Saturday, July 5, 2008

Declarative Security in JDeveloper/ADF 11g

In JDeveloper 11g, with the help of the Oracle ADF framework, you can add security to your application in an easy and straightforward way. The approach is declarative; no coding is needed. The main goal of this post is not to describe how to configure security, but rather how it can be applied in your applications.

Let's take a case where the same form must open in different modes (editable/read-only) for users with different sets of roles assigned. With JDeveloper 11g you can implement this requirement in 3 quick steps. I will describe those steps here; you can also download the sample application - DeclarativeSecurity.zip. To run this sample, you need the standard HR schema in your database. Additionally, you need to use this system-jazn-data.xml file, where two users are defined - john (managers) and scott (clerks). The password for both users is welcome.

The three steps needed to implement declarative security:

1. Entity Object level security

This step secures row data. In the Entity Object wizard, define the Security Operation Mapping. I have secured two standard Actions - Update and Delete - for the Jobs Entity:


When the security options are defined, specify authorization for the Jobs Entity. In my sample, I allowed the Update and Delete actions only for users with the managers role:


2. Page Definition level security

In this step we will secure the Actions defined in the Page Definition:


Example of the Security definition for the Delete action:


In the Authorization settings, I have made the Delete action available only to the managers role:


3. Expression Language

The last step is to set the button component's disabled property using EL. This keeps the button in a disabled state when the user is not authorized to perform the associated action. The EL expression points to the Action security in the Page Definition:


All 3 steps are explained; now I will show how it works. First, let's log in as the scott user, who has the clerks role assigned:


The security definition in the Entity Object makes row data read-only, since clerks are not allowed to modify it. The Delete button also appears disabled:


But, what is nice, when the Search Find button is pressed, Oracle ADF automatically puts the form into Find mode:


And finally, when logging in with the john account:


Since john is granted permission to update and delete existing rows, the form appears in edit mode with the Save and Delete buttons enabled:

6 comments:

pete said...

Hi Andrejus,

The download links don't seem to work any more.

Is this still valid for 11gR1?

Andrej Baranovskij said...

Hi Pete,

I'm in the process of migration to the new server. Samples will be available in a couple of days.

If you can drop me an email, I can send you the app for this post.

It's valid for 11gR1, except security in Page Definition. Also you can check my newer post - http://andrejusb.blogspot.com/2008/10/adf-security-11g-and-adf-business.html (sample can be downloaded)

Regards,
Andrej

Robert said...

Hi,
I am trying to locate, in the ADF 11g production version, the security editor for a method at the page definition level. Could you share with me how you managed to open it for that delete binding?
Thanks
Robert

Andrej Baranovskij said...

Hi Robert,

They have changed this in Production; it's not possible anymore to define permissions in Page Definition. All permissions are now defined in the central jazn-data.xml file. Actions from Page Definition can't be secured anymore.

You can check - 28 Adding Security to a Fusion Web Application.

Regards,
Andrejus

Robert said...

Hi Andrejus,
I have checked that and it is as you are saying. I have tried to use jazn for method invocation as per the document, but it is not working for me. Could you try to suggest how to do it using your example?

I am sure I missed something, so a real example would be helpful, or maybe an updated sample for production would also be good.

Thanks in advance
Robert

Robert said...

Hi Andrejus,
I did further investigation and I have succeeded ;-)

All that is required is to add a permission tag in the page definition file to specify the details.

<methodAction IterBinding="OmsWorkOrdersVO1Iterator" id="generateSRFs"
              RequiresUpdateModel="true" Action="invokeMethod"
              MethodName="generateSRFs" IsViewObjectMethod="false"
              DataControl="AppModuleDataControl"
              InstanceName="bindings.OmsWorkOrdersVO1Iterator.currentRow"
              IsLocalObjectReference="true">
  <permission xmlns="http://xmlns.oracle.com/adf/security"
              permissionClass="oracle.adf.share.security.authorization.MethodPermission"
              target="generateSRFs">
    <privilege-map operation="execute" privilege="invoke"/>
  </permission>
</methodAction>

After this, the row in JAZN-DATA.XML is working fine:

<permission>
  <class>oracle.adf.share.security.authorization.MethodPermission</class>
  <name>generateSRFs</name>
  <actions>invoke</actions>
</permission>
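
The last comment says the jazn-data.xml row only takes effect once the methodAction in the page definition carries a matching permission mapping. The following Python check is an added example, not code from the post or its commenters: it cross-checks the two files and reports method bindings with no mapping, and mappings whose target and privilege have no policy row. The ids closeOrders and purgeOrders and the trimmed file layouts are constructed for illustration.

```python
import xml.etree.ElementTree as ET
METHOD_PERM = "oracle.adf.share.security.authorization.MethodPermission"

def local(tag):  # drop the '{namespace}' prefix so elements match by local name
    return tag.rsplit("}", 1)[-1]

def mapped_methods(page_def_xml):
    """methodAction id -> set of (target, privilege) pairs; empty set if unmapped."""
    found = {}
    for el in ET.fromstring(page_def_xml).iter():
        if local(el.tag) == "methodAction":
            found[el.get("id")] = {
                (perm.get("target"), pm.get("privilege"))
                for perm in el if local(perm.tag) == "permission"
                and perm.get("permissionClass") == METHOD_PERM
                for pm in perm if local(pm.tag) == "privilege-map"}
    return found

def policy_entries(jazn_xml):
    """Set of (name, action) pairs over every MethodPermission row in the policy file."""
    entries = set()
    for el in ET.fromstring(jazn_xml).iter():
        fields = {local(c.tag): (c.text or "").strip() for c in el}
        if local(el.tag) == "permission" and fields.get("class") == METHOD_PERM:
            entries.update((fields.get("name"), a.strip())
                           for a in fields.get("actions", "").split(","))
    return entries

def audit(page_def_xml, jazn_xml):
    """Return (method id, problem) findings, ordered by method id."""
    entries, findings = policy_entries(jazn_xml), []
    for method_id, pairs in sorted(mapped_methods(page_def_xml).items()):
        if not pairs:
            findings.append((method_id, "no MethodPermission mapping"))
        for target, priv in sorted(pairs - entries):
            findings.append((method_id, f"no policy row for {target}:{priv}"))
    return findings

# Constructed samples: generateSRFs comes from the comment; other ids and the layout are made up.
PERM = ('<permission xmlns="http://xmlns.oracle.com/adf/security" permissionClass="' + METHOD_PERM
        + '" target="{}"><privilege-map operation="execute" privilege="invoke"/></permission>')
PAGE_DEF = f"""<pageDefinition><bindings>
  <methodAction id="generateSRFs">{PERM.format('generateSRFs')}</methodAction>
  <methodAction id="closeOrders">{PERM.format('closeOrder')}</methodAction>
  <methodAction id="purgeOrders"/>
</bindings></pageDefinition>"""
ROW = "<permission><class>" + METHOD_PERM + "</class><name>{}</name><actions>invoke</actions></permission>"
JAZN = f"<jazn-data>{ROW.format('generateSRFs')}{ROW.format('closeOrders')}</jazn-data>"
print(audit(PAGE_DEF, JAZN))
```

In the sample, closeOrders is reported because its mapping target (closeOrder) does not match the name used in the policy row, and purgeOrders because it has no mapping at all.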