X

The blog for hints & tips about Oracle Application Development Framework and Mobile Application Framework

  • ADFv
    February 17, 2011

How to protect UI components using OPSS Resource Permissions

Frank Nimphius
Master Principal Product Manager

ADF security protects ADF bound pages, bounded task flows
and ADF Business Components entities with framework specific JAAS permissions
classes (RegionPermission,
TaskFlowPermission and EntityPermission).

If used in combination with the ADF security expression language and security
checks performed in Java, this protection already provides you with fine
grained access control that can also be used to secure UI components like
buttons and input text field. For example, the EL shown below disables the user
profile panel tabs for unauthenticated users:

<af:panelTabbed
id="pt1" position="above">

  ...

  <af:showDetailItem

       text="User
Profile" id="sdi2"                               

       disabled="#{!securityContext.authenticated}">

  </af:showDetailItem>

  ...

</af:panelTabbed>

The next example disables a panel tab item if the
authenticated user is not granted access to the bounded task flow exposed in a
region on this tab:

<af:panelTabbed
id="pt1" position="above">

  ...

  <af:showDetailItem
text="Employees Overview" id="sdi4"
                  
    
disabled="#{!securityContext.taskflowViewable

        ['/WEB-INF/EmployeeUpdateFlow.xml#EmployeeUpdateFlow']}">

  </af:showDetailItem>

  ...

</af:panelTabbed>

Security expressions like shown above allow developers to
check the user permission, authentication and role membership status before
showing UI components. Similar, using Java, developers can use code like shown
below to verify the user authentication status:

ADFContext
adfContext = ADFContext.getCurrent();

SecurityContext securityCtx = adfContext.getSecurityContext();

boolean userAuthenticated = securityCtx.isAuthenticated();

Note that the Java code lines use the same security context
reference that is used with expression language.

But is this all that there is? No ! The goal of ADF Security is to enable all ADF developers to
build secure web application with JAAS (Java Authentication and Authorization
Service). For this, more fine grained protection can be defined using the ResourcePermission, a
generic JAAS permission class owned by the Oracle Platform Security Services
(OPSS).  Using the ResourcePermission  class, developers can grant permission to
functional parts of an application that are not protected by page or task flow
security.

For example, an application menu allows creating and
canceling product shipments to customers. However, only a specific user group -
or application role, which is the better way to use ADF Security - is allowed
to cancel a shipment.











To enforce this rule, a permission is needed that can be
used declaratively on the UI to hide a menu entry and programmatically in Java
to check the user permission before the action is performed.

Note that multiple lines of defense are what you should implement in your application development.
Don't just rely on UI protection through hidden or disabled command options.

To create menu protection permission for an ADF Security
enable application, you choose Application
| Secure | Resource Grants
from the Oracle JDeveloper menu.

The opened editor shows a visual representation of the jazn-data.xml file
that is used at design time to define security policies and user identities for
testing. An option in the Resource
Grants
section is to create a new Resource
Type
.

A list of pre-defined types exists for you to create policy
definitions for. Many of these pre-defined types use the ResourcePermission class.


To create a custom Resource
Type
, for example to protect application menu functions, you click the
green plus icon next to the Resource
Type
select list.


The Create Resource
Type
editor that opens allows you to add a name for the resource type, a
display name that is shown when granting resource permissions and a description.
The ResourcePermission
class name is already set. In the menu protection sample, you add the following
information:



Name:

MenuProtection

Display Name:

Menu Protection

Description:

Permission to grant menu item permissions


OK the dialog to
close the resource permission creation.

To create a resource policy that can be used to check user
permissions at runtime, click the green
plus
icon in the Resources
section of the Resource Grants
section.


In the Create
Resource
dialog, provide a name for the menu option you want to protect. To
protect the cancel shipment menu option,
create a resource with the following settings



Resource Type:

Menu Protection

Name:

Cancel Shipment

Display Name:

Cancel Shipment

Description:

Grant allows user to cancel customer good shipment

 

A new resource Cancel
Shipment
is added to the Resources
panel. Initially the resource is not granted to any user, enterprise or
application role. To grant the resource, click the green plus icon in the Granted To section, select the Add Application Role option and choose one
or more application roles in the opened dialog.


Finally, you click the process
action to define the policy. Note that permission can have multiple actions
that you can grant individually to users and roles. The cancel shipment
permission for example could have another action "view" defined to
determine which user should see that this option exist and which users don't.


To use the cancel
shipment
permission, select the disabled
property on a command item, like af:commandMenuItem and click the arrow icon on the right.
From the context menu, choose the Expression
Builder
entry. Expand the ADF
Bindings | securityContext
node and click the userGrantedResource option.

Hint: You can
expand the Description panel below
the EL selection panel to see an example of how the grant should look like.

The EL that is created needs to be manually edited to show
as

#{!securityContext.userGrantedResource[

              'resourceName=Cancel
Shipment;resourceType=MenuProtection;action=process']}


OK the dialog so
the permission checking EL is added as a value to the disabled property. Running the application and expanding the Shipment menu shows the Cancel Shipments menu item disabled for
all users that don't have the custom menu protection resource permission
granted.

Note: Following
the steps listed above, you create a JAAS permission and declaratively
configure it for function security in an ADF application. Do you need to understand
JAAS for this? No!  This is one of the
benefits that you gain from using the ADF development framework.


To implement multi lines of defense for your application,
the action performed when clicking the enabled "Cancel Shipments"
option should also check if the authenticated user is allowed to use process
it. For this, code as shown below can be used in a managed bean

public
void onCancelShipment(ActionEvent actionEvent) {    

  SecurityContext securityCtx =

      ADFContext.getCurrent().getSecurityContext();

  //create instance of ResourcePermission(String
type, String name,

  //String action)

  ResourcePermission resourcePermission =


    new
ResourcePermission("MenuProtection","Cancel Shipment",

                           "process");     

  boolean userHasPermission =   

      securityCtx.hasPermission(resourcePermission);

  if (userHasPermission){



      //execute
privileged logic here

  }

}

Note: To learn
more abput ADF Security, visit

http://download.oracle.com/docs/cd/E17904_01/web.1111/b31974/adding_security.htm#BGBGJEAH

Note: A monthly summary of OTN Harvest blog postings can be downloaded from ADF Code Corner. The monthly summary is a PDF document that contains supporting screen shots for some of the postings:

http://www.oracle.com/technetwork/developer-tools/adf/learnmore/index-101235.html

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.