1 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Real World ADF Design & Architecture Principles
Designing for Security
Learning Objectives
•  At the end of this module you should be able to:
–  Identify security risks and how to mitigate risks
–  Understand common security design patterns
–  Understand the risk of multi-channel access to your application data
–  Know about ADF Security and what it is good for
–  Think out of the box when protecting your ADF applications
“Security is the degree of protection against danger,
damage, loss, and crime."
Wikipedia
http://en.wikipedia.org/wiki/Security
Exercise
We have a budget for security, but what security should we buy for our ADF application? Maybe a firewall will do for a start.
Program Agenda
•  Application Security Risks
•  Security Principles & Pattern
•  Handling Data Entry
•  ADF Security
•  Single Sign-On
•  Securing ADF Applications
OWASP
Top Ten List of Security Vulnerabilities
OWASP
Top Ten List of Security Vulnerabilities
•  SQL Injection
–  Free input text or URL parameter values an application passes to the database unfiltered
•  Broken authentication and session management
–  Predictable tokens that identify a user session or privilege (license key)
•  Cross-Site Scripting (XSS)
–  User input of custom JavaScript that executes in the context of a web application
OWASP
Top Ten List of Security Vulnerabilities
•  Insecure direct object references
–  e.g. file references to user-specific reports: if file names can be predicted, anyone can download the file and see its content
•  Cross-Site Request Forgery (CSRF)
–  Cookie or hidden-field information that applications use to identify a user session
–  Sites that intercept or redirect a request (phishing) can make use of this information, replaying the initial request
OWASP
Top Ten List of Security Vulnerabilities
•  Security misconfiguration
–  Configuration settings that weaken security enforcement
–  Risk area: moving applications from development to production
•  Insecure cryptographic storage
–  Sensitive data that is saved in the user session, on the server or on the local client with weak encryption or not encrypted at all
•  Failure to restrict URL access
–  Direct URL access to resources may bypass authorization and break business logic
OWASP
Top Ten List of Security Vulnerabilities
•  Failed Transport Layer Protection
–  Failing to ensure that messages are not changed in transit and that the server a message is sent to is indeed the server that should receive the request
•  Unvalidated redirects and forwards
–  Tampered redirect information added to return URL parameters
What is the best protection against all of these?
Education, security standards, code writing and review guidelines
“We believe that […] programmers want to write good software. They surely don’t set out with the intention of putting security flaws in their code. Furthermore, because it’s possible for a program to satisfy a stringent functional specification and nevertheless bring a vulnerability to life, many (if not most) such flaws have been coded up by people who do their best and are satisfied with (even rewarded for) the result."
Secure Coding: Principles and Practices
Mark G. Graff; Kenneth R. van Wyk
Security Dependencies
•  Performance Impact
–  Fine-grain security checks
–  HTTPS overhead
–  Message encryption
•  Usability
–  Periodical re-authentication
–  Complex password rules
–  Frequent password renewals
–  Access restrictions
•  Business hours
•  Point of access
(Diagram: trade-off triangle with corners labelled Max. Performance, Max. Usability and Max. Security)
Security Principles
Security By Design
•  Identify security threats
–  Flooding, fire, earthquake, SQL exploits, identity fraud or theft, hackers, denial of service …
•  Define other security requirements for the application
–  Corporate requirements
•  e.g. single sign-on, shared identity management system, auditing, centralized security administration, data protection …
–  Application requirements
•  e.g. enforce valid user input, ensure users only have access to what they are allowed to access, ensure authenticated users …
•  Define security coding and review standards
Consider Security by Design
Security Design Patterns
•  Defense in depth
•  Least privileged access
•  Single access point
•  Check point
•  Roles
•  Full view with errors
•  Limited view
•  Session
Web Authentication
•  Identifies a user by something he/she knows (secret) or owns (certificate)
•  Usually handled by the Java EE container accessing a configured identity store
•  Database schema authentication is not a recommended model for Java EE applications
–  Doesn't scale well
–  The web is stateless and in no way compares to desktop applications
•  The authenticated user is exposed through the security context to be accessible throughout an application
Exercise
What are the different channels that users can use to input data to our system?
Data Entry
The List of Data Entry You Cannot Trust
•  User input
•  Service interface
–  Web Service
–  SOA Service
–  PL/SQL
•  Java interface
•  Request Parameters
•  Cookies
“Love all, trust a few."
- William Shakespeare
Validate All Data Entry
•  Data Format Pattern
–  Ensures data entry matches a specific format
–  Example: social security number, credit card, license key
•  Numeric / Character
–  Ensures correct data types to be entered
•  Dependent Value
–  Compares entered data with value of a related field
–  Example: start date < end date
Find And Fix The Weakest Link
•  The best locks on your front door don't help if the windows are left wide open
•  Protect assets, not applications!
•  A tale about a failed SQL injection prevention attempt …
Protecting ADF Applications
View / Controller and Binding (ADF)
–  Responsibility: Authentication, Page Authorization, Field Authorization, Identity Propagation, Input Validation
–  How?: Container Managed Authentication, ADF Security (Page Security, Task Flow Security), J2EE Authentication, JAAS Authorization, Validators
Business Service
–  Responsibility: Business method authorization, Identity propagation, CRUD authorization, Input Validation
–  How?: JAAS, JEE authorization context, Validation rules
Database
–  Responsibility: DML authorization, Read authorization, PLSQL authorization
–  How?: VPD, Database Proxy, Sys_context
Oracle Platform Security Service (OPSS)
•  Standards-based, portable, integrated, enterprise-grade Oracle security framework for Java SE and Java EE applications
•  Provides security to Oracle Fusion Middleware including WebLogic Server, Service-Oriented Architecture (SOA) applications, Oracle WebCenter, Oracle ADF applications, and Oracle Entitlement Server
•  Designed to be portable to third-party application servers
•  Provides an abstraction layer that insulates developers from security and identity management implementation details
•  Decreases application development, administration, and maintenance costs
•  Does a better job than the security available in the Java and Java EE standards
ADF & OPSS Architecture Overview
(Diagram: an ADF application, deployed as a Java EE application on WebLogic Server, reaches OPSS through the ADF Security Context and the OPSS API (JAAS integration); OPSS performs AuthN and AuthZ against LDAP/DB servers, file-based stores and the CSF credential store.)
ADF Security
Framework Features
•  Authentication handled by the Java EE container
•  Authorization automatically enforced on
–  Bounded task flows
–  Pages in unbounded task flows
•  Views in bounded task flows are protected through task flow security
•  Fine-grain view protection in bounded task flows can be declaratively defined using nested bounded task flows
–  ADF Business Components entities and attributes
•  Authorization is based on JAAS permissions
•  Authorization policies are declaratively defined
ADF Security
Programmatic Features
•  Security Expression Language
–  #{securityContext.authenticated}
–  #{securityContext.userName}
–  #{securityContext.userInRole['roleList']}
–  #{securityContext.userInAllRoles['roleList']}
–  #{securityContext.taskflowViewable['target']}
–  #{securityContext.regionViewable['target']}
–  #{securityContext.userGrantedResource['permission']}
–  #{securityContext.userGrantedPermission['permission']}
•  Security Java API
ADF Security
Programmatic Features
•  Create custom Permissions based on the OPSS Resource Permission
–  Use for menu security, UI component security
•  Declaratively define view permissions for pages in bounded task flows
–  Authorization needs to be enforced by your program code using EL or Java
•  ADF Security Groovy access from ADF Business Components
–  Query view objects based on the authenticated user
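An added example (not code from the slides or from Oracle) of the programmatic features listed above: a managed bean that performs the same checks as the securityContext EL through the ADF SecurityContext Java API and a custom OPSS ResourcePermission, so a page can bind its "rendered" or "disabled" properties to the bean. The bean class, the resource type MenuResourceType, the action name "view" and the role name "admin" are assumptions; the resource type and its grants must exist in jazn-data.xml for the permission check to succeed.

```java
import java.security.Permission;
import oracle.adf.share.ADFContext;
import oracle.adf.share.security.SecurityContext;
import oracle.security.jps.ResourcePermission;

// Added example, not code from the slides: Java counterpart of the
// securityContext EL expressions plus a custom ResourcePermission check.
// Resource type, action and role names are assumptions.
public class PageAuthBean {

    // Assumed resource type declared in jazn-data.xml for menu entries.
    private static final String MENU_RESOURCE_TYPE = "MenuResourceType";

    private SecurityContext securityContext() {
        return ADFContext.getCurrent().getSecurityContext();
    }

    /** Same as #{securityContext.authenticated}. */
    public boolean isAuthenticated() {
        SecurityContext sc = securityContext();
        return sc != null && sc.isAuthenticated();
    }

    /** Same as #{securityContext.userName}; empty string when nobody is logged in. */
    public String getUserName() {
        SecurityContext sc = securityContext();
        String name = (sc == null) ? null : sc.getUserName();
        return (name == null) ? "" : name;
    }

    /** Same as #{securityContext.userInRole['a,b']}: true when the user holds ANY listed role. */
    public boolean isUserInRole(String roleList) {
        SecurityContext sc = securityContext();
        if (sc == null || roleList == null) return false;
        for (String role : roleList.split(",")) {
            String r = role.trim();
            if (!r.isEmpty() && sc.isUserInRole(r)) return true;
        }
        return false;
    }

    /** Same as #{securityContext.userInAllRoles['a,b']}: true only when the user holds ALL listed roles. */
    public boolean isUserInAllRoles(String roleList) {
        SecurityContext sc = securityContext();
        if (sc == null || roleList == null) return false;
        boolean checkedOne = false;
        for (String role : roleList.split(",")) {
            String r = role.trim();
            if (r.isEmpty()) continue;
            if (!sc.isUserInRole(r)) return false;
            checkedOne = true;
        }
        return checkedOne; // an empty list grants nothing
    }

    /**
     * Custom permission check for a menu entry (the "menu security" use case on
     * the slide). Denies by default: an anonymous user, a missing security
     * context or a missing entry name never gets the menu entry.
     */
    public boolean canViewMenuEntry(String menuEntryName) {
        SecurityContext sc = securityContext();
        if (sc == null || !sc.isAuthenticated() || menuEntryName == null) return false;
        Permission p = new ResourcePermission(MENU_RESOURCE_TYPE, menuEntryName, "view");
        return sc.hasPermission(p);
    }

    /** Bind to rendered="#{pageAuthBean.deleteAllowed}" on a delete button (role name assumed). */
    public boolean isDeleteAllowed() {
        return isUserInRole("admin");
    }
}
```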
OPSS and ADF Security Vocabulary
You Must Get This Right!
•  User
–  Individual user identities defined in your identity management system
•  Enterprise Roles
–  Enterprise user groups defined in your identity management system for use across application boundaries
•  Application Roles
–  ADF application-specific roles that provide an abstraction layer for enterprise user groups
–  Permissions are granted to application roles
OPSS architecture for WLS
Design-Time
(Diagram: in Oracle JDeveloper the security configuration lives in web.xml, adf-config.xml, weblogic.xml and jazn-data.xml; jazn-data.xml holds the design-time users, groups, roles and permissions, and web.xml registers the authentication servlet.)
OPSS architecture for WLS
Runtime (Production)
(Diagram: on Oracle WebLogic Server (OPSS) at runtime, system-jazn-data.xml holds the application roles and their grants, each grant naming a permission target, permission class and actions; the identity store (OID, OVD, LDAP, Active Directory) holds the enterprise users and enterprise groups, and a LoginModule authenticates against it; a credential store and an RDBMS appear as further stores.)
What You Should Know
ADF Security Authorization Best Practices
•  Grant permissions to application roles only
–  Easier to administer
–  No dependency on the identity management system
•  The security administrator should use Oracle Enterprise Manager Fusion Middleware Control to map application roles to enterprise roles (aka enterprise groups)
–  Post deployment
•  ADF applications can be configured to "override" or "merge with" existing policies
What You Should Know
ADF Security Authorization Best Practices
•  Though the framework doesn't enforce authorization on views contained in bounded task flows, it doesn't mean you can't do it
–  Create a region permission for the view in the bounded task flow
–  Enforce the permission using security EL or Java
What You Should Know
Security Deployment
•  All permissions and application roles must be copied to the master (aka "top level" or "super web") application
–  An ADF library may contain a jazn-data.xml file, which however is not enforced at runtime
–  ADF regions added through ADF libraries must have their security grants defined in the master application
•  Security permissions are automatically deployed to the WebLogic Server system-jazn-data.xml file when deploying the application EAR file
So ADF Security is “The Solution”
No, it is just a tool in ADF that you use to implement security.
Single Sign-On In Oracle ADF Architecture
(Diagram: single sign-on across a pillar architecture, contrasting "one time authentication for all pillars" with "one time authentication for all buildings"; labels: Pillar Architecture, Fine Grained, Two for One Deal, Multi-Access Channel, Pillar, Cylinder.)
Single Sign-On Best Practices
•  Implementing your own single sign-on solution for Oracle ADF applications is a proven path to failure
–  Failure to keep authenticated user session state (OTN forum reports)
–  Performance problems coded into your applications
–  Insecure token and credential sharing
•  ADF Security works well with Oracle Access Manager (OAM) for single sign-on
–  Works across FMW product boundaries including SOA, WebCenter, Oracle Forms
•  Kerberos is an alternative Windows-based SSO solution
–  Kerberos/SPNEGO and Oracle WebLogic Server
Oracle ADF Without Single Sign-On
(Diagram: adf_domain containing the secured ADF application, the WLS Authentication Provider and Oracle Internet Directory; numbered steps 1 to 4.)
Oracle ADF Single Sign-On With OAM
(Diagram: adf_domain with Oracle HTTP Server and the OAM WebGate in front of the secured ADF application, plus Oracle Internet Directory; numbered steps 1 and 2.)
Oracle ADF With Single Sign-On Using OAM
(Diagram: as above, with an additional idm_domain hosting Oracle Access Manager; steps 1 and 2.)
Oracle ADF With Single Sign-On Using OAM
(Diagram: adds the OAM session, identified by the OAM_ID cookie, on the Oracle Access Manager side; steps 1 and 2.)
Oracle ADF With Single Sign-On Using OAM
(Diagram: adds the OAMAuthnCookie at the OAM WebGate; steps 1 to 3.)
Exercise
Ok, ADF Security is on my list. What else?
ADF Business Components
•  Define ADF Security permissions for entities and entity attributes
–  Permissions are enforced by the ADF framework
–  In addition, hide controls like delete buttons using security EL if a user is not allowed to delete an entity
•  Avoid dynamically built SQL statements, and use view objects and view criteria with named bind variables
•  Validate input variables on the view object before issuing executeQuery
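An added example (not code from the slides or from Oracle) of the last two points in an application module: the dynamic WHERE clause the slide tells you to avoid, beside the bind-variable form with the input checked before executeQuery. The view object instance EmployeesView1, the view criteria ByDepartmentVC, the bind variable bindDeptId and the column DEPARTMENT_ID are assumptions.

```java
import oracle.jbo.JboException;
import oracle.jbo.ViewObject;
import oracle.jbo.server.ApplicationModuleImpl;

// Added example, not code from the slides: custom application module methods
// that look up employees by department. All names below are assumptions.
public class HRServiceAMImpl extends ApplicationModuleImpl {

    private static final String EMP_VO = "EmployeesView1";     // assumed VO instance name
    private static final String BY_DEPT_VC = "ByDepartmentVC"; // assumed view criteria using :bindDeptId
    private static final String BIND_DEPT_ID = "bindDeptId";   // assumed named bind variable on the VO

    /**
     * What the slides tell you to avoid: the request parameter is spliced into
     * the SQL text, so whatever the caller sends becomes part of the query.
     */
    public void findByDepartmentUnsafe(String deptInput) {
        ViewObject vo = findViewObject(EMP_VO);
        vo.setWhereClause("DEPARTMENT_ID = " + deptInput);
        vo.executeQuery();
    }

    /**
     * Recommended form: validate the input, then hand it to a named bind
     * variable referenced by a declaratively defined view criteria. The value
     * travels to the database as a bind parameter and never alters the SQL text.
     */
    public long findByDepartment(String deptInput) {
        int deptId = parseDepartmentId(deptInput);
        ViewObject vo = findViewObject(EMP_VO);
        vo.applyViewCriteria(vo.getViewCriteria(BY_DEPT_VC));
        vo.setNamedWhereClauseParam(BIND_DEPT_ID, Integer.valueOf(deptId));
        vo.executeQuery();
        return vo.getEstimatedRowCount();
    }

    /**
     * Numeric check from the "Validate All Data Entry" slide: only a short run
     * of digits is accepted; anything else is rejected before any query runs.
     */
    static int parseDepartmentId(String input) {
        if (input == null || !input.matches("\\d{1,6}")) {
            throw new JboException("Department id must be a number of at most 6 digits");
        }
        return Integer.parseInt(input);
    }
}
```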
ADF Controller
•  Navigate using control flows and avoid navigation through redirects
•  Configure exception handler activities in all bounded task flows
•  Protect task flow access using ADF Security
–  The framework enforces user authorization
–  In addition, hide navigation UI controls using security EL if a user is not allowed to access a task flow
•  Ensure task flows that use JSF documents are not accessible from browsers
–  Enforce a single point of access for your application
ADF Binding Layer
•  Use the "viewable" property on bindings to check user permission using security EL
–  If viewable evaluates to false, the associated UI component will render read-only
•  Configure a custom error handler in DataBindings.cpx to control the information displayed to users
–  Distinguish between authorized personnel and users when displaying and logging error messages
ADF View
•  Hide all UI components users are not supposed to see or use
–  Use Security EL on the "rendered" property
•  Look for ways to simplify security configuration by grouping protected components
What about the "display" property?
Input Validation
•  ADF View
–  Validator / Converter
•  Components
•  Managed bean
–  Value change event handlers
–  Client side scripts
•  ADF Binding
–  Binding element validator
Input Validation
•  ADF Business Components
–  Entity validation
•  Cross-attribute validation like dependent field validation
–  Entity attribute validation
•  Validates individual attribute values
–  Transaction Level
•  Entity setting to defer validation to before commit
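An added example (not code from the slides or from Oracle) that implements the three validation kinds of the "Validate All Data Entry" slide as ADF Business Components method validators on one entity: attribute-level format and numeric checks, and an entity-level dependent-value check (start date before end date). The Employee entity, its attributes Ssn, Salary, StartDate and EndDate, the SSN format and the registration of the methods as validators in the entity definition are assumptions.

```java
import java.util.regex.Pattern;
import oracle.jbo.domain.Date;
import oracle.jbo.domain.Number;
import oracle.jbo.server.EntityImpl;

// Added example, not code from the slides: method validators on an entity.
// Entity name, attribute names and the validator registration are assumptions.
public class EmployeeImpl extends EntityImpl {

    // "Data Format Pattern": matches() anchors the whole value, so leading,
    // trailing or embedded junk around a valid-looking number is rejected.
    private static final Pattern SSN = Pattern.compile("\\d{3}-\\d{2}-\\d{4}");

    /** Attribute-level method validator registered for Ssn (assumed). */
    public boolean validateSsn(String value) {
        // Whether the attribute is mandatory is its own setting; null is not a format error here.
        if (value == null) return true;
        return SSN.matcher(value).matches();
    }

    /** Attribute-level method validator registered for Salary (assumed): "Numeric" range check. */
    public boolean validateSalary(Number value) {
        if (value == null) return true;
        double salary = value.doubleValue();
        return salary >= 0 && salary <= 1000000;
    }

    /**
     * Entity-level method validator (assumed registration): "Dependent Value"
     * rule, start date strictly before end date. Entity-level validators run
     * once all attributes are set, so both values are visible here.
     */
    public boolean validateDateRange() {
        Date start = (Date) getAttribute("StartDate");
        Date end = (Date) getAttribute("EndDate");
        if (start == null || end == null) return true; // open-ended assignment is allowed
        return start.dateValue().before(end.dateValue());
    }
}
```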
Exercise
You there – tall guy, blue shirt, sitting in the back. What else?
Think Out Of The Box!
Some Ideas
•  Servlet filter
•  Phase listeners
•  Component validators
•  Bind variables
•  Custom Resource Permissions & Security EL or Java
•  Move page documents into /public_html/WEB-INF
•  Managed beans, View- and EntityImpl
•  MDS customization classes
•  RDBMS security (label security, triggers ...)
Conclusion
•  Become aware of what your business is afraid of and what you want to protect within your application
•  Security must be implemented on all application layers
•  Permissions should be granted to roles and never to users directly
•  ADF Security is a tool that makes it easier to enforce authentication and authorization in ADF applications. However, it is not all you need.
•  Application security requires you to be creative and think out of the box. Not all tools you can use for security have the name "security" in them
Further Reading
•  Security for Everyone – Oracle Magazine article
–  http://www.oracle.com/technetwork/issue-archive/2012/12-jan/o12adf-1364748.html
•  ADF Security documentation
–  Oracle JDeveloper and ADF Documentation Library
–  Fusion Developer Guide
•  "Enabling ADF Security in a Fusion Web Application"
•  ADF Insider Recordings
–  ADF Security overview
•  http://download.oracle.com/otn_hosted_doc/jdeveloper/11gdemos/AdfSecurity/AdfSecurity.html
–  Security Deployment
•  http://download.oracle.com/otn_hosted_doc/jdeveloper/11gdemos/adf_security1/adf_security1.html
•  http://download.oracle.com/otn_hosted_doc/jdeveloper/11gdemos/adf_security2/adf_security2.html
–  Single Sign-on
•  http://download.oracle.com/otn_hosted_doc/jdeveloper/11gdemos/adf_oam_integration/adf_oam_integration.html
63 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

More Related Content

PDF
Oracle ADF Architecture TV - Development - Programming Best Practices
PDF
Oracle ADF Architecture TV - Design - Application Customization and MDS
PDF
Oracle ADF Architecture TV - Design - Architecting for PLSQL Integration
PDF
Oracle ADF Architecture TV - Design - ADF Service Architectures
PDF
Oracle ADF Architecture TV - Design - Service Integration Architectures
PDF
Oracle ADF Architecture TV - Deployment - Deployment Options
PDF
Oracle ADF Architecture TV - Design - ADF Architectural Patterns
PDF
Oracle ADF Architecture TV - Development - Performance & Tuning
Oracle ADF Architecture TV - Development - Programming Best Practices
Oracle ADF Architecture TV - Design - Application Customization and MDS
Oracle ADF Architecture TV - Design - Architecting for PLSQL Integration
Oracle ADF Architecture TV - Design - ADF Service Architectures
Oracle ADF Architecture TV - Design - Service Integration Architectures
Oracle ADF Architecture TV - Deployment - Deployment Options
Oracle ADF Architecture TV - Design - ADF Architectural Patterns
Oracle ADF Architecture TV - Development - Performance & Tuning

What's hot (20)

PDF
Oracle ADF Architecture TV - Development - Logging
PDF
Oracle ADF Architecture TV - Development - Naming Conventions & Project Layouts
PDF
Oracle ADF Architecture TV - Design - Project Dependencies
PDF
Oracle ADF Architecture TV - Design - Usability and Layout Design
PDF
Oracle ADF Architecture TV - Design - Designing for Internationalization
PDF
Oracle ADF Architecture TV - Design - Task Flow Navigation Options
PDF
Oracle ADF Architecture TV - Design - ADF Reusable Artifacts
PDF
Oracle ADF Architecture TV - Development - Error Handling
PDF
Oracle ADF Architecture TV - Design - Architecting for ADF Mobile Integration
PDF
Oracle ADF Architecture TV - Deployment - Build Options
PDF
Oracle ADF Architecture TV - Design - ADF BC Application Module Design
PDF
Oracle ADF Architecture TV - Development - Version Control
PDF
Oracle ADF Architecture TV - Planning & Getting Started - Team, Skills and D...
PPTX
CRUX (CRUD meets UX) Case Study: Building a Modern Applications User Experien...
PPTX
Mobile Mumbo Jumbo - Demystifying the World of Enterprise Mobility with Oracle
PPTX
Let's Talk Mobile
PDF
Oracle ADF Architecture TV - Deployment - System Topologies
PDF
Oracle ADF Architecture TV - Design - MDS Infrastructure Decisions
PDF
Oracle ADF Architecture TV - Design - Task Flow Overview
PDF
Oracle ADF Architecture TV - Design - Task Flow Data Control Scope Options
Oracle ADF Architecture TV - Development - Logging
Oracle ADF Architecture TV - Development - Naming Conventions & Project Layouts
Oracle ADF Architecture TV - Design - Project Dependencies
Oracle ADF Architecture TV - Design - Usability and Layout Design
Oracle ADF Architecture TV - Design - Designing for Internationalization
Oracle ADF Architecture TV - Design - Task Flow Navigation Options
Oracle ADF Architecture TV - Design - ADF Reusable Artifacts
Oracle ADF Architecture TV - Development - Error Handling
Oracle ADF Architecture TV - Design - Architecting for ADF Mobile Integration
Oracle ADF Architecture TV - Deployment - Build Options
Oracle ADF Architecture TV - Design - ADF BC Application Module Design
Oracle ADF Architecture TV - Development - Version Control
Oracle ADF Architecture TV - Planning & Getting Started - Team, Skills and D...
CRUX (CRUD meets UX) Case Study: Building a Modern Applications User Experien...
Mobile Mumbo Jumbo - Demystifying the World of Enterprise Mobility with Oracle
Let's Talk Mobile
Oracle ADF Architecture TV - Deployment - System Topologies
Oracle ADF Architecture TV - Design - MDS Infrastructure Decisions
Oracle ADF Architecture TV - Design - Task Flow Overview
Oracle ADF Architecture TV - Design - Task Flow Data Control Scope Options
Ad

Similar to Oracle ADF Architecture TV - Design - Designing for Security (20)

PPT
Developing Secure Applications and Defending Against Common Attacks
PDF
Secure coding presentation Oct 3 2020
PPTX
OWASP Top Ten 2017
PPTX
OWASP Top 10 2021 What's New
PPTX
Owasp Top 10 2017
PDF
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
PPT
Application Security
PPTX
Secure Software Engineering
PPT
Security Design Principles.ppt
PDF
OWASP Top 10
PPTX
Owasp top 10 2017
PDF
Ab cs of software security
PPTX
How to Test for The OWASP Top Ten
PPT
Survey Presentation About Application Security
PPTX
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
PDF
PDF
OWASP Top 10 Project
PDF
Application Security - Your Success Depends on it
PPTX
Oracle ِApplication Development Framework (ADF)
PPTX
Security Design Principles for developing secure application .pptx
Developing Secure Applications and Defending Against Common Attacks
Secure coding presentation Oct 3 2020
OWASP Top Ten 2017
OWASP Top 10 2021 What's New
Owasp Top 10 2017
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
Application Security
Secure Software Engineering
Security Design Principles.ppt
OWASP Top 10
Owasp top 10 2017
Ab cs of software security
How to Test for The OWASP Top Ten
Survey Presentation About Application Security
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
OWASP Top 10 Project
Application Security - Your Success Depends on it
Oracle ِApplication Development Framework (ADF)
Security Design Principles for developing secure application .pptx
Ad

Recently uploaded (20)

PDF
KodekX | Application Modernization Development
PDF
Unlocking AI with Model Context Protocol (MCP)
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
PDF
Encapsulation theory and applications.pdf
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
PPTX
MYSQL Presentation for SQL database connectivity
PDF
Network Security Unit 5.pdf for BCA BBA.
PPTX
A Presentation on Artificial Intelligence
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
PDF
Modernizing your data center with Dell and AMD
PDF
Empathic Computing: Creating Shared Understanding
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
PDF
Spectral efficient network and resource selection model in 5G networks
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
PDF
NewMind AI Weekly Chronicles - August'25 Week I
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
KodekX | Application Modernization Development
Unlocking AI with Model Context Protocol (MCP)
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
Encapsulation theory and applications.pdf
Per capita expenditure prediction using model stacking based on satellite ima...
MYSQL Presentation for SQL database connectivity
Network Security Unit 5.pdf for BCA BBA.
A Presentation on Artificial Intelligence
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
CIFDAQ's Market Insight: SEC Turns Pro Crypto
Modernizing your data center with Dell and AMD
Empathic Computing: Creating Shared Understanding
Reach Out and Touch Someone: Haptics and Empathic Computing
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Spectral efficient network and resource selection model in 5G networks
Building Integrated photovoltaic BIPV_UPV.pdf
NewMind AI Weekly Chronicles - August'25 Week I
Dropbox Q2 2025 Financial Results & Investor Presentation
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...

Oracle ADF Architecture TV - Design - Designing for Security

  • 8. Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
    OWASP Top Ten List of Security Vulnerabilities
    •  SQL Injection
    –  Free input text or URL parameter values an application passes to the database unfiltered
    •  Broken authentication and session management
    –  Predictable tokens that identify a user session or privilege (license key)
    •  Cross-Site Scripting (XSS)
    –  User input of custom JavaScript that executes in the context of a web application
    Image: jscreationzs/ FreeDigitalPhotos.net
  • 9. OWASP Top Ten List of Security Vulnerabilities
    •  Insecure direct object references
    –  e.g. file references to user-specific reports. If file names can be predicted, then anyone can download the file and see its content.
    •  Cross-Site Request Forgery (CSRF)
    –  Cookie information or hidden field information that is used by applications to identify a user session
    –  Sites that intercept or redirect a request (phishing) can make use of this information, replaying the initial request
    Image: jscreationzs/ FreeDigitalPhotos.net
  • 10. OWASP Top Ten List of Security Vulnerabilities
    •  Security misconfiguration
    –  Configuration settings that weaken security enforcement
    –  Risk area: moving applications from development to production
    •  Insecure cryptographic storage
    –  Sensitive data that is saved in the user session, on the server or on the local client with weak encryption or not encrypted at all
    •  Failure to restrict URL access
    –  Direct URL access to resources may bypass authorization and break business logic
    Image: jscreationzs/ FreeDigitalPhotos.net
  • 11. OWASP Top Ten List of Security Vulnerabilities
    •  Failed transport layer protection
    –  Failing to ensure that messages are not changed in transit and that the server a message is sent to is indeed the server that should receive the request
    •  Unvalidated redirects and forwards
    –  Tampered redirect information added to return URL parameters
    Image: jscreationzs/ FreeDigitalPhotos.net
  • 12. What is the best protection against all of these?
    Image: imagerymajestic/ FreeDigitalPhotos.net
  • 13. What is the best protection against all of these?
    Education, security standards, code writing and review guidelines
    Image: Ambro + imagerymajestic/ FreeDigitalPhotos.net
  • 14. “We believe that […] programmers want to write good software. They surely don’t set out with the intention of putting security flaws in their code. Furthermore, because it’s possible for a program to satisfy a stringent functional specification and nevertheless bring a vulnerability to life, many (if not most) such flaws have been coded up by people who do their best and are satisfied with (even rewarded for) the result.”
    Secure Coding: Principles and Practices, Mark G. Graff; Kenneth R. van Wyk
  • 15. Security Dependencies
    •  Performance Impact
    –  Fine grain security checks
    –  HTTPS overhead
    –  Message encryption
    •  Usability
    –  Periodic re-authentication
    –  Complex password rules
    –  Frequent password renewals
    –  Access restrictions
    •  Business hours
    •  Point of access
    Diagram labels: Max. Performance, Max. Usability, Max. Security
  • 16. Program Agenda •  Application Security Risks •  Security Principles & Patterns •  Handling Data Entry •  ADF Security •  Single Sign-On •  Securing ADF Applications
  • 17. Security Principles: Security By Design
    •  Identify security threats
    –  Flooding, fire, earthquake, SQL exploits, identity fraud or theft, hackers, denial of service …
    •  Define other security requirements for the application
    –  Corporate requirements
    •  e.g. single sign-on, shared identity management system, auditing, centralized security administration, data protection …
    –  Application requirements
    •  e.g. enforce valid user input, ensure users only have access to what they are allowed to access, ensure authenticated users …
    •  Define security coding and review standards
  • 18. Consider Security by Design
  • 19. Security Design Patterns
    •  Defense in depth
    •  Least privileged access
    •  Single access point
    •  Check point
    •  Roles
    •  Full view with errors
    •  Limited view
    •  Session
  • 20. Web Authentication
    •  Identifies a user by something he/she knows (secret) or owns (certificate)
    •  Usually handled by the Java EE container accessing a configured identity store
    •  Database schema authentication is not a recommended model for Java EE applications
    –  Doesn't scale well
    –  The web is stateless and in no way compares to desktop applications
    •  The authenticated user is exposed through the security context so that it is accessible throughout an application
  • 21. Program Agenda •  Application Security Risks •  Security Principles & Patterns •  Handling Data Entry •  ADF Security •  Single Sign-On •  Securing ADF Applications
  • 22. Exercise: What are the different channels that users can use to input data to our system?
    Image: imagerymajestic/ FreeDigitalPhotos.net
  • 23. Data Entry: The List of Data Entry You Cannot Trust
    •  User input
    •  Service interface
    –  Web Service
    –  SOA Service
    –  PL/SQL
    •  Java interface
    •  Request parameters
    •  Cookies
  • 24. “Love all, trust a few.” - William Shakespeare
  • 25. Validate All Data Entry
    •  Data Format Pattern
    –  Ensures data entry matches a specific format
    –  Example: social security number, credit card, license key
    •  Numeric / Character
    –  Ensures that values of the correct data type are entered
    •  Dependent Value
    –  Compares entered data with the value of a related field
    –  Example: start date < end date
  • 26. Find And Fix The Weakest Link
    •  The best locks on your front door don't help if the windows are left wide open
    •  Protect assets, not applications!
    •  A tale about a failed SQL injection prevention attempt …
  • 27. Program Agenda •  Application Security Risks •  Security Principles & Patterns •  Handling Data Entry •  ADF Security •  Single Sign-On •  Securing ADF Applications
  • 28. Protecting ADF Applications (layer, responsibility, how)
    •  View / Controller
    –  Responsibility: Authentication, Page Authorization, Field Authorization, Identity Propagation, Input Validation
    –  How: Container Managed Authentication, Validators
    •  Binding (ADF)
    –  Responsibility: Page Security, Task Flow Security
    –  How: J2EE Authentication, JAAS Authorization, Validators
    •  Business Service
    –  Responsibility: Business method authorization, Identity propagation, CRUD authorization, Input Validation
    –  How: JAAS, JEE authorization context, Validation rules
    •  Database
    –  Responsibility: DML authorization, Read authorization, PL/SQL authorization
    –  How: VPD, Database Proxy, Sys_context
  • 29. Oracle Platform Security Service (OPSS)
    •  Standards-based, portable, integrated, enterprise-grade Oracle security framework for Java SE and Java EE applications
    •  Provides security to Oracle Fusion Middleware including WebLogic Server, Service Oriented Architecture (SOA) applications, Oracle WebCenter, Oracle ADF applications, and Oracle Entitlement Server
    •  Designed to be portable to third-party application servers
    •  Provides an abstraction layer that insulates developers from security and identity management implementation details
    •  Decreases application development, administration, and maintenance costs
    •  Does a better job than the security available in the Java and Java EE standards
  • 30. ADF & OPSS Architecture Overview
    Diagram labels: LDAP/DB Servers, AuthN, AuthZ, WebLogic Server, ADF Application, CSF, File Based, OPSS API (JAAS Integration), ADF Security Context, Java EE Application Deployment
  • 31. ADF Security: Framework Features
    •  Authentication handled by the Java EE container
    •  Authorization automatically enforced on
    –  Bounded task flows
    –  Pages in unbounded task flows
    •  Views in bounded task flows are protected through task flow security
    •  Fine grain view protection in bounded task flows can be declaratively defined using nested bounded task flows
    –  ADF Business Components entities and attributes
    •  Authorization is based on JAAS permissions
    •  Authorization policies are declaratively defined
  • 32. ADF Security: Programmatic Features
    •  Security Expression Language
    –  #{securityContext.authenticated}
    –  #{securityContext.userName}
    –  #{securityContext.userInRole['roleList']}
    –  #{securityContext.userInAllRoles['roleList']}
    –  #{securityContext.taskflowViewable['target']}
    –  #{securityContext.regionViewable['target']}
    –  #{securityContext.userGrantedResource['permission']}
    –  #{securityContext.userGrantedPermission['permission']}
    •  Security Java API
  • 33. ADF Security: Programmatic Features
    •  Create custom permissions based on the OPSS Resource Permission
    –  Use for menu security, UI component security
    •  Declaratively define view permissions for pages in bounded task flows
    –  Authorization needs to be enforced by your program code using EL or Java
    •  ADF Security Groovy access from ADF Business Components
    –  Query view objects based on the authenticated user
  • 34. OPSS and ADF Security Vocabulary: You Must Get This Right!
    •  User
    –  Individual user identities defined in your identity management system
    •  Enterprise Roles
    –  Enterprise user groups defined in your identity management system for use across application boundaries
    •  Application Roles
    –  ADF application specific roles that provide an abstraction layer for enterprise user groups
    –  Permissions are granted to application roles
  • 35. OPSS architecture for WLS: Design-Time
    Diagram labels: Oracle JDeveloper - Designtime, web.xml, adf-config.xml, jazn-data.xml, weblogic.xml, Users, Groups, Roles, Permissions, Authentication servlet
  • 36. OPSS architecture for WLS: Runtime (Production)
    Diagram labels: Oracle WebLogic Server (OPSS) - Runtime, Users, Enterprise Roles, Application Roles, system-jazn-data.xml, Grants (Permission Target, Permission class, Actions), Identity Store (OID, OVD, LDAP, Active Directory, Enterprise Groups, Enterprise Users), Credential Store, RDBMS, LoginModule
  • 37. What You Should Know: ADF Security Authorization Best Practices
    •  Grant permissions to application roles only
    –  Easier to administer
    –  No dependency on the identity management system
    •  The security administrator should use Oracle Enterprise Manager Fusion Middleware Control to map application roles to enterprise roles (aka enterprise groups)
    –  Post deployment
    •  ADF applications can be configured to "override" or "merge with" existing policies
  • 38. What You Should Know: ADF Security Authorization Best Practices
    •  Though the framework doesn't enforce authorization on views contained in bounded task flows, it doesn't mean you can't do it
    –  Create a region permission for the view in the bounded task flow
    –  Enforce the permission using security EL or Java
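Slides 33 and 38 say that custom resource permissions and region permissions for views inside bounded task flows must be enforced by your own code. The following managed bean is an added example (not code from the slides or from Oracle); the resource type `UIComponentResourceType`, the resource names, the page definition name and the bean name are assumptions, and the grants themselves would be defined in jazn-data.xml.

```java
import java.security.Permission;

import oracle.adf.share.ADFContext;
import oracle.adf.share.security.SecurityContext;
import oracle.adf.share.security.authorization.RegionPermission;
import oracle.security.jps.ResourcePermission;

/**
 * Added example. Request-scoped managed bean whose boolean properties back
 * the "rendered" or "disabled" attributes of UI components, so the same
 * permission decision is reachable from EL and from Java.
 * Assumed: a custom resource type "UIComponentResourceType" declared in
 * jazn-data.xml, with grants to application roles (never to users directly).
 */
public class UiPermissionBean {

    // Assumed name of the custom resource type registered in jazn-data.xml
    private static final String RESOURCE_TYPE = "UIComponentResourceType";

    /** Is the current user granted the given action on the named resource? */
    public boolean isGranted(String resourceName, String action) {
        SecurityContext sc = ADFContext.getCurrent().getSecurityContext();
        // Anonymous users are denied before any policy lookup takes place
        if (!sc.isAuthenticated()) {
            return false;
        }
        Permission p = new ResourcePermission(RESOURCE_TYPE, resourceName, action);
        // OPSS resolves the grant through the application roles the user holds
        return sc.hasPermission(p);
    }

    /**
     * Slide 38: a region permission for a view in a bounded task flow.
     * The name is the fully qualified page definition (assumed here) and the
     * action is "view", matching what #{securityContext.regionViewable[...]}
     * evaluates in EL.
     */
    public boolean isSalaryRegionViewable() {
        SecurityContext sc = ADFContext.getCurrent().getSecurityContext();
        if (!sc.isAuthenticated()) {
            return false;
        }
        Permission p = new RegionPermission("view.pageDefs.SalaryPageDef", "view");
        return sc.hasPermission(p);
    }

    /** Backs rendered="#{uiPermissionBean.salaryColumnVisible}" (assumed bean name). */
    public boolean isSalaryColumnVisible() {
        return isGranted("EmployeeSalaryColumn", "view");
    }

    /** Backs disabled="#{!uiPermissionBean.deleteEmployeeAllowed}" (assumed bean name). */
    public boolean isDeleteEmployeeAllowed() {
        // Hiding the button is UI hygiene only; the entity-level delete
        // permission (slide 52) still has to exist, or the check is bypassable
        // through any other channel that reaches the business service.
        return isGranted("EmployeeDeleteButton", "invoke");
    }
}
```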
  • 39. What You Should Know: Security Deployment
    •  All permissions and application roles must be copied to the master (aka "top level" or "super web") application
    –  An ADF library may contain a jazn-data.xml file, which however is not enforced at runtime
    –  ADF regions added through ADF libraries must have their security grants defined in the master application
    •  Security permissions are automatically deployed to the WebLogic Server system-jazn-data.xml file when deploying the application EAR file
  • 40. So ADF Security is “The Solution”
    Image: imagerymajestic/ FreeDigitalPhotos.net
  • 41. So ADF Security is “The Solution”
    No, it is just a tool in ADF that you use to implement security.
    Image: Ambro + imagerymajestic/ FreeDigitalPhotos.net
  • 42. Program Agenda •  Application Security Risks •  Security Principles & Patterns •  Handling Data Entry •  ADF Security •  Single Sign-On •  Securing ADF Applications
  • 43. Single Sign-On In Oracle ADF Architecture
    Diagram labels: Pillar Architecture, Fine Grained, Two for One Deal, Multi-Access Channel, Pillar, Cylinder, One time authentication for all buildings, One time authentication for all pillars
  • 44. Single Sign-On Best Practices
    •  Implementing your own single sign-on solution for Oracle ADF applications is a proven path to failure
    –  Failure to keep authenticated user session state (OTN forum reports)
    –  Performance problems coded into your applications
    –  Insecure token and credential sharing
    •  ADF Security works well with Oracle Access Manager (OAM) for single sign-on
    –  Works across FMW product boundaries including SOA, WebCenter, Oracle Forms
    •  Kerberos is an alternative Windows based SSO solution
    –  Kerberos/SPNEGO and Oracle WebLogic Server
  • 45. Oracle ADF Without Single Sign-On
    Diagram labels: adf_domain, Secured ADF Application, Oracle Internet Directory, WLS Authentication Provider, steps 1 to 4
  • 46. Oracle ADF Single Sign-On With OAM
    Diagram labels: adf_domain, Oracle HTTP Server, OAM Web Gate, Secured ADF Application, Oracle Internet Directory, steps 1 to 2
  • 47. Oracle ADF With Single Sign-On Using OAM
    Diagram labels: adf_domain, idm_domain, Oracle HTTP Server, OAM Web Gate, Secured ADF Application, Oracle Internet Directory, Oracle Access Manager, steps 1 to 2
  • 48. Oracle ADF With Single Sign-On Using OAM
    Diagram labels: adf_domain, idm_domain, Oracle HTTP Server, OAM Web Gate, Secured ADF Application, Oracle Access Manager, OAM Session, OAM_ID, Oracle Internet Directory, steps 1 to 2
  • 49. Oracle ADF With Single Sign-On Using OAM
    Diagram labels: adf_domain, idm_domain, Oracle HTTP Server, OAM Web Gate, OAMAuthnCookie, Secured ADF Application, Oracle Access Manager, OAM Session, OAM_ID, Oracle Internet Directory, steps 1 to 3
  • 50. Program Agenda •  Application Security Risks •  Security Principles & Patterns •  Handling Data Entry •  ADF Security •  Single Sign-On •  Securing ADF Applications
  • 51. Exercise: Ok, ADF Security is on my list. What else?
    Image: imagerymajestic/ FreeDigitalPhotos.net
  • 52. ADF Business Components
    •  Define ADF Security permissions for entities and entity attributes
    –  Permissions are enforced by the ADF framework
    –  In addition, hide controls like delete buttons using security EL if a user is not allowed to delete an entity
    •  Avoid dynamically built SQL statements; use view objects and view criteria with named bind variables
    •  Validate input variables on the view object before issuing executeQuery
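Slide 52 asks for named bind variables instead of dynamically built SQL, and for input validation before executeQuery; slide 25's Data Format Pattern is the kind of check meant. The application module below is an added example (not code from the slides or from Oracle) showing the dynamic-SQL version beside the bound, validated version; it assumes a view object instance `EmployeesView1` whose definition declares a bind variable `bindEmail` and a view criteria `EmployeesByEmailVC` (EMAIL = :bindEmail).

```java
import java.util.regex.Pattern;

import oracle.jbo.JboException;
import oracle.jbo.ViewCriteria;
import oracle.jbo.ViewObject;
import oracle.jbo.server.ApplicationModuleImpl;

/**
 * Added example. Custom application module with a method that queries
 * employees by e-mail address. Assumed names: view object instance
 * "EmployeesView1", bind variable "bindEmail" and view criteria
 * "EmployeesByEmailVC", all declared in the view object definition.
 */
public class HrServiceAMImpl extends ApplicationModuleImpl {

    // Data Format Pattern (slide 25): what this application accepts as an e-mail
    private static final Pattern EMAIL_PATTERN =
        Pattern.compile("^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}$");
    private static final int EMAIL_MAX_LENGTH = 100;

    /**
     * What slide 52 warns against: the caller's value becomes part of the SQL
     * text, so the database cannot distinguish data from statement. Any quote
     * or SQL keyword in the input changes the meaning of the query.
     */
    public void findByEmailDynamicSql(String email) {
        ViewObject vo = findViewObject("EmployeesView1");
        vo.setWhereClause("EMAIL = '" + email + "'");
        vo.executeQuery();
    }

    /**
     * Recommended form: validate the input first, then pass it to the
     * database as a bound value through a named bind variable. The SQL text
     * is fixed in the view criteria and never contains the user's value.
     */
    public void findByEmail(String email) {
        validateEmail(email);
        ViewObject vo = findViewObject("EmployeesView1");
        ViewCriteria vc = vo.getViewCriteriaManager().getViewCriteria("EmployeesByEmailVC");
        vo.applyViewCriteria(vc);
        vo.setNamedWhereClauseParam("bindEmail", email);
        vo.executeQuery();
    }

    /**
     * Validation before executeQuery. A JboException is reported by the ADF
     * binding layer as a faces message, so no stack trace reaches the user.
     */
    static void validateEmail(String email) {
        if (email == null || email.trim().isEmpty()) {
            throw new JboException("E-mail address is required");
        }
        if (email.length() > EMAIL_MAX_LENGTH) {
            throw new JboException("E-mail address exceeds " + EMAIL_MAX_LENGTH + " characters");
        }
        if (!EMAIL_PATTERN.matcher(email).matches()) {
            throw new JboException("E-mail address has an invalid format");
        }
    }
}
```

The same method exposed through the application module's client interface is also reachable from the binding layer and from a web service, so the validation lives in the business service rather than only in a page validator (slide 26: protect assets, not applications).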
  • 53. ADF Controller
    •  Navigate using control flows and avoid navigation through redirects
    •  Configure exception handler activities in all bounded task flows
    •  Protect task flow access using ADF Security
    –  The framework enforces user authorization
    –  In addition, hide navigation UI controls using security EL if a user is not allowed to access a task flow
    •  Ensure task flows that use JSF documents are not accessible from browsers
    –  Enforce a single point of access for your application
  • 54. ADF Binding Layer
    •  Use the "viewable" property on bindings to check user permissions using security EL
    –  If viewable evaluates to false, the associated UI component renders read-only
    •  Configure a custom error handler in DataBindings.cpx to control the information displayed to users
    –  Distinguish between authorized personnel and users when displaying and logging error messages
  • 55. ADF View
    •  Hide all UI components users are not supposed to see or use
    –  Use security EL on the "rendered" property
    •  Look for ways to simplify security configuration by grouping protected components
    What about the "display" property?
    Image: imagerymajestic/ FreeDigitalPhotos.net
  • 56. Input Validation
    •  ADF View
    –  Validator / Converter
    •  Components
    •  Managed bean
    –  Value change event handlers
    –  Client side scripts
    •  ADF Binding
    –  Binding element validator
  • 57. Input Validation
    •  ADF Business Components
    –  Entity validation
    •  Cross-attribute validation such as dependent field validation
    –  Entity attribute validation
    •  Validates individual attribute values
    –  Transaction level
    •  Entity setting to defer validation until before commit
  • 58. Exercise: You there – tall guy, blue shirt, sitting in the back. What else?
    Image: imagerymajestic/ FreeDigitalPhotos.net
  • 59. Think Out Of The Box!
  • 60. Some Ideas
    •  Servlet filter
    •  Phase listeners
    •  Component validators
    •  Bind variables
    •  Custom Resource Permissions & Security EL or Java
    •  Move page documents into /public_html/WEB-INF
    •  Managed beans, View- and EntityImpl
    •  MDS customization classes
    •  RDBMS security (label security, triggers ...)
  • 61. Conclusion
    •  Become aware of what your business is afraid of and what you want to protect within your application
    •  Security must be implemented on all application layers
    •  Permissions should be granted to roles and never to users directly
    •  ADF Security is a tool that makes it easier to enforce authentication and authorization in ADF applications. However, it is not all you need.
    •  Application security requires you to be creative and think out of the box. Not all tools you can use for security have the name "security" in them
  • 62. Further Reading
    •  Security for Everyone – Oracle Magazine article
    –  http://www.oracle.com/technetwork/issue-archive/2012/12-jan/o12adf-1364748.html
    •  ADF Security documentation
    –  Oracle JDeveloper and ADF Documentation Library
    –  Fusion Developer Guide
    •  "Enabling ADF Security in a Fusion Web Application"
    •  ADF Insider Recordings
    –  ADF Security overview
    •  http://download.oracle.com/otn_hosted_doc/jdeveloper/11gdemos/AdfSecurity/AdfSecurity.html
    –  Security Deployment
    •  http://download.oracle.com/otn_hosted_doc/jdeveloper/11gdemos/adf_security1/adf_security1.html
    •  http://download.oracle.com/otn_hosted_doc/jdeveloper/11gdemos/adf_security2/adf_security2.html
    –  Single Sign-on
    •  http://download.oracle.com/otn_hosted_doc/jdeveloper/11gdemos/adf_oam_integration/adf_oam_integration.html