partner webcast – oracle adf security & best practices - 28 august 2012


Upload: oracleimc-isv-migration-center

Post on 25-Jan-2015


DESCRIPTION

In this webcast we discuss how to protect your Oracle ADF applications from unauthorized access. Using Oracle ADF Security and Oracle Platform Security Services, developers are able to focus more on what resources need to be protected than on how to implement the security. Find out more and watch the recording of this webcast at https://blogs.oracle.com/imc/entry/partner_webcast_oracle_adf_security

TRANSCRIPT

Page 1: Partner Webcast – Oracle ADF Security & Best Practices - 28 August 2012

1 Copyright © 2011, Oracle and/or its affiliates. All rights

reserved.


Page 2

ORACLE ADF SECURITY & BEST PRACTICES

Gokhan Gungor

Oracle ISV Migration Center FMW Consultant

[email protected]

Page 3

ISV Migration Center Team

• Who we are: The ISV Migration Center Team is a team of senior technical consultants based in Eastern and Central Europe and represents Oracle's technical investment for partners.

• Mission statement: Enable partners to rapidly and successfully adopt and implement Oracle's latest technology.

• What we offer: Whether you are selling Oracle technology, building business solutions, including hosted Internet solutions, or providing system integration and implementation services for Oracle technology, the IMC Team can help you succeed.

• How we can assist: We offer a wide range of free services for partners such as one2one assistance, webinars, seminars and hands-on workshops.

ISV Migration Center blog: http://blogs.oracle.com/imc

Page 4

Program Agenda

• Security Risks, Patterns and Best Practices

• Oracle Platform Security Services and ADF Security

• Designing Security into ADF applications

• Deploying and Configuring security enabled ADF applications on WebLogic Server

Page 5

Application security encompasses measures taken throughout the application's life-cycle to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrade, or maintenance of the application.

Wikipedia

http://en.wikipedia.org/wiki/Security

Page 6

OWASP Top 10 Application Security Risks

1. Injection

2. Cross-Site Scripting (XSS)

3. Broken Authentication and Session Management

4. Insecure Direct Object References

5. Cross-Site Request Forgery (CSRF)

Page 7

OWASP Top 10 Application Security Risks

6. Security Misconfiguration

7. Insecure Cryptographic Storage

8. Failure to Restrict URL access

9. Insufficient Transport Layer Protection

10. Unvalidated Redirects and Forwards

Page 8

Security Design Patterns

• Single Access Point

– A security model is difficult to validate when it has multiple “front doors,” “back doors,” and “side doors” for entering the application.

– Set up only one way to get into the system, and if necessary, create a mechanism for deciding which sub-applications to launch.

• Check Point

– An application needs to be secured from break-in attempts, and appropriate actions should be taken when such attempts occur.

– Create an object that encapsulates the algorithm for the enterprise's security policy.

Page 9

Security Design Patterns

• Role-Based Access Control

– Users have different security profiles, and some profiles are similar. If the user base is large enough or the security profiles are complex enough, then managing user-privilege relationships can become difficult.

– Create one or more role objects that define the permissions and access rights that groups of users have.

• Session

– Many objects need access to shared values, but the values are not unique throughout the system.

– Create a Session object, which holds all of the variables that need to be shared by many objects.

Page 10

Security Design Patterns

• Full View With Errors

– Users should not be allowed to perform illegal operations.

– Design the application so users see everything that they might have access to.

• Limited View

– Only let the users see what they have access to.

• Secure Access Layer

– Application security will be insecure if it is not properly integrated with the security of the external systems it uses.

Page 11

Program Agenda

• Security Risks, Patterns and Best Practices

• Oracle Platform Security Services and ADF Security

• Designing Security into ADF applications

• Deploying and Configuring security enabled ADF applications on WebLogic Server

Page 12

What is OPSS

• An acronym for Oracle Platform Security Services

• The Oracle security platform for developers

• Derived out of JAZN, JPS and CSS

• Portable security services abstraction layer designed to save development time and effort by providing a consistent security experience across different platforms and environments

• Provides basic security services such as authentication, authorization, auditing, role management, and credential management.

Page 13

Oracle Products using OPSS

Columns: Product Name / What It Does / How It Uses OPSS

Oracle ADF / WebCenter
  What it does: ADF is the framework used to develop WebCenter applications (portlets, etc.)
  How it uses OPSS: Uses CSS for authentication and JPS for authorization (JAAS). Leverages application role, anonymous and authenticated role, policy store abstraction, policy management, credential store framework

Oracle Web Services Manager (OWSM)
  What it does: Provides SOA and web services security
  How it uses OPSS: Leverages JPS for authorization, key store services, and audit

Oracle SOA Suite
  What it does: Provides applications designed to deploy SOA environments (BPEL, ESB, etc.)
  How it uses OPSS: Uses CSS for authentication and JPS for authorization and audit

Oracle Service Bus (OSB)
  What it does: Connects, mediates, and manages SOA composites interaction
  How it uses OPSS: Uses CSS for authentication, identity assertion, authorization, role mapping, credentials mapping, cert. lookup, audit, SSO, SSPI framework for third-party integration

Oracle Entitlements Service (OES)
  What it does: Provides externalized fine-grained authorization
  How it uses OPSS: Uses CSS for authentication, identity assertion, authorization, role mapping, credentials mapping, cert. lookup, audit

WebLogic Server (WLS) Container
  What it does: Java EE server / container
  How it uses OPSS: Uses CSS for authentication, identity assertion, authorization, role mapping, credentials mapping, cert. lookup, audit, SSO, SSPI framework for third-party integration

Page 14

OPSS Architecture

• Authentication

• Authorization

• Auditing

• Role management

• Credential management

Page 15

OPSS architecture for WLS

[Diagram: OPSS architecture for WebLogic Server, design time and runtime]

Oracle JDeveloper - Designtime: web.xml, adf-config.xml, jazn-data.xml, weblogic.xml (deployed to the server)

Oracle WebLogic Server (OPSS) - Runtime: Users, Enterprise Roles, Application Roles; system-jazn-data.xml holds the Grants, each Grant being a Permission with a Target, a Permission class and Actions

Identity Store: OID, OVD, LDAP, Active Directory, RDBMS (Enterprise Users, Enterprise Groups)

Credential Store

LoginModule and Authentication servlet: Users, Groups, Roles, Permissions

Page 16

ADF Security

• Provides declarative protection for ADF applications

• Designed to simplify security in ADF applications

• Enforces JEE authentication

– Delegated to WebLogic Server Authentication Providers

– Easy to configure via the "ADF Security Wizard"

• ADF bindings protected by JAAS based Authorization

– Leverages EL to protect UI components

• Provides support for XML & LDAP providers

• Integrated with JDeveloper design time and WLS

Page 17

ADF Security

• Task Flow Security

– ADF Security protects task flows based on JAAS permissions, independently of the availability of ADF bindings.

– Bounded task flows are secured by default.

• ADF Page Security

– Page definitions are secured by default.

– Page-level security is not checked within bounded task flows.

– Use nested task flows to add extra security to a page.
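As an added example (not from the deck), the policy-store section of a jazn-data.xml that grants one application role the right to view a bounded task flow and a top-level page definition, which is the shape of the Grant / Permission / Target / Actions model the deck describes. The application name HRApp, the role names and the task flow and page definition names are made up for illustration, and the identity-store (jazn-realm) section is omitted.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<jazn-data xmlns="http://xmlns.oracle.com/oracleas/schema/11/jazn-data-11_1.xsd">
  <!-- jazn-realm (XML identity store for Integrated WebLogic Server) omitted here -->
  <policy-store>
    <applications>
      <application>
        <name>HRApp</name>
        <app-roles>
          <app-role>
            <name>hr-editor</name>
            <class>oracle.security.jps.service.policystore.ApplicationRole</class>
            <members>
              <member>
                <class>weblogic.security.principal.WLSGroupImpl</class>
                <name>hr-staff</name>   <!-- enterprise group mapped to the app role -->
              </member>
            </members>
          </app-role>
        </app-roles>
        <jazn-policy>
          <grant>
            <grantee>
              <principals>
                <principal>
                  <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                  <name>hr-editor</name>
                </principal>
              </principals>
            </grantee>
            <permissions>
              <!-- bounded task flow: secured by default, so it needs an explicit grant -->
              <permission>
                <class>oracle.adf.controller.security.TaskFlowPermission</class>
                <name>/WEB-INF/edit-employee-task-flow.xml#edit-employee-task-flow</name>
                <actions>view</actions>
              </permission>
              <!-- page definition of a top-level page (not re-checked inside a bounded task flow) -->
              <permission>
                <class>oracle.adf.share.security.authorization.RegionPermission</class>
                <name>view.pageDefs.mainPageDef</name>
                <actions>view</actions>
              </permission>
            </permissions>
          </grant>
        </jazn-policy>
      </application>
    </applications>
  </policy-store>
</jazn-data>
```

A task flow or page definition with no grant is denied to every user, so a public landing page needs its own grant to the anonymous-role rather than being left ungranted.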

Page 18

ADF Security

• ADF BC Entity Object Security

– Declarative Authorization

– Entities

– Entity Attributes

Page 19

Program Agenda

• Security Risks, Patterns and Best Practices

• Oracle Platform Security Services and ADF Security

• Designing Security into ADF applications

• Deploying and Configuring security enabled ADF applications on WebLogic Server

Page 20

ADF & OPSS Integration: New Policy Editor

Page 21

ADF Security Policy Configuration

Enable/Disable Security

Create Policy Roles

Define custom permissions

Group resource grants

Define EAR settings

Model IDM

- Users

- Groups

Page 22

ADF & OPSS Integration: What Happens When You Enable ADF Security

• web.xml

– Defines the Oracle JpsFilter filter to set up the OPSS policy provider.

– Adds the ADF authentication servlet to trigger Java EE authentication.

– Defines the required security roles.

• adf-config.xml

– Defines the JAAS security context.

– Enables the use of ADF Security policies for permission checking.

– Enables the use of the ADF authentication servlet.

Page 23

ADF & OPSS Integration: What Happens When You Enable ADF Security

• jps-config.xml

– Defines the Oracle Platform Security Services context.

• weblogic.xml

– Maps the valid-users security role to the Oracle Platform Security Services principal users.

• jazn-data.xml

– Sets the default jazn.com realm name for the XML identity store that you configure for use with Integrated WebLogic Server.

Page 24

Demonstration

Deploying and Configuring security enabled ADF applications on WebLogic Server

Page 25

Questions

©2011 Oracle Corporation

Gokhan Gungor

Oracle ISV Migration Center FMW Consultant

[email protected]

ISV Migration Center blog: http://blogs.oracle.com/imc
