
Deploying Secure Applications 6-3

6.2.1 Deploying Java EE and Oracle ADF Applications with Fusion Middleware Control

This section focuses on the security configurations available when deploying an application that uses Oracle ADF security, or a Java EE application that uses OPSS, with Fusion Middleware Control on the WebLogic server. Specifically, it describes the options you find in the page Configure Application Security at the third stage of the deploy settings. The appearance of this page varies according to what is packaged in the EAR file, as follows:

■ If the EAR file packages jazn-data.xml with application policies, the application policy migration section is shown.
■ If the EAR file packages credentials in cwallet.sso, the credential migration section is shown.
■ If the EAR file does not include any of the above, then the page displays the default Java EE security options.

This page, showing the policy migration sections, is partially illustrated in the following graphic (not reproduced here).

Table 6–1 Tools to Deploy Applications after Development

Application Type           Tool to Use
Pure Java EE Application   Oracle WebLogic Administration Console, Fusion Middleware Control, WebSphere Application Server Administrator Console, or WebSphere Application Server WASAdmin commands. The recommended tool is Oracle WebLogic Administration Console.
Oracle ADF Application     Fusion Middleware Control or an OPSS script. The recommended tool is Fusion Middleware Control.

The settings in this page concern the migration of application policies and credentials packed in the application EAR file to the corresponding domain store. They are explained next.

Application Policy Migration Settings

These settings control the policy migration in the following scenarios:

■ If you are deploying the application for the first time, you typically want application policies to be migrated to the policy store. Therefore, select Append in the Application Policy Migration area. If for some reason you do not want the migration to take place, select Ignore instead. The option Overwrite is also supported.
■ If you are redeploying the application, and assuming that the migration of application policies has taken place in a previous deployment, you can choose Append, to merge the packed policies with the existing ones in the domain, or Ignore, to prevent policy migration. The option Ignore is typically selected when an application is redeployed and you want to leave the current application policies in the domain unchanged, that is, when you want to preserve changes to the policy store made during previous deployments.
■ When you choose Append, you can further specify which grants and roles should be migrated; the basic distinction is between ADF application roles and grants needed in a production environment, and development-time only roles and grants not needed in a production environment. To migrate ADF application roles and grants, but not development-time only security roles and grants, check the box Migrate only application roles and grants. Ignore identity store artifacts. Typically, this box is checked when deploying to a production environment. Note that when this box is checked, you will need to map application roles to enterprise groups once the application has been deployed.
■ When you choose Append, you can further specify a stripe different from the default stripe (which is the application name) into which the application policies should be migrated, by entering the name of that stripe in the box Application Stripe Id.
■ If nothing is specified, the default settings are Append in deployment and Ignore in redeployment.

About Application Stripes: The policy store is logically partitioned in stripes, one for each application name specified in the file system-jazn-data.xml under the element applications. Each stripe identifies the subset of domain policies pertaining to a particular application.

Typical Use Cases: This page supports specifying the target stripe of the policy migration in the following two most common scenarios:

■ Resolving inconsistent specifications found in the EAR file. The specifications in the EAR file are validated; if the specifications regarding the application stripe found in the files web.application.xml, web.xml, and ejb-jar.xml packed in the EAR file are inconsistent (that is, do not match), you can enter a new stripe to use or select one from the drop-down list. The specified value overrides any other value specified in the EAR file and is used both as the target of the migration and in the runtime environment.
■ Allowing two or more applications to share an application stripe. If your application is to share an existing stripe populated originally by some other application, you can specify that stripe. The Overwrite option should be used carefully when sharing an existing application stripe, because it replaces the policies the other application put there.

Application Credential Migration Settings

These settings control the credential migration in the following scenarios:

■ If you are deploying the application for the first time, you typically want application credentials to be migrated to the credential store. Therefore, select Append in the Application Credential Migration area.
■ In any case (first or subsequent deployment), if for some reason you do not want the migration to take place, select Ignore instead.
■ The option Overwrite is supported only when the WebLogic server is running in development mode.
■ If nothing is entered, the default is Ignore.

Note: Application code using credentials may not work if the credential migration is ignored. Typically, one would choose the Ignore option under the assumption that the credentials have already been created manually in the domain credential store with the same map and key, but with different values.

6.3 Deploying Oracle ADF Applications to a Test Environment

An Oracle ADF application is a Java EE application using JAAS authorization, and it is typically developed and tested using Oracle JDeveloper; this environment allows a developer to package the application and deploy it in the Embedded Oracle WebLogic Server integrated with the tool. When transitioning to a test or production environment, the application is deployed using Oracle Fusion Middleware Control to leverage all the Oracle ADF security features that the framework offers. For details, see Overview.

For step-by-step instructions on how to deploy an Oracle ADF application with Fusion Middleware Control, see:

■ Section Deploy an Application Using Fusion Middleware Control in the Oracle Fusion Middleware Control online help system.
■ Section 8.4, Deploying and Undeploying Oracle ADF Applications, in the Oracle Fusion Middleware Administrator's Guide.

This section is divided into the following topics:

■ Deploying to a Test Environment
■ Migrating from a Test to a Production Environment

6.3.1 Deploying to a Test Environment

The security options available at deployment are explained in Deploying Java EE and Oracle ADF Applications with Fusion Middleware Control. When deploying an Oracle ADF application to a test environment with Fusion Middleware Control, the following operations take place:

Policy Management
■ Application-specific policies packed with the application are automatically migrated to the policy store when the application is deployed. Oracle JDeveloper automatically writes the necessary configuration for this migration to occur.

Credential Management
■ Application-specific credentials packed with the application are automatically migrated to the credential store when the application is deployed. Oracle JDeveloper automatically writes the necessary configuration for this migration to occur.
■ The bootstrap credentials necessary to access LDAP repositories during migration are automatically produced by Fusion Middleware Control. For details about a manual setup, see Section 21.4.7, Specifying Bootstrap Credentials Manually.

Identity Management
Identities packed with the application are not migrated. The domain administrator must configure the domain authenticator with the Administration Console, update identities (enterprise users and groups) in the environment as appropriate, and map application roles to enterprise users and groups with Fusion Middleware Control.

Other Considerations
■ When deploying to a domain with LDAP-based security stores, and to preserve application data integrity, it is recommended that the application be deployed at the cluster level or, otherwise, to just one managed server.

Note: Before migrating a file-based policy store (that is, the file jazn-data.xml) to a production environment, verify that no grant contains duplicate permissions. If a duplicate permission (one that has the same name and class) appears in a grant, the migration runs into an error and is halted. In this case, manually edit the jazn-data.xml file to remove the duplicate permissions from the grant definition, and invoke the migration again.
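The following Python script is an added example; it is not code from this guide, from Fusion Middleware Control or from OPSS, which perform the real migration. It parses a jazn-data.xml policy store in the layout used by Oracle ADF applications, reports the duplicate-permission condition described in the note above (same class and name twice in one grant), removes the duplicates the way the manual edit would, and then simulates what the Append, Ignore and Overwrite choices of the Application Policy Migration settings (Section 6.2.1), including an Application Stripe Id override, do to a dictionary standing in for the domain policy store. The sample XML, the stripe name MyADFApp, and the role and permission names in it are constructed for the example.

```python
# Added example, not code from the Oracle guide or from OPSS. Lints a
# jazn-data.xml for the duplicate-permission condition that halts policy
# migration, then simulates what Append / Ignore / Overwrite do to a domain
# policy store. SAMPLE_JAZN_DATA is constructed to mirror the jazn-data.xml
# layout; the stripe, role and permission names in it are invented.
import xml.etree.ElementTree as ET
from collections import Counter

SAMPLE_JAZN_DATA = """<jazn-data>
 <policy-store><applications><application>
  <name>MyADFApp</name>
  <jazn-policy><grant>
   <grantee><principals><principal>
    <class>oracle.security.jps.service.policystore.ApplicationRole</class>
    <name>viewer</name>
   </principal></principals></grantee>
   <permissions>
    <permission>
     <class>oracle.adf.share.security.authorization.RegionPermission</class>
     <name>view.pageDefs.mainPageDef</name><actions>view</actions>
    </permission>
    <!-- same class and name again: the real migration errors out here -->
    <permission>
     <class>oracle.adf.share.security.authorization.RegionPermission</class>
     <name>view.pageDefs.mainPageDef</name><actions>view</actions>
    </permission>
   </permissions>
  </grant></jazn-policy>
 </application></applications></policy-store>
</jazn-data>"""


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # tolerate a namespace prefix on every tag


def _child_text(el, name):
    return next(((c.text or "").strip() for c in el if _local(c.tag) == name), "")


def parse_stripes(xml_text):
    """{stripe: [grant]}; grant = (principals, permissions) where principals is a
    sorted tuple of (class, name) and permissions a list of (class, name, actions)."""
    stripes = {}
    for app in ET.fromstring(xml_text).iter():
        if _local(app.tag) != "application":
            continue
        grants = []
        for g in app.iter():
            if _local(g.tag) != "grant":
                continue
            principals = tuple(sorted((_child_text(p, "class"), _child_text(p, "name"))
                                      for p in g.iter() if _local(p.tag) == "principal"))
            perms = [(_child_text(p, "class"), _child_text(p, "name"), _child_text(p, "actions"))
                     for p in g.iter() if _local(p.tag) == "permission"]
            grants.append((principals, perms))
        stripes[_child_text(app, "name")] = grants
    return stripes


def find_duplicate_permissions(stripes):
    """(stripe, principals, class, name, count) for each permission that appears
    more than once, by class and name, within a single grant."""
    found = []
    for stripe, grants in stripes.items():
        for principals, perms in grants:
            for (cls, name), n in Counter((c, nm) for c, nm, _ in perms).items():
                if n > 1:
                    found.append((stripe, principals, cls, name, n))
    return found


def remove_duplicate_permissions(stripes):
    """The manual fix the note prescribes, done programmatically: keep only the
    first occurrence of each (class, name) within a grant. Returns a new structure."""
    cleaned = {}
    for stripe, grants in stripes.items():
        cleaned[stripe] = []
        for principals, perms in grants:
            kept = []
            for p in perms:
                if all(p[:2] != k[:2] for k in kept):
                    kept.append(p)
            cleaned[stripe].append((principals, kept))
    return cleaned


def migrate(domain_store, stripes, mode, target_stripe=None):
    """Simulate the Application Policy Migration setting on a dict standing in
    for the domain policy store ({stripe: [grant]}). Never mutates its input."""
    store = {k: [(pr, list(pe)) for pr, pe in v] for k, v in domain_store.items()}
    if mode == "Ignore":  # leave the domain policies exactly as they are
        return store
    dups = find_duplicate_permissions(stripes)
    if dups:  # same failure mode as the real migration: halt, migrate nothing
        raise ValueError(f"duplicate permission in a grant: {dups[0][2:4]}")
    for stripe, grants in stripes.items():
        key = target_stripe or stripe  # Application Stripe Id overrides the default
        if mode == "Overwrite":  # packed policies replace whatever the stripe held
            store[key] = [(pr, list(pe)) for pr, pe in grants]
            continue
        if mode != "Append":
            raise ValueError(f"unknown migration mode: {mode}")
        existing = store.setdefault(key, [])
        for principals, perms in grants:  # merge: match on grantee, add missing perms
            for epr, eperms in existing:
                if epr == principals:
                    eperms.extend(p for p in perms if p not in eperms)
                    break
            else:
                existing.append((principals, list(perms)))
    return store
```

Run find_duplicate_permissions on the parsed EAR copy of jazn-data.xml before deploying; an empty list means the migration will not trip over the condition in the note. The Append branch shows why a redeployment with Append keeps grants that an administrator added to the stripe after the first deployment, while Overwrite discards them, which is the reason the guide warns against Overwrite on a stripe shared with another application.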