Mobile Application Framework Security

Version 5

    This article provides an overview of the security framework within the Oracle Mobile Application Framework (MAF), and describes the steps for configuring a mobile application to participate in security.


    When a secured application feature is accessed, MAF presents the user with the Login screen. Once the user successfully enters valid credentials, MAF renders the intended web page, UI component or feature and, based on the user's privileges and roles, enables or disables the corresponding feature or application component for that user.


    Here are the steps to follow for implementing the MAF security feature in a mobile application.


    Create a MAF application


    To create a new application, choose Mobile Application Framework Application.



    Give the name MyMobileApp.


    Open the maf-feature.xml file and create 3 features for the current purpose.

    Create a few features like HR, Accounts, Finance and Operations.


    Under Device Access, check the Network permission for all features.


    Deploy the MAF application to the emulator.


    Authentication

    For Authentication, create an Application Development Framework (ADF) Fusion Web Application.


    Configure ADF security on the application.


    Select the ADF Authentication radio button, since we need this ADF application for authentication purposes only. Accept the defaults in the wizard and finish it.

    Create users in the ADF application (e.g., testuser1, testuser2, etc.).

    Deploy the application to the application server.

    Validate HTTP Basic authentication by opening the application URL in a browser.


    http://192.168.2.2:7101/SecurityApp-ViewController-context-root/faces/index.jsf

    Use testuser1/testuser1 as the login credentials to test the ADF application's security. Once authenticated, the user lands on the success page.

    Authorization

    MAF (formerly ADF Mobile) uses the standard HTTP mechanism for authentication only. To let applications obtain the roles and privileges of a specific user, you therefore need to implement a REST web service called the Access Control Service (ACS).


    Create a POJO Java class ACSRequest and generate its accessors and constructors.


        

    package view;

    import javax.xml.bind.annotation.XmlRootElement;

    @XmlRootElement
    public class ACSRequest {

        private String userId;
        private String[] filterMask;
        private String[] roleFilter;
        private String[] privilegeFilter;

        public ACSRequest() {
            super();
        }

        public ACSRequest(String userId, String[] filterMask, String[] roleFilter, String[] privilegeFilter) {
            super();
            this.userId = userId;
            this.filterMask = filterMask;
            this.roleFilter = roleFilter;
            this.privilegeFilter = privilegeFilter;
        }

        public void setUserId(String userId) {
            this.userId = userId;
        }

        public String getUserId() {
            return userId;
        }

        public void setFilterMask(String[] filterMask) {
            this.filterMask = filterMask;
        }

        public String[] getFilterMask() {
            return filterMask;
        }

        public void setRoleFilter(String[] roleFilter) {
            this.roleFilter = roleFilter;
        }

        public String[] getRoleFilter() {
            return roleFilter;
        }

        public void setPrivilegeFilter(String[] privilegeFilter) {
            this.privilegeFilter = privilegeFilter;
        }

        public String[] getPrivilegeFilter() {
            return privilegeFilter;
        }
    }
    



    Create a POJO class ACSResponse and generate its accessors.


    package view;
    
    import javax.xml.bind.annotation.XmlRootElement;
    
    @XmlRootElement
    public class ACSResponse {
        
        private String userId;
        private String[] roles;
        private String[] privileges;
        
        public ACSResponse() {
            super();
            roles = new String[0];
            privileges = new String[0];
        }
        
        public ACSResponse(String p_userId, String[] p_roles, String[] p_privileges) {
            super();
            userId = p_userId;
            roles = p_roles;
            privileges = p_privileges;
        }
    
        
        public String getUserId(){
            return userId;
        }
        
        public void setUserId(String p_id){
            userId = p_id;
        }
        
        public String[] getRoles(){
            return roles;
        }
        
        public void setRoles(String[] p_roles){
            roles = p_roles;
        }
    
        public String[] getPrivileges(){
            return privileges;
        }
        
        public void setPrivileges(String[] p_privileges){
            // Assign to the privileges field (the original assigned to roles by mistake).
            privileges = p_privileges;
        }
    }
    


    POJO mapping is not enabled in Jersey by default, so you must add the following init parameter to the Jersey servlet declaration in the application's web.xml.


    <init-param>
        <param-name>com.sun.jersey.api.json.POJOMappingFeature</param-name>
        <param-value>true</param-value>
    </init-param>
    


    Create a service class UserRessource and generate a REST service on it. For testing purposes, assign some static roles and privileges based on the user ID.


    package view;

    import javax.ws.rs.Consumes;
    import javax.ws.rs.POST;
    import javax.ws.rs.Path;
    import javax.ws.rs.Produces;
    import javax.ws.rs.core.Response;

    @Path("user")
    @Consumes("application/json")
    @Produces("application/json")
    public class UserRessource {
        public UserRessource() {
        }

        @POST
        public Response postData(ACSRequest request) {

            // Replace this with actual logic: static roles and privileges for testing only.
            ACSResponse rolesAndPrivileges = null;

            if ("testuser1".equalsIgnoreCase(request.getUserId())) {
                rolesAndPrivileges = new ACSResponse(request.getUserId(),
                                                     new String[] { "role1" },
                                                     new String[] { "priv1" });
            }

            if ("testuser4".equalsIgnoreCase(request.getUserId())) {
                rolesAndPrivileges = new ACSResponse(request.getUserId(),
                                                     new String[] { "role4" },
                                                     new String[] { "priv4" });
            }

            if ("testuser3".equalsIgnoreCase(request.getUserId())) {
                rolesAndPrivileges = new ACSResponse(request.getUserId(),
                                                     new String[] { "role3" },
                                                     new String[] { "priv3" });
            }

            // For any other user ID the entity stays null, so Jersey answers with 204 No Content.
            Response.ResponseBuilder builder = Response.ok(rolesAndPrivileges);
            return builder.build();
        }
    }
    
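As an added example (not the article's code), the following is a filter-aware variant of the static UserRessource above: it answers only for the principal the container actually authenticated, honours filterMask, roleFilter and privilegeFilter, and returns empty arrays for unknown users instead of a null entity. The class name FilteredUserResource, the sample grant tables, the assumption that the ACS is deployed behind the same HTTP Basic realm as the login URL, and the filterMask values "role" and "privilege" are my assumptions.

```java
package view;

import java.util.*;
import javax.ws.rs.*;
import javax.ws.rs.core.*;

@Path("user")
@Consumes("application/json")
@Produces("application/json")
public class FilteredUserResource {
    // Constructed sample grants; a real ACS reads these from the identity store.
    private static final Map<String, String[]> ROLES = new HashMap<String, String[]>();
    private static final Map<String, String[]> PRIVS = new HashMap<String, String[]>();
    static {
        ROLES.put("testuser1", new String[] { "role1", "role2" });
        PRIVS.put("testuser1", new String[] { "priv1", "priv2" });
        ROLES.put("testuser3", new String[] { "role3" });
        PRIVS.put("testuser3", new String[] { "priv3" });
    }

    @POST
    public Response postData(ACSRequest request, @Context SecurityContext sc) {
        // Answer only for the user the container authenticated (assumes the ACS sits
        // behind the same HTTP Basic realm as the login URL), never for any userId sent.
        String user = (request == null) ? null : request.getUserId();
        if (user == null || sc.getUserPrincipal() == null
                || !sc.getUserPrincipal().getName().equalsIgnoreCase(user)) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        // filterMask names the grant types wanted ("role", "privilege"); missing means both.
        List<String> mask = request.getFilterMask() == null
                ? Arrays.asList("role", "privilege") : Arrays.asList(request.getFilterMask());
        String[] roles = mask.contains("role")
                ? intersect(ROLES.get(user), request.getRoleFilter()) : new String[0];
        String[] privs = mask.contains("privilege")
                ? intersect(PRIVS.get(user), request.getPrivilegeFilter()) : new String[0];
        // Unknown users get empty arrays rather than a null body (which Jersey turns into 204).
        return Response.ok(new ACSResponse(user, roles, privs)).build();
    }

    // Keep only the granted values the client asked about; an empty filter means all of them.
    static String[] intersect(String[] granted, String[] filter) {
        if (granted == null) return new String[0];
        if (filter == null || filter.length == 0) return granted.clone();
        Set<String> wanted = new LinkedHashSet<String>(Arrays.asList(filter));
        Set<String> out = new LinkedHashSet<String>();
        for (String g : granted) if (wanted.contains(g)) out.add(g);
        return out.toArray(new String[out.size()]);
    }
}
```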


    Test the web service and, using the HTTP Analyzer, inspect the request and response of the web service.

    http://192.168.2.2:7101/rest/resources/user

    MAF Application Security


    Open maf-feature.xml and select the Enable Security checkbox for, say, the Accounts, Finance and Operations features.

    Open maf-application.xml and open the Security tab from the left menu.


    Authentication using HTTP Basic Protocol

    Under the Authentication and Access Control section, create a new Application/Configuration Login Server.



    For user authentication, choose the same URL of the secured ADF application as in the step above.

    Use the default Auto login values.

    For Authorization, choose the same REST service URL from step 17 and add the filter list of user roles and privileges. For testing purposes we choose the same static roles and privileges used earlier.


    URL: http://192.168.2.2:7101/rest/resources/user



    Authentication using Oracle Mobile and Social Identity Management


    You can select the Mobile-Social authentication server type in the Create MAF Login Connection dialog to configure a connection for mobile applications to authenticate with the Oracle Access Manager (OAM) server.

    The OAM back end for this connection type must be running the Oracle Mobile and Social server and a 10g WebGate (a web server plug-in that intercepts HTTP requests for resources and forwards them to the OAM server for authentication and authorization).


    Click the Mobile-Social tab and enter the URL to the Oracle Access Management Mobile and Social server and enter the mobile application service domain.


    Click the Auto Login tab and configure the parameters as described in the step above.


    Click the Authorization tab and configure the parameters as described in the step above.

    Authentication using OAuth Configuration

    We can use the Create MAF Login Connection dialog to configure how third-party applications (clients) gain limited access to protected data or services stored on a remote server. The Relying Party authentication provided by the Oracle Mobile and Social server enables an application to authenticate against a third-party OAuth provider. The Oracle Web Services Manager (OWSM) Lite Mobile ADF Application Agent injects the cookie into the security header of the web service call.

    Authentication using Web SSO Authentication

    We can use the Create MAF Login Connection dialog to configure cross-domain single sign-on.

    Choose the created login server connection for each feature.

    Deploy the application and test.



    Add constraints to the features so that only users holding the right privileges can access them.



    Deploy the application again and re-test.


    Only the Operations feature is enabled before login, as it has no constraint on privileges.


    testuser1 has "priv1" and we have set the access constraint on the HR feature, so once logged in the user sees only the HR feature and none of the others.


    Log in with testuser3 and the Finance feature is visible.


    References


    http://docs.oracle.com/middleware/mobile200/mobile/develop/maf-securing.htm#BCGGCBCF

    About the Author

    Namit Kakkar is a Principal Consultant in Oracle Consulting Services - Global Service Delivery, where his focus is on ADF, WebCenter, and Oracle mobile applications.