This article provides an overview of the security framework within the Oracle Mobile Application Framework (MAF) and describes the steps for configuring a mobile application to participate in security.
When a secured application feature is accessed, MAF presents the user with the Login screen. Once the user enters valid credentials, MAF renders the requested feature or UI component and, based on the user's roles and privileges, enables or disables the corresponding features and components for that user.
Here are the steps to follow for implementing the MAF security feature in a mobile application.
Create a MAF application
To create a new application, choose Mobile Application Framework Application.

Give the name MyMobileApp.





Open the maf-feature.xml file and create the features used in this walkthrough.




Create features named HR, Accounts, Finance and Operations.

Under Device Access, check the Network permission for all features.

Deploy the MAF application to the emulator.

Authentication
For Authentication, create an Application Development Framework (ADF) Fusion Web Application.



Configure ADF security on the application.

Select the ADF Authentication radio button; this ADF application is needed for authentication purposes only. Accept the defaults in the wizard and finish it.





Create users in the ADF application (e.g., testuser1,testuser2, etc.).

Deploy the application to the application server.

Validate the HTTP Basic authentication by opening the application URL in a browser:
http://192.168.2.2:7101/SecurityApp-ViewController-context-root/faces/index.jsf

Use testuser1/testuser1 as the login credentials to test the ADF application's security. Once authenticated, the user lands on the success page.

Authorization
MAF uses standard HTTP mechanisms for authentication; to let the application obtain the roles and privileges of a specific user, you implement a REST web service called the Access Control Service (ACS). MAF posts a request naming the user and the roles and privileges it is interested in, and the service answers with the roles and privileges that user holds.
Create a POJO Java class ACSRequest with its accessors and constructors:
package view;

import javax.xml.bind.annotation.XmlRootElement;

// Request body MAF posts to the Access Control Service.
@XmlRootElement
public class ACSRequest {
    private String userId;
    private String[] filterMask;       // which of "role" / "privilege" to return
    private String[] roleFilter;       // roles the client is asking about
    private String[] privilegeFilter;  // privileges the client is asking about

    public ACSRequest() {
        super();
    }

    public ACSRequest(String userId, String[] filterMask, String[] roleFilter, String[] privilegeFilter) {
        super();
        this.userId = userId;
        this.filterMask = filterMask;
        this.roleFilter = roleFilter;
        this.privilegeFilter = privilegeFilter;
    }

    public void setUserId(String userId) {
        this.userId = userId;
    }

    public String getUserId() {
        return userId;
    }

    public void setFilterMask(String[] filterMask) {
        this.filterMask = filterMask;
    }

    public String[] getFilterMask() {
        return filterMask;
    }

    public void setRoleFilter(String[] roleFilter) {
        this.roleFilter = roleFilter;
    }

    public String[] getRoleFilter() {
        return roleFilter;
    }

    public void setPrivilegeFilter(String[] privilegeFilter) {
        this.privilegeFilter = privilegeFilter;
    }

    public String[] getPrivilegeFilter() {
        return privilegeFilter;
    }
}
Create a POJO class ACSResponse with its accessors:
package view;

import javax.xml.bind.annotation.XmlRootElement;

// Response body the Access Control Service returns to MAF.
@XmlRootElement
public class ACSResponse {
    private String userId;
    private String[] roles;
    private String[] privileges;

    public ACSResponse() {
        super();
        // Empty arrays rather than null so the JSON always carries both fields.
        roles = new String[0];
        privileges = new String[0];
    }

    public ACSResponse(String p_userId, String[] p_roles, String[] p_privileges) {
        super();
        userId = p_userId;
        roles = p_roles;
        privileges = p_privileges;
    }

    public String getUserId() {
        return userId;
    }

    public void setUserId(String p_id) {
        userId = p_id;
    }

    public String[] getRoles() {
        return roles;
    }

    public void setRoles(String[] p_roles) {
        roles = p_roles;
    }

    public String[] getPrivileges() {
        return privileges;
    }

    public void setPrivileges(String[] p_privileges) {
        // Assigns the privileges field (the original assigned roles here by mistake).
        privileges = p_privileges;
    }
}
By default, POJO mapping is not enabled in Jersey. It is therefore essential to add the following init parameter to the Jersey servlet declaration in the application's web.xml:
<init-param>
    <param-name>com.sun.jersey.api.json.POJOMappingFeature</param-name>
    <param-value>true</param-value>
</init-param>
Create a service class UserRessource and expose it as a REST service. For testing purposes, assign static roles and privileges based on the user ID. Note that the service as written trusts the userId in the request body; in production the resource should sit behind the same authentication as the login server and the requested userId should be checked against the authenticated principal, otherwise any caller can look up any user's roles.
package view;

import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Response;

@Path("user")
@Consumes("application/json")
@Produces("application/json")
public class UserRessource {

    public UserRessource() {
    }

    // MAF posts an ACSRequest after login; feature constraints are then
    // evaluated against the roles and privileges returned here.
    @POST
    public Response postData(ACSRequest request) {
        // Replace this static mapping with actual logic.
        String userId = request.getUserId();
        // Default to an empty (not null) response so unknown users still
        // receive a well-formed document with no roles or privileges.
        ACSResponse rolesAndPrivileges =
            new ACSResponse(userId, new String[0], new String[0]);
        if ("testuser1".equalsIgnoreCase(userId)) {
            rolesAndPrivileges = new ACSResponse(userId,
                new String[] { "role1" },
                new String[] { "priv1" });
        } else if ("testuser3".equalsIgnoreCase(userId)) {
            rolesAndPrivileges = new ACSResponse(userId,
                new String[] { "role3" },
                new String[] { "priv3" });
        } else if ("testuser4".equalsIgnoreCase(userId)) {
            rolesAndPrivileges = new ACSResponse(userId,
                new String[] { "role4" },
                new String[] { "priv4" });
        }
        return Response.ok(rolesAndPrivileges).build();
    }
}
Test the web service with the HTTP Analyzer and inspect the request and response of the web service:
http://192.168.2.2:7101/rest/resources/user

MAF Application Security
Open maf-feature.xml and select the Enable Security checkbox for the features that should require login, for example Accounts, Finance and Operations.

Open maf-application.xml and select the Security tab from the left menu.

Authentication using HTTP Basic Protocol
Under the Authentication and Access Control section, create a new login server connection.
For the user authentication URL, use the URL of the secured ADF application from the authentication step above.
Keep the default Auto Login values.



For Authorization, use the URL of the Access Control Service REST service created above and add the filter lists of user roles and privileges. For testing purposes we use the same static roles and privileges as earlier.
URL: http://192.168.2.2:7101/rest/resources/user


Authentication using Oracle Mobile and Social Identity Management
You can select the Mobile-Social authentication server type in the Create MAF Login Connection dialog to configure a connection that lets mobile applications authenticate with the Oracle Access Manager (OAM) server.
The OAM back end for this connection type must be running the Oracle Mobile and Social server and a 10g WebGate (a web server plug-in that intercepts HTTP requests for resources and forwards them to the OAM server for authentication and authorization).

Click the Mobile-Social tab and enter the URL to the Oracle Access Management Mobile and Social server and enter the mobile application service domain.

Click the Auto Login tab and configure the parameters as described in the step above.
Click the Authorization tab and configure the parameters as described in the step above.
Authentication using OAuth Configuration
Use the Create MAF Login Connection dialog to configure how third-party applications (clients) gain limited access to protected data or services stored on a remote server. The Relying Party authentication provided by the Oracle Mobile and Social server lets an application authenticate against a third-party OAuth provider. The Oracle Web Services Manager (OWSM) Lite Mobile ADF Application Agent injects the cookie into the security header of the web service call.


Authentication using Web SSO Authentication
Use the Create MAF Login Connection dialog to configure a cross-domain single sign-on connection.


For each secured feature, choose the login server connection you created.

Deploy the application and test.


Add constraints to the features so that only users holding the right privileges can access them.



Deploy the application again and test it.
Before login, only the Operations feature is enabled, because it has no constraint on privileges.

testuser1 holds priv1 and the HR feature carries an access constraint on that privilege, so after login this user sees the HR feature but none of the other constrained features.

Log in as testuser3 instead and the Finance feature is visible.
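As an added example (not code from the article or from Oracle MAF), the following Python models the two pieces of authorization logic this walkthrough relies on: the Access Control Service answering an ACSRequest with the roles and privileges of the authenticated user, and MAF deciding which features to show by evaluating each feature's privilege constraint against that response. The field names mirror the ACSRequest/ACSResponse POJOs above; the filtering semantics (filterMask selects which of roles/privileges are returned, the roleFilter/privilegeFilter lists narrow the answer to the values asked about, an empty list meaning "everything the user has"), the Feature model and the constraint on Accounts are assumptions for illustration, and the user table is constructed to match the static mapping in UserRessource. Unlike the service above, the lookup refuses a request whose userId differs from the authenticated caller, which is the check a real ACS needs.

```python
"""Model of the MAF Access Control Service exchange and feature constraints.

Added example; not from the article or from Oracle MAF. Filtering semantics
and the Feature model are assumptions, the user table is constructed data.
"""
from dataclasses import dataclass

# Constructed test data mirroring the static mapping in UserRessource.
USER_STORE = {
    "testuser1": {"roles": ["role1"], "privileges": ["priv1"]},
    "testuser3": {"roles": ["role3"], "privileges": ["priv3"]},
    "testuser4": {"roles": ["role4"], "privileges": ["priv4"]},
}

EMPTY = {"roles": [], "privileges": []}


def acs_lookup(request, authenticated_user, store=USER_STORE):
    """Answer an ACSRequest (dict with the POJO's field names) as an ACSResponse dict.

    authenticated_user is the principal established by the HTTP Basic login
    protecting the ACS endpoint. A request for another userId is refused, so
    the service cannot be used to enumerate other users' roles.
    """
    user_id = request.get("userId") or ""
    if user_id.lower() != authenticated_user.lower():
        raise PermissionError("userId does not match the authenticated caller")
    # Same case-insensitive match as equalsIgnoreCase in UserRessource.
    entry = store.get(user_id.lower(), EMPTY)
    # Assumed contract: an absent filterMask means "return both kinds".
    mask = set(request.get("filterMask") or ("role", "privilege"))
    role_filter = request.get("roleFilter") or []
    priv_filter = request.get("privilegeFilter") or []

    def narrow(have, wanted):
        # An empty filter list means "return everything the user has";
        # otherwise return only the values the client asked about.
        return [v for v in have if not wanted or v in wanted]

    return {
        "userId": user_id,
        "roles": narrow(entry["roles"], role_filter) if "role" in mask else [],
        "privileges": (narrow(entry["privileges"], priv_filter)
                       if "privilege" in mask else []),
    }


@dataclass(frozen=True)
class Feature:
    name: str
    required_privileges: tuple = ()  # () means no constraint: always shown


# Hypothetical constraints matching the article's test scenario; the
# Accounts constraint is constructed (the article does not specify one).
FEATURES = (
    Feature("HR", ("priv1",)),
    Feature("Accounts", ("priv4",)),
    Feature("Finance", ("priv3",)),
    Feature("Operations"),
)


def visible_features(features, acs_response=None):
    """Names of the features whose privilege constraint is satisfied.

    Before login acs_response is None and the user's privilege set is empty,
    so only unconstrained features appear; after login a feature is shown
    when every privilege in its constraint is present in the ACS response.
    """
    have = set(acs_response["privileges"]) if acs_response else set()
    return [f.name for f in features if set(f.required_privileges) <= have]


if __name__ == "__main__":
    print("before login:", visible_features(FEATURES))
    for user in ("testuser1", "testuser3", "testuser4", "nobody"):
        resp = acs_lookup({"userId": user, "filterMask": ["role", "privilege"]}, user)
        print(user, resp, visible_features(FEATURES, resp))
```

Run stand-alone, the script reproduces the article's observations: only Operations is visible before login, testuser1 additionally sees HR, and testuser3 additionally sees Finance. An unknown but authenticated user gets an empty, well-formed response and therefore sees only Operations.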

References
http://docs.oracle.com/middleware/mobile200/mobile/develop/maf-securing.htm#BCGGCBCF
About the Author
Namit Kakkar is a Principal Consultant in Oracle Consulting Services- Global Service Delivery, where his focus is on ADF, Webcenter, and Oracle mobile applications.