Using MethodPermission for securing business service methods

In this post, I'm sharing some tips on using MethodPermission for securing business service methods. In fact this post is an excerpt from  Chapter 14 Securing Fusion Web Applications from my book Oracle ADF Real World Developer’s Guide. This chapter is absolutely free for you. You just need to click on the link given below to grab this resource :) 

Download 
To download the complete Chapter, click here

Securing business service methods

Preventing unauthorized access to business services is very critical for any enterprise application. ADF security offers method permission definitions for the purpose of addressing such scenarios. Method permissions check if a user has the right to execute a method defined in the application. ADF security allows you to secure access to methods defined in the application through the
oracle.adf.share.security.authorization.MethodPermission class.

To define method permissions in an application, perform the following steps:
1. Open the jazn-data.xml in the overview editor and select the Resources Grant tab.
2. Choose ADF Method as Resource Type. Add a new Resource value.
3. In the Create Resource dialog, specify a fully qualified class name along with a method name as value for the Name field. For example, if you are defining the method permission for updateDeparment() defined in the class model. service.HRServiceAppModuleImpl, the Name field is specified as
model. service.HRServiceAppModuleImpl.updateDeparment.
4. Click on OK to save the changes and dispose of the dialog.

You can use security expressions to refer to the method permission definitions to
control the display of action enabled UI components in a page. The ADF security
framework also exposes APIs for checking the method permission which can be used
to programmatically check the user privileges in the code. The following example
illustrates the usage of method permissions in an application.

An example using method permissions

Let us see how method permissions can be used in an EL expression to control the display property of a command component. The following is an example for a method permission definition in jazn-data.xml.
This definition describes the updateDeparment() method in the com.packtpub.adfguide.service.HRServiceAppModuleImpl class:

 <jazn-data ...>  
 ...  
 <resources>  
 <resource>  
 <name> model.service.HRServiceAppModuleImpl.updateDeparment</name>  
 <display-name>updateDeparment</display-name>  
 <description>updateDeparment</description>  
 <type-name-ref>ADFMethodResourceType</type-name-ref>  
 </resource>  
 </resources>  
 </jazn-data>  


When you grant method permissions to an application role, the IDE will generate a
corresponding entry for the grantee in jazn-data.xml as follows:
 <permission>  
 <class>oracle.adf.share.security.authorization.MethodPermission</class>  
 <name>model.service.HRServiceAppModuleImpl.updateDeparment</name>  
 <actions>invoke</actions>  
 </permission>  

Using method permissions in an EL expression

The following component tag illustrates how the method permission that we defined
in this example can be referenced through EL to enable or disable components based
on the user rights for accessing the underlying operation:

 <af:commandButton actionListener="#{bindings.updateDeparment.execute}"  
 text="Update Department Details"  
 disabled="#{!securityContext.userGrantedPermission['permissionCla  
 ss=oracle.adf.share.security.authorization.MethodPermission,target=  
 model.service.HRServiceAppModuleImpl.updateDeparment,action=invoke']}"  
 id="cb6"/>  

Using method permission APIs

The following code snippet illustrates the APIs for checking whether a user has access to a specific business method. The oracle.adf.share.security.authorization.MethodPermission instance used in this example refers to the permission settings for the updateDeparment() method that we defined at the beginning of this example.
//In application module implementation class

 public void updateDeparment() {  
   Permission permission = new MethodPermission  
     ("model.service.HRServiceAppModuleImpl.updateDeparment","invoke");  
   SecurityContext securityCtx = ADFContext.getCurrent().getSecurityContext();  
   boolean userHasPermission = securityCtx.hasPermission(permission);  
   if(userHasPermission){  
   //user is authorized to call this method  
   //Add your business logic here  
   _doUpdate();  
   }  
 }  

Comments

sumathi kalpana said…




Great thoughts you got there, believe I may possibly try just some of it throughout my daily life.







How to Register a Business

Disclaimer

The views expressed on this blog are my own and do not necessarily reflect the views of my employer.