Tuesday, May 15, 2012

Missing New Feature in JDev ( - ADF Methods Security

New features are always good to have in JDeveloper, but missing new features are something really new :-) It looks like the documentation was released faster than the actual functionality. If you read the What's New in This Guide in Release document, it lists a new documentation section about how to set up security for ADF Methods (see Chapter 35). Chapter 35 has nice step-by-step instructions on how to enable security for ADF Methods. The guide says you need a command component to execute the ADF Method, and ADF Security must be enabled. Finally, the documentation says: "The Resource Grants page of the overview editor displays all methods that your application defines." Well, maybe I'm missing some magic check-box, but the methods are not listed in the overview editor. I will be really happy if it's just me and there is a hidden check-box that enables this functionality.

Download test case application - ADFMethodSecurity.zip.

The documentation steps are pretty straightforward - see the highlighted statement, it says methods will be shown automatically:

I have defined a custom method inside the AM implementation:

The custom ADF Method is exposed in the Data Control:

It's all good for the Web page - it is visible in the security overview:

But it's not so good for the ADF Method - it's not visible (even the Source Project selection is disabled), as it is supposed to be per the documentation:

This is a really powerful and required feature; sadly, it's missing. I hope it will be available with the next release of JDev.


Frank Nimphius said...

Actually it's not a missing feature but a problem with the documentation. What ADF methods really means in this context is to click the plus icon next to the ADF Method entry to create a JPS ResourcePermission. This ResourcePermission then can have instances created which the document refers to as ADF Method. In your application you use security EL to check the resource permission grant for the current authenticated user. If you re-read the whole paragraph in the doc, then this makes sense. The misleading line in the docs is the mention of MethodPermission, which I am not sure why it is there.

Andrej Baranovskij said...

Thanks for the update, Frank. I also copy-pasted your comment on the same topic from here (http://andrejusb.blogspot.com/2012/04/how-to-search-in-range-with-single-adf.html):


Actually it's not a missing feature but an ugly written section in the security guide. The following three sentences - copied from the same doc - explain how it really works:

1) "ADF Security does not perform permission checking for ADF methods; you must enable permission checking in your application. Based on a resource permission you have granted to the user for the ADF method, the user interface will either enable or disable the command component."

2) "You create a resource permission to map the invoke permission action to the execute operation." This means that you press the plus icon for ADF method in the security editor to create a new Resource permission. This resource permission is what you then create instances of and grant to users. Doing so then gives sense to (3)

3) "You use the Expression Builder dialog that you display for the UI component display property to define an EL expression that checks the user's access rights to the method. When you run the application, the component will appear either enabled or disabled based on the outcome of the EL expression ADF method permission check."

The problem is that "ADF Method" neglects the fact that it is a resource permission. When the doc author talks about selecting an ADF method then he doesn't mean to select a method in a PageDef file but a Resource Permission defined as an ADF Method (confusing, I know).

I'll file a bug to get this explained.
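
The three quoted steps as an added example (not from the post, the test case application, or Oracle's guide): a resource permission granted in jazn-data.xml and the EL check on the command button that executes the method. The method name `applyDiscount`, the role `managers` and the resource type name `ADFMethodResourceType` are hypothetical placeholders; use the names the security editor generates in your application.

```xml
<!-- Fragment 1: jazn-data.xml (surrounding policy-store elements omitted).
     Step 2: the resource permission created with the plus icon next to
     "ADF Method", granted to an application role.
     All names below are hypothetical placeholders. -->
<grant>
  <grantee>
    <principals>
      <principal>
        <class>oracle.security.jps.service.policystore.ApplicationRole</class>
        <name>managers</name>
      </principal>
    </principals>
  </grantee>
  <permissions>
    <permission>
      <class>oracle.security.jps.ResourcePermission</class>
      <!-- resource type and resource name identify the "ADF Method" resource -->
      <name>resourceType=ADFMethodResourceType,resourceName=applyDiscount</name>
      <!-- the invoke action mapped to the method's execute operation -->
      <actions>invoke</actions>
    </permission>
  </permissions>
</grant>

<!-- Fragment 2: page fragment (.jsff / .jspx).
     Step 3: the command component is disabled unless the current user
     holds the resource permission granted above. -->
<af:commandButton
    text="Apply Discount"
    actionListener="#{bindings.applyDiscount.execute}"
    disabled="#{!securityContext.userGrantedResource['resourceName=applyDiscount;resourceType=ADFMethodResourceType;action=invoke']}"/>
```

The `resourceType`, `resourceName` and `action` values in the EL string must match the grant exactly, otherwise the button stays disabled for everyone. The expression only controls the component state; since ADF Security does not check the method itself, a method that needs real enforcement also needs the same permission check in application code.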