
Using MethodPermission for securing business service methods

In this post, I'm sharing some tips on using MethodPermission for securing business service methods. This post is an excerpt from Chapter 14, Securing Fusion Web Applications, of my book Oracle ADF Real World Developer's Guide. The chapter is completely free; just click the link given below to grab it :)

Download: to download the complete chapter, click here.

Securing business service methods

Preventing unauthorized access to business services is critical for any enterprise application. ADF Security addresses this with method permission definitions: a method permission checks whether the current user has the right to execute a method defined in the application. ADF Security lets you secure access to such methods through the oracle.adf.share.security.authorization.MethodPermission class.

To define method permissions in an application, perform the following steps:
1. Open jazn-data.xml in the overview editor and select the Resource Grants tab.
2. Choose ADF Method as the Resource Type and add a new Resource value.
3. In the Create Resource dialog, enter the fully qualified class name followed by the method name as the value of the Name field. For example, to define the method permission for updateDeparment() in the class model.service.HRServiceAppModuleImpl, set the Name field to model.service.HRServiceAppModuleImpl.updateDeparment.
4. Click OK to save the changes and close the dialog.

You can use security expressions that refer to the method permission definitions to control the display of action-enabled UI components in a page. The ADF Security framework also exposes APIs for checking method permissions, so the same privilege check can be performed programmatically in code. The following example illustrates both usages of method permissions in an application.

An example using method permissions

Let us see how method permissions can be used in an EL expression to control the display property of a command component. The following is an example for a method permission definition in jazn-data.xml.
This definition describes the updateDeparment() method in the com.packtpub.adfguide.service.HRServiceAppModuleImpl class:

 <jazn-data ...>
   ...
   <resources>
     <resource>
       <name>model.service.HRServiceAppModuleImpl.updateDeparment</name>
       <display-name>updateDeparment</display-name>
       <description>updateDeparment</description>
       <type-name-ref>ADFMethodResourceType</type-name-ref>
     </resource>
   </resources>
 </jazn-data>


When you grant method permissions to an application role, the IDE generates a corresponding entry for the grantee in jazn-data.xml as follows:

 <permission>
   <class>oracle.adf.share.security.authorization.MethodPermission</class>
   <name>model.service.HRServiceAppModuleImpl.updateDeparment</name>
   <actions>invoke</actions>
 </permission>

Using method permissions in an EL expression

The following component tag illustrates how the method permission defined in this example can be referenced through EL to enable or disable a component according to the user's right to invoke the underlying operation. Note that the disabled attribute only affects rendering; the server-side check shown in the next section is what actually enforces the permission:

 <af:commandButton actionListener="#{bindings.updateDeparment.execute}"
                   text="Update Department Details"
                   disabled="#{!securityContext.userGrantedPermission['permissionClass=oracle.adf.share.security.authorization.MethodPermission,target=model.service.HRServiceAppModuleImpl.updateDeparment,action=invoke']}"
                   id="cb6"/>

Using method permission APIs

The following code snippet illustrates the APIs for checking whether a user has access to a specific business method. The oracle.adf.share.security.authorization.MethodPermission instance used here refers to the permission settings for the updateDeparment() method defined at the beginning of this example.

 // In the application module implementation class (model.service.HRServiceAppModuleImpl)
 import java.security.Permission;
 import oracle.adf.share.ADFContext;
 import oracle.adf.share.security.SecurityContext;
 import oracle.adf.share.security.authorization.MethodPermission;

 public void updateDeparment() {
   // The target string must match the <name> of the ADF Method resource in jazn-data.xml
   Permission permission = new MethodPermission
     ("model.service.HRServiceAppModuleImpl.updateDeparment", "invoke");
   // Security context of the currently authenticated user
   SecurityContext securityCtx = ADFContext.getCurrent().getSecurityContext();
   boolean userHasPermission = securityCtx.hasPermission(permission);
   if (userHasPermission) {
     // User is authorized to call this method; add your business logic here
     _doUpdate();
   }
   // Otherwise the method returns without performing the update
 }
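The snippet above returns silently when the check fails, so a caller that bypasses the disabled button (for example by posting the action directly) gets no indication that the operation was refused. The following is an added example, not code from the book or the post, showing how a single guard method can enforce the same MethodPermission for every service method in the application module and report the denial as a JboException. It assumes the jazn-data.xml grants shown above; the helper name requireInvoke and the constant CLASS_NAME are this example's own choices.

```java
package model.service;

import java.security.Permission;
import oracle.adf.share.ADFContext;
import oracle.adf.share.security.SecurityContext;
import oracle.adf.share.security.authorization.MethodPermission;
import oracle.jbo.JboException;
import oracle.jbo.server.ApplicationModuleImpl;

public class HRServiceAppModuleImpl extends ApplicationModuleImpl {

    // Hard-coded rather than derived from getClass().getName() so that the
    // permission target is guaranteed to match the <name> in jazn-data.xml.
    private static final String CLASS_NAME = "model.service.HRServiceAppModuleImpl";

    // Hypothetical helper (not an ADF API): enforces the "invoke" action of the
    // MethodPermission for the given method and fails closed on denial.
    private void requireInvoke(String methodName) {
        String target = CLASS_NAME + "." + methodName;
        Permission permission = new MethodPermission(target, "invoke");
        SecurityContext securityCtx = ADFContext.getCurrent().getSecurityContext();
        if (!securityCtx.hasPermission(permission)) {
            // Raising an exception, instead of returning quietly, makes the
            // refusal visible to the caller and to the server log.
            throw new JboException("User " + securityCtx.getUserName()
                    + " is not permitted to invoke " + target);
        }
    }

    public void updateDeparment() {
        requireInvoke("updateDeparment");
        // Authorized: business logic goes here
        _doUpdate();
    }

    // Any further service method is guarded the same way; each one needs its own
    // ADF Method resource (CLASS_NAME + "." + method) and grant in jazn-data.xml.
    public void deleteDepartment() {
        requireInvoke("deleteDepartment");
        _doDelete();
    }

    // Placeholders for the real business logic (constructed for this example).
    private void _doUpdate() { }
    private void _doDelete() { }
}
```

Because the permission target is built from the method name, every new service method is protected by adding one resource and one grant in jazn-data.xml; forgetting the grant results in a denial rather than in an unprotected method, which is the safer default.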
