Recently I had a long meeting on the customer side to discuss and describe various ADF Security management strategies in a production environment. Good news: at the end, everyone left the meeting happy and with a correct understanding of the benefits given by ADF Security. I will describe how you can manage Application and Enterprise security roles, as well as Permissions, after ADF application deployment on a production WebLogic server.
Download the sample application - ApplicationRoles.zip. This application contains one Application-level role, accountants; for testing purposes it is mapped to an Enterprise-level role, Accountants:
There is a test user defined, dev1, granted this Enterprise role:
The application contains one JSPX page and one ADF Task Flow with a fragment. The JSPX page is granted to be viewable by any authenticated user:
The ADF Task Flow is viewable only by the accountants Application role:
The sample application is configured not to migrate any users or groups defined inside the local jazn-data.xml. This means we will consume users and groups defined in the WebLogic server, without uploading the ones from the development environment:
After deploying the application, I can see there are no users uploaded from the development environment, which is what I want:
Now, when deployment is done, we can open the application control screen in Oracle Enterprise Manager 11g. There is a Security group in the menu which gives access to Application Policies and Application Roles. This means we can manage ADF Security directly, even after the application was deployed on the server, without redeployment:
I can see two Application Policies defined, based on the authenticated-role and accountants roles:
We can open the Application Role accountants:
And see the details for this role:
Interesting thing: I can still see that the Application Role accountants is mapped to the Accountants group (Enterprise Role). It should not be visible, because in the deployment profile I declared not to upload any users or groups from the development environment. The reason is that this membership is stored in the policy-store section of jazn-data.xml, as part of the Application Role definition, so it is migrated together with the application policies regardless of the users-and-groups setting. I will try to delete this mapping:
However, the delete operation fails with an error: such a role is not found. The Accountants group exists only in the development jazn-data.xml, not in the WebLogic security realm, so Enterprise Manager cannot resolve the principal it is asked to remove:
This means it is good practice to remove any mapping between Application and Enterprise Roles in the development environment, before doing the actual deployment:
After removing the role mapping in jazn-data.xml and redeploying, I can see the correct picture: no Groups assigned to the Application Role:
Now I will switch to the WebLogic console and define a new Group (Enterprise Role) - FinanceG. In a real system such a group may come from Active Directory or another external identity store:
I have defined a new user on the WebLogic server as well - john:
This user is granted the FinanceG group:
Now it is time to open Oracle Enterprise Manager 11g and map the FinanceG group to the Application Role accountants:
Through Oracle Enterprise Manager 11g we can browse and assign groups from the WebLogic server. All users in the FinanceG group will be able to access resources protected by the accountants Application Role:
Log in as user john, a member of the FinanceG group:
Both the page and the ADF Task Flow are rendered:
If I log in as user scott, who is not a member of the FinanceG group:
The region from the ADF Task Flow is not rendered. That is correct, because user scott is not authorized to access this region without the accountants Application Role:
Let's say the organization's security policy changes and it is no longer allowed to show the Countries page without a proper role assignment. You may think an application change and redeployment will be required. However, there is an easy way: we can change Application Policies directly in Oracle Enterprise Manager 11g. Open the Application Policies screen and select the main page permission granted to the authenticated-role:
Grant this permission to the accountants Application Role:
Remove the authenticated-role from the list:
The application is now secured completely by the accountants Application Role alone:
All users from other groups, not mapped to the accountants Application Role, will be unauthorized to access the application (user scott in this case):
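The same post-deployment steps can be scripted instead of clicked through. The WLST script below is an added example and is not code from the original post or from the sample application: it creates the FinanceG group and the user john in the WebLogic realm, maps FinanceG to the accountants Application Role, and then moves the main page permission from authenticated-role to accountants, in that order, so there is no moment when nobody can reach the page. The admin URL and credentials, john's password, the application stripe name (assumed to equal the application name, ApplicationRoles) and the RegionPermission target for the main page are assumptions, as the page does not state them.

```jython
# WLST (Jython) script. Run it with $MW_HOME/oracle_common/common/bin/wlst.sh
# so that the OPSS security commands (grantAppRole, grantPermission, ...) are loaded.
# Added example, not part of the original post. Every value marked "assumption"
# is not given on the page and must be adjusted for your domain.

ADMIN_URL  = 't3://localhost:7001'   # assumption
ADMIN_USER = 'weblogic'              # assumption
ADMIN_PASS = 'welcome1'              # assumption
APP_STRIPE = 'ApplicationRoles'      # assumption: stripe name = application name
APP_ROLE   = 'accountants'
GROUP      = 'FinanceG'
NEW_USER   = 'john'
NEW_PASS   = 'welcome1'              # assumption

# Principal classes used by ADF Security / OPSS in jazn-data.xml and the policy store.
APP_ROLE_CLASS  = 'oracle.security.jps.service.policystore.ApplicationRole'
WLS_GROUP_CLASS = 'weblogic.security.principal.WLSGroupImpl'
AUTH_ROLE_CLASS = 'oracle.security.jps.internal.core.principals.JpsAuthenticatedRoleImpl'

# Permission protecting the main page definition; the page-def name is an assumption.
PAGE_PERM_CLASS   = 'oracle.adf.share.security.authorization.RegionPermission'
PAGE_PERM_TARGET  = 'view.pageDefs.mainPageDef'
PAGE_PERM_ACTIONS = 'view'

connect(ADMIN_USER, ADMIN_PASS, ADMIN_URL)

# 1. Enterprise group and user in the default (embedded LDAP) realm.
#    The post does this in the WebLogic console; no edit session is needed,
#    these are runtime calls on the DefaultAuthenticator MBean.
serverConfig()
realm = cmo.getSecurityConfiguration().getDefaultRealm()
atn = realm.lookupAuthenticationProvider('DefaultAuthenticator')
if not atn.groupExists(GROUP):
    atn.createGroup(GROUP, 'Finance department')
if not atn.userExists(NEW_USER):
    atn.createUser(NEW_USER, NEW_PASS, 'John')
if not atn.isMember(GROUP, NEW_USER, true):
    atn.addMemberToGroup(GROUP, NEW_USER)

# 2. Map the enterprise group to the application role.
#    The post does this in Enterprise Manager > Application Roles.
grantAppRole(appStripe=APP_STRIPE, appRoleName=APP_ROLE,
             principalClass=WLS_GROUP_CLASS, principalName=GROUP)

# 3. Tighten the page policy: grant to accountants first, then revoke from
#    authenticated-role. The post does this in Application Policies.
grantPermission(appStripe=APP_STRIPE,
                principalClass=APP_ROLE_CLASS, principalName=APP_ROLE,
                permClass=PAGE_PERM_CLASS, permTarget=PAGE_PERM_TARGET,
                permActions=PAGE_PERM_ACTIONS)
revokePermission(appStripe=APP_STRIPE,
                 principalClass=AUTH_ROLE_CLASS, principalName='authenticated-role',
                 permClass=PAGE_PERM_CLASS, permTarget=PAGE_PERM_TARGET,
                 permActions=PAGE_PERM_ACTIONS)

# 4. Verify what is now in the policy store: FinanceG should be listed as a
#    member of accountants, and the page permission should appear only under it.
print 'Members of application role', APP_ROLE
listAppRoleMembers(appStripe=APP_STRIPE, appRoleName=APP_ROLE)
print 'Permissions granted to application role', APP_ROLE
listPermissions(appStripe=APP_STRIPE, principalClass=APP_ROLE_CLASS, principalName=APP_ROLE)

disconnect()
exit()
```

Because the OPSS commands go through the domain's configured policy store, the same script applies whether the policy store is file-based or has been reassociated to an LDAP or database store; it also gives a repeatable, reviewable alternative to clicking through Enterprise Manager for each environment.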
This is very helpful and comprehensive.
Thanks,
pino
One shall deserve to be an Oracle Ace. You deserve it.
Thanks :)
Thanks for such a nice article.
Is it possible to manage users, roles and groups from a JSF page?
You can achieve this with WebCenter Security Management Task Flows. Or if you don't have a WebCenter license, you can code with the OPSS API - http://andrejusb.blogspot.com/2011/01/fusion-middleware-11g-security-retrieve.html
Andrejus
As per the WebCenter administration guide chapter 29, "For most environments, and especially production environments, you must reassociate your policy store with an external LDAP such as Oracle Internet Directory (OID), or a database". Assuming we use OID to store the policy and credential store, can we still use the EM console to map the enterprise groups with the application roles? Can we modify the application policies using the EM console?
Yes, you can.
Andrejus
In the example, we need Oracle Enterprise Manager to assign Application Roles to the user groups and users. I guess Oracle Enterprise Manager would only come with SOA Suite and hence is a cost overhead to the customer. Can you please detail if we have an alternate way of assigning application roles without using Enterprise Manager?
Thanks in advance
Thanks for sharing your knowledge!!! You really deserve to be an Oracle ACE Director.
I spent a lot of time understanding the difference between ADF application roles and enterprise roles. Your blog really helped a lot. Thanks!
We have configured the application role to Enterprise role mapping through EM as per your above blog article and removed the Enterprise roles and the mapping of application role to Enterprise role in the EAR. But when we redeploy the application (as a fresh one or as a version update), the earlier created Enterprise role to Application role mapping is not available for the new deployment in WLS. Your advice is very much appreciated.