Role based Security in JET application

Rmathew-Oracle Member Posts: 53
edited Dec 4, 2015 2:45PM in Oracle JET

Hi All,

    Please let me know if we have any samples/documentation on how to set up role-based access control in a JET application. I am looking for some guidance in terms of how it can integrate with an SSO solution based on OAM or SAML. The JET application will be deployed on a WebLogic server and should be able to hide/show certain actions and pages based on application roles the logged-in user has.

Regards,

Rekha

Answers

  • John 'JB' Brock-Oracle Posts: 2,700 Employee
    edited Dec 4, 2015 2:45PM

    Hi Rekha,

    Oracle JET is a pure client-side framework and has no knowledge of the server other than what you tell it. Since the pages that JET produces are all running in the browser, dynamically hiding or showing sections of the page would be a security issue since all of the data would exist in the DOM whether it is shown or not. 

    The proper way to do this would be to control which data is sent from the server in the first place, based on the authentication built into the REST service.  The JET application is not going to perform any kind of authentication or authorization.  It's the server that it is hosted from that would perform that task and the REST calls made from the application would perform whatever header manipulation is required to tell the REST service what data to send down to the application.

    You could do some page layout and rendering conditionally based on session tokens in cookies, but that is about the only thing you are going to get at the client side that wouldn't be exposed to the DOM in some way.

    Hope that helps
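
The server-side approach described in the answer above, sketched as an added example that is not part of the original thread or of Oracle JET: the REST layer releases only the fields and actions the caller's roles permit, and the client renders from that response instead of hiding markup. The role names, field names, sample record and function names are hypothetical, and the server logic is written in JavaScript for illustration; in the deployment discussed it would live in the REST service behind the SSO layer.

```javascript
// Constructed example: role names, field names and the sample record are hypothetical.
// Deny by default: a field or action absent from the policy is never released.
const FIELD_POLICY = new Map([
  ['id', ['viewer', 'approver', 'admin']],
  ['customer', ['viewer', 'approver', 'admin']],
  ['total', ['approver', 'admin']],
  ['internalNotes', ['admin']],
]);
const ACTION_POLICY = new Map([
  ['approve', ['approver', 'admin']],
  ['delete', ['admin']],
]);

function allowed(policy, name, roles) {
  return (policy.get(name) || []).some((role) => roles.includes(role));
}

// Server side: runs in the REST service after the SSO layer has authenticated
// the caller and supplied its roles. Only permitted fields leave the server.
function serializeOrder(order, roles) {
  const body = {};
  for (const [key, value] of Object.entries(order)) {
    if (allowed(FIELD_POLICY, key, roles)) body[key] = value;
  }
  // Advertise permitted actions so the client knows which controls to render.
  body.actions = [...ACTION_POLICY.keys()].filter((a) => allowed(ACTION_POLICY, a, roles));
  return body;
}

// Server side: re-check on every state-changing request. The "actions" list
// above is a rendering hint; a client can still send any request it likes.
function authorizeAction(action, roles) {
  return allowed(ACTION_POLICY, action, roles)
    ? { status: 200 }
    : { status: 403, error: 'forbidden' };
}

// Client side (for example a view model): build controls only from what the
// server returned, so nothing restricted is present in the DOM to be unhidden.
function visibleButtons(responseBody) {
  return responseBody.actions.map((a) => `button:${a}`);
}

// Constructed record as it might exist in the backing store.
const ORDER = { id: 17, customer: 'ACME', total: 1200, internalNotes: 'credit hold' };

console.log(serializeOrder(ORDER, ['viewer']));
console.log(serializeOrder(ORDER, ['admin']));
console.log(authorizeAction('delete', ['approver']));
```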