Wednesday, September 28, 2011

ADF Library Feature & Security

JDev Version 11.1.2.

Since we can break a big application into small workspaces and projects, I was wondering how we can implement security in that case. For example, consider a project, say Producer, which has all the task flows required by another project, say Consumer. Suppose the Consumer project has ADF Security enabled, and the requirement is that a column of a table rendered in the Producer's task flow should be read-only based on the roles defined in the jazn of the Consumer project. How should we implement security in this case?
This blog is about that.

For this, I am using the same project that I used for Effective Dates entities as the Producer (to save time), as shown below:



The components relevant for this blog are highlighted above.
The FirstTaskFlow has only one view activity, as shown below:


And that view activity contains just one table created from DatedVO->DatedEO, as shown below:


I created an 'ADF Library' deployment profile for the ViewController project and deployed the project, so that consumer applications can create a File System connection and use the task flow available in the ViewController project. Since the ViewController project also depends on the Model project, the deployed jar automatically contains the BC4J components as well.

Then I created a separate workspace, JarConsumerApp, as the consumer application which will use the FirstTaskFlow of the producer application. I created a new File System Connection pointing to the location of the ViewController jar, and then added that ViewController jar to the ConsumerViewController project, as shown below:



As soon as we add the library, the AM entry becomes visible in the Data Control section, and in the Project Properties->Libraries and Classpath section the jar's entry gets added in the ADF Library section, as shown below:




Now, to add FirstTaskFlow to First.jspx, you first need to see that task flow in the Application Navigator. For this, select 'Show Libraries' as shown below:


Then, expand ADF Library->WEB-INF and drop the task flow to First.jspx page as region, as shown below:


After running, First.jspx looks as shown below:



It has only one row, and that row is editable.
Now, I want to try two things:

1. The SysEffectiveDate column should be read-only on the UI for Non-Admin users.

For this, we need to enable ADF Security and do some setup on the Consumer project only, i.e. JarConsumerApp. After running the ADF Security wizard, I did the following:
  1. Added two new roles: Admin & NonAdmin.
  2. Created two new users: Admin & NonAdmin. Assigned the Admin user to the Admin role, and similarly assigned the NonAdmin user to the NonAdmin role, as shown below:



Then, in the Resource Grants section, select 'Resource Type' as Task Flow, and check the checkbox for 'Show task flows imported from ADF libraries' option.
Now, assign the view action on FirstTaskFlow to both Admin and NonAdmin roles, as shown below:




Do the same for the First.jspx page as well, as shown below:




Now, to make SysEffectiveDate read-only, open FirstView.jspx of Producer project, and modify the input text field as shown below:




Now, redeploy the project, and run First.jspx again, this time logging in as NonAdmin user. The following screen appears:



As you can see, the SysEffectiveDate column appears read-only, which means that the security context of the producer project was able to resolve the roles defined in the consumer project.
Try logging in as Admin user, and then the following screen appears:



So, the EL expression is working fine.


2. Only Admin should be able to read DatedEO.

For this, we need to define at entity level that read operation is secured, as shown below:



Then, we need to modify jazn to tell which role can read DatedEO data; in our case it is Admin, as shown below:



Now, run First.jspx again as the NonAdmin user; the following screen comes up:



However, if logged in as Admin user, the following screen comes up:




Since only the Admin role is granted the 'read' action, the data is displayed for Admin and not for NonAdmin.
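To show what the two setups above (the task-flow grant for both roles and the entity-level 'read' grant for Admin only) end up as in the consumer's jazn-data.xml, here is an added excerpt; it is an illustration, not the post's own file. The role name Admin and the entity DatedEO come from the post; the task-flow path /WEB-INF/FirstTaskFlow.xml, the entity package "model" and the readOnly EL in the comment are assumptions.

```xml
<jazn-data>
  <policy-store>
    <applications>
      <application>
        <name>JarConsumerApp</name>
        <app-roles>
          <!-- Role defined in the consumer; the producer page's EL (assumed form:
               readOnly="#{!securityContext.userInRole['Admin']}") resolves against it. -->
          <app-role>
            <name>Admin</name>
            <class>oracle.security.jps.service.policystore.ApplicationRole</class>
            <members>
              <member>
                <class>weblogic.security.principal.WLSUserImpl</class>
                <name>Admin</name>
              </member>
            </members>
          </app-role>
          <!-- The NonAdmin app-role is declared the same way (omitted here). -->
        </app-roles>
        <jazn-policy>
          <grant>
            <grantee>
              <principals>
                <principal>
                  <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                  <name>Admin</name>
                </principal>
              </principals>
            </grantee>
            <permissions>
              <!-- Point 1: 'view' on the imported task flow; NonAdmin's grant has only this. -->
              <permission>
                <class>oracle.adf.controller.security.TaskFlowPermission</class>
                <name>/WEB-INF/FirstTaskFlow.xml#FirstTaskFlow</name>
                <actions>view</actions>
              </permission>
              <!-- Point 2: 'read' on DatedEO for Admin only; without it no rows are shown. -->
              <permission>
                <class>oracle.adf.share.security.authorization.EntityPermission</class>
                <name>model.DatedEO</name>
                <actions>read</actions>
              </permission>
            </permissions>
          </grant>
        </jazn-policy>
      </application>
    </applications>
  </policy-store>
</jazn-data>
```

Note that the entity grant lives entirely in the consumer's policy store even though DatedEO is packaged in the producer's jar, which is why the library needs no security configuration of its own.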
That's it.
