Oracle ADF Architecture TV - Design - Designing for Security
DESCRIPTION
Slides from Oracle's ADF Architecture TV series covering the Design phase of ADF projects, covering how to design your ADF applications for security. Like to know more? Check out:
- Subscribe to the YouTube channel - http://bit.ly/adftvsub
- Design Playlist - http://www.youtube.com/playlist?list=PLJz3HAsCPVaSemIjFk4lfokNynzp5Euet
- Read the episode index on the ADF Architecture Square - http://bit.ly/adfarchsquare
TRANSCRIPT
1 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Real World ADF Design & Architecture Principles
Designing for Security
Learning Objectives
• At the end of this module you should be able to:
– Identify security risks and how to mitigate risks
– Understand common security design patterns
– Understand the risk of multi channel access to your application data
– Know about ADF Security and what it is good for
– Think out of the box when protecting your ADF applications
“Security is the degree of protection against danger, damage, loss, and crime.”
Wikipedia http://en.wikipedia.org/wiki/Security
Exercise
We have a budget for security, but what security should we buy for our ADF application?
Maybe a firewall will do for a start.
Program Agenda
• Application Security Risks
• Security Principles & Pattern
• Handling Data Entry
• ADF Security
• Single Sign-On
• Securing ADF Applications
OWASP Top Ten List of Security Vulnerabilities
OWASP Top Ten List of Security Vulnerabilities
• SQL Injection
– Free input text or URL parameter values an application passes to the database unfiltered
• Broken authentication and session management
– Predictable tokens that identify a user session or privilege (license key)
• Cross-Site Scripting (XSS)
– The user input of custom JavaScript that executes in the context of a web application
OWASP Top Ten List of Security Vulnerabilities
• Insecure direct object references
– e.g. file references to user-specific reports. If file names can be predicted, then anyone can download the file and see its content.
• Cross-Site Request Forgery (CSRF)
– Cookie information or hidden field information that is used by applications to identify a user session
– Sites that intercept or redirect a request (phishing) can make use of this information, replaying the initial request
OWASP Top Ten List of Security Vulnerabilities
• Security misconfiguration
– Configuration settings that weaken security enforcement
– Risk area: Moving applications from development to production
• Insecure cryptographic storage
– Sensitive data that is saved in the user session, on the server or the local client with weak encryption or not encrypted at all
• Failure to restrict URL access
– Direct URL access to resources may bypass authorization and break business logic
OWASP Top Ten List of Security Vulnerabilities
• Failed Transport Layer Protection
– Failing to ensure that messages are not changed in transit and that the server a message is sent to is indeed the server that should receive the request
• Unvalidated redirects and forwards
– Tampered redirect information added to return URL parameters
What is the best protection against all of these?
Education, security standards, code writing and review guidelines
“We believe that […] programmers want to write good software. They surely don’t set out with the intention of putting security flaws in their code. Furthermore, because it’s possible for a program to satisfy a stringent functional specification and nevertheless bring a vulnerability to life, many (if not most) such flaws have been coded up by people who do their best and are satisfied with (even rewarded for) the result.”
Secure Coding: Principles and Practices
Mark G. Graff; Kenneth R. van Wyk
Security Dependencies
• Performance Impact
– Fine grain security checks
– HTTPS overhead
– Message encryption
• Usability
– Periodical re-authentication
– Complex password rules
– Frequent password renewals
– Access restrictions
• Business hours
• Point of access
[Diagram: trade-off triangle with the corners Max. Performance, Max. Usability and Max. Security]
Program Agenda
• Application Security Risks
• Security Principles & Pattern
• Handling Data Entry
• ADF Security
• Single Sign-On
• Securing ADF Applications
Security Principles – Security By Design
• Identify security threats
– Flooding, fire, earthquake, SQL exploits, identity fraud or theft, hackers, denial of service …
• Define other security requirements for the application
– Corporate requirements
• e.g. single sign-on, shared identity management system, auditing, centralized security administration, data protection …
– Application requirements
• e.g. enforce valid user input, ensure users only have access to what they are allowed to access, ensure authenticated users …
• Define security coding and review standards
Consider Security by Design
Security Design Patterns
• Defense in depth
• Least privileged access
• Single access point
• Check point
• Roles
• Full view with errors
• Limited view
• Session
Web Authentication
• Identifies a user by something he/she knows (secret) or owns (certificate)
• Usually handled by the Java EE container accessing a configured identity store
• Database schema authentication is not a recommended model for Java EE applications
– Doesn't scale well
– The web is stateless and in no way compares to desktop applications
• Authenticated user is exposed through security context to be accessible throughout an application
Program Agenda
• Application Security Risks
• Security Principles & Pattern
• Handling Data Entry
• ADF Security
• Single Sign-On
• Securing ADF Applications
Exercise
What are the different channels that users can use to input data to our system?
Data Entry – The List of Data Entry You Cannot Trust
• User input
• Service interface
– Web Service
– SOA Service
– PL/SQL
• Java interface
• Request Parameters
• Cookies
“Love all, trust a few."
- William Shakespeare
Validate All Data Entry
• Data Format Pattern
– Ensures data entry matches a specific format
– Example: social security number, credit card, license key
• Numeric / Character
– Ensures correct data types to be entered
• Dependent Value
– Compares entered data with the value of a related field
– Example: start date < end date
Find And Fix The Weakest Link
• The best locks on your front door don't help if the windows are left wide open
• Protect assets, not applications!
• A tale about a failed SQL injection prevention attempt …
Program Agenda
• Application Security Risks
• Security Principles & Pattern
• Handling Data Entry
• ADF Security
• Single Sign-On
• Securing ADF Applications
Protecting ADF Applications (responsibility and how it is done, per layer)
View / Controller
– Responsibility: Authentication, Page Authorization, Field Authorization, Identity Propagation, Input Validation
– How: Container Managed Authentication, Validators
Binding (ADF)
– Responsibility: Page Security, Task Flow Security
– How: J2EE Authentication, JAAS Authorization, Validators
Business Service
– Responsibility: Business method authorization, Identity propagation, CRUD authorization, Input Validation
– How: JAAS, JEE authorization context, Validation rules
Database
– Responsibility: DML authorization, Read authorization, PL/SQL authorization
– How: VPD, Database Proxy, Sys_context
Oracle Platform Security Service (OPSS)
• Standards-based, portable, integrated, enterprise-grade Oracle security framework for Java SE and Java EE applications
• Provides security to Oracle Fusion Middleware including WebLogic Server, Service Oriented Architecture (SOA) applications, Oracle WebCenter, Oracle ADF applications, and Oracle Entitlement Server
• Designed to be portable to third-party application servers
• Provides an abstraction layer that insulates developers from security and identity management implementation details
• Decreases application development, administration, and maintenance costs
• Does a better job than the security available in the Java and Java EE standards
ADF & OPSS Architecture Overview
[Diagram: an ADF Application deployed as a Java EE application on WebLogic Server; its ADF Security Context calls the OPSS API (JAAS Integration), which provides AuthN and AuthZ against LDAP/DB Servers, a File Based store and the Credential Store Framework (CSF)]
ADF Security – Framework Features
• Authentication handled by Java EE Container
• Authorization automatically enforced on
– Bounded task flows
– Pages in unbounded task flows
– ADF Business Components entities and attributes
• Views in bounded task flows are protected through task flow security
• Fine grain view protection in bounded task flows can be declaratively defined using nested bounded task flows
• Authorization is based on JAAS permissions
• Authorization policies are declaratively defined
ADF Security – Programmatic Features
• Security Expression Language
– #{securityContext.authenticated}
– #{securityContext.userName}
– #{securityContext.userInRole['roleList']}
– #{securityContext.userInAllRoles['roleList']}
– #{securityContext.taskflowViewable['target']}
– #{securityContext.regionViewable['target']}
– #{securityContext.userGrantedResource['permission']}
– #{securityContext.userGrantedPermission['permission']}
• Security Java API
ADF Security – Programmatic Features
• Create custom Permissions based on the OPSS Resource Permission
– Use for Menu security, UI component security
• Declaratively define view permissions for pages in bounded task flows
– Authorization needs to be enforced by your program code using EL or Java
• ADF Security Groovy access from ADF Business Components
– Query view objects based on the authenticated user
OPSS and ADF Security Vocabulary
• User
– Individual user identities defined in your identity management system
• Enterprise Roles
– Enterprise user groups defined in your identity management system for use across application boundaries
• Application Roles
– ADF application specific roles that provide an abstraction layer for enterprise user groups
– Permissions are granted to application roles
You Must Get This Right!
OPSS architecture for WLS Design-Time
[Diagram: Oracle JDeveloper at design time. Artifacts: web.xml, adf-config.xml, weblogic.xml, the Authentication servlet, and jazn-data.xml holding Users, Groups, Roles and Permissions]
OPSS architecture for WLS Runtime (Production)
[Diagram: Oracle WebLogic Server (OPSS) at runtime. system-jazn-data.xml holds Application Roles and Grants; each grant carries a Permission with Target, Permission class and Actions. Users and Enterprise Roles come from the Identity Store (OID, OVD, LDAP, Active Directory) holding Enterprise Groups and Enterprise Users, accessed through a LoginModule; the Credential Store is backed by an RDBMS]
What You Should Know – ADF Security Authorization Best Practices
• Grant permissions to application roles only
– Easier to administer
– No dependency on the identity management system
• Security administrator should use Oracle Enterprise Manager Fusion Middleware Control to map application roles to enterprise roles (aka. enterprise groups)
– Post deployment
• ADF applications can be configured to "override" or "merge with" existing policies
What You Should Know – ADF Security Authorization Best Practices
• Though the framework doesn't enforce authorization on views contained in bounded task flows, it doesn't mean you can't do it
– Create region permission for view in bounded task flow
– Enforce permission using security EL or Java
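An added example (not from the slides or the ADF product) of the programmatic checks the deck asks for: a JSF managed bean that enforces a custom OPSS Resource Permission for menu security and a region permission for a view inside a bounded task flow. The resource type MenuResourceType, the resource AdminMenu, the page definition name and the application role hr-manager are assumed names that would have to match grants in jazn-data.xml.

```java
// Added example, not from the slides. Assumes grants in jazn-data.xml for a
// custom resource type "MenuResourceType" with resource "AdminMenu", for a
// region permission on "view.pageDefs.EmployeeDetailPageDef", and an
// application role "hr-manager"; all of these names are placeholders.
import oracle.adf.share.ADFContext;
import oracle.adf.share.security.SecurityContext;
import oracle.adf.share.security.authorization.RegionPermission;
import oracle.security.jps.ResourcePermission;

public class MenuSecurityBean {

    private SecurityContext securityContext() {
        return ADFContext.getCurrent().getSecurityContext();
    }

    // Menu security through a custom OPSS Resource Permission. Bind it to the
    // menu item's "rendered" property, e.g.
    // rendered="#{menuSecurityBean.adminMenuVisible}", so the item is hidden
    // (not merely disabled) for users without the grant.
    public boolean isAdminMenuVisible() {
        SecurityContext sc = securityContext();
        if (!sc.isAuthenticated()) {
            return false;   // nothing to show for anonymous users
        }
        // type, name and action must match the grant; the EL equivalent is
        // #{securityContext.userGrantedResource[
        //     'resourceName=AdminMenu;resourceType=MenuResourceType;action=view']}
        ResourcePermission perm =
            new ResourcePermission("MenuResourceType", "AdminMenu", "view");
        return sc.hasPermission(perm);
    }

    // A view inside a bounded task flow is not checked by the framework, so
    // the region permission is enforced here (or with
    // #{securityContext.regionViewable['...']}) before the region is shown.
    public boolean isEmployeeDetailViewable() {
        RegionPermission perm =
            new RegionPermission("view.pageDefs.EmployeeDetailPageDef", "view");
        return securityContext().hasPermission(perm);
    }

    // Role check for hiding navigation controls; the name is an application
    // role, never an enterprise group or an individual user.
    public boolean isHrManager() {
        return securityContext().isUserInRole("hr-manager");
    }
}
```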
What You Should Know
• All permissions and application roles must be copied to the master (aka. "top level" or "super web") application
– An ADF library may contain a jazn-data.xml file, which however is not enforced at runtime
– ADF regions added through ADF libraries must have their security grants defined in the master application.
• Security Permissions are automatically deployed to the WebLogic Server system-jazn-data.xml file when deploying the application EAR file
Security Deployment
So ADF Security is “The Solution”
No, it is just a tool in ADF that you use to implement security.
Program Agenda
• Application Security Risks
• Security Principles & Pattern
• Handling Data Entry
• ADF Security
• Single Sign-On
• Securing ADF Applications
Single Sign-On In Oracle ADF Architecture
[Diagram: Pillar Architecture. Labels: Fine Grained; Two for One Deal; Multi-Access Channel; Pillar; Cylinder; One time authentication for all buildings; One time authentication for all pillars]
Single Sign-On Best Practices
• Implementing your own single sign-on solution for Oracle ADF applications is a proven path to failure
– Failure to keep authenticated user session state (OTN forum reports)
– Performance problems coded into your applications
– Insecure token and credential sharing
• ADF Security works well with Oracle Access Manager (OAM) for single sign-on
– Works across FMW product boundaries including SOA, WebCenter, Oracle Forms
• Kerberos is an alternative Windows based SSO solution
– Kerberos/SPNEGO and Oracle WebLogic Server
Oracle ADF Without Single Sign-On
[Diagram: adf_domain hosting the Secured ADF Application; the WLS Authentication Provider authenticates against Oracle Internet Directory (steps 1 to 4)]
Oracle ADF Single Sign-On With OAM
[Diagram: adf_domain with Oracle HTTP Server and the OAM Web Gate in front of the Secured ADF Application; Oracle Internet Directory as identity store (steps 1 and 2)]
Oracle ADF With Single Sign-On Using OAM
[Diagram: adf_domain and idm_domain. Oracle HTTP Server with the OAM Web Gate protects the Secured ADF Application; Oracle Access Manager in idm_domain works against Oracle Internet Directory (steps 1 and 2)]
Oracle ADF With Single Sign-On Using OAM
[Diagram: as above, with Oracle Access Manager holding an OAM Session identified by OAM_ID (steps 1 and 2)]
Oracle ADF With Single Sign-On Using OAM
[Diagram: as above, with the OAMAuthnCookie at the OAM Web Gate and the OAM Session (OAM_ID) at Oracle Access Manager (steps 1 to 3)]
Program Agenda
• Application Security Risks
• Security Principles & Pattern
• Handling Data Entry
• ADF Security
• Single Sign-On
• Securing ADF Applications
Exercise
Ok, ADF Security is on my list. What else?
ADF Business Components
• Define ADF Security permissions for entities and entity attributes
– Permissions are enforced by the ADF framework
– In addition, hide controls like delete buttons using security EL if a user is not allowed to delete an entity
• Avoid dynamically built SQL statements, and use view objects and view criteria with named bind variables.
• Validate input variables on the view object before issuing executeQuery
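An added example (not from the slides) of the two ADF Business Components rules above: an application module method that validates the user's input and then queries a view object through a named bind variable or a view criteria, shown next to the dynamically built WHERE clause it replaces. EmployeesVO, its design-time bind variable pEmail and the attribute names are assumptions.

```java
// Added example, not from the slides. Assumes a view object EmployeesVO whose
// query declares a design-time bind variable pEmail (WHERE EMAIL = :pEmail)
// and has attributes Email and DepartmentId. All names are placeholders.
import java.util.regex.Pattern;
import oracle.jbo.ViewCriteria;
import oracle.jbo.ViewCriteriaRow;
import oracle.jbo.ViewObject;
import oracle.jbo.server.ApplicationModuleImpl;

public class HRServiceImpl extends ApplicationModuleImpl {

    // Data format pattern for the input: an address shape, nothing SQL can interpret
    private static final Pattern EMAIL_PATTERN =
        Pattern.compile("^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,255}$");

    // Unsafe: the user's text becomes part of the SQL statement (dynamically
    // built WHERE clause). Kept only to contrast with the safe version below.
    public void findByEmailUnsafe(String email) {
        ViewObject vo = findViewObject("EmployeesVO");
        vo.setWhereClause("EMAIL = '" + email + "'");   // SQL injection risk
        vo.executeQuery();
    }

    // Safe: validate before executeQuery, then hand the value over through the
    // named bind variable so the database receives it as data, not as SQL text.
    public void findByEmail(String email) {
        if (email == null || !EMAIL_PATTERN.matcher(email).matches()) {
            throw new IllegalArgumentException("email does not match the expected format");
        }
        ViewObject vo = findViewObject("EmployeesVO");
        vo.setNamedWhereClauseParam("pEmail", email);
        vo.executeQuery();
    }

    // Numeric check plus a view criteria; ADF turns the criteria row into a
    // bind variable itself, so no SQL text is assembled from the input.
    public void findByDepartment(String departmentId) {
        if (departmentId == null) {
            throw new IllegalArgumentException("department id is required");
        }
        int deptNo;
        try {
            deptNo = Integer.parseInt(departmentId.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("department id must be numeric", e);
        }
        if (deptNo <= 0) {
            throw new IllegalArgumentException("department id must be positive");
        }
        ViewObject vo = findViewObject("EmployeesVO");
        ViewCriteria vc = vo.createViewCriteria();
        ViewCriteriaRow row = vc.createViewCriteriaRow();
        row.setAttribute("DepartmentId", deptNo);
        vc.add(row);
        vo.applyViewCriteria(vc);
        vo.executeQuery();
    }
}
```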
ADF Controller
• Navigate using control flows and avoid navigation through redirects
• Configure exception handler activities in all bounded task flows
• Protect task flow access using ADF Security
– Framework enforces user authorization
– In addition, hide navigation UI controls using security EL if a user is not allowed to access a task flow
• Ensure task flows that use JSF documents are not accessible from browsers
– Enforce a single point of access for your application
ADF Binding Layer
• Use the "viewable" property on bindings to check user permission using security EL
– If viewable evaluates to false, the associated UI component will render read only
• Configure a custom error handler in DataBindings.cpx to control the information displayed to users
– Distinguish between authorized personnel and users when displaying and logging error messages
ADF View
• Hide all UI components users are not supposed to see or use
– Use Security EL on the "rendered" property
• Look for ways to simplify security configuration by grouping protected components
What about the "display" property?
Input Validation
• ADF View
– Validator / Converter
• Components
• Managed bean
– Value change event handlers
– Client side scripts
• ADF Binding
– Binding element validator
Input Validation
• ADF Business Components
– Entity validation
• Across attribute validation like dependent field validation
– Entity attribute validation
• Validates individual attribute values
– Transaction Level
• Entity setting to defer validation to before commit
Exercise
You there – tall guy, blue shirt, sitting in the back. What else?
Think Out Of The Box!
Some Ideas
• Servlet filter
• Phase listeners
• Component validators
• Bind variables
• Custom Resource Permissions & Security EL or Java
• Move page documents into /public_html/WEB-INF
• Managed beans, View- and EntityImpl
• MDS customization classes
• RDBMS security (label security, triggers ...)
Conclusion
• Become aware of what your business is afraid of and what you want to protect within your application
• Security must be implemented on all application layers
• Permissions should be granted to roles and never to users directly
• ADF Security is a tool that makes it easier to enforce authentication and authorization in ADF applications. However, it is not all you need.
• Application security requires you to be creative and think out of the box. Not all tools you can use for security have the name "security" in them
Further Reading
• Security for Everyone – Oracle Magazine article
– http://www.oracle.com/technetwork/issue-archive/2012/12-jan/o12adf-1364748.html
• ADF Security documentation – Oracle JDeveloper and ADF Documentation Library – Fusion Developer Guide
– "Enabling ADF Security in a Fusion Web Application"
• ADF Insider Recordings
– ADF Security overview
• http://download.oracle.com/otn_hosted_doc/jdeveloper/11gdemos/AdfSecurity/AdfSecurity.html
– Security Deployment
• http://download.oracle.com/otn_hosted_doc/jdeveloper/11gdemos/adf_security1/adf_security1.html
• http://download.oracle.com/otn_hosted_doc/jdeveloper/11gdemos/adf_security2/adf_security2.html
– Single Sign-on
• http://download.oracle.com/otn_hosted_doc/jdeveloper/11gdemos/adf_oam_integration/adf_oam_integration.html