JAAS for e-Business Suite
By Veshaal Singh on Feb 19, 2009
This is an extension to the blog post by Steven Chan that highlighted my session on the Java Authentication and Authorization Service (JAAS) for e-Business Suite at OOW'08. Let us look at how the LoginModule performs authentication and authorization within the current architecture of EBS (e-Business Suite).
In e-Business Suite, user information is stored mainly in two places. If EBS is single sign-on (SSO) enabled, Oracle Internet Directory (OID) stores the user credentials; otherwise the FND_USER table stores them. The LoginModule carries out the authentication transparently, without the application having to know how the EBS instance is configured.
In EBS, authorization is done either on a function or on a role. In function-based authorization, each time a user accesses a function, a runtime check is made to see whether the user has been granted that function through a responsibility. If yes, access is permitted; otherwise it is denied. From release 11.5.10 onwards, EBS supports a role-based access control (RBAC) mechanism, through which a given user is granted a set of roles that allow access to a particular resource. The LoginModule's implementation of role-based authorization uses the same principle: the roles assigned to a given user are used for the authorization checks.
Time to take an example and explain in detail. So here we go.
Using & Configuring e-Business Suite JAAS LoginModule
Let us configure a simple HelloWorld servlet to use the Oracle EBS LoginModule. Assume that you want the HelloWorld servlet to be accessible only to valid EBS users who hold the EBS role 'UMX|HELLOWORLD'. You can download sample code for a HelloWorld servlet from the internet. Let's call the EBS instance 'EBS' and assume that the HelloWorld servlet is running on an external application server called 'MYSERVER'. The configuration steps are as follows:
- Apply ARU patch 7211409 on the EBS instance 'EBS'. This is the same instance against which the HelloWorld servlet authenticates and authorizes its users.
- Successful application of the patch on 'EBS' creates a signed jar file called fndext.jar in the $FND_TOP/java/jar directory. This jar file contains the JAAS LoginModule implementation.
- Download this jar file to 'MYSERVER', the application server where the HelloWorld servlet is running. Any FTP tool will do.
- Create a war file consisting of WEB-INF/lib/fndext.jar, WEB-INF/classes/helloworld/HelloWorld.class and WEB-INF/web.xml. A sample web.xml is provided below for your convenience.
- Configure the HelloWorld servlet to use the EBS LoginModule for authentication and authorization. The steps below are for OC4J in Oracle Application Server; for other application servers, refer to the server-specific documentation.
  - Open the Enterprise Manager Application Server Control page.
  - Deploy your application. One of the deployment steps is to specify the 'Security Provider'. The page asks which JAAS login module class to use and what its parameters are.
  - For the login module class, specify oracle.apps.fnd.ext.jaas.security.auth.login.AppsLoginModule. This class takes two mandatory parameters, ConnectionMode and ConnectionReference, which you have to add for this class.
  - Enter 'datasource' as the value of the ConnectionMode parameter. This directs the AppsLoginModule class to use a datasource object to connect to the EBS database.
  - The JNDI reference to that datasource goes in the ConnectionReference parameter. Configure a datasource for the EBS instance and enter its JNDI reference name as the value of ConnectionReference, for example 'jdbc/appsDs'.
- Create a role called 'UMX|HELLOWORLD' on the e-Business Suite instance, i.e. EBS, as follows:
  - Log in to the connecting E-Business Suite instance EBS as SYSADMIN. This is the instance against which you want your application to authenticate and authorize its users.
  - Navigate to User Management > Roles & Role Inheritance.
  - Click the Create Role button.
  - Create a role called UMX|HELLOWORLD.
  - Now navigate to User Management > Users.
  - Assign the role UMX|HELLOWORLD to every user who should have access to your HelloWorld servlet application.
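As an added example (this is not the sample web.xml the post refers to, nor Oracle's code), here is a web.xml of the kind the war file above needs: it maps the servlet class helloworld.HelloWorld (taken from the WEB-INF/classes path in the steps) to a URL and declares a security constraint that requires the EBS role UMX|HELLOWORLD. The url-pattern, realm name, BASIC auth method and the TLS requirement are assumptions for illustration; the servlet package and the role name come from the post.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <display-name>HelloWorld secured by the EBS JAAS LoginModule</display-name>

  <!-- The servlet class packaged under WEB-INF/classes/helloworld/ -->
  <servlet>
    <servlet-name>HelloWorld</servlet-name>
    <servlet-class>helloworld.HelloWorld</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>HelloWorld</servlet-name>
    <url-pattern>/HelloWorld</url-pattern>   <!-- assumed URL -->
  </servlet-mapping>

  <!-- Deny by default: every URL in the application requires the EBS role.
       A constraint scoped only to /HelloWorld would leave any other resource
       packaged in the war reachable without authentication. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Must match the role created in EBS User Management exactly. -->
      <role-name>UMX|HELLOWORLD</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- EBS credentials travel to this server, so require TLS (assumed). -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- The container collects the credentials; AppsLoginModule, configured as
       the application's security provider at deployment time, validates them
       against the EBS instance (OID or FND_USER, whichever is in use). -->
  <login-config>
    <auth-method>BASIC</auth-method>       <!-- assumed; FORM works too -->
    <realm-name>EBS</realm-name>           <!-- assumed realm name -->
  </login-config>

  <!-- Declare the J2EE role so the container can map it to the EBS role. -->
  <security-role>
    <role-name>UMX|HELLOWORLD</role-name>
  </security-role>
</web-app>
```

Two points worth checking after deployment: the role-name must be byte-for-byte the EBS role (the pipe character included), and if your container does not map a J2EE role to a LoginModule role of the same name automatically, add the container-specific role mapping in its deployment descriptor. A user without UMX|HELLOWORLD should authenticate successfully and then receive a 403 rather than the page, which is the quickest way to confirm that authorization, not just authentication, is being enforced.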
Ready to test!!
Try accessing your application. You will be authenticated and then allowed access if authorized, i.e., if you are granted the role UMX|HELLOWORLD.