Credentials Required Security Features

19-2 Oracle Fusion Middleware Application Security Guide

2. The developer defines Java EE logical roles and assigns them privileges through security constraints, all through configuration in standard Java EE deployment descriptors.

3. The components are assembled and combined into an Enterprise Archive (EAR) file. As part of this process, the assembler specifies options appropriate to the environment.

4. The assembler defines application-level security constraints and resolves potential conflicts between module-level configurations.

5. The EAR file is deployed to Oracle WebLogic Server. As part of the deployment process, the deployer may map Java EE roles to deployment users and roles.

6. The system administrator maintains and manages the deployed application. This task includes creating and managing roles and users in the deployment environment as required by the application customers.

For finer-grained code-based or subject-based access control using Java 2 or JAAS features, the traditional steps include:

1. The developer identifies any resources that may be accessed and must be protected as appropriate.

2. The developer defines permissions to protect these resources.

3. The developer implements code for runtime authorization checks.

4. The system administrator maintains any necessary policy configuration to enforce the desired permissions. Policy provisioning should be completed prior to runtime.

Oracle ADF and OPSS provide these enhancements:

■ At Design Time - modeling of application roles, defining resources as permissions, and assigning permissions to roles. Application credential management is supported; for example, ADF connections can store credentials in the Credential Store Framework during design time.

■ At Deployment Time - policy and credential migration options are available.

■ Post-deployment, the administrator performs essential tasks such as mapping application roles to enterprise users or groups, which are reflected at run time.
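The four code-based steps above, worked through in plain Java SE/JAAS terms as an added example (not code from the guide or from OPSS). The class names ReportPermission, AppPrincipal and ReportService, the permission name "reports.view" and the policy file app.policy are hypothetical, and the example assumes a JDK that still ships the Java SE security manager.

```java
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

// Step 2: a permission that names the protected resource. BasicPermission names are
// hierarchical, so a policy grant of "reports.*" implies "reports.view".
final class ReportPermission extends BasicPermission {
    ReportPermission(String name) { super(name); }
}
// Hypothetical principal type the policy is written against; in a container the login
// module, not application code, populates the Subject with the user's principals.
final class AppPrincipal implements Principal {
    private final String name;
    AppPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
    @Override public boolean equals(Object o) { return o instanceof AppPrincipal && name.equals(((AppPrincipal) o).name); }
    @Override public int hashCode() { return name.hashCode(); }
}
// Steps 1 and 3: the protected resource and its runtime check. The installed Policy decides
// it against the Subject on the call stack; with no matching grant it throws AccessControlException.
final class ReportService {
    String viewReport(String id) {
        AccessController.checkPermission(new ReportPermission("reports.view"));
        return "report " + id;
    }
}
public class PermissionCheckDemo {
    public static void main(String[] args) {
        Subject manager = new Subject();                          // constructed sample subject
        manager.getPrincipals().add(new AppPrincipal("manager"));
        ReportService svc = new ReportService();
        // Run the protected call as the subject so the policy sees its principals.
        String result = Subject.doAsPrivileged(manager,
                (PrivilegedAction<String>) () -> svc.viewReport("42"), null);
        System.out.println(result);
    }
}
// Step 4 (administrator, before runtime): save the grants below as app.policy and run with
//   java -Djava.security.manager -Djava.security.policy=app.policy PermissionCheckDemo
// The unconditional block only lets the demo build and act as a Subject; the application
// permission is granted solely to code running as the "manager" principal.
//   grant {
//       permission javax.security.auth.AuthPermission "modifyPrincipals";
//       permission javax.security.auth.AuthPermission "doAsPrivileged";
//   };
//   grant principal AppPrincipal "manager" {
//       permission ReportPermission "reports.*";
//   };
```

Removing the principal-scoped grant, or running the call as a Subject whose principal is not "manager", makes viewReport fail with AccessControlException, which is the deny-by-default behaviour the policy step is meant to guarantee.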

19.1.2 Challenges of Securing Java Applications

Java developers face some challenges in developing secure applications:

■ The Java EE standard does not define any API for fine-grained authorization, credential mapping, role mapping, auditing, or integration with single sign-on.

■ Developers need to acquire in-depth security knowledge at the expense of focusing on application business logic.

■ There is no consistent security experience across platforms. For example, custom security solutions typically build their own security framework, which is often not portable across platforms.

■ Custom solutions for securing Java EE applications often lack support for large enterprise security deployments.