Wednesday, October 22, 2008

ADF Security 11g and ADF Business Components

It looks like ADF Security works as it should in JDeveloper 11g. This post covers only the part of ADF Security that relates to ADF Business Components. For example, the Oracle Business Component Browser can now be used to test the security configuration in the Model layer. This did not work in 10g or in the 11g Technology Preview builds, but in Production it works!

Now, if you run a secured Application Module with the Oracle Business Component Browser, you get an authentication dialog:


This dialog appeared in previous JDeveloper builds as well, but authentication never succeeded. It works now.

You can download my sample application - ADFSecurity.zip. This sample is configured with ADF Security and contains 3 users (all with welcome1 password):
  • john (role: clerk)
  • susan (role: manager)
  • steve (role: developer)

The sample application contains one Entity object, Jobs. This entity is secured for the update action:


Two roles, manager and clerk, are authorized for update at the entity level:


Additionally, the JobTitle attribute is secured for the update action:


This action is authorized only for the manager role:


If you run the Application Module as the user susan (role: manager):


All entity attributes are available for update:


With the user john (role: clerk):


All attributes except JobTitle can be updated. This is because only the manager role is authorized to update the JobTitle attribute:


If the Application Module is tested as the user steve (role: developer):


The user is not able to update any attribute, since this user is not authorized for the update action:
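
The effective rights described above can be written down as a small policy model and checked against the expected result for each user, which is useful as a regression check when grants change. This is an added example, not code from the post or from ADF: it is plain Python, the attribute names other than JobTitle are assumed, and the rule that an attribute grant only narrows the entity grant is a modeling assumption.

```python
# Added model of the post's two-level update authorization (not ADF code).
# Users and roles exactly as listed in the post.
USER_ROLES = {"john": {"clerk"}, "susan": {"manager"}, "steve": {"developer"}}

# Update grants as configured in the post's sample application.
ENTITY_UPDATE = {"Jobs": {"manager", "clerk"}}
ATTRIBUTE_UPDATE = {("Jobs", "JobTitle"): {"manager"}}

# Assumed attribute list: only JobTitle is named in the post.
JOBS_ATTRIBUTES = ["JobId", "JobTitle", "MinSalary", "MaxSalary"]

# What the post observes for each user; used as the regression baseline.
EXPECTED = {
    "susan": ["JobId", "JobTitle", "MinSalary", "MaxSalary"],
    "john": ["JobId", "MinSalary", "MaxSalary"],
    "steve": [],
}


def can_update(user, entity, attribute):
    """True if the user's roles pass both the entity and the attribute check."""
    roles = USER_ROLES.get(user, set())  # unknown user: no roles
    entity_roles = ENTITY_UPDATE.get(entity)
    # A secured entity requires one of the granted roles.
    if entity_roles is not None and not roles & entity_roles:
        return False
    attr_roles = ATTRIBUTE_UPDATE.get((entity, attribute))
    # A secured attribute narrows the entity grant further (model assumption:
    # an attribute grant never widens access the entity check already denied).
    if attr_roles is not None and not roles & attr_roles:
        return False
    return True


def updatable(user, entity="Jobs", attributes=JOBS_ATTRIBUTES):
    """Attributes of the entity that the user may update, in declared order."""
    return [a for a in attributes if can_update(user, entity, a)]


def audit(expected):
    """Return (user, expected, actual) for each user whose rights drifted."""
    return [(u, want, updatable(u)) for u, want in expected.items()
            if updatable(u) != want]


if __name__ == "__main__":
    for name in USER_ROLES:
        print(f"{name:6} -> {updatable(name)}")
    print("drift:", audit(EXPECTED) or "none")
```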

6 comments:

  1. Hi Sir,

    Could you please help me solve a JDeveloper query about TopLink? The problem is described here

    http://www.club-oracle.com/forums/f14/confuse-with-toplink-t155/

  2. hi Andrejus

    I have posted a related question on the JDeveloper forum:
    " ADF BC Entity Object read security "
    http://forums.oracle.com/forums/thread.jspa?threadID=824435

    regards
    Jan Vervecken

  3. Jan,

    Read access is only on the Entity Object, not the attribute level. To do this on the attribute level, use the viewable property in the binding layer in combination with EL.

  4. hi Andrejus,
    Thanks for the article, it's very helpful.
    By the way, I have a question: how can I get a value from BC as an anonymous user? In my WebCenter login page I need to show some values that need to be retrieved from BC, but login hasn't been performed yet at that moment. Is there some setting to do on the application module, or shall I disable security on it?
    Thanks
    Matteo

  5. The above solution works fine when all permissions have been granted to resources before deployment. What if an application has thousands of resources and all users and groups/roles are in the database? How can we assign resource permissions at run time by using the ADF Security layer? I am seeing only programming and EL, but ADF Security should provide this feature by using programming.

  6. This is possible. We were implementing a custom ADF interface with OPSS API usage to manage ADF Security mappings at runtime. An alternative could be security mapping through Enterprise Manager.

    Regards,
    Andrejus
