Request for comment: Using identity stores and managing users in ADF


John Stegeman

Jan 4, 2012, 3:17:03 PM
to adf-met...@googlegroups.com
Hello all,

Hope you have all had an enjoyable year and I wish you and your families health and peace in 2012.

I've been noodling over an idea for about the past 18 months, and Frank N rightly suggested a post on EMG to gather ideas. There is a steady stream of posts on the OTN forums regarding the general topic of identity management and ADF. I don't mean ADF security, but specifically using different authentication providers with ADF (LDAP, DB tables, DB accounts, etc) and how user management works (create users, assign roles, change passwords, etc). Most people want something within their application to do these types of user management activities, but as you may know, ADF doesn't have anything out-of-the-box for this. I'm thinking about putting together some papers/cookbooks/etc around these general topics. The purpose of this post is to solicit feedback/use cases/requirements in this area. 

I'll leave things fairly general for now, and look forward to feedback from the EMG. I'd also be happy to share authorship duties if there is anyone who would be interested!

Regards,

John

John Flack

Jan 4, 2012, 4:21:51 PM
to adf-met...@googlegroups.com

John, I’m certainly interested in this – it sits in an area between JDeveloper/ADF and Weblogic, with a side trip off to an identity store like Oracle Internet Directory or OpenLDAP, or even the little identity store that is built into Weblogic Server.  Since it isn’t clearly an ADF issue or a Weblogic issue, it tends to fall through the cracks.  And it’s a problem we’re working through right now as we’re in test mode on our first ADF 11g application – all our production ADF applications are ADF 10gR3 running on OC4J, which was much easier to configure for identity management IMHO, though it had many fewer choices of identity providers.


Duncan Mills and Peter Koletzke have been doing a very good presentation about how to configure authentication and authorization for ADF.  Unfortunately, the presentation shows how to configure users, groups, and roles for the integrated Weblogic Server, but not how this relates to what you need to do on an external application server.


Thank you for considering this.

Chad Thompson

Jan 4, 2012, 3:49:13 PM
to adf-met...@googlegroups.com
John:

This is a great idea - I'll add a few ideas around the 'basics'.

* I've noticed, too, that there are quite a few questions around using authentication providers, etc.  It would be useful to set up a basic cookbook example of an ADF app that requires a login, authenticates against the WebLogic provider, etc.

* For that matter, it might be nice to have an example of ADF in a "non-WebLogic" environment.  I haven't used ADF as such, actually - it might be nice to see how ADF Security works with other app servers.

* In the Weblogic-centric world, though, there is quite a bit of ADF that relies on Weblogic for services. Something like "Weblogic for ADF Developers" could be either an interesting few pages, or an entire book. (!!)

-- 
Chad Thompson


--
You received this message because you are subscribed to the ADF Enterprise Methodology Group (http://groups.google.com/group/adf-methodology). To unsubscribe send email to adf-methodolo...@googlegroups.com
 
All content to the ADF EMG lies under the Creative Commons Attribution 3.0 Unported License (http://creativecommons.org/licenses/by/3.0/). Any content sourced must be attributed back to the ADF EMG with a link to the Google Group (http://groups.google.com/group/adf-methodology).

Jakub Pawłowski

Jan 4, 2012, 4:58:39 PM
to adf-met...@googlegroups.com
Hi,

+1 for this idea.
From my point of view, I would expect one complete application code sample (e.g. as a bounded task flow) showing how to manage users, groups and roles through the WLS (OPSS) API. I have had a few questions from customers about whether it is possible to build such a little management panel into their ADF applications to manage security and avoid logging in to the WLS console.


Madhan Ganapathy

Jan 4, 2012, 8:25:59 PM
to adf-met...@googlegroups.com
Hi,

  It's a good idea.

  Regarding the user management tasks (create users, assign roles, etc.) from within the application, Oracle Fusion Applications is doing that already with its own custom UI and with some background processes for the integration with Oracle Identity Management (IDM), which is the backbone of Fusion Applications for security. I am yet to dive deep to know the actual APIs that are called.

  Regarding the general Fusion Middleware security involving ADF and OPSS, I've come across this post that has a sample application, which demonstrates the use of Oracle Platform Security Services (OPSS) through ADF. I have tested this application and it's working fine in my JDeveloper 11gR1.
 
Link for the Sample application mentioned in the Blog: http://www.oracle.com/technetwork/testcontent/ezshare-131779.zip

Thanks and Regards,
Madhan

ugb

Jan 5, 2012, 1:40:56 AM
to ADF Enterprise Methodology Group
Hi,
I like the idea. Maybe we need something like this, with a UI, for ADF:

The Project Open Provisioning ToolKit (OpenPTK) http://www.openptk.org

It would be great to have an ADF library for every security provider
and a quick guide with the topics:
- Setup
- Customize
- Using it in your own UIShell

Regards,
Ulrich Gerkmann-Bartels

PS. In addition, it would be nice to have a lightweight custom database
permission store implementation for ADF Security.

Jean-Marc Desvaux

Jan 5, 2012, 2:11:33 AM
to adf-met...@googlegroups.com
Hi John,

Good idea.

I will start working on an upgrade to OAM & OID 11g soon to migrate security infrastructure currently on OID 10g & OSSO 10g supporting both 10g & 11g ADF applications.
Being entitled to OID & OAM "basic" (under iAS 10g licencing) which only allows you to have Oracle tiers in the game, I will most probably stick to this choice.

For 11g authentication (which is the easiest part), we use ldap and the wls provider.
We have both a Form & an ADF application to maintain application users and roles in the database and at the same time sync at ldap level the users and groups using plsql packages. We don't explicitly rely on OPSS APIs.
All will stay as is in the new setup.

The ldap level is for authentication and first level access and the database security data is for more granular security.

-Jean-Marc

Jan Vervecken

Jan 5, 2012, 3:58:37 AM
to ADF Enterprise Methodology Group
hi John

Just wanted to point to some related forum threads:

- "ADF Security : identity store : tables in a SQL database"
at https://forums.oracle.com/forums/thread.jspa?threadID=2297519
(where Frank Nimphius suggested to create a sample for the use-case )
- "OPSS : addMembersToApplicationRole : The search for role failed"
at https://forums.oracle.com/forums/thread.jspa?threadID=2255413
(where I am trying to get feedback on the ((un)supported?) use-case in
a related service request)

regards
Jan Vervecken

John Stegeman

Jan 5, 2012, 6:27:04 PM
to adf-met...@googlegroups.com
Thanks, everyone, for the comments. Unfortunately I need to put this project on hold for a bit of time, but I'm still very keen to push forward. I welcome additional comments, and as time becomes available, I'll update the discussion with a summary of what I plan to do and the order so that people can comment. I'd still love to collaborate with people to produce the deliverables.

Regards,

John

fnimphiu

Jan 6, 2012, 8:38:53 AM
to ADF Enterprise Methodology Group
One of my new year's resolutions is to follow discussions on this
forum more closely (especially now that the OTN forum is well handled
by the community, freeing some of my time). This one seems to be a
good opportunity to start with.
Btw.: Happy New Year.

Before John approached me with his idea for a cookbook, I had already
decided to write my next Oracle Magazine article about development and
configuration of custom authentication providers. I plan to update
work I did for OC4J, which is to develop Java EE authentication for
database schema authentication and PL/SQL stored procedure
authentication. This then will come with a sample (publishing would be
in the Oracle Magazine May/June edition). So some work will be done on
this already.

What we first need is a "table of contents" to incrementally and
sequentially work on implementing. To shorten time-to-delivery, we
can publish each topic as blog entries (or whatever publication you
want to go for) and collate all the contributions into a full document
(Wiki or whitepaper) when all or most of the topics are covered.

So let's work on ideas for a table of contents. Later we can think
about use cases that would showcase the requirements per topic.

Frank

Amr Gawish

Jan 6, 2012, 10:50:38 AM
to adf-met...@googlegroups.com
Hi John,
This is interesting, and I'm always facing this requirement as part of any "Admin" Module of any ADF Application, to handle users/roles in that application, however I found using JMX my good resolution as ADF is always depending on Weblogic, and JMX can make use of this in its best ways, by retrieving User/Roles and if privileged to manipulate them as well.

I don't know but if this cookbook gonna see light, just don't forget JMX as a topic in it 

Best Regards,
Amr Gawish
Senior Oracle Middleware Consultant

Edwin Biemond

Jan 6, 2012, 1:00:52 PM
to ADF Enterprise Methodology Group
Great plan,

First I think we need some kind of overview guide to show what is
possible, an explanation of the terms, what you do where, and the
restrictions. After that we can zoom in.

A wiki would be great; then we can make this better, work together
and make it complete instead of lots of blogs or white papers.

thanks



fnimphiu

Jan 7, 2012, 2:58:14 PM
to ADF Enterprise Methodology Group
OPSS and thus ADF Security will require FMW, which means we are bound
to FMW supported servers. So I think we should first focus on WLS and
then Websphere, followed by any other server supported by FMW in the
future.

Ideally (an application developer's wish) we find an option to abstract
account provisioning for ADF applications so that you write your code
once and then make it work on another platform only through
re-configuration (which could be on the OPSS level or on a custom
application security layer, or ADF Security directly).

Jan Vervecken

Jan 10, 2012, 2:33:50 AM
to ADF Enterprise Methodology Group
hi Frank

- about "Ideally (an application developer's wish) we find an option to
abstract account provisioning for ADF applications so that you write
your code once and then make it work on another platform only through
re-configuration (which could be on the OPSS level or on a custom
application security layer, or ADF Security directly)."

To try to find such abstract account provisioning for ADF
applications, maybe someone can just start writing the application
that is needed to manage users.
While doing so, one could keep an eye on the stuff that would be
needed to implement it that might not be readily available and
abstract it into interfaces.
I can imagine stuff like an AppUserService or AppUser being involved
(but those will evolve/grow while such an application is being written):

package adfemg.im;

// Service the application codes against; an adapter per identity store implements it.
public interface AppUserService
{
    public AppUser readAppUser(String pUsername);
    public int createAppUser(AppUser pAppUser);
    // ...
}

and

package adfemg.im;

// Transfer object describing one application user.
public interface AppUser
{
    public void setUsername(String pUsername);
    public String getUsername();
    public void setPassword(String pPassword);
    public String getPassword();
    public void setFirstname(String pFirstname);
    public String getFirstname();
    // ...
}

Once done, it should be (more) clear what API is needed.
At that point one could review if some similar API already exists.
(Who knows some part of http://www.openptk.org could fit, as suggested
in this thread before, or something else.)
Once such API is chosen or created, some implementations (found or
created) could be reviewed (preferably through re-configuration).

But, as some would say, "one size doesn't fit all", and surely this
approach would cover only a specific set of use-cases.
In a way that is a good thing (as those use-cases are covered then),
and there is nothing that prevents evolving the API to cover more
use-cases.

It is just an idea.

regards
Jan Vervecken

fnimphiu

Jan 11, 2012, 10:23:55 AM
to ADF Enterprise Methodology Group
Jan,

I agree that we need to partition work load and involve the EMG (after
all this is what Chris had in mind when founding this group).

Besides the API you outline, we also need a way to define some sort
of contract/configuration so that an implementation of the interface
can be dynamically configured. This way your application (assuming you
sell it) can be more easily customized and deployed to multiple systems
with different authentication APIs. Kind of a pluggable architecture.

Frank
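The two posts above sketch an interface (AppUserService/AppUser) plus a configuration contract that selects the adapter at deployment time. The following is an added example, not code from this thread or from any Oracle library, that puts both together in one runnable file: the interfaces, a hypothetical in-memory adapter standing in for an LDAP, database-table or OPSS adapter, and a factory that loads the adapter named in a property (the key adfemg.im.userService and all sample data are assumptions). It departs from Jan's sketch in one security-relevant way: createAppUser takes the password as a char[] and the read-side AppUser exposes no getPassword, so the adapter stores only a salted PBKDF2 hash and verifies with a constant-time comparison.

```java
package adfemg.im;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Map;
import java.util.Properties;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Read-side view of a user; the password deliberately never leaves the adapter. */
interface AppUser {
    String getUsername();
    String getFirstname();
}

/** Provisioning contract the application codes against; each identity store gets an adapter. */
interface AppUserService {
    AppUser readAppUser(String username);
    /** Returns the number of accounts created: 1, or 0 if the username already exists. */
    int createAppUser(String username, String firstname, char[] password);
    boolean verifyPassword(String username, char[] password);
}

/** Hypothetical adapter backed by a map, standing in for an LDAP, database-table or OPSS adapter. */
class InMemoryAppUserService implements AppUserService {
    private static final int ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;

    private static final class StoredUser implements AppUser {
        final String username, firstname;
        final byte[] salt, hash;
        StoredUser(String username, String firstname, byte[] salt, byte[] hash) {
            this.username = username; this.firstname = firstname; this.salt = salt; this.hash = hash;
        }
        public String getUsername() { return username; }
        public String getFirstname() { return firstname; }
    }

    private final Map<String, StoredUser> users = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();

    @Override public AppUser readAppUser(String username) { return users.get(username); }

    @Override public int createAppUser(String username, String firstname, char[] password) {
        byte[] salt = new byte[16];
        rng.nextBytes(salt);                                  // per-user salt defeats precomputed tables
        StoredUser candidate = new StoredUser(username, firstname, salt, derive(salt, password));
        return users.putIfAbsent(username, candidate) == null ? 1 : 0;
    }

    @Override public boolean verifyPassword(String username, char[] password) {
        StoredUser u = users.get(username);
        if (u == null) return false;                          // unknown user answers like a wrong password
        return MessageDigest.isEqual(u.hash, derive(u.salt, password)); // constant-time comparison
    }

    /** PBKDF2 so a leaked store cannot be brute-forced cheaply. */
    private static byte[] derive(byte[] salt, char[] password) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalStateException(e);
        }
    }
}

/** Adapter selection by configuration: the application is re-configured, not re-coded, per platform. */
final class AppUserServiceFactory {
    static final String IMPL_KEY = "adfemg.im.userService";  // assumed configuration key

    static AppUserService fromConfig(Properties config) {
        String impl = config.getProperty(IMPL_KEY, InMemoryAppUserService.class.getName());
        try {
            // The class name comes from deployment configuration, which must be as trusted as the code itself.
            return (AppUserService) Class.forName(impl).getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException | ClassCastException e) {
            throw new IllegalStateException("cannot load AppUserService adapter " + impl, e);
        }
    }
}

public class ProvisioningDemo {
    public static void main(String[] args) {
        Properties config = new Properties();                 // constructed in place of a config file
        config.setProperty(AppUserServiceFactory.IMPL_KEY, "adfemg.im.InMemoryAppUserService");
        AppUserService svc = AppUserServiceFactory.fromConfig(config);

        char[] pw = "constructed-sample-password".toCharArray();
        System.out.println("created: " + svc.createAppUser("jdoe", "John", pw));
        System.out.println("duplicate rejected: " + (svc.createAppUser("jdoe", "John", pw) == 0));
        System.out.println("login: " + svc.verifyPassword("jdoe", pw));
        System.out.println("wrong password: " + svc.verifyPassword("jdoe", "nope".toCharArray()));
        System.out.println("firstname: " + svc.readAppUser("jdoe").getFirstname());
    }
}
```

Save as adfemg/im/ProvisioningDemo.java and run with javac and java (Java 8 or later). Swapping the identity store means writing another AppUserService implementation and changing the one property; the application code and the password-handling rules stay where they are.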

fnimphiu

Jan 11, 2012, 1:37:44 PM
to ADF Enterprise Methodology Group

I got another input from a reader of my Oracle Magazine column. He
finds it difficult to set up end-to-end security with ADF because the
information we (Oracle) provide is distributed across different books
in the FMW documentation. The scenario he likes to see covered in a
single document is implementation of security in ADF, deployment to
WLS, configuration of WLS, as well as the use and integration of OAM
for authentication. So I think we need to step back and look at the
broad picture of what is required in terms of table of contents.

Maiko Rocha

Jan 11, 2012, 7:20:23 PM
to adf-met...@googlegroups.com
That's a common scenario for WebCenter customers too, especially because that also involves BPEL, Forums and more specifically UCM, which does not leverage OPSS in 11g. I've been working internally with some colleagues on my team at Oracle and we should be coming out with a series of security-related posts that should cover part, if not all, of what is being discussed in this thread.

Jean-Marc Desvaux

Jan 12, 2012, 2:20:16 AM
to adf-met...@googlegroups.com
Frank,

As posted earlier, I've just started a "submarine" exploration of docs, blogs etc. to upgrade my 10g setup. It will lead to an internal doc detailing step-by-step installation of OAM, security setup in ADF, deployment to WLS, config of WLS for security and integration with OAM for authentication, authorisation and single sign-on.
We will share it once completed (depending on the abyssal creatures encountered during the exploration, it may take a bit of time :)

-Jean-Marc

Yannick Ongena

Jan 11, 2012, 10:38:19 AM
to adf-met...@googlegroups.com
Just a note... Isn't that what OAM and OVD are all about?
There are so many vendors for identity management. If you want to integrate
the management of users (creation, update, assign roles, etc.) into your ADF
application, you need to know how to access the API of your identity
store. If you are accessing an AD you have to write completely different
code than when accessing an OID.
It's a good idea to discuss a global interface but in the end, it's useless
when you don't have a working implementation of the adapters.


fnimphiu

Jan 13, 2012, 5:25:38 AM
to ADF Enterprise Methodology Group
Jean-Marc,

would this document also become publicly available (as you mention it
to be an internal doc)?

Yannick,

>It's a good idea to discuss a global interface but in the end, it's useless
>when you don't have a working implementation of the adapters.

but exactly this is the idea. Developers code against an interface and
adapters need to be created and configured to make the code work on
a specific platform. So when the interface is defined, we may create
one or two adapters here at EMG. Then if you need other identity
management platform support, you just write your adapter conforming to
the interface and you should be done. Unless I misinterpret your
comment and you say that OAM and OID could be such a generic adapter
to other systems. Still, the problem I would see is that people may not
want to install OAM or OID to get authentication for their ADF
applications.

Frank

Jean-Marc Desvaux

Jan 13, 2012, 5:37:29 AM
to adf-met...@googlegroups.com
>would this document also become publicly available (as you mention it 
>to be an internal doc)?  

Yes publicly available.

fnimphiu

Jan 16, 2012, 10:41:35 AM
to ADF Enterprise Methodology Group
Thanks - Good to know.

Not sure if this is on the road map for your document, but what I
would be interested in is some kind of guidance on when to use which
combination of security products and how they relate. My understanding
is that SSO could be done with OAM, but that there also is Oracle Enterprise
SSO, which sounds like it does the same. So would it be possible to define a
recommendation of what ADF developers should/could use for security
based on the expected user number, the size of the application and the
possible integration of SOA, UCM or WebCenter? If there is a single
architecture for all, then so much the better, but I guess there is a "starter
package", an "advanced package" and then the "enterprise package".

Jean-Marc, I am in HQ this week and the next. If you are out there
too, maybe we can meet to go over some of these topics. (To all EMG
members: I am not planning to take things offline but take an
opportunity to progress and get my thinking sorted)

Frank

Jean-Marc Desvaux

Jan 16, 2012, 11:48:40 AM
to adf-met...@googlegroups.com
Frank, 

No, I'm not in Oracle HQ this week (it could have been the case if I went to the UG leaders meeting, planned this week I think, but it's not the case; our UG is too young to start attending these things).

I may check, in the process, for LDAP & SSO alternatives on the non-Oracle side.
From what I've gathered so far, on the Oracle side, primarily today the solution is OID/OAM at different types & levels of licencing, but the setup for ADF is using the same whole big setup; you are just restricted by usage.
For example you can't add a non-Oracle party in the SSO process unless you licence OAM directly, but if you have iAS EE licences, you can use OAM & OID for Oracle-only integration (Basic licences).

As far as we talk technical only and not licencing, then the setup on the Oracle side today seems restricted to either the old OSSO & OID 10g (which can still be used for 11g tiers but you have to live with OC4J in the mix) or the new OAM/OID 11g for an Enterprise setup. For an ADF-only setup there are other ways, e.g. SAML for SSO (no single sign-out), and other LDAP repositories can be used as the ID store.

Unfortunately I won't have time to try many scenarios, but mainly the one applying to my env, e.g. to support ADF, Forms and Reports mainly.
In this case, OAM/OID is the way to go, so my effort will be put mainly there.

-Jean-Marc

Amr Gawish

Jan 13, 2012, 6:45:54 AM
to adf-met...@googlegroups.com
One Question Frank,

How can we help?

Best Regards,
Amr Gawish
Senior Oracle Middleware Consultant

fnimphiu

Jan 17, 2012, 11:07:15 AM
to ADF Enterprise Methodology Group
Amr,

I think what we need - at some point in time - is end-to-end
security coverage for a recommended infrastructure for different
application sizes and requirements. For example, customers that don't
have more than 5000 users and that don't need SSO, what are their
options? If the same customer has a need for SSO, what would need to
change? If the ADF application by the same customer integrates with
other products (say BPM) that also need security, what are the options
then? It's just an example of what I am currently trying to understand.
In the end it would be good to have some sort of matrix of security
requirements and how these can be addressed by Oracle security
products (as Jean-Marc mentions, leaving licensing cost aside). This
thread started with the question of user provisioning at runtime. So
once we understand the options and the components involved I am sure
we could also provide better help here at EMG for customers who need
e.g. to renew passwords in the scope of their ADF application.

Regee Chacko

Jan 23, 2012, 2:19:38 AM
to ADF Enterprise Methodology Group
After going through the steps to secure an ADF application, I think it
is too complicated.

The steps seem to be too scattered.
To protect a page I have to set permissions for Task Flow, Web Page,
Entity, Entity attributes.
Assuming that I have some custom actions to be secured like Approve,
Reject etc., I need to create custom permissions.

Isn't there a simpler method where I can see all the related
components for a page/task flow at one place and set the permissions?

What I have in my mind is something like below

Role:
Screen/Function    Privileges
Purchase Order     Show In Menu, Create, Update, Delete, Export Data, Approve/Reject
Items              Show In Menu, Create, Update, Delete, Export Data
Vendors            Show In Menu, Create, Update, Delete, Export Data, Change Status


Is this possible with the preset set of options? This type of screen
must be available to the administrator of the application.

Regee

fnimphiu

Jan 25, 2012, 12:02:41 PM
to ADF Enterprise Methodology Group
Btw.:

I found this blog entry about OPSS user handling you may find useful:
http://ramannanda.blogspot.com/2011/09/opss-adf-security-utility.html

Frank

fnimphiu

Feb 7, 2012, 4:00:47 AM
to ADF Enterprise Methodology Group
>Isn't there a simpler method where I can see all the related
>components for a page/task flow at one place and set the permissions?

This is what entitlement grants are for.

Frank