AppsDataSource and Java Authentication and Authorization Service for Oracle E-Business Suite
By Sara Woodhull on Jan 13, 2010
[March 1, 2010: Patch 8571001 also includes extended error logging routines for use with external Java EE programs. Patch 8571001 hasn't changed, but Note 974949.1 has just been updated to include documentation for error logging, as well as some improvements based on feedback I've been getting. Keep that feedback coming!]
Oracle Application Object Library recently added new standard Java datasource and Java Authentication and Authorization Service (JAAS) features to Oracle E-Business Suite in Patch 8571001. These features are meant for use with Java EE programs deployed in application servers on external nodes; that is, nodes other than those where Oracle E-Business Suite middle tier is installed. These are lightweight implementations that can be used on an external application server without needing to install an entire Oracle E-Business Suite instance on the application server machine.
These features can be used with either Release 11i or Release 12. For details, see:
- AppsDataSource, Java Authentication and Authorization Service, and Utilities for Oracle E-Business Suite (Note 974949.1)
The AppsDataSource standard data source enables access to the Oracle E-Business Suite APPS database schema from external Java EE environments without sharing the APPS schema password. Since the APPS database password is typically changed frequently, using these data sources insulates such programs from having to change their authentication information. Using these data sources also helps prevent wide exposure of the APPS password.
Using these standard data sources lets you control access to Oracle E-Business Suite data at the APPS schema level. For example, you can use AppsDataSource with BPEL processes and Oracle Service Bus services in Oracle Fusion Middleware. Within Oracle E-Business Suite, the AppsDataSource is used to control APPS database access as part of the integration of Oracle E-Business Suite with Oracle Access Manager using Oracle E-Business Suite AccessGate.
When using the AppsDataSource feature, access to the APPS database is controlled using a dedicated Oracle E-Business Suite user name and password ("applications user", also known as an "FND user") instead of the APPS password. This allows centralized maintenance of the APPS password and provides additional controls on who can access the APPS account.
Java Authentication and Authorization Service (JAAS)
Oracle E-Business Suite contains a repository of application users (FND users) and their associated roles (authorization for access to certain functional areas of the product). If you are developing a custom or third-party Java EE application to integrate with Oracle E-Business Suite, and you want to use that existing repository of users and roles for authentication and authorization for your Java EE application, you can use the Oracle E-Business Suite implementation of Java Authentication and Authorization Service (JAAS). This feature is intended to secure an HTTP resource or piece of application functionality at the Oracle E-Business Suite user level.
Authenticating a Java application via JAAS
For example, suppose you want to build a Java EE application using Oracle Fusion Middleware to integrate with Oracle E-Business Suite data. You would use both AppsDataSource and JAAS so you can secure who has access to your application functionality based on usernames and roles already in Oracle E-Business Suite.
The following diagram shows the relationship between the AppsDataSource and JAAS features and how users and roles are used in the JAAS and AppsDataSource setups:
- There are two different users, A (with Specialist role) and B (with Manager role), accessing a protected custom application (through a URL) on an external application server.
- The custom application has a web.xml file that allows access for the Manager role as part of the JAAS setup.
- User A does not have the Manager role, so is not allowed access to the custom application.
- The external application server has an AppsDataSource set up to allow access to the Oracle E-Business Suite database using the dedicated AppsDataSource user that has the special UMX|APPS_SCHEMA_CONNECT role assigned to the dedicated user.
- A repository of users and roles resides inside the Oracle E-Business Suite database.
Knowledge Document Topics
The Knowledge" Document 974949.1: "AppsDataSource, Java Authentication and Authorization Service, and Utilities for Oracle E-Business Suite" includes the following topics:
- Applying Patch 8571001
- Using Oracle E-Business Suite Data Sources
- Configuring AppsDataSource on an OC4J Instance and on an Oracle WebLogic Server (WLS) Instance
- Using AppsDataSource Directly from Java Programs
- Oracle E-Business Suite Implementation of Java Authentication and Authorization Service (JAAS)
- JAAS configuration for OC4J and Oracle WebLogic Server
- Global Access for All Authenticated Oracle E-Business Suite Users
Lightweight Tools for Java EE Applications
The lightweight implementations of AppsDataSource and JAAS are useful tools for easier integration of custom Java EE applications with Oracle E-Business Suite.
We'll be adding more information to the document about additional Oracle Application Object Library Java features in the coming several months, so check Knowledge" Document 974949.1 every so often. Happy coding!Related Articles