
The Latest Technology Stack News Directly from EBS Development

AppsDataSource and Java Authentication and Authorization Service for Oracle E-Business Suite

Steven Chan
Senior Director
[Diagram: simplified architecture showing client, app tier, and database tier]

[March 1, 2010: Patch 8571001 also includes extended error logging routines for use with external Java EE programs. Patch 8571001 hasn't changed, but Note 974949.1 has just been updated to include documentation for error logging, as well as some improvements based on feedback I've been getting. Keep that feedback coming!]

Guest Author: Sara Woodhull

Oracle Application Object Library recently added new standard Java datasource and Java Authentication and Authorization Service (JAAS) features to Oracle E-Business Suite in Patch 8571001. These features are meant for use with Java EE programs deployed in application servers on external nodes; that is, nodes other than those where the Oracle E-Business Suite middle tier is installed. These are lightweight implementations that can be used on an external application server without installing an entire Oracle E-Business Suite instance on the application server machine.

These features can be used with either Release 11i or Release 12.  For details, see:

AppsDataSource

The AppsDataSource standard data source enables access to the Oracle E-Business Suite APPS database schema from external Java EE environments without sharing the APPS schema password. Since the APPS database password is typically changed frequently, using these data sources insulates such programs from having to change their authentication information. Using these data sources also helps prevent wide exposure of the APPS password.

Using these standard data sources lets you control access to Oracle E-Business Suite data at the APPS schema level. For example, you can use AppsDataSource with BPEL processes and Oracle Service Bus services in Oracle Fusion Middleware. Within Oracle E-Business Suite, the AppsDataSource is used to control APPS database access as part of the integration of Oracle E-Business Suite with Oracle Access Manager using Oracle E-Business Suite AccessGate.

When using the AppsDataSource feature, access to the APPS database is controlled using a dedicated Oracle E-Business Suite user name and password ("applications user", also known as an "FND user") instead of the APPS password. This allows centralized maintenance of the APPS password and provides additional controls on who can access the APPS account.

Java Authentication and Authorization Service (JAAS)

Oracle E-Business Suite contains a repository of application users (FND users) and their associated roles (authorization for access to certain functional areas of the product). If you are developing a custom or third-party Java EE application to integrate with Oracle E-Business Suite, and you want to use that existing repository of users and roles for authentication and authorization for your Java EE application, you can use the Oracle E-Business Suite implementation of Java Authentication and Authorization Service (JAAS). This feature is intended to secure an HTTP resource or piece of application functionality at the Oracle E-Business Suite user level.

Authenticating a Java application via JAAS

For example, suppose you want to build a Java EE application using Oracle Fusion Middleware to integrate with Oracle E-Business Suite data. You would use both AppsDataSource and JAAS so you can secure who has access to your application functionality based on usernames and roles already in Oracle E-Business Suite.

The following diagram shows the relationship between the AppsDataSource and JAAS features and how users and roles are used in the JAAS and AppsDataSource setups:

[Diagram: relationship between the AppsDataSource and JAAS features and how users and roles are used in their setups]

  • There are two different users, A (with Specialist role) and B (with Manager role), accessing a protected custom application (through a URL) on an external application server.
  • The custom application has a web.xml file that allows access for the Manager role as part of the JAAS setup.
  • User A does not have the Manager role, so is not allowed access to the custom application.
  • The external application server has an AppsDataSource set up to allow access to the Oracle E-Business Suite database using a dedicated AppsDataSource user to which the special UMX|APPS_SCHEMA_CONNECT role is assigned.
  • A repository of users and roles resides inside the Oracle E-Business Suite database.
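
The JAAS side of the scenario in the list above, written as a standard Java EE web.xml. This is an added example, not taken from Patch 8571001 or Note 974949.1; the URL pattern, realm name and JNDI name are placeholders, and the role name Manager is simply the label used in the diagram (the container-side login module setup and the actual Oracle E-Business Suite role codes are covered in the Note and are not shown here).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added illustration: a plain Java EE deployment descriptor, not Oracle's shipped sample. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- Everything under /protected/ (placeholder path) requires the Manager role. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected custom application</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
      <!-- Deliberately no http-method elements: the constraint then covers
           every HTTP method. Listing only GET and POST would leave the
           remaining methods unconstrained. -->
    </web-resource-collection>
    <auth-constraint>
      <!-- Role label from the diagram; user B has it, user A (Specialist) does not. -->
      <role-name>Manager</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- BASIC credentials are only base64-encoded, so require TLS. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- The container challenges for credentials and hands them to whatever
       JAAS login module is configured for the application (setup not shown). -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>ebs-users</realm-name> <!-- placeholder realm name -->
  </login-config>

  <!-- Every role referenced in an auth-constraint must be declared. -->
  <security-role>
    <role-name>Manager</role-name>
  </security-role>

  <!-- Container-managed reference to the AppsDataSource. The application never
       sees the APPS password; the data source connects as the dedicated FND user. -->
  <resource-ref>
    <res-ref-name>jdbc/ebsAppsDS</res-ref-name> <!-- placeholder JNDI name -->
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
  </resource-ref>
</web-app>
```

With this descriptor, user A can authenticate but lacks the Manager role, so the container answers 403 for anything under /protected/; a request that carries no credentials gets the login challenge first.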

Knowledge Document Topics

Knowledge Document 974949.1, "AppsDataSource, Java Authentication and Authorization Service, and Utilities for Oracle E-Business Suite", includes the following topics:

  • Applying Patch 8571001
  • Using Oracle E-Business Suite Data Sources
    • Configuring AppsDataSource on an OC4J Instance and on an Oracle WebLogic Server (WLS) Instance
    • Using AppsDataSource Directly from Java Programs
  • Oracle E-Business Suite Implementation of Java Authentication and Authorization Service (JAAS)
    • JAAS configuration for OC4J and Oracle WebLogic Server
    • Global Access for All Authenticated Oracle E-Business Suite Users
  • Utilities

Lightweight Tools for Java EE Applications

The lightweight implementations of AppsDataSource and JAAS are useful tools for easier integration of custom Java EE applications with Oracle E-Business Suite.

We'll be adding more information to the document about additional Oracle Application Object Library Java features in the coming several months, so check Knowledge Document 974949.1 every so often. Happy coding!


Comments ( 46 )
  • Jay Weinshenker Thursday, January 14, 2010

    So I've read this article and also the note referenced (974949.1) and both say that the functionality provided by patch 8571001 is good for R11 and R12... yet when you go to download the patch, it appears to be only for R12.

    Pls advise?


  • Mike Shaw Thursday, January 14, 2010

    Hello Jay,

    Apologies for the confusion. Patch 8571001 for R12 should be used for both 11i and R12 customers. The patch is manually extracted, so you don't need to worry about the Release version in this case.

    regards

    Mike Shaw


  • Sara Woodhull Thursday, January 14, 2010

    Yes, it really is for both 11i and 12.

    Thanks,

    Sara


  • Aadil Sukry Friday, January 15, 2010

    This is a little bit interesting, in that I am doing the basics of these now... Well, through this article I got a good understanding... Thank you.


  • Steve Wednesday, October 13, 2010

    In the example given above for JAAS, how does the webapp know user A's role? What is the implied mechanism for checking - a query against the role stored against that user in EBiz either directly via callout, but what is the mechanism? Is it through OID query (Group membership check), through webservice call to an API in eBiz? Is this detail left deliberately vague to leave implementation-specific options open?


  • Subba Tuesday, October 26, 2010

    We have a custom ADF application developed. We want to utilize existing R12 security for the ADF application.

    Looks like the above AppsDataSource will give us an out-of-box solution. I am looking for setup instructions to apply role-based security for ADF artifacts like pages/task-flows etc. Can someone point me to some links which talk about how exactly we use the R12 users/roles to secure ADF artifacts (pages/task-flows etc.)?

    Thanks for help!!


  • Sara Woodhull Thursday, October 28, 2010

    Hi Subba,

    AppsDataSource is meant only to take care of the underlying database connection to the APPS database schema--it merely uses a dedicated FND User as a substitute for needing to propagate the APPS password. AppsDataSource does not handle authentication and authorization for individual application users--that's the JAAS feature.

    The JAAS feature as described above is meant for use with plain Java EE applications, and ADF already has its own JAAS-compliant security setup. The Oracle E-Business Suite SDK for Java JAAS feature is based more on providing constraints for directory paths and URLs, while the ADF implementation is based around task flows.


  • Subba Monday, November 15, 2010

    Hi Sara,

    Thanks for your detailed reply. It is very clear now.

    Is there any way that we can utilize the existing R12 fnd global security in ADF?

    Our concern is, we invoke an external ADF application from existing R12 and want to utilize existing security rather than investing in re-designing security for custom ADF.

    I understand from several links on the web that we must use the in-built JAAS feature (using jazn-data.xml) to secure ADF artifacts like page/task-flows etc.

    Now is there any integration point for ADF custom and existing R12 apps, in terms of using R12 security in ADF?

    Is it possible to map the enterprise roles in jazn-data.xml to R12 application roles?

    Please suggest if you have any documentation in this regard. If not, is there any other place I can reach out to get the ADF and R12 integration resources?

    Thanks for your help!!


  • Siva Wednesday, February 9, 2011

    Good information.

    I followed the article and have successfully setup AppsDataSource and JAAS for EBS in Weblogic Server. My problem is that the Weblogic server is not asking for any authentication page when I access the application. I was able to run the application HelloWorld.jar that came with the patch.

    /HelloWorld/DataSourceServlet page gives the result, but it's not asking for the authentication before it displays the results.

    Any help will be appreciated.

    Thanks,

    Siva


  • Steven Chan Thursday, February 10, 2011

    Siva,

    I'm sorry to hear that you've encountered an issue with this.

    We can provide general conceptual guidance here, but I'm afraid that this blog isn't the best place to get technical support for specific issues like the one that you're working through.

    Your best bet would be to log a formal Service Request via My Oracle Support (formerly Metalink) to get one of our specialists engaged.

    Please feel free to forward your Service Request number to me if it gets stuck in the support process for some reason.

    Regards,

    Steven


  • guest Thursday, January 5, 2012

    Hi

    We have the same requirement that Subba had.

    We have a custom ADF application developed. We want to utilize existing R12 security for the ADF application.

    Looks like the above AppsDataSource will give us an out-of-box solution. I am looking for setup instructions to apply role-based security for ADF artifacts like pages/task-flows etc. Can someone point me to some links which talk about how exactly we use the R12 users/roles to secure ADF artifacts (pages/task-flows etc.)?

    How can we use E-Business Suite security in ADF?

    How can we pass user role and other security info when we are calling an ADF page from OAF?

    Please suggest.

    Appreciate your help.


  • Sara Woodhull Thursday, January 5, 2012

    Hi,

    We are currently working on documentation around how to use EBS R12 security with ADF, but we aren't done yet. Please check back on the blog periodically. We will definitely post an announcement article when we have any new materials on the topic!

    Thanks,

    Sara


  • guest Tuesday, January 24, 2012

    Hi Sara,

    I am just also looking to register my interest in the EBS R12 / ADF security.

    I've just seen the web cast replay around extending EBS, and have also found a lot of the resources currently mentioned. But I guess as you are aware, there doesn't seem to be anything specific around accessing ebusiness roles.

    Awaiting this paper!!!!! Do you have any updates on when this paper will be released.

    Thanks again,

    Simon


  • Ara Wednesday, January 25, 2012

    We just recently downloaded and tested the EBS SDK for Java. The AppsDataSource works very well. However, we found a number of issues with the JAAS Plugin. The most critical is the fact that the query it uses to pick up a user's roles appears to: 1) filter out FND responsibilities, and 2) pick up end-dated roles. Note that I have opened an SR on this and a pre-defect has been opened.

    Beyond that, the JAAS Plugin is delivered as an Oracle Platform Security Services (OPSS) authenticator, but there is no integration with the Weblogic identity store. That means that, while you can use the JAAS APIs to verify a user's password and ask if the user is in a given role (with the caveats mentioned above), you cannot use Enterprise Manager to map EBS roles to application roles. I'm also not sure to what extent it allows a developer to set up security for an ADF application based on EBS permissions.

    In conclusion, while we very much like the idea of the JAAS Plugin and we see a lot of potential, it does not appear to be very usable at the moment. If I am wrong, please let me know (and I do hope that I'm wrong :-)


  • Sara Woodhull Thursday, January 26, 2012

    Hi Simon,

    Believe me, I'm just as eager as you are to see this EBS R12/ ADF security information out! We're making progress, but we're still working on it...

    Thanks,

    Sara


  • Sara Woodhull Thursday, January 26, 2012

    Hi Ara,

    I'm glad to hear that you find the AppsDataSource helpful!

    Regarding the JAAS issue, please feel free to forward your Service Request number to me so I can follow up on it.

    Thanks,

    Sara


  • Ara Tuesday, January 31, 2012

    Sorry, Sara, your e-mail info is not published. SR # 3-5146090851, "Bug in EBS SDK for Java". Doesn't really seem to be moving...


  • Sara Woodhull Friday, February 3, 2012

    Hi Ara,

    Thanks for the SR details. We're reviewing it now.

    Thanks,

    Sara

    SaraDOTwoodhullAToracleDOTcom


  • jc Wednesday, February 8, 2012

    Hi,

    I'm looking for a way to create/modify/remove user accounts (login/password) and application profiles in Oracle EBS 11 from a third-party application.

    Does the AppsDataSource and Java Authentication and Authorization Service for Oracle E-Business Suite give the possibility to do that?

    Best Regards,


  • Steven Chan Thursday, February 9, 2012

    Hi, JC,

    No, we don't offer any APIs to create/modify/remove user accounts via external applications.

    You can integrate your E-Business Suite environment with Oracle Internet Directory, which, in turn, can be integrated with a third-party LDAP directory. Any changes made in the third-party LDAP will provision user updates to the E-Business Suite.

    For more details, see:

    In-Depth: Using Third-Party Identity Managers with the E-Business Suite Release 11i

    http://blogs.oracle.com/stevenChan/entry/indepth_using_thirdparty_ident

    Regards,

    Steven


  • Sara Woodhull Monday, February 20, 2012

    Hi Ara,

    Regarding end-dated roles appearing: when you end-date a role, there is a Workflow process that updates any users who have the role assigned to end-date the assignment. If the Workflow Deferred Agent Listener isn’t running, or the end-dating hasn’t worked its way through the process yet, you could see end-dated roles from the JAAS setup. That’s what happened in our development environment where I replicated your results, and we think that’s what happened in your case.

    Regarding the question about why you can use UMX roles but not FND responsibilities with the JAAS feature: UMX roles follow RBAC requirements such as role hierarchy and can be used to implement standard Auth* models. Responsibilities are not RBAC compliant; they have a flat structure (one level) and cannot be combined into role hierarchies. That’s why responsibilities are not included for use with the JAAS feature.

    Thanks,

    Sara


  • Bruce Beck Friday, March 9, 2012

    If one has issues with this, what product group handles this? For example I had an Apps Data Source configured and working. I deleted the domain and recreated two, one accessing the same instance, the other accessing a new instance. The new instance works, and the redefined one doesn't.

    I don't expect this kind of problem to be answered here, but is this an EBS patch? What group should I report this to?


  • Sara Woodhull Friday, March 9, 2012

    Hi Bruce,

    Problems with the Oracle E-Business Suite SDK for Java (including the AppsDataSource) should go to the Oracle E-Business Suite, ATG support.

    Thanks,

    Sara


  • guest Monday, July 2, 2012

    Hi,

    1) Is the document/whitepaper on how to implement R12 security with ADF application available?

    2) Also, can Appsdatasource be used to make calls to Oracle e-business suite PLSQL APIs ?

    3) For building an ADF application that needs to make calls to Oracle e-business suite APIs, is it required to have SOA suite installed as well?

    Regards,

    alister


  • Sara Woodhull Monday, July 2, 2012

    Hi Alister,

    For security specifically with ADF, there are two choices: JAAS or through Oracle E-Business Suite session management. In the latest version of the documentation (now a PDF attachment to the MOS note 974949.1), the JAAS-with-ADF case is already fully documented. It’s a little different than the plain-Java-application case. Session management is available, and it’s documented for the plain-Java-application case, but the session management-with-ADF case is still an “exercise for the reader” for now.

    Regarding calling PL/SQL APIs and whether you need SOA Suite to call Oracle E-Business Suite PL/SQL APIs through the AppsDataSource: yes, you can call PL/SQL APIs through AppsDataSource, and no, you shouldn’t need the SOA Suite for that. You would just call the PL/SQL the same way you would normally call it from ADF.

    Thanks,

    Sara


  • Sara Woodhull Monday, July 9, 2012

    Hi everyone,

    In case you are following comments here but not the main blog, we've just released a new version of the Oracle E-Business Suite SDK for Java, and you can read the announcement here: https://blogs.oracle.com/stevenChan/entry/new_version_of_e_business

    Thanks,

    Sara


  • Steve Wardell Friday, February 7, 2014

    I set up a prototype application on OAS using steps on https://blogs.oracle.com/ebusinesssuiteintegration/entry/jaas_for_ebusiness_suite. Initially, my EBS instance used its own authentication. When I go to my protected application, I receive a login prompt. I enter my EBS credentials and am authenticated to my test application. So far so good. Next, I enabled SSO on my EBS instance. When I go to the EBS instance, I am redirected so that I am logged in without having to enter credentials. However when I go to my test application, I still receive the login prompt and not SSO. What am I missing?

    Thanks,

    Steve


  • Sara Woodhull Friday, February 7, 2014

    Hi Steve,

    There are a LOT of moving parts in what you describe, and I'm afraid that this blog isn't the best place to get technical support for specific issues like the one that you're working through.

    Please take a look at the materials listed here: https://blogs.oracle.com/jruiz/entry/adf_and_oracle_e_business2, especially the listed forum postings. If those don't help, your best bet would be to log a formal Service Request via My Oracle Support (formerly Metalink) to get one of our specialists engaged. Problems with the Oracle E-Business Suite SDK for Java (including the AppsDataSource) should go to the Oracle E-Business Suite, ATG support.

    Thanks,

    Sara


  • guest Monday, April 21, 2014

    Hi.

    I am having an issue getting the baseline security working inside of the ADF application when I set up both web.xml and weblogic.xml, i.e. if I bring up the application once those files are set, I still get my application page, whereas I would have expected an error saying that I cannot access this page, since I am currently not associated with the role that I have established inside of the ADF security framework.

    I have followed the documentation step by step in order to set up these two files, and am trying to do this initial test to verify that security is initially working in the application overall, before connecting up to the EBS part.

    Can you let me know what I am doing incorrectly here, please?

    Thanks.


  • Steven Chan Monday, April 21, 2014

    Hi, Guest,

    I'm sorry to hear that you've encountered an issue with this.

    We can provide general conceptual guidance here, but I'm afraid that this blog isn't the best place to get technical support for specific issues like the one that you're working through.

    Your best bet would be to log a formal Service Request via My Oracle Support (formerly Metalink) to get one of our specialists engaged.

    Please feel free to forward your Service Request number to me if it gets stuck in the support process for some reason.

    Regards,

    Steven


  • guest Wednesday, December 3, 2014

    Hi, very interesting discussion in this blog, and it's helpful for me to know the history of the EBS SDK.

    I started to read about the EBS SDK and I will do this exercise.

    But I wonder, do I have to use WebLogic or can I use GlassFish?

    Regards

    Hasan


  • Sara Woodhull Wednesday, December 3, 2014

    Hi Hasan,

    Oracle WebLogic Server is what we use with the EBS SDK here at Oracle, and I strongly recommend that you use that (it's free to download and try out). You can _try_ using Glassfish, but if you have trouble with it, none of us here would be able to help you.

    We have not tested the EBS SDK with Glassfish, and there is no documentation on using Glassfish with the EBS SDK. If you needed help with it, you would have to move to Oracle WebLogic Server anyway so Oracle Support could help you.

    Thanks,

    Sara


  • guest Sunday, December 7, 2014

    Hi,

    Let's say I have a hybrid OAF page with an ADF UI component and I need to expose this hybrid page to the internet.

    We have a DMZ zone and already an EBS (12.1.3) application server there.

    So do I have to add another WebLogic server in the DMZ zone in the case of hybrid pages (OAF with ADF UI component)? Also, what are the required ports I need to open between EBS (application server, apps database) and the WebLogic server which contains my integrated ADF application?

    Thanks


  • guest Sunday, December 7, 2014

    hi,

    is it possible to use ebs sdk with adf essential?


  • Sara Woodhull Monday, December 8, 2014

    Hi Guest,

    "is it possible to use ebs sdk with adf essential?"

    Yes, it should be possible to use the EBS SDK for Java with Oracle ADF Essentials. However, ADF Essentials may not have the ADF features you need for your application, so you may need the full Oracle ADF for your purposes. Also, keep in mind that the testing and documentation of the EBS SDK for Java is based on the full Oracle ADF with Oracle WebLogic Server, so if you are working with some other combination, it may be difficult for us to help you if you run into any issues.

    Thanks,

    Sara


  • Sara Woodhull Tuesday, December 9, 2014

    Hi Guest,

    Regarding using Oracle ADF for a hybrid OA Framework page in a DMZ: It's probably a good idea to have a separate Oracle WebLogic Server in the DMZ. However, while we can provide general conceptual guidance here, I'm afraid that this blog isn't the best place to get technical support for specific issues like the one that you're working through.

    Your best bet would be to log a formal Service Request via My Oracle Support (formerly Metalink) to get one of our specialists engaged.

    Please feel free to forward your Service Request number to me if it gets stuck in the support process for some reason.

    Thanks,

    Sara


  • guest Tuesday, April 28, 2015

    Hi Steven, How are you?

    I'm i

    I'm on a client that has several integrations, most using Oracle ODI. Is it possible to set up ODI with JAAS?

    I have another question: should the ODI JDBC connection with EBS be with the custom schema or XXISV, or must a new schema be created for each integration?

    Thank you

    Regards

    Tiago


  • guest Wednesday, January 6, 2016

    Hi Steven/Sara,

    I am working on EBS-ADF integration. I have figured out all the steps to work on this but facing issues after setting up AppsdataSource. I am following the document E28169_01.PDF which comes with the EBSSDK for java. In that, they mentioned to "2.1.5.3 Deploy AppsDataSource Code on Oracle WebLogic Server" which I am not sure about. Can you please let me know what that is about and if you can share any of the sample code snippets, it would be really helpful.

    thanks.


  • Sara Woodhull Wednesday, January 6, 2016

    Hi Guest,

    Regarding having issues with AppsDataSource and "2.1.5.3 Deploy AppsDataSource Code on Oracle WebLogic Server", that document is written in a step-by-step manner that assumes you are following each step (and using Oracle WebLogic Server).

    If you are using EBS 12.2, you should be doing all of your EBS SDK for Java and ADF work in a SEPARATE managed server domain in Oracle WebLogic Server from the EBS domain (in fact, a separate machine with a separate Oracle WebLogic Server installation is preferred).

    However, while we can provide general conceptual guidance here, I'm afraid that this blog isn't the best place to get technical support for specific issues like the one that you're working through.

    Your best bet would be to log a formal Service Request via My Oracle Support (formerly Metalink) to get one of our specialists engaged.

    Please feel free to forward your Service Request number to me if it gets stuck in the support process for some reason.

    Thanks,

    Sara


  • guest Wednesday, January 6, 2016

    Thank you Sara for the quick response.

    Yes, we are using EBS 12.2.4 and a separate Oracle WebLogic Server for ADF applications to run and EBS SDK for Java. I want conceptual guidance regarding what "AppsDataSource Code" is referring to (not the exact code). We are implementing "Session Management" and not JAAS for our integration approach.

    I do have an idea that both Session Management and JAAS cannot be implemented in combination, and we wanted to use a seamless navigation b/w EBS and ADF, which made us use Session Management. I do have all other information except the "AppsDataSource Code" part.

    And also, as we are using Session Management, I did skip some of the implementations of the document which are related to JAAS and am working only on the Session Management part. Please correct me if I am on the wrong path (by avoiding the JAAS-related implementation).


  • Sara Woodhull Wednesday, January 6, 2016

    Hi Guest,

    "AppsDataSource code" simply refers to the fndext.jar file.

    Thanks,

    Sara


  • guest Wednesday, January 6, 2016

    Hi Sara,

    Thanks a lot for the information. This is what I am trying to find out.


  • Fadi Abadir Tuesday, March 1, 2016

    Hi Sara

    We need to open ADF URL from inside EBS using WLS but on same domain and same physical server. When we replaced fndext.jar this caused problem to EBS not being able to open. Is it feasible to use JAAS to share session context and to configure it on same WLS domain of EBS?


  • Sara Woodhull Thursday, March 3, 2016

    Hi Fadi,

    No, you must have two different Oracle WebLogic Server domains.

    Thanks,

    Sara


  • Fadi Abadir Thursday, March 3, 2016

    The environment which we are working on is with the following criteria:

    1. EBS Version is: 12.2.0

    2. WLS Version is: 10.3.6

    3. I am following Oracle document (Doc ID 974949.1), and documentation "Oracle® E-Business Suite Software Development Kit for Java", Part No. E28169-02.

    4. The documentation itself has conflict, in page 1-3 it indicated about EBS SDK: "These features are meant for use with Java EE programs deployed in application servers on external nodes, that is, nodes other than those where the Oracle E-Business Suite is installed."

    and in page 2-3 it indicated a note: "Note: If the Oracle E-Business Suite application server and Oracle WebLogic Server are running on the same physical machine (not recommended, but occasionally done for development purposes), then you should use the standard DBC file instead of the one created by AdminDesktop."

    5. When I create a user and assign the needed role to it, then running autoconfig everything is OK. But after building new fndext.jar (steps mentioned in section 2.1.5) on WLS then shut it down then moving new fndext.jar to WLS library directories then startup it again, WLS startup but EBS does not and gives the error page viewed below:

    Error 404 not found


  • Steven Chan Friday, March 4, 2016

    Hello, Fadi,

    I'm sorry to hear that you've encountered an issue with this.

    We can provide general conceptual guidance here, but I'm afraid that this blog isn't the best place to get technical support for specific issues like the one that you're working through.

    Your best bet would be to log a formal Service Request via My Oracle Support (formerly Metalink) to get one of our specialists engaged.

    Please feel free to forward your Service Request number to me if it gets stuck in the support process for some reason.

    Regards,

    Steven

