
18-4 Oracle Fusion Middleware Application Security Guide

interface to provision users and roles, manage user and role profiles, and change user passwords. Applications are expected to use the SPML interface for all write and update operations on users and roles.

18.3.4 OPSS for User and Role Profiling

OPSS exposes the User and Role API, a standard, privacy-enabled interface to read identity and role data without having to open explicit connections to the underlying data repositories. For details, see Chapter 25, Developing with the User and Role API.

18.3.5 OPSS for User Authorization

OPSS provides a scalable, extensible, role-based authorization framework that allows applications to specify and control their security artifacts, including entitlements, roles, and grants. The application defines security policies stored in the policy store that are enforced at runtime by the authorization engine. For details, see Chapter 23, Authorization for Java SE Applications.

18.3.6 OAPM for Application Policy Management

OAPM is used to manage security artifacts once the application has been deployed. Working with OPSS, OAPM facilitates many administration tasks, such as managing entitlements and roles, and mapping application roles to enterprise groups.

18.3.7 OPSS for Cryptography

OPSS provides other security services, including the Credential Store Framework for storing application credentials, cryptographic toolkits for message confidentiality, a toolkit to manage keys, and the audit framework for security auditing. For a complete list of developer tool APIs, see Appendix H, References.

18.4 Security Life Cycle of an Application

This section introduces the phases of the security life cycle of an application. It is assumed that the application uses ADF and that it is developed in the Oracle JDeveloper environment. The phases of the security life cycle of an application are the development phase, the deployment phase, and the management phase. The participants are the product manager or application architect, application developers, and application security administrators. For a summary of tasks, see Summary of Tasks per Participant per Phase.

18.4.1 Development Phase

In the development phase, developers design the application to work with the full range of security options available in Oracle Fusion Middleware. Developers have access to a rich set of security services exposed by Oracle JDeveloper, the built-in ADF framework, and the Oracle WebLogic Server. All these components are based on OPSS, which ensures a consistent approach to security throughout the application's life span.

Typically, a developer uses the ADF Security Wizard, an authorization editor, and an expression language editor, all within Oracle JDeveloper; additionally, the developer uses OPSS APIs to achieve more complex security tasks. Thus, some parts of the application use declarative security, others use programmatic security, and both rely on security features available in the development and run-time environment. Application developers also define policy seed data (application entitlements and roles) according to the application's security requirements; this seed data is kept in a source control system together with the application source code.

Integrating Java EE Application Security with OPSS 18-5

18.4.2 Deployment Phase

Once completed, an application is typically tested in a staging environment before being deployed to a production environment. In a production environment, both the application and the run-time services are integrated with other security components, such as user directories, single sign-on systems, user provisioning systems, and auditing. The security services usually change with the phase: for example, during development, a developer relies on a file or Oracle Wallet to store user credentials, but, in a production environment, credentials are stored in an LDAP directory. In the deployment phase, typically, an administrator migrates the policy seed data to the production policy store, and maps application roles to enterprise groups to effect application security policies.

18.4.3 Management Phase

The management phase starts once an application has been deployed to a production environment. In this phase, application administrators or enterprise security administrators manage day-to-day security tasks, such as granting users access to application resources, reviewing audit logs, responding to security incidents, and applying security patches.

18.4.4 Summary of Tasks per Participant per Phase

The following tables summarize the major responsibilities per participant in each of the security life cycle phases.

Table 18–1 Security Tasks for the Application Architect

Phase         Task
Development   Defines high-level application roles based on functional security and data security requirements.
              Populates the initial file-based application policy store jazn-data.xml.
Deployment    Defines real-world customer scenarios to be tested by the QA team.
Management    Understands and identifies the requirements to customize application policies.
              Considers defining templates for vertical industries.

18.5 Getting Started with Application Security Integration

Application security defines and enforces users' access to application resources. Access to resources varies depending on the level of risk associated with those resources. Thus, developers must secure application resources against unauthorized use by designing and implementing a robust security and identity model. Oracle Fusion Middleware prescribes a number of tools and procedures for defining and implementing such a model. The low-level security details are hidden from application developers because they use pre-integrated frameworks that enable both declarative and programmatic approaches.

18.5.1 Oracle Platform Security Services

OPSS provides an abstraction layer in the form of standard application programming APIs that insulate developers from security implementation details. For example, when using OPSS, developers need not be concerned with low-level details of cryptographic key management, or interfacing with user repositories and identity management infrastructures. Application developers use ADF declarative security in Oracle JDeveloper to integrate with OPSS, so that, in the development phase, OPSS services can be invoked directly from Oracle JDeveloper through wizards, and later on, in the deployment phase, systems and security administrators can configure OPSS services using OEM or command-line tools.

OPSS also includes OSDT, a set of Java-based cryptographic libraries supporting XML signature, XML encryption, XML Key Management Specification (XKMS), SAML, WS-Security, and other non-XML standards such as Secure/Multipurpose Internet Mail Extensions (S/MIME) and Online Certificate Status Protocol (OCSP).

Table 18–2 Security Tasks for the Application Developer

Phase         Task
Development   Uses tools and processes, specifically Oracle JDeveloper, to build the application and to create security artifacts, such as application roles and permissions.
              Uses FND Grants to specify data-level security.
              Tests the application using a local policy store with sample users and roles.
Deployment    Assists the QA team to troubleshoot and resolve runtime issues.

Table 18–3 Security Tasks for the Application Security Administrator

Phase         Task
Deployment    Uses deployment services to migrate security seed data in jazn-data.xml to the production policy store.
              Maps application roles to enterprise groups so that security policies can be enforced.
Management    Applies patches and upgrades software, as necessary.
              Manages users and roles, as enterprise users and the application role hierarchy change over time.
              Manages policies packed with the application and creates new ones.
              Integrates with and manages the IAM infrastructure.

18.5.2 Use Case 1 - Java EE Application

The ezshare application, an example of a Java EE application whose security has been integrated with OPSS and that uses permission-based grants, is available by clicking Sample Application in the Resources area of the following page: http://www.oracle.com/technology/products/id_mgmt/opss/index.html

18.6 Required Security Features

This section describes the features that an application integrating with OPSS must implement. These features are:

■ Credentials
■ Authentication
■ Authorization
■ User and Role Management

18.6.1 Credentials

If the application uses an external system as the credential store, then the passwords stored in that external system must be secured using the Credential Store Framework (CSF). Otherwise, the application must use an LDAP-based OID store as the credential store and CSF to access and manage data in that store. In any case, the application must use the CSF to access and manage credentials. For details, see Integrating the Credential Store. For further information about CSF, see Section 24.2, Overview of Application Development with CSF.

18.6.2 Authentication

An application integrating authentication with OPSS must use one of the following models:

■ Secure a servlet using container authentication (web.xml).
■ Secure an EJB using container authentication (ejb-jar.xml).
■ Use programmatic authentication.

A combination of the above models should be considered when the same code or authentication configuration is shared by both Java SE and Java EE components. Regardless of the model, the component (servlet, EJB, Web) must use an OID identity store. For details about integration, see Integrating Authentication. For further information about authentication, see also Chapter 22, Authentication for Java SE Applications.

18.6.3 Authorization

An application integrating authorization with OPSS must use one of the following models:

■ Policy-based authorization against an OID LDAP-based policy store.
■ Container-based authorization to secure servlets, EJBs, and Web components.

For details about integration, see Integrating Authorization. For further information about programmatic authorization, see also Chapter 22, Authentication for Java SE Applications.
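The artifact behind policy-based authorization is the file-based policy store jazn-data.xml that developers seed and administrators later migrate to the production policy store (see Table 18–1 and Section 18.6.3). The fragment below is an added example written for this page, not a file from the guide or from the ezshare sample: it defines one application role, makes an enterprise group a member of that role, and grants the role a single permission. The application name, role name, group name and page-definition name are placeholders; the principal and permission class names are the ones OPSS, WebLogic Server and ADF use for application roles, WebLogic groups and ADF region permissions, as assumed here.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Added example of a file-based policy store (jazn-data.xml).
     Names marked PLACEHOLDER are constructed for illustration. -->
<jazn-data xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/jazn-data-11_0.xsd">
  <policy-store>
    <applications>
      <application>
        <name>ExampleApp</name> <!-- PLACEHOLDER: application stripe name -->

        <!-- Application roles are the grantees of policies. Mapping an
             enterprise group into an application role is the step an
             administrator performs in the deployment phase (Table 18-3). -->
        <app-roles>
          <app-role>
            <name>OrderViewer</name> <!-- PLACEHOLDER -->
            <display-name>Order Viewer</display-name>
            <class>oracle.security.jps.service.policystore.ApplicationRole</class>
            <members>
              <member>
                <!-- Enterprise group from the identity store (WebLogic group principal). -->
                <class>weblogic.security.principal.WLSGroupImpl</class>
                <name>OrderDeskStaff</name> <!-- PLACEHOLDER -->
              </member>
            </members>
          </app-role>
        </app-roles>

        <!-- Grants: the only way a principal obtains a permission is through
             an explicit grant, so this list is the application's allow-list. -->
        <jazn-policy>
          <grant>
            <grantee>
              <principals>
                <principal>
                  <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                  <name>OrderViewer</name>
                </principal>
              </principals>
            </grantee>
            <permissions>
              <permission>
                <!-- ADF region permission: "view" on one page definition. -->
                <class>oracle.adf.share.security.authorization.RegionPermission</class>
                <name>view.pageDefs.OrdersPageDef</name> <!-- PLACEHOLDER -->
                <actions>view</actions>
              </permission>
            </permissions>
          </grant>
        </jazn-policy>
      </application>
    </applications>
  </policy-store>
</jazn-data>
```

Two properties of this layout matter for review. First, users never appear in the grant list: they reach a permission only through group membership in an application role, so revoking access is a directory change, not a policy edit. Second, a principal with no matching grant is denied by the authorization engine, so the file should contain only the grants the application actually needs; a grant on a broad permission name or wildcard action widens access for every member of the role.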

18.6.4 User and Role Management

An application integrating with OPSS must use the User and Role API to manage users and external roles programmatically. This API facilitates the use of identity services without the developer having to know low-level details such as the location of a user account or the particular physical implementation of roles. The User and Role API supports the following operations:

■ Create, update, delete, modify, get attributes, and change password on a user profile.
■ Create, update, delete, modify, and get attributes on a role.

For details about the User and Role API, see Chapter 25, Developing with the User and Role API.

18.7 Integrating Authentication

This section explains the most important points of the following topics:

■ Container-Based Authentication
■ Oracle WebLogic Server Authentication Providers
■ Programmatic Authentication
■ Single Sign-On through OPSS

18.7.1 Container-Based Authentication

To enable user authentication during the development phase, developers run the ADF security wizard, which generates the necessary OPSS configuration, and specify authentication methods in the application deployment descriptor web.xml. At run time, the container authenticates the end user of an application in one of the following ways: basic, form, or client cert. In most situations, form-based authentication is the appropriate choice. The container obtains the authentication data (such as user name and password) from the user; this data is processed by the Oracle WebLogic Server to establish a user session. OPSS then queries Oracle WebLogic Server for the authenticated subject when a protected resource is to be accessed.

18.7.2 Oracle WebLogic Server Authentication Providers

OPSS uses authentication providers available in Oracle WebLogic Server. These providers validate user credentials or system processes based on a user name-password combination or a digital certificate. They also make user identity information available through subjects to other components in a domain when needed. Available authentication providers include the Default Authenticator and the external LDAP stores. For details, see section Authentication Providers in Oracle Fusion Middleware Developing Security Providers for Oracle WebLogic Server.