AppsDataSource and Java Authentication and Authorization Service for Oracle E-Business Suite

simplified architecture diagram showing client - app tier - database tier

[March 1, 2010: Patch 8571001 also includes extended error logging routines for use with external Java EE programs. Patch 8571001 hasn't changed, but Note 974949.1 has just been updated to include documentation for error logging, as well as some improvements based on feedback I've been getting. Keep that feedback coming!]

Oracle Application Object Library recently added new standard Java datasource and Java Authentication and Authorization Service (JAAS) features to Oracle E-Business Suite in Patch 8571001. These features are meant for use with Java EE programs deployed in application servers on external nodes; that is, nodes other than those where the Oracle E-Business Suite middle tier is installed. They are lightweight implementations that can be used on an external application server without installing an entire Oracle E-Business Suite instance on the application server machine.

These features can be used with either Release 11i or Release 12.  For details, see:

AppsDataSource

The AppsDataSource standard data source enables access to the Oracle E-Business Suite APPS database schema from external Java EE environments without sharing the APPS schema password. Since the APPS database password is typically changed frequently, using these data sources insulates such programs from having to change their authentication information. Using these data sources also helps prevent wide exposure of the APPS password.

Using these standard data sources lets you control access to Oracle E-Business Suite data at the APPS schema level. For example, you can use AppsDataSource with BPEL processes and Oracle Service Bus services in Oracle Fusion Middleware. Within Oracle E-Business Suite, the AppsDataSource is used to control APPS database access as part of the integration of Oracle E-Business Suite with Oracle Access Manager using Oracle E-Business Suite AccessGate.

When using the AppsDataSource feature, access to the APPS database is controlled using a dedicated Oracle E-Business Suite user name and password ("applications user", also known as an "FND user") instead of the APPS password. This allows centralized maintenance of the APPS password and provides additional controls on who can access the APPS account.

Java Authentication and Authorization Service (JAAS)

Oracle E-Business Suite contains a repository of application users (FND users) and their associated roles (authorization for access to certain functional areas of the product). If you are developing a custom or third-party Java EE application to integrate with Oracle E-Business Suite, and you want to use that existing repository of users and roles for authentication and authorization for your Java EE application, you can use the Oracle E-Business Suite implementation of Java Authentication and Authorization Service (JAAS). This feature is intended to secure an HTTP resource or piece of application functionality at the Oracle E-Business Suite user level.

Authenticating a Java application via JAAS

For example, suppose you want to build a Java EE application using Oracle Fusion Middleware to integrate with Oracle E-Business Suite data. You would use both AppsDataSource and JAAS so you can secure who has access to your application functionality based on usernames and roles already in Oracle E-Business Suite.

The following diagram shows the relationship between the AppsDataSource and JAAS features and how users and roles are used in the JAAS and AppsDataSource setups:

Relationship between AppsDataSource and JAAS features and how users and roles are used in their setups

  • There are two different users, A (with Specialist role) and B (with Manager role), accessing a protected custom application (through a URL) on an external application server.
  • The custom application has a web.xml file that allows access for the Manager role as part of the JAAS setup.
  • User A does not have the Manager role, so is not allowed access to the custom application.
  • The external application server has an AppsDataSource set up to allow access to the Oracle E-Business Suite database through a dedicated AppsDataSource user, to which the special UMX|APPS_SCHEMA_CONNECT role is assigned.
  • A repository of users and roles resides inside the Oracle E-Business Suite database.
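
A deployment descriptor for the scenario in the list above, added here as an illustration; it is not taken from Patch 8571001 or Note 974949.1. It uses only standard Java EE web.xml elements. The URL pattern and the literal role name `Manager` are assumptions, and the container-side JAAS login module setup for OC4J or WebLogic is not shown.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added illustration: standard Java EE deployment descriptor (web.xml). -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected custom application</web-resource-name>
      <!-- Hypothetical path. Every URL that must require login has to match
           a pattern here; a servlet mapped outside it is served without
           any authentication prompt. -->
      <url-pattern>/app/*</url-pattern>
      <!-- No http-method elements on purpose: the constraint then covers
           all HTTP methods. Listing only GET and POST would leave the
           other methods unconstrained. -->
    </web-resource-collection>

    <!-- Only callers holding this role pass. User B (Manager) is admitted;
         user A (Specialist) authenticates successfully but is refused
         with 403 Forbidden. The role name is an assumption: use the role
         code as it exists in the Oracle E-Business Suite repository. -->
    <auth-constraint>
      <role-name>Manager</role-name>
    </auth-constraint>

    <!-- BASIC authentication sends the FND user name and password with
         each request, only base64-encoded, so require TLS. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- The container collects credentials and hands them to whatever JAAS
       login module is configured for this application. -->
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>

  <!-- Every role referenced in an auth-constraint must be declared. -->
  <security-role>
    <role-name>Manager</role-name>
  </security-role>
</web-app>
```

An `auth-constraint` with no `role-name` child denies everyone, while omitting `auth-constraint` entirely leaves the resource open to unauthenticated callers, so the two should not be confused when reviewing a descriptor.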

Knowledge Document Topics

The Knowledge Document 974949.1, "AppsDataSource, Java Authentication and Authorization Service, and Utilities for Oracle E-Business Suite", includes the following topics:

  • Applying Patch 8571001
  • Using Oracle E-Business Suite Data Sources
    • Configuring AppsDataSource on an OC4J Instance and on an Oracle WebLogic Server (WLS) Instance
    • Using AppsDataSource Directly from Java Programs
  • Oracle E-Business Suite Implementation of Java Authentication and Authorization Service (JAAS)
    • JAAS configuration for OC4J and Oracle WebLogic Server
    • Global Access for All Authenticated Oracle E-Business Suite Users
  • Utilities

Lightweight Tools for Java EE Applications

The lightweight implementations of AppsDataSource and JAAS are useful tools for easier integration of custom Java EE applications with Oracle E-Business Suite.

We'll be adding more information to the document about additional Oracle Application Object Library Java features in the coming several months, so check Knowledge Document 974949.1 every so often. Happy coding!

Comments:

So I've read this article and also the note referenced (974949.1) and both say that the functionality provided by patch 8571001 is good for R11 and R12... yet when you go to download the patch, it appears to be only for R12.

Pls advise?

Posted by Jay Weinshenker on January 13, 2010 at 10:06 PM PST #

Hello Jay,

Apologies for the confusion. Patch 8571001 for R12 should be used for both 11i and R12 customers. The patch is manually extracted, so you don't need to worry about the Release version in this case.

regards

Mike Shaw

Posted by Mike Shaw on January 13, 2010 at 10:32 PM PST #

Yes, it really is for both 11i and 12.

Thanks,

Sara

Posted by Sara Woodhull on January 14, 2010 at 01:06 AM PST #

This is a little bit interesting in that I am doing the basics of these now... Well, through this article I got a good understanding... Thank you...

Posted by Aadil Sukry on January 15, 2010 at 11:41 AM PST #

In the example given above for JAAS, how does the webapp know user A's role? What is the implied mechanism for checking - a query against the role stored against that user in EBiz either directly via callout, but what is the mechanism? Is it through OID query (Group membership check), through webservice call to an API in eBiz? Is this detail left deliberately vague to leave implementation-specific options open?

Posted by Steve on October 13, 2010 at 10:19 AM PDT #

We have a custom ADF application developed. We want to utilize existing R12 security for the ADF application.

Looks like the above AppsDataSource will give us an out-of-box solution. I am looking for setup instructions and to apply role-based security for ADF artifacts like pages/task-flows etc. Can someone point me to some links which talk about how exactly we use the R12 users/roles to secure ADF artifacts (pages/task-flows etc.)?

Thanks for help!!

Posted by Subba on October 25, 2010 at 10:42 PM PDT #

Hi Subba,

AppsDataSource is meant only to take care of the underlying database connection to the APPS database schema--it merely uses a dedicated FND User as a substitute for needing to propagate the APPS password. AppsDataSource does not handle authentication and authorization for individual application users--that's the JAAS feature.

The JAAS feature as described above is meant for use with plain Java EE applications, and ADF already has its own JAAS-compliant security setup. The Oracle E-Business Suite SDK for Java JAAS feature is based more on providing constraints for directory paths and URLs, while the ADF implementation is based around task flows.

Posted by Sara Woodhull on October 28, 2010 at 08:35 AM PDT #

Hi Sara,

Thanks for your detailed reply. It is very clear now.
Is there any way that we can utilize the existing R12 fnd global security in ADF?

Our concern is, we invoke an external ADF application from existing R12 and want to utilize existing security rather than investing in re-designing security for custom ADF.

I understand from several links on the web that we must use the in-built JAAS feature (using jazn-data.xml) to secure ADF artifacts like pages/task-flows etc.

Now, is there any integration point for custom ADF and existing R12 apps, in terms of using R12 security in ADF?
Is it possible to map the enterprise roles in jazn-data.xml to R12 application roles?

Please suggest if you have any documentation in this regard. If not, is there any other place I can reach out to get the ADF and R12 integration resources?

Thanks for your help!!

Posted by Subba on November 14, 2010 at 07:50 PM PST #

Good information.

I followed the article and have successfully set up AppsDataSource and JAAS for EBS in Weblogic Server. My problem is that the Weblogic server is not asking for any authentication page when I access the application. I was able to run the application HelloWorld.jar that came with the patch.

/HelloWorld/DataSourceServlet page gives the result, but it's not asking for authentication before it displays the results.

Any help will be appreciated.

Thanks,
Siva

Posted by Siva on February 09, 2011 at 07:16 AM PST #

Siva,

I'm sorry to hear that you've encountered an issue with this.

We can provide general conceptual guidance here, but I'm afraid that this blog isn't the best place to get technical support for specific issues like the one that you're working through.

Your best bet would be to log a formal Service Request via My Oracle Support (formerly Metalink) to get one of our specialists engaged.

Please feel free to forward your Service Request number to me if it gets stuck in the support process for some reason.

Regards,
Steven

Posted by Steven Chan on February 10, 2011 at 01:48 AM PST #

Hi
We have the same requirement that Subba had.
We have a custom ADF application developed. We want to utilize existing R12 security for the ADF application.

Looks like the above AppsDataSource will give us an out-of-box solution. I am looking for setup instructions and to apply role-based security for ADF artifacts like pages/task-flows etc. Can someone point me to some links which talk about how exactly we use the R12 users/roles to secure ADF artifacts (pages/task-flows etc.)?

How can we use E-Business Suite security in ADF?
How can we pass user role and other security info when we are calling an ADF page from OAF?
Please suggest.
Appreciate your help.

Posted by guest on January 04, 2012 at 09:08 PM PST #

Hi,

We are currently working on documentation around how to use EBS R12 security with ADF, but we aren't done yet. Please check back on the blog periodically. We will definitely post an announcement article when we have any new materials on the topic!

Thanks,

Sara

Posted by Sara Woodhull on January 05, 2012 at 02:14 PM PST #

Hi Sara,

I am just also looking to register my interest in the EBS R12 / ADF security.

I've just seen the web cast replay around extending EBS, and have also found a lot of the resources currently mentioned. But I guess as you are aware, there doesn't seem to be anything specific around accessing ebusiness roles.

Awaiting this paper!!!!! Do you have any updates on when this paper will be released?

Thanks again,

Simon

Posted by guest on January 23, 2012 at 06:04 PM PST #

We just recently downloaded and tested the EBS SDK for Java. The AppsDataSource works very well. However, we found a number of issues with the JAAS Plugin. The most critical is the fact that the query it uses to pick up a user's roles appears to: 1) filter out FND responsibilities, and 2) pick up end-dated roles. Note that I have opened an SR on this and a pre-defect has been opened.

Beyond that, the JAAS Plugin is delivered as an Oracle Platform Security Services (OPSS) authenticator, but there is no integration with the Weblogic identity store. That means that, while you can use the JAAS APIs to verify a user's password and ask if the user is in a given role (with the caveats mentioned above), you cannot use Enterprise Manager to map EBS roles to application roles. I'm also not sure to what extent it allows a developer to set up security for an ADF application based on EBS permissions.

In conclusion, while we very much like the idea of the JAAS Plugin and we see a lot of potential, it does not appear to be very usable at the moment. If I am wrong, please let me know (and I do hope that I'm wrong :-)

Posted by Ara on January 25, 2012 at 11:39 AM PST #

Hi Simon,

Believe me, I'm just as eager as you are to see this EBS R12/ ADF security information out! We're making progress, but we're still working on it...

Thanks,

Sara

Posted by Sara Woodhull on January 25, 2012 at 11:10 PM PST #

Hi Ara,

I'm glad to hear that you find the AppsDataSource helpful!

Regarding the JAAS issue, please feel free to forward your Service Request number to me so I can follow up on it.

Thanks,

Sara

Posted by Sara Woodhull on January 25, 2012 at 11:11 PM PST #

Sorry, Sara, your e-mail info is not published. SR # 3-5146090851, "Bug in EBS SDK for Java". Doesn't really seem to be moving...

Posted by Ara on January 30, 2012 at 04:39 PM PST #

Hi Ara,

Thanks for the SR details. We're reviewing it now.

Thanks,

Sara
SaraDOTwoodhullAToracleDOTcom

Posted by Sara Woodhull on February 03, 2012 at 01:47 PM PST #

Hi,

I'm looking for a way to create/modify/remove user accounts (login/password) and application profiles in Oracle EBS 11 from a third party application.

Does the AppsDataSource and Java Authentication and Authorization Service for Oracle E-Business Suite give the possibility to do that?

Best Regards,

Posted by jc on February 08, 2012 at 06:49 AM PST #

Hi, JC,

No, we don't offer any APIs to create/modify/remove user accounts via external applications.

You can integrate your E-Business Suite environment with Oracle Internet Directory, which, in turn, can be integrated with a third-party LDAP directory. Any changes made in the third-party LDAP will provision user updates to the E-Business Suite.

For more details, see:

In-Depth: Using Third-Party Identity Managers with the E-Business Suite Release 11i
http://blogs.oracle.com/stevenChan/entry/indepth_using_thirdparty_ident

Regards,
Steven

Posted by Steven Chan on February 09, 2012 at 10:12 AM PST #

Hi Ara,

Regarding end-dated roles appearing: when you end-date a role, there is a Workflow process that updates any users who have the role assigned to end-date the assignment. If the Workflow Deferred Agent Listener isn’t running, or the end-dating hasn’t worked its way through the process yet, you could see end-dated roles from the JAAS setup. That’s what happened in our development environment where I replicated your results, and we think that’s what happened in your case.

Regarding the question about why you can use UMX roles but not FND responsibilities with the JAAS feature: UMX roles follow RBAC requirements such as role hierarchy and can be used to implement standard Auth* models. Responsibilities are not RBAC compliant; they have a flat structure (one level) and cannot be combined into role hierarchies. That’s why responsibilities are not included for use with the JAAS feature.

Thanks,

Sara

Posted by Sara Woodhull on February 20, 2012 at 02:22 PM PST #

If one has issues with this, what product group handles this? For example, I had an Apps Data Source configured and working. I deleted the domain and recreated two, one accessing the same instance, the other accessing a new instance. The new instance works, and the redefined one doesn't.

I don't expect this kind of problem to answer here, but is this an EBS patch? What group should I report this to?

Posted by Bruce Beck on March 09, 2012 at 11:49 AM PST #

Hi Bruce,

Problems with the Oracle E-Business Suite SDK for Java (including the AppsDataSource) should go to the Oracle E-Business Suite, ATG support.

Thanks,

Sara

Posted by Sara Woodhull on March 09, 2012 at 01:02 PM PST #

Hi,

1) Is the document/whitepaper on how to implement R12 security with ADF application available?

2) Also, can Appsdatasource be used to make calls to Oracle e-business suite PLSQL APIs?

3) For building an ADF application that needs to make calls to Oracle e-business suite APIs, is it required to have SOA suite installed as well?

Regards,

alister

Posted by guest on July 01, 2012 at 11:51 PM PDT #

Hi Alister,

For security specifically with ADF, there are two choices: JAAS or through Oracle E-Business Suite session management. In the latest version of the documentation (now a PDF attachment to the MOS note 974949.1), the JAAS-with-ADF case is already fully documented. It’s a little different than the plain-Java-application case. Session management is available, and it’s documented for the plain-Java-application case, but the session management-with-ADF case is still an “exercise for the reader” for now.

Regarding calling PL/SQL APIs and whether you need SOA Suite to call Oracle E-Business Suite PL/SQL APIs through the AppsDataSource: yes, you can call PL/SQL APIs through AppsDataSource, and no, you shouldn’t need the SOA Suite for that. You would just call the PL/SQL the same way you would normally call it from ADF.

Thanks,

Sara

Posted by Sara Woodhull on July 02, 2012 at 01:01 PM PDT #

Hi everyone,

In case you are following comments here but not the main blog, we've just released a new version of the Oracle E-Business Suite SDK for Java, and you can read the announcement here: https://blogs.oracle.com/stevenChan/entry/new_version_of_e_business

Thanks,

Sara

Posted by Sara Woodhull on July 09, 2012 at 12:47 PM PDT #

I set up a prototype application on OAS using steps on https://blogs.oracle.com/ebusinesssuiteintegration/entry/jaas_for_ebusiness_suite. Initially, my EBS instance used its own authentication. When I go to my protected application, I receive a login prompt. I enter my EBS credentials and am authenticated to my test application. So far so good. Next, I enabled SSO on my EBS instance. When I go to the EBS instance, I am redirected so that I am logged in without having to enter credentials. However, when I go to my test application, I still receive the login prompt and not SSO. What am I missing?

Thanks,
Steve

Posted by Steve Wardell on February 07, 2014 at 11:41 AM PST #

Hi Steve,

There are a LOT of moving parts in what you describe, and I'm afraid that this blog isn't the best place to get technical support for specific issues like the one that you're working through.

Please take a look at the materials listed here: https://blogs.oracle.com/jruiz/entry/adf_and_oracle_e_business2, especially the listed forum postings. If those don't help, your best bet would be to log a formal Service Request via My Oracle Support (formerly Metalink) to get one of our specialists engaged. Problems with the Oracle E-Business Suite SDK for Java (including the AppsDataSource) should go to the Oracle E-Business Suite, ATG support.

Thanks,

Sara

Posted by Sara Woodhull on February 07, 2014 at 01:56 PM PST #
