oracle adf architecture tv - design - designing for security

1 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

Upload: chris-muir

Post on 11-Nov-2014


DESCRIPTION

Slides from Oracle's ADF Architecture TV series covering the Design phase of ADF projects, covering how to design your ADF applications for security. Like to know more? Check out: - Subscribe to the YouTube channel - http://bit.ly/adftvsub - Design Playlist - http://www.youtube.com/playlist?list=PLJz3HAsCPVaSemIjFk4lfokNynzp5Euet - Read the episode index on the ADF Architecture Square - http://bit.ly/adfarchsquare

TRANSCRIPT

Page 1: Oracle ADF Architecture TV - Design - Designing for Security

1 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

Page 2

Real World ADF Design & Architecture Principles Designing for Security


Page 3

Learning Objectives

•  At the end of this module you should be able to:
–  Identify security risks and how to mitigate them
–  Understand common security design patterns
–  Understand the risk of multi-channel access to your application data
–  Know about ADF Security and what it is good for
–  Think out of the box when protecting your ADF applications

Image: imagerymajestic/ FreeDigitalPhotos.net

Page 4

“Security is the degree of protection against danger, damage, loss, and crime."

Wikipedia http://en.wikipedia.org/wiki/Security

Page 5

We have a budget for security, but what security should we buy for our ADF application?

Maybe a firewall will do for a start.

Exercise

Image: imagerymajestic/ FreeDigitalPhotos.net

Page 6

Program Agenda

•  Application Security Risks •  Security Principles & Pattern •  Handling Data Entry •  ADF Security •  Single Sign-On •  Securing ADF Applications

Page 7

OWASP Top Ten List of Security Vulnerabilities

Image: OWASP / CC3.0

Page 8

OWASP Top Ten List of Security Vulnerabilities

•  SQL Injection
–  Free input text or URL parameter values that an application passes to the database unfiltered and unparameterized

•  Broken authentication and session management
–  Predictable tokens that identify a user session or a privilege (license key)

•  Cross-Site Scripting (XSS)
–  User input containing script that the application echoes back unescaped, so the browser executes it in the context of the web application

Image: jscreationzs/ FreeDigitalPhotos.net

Page 9

OWASP Top Ten List of Security Vulnerabilities

•  Insecure direct object references
–  e.g. file references to user-specific reports. If file names can be predicted, anyone can request the file and see its content.

•  Cross-Site Request Forgery (CSRF)
–  Applications identify a user session by cookie information or hidden field information that the browser sends along automatically
–  A malicious site the user visits can trigger a request to the application from the user's browser; the request carries that session information, so the application executes the forged request as the authenticated user

Image: jscreationzs/ FreeDigitalPhotos.net
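Added example (not from the slides and not Oracle code) of the indirect-reference pattern for the report-download case above: the client only ever receives an opaque token, and the server resolves it against the authenticated user's own reports. The base directory, the user names and the in-memory ownership map are constructed for illustration; Java 8 is assumed.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Per-user report downloads: direct (vulnerable) vs. indirect (checked) references. */
public final class ReportAccess {

    // Assumed report location; constructed for the example.
    private static final Path BASE = Paths.get("/srv/reports").toAbsolutePath().normalize();

    // VULNERABLE: the request names the file. Anyone who guesses "bob/q3.pdf"
    // gets Bob's report, and "../../etc/passwd" leaves the report directory.
    public static Path resolveDirect(String fileNameFromRequest) {
        return BASE.resolve(fileNameFromRequest).normalize();
    }

    // SAFE: token -> path lookups are scoped to the authenticated user.
    private final Map<String, Map<String, Path>> reportsByUser = new HashMap<>();
    private final SecureRandom random = new SecureRandom();

    /** Registers a report for a user; returns the opaque reference to put in the page. */
    public String register(String owner, Path reportFile) {
        byte[] raw = new byte[16];                      // 128 random bits: not guessable
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        Map<String, Path> own = reportsByUser.get(owner);
        if (own == null) {
            own = new HashMap<>();
            reportsByUser.put(owner, own);
        }
        own.put(token, reportFile);
        return token;
    }

    /**
     * Resolves a token for the *authenticated* user (taken from the security
     * context, never from the request). Returns null when the token is unknown
     * or belongs to someone else; both cases get the same answer on purpose.
     */
    public Path resolve(String authenticatedUser, String token) {
        Map<String, Path> own = reportsByUser.get(authenticatedUser);
        if (own == null) {
            return null;
        }
        Path p = own.get(token);
        if (p == null) {
            return null;
        }
        // Defence in depth: even a stored path must lie inside the base directory.
        Path real = p.toAbsolutePath().normalize();
        return real.startsWith(BASE) ? real : null;
    }

    public static void main(String[] args) {
        ReportAccess access = new ReportAccess();
        String aliceToken = access.register("alice", BASE.resolve("alice/q3.pdf"));

        // The owner resolves her own report; Bob replaying Alice's token gets null.
        System.out.println("alice  -> " + access.resolve("alice", aliceToken));
        System.out.println("bob    -> " + access.resolve("bob", aliceToken));

        // The direct reference escapes the report directory; that is the bug.
        System.out.println("direct -> " + resolveDirect("../../etc/passwd"));
    }
}
```

The point is that the token is useless without the matching identity from the security context; in an ADF application that identity comes from `#{securityContext.userName}` or the Java security API, never from a request parameter.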

Page 10

OWASP Top Ten List of Security Vulnerabilities

•  Security misconfiguration
–  Configuration settings that weaken security enforcement
–  Risk area: moving applications from development to production

•  Insecure cryptographic storage
–  Sensitive data that is saved in the user session, on the server or on the local client with weak encryption or not encrypted at all

•  Failure to restrict URL access
–  Direct URL access to resources may bypass authorization and break business logic

Image: jscreationzs/ FreeDigitalPhotos.net

Page 11

OWASP Top Ten List of Security Vulnerabilities

•  Insufficient Transport Layer Protection
–  Failing to ensure that messages are neither read nor changed in transit and that the server a message is sent to is indeed the server that should receive the request

•  Unvalidated redirects and forwards
–  Tampered redirect information added to return URL parameters

Image: jscreationzs/ FreeDigitalPhotos.net
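Added example (not Oracle's code) for the last item: validating a return URL parameter before redirecting to it. Only application-relative paths or HTTPS URLs to an allow-listed host are accepted; anything else falls back to a fixed landing page. The fallback page and the host list are constructed for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Guards a "return URL" parameter against open-redirect abuse. */
public final class ReturnUrlValidator {

    private final Set<String> allowedHosts = new HashSet<>();
    private final String fallback;

    public ReturnUrlValidator(String fallback, String... allowedHosts) {
        this.fallback = fallback;
        for (String h : allowedHosts) {
            this.allowedHosts.add(h.toLowerCase(Locale.ROOT));
        }
    }

    /** Returns the candidate if it is safe to redirect to, otherwise the fallback. */
    public String safeTarget(String candidate) {
        if (candidate == null || candidate.trim().isEmpty()) {
            return fallback;
        }
        // Browsers read "/\evil.example" as "//evil.example"; CR/LF would split the header.
        if (candidate.indexOf('\\') >= 0 || candidate.indexOf('\r') >= 0
                || candidate.indexOf('\n') >= 0) {
            return fallback;
        }
        URI uri;
        try {
            uri = new URI(candidate);
        } catch (URISyntaxException e) {
            return fallback;
        }
        if (uri.getScheme() == null && uri.getRawAuthority() == null) {
            // Relative reference: accept only an absolute path inside this application.
            String path = uri.getRawPath();
            boolean ok = path != null && path.startsWith("/") && !path.startsWith("//");
            return ok ? candidate : fallback;
        }
        // Absolute or scheme-relative ("//host/...") reference: https only, no userinfo
        // ("https://good.example@evil.example") and a host from the allow list.
        // "javascript:" and "data:" fail the scheme check.
        if (!"https".equalsIgnoreCase(uri.getScheme()) || uri.getRawUserInfo() != null) {
            return fallback;
        }
        String host = uri.getHost();
        if (host == null || !allowedHosts.contains(host.toLowerCase(Locale.ROOT))) {
            return fallback;
        }
        return candidate;
    }

    public static void main(String[] args) {
        ReturnUrlValidator v = new ReturnUrlValidator("/faces/home.jspx", "portal.example.com");
        String[] samples = {                           // constructed inputs
            "/faces/orders.jspx?id=7",                 // path inside the application
            "//evil.example/phish",                    // scheme-relative, points off-site
            "https://portal.example.com/start",        // allow-listed host
            "https://portal.example.com@evil.example/", // userinfo trick
            "http://portal.example.com/start",         // plain http
            "javascript:alert(1)",                     // not a web target
            "/\\evil.example"                          // backslash trick
        };
        for (String s : samples) {
            System.out.println(s + " -> " + v.safeTarget(s));
        }
    }
}
```

Call `safeTarget` on the raw parameter and redirect to its return value; the same check belongs in front of server-side forwards, where an attacker-controlled path can reach resources that are not meant to be addressable.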

Page 12

What is the best protection against all of these?

Image: imagerymajestic/ FreeDigitalPhotos.net

Page 13

Image: Ambro + imagerymajestic/ FreeDigitalPhotos.net

What is the best protection against all of these?

Education, security standards, code writing and review guidelines

Page 14

“We believe that […] programmers want to write good software. They surely don’t set out with the intention of putting security flaws in their code. Furthermore, because it’s possible for a program to satisfy a stringent functional specification and nevertheless bring a vulnerability to life, many (if not most) such flaws have been coded up by people who do their best and are satisfied with (even rewarded for) the result."

Secure Coding: Principles and Practices

Mark G. Graff; Kenneth R. van Wyk

Page 15

Security Dependencies

•  Performance impact
–  Fine-grained security checks
–  HTTPS overhead
–  Message encryption

•  Usability
–  Periodic re-authentication
–  Complex password rules
–  Frequent password renewals
–  Access restrictions
•  Business hours
•  Point of access

Diagram: trade-off triangle with the corners Max. Performance, Max. Usability and Max. Security.

Page 16

Program Agenda

•  Application Security Risks •  Security Principles & Pattern •  Handling Data Entry •  ADF Security •  Single Sign-On •  Securing ADF Applications

Page 17

Security Principles

•  Identify security threats
–  Flooding, fire, earthquake, SQL exploits, identity fraud or theft, hackers, denial of service …

•  Define other security requirements for the application
–  Corporate requirements
•  e.g. single sign-on, shared identity management system, auditing, centralized security administration, data protection …
–  Application requirements
•  e.g. enforce valid user input, ensure users only have access to what they are allowed to access, ensure users are authenticated …

•  Define security coding and review standards

Security By Design

Page 18

Consider Security by Design

Page 19

Security Design Patterns

•  Defense in depth
•  Least privileged access
•  Single access point
•  Check point
•  Roles
•  Full view with errors
•  Limited view
•  Session

Page 20

Web Authentication

•  Identifies a user by something he/she knows (a secret) or owns (a certificate)

•  Usually handled by the Java EE container against a configured identity store

•  Database schema authentication is not a recommended model for Java EE applications
–  Doesn't scale well: each user needs a dedicated database session, which defeats connection pooling
–  The web is stateless and in no way compares to desktop applications

•  The authenticated user is exposed through the security context and is accessible throughout the application

Page 21

Program Agenda

•  Application Security Risks •  Security Principles & Pattern •  Handling Data Entry •  ADF Security •  Single Sign-On •  Securing ADF Applications

Page 22

What are the different channels that users can use to input data to our system?

Image: imagerymajestic/ FreeDigitalPhotos.net

Exercise

Page 23

Data Entry

The List of Data Entry You Cannot Trust

•  User input
•  Service interfaces
–  Web Service
–  SOA Service
–  PL/SQL
•  Java interfaces
•  Request parameters
•  Cookies

Page 24

“Love all, trust a few."

- William Shakespeare

Page 25

Validate All Data Entry

•  Data Format Pattern
–  Ensures data entry matches a specific format
–  Example: social security number, credit card, license key

•  Numeric / Character
–  Ensures the correct data type is entered

•  Dependent Value
–  Compares entered data with the value of a related field
–  Example: start date < end date
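Added example (not Oracle's code) of the dependent-value rule above, written as a JSF validator so it runs on the server during the validation phase regardless of what the browser or any client script did. It is attached to the end-date field with `<f:validator validatorId="endAfterStart"/>` and registered under that id in faces-config.xml; the attribute name `startDateId` and the component ids are assumptions.

```java
import java.util.Date;
import javax.faces.application.FacesMessage;
import javax.faces.component.UIComponent;
import javax.faces.component.UIInput;
import javax.faces.context.FacesContext;
import javax.faces.validator.Validator;
import javax.faces.validator.ValidatorException;

/**
 * Cross-field check "start date < end date", run in the JSF validation phase.
 * Page usage (ids are assumptions for this example):
 *   <af:inputDate id="startDate" .../>
 *   <af:inputDate id="endDate" ...>
 *     <f:validator validatorId="endAfterStart"/>
 *     <f:attribute name="startDateId" value="startDate"/>
 *   </af:inputDate>
 */
public class EndAfterStartValidator implements Validator {

    public void validate(FacesContext ctx, UIComponent endDateComponent, Object value)
            throws ValidatorException {
        if (value == null) {
            return;                                  // required="true" covers emptiness
        }
        String startId = (String) endDateComponent.getAttributes().get("startDateId");
        if (startId == null) {
            throw misconfigured("startDateId attribute missing");
        }
        UIComponent found = endDateComponent.findComponent(startId);
        if (!(found instanceof UIInput)) {
            throw misconfigured("start date component not found: " + startId);
        }
        UIInput startInput = (UIInput) found;

        // Validation runs top-down, so the start field (earlier in the tree) already
        // holds its converted local value; if it failed its own checks, skip ours.
        if (!startInput.isValid()) {
            return;
        }
        Object start = startInput.getValue();
        if (!(start instanceof Date) || !(value instanceof Date)) {
            return;                                  // converters report type problems
        }
        if (!((Date) value).after((Date) start)) {
            throw new ValidatorException(new FacesMessage(
                FacesMessage.SEVERITY_ERROR, "End date must be after start date", null));
        }
    }

    private static ValidatorException misconfigured(String why) {
        // Fail closed: a page that cannot evaluate the rule must not accept the value.
        return new ValidatorException(new FacesMessage(
            FacesMessage.SEVERITY_ERROR, "Validation not configured: " + why, null));
    }
}
```

The validator fails closed when the page is wired up incorrectly; silently returning would turn a configuration mistake into a missing control. The same rule belongs on the ADF Business Components entity as well, so that service interfaces and Java callers that bypass the page are covered too.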

Page 26

Find And Fix The Weakest Link

•  The best locks on your front door don't help if the windows are left wide open

•  Protect assets, not applications!

•  A tale about a failed SQL injection prevention attempt …

Page 27

Program Agenda

•  Application Security Risks •  Security Principles & Pattern •  Handling Data Entry •  ADF Security •  Single Sign-On •  Securing ADF Applications

Page 28

Protecting ADF Applications

View / Controller
–  Responsibility: authentication, page authorization, field authorization, identity propagation, input validation
–  How: container-managed authentication, validators

Binding
–  Responsibility: page security, task flow security
–  How: Java EE authentication, JAAS authorization, validators

Business Service
–  Responsibility: business method authorization, identity propagation, CRUD authorization, input validation
–  How: JAAS, Java EE authorization context, validation rules

Database
–  Responsibility: DML authorization, read authorization, PL/SQL authorization
–  How: VPD, database proxy, SYS_CONTEXT

Page 29

Oracle Platform Security Services (OPSS)

•  Standards-based, portable, integrated, enterprise-grade Oracle security framework for Java SE and Java EE applications
•  Provides security to Oracle Fusion Middleware including WebLogic Server, Service Oriented Architecture (SOA) applications, Oracle WebCenter, Oracle ADF applications and Oracle Entitlement Server
•  Designed to be portable to third-party application servers
•  Provides an abstraction layer that insulates developers from security and identity management implementation details
•  Decreases application development, administration and maintenance costs
•  Goes beyond the security available in the Java SE and Java EE standards (application roles, policy store, credential store)

Page 30

ADF & OPSS Architecture Overview

Diagram: an ADF application deployed as a Java EE application on WebLogic Server. The ADF security context calls the OPSS API (JAAS integration), which performs authentication (AuthN) and authorization (AuthZ) against LDAP or database servers, the Credential Store Framework (CSF), or file-based stores.

Page 31

ADF Security

Framework Features

•  Authentication is handled by the Java EE container
•  Authorization is automatically enforced on
–  Bounded task flows
–  Pages in unbounded task flows
–  ADF Business Components entities and attributes
•  Views inside a bounded task flow are protected through the task flow's security, not individually
•  Fine-grained view protection inside bounded task flows can be defined declaratively by using nested bounded task flows
•  Authorization is based on JAAS permissions
•  Authorization policies are defined declaratively

Page 32

ADF Security

•  Security Expression Language
–  #{securityContext.authenticated}
–  #{securityContext.userName}
–  #{securityContext.userInRole['roleList']}
–  #{securityContext.userInAllRoles['roleList']}
–  #{securityContext.taskflowViewable['target']}
–  #{securityContext.regionViewable['target']}
–  #{securityContext.userGrantedResource['permission']}
–  #{securityContext.userGrantedPermission['permission']}

•  Security Java API

Programmatic Features

Page 33

ADF Security

•  Create custom Permissions based on the OPSS Resource Permission –  Use for Menu security, UI component security

•  Declaratively define view permissions for pages in bounded task flows –  Authorization needs to be enforced by your program code using EL or Java

•  ADF Security Groovy access from ADF Business Components –  Query view objects based on the authenticated user

Programmatic Features
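Added example (not Oracle's code) tying the programmatic features on this and the previous slide together: a managed bean that checks a custom OPSS ResourcePermission through the ADF Security Java API and exposes the result as a map, so a page can write `rendered="#{menuSecurity.viewable['Reports']}"` without needing EL method arguments. The resource type `MenuItemType`, the `view` action and the bean name `menuSecurity` are assumptions; type and action must match the resource type and the grants defined in jazn-data.xml.

```java
import java.security.Permission;
import java.util.AbstractMap;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import oracle.adf.share.ADFContext;
import oracle.adf.share.security.SecurityContext;
import oracle.security.jps.ResourcePermission;

/** Request-scoped bean, registered e.g. as "menuSecurity" in adfc-config.xml (assumed). */
public class MenuSecurityBean {

    // Assumed names; they must match the resource type and action in jazn-data.xml.
    private static final String RESOURCE_TYPE = "MenuItemType";
    private static final String VIEW_ACTION = "view";

    /** Java API equivalent of #{securityContext.authenticated}. */
    public boolean isAuthenticated() {
        return ADFContext.getCurrent().getSecurityContext().isAuthenticated();
    }

    /** True only for an authenticated user who holds "view" on the named menu item. */
    public boolean canView(String menuItem) {
        SecurityContext sc = ADFContext.getCurrent().getSecurityContext();
        if (!sc.isAuthenticated() || menuItem == null) {
            return false;                              // anonymous users see nothing
        }
        Permission p = new ResourcePermission(RESOURCE_TYPE, menuItem, VIEW_ACTION);
        return sc.hasPermission(p);
    }

    /**
     * Map view of canView() so EL can pass the item name as a key:
     *   rendered="#{menuSecurity.viewable['Reports']}"
     * Only get() is meaningful; the map deliberately has no entries to iterate.
     */
    public Map<String, Boolean> getViewable() {
        return new AbstractMap<String, Boolean>() {
            @Override
            public Boolean get(Object key) {
                return Boolean.valueOf(canView(key == null ? null : key.toString()));
            }

            @Override
            public Set<Map.Entry<String, Boolean>> entrySet() {
                return Collections.<Map.Entry<String, Boolean>>emptySet();
            }
        };
    }
}
```

Keep the decision in one place: the same `canView` result should drive both the `rendered` attribute of the menu item and the guard in the action method behind it, since hiding a control does not stop a request that is crafted by hand.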

Page 34

OPSS and ADF Security Vocabulary

•  User
–  Individual user identities defined in your identity management system

•  Enterprise Roles
–  Enterprise user groups defined in your identity management system for use across application boundaries

•  Application Roles
–  ADF application-specific roles that provide an abstraction layer over enterprise user groups
–  Permissions are granted to application roles

You Must Get This Right!

Page 35

OPSS architecture for WLS Design-Time

Diagram: in Oracle JDeveloper at design time, web.xml (including the authentication servlet), weblogic.xml and adf-config.xml carry the security configuration, while jazn-data.xml holds the test users, groups, application roles and permission grants.

Page 36

OPSS architecture for WLS Runtime (Production)

Diagram: at runtime Oracle WebLogic Server (OPSS) authenticates users through a LoginModule against the identity store (OID, OVD, other LDAP servers, Active Directory), which holds the enterprise users and enterprise groups. Enterprise roles are mapped to application roles; grants of permissions (target, permission class, actions) to application roles live in system-jazn-data.xml. Credentials are kept in the credential store (RDBMS-backed).

Page 37

What You Should Know

•  Grant permissions to application roles only
–  Easier to administer
–  No dependency on the identity management system

•  The security administrator should use Oracle Enterprise Manager Fusion Middleware Control to map application roles to enterprise roles (aka enterprise groups)
–  Post deployment

•  ADF applications can be configured to "override" or "merge with" existing policies

ADF Security Authorization Best Practices

Page 38

What You Should Know

•  Though the framework doesn't enforce authorization on views contained in bounded task flows, it doesn't mean you can't do it –  Create region permission for view in bounded task flow –  Enforce permission using security EL or Java

ADF Security Authorization Best Practices

Page 39

What You Should Know

•  All permissions and application roles must be copied to the master (aka "top level" or "super web") application
–  An ADF library may contain a jazn-data.xml file, which however is not enforced at runtime
–  ADF regions added through ADF libraries must have their security grants defined in the master application

•  Security permissions are automatically deployed to the WebLogic Server system-jazn-data.xml file when the application EAR file is deployed

Security Deployment

Page 40

So ADF Security is “The Solution”

Image: imagerymajestic/ FreeDigitalPhotos.net

Page 41

Image: Ambro + imagerymajestic/ FreeDigitalPhotos.net

So ADF Security is “The Solution”

No, it is just a tool in ADF that you use to implement security.

Page 42

Program Agenda

•  Application Security Risks •  Security Principles & Pattern •  Handling Data Entry •  ADF Security •  Single Sign-On •  Securing ADF Applications

Page 43

Single Sign-On In Oracle ADF Architecture

Diagram (pillar architecture) with the labels: Fine Grained, Two for One Deal, Multi-Access Channel, Pillar, Cylinder, "One time authentication for all buildings", "One time authentication for all pillars".

Page 44

Single Sign-On Best Practices

•  Implementing your own single sign-on solution for Oracle ADF applications is a proven path to failure
–  Failure to keep authenticated user session state (OTN forum reports)
–  Performance problems coded into your applications
–  Insecure token and credential sharing

•  ADF Security works well with Oracle Access Manager (OAM) for single sign-on
–  Works across FMW product boundaries including SOA, WebCenter and Oracle Forms

•  Kerberos is an alternative Windows-based SSO solution
–  Kerberos/SPNEGO and Oracle WebLogic Server

Page 45

Oracle ADF Without Single Sign-On

Diagram: a secured ADF application in adf_domain; the request (steps 1-4) is authenticated by the WLS authentication provider against Oracle Internet Directory.

Page 46

Oracle ADF Single Sign-On With OAM

Diagram: Oracle HTTP Server with the OAM WebGate in front of the secured ADF application in adf_domain (steps 1-2); Oracle Internet Directory is the identity store.

Page 47

Oracle ADF With Single Sign-On Using OAM

Diagram: as on page 46, with Oracle Access Manager running in a separate idm_domain (steps 1-2).

Page 48

Oracle ADF With Single Sign-On Using OAM

Diagram: Oracle Access Manager establishes an OAM session, tracked by the OAM_ID cookie (steps 1-2).

Page 49

Oracle ADF With Single Sign-On Using OAM

Diagram: the OAMAuthnCookie set for the WebGate accompanies subsequent requests, which the WebGate passes on to the secured ADF application (steps 1-3).

Page 50

Program Agenda

•  Application Security Risks •  Security Principles & Pattern •  Handling Data Entry •  ADF Security •  Single Sign-On •  Securing ADF Applications

Page 51

Ok, ADF Security is on my list. What else?

Image: imagerymajestic/ FreeDigitalPhotos.net

Exercise

Page 52

ADF Business Components

•  Define ADF Security permissions for entities and entity attributes
–  Permissions are enforced by the ADF framework
–  In addition, hide controls like delete buttons using security EL if a user is not allowed to delete an entity

•  Avoid dynamically built SQL statements; use view objects and view criteria with named bind variables

•  Validate input variables before issuing executeQuery on the view object
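Added example (not Oracle's code) contrasting the two approaches of the second bullet, as custom methods on an application module implementation class, with the validation the third bullet asks for done before executeQuery. Assumptions: the module contains a view object instance `EmployeesView` whose query declares a bind variable `pName` (`WHERE UPPER(last_name) LIKE UPPER(:pName)`), a second instance `EmployeesAllView` with no WHERE clause, and a name rule that is purely illustrative.

```java
import oracle.jbo.JboException;
import oracle.jbo.ViewObject;
import oracle.jbo.server.ApplicationModuleImpl;

/** Custom methods on the (generated) application module implementation class. */
public class HrModuleImpl extends ApplicationModuleImpl {

    // Letters, spaces, apostrophes, hyphens and dots only, 1 to 50 characters (assumed rule).
    private static final String NAME_PATTERN = "[\\p{L} '\\-.]{1,50}";

    /** VULNERABLE: the search term becomes part of the SQL text. */
    public void searchEmployeesUnsafe(String lastName) {
        ViewObject vo = findViewObject("EmployeesAllView");
        // A term such as  x%') OR 1=1 --  rewrites the statement; no framework
        // feature downstream can tell the injected part from the intended query.
        vo.setWhereClause("UPPER(LAST_NAME) LIKE UPPER('" + lastName + "%')");
        vo.executeQuery();
    }

    /** SAFE: validate first, then hand the value to the database as a bind variable. */
    public void searchEmployees(String lastName) {
        if (lastName == null || !lastName.matches(NAME_PATTERN)) {
            // JboException surfaces in the UI as a normal error message.
            throw new JboException("Invalid search term");
        }
        ViewObject vo = findViewObject("EmployeesView");
        // :pName is declared on the view object; the value travels as a bind value
        // and is never parsed as SQL, so quotes and comment markers are harmless.
        vo.setNamedWhereClauseParam("pName", lastName + "%");
        vo.executeQuery();
    }
}
```

The validation step is not what stops the injection (the bind variable does); it narrows the accepted input so that unexpected values are rejected with a clear message instead of producing odd query results, and it gives the database layer one less thing to trust.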

Page 53

ADF Controller

•  Navigate using control flows and avoid navigation through redirects

•  Configure exception handler activities in all bounded task flows

•  Protect task flow access using ADF Security
–  The framework enforces user authorization
–  In addition, hide navigation UI controls using security EL if a user is not allowed to access a task flow

•  Ensure task flows that use JSF documents are not accessible from browsers
–  Enforce a single point of access for your application

Page 54

ADF Binding Layer

•  Use the "viewable" property on bindings to check user permissions using security EL
–  If viewable evaluates to false, the associated UI component renders read-only

•  Configure a custom error handler in DataBindings.cpx to control the information displayed to users
–  Distinguish between authorized personnel and ordinary users when displaying and logging error messages

Page 55

ADF View

•  Hide all UI components users are not supposed to see or use
–  Use security EL on the "rendered" property

•  Look for ways to simplify security configuration by grouping protected components

What about the "display" property? A component that is merely hidden on the client (for example with the ADF Faces visible attribute set to false) is still rendered into the response, so its markup and data reach the browser; only rendered="false" keeps it out.

Image: imagerymajestic/ FreeDigitalPhotos.net

Page 56

Input Validation

•  ADF View
–  Validator / Converter
•  Components
•  Managed bean
–  Value change event handlers
–  Client-side scripts

•  ADF Binding
–  Binding element validator

Page 57

Input Validation

•  ADF Business Components
–  Entity validation
•  Cross-attribute validation, like dependent field validation
–  Entity attribute validation
•  Validates individual attribute values
–  Transaction level
•  Entity setting to defer validation until before commit

Page 58

You there – tall guy, blue shirt, sitting in the back. What else?

Image: imagerymajestic/ FreeDigitalPhotos.net

Exercise

Page 59

Think Out Of The Box!

Page 60

Some Ideas

•  Servlet filter
•  Phase listeners
•  Component validators
•  Bind variables
•  Custom Resource Permissions & Security EL or Java
•  Move page documents into /public_html/WEB-INF
•  Managed beans, ViewImpl and EntityImpl
•  MDS customization classes
•  RDBMS security (label security, triggers ...)
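Added example (not Oracle's code) of the first idea in this list, which also implements the single point of access asked for on the ADF Controller slide: a servlet filter that answers 404 to any direct browser request for a page fragment or for a page document other than the application's entry pages. The entry page paths are assumptions; the filter is mapped to `/*` in web.xml. Moving the documents under WEB-INF, as the list suggests, is the stronger fix; the filter is a second layer.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Single point of access: only the listed entry pages may be requested by URL. */
public class SingleEntryPointFilter implements Filter {

    // Assumed entry pages; everything else is reached through task-flow navigation.
    private static final Set<String> ENTRY_PAGES = new HashSet<>(Arrays.asList(
        "/faces/index.jspx",
        "/faces/login.jspx"));

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        if (!isAllowed(path)) {
            // 404 rather than 403: do not confirm that the document exists.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Package-private so the rule can be unit-tested without a container. */
    static boolean isAllowed(String path) {
        // Drop path parameters (";jsessionid=...") and compare case-insensitively.
        int semi = path.indexOf(';');
        String clean = (semi >= 0 ? path.substring(0, semi) : path).toLowerCase(Locale.ROOT);

        if (clean.endsWith(".jsff")) {
            return false;                         // fragments are server-side includes only
        }
        if (clean.endsWith(".jspx") || clean.endsWith(".jsp") || clean.endsWith(".jsf")) {
            return ENTRY_PAGES.contains(clean);   // any other page document: not by URL
        }
        return true;                              // resources, servlets, ADF internal URLs
    }
}
```

Because the check is on the servlet path, a request for the raw document without the `/faces/` prefix is rejected as well, and the rule stays the same as pages are added: a new page is either an entry point listed here or it is reached only through the controller.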

Page 61

Conclusion

•  Become aware of what your business is afraid of and what you want to protect within your application
•  Security must be implemented on all application layers
•  Permissions should be granted to roles and never to users directly
•  ADF Security is a tool that makes it easier to enforce authentication and authorization in ADF applications. However, it is not all you need.
•  Application security requires you to be creative and think out of the box. Not all tools you can use for security have the name "security" in them

Page 62

Further Reading

•  Security for Everyone – Oracle Magazine article
–  http://www.oracle.com/technetwork/issue-archive/2012/12-jan/o12adf-1364748.html

•  ADF Security documentation
–  Oracle JDeveloper and ADF Documentation Library
–  Fusion Developer Guide
•  "Enabling ADF Security in a Fusion Web Application"

•  ADF Insider Recordings
–  ADF Security overview
•  http://download.oracle.com/otn_hosted_doc/jdeveloper/11gdemos/AdfSecurity/AdfSecurity.html
–  Security Deployment
•  http://download.oracle.com/otn_hosted_doc/jdeveloper/11gdemos/adf_security1/adf_security1.html
•  http://download.oracle.com/otn_hosted_doc/jdeveloper/11gdemos/adf_security2/adf_security2.html
–  Single Sign-on
•  http://download.oracle.com/otn_hosted_doc/jdeveloper/11gdemos/adf_oam_integration/adf_oam_integration.html

Page 63