roles
• Advanced Approach
  • Reduces # Responsibilities and Menus
New Requirements
Standardized External Authentication and Authorization Service
JAAS
Java Authentication and Authorization Service
JAAS
What is JAAS?
• The JAAS specification offers the necessary methods for authentication and authorization for J2EE and core Java applications.
• It abstracts the underlying mechanism of control.
• Authentication
  • User login
• Authorization
  • Access Control
JAAS implementation for EBS
New Solution
• E-Biz light-weight LoginModule, compliant with JAAS specifications, works with JDK or J2EE environments.
• Implement JAAS Authentication using AOL security System
• Implement JAAS Authorization using UMX roles.
JAAS for EBS
Deployment Diagram
[Diagram labels: Client; Ext J2EE Application Server (Web Listener, E-Business LoginModule, ADF, Web-Services, EJB); Mid-Tier (Web Listener, OC4J, JSP, Forms, Reports, BC4J, UIX); DB Tier; 9i or 10g; 10gR2.]
Flow shown in the diagram:
1. Access
2. Delegate
3. Request Credentials
4. Send Credentials
5. Verify Credentials
6. Add Roles
7. Allow if User in Role
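The seven-step flow from the deployment diagram, as a self-contained JAAS program; this is an added example, not Oracle's E-Business LoginModule. The class names, the user ANDY, the secret and the role names are constructed, and the in-memory credential check stands in for verification against EBS.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class JaasFlowDemo {
    /** Role principal attached to the Subject after a successful login (step 6). */
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** Hypothetical stand-in for the E-Business LoginModule; user, secret and role are constructed. */
    public static final class DemoLoginModule implements LoginModule {
        private final RolePrincipal role = new RolePrincipal("ORDER_MGMT_ADF_ROLE");
        private Subject subject; private CallbackHandler handler; private boolean verified;
        @Override public void initialize(Subject s, CallbackHandler h,
                Map<String, ?> sharedState, Map<String, ?> options) { subject = s; handler = h; }
        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });           // steps 3 and 4
            } catch (java.io.IOException | UnsupportedCallbackException e) {
                throw new LoginException("cannot obtain credentials");
            }
            char[] pw = pc.getPassword();
            pc.clearPassword();
            verified = pw != null && "ANDY".equals(nc.getName())     // step 5, stand-in check
                    && Arrays.equals(pw, "constructed-secret".toCharArray());
            if (pw != null) Arrays.fill(pw, '\0');
            if (!verified) throw new FailedLoginException("invalid credentials");
            return true;
        }
        @Override public boolean commit() {                          // step 6
            if (verified) subject.getPrincipals().add(role);
            return verified;
        }
        @Override public boolean abort() { verified = false; return true; }
        @Override public boolean logout() { subject.getPrincipals().remove(role); return true; }
    }

    static final Configuration CFG = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String app) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(
                DemoLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>()) };
        }
    };

    /** Step 7: allow only if login succeeds and the Subject carries the required role. */
    static boolean allowed(String user, char[] password, String requiredRole) {
        CallbackHandler creds = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
            }
        };
        try {
            LoginContext lc = new LoginContext("ebs-demo", new Subject(), creds, CFG); // step 2
            lc.login();
            return lc.getSubject().getPrincipals(RolePrincipal.class).stream()
                    .anyMatch(p -> p.getName().equals(requiredRole));
        } catch (LoginException e) {
            return false;                                            // fail closed
        }
    }
    public static void main(String[] args) {
        char[] good = "constructed-secret".toCharArray();
        System.out.println(allowed("ANDY", good, "ORDER_MGMT_ADF_ROLE"));
        System.out.println(allowed("ANDY", "wrong".toCharArray(), "ORDER_MGMT_ADF_ROLE"));
        System.out.println(allowed("ANDY", good, "HR_MANAGER_ROLE"));
    }
}
```

The application code only calls `allowed`; which module verifies the credentials is decided by the `Configuration`, which is what lets the login module be swapped at deployment time.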
Key Benefits
• Utilize standard Java development technologies
• Security using Java Standards
  • Data Source
  • Java Authentication and Authorization Services
• Runs on any J2EE compliant Servers
• Standards based development and deployment model
• Upgrade the development technology without getting tied to EBS technology stack
Availability
• Today
• Works for both 11i and R12 versions
Demonstration
Order Management Extension
• Extension has been developed in ADF for the Order Management Application Module shipped by standard EBS.
• Sample ADF application from OTN (Order management)
• Module is registered as Order Management ADF Responsibility
• ADF runs on a separate application Server 10g
• Role has been created for the ADF responsibility
• User has been granted this new ADF Role
Order Management Demo
Related Sessions: ATG
Thursday, September 25, 2008
09.00 Centralize your Oracle E-Business Suite Search Powered by Oracle Secure Enterprise Search
  Rajesh Ghosh and Veshaal Singh, Oracle
  Moscone West 2007
10.30 Customer Case Study: Forsythe Technologies Inc
  Oracle E-Business Suite SOA Implementation
  Samuel Tong, Forsythe Technologies Inc and Neeraj Chauhan, Oracle
  Moscone West 2007
12.00 Managing Oracle E-Business Suite Customizations and Patches, using Oracle Enterprise Manager
  Uma Prabhala, Oracle
  Moscone West 2005
13.30 Opening Up Oracle Application Framework Applications through Web Services and Portlets
  Ramkumar Sekar, Oracle
  Moscone West 2005
13.30 Understanding the Oracle Diagnostics Security Model and Support for Custom Responsibility
  Angelo Rosado, Oracle
  Moscone West 2007
Demogrounds
• Oracle Applications Management Pack for Oracle E-Business Suite
• Oracle iSetup and Oracle Diagnostics Framework
• Oracle E-Business Suite Cloning Techniques
• Native Service Enablement of Oracle E-Business Suite
• Integration Repository and E-Business Suite Adapter
• Oracle SOA Suite for Oracle E-Business Suite
• The Next-Generation Semantic Search Experience
• Design and Develop New Searchable Objects, Using the Search Modeler
• Powered by Oracle Enterprise Search
• Extract Portlets from Oracle OAF Applications
• Generate, Test, Deploy, and Integrate Web Services
• Desktop Integrators Using Oracle Web Applications Desktop Integrator
Oracle Secure Enterprise Search
Pod K26
E-Business Suite Lifecycle Management
Web Services / Portlets in Oracle OAF
Pod K25
SOA Enablement of E-Business Suite
Pod K24
Pod K30
For More Information
http://search.oracle.com
Applications technology
or
http://www.oracle.com/
Conclusion
• The new solution is a lightweight JAAS login module implementation, independent of the APPS schema password and the large AOL/J libraries.
• The new solution makes application code independent of Authentication & Authorization code.
• The solution works in any J2EE compliant application server and is configurable at deployment time.