
Making the Model Secure

Learn how to implement secure authentication and authorization using the Java Authentication and Authorization Service (JAAS) in web applications. Understand the goals and overview of the J2EE security architecture and learn to use ADF Model Security design-time features. Practice setting up single sign-on authentication, creating users and roles, adding authorizations, and testing the implemented security scheme.


Presentation Transcript


  1. Making the Model Secure

  2. Objectives
  After completing this lesson, you should be able to do the following:
  • Define the Java Authentication and Authorization Service (JAAS)
  • Define security issues with respect to Web applications
  • Use ADF Model Security design-time features
  • Use the ADF Business Components Browser to test your security model

  3. Goals of J2EE Security Architecture
  • To decouple security logic from application logic
  • To maintain platform and vendor independence
  • To ensure fine-grained access control to resources
  • To enable portable and secure Web applications

  4. Overview of J2EE Security Architecture
  Use JAAS APIs to:
  • Authenticate a client to access the system: determine who the user is, and whether they can prove it.
  • Authorize clients to access resources: determine the roles of the authenticated user, and which actions a user in those roles may perform.
  [Diagram: User → Authentication → Authorization → Read/Write → Application]

  5. Java Authentication and Authorization Service
  JAAS is a framework that:
  • Provides a Java API package that lets applications authenticate users and enforce access control
  • Allows definition of logical security names (principals) that are mapped to users or roles defined in the run-time environment
  • Allows fine-grained authorization to manage how clients can access resources
  A JAAS provider implements the JAAS framework and applies the Java 2 security model, in which access is granted by permissions checked against a policy.

  6. Java Authentication and Authorization Service
  JAAS supports the following authentication, authorization, and user community (realm) features:
  • Principals
  • Subjects
  • Login module authentication
  • Roles
  • Realms
  • Policies and permissions
  JDeveloper provides wizards and dialogs that help manage these objects.
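The two halves of slides 4 to 6, authentication through a login module and authorization through principals on the resulting Subject, in one runnable Java program. This is an added example, not code from the lesson or from Oracle; the module name AdfDemo, the class names, the role names and the user table are all hypothetical, and the table holds plaintext passwords only to keep the demo short (real modules verify against a hash or an external realm). It needs Java 11 or later for Map.of and runs without a jaas.conf file because the Configuration is installed programmatically.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class JaasDemo {

    /** Logical role name attached to a Subject; a realm maps it to real users or groups. */
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof RolePrincipal && ((RolePrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    /** Hypothetical LoginModule; the user table is constructed sample data (store hashes in real code). */
    public static final class DemoLoginModule implements LoginModule {
        private static final Map<String, String> PASSWORDS = Map.of("scott", "tiger", "guest", "guest");
        private static final Map<String, String> ROLES = Map.of("scott", "administrators", "guest", "guests");
        private Subject subject;
        private CallbackHandler handler;
        private String user;
        private boolean succeeded;

        @Override public void initialize(Subject subject, CallbackHandler handler,
                                         Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        /** Phase 1: collect credentials through callbacks and verify them. */
        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (Exception e) {
                throw new LoginException("callback failed: " + e.getMessage());
            }
            user = nc.getName();
            char[] pw = pc.getPassword();
            pc.clearPassword();
            String expected = PASSWORDS.get(user);
            // Constant-time comparison; one message for unknown user and wrong password alike.
            succeeded = expected != null && pw != null && MessageDigest.isEqual(
                    expected.getBytes(StandardCharsets.UTF_8),
                    new String(pw).getBytes(StandardCharsets.UTF_8));
            if (!succeeded) throw new FailedLoginException("bad credentials");
            return true;
        }

        /** Phase 2: only now attach principals, so a failed login leaves the Subject empty. */
        @Override public boolean commit() {
            if (!succeeded) return false;
            subject.getPrincipals().add(new RolePrincipal(ROLES.get(user)));
            return true;
        }

        @Override public boolean abort() { succeeded = false; user = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    /** Programmatic stand-in for a jaas.conf entry named "AdfDemo" (hypothetical name). */
    static void installConfiguration() {
        Configuration.setConfiguration(new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        DemoLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
            }
        });
    }

    /** Authentication: who is the user, and can they prove it? */
    static Subject authenticate(String user, String password) throws LoginException {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
        LoginContext lc = new LoginContext("AdfDemo", handler);
        lc.login();
        return lc.getSubject();
    }

    /** Authorization: what may this user do? Here, updating requires the administrators role. */
    static boolean mayUpdate(Subject s) {
        return s.getPrincipals(RolePrincipal.class).contains(new RolePrincipal("administrators"));
    }

    public static void main(String[] args) throws Exception {
        installConfiguration();
        System.out.println("scott may update: " + mayUpdate(authenticate("scott", "tiger")));
        System.out.println("guest may update: " + mayUpdate(authenticate("guest", "guest")));
        try {
            authenticate("scott", "wrong");
        } catch (LoginException e) {
            System.out.println("login rejected: " + e.getMessage());
        }
    }
}
```

The split between login() and commit() is the part worth copying: principals are added only after the whole login stack has succeeded, so a module that fails never leaves a half-populated Subject behind for the authorization step to trust.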

  7. JDeveloper, JAAS, and Securing the ADF Model
  • JDeveloper provides application security by using JAAS.
  • ADF Business Components use the JAAS security definitions to enforce security in the model.
  • You can set access roles on entities and attributes.
  • The ADF Business Components Browser uses these access roles to control model security during development and testing.
  • JDeveloper deployment uses these access roles to build deployment descriptors.

  8. Enabling JAAS Authentication for ADF Business Components
  • Set the jbo.security.enforce application property to enable authentication and authorization. Select one of:
    • None: No authentication
    • Test: Exercises the login scheme but does not actually authenticate users (development only)
    • Must: Full authentication
    • Auth: Full authentication and authorization (entity and attribute permissions are enforced)
  • Modify java.security so the JVM uses the Oracle login configuration provider.

  9. The jbo.security.enforce Application Property
  1. Open the Application Module Configuration Editor.
  2. Click the Properties tab.
  3. Set the jbo.security.enforce property.
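What the Configuration Editor writes, shown as the weak development setting beside the hardened one. This is an added fragment, not from the lesson: the configuration names and the surrounding elements (DeployPlatform, jbo.project, ApplicationName) are assumed to match the bc4j.xcfg layout of the JDeveloper release the lesson targets; only jbo.security.enforce and its four values are from the slides.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<BC4JConfig>
  <AppModuleConfigBag>
    <!-- Development only: the login scheme is exercised but users are not actually authenticated. -->
    <AppModuleConfig name="AppModuleLocal">
      <DeployPlatform>LOCAL</DeployPlatform>
      <jbo.project>Model</jbo.project>
      <ApplicationName>model.AppModule</ApplicationName>
      <jbo.security.enforce>Test</jbo.security.enforce>
    </AppModuleConfig>
    <!-- Hardened: full authentication plus enforcement of entity and attribute permissions. -->
    <AppModuleConfig name="AppModuleSecure">
      <DeployPlatform>LOCAL</DeployPlatform>
      <jbo.project>Model</jbo.project>
      <ApplicationName>model.AppModule</ApplicationName>
      <jbo.security.enforce>Auth</jbo.security.enforce>
    </AppModuleConfig>
  </AppModuleConfigBag>
</BC4JConfig>
```

Two checks before relying on Auth: the Business Components Browser must be started with the configuration that carries Auth (a Test configuration left as the default silently skips authentication), and the JVM's java.security must point login.configuration.provider at the Oracle provider, which for Oracle Application Server of this era was oracle.security.jazn.login.LoginConfigProvider (confirm the class name against your release).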

  10. Setting Entity Permissions

  11. Entity Privileges (example grants)
  • The users role can update new rows.
  • The administrators role can update any row.
  • The guests role can read any row but cannot update.

  12. Attribute Permissions
  • Attributes inherit entity permissions.
  • Permissions can be overridden at the attribute level.
  • The most restrictive permission applies. For example:
    • If you set read-only at the entity level, you cannot set update at the attribute level.
    • Update at the entity level can be narrowed to read-only at the attribute level.
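The inheritance and "most restrictive wins" rules from slide 12, applied to the example roles of slide 11, as a small resolver. This is an added example and not ADF's own implementation; the Employees entity, the Salary and Name attributes and the class are hypothetical, and it goes one step beyond the slide by also combining several roles held by one user, which in JAAS yields the union of the roles' grants.

```java
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/** Resolves the effective entity/attribute permission for a role or for a user holding several roles. */
public class EffectivePermission {

    /** Ordered so that a lower ordinal is more restrictive. */
    public enum Access { NONE, READ, UPDATE }

    private final Map<String, Map<String, Access>> entityGrants = new HashMap<>();    // role -> entity -> access
    private final Map<String, Map<String, Access>> attributeGrants = new HashMap<>(); // role -> entity.attr -> access

    public void grantEntity(String role, String entity, Access a) {
        entityGrants.computeIfAbsent(role, r -> new HashMap<>()).put(entity, a);
    }

    /** Attribute-level override; narrowing is honoured, an attempt to widen is clamped by forRole(). */
    public void grantAttribute(String role, String entity, String attr, Access a) {
        attributeGrants.computeIfAbsent(role, r -> new HashMap<>()).put(entity + "." + attr, a);
    }

    /** One role: the attribute inherits the entity grant, and the most restrictive setting wins. */
    public Access forRole(String role, String entity, String attr) {
        Access fromEntity = entityGrants.getOrDefault(role, Map.of()).getOrDefault(entity, Access.NONE);
        Access fromAttr = attributeGrants.getOrDefault(role, Map.of()).get(entity + "." + attr);
        if (fromAttr == null) return fromEntity;
        return fromAttr.ordinal() < fromEntity.ordinal() ? fromAttr : fromEntity;
    }

    /** A user holding several roles gets the union of what each role allows. */
    public Access forUser(Collection<String> roles, String entity, String attr) {
        Access best = Access.NONE;
        for (String role : roles) {
            Access a = forRole(role, entity, attr);
            if (a.ordinal() > best.ordinal()) best = a;
        }
        return best;
    }

    public static void main(String[] args) {
        EffectivePermission p = new EffectivePermission();
        // Entity grants from slide 11: users and administrators may update, guests may only read.
        p.grantEntity("users", "Employees", Access.UPDATE);
        p.grantEntity("administrators", "Employees", Access.UPDATE);
        p.grantEntity("guests", "Employees", Access.READ);
        // Attribute overrides (constructed): users may not update Salary; widening guests to UPDATE is clamped.
        p.grantAttribute("users", "Employees", "Salary", Access.READ);
        p.grantAttribute("guests", "Employees", "Salary", Access.UPDATE);

        System.out.println("users/Salary:  " + p.forRole("users", "Employees", "Salary"));
        System.out.println("users/Name:    " + p.forRole("users", "Employees", "Name"));
        System.out.println("guests/Salary: " + p.forRole("guests", "Employees", "Salary"));
        System.out.println("users+administrators/Salary: "
                + p.forUser(List.of("users", "administrators"), "Employees", "Salary"));
    }
}
```

The last call is the check worth making in a real model: an attribute locked down for the users role is still updatable by anyone who also holds administrators, so narrowing at the attribute level must be applied to every role that grants update on the entity, not just one.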

  13. Using the Business Components Browser
  • Choose Test from the Application Module context menu.
  • Choose AppModuleLocal as the testing configuration.

  14. Testing Entity and Attribute Authorization

  15. Summary
  In this lesson, you should have learned how to:
  • Set the login configuration provider for ADF BC applications
  • Enable JAAS authentication for ADF BC
  • Add users and roles
  • Add role-specific permissions to entities and attributes
  • Test an ADF BC application security scheme

  16. Practice 8-1: Overview
  This practice covers the following topics:
  • Setting up SSO authentication
  • Creating users and roles
  • Adding authorizations
  • Testing the authorizations
