How-to protect your ADF pages
By frank.nimphius | March 8, 2010
A great discussion on the JDeveloper forum on OTN brought up a new addition to ADF application security that I'd like to share.
Chapter 30 of the Oracle® Fusion Middleware Fusion Developer's Guide for Oracle Application Development Framework 11g Release 1 explains the JAAS protection mechanism for ADF pages and task flows. There it is recommended that you reduce the number of JSF pages in the adfc-config.xml file to the absolute minimum and only give ADF Security permissions to those documents that need to be accessible from a browser request.
All other pages should be located in bounded task flows, which you can protect declaratively against GET requests, as they are issued from a browser URL. Bounded task flows need to be granted to users through application roles to be accessible.
The discussion on OTN is about protecting the physical JSPX files. If you are an authenticated and authorized user, you can access a JSPX page directly, e.g. by calling localhost:7101/myapp/faces/Departments.jspx. The page is then served, though it may not be fully functional because it was not launched within the controller context.
The recommendation therefore is to store JSPX documents under the WEB-INF directory of the public_html folder. This solves the problem of users accessing physical files directly.
Frank
P.S.: Note that if moving JSPX documents into the WEB-INF folder is not an option for you, you can write a servlet filter that checks the incoming request URL for the resource it accesses. If a JSPX file is requested directly, return an HTTP 403 error.
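One way to implement the filter described above, as an added example that is not Frank's or Oracle's code: the class name, the allowedPages init-param and the idea of allow-listing the entry pages registered in adfc-config.xml (so those remain reachable by URL while every other .jspx request is rejected with 403) are assumptions.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter, not part of ADF: rejects requests that address a
// .jspx document by URL unless the page is on an explicit allow list.
public class JspxAccessFilter implements Filter {

    // Entry pages from adfc-config.xml that may be requested directly,
    // supplied as a comma-separated "allowedPages" init-param in web.xml.
    private final Set<String> allowedPages = new HashSet<String>();

    public void init(FilterConfig config) throws ServletException {
        String param = config.getInitParameter("allowedPages");
        if (param == null) {
            return;            // no allow list: every .jspx URL is rejected
        }
        for (String page : param.split(",")) {
            allowedPages.add(page.trim().toLowerCase(Locale.ROOT));
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path relative to the web application, e.g. /faces/Departments.jspx.
        // The query string is not part of it, so it cannot hide the suffix.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        String normalized = path.toLowerCase(Locale.ROOT);

        if (normalized.endsWith(".jspx") && !allowedPages.contains(normalized)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
    }
}
```

Map the filter in web.xml with url-pattern /* and list its filter-mapping before the ADF filter mappings, so it runs before the Faces Servlet sees the request. Set allowedPages to the web-relative paths of the pages you deliberately expose, e.g. /faces/Login.jspx.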
Topics: ADF, ADF Faces RC, Security
