Sunday, December 26, 2010

Understanding Oracle UCM 11g and Oracle ADF 11g Security Integration

Combination of Oracle UCM 11g and Oracle WebCenter/ADF 11g technologies will help you to implement document management applications. There is a special area you should keep in mind - security. Sometimes is not too obvious and can make your system open for hacking attacks. I will describe possible scenario how one user can view all documents and how to prevent this with UCM security accounts, if tight security must be enabled for your system.

Download sample application for this post - UCMNewFolderDC.zip.

As a condition for our experiment, all Content Repository folders are protected by security group - HumanResources:


File is being uploaded by redsam1 user for employee #id = 206:


Another file for employee #id = 200:


When user selects employee, UCM path is calculated and it restricts from navigation through other folders. If user selects employee #id = 200, this means WebCenter Content Manager ADF task flow will bring documents only from that folder mapped with employee #id = 200. If user is restricted to see employee #id = 206 data, this means documents are unaccessible as well? No - we still can open documents. While employee #id = 200 is selected, right click on any of the documents and select Copy Link:


Copy paste this link into new tab of the same browser:


Selected image is rendered as expected:


Now we can remove document and folder names from URL path, try to open root folder:


And here we go - we can see documents folders for other employees (even it is prevented in WebCenter Content Management ADF task flow):


Even more, we can enter into other employee (#206) documents folder:


View and download existing documents:


Of course, this can be done only by the user, who is authorized to login into the system. But still, this user can view other users documents without authorization, simply by changing hardcoded URL path directly:


Document is downloaded:


If documents stored inside different folders share common security level, it is enough to apply only one Security Group - then users assigned with that Security Group will be able to browse through those folders using URL path. However, if users of the same Security Group are not allowed to browse through other users folders, additionally to UCM Security Groups, we need to apply UCM Security Accounts. In theory, we could have different Security Groups for different users, but then we will end up in too many different Security Groups. This means, we should apply intersection between Security Groups and Security Accounts in UCM Content Repository.

I will explain how to assign Security Account through Oracle Content Server User Admin applet (from Admin Applets section):


For this exercise I'm using two users - redsam1 and redsam2, both of them are declared in UCM:


In the same applet, from Security menu I can define different accounts, for example - DepartmentOneGroup and DepartmentTwoGroup. I will use these account to grant them to the users:


By default, every user is granted full access to the documents without accounts:


I will revoke full access to the documents without accounts and grant DepartmentOneGroup account for redsam1:


Another user - redsam2, is granted with DepartmentTwoGroup account:


Once accounts are granted to the users, we need to update existing folders with proper accounts, otherwise these folders will be inaccessible. Folder #200 is granted for DepartmentOneGroup account:


Folder #206 is granted for DepartmentTwoGroup account.

We can test configured Content Repository accounts security. Login with user redsam1:


User redsam1 is granted with DepartmentOneGroup, same account as one configured for folder #200:


While folder #206 is configured for DepartmentTwoGroup account, and is inaccessible for user redsam1 as expected:


Go back into folder #200 and open one of the available documents in new tab:


Document:


Will be rendered by URL:


If we try to change URL to point to the root folder:


Content will be hidden and inaccessible, because root folder is not assigned with any account and user redsam1 is not granted access to folders without accounts (as per configuration above):


Let's login as another user - redsam2:


Folder #206 is granted for DepartmentTwoGroup account and is visible for redsam2 user:


We can open documents from #206 folder:


But can not change folder and open documents from another account, for example folder #200:


Content Repository resource will be not found (as expected):


Our experiment is successful, combination of Security Group and and Account allows to prevent users to open unauthorized folders, even they are granted with the same Security Group.

If you need to create Oracle UCM Content Repository folder programmatically, add one more parameter through RIDC API - dDocAccount:


You can retrieve account name for current user, for example - through ADF Security Context populated from WebLogic security provider:


Content Repository folder will be created programmatically, user can upload documents:


Current user account name will be assigned to the folder:


And to the uploaded content as well:

Oracle UCM 11g and ADF Data Control Connection

Oracle WebCenter 11g provides out of the box ADF task flows for Oracle UCM 11g content repository management - Oracle Universal Content Management 11g and Oracle ADF/WebCenter 11g Integration. It might be not enough, especially when implementing custom solutions. For those custom cases, we have option to define Data Control connection and retrieve information about stored documents through Bindings layer. One practical use case - select and retrieve ID's for the selected documents, store those ID's into database table. I will describe in this blog, how to retrieve selected documents ID's from Data Control defined on Content Repository connection.

Sample application allows user to select documents from custom list-of-values screen and retrieves ID's of these documents for future processing - UCMNewFolderDC.zip.

Oracle WebCenter 11g ADF task flow for Content Repository provides all required functionality:


However if we want to implement custom screens, for example like this custom list-of-values with documents for selected employee, we need to use Data Control generated for Content Repository connection:


Users will be able to select multiple documents and store their selection into database (custom functionality):


ID's and names for the selected documents are retrieved and can be processed in ADF:


Data Control for Content Management connection is created directly from Content Repository connection:


By default, document ID is not included into Data Control attributes list. You should add one more attribute, name it id (or give any other name you like) and change type to Long:


JCR Path points to Oracle UCM 11g Content Repository metadata structure. You will retrieve document ID, by pointing to jcr:content/idc:metadata/idc:dID. This will bring ID for current document:


Standard ADF Data Control is generated, there is getItems(path, type) method to retrieve list of documents from Content Repository by predefined path and type (all, documents or folders):


Drag and drop Return variable of getItems(path, type) method into ADF Faces fragment/page and create ADF Faces table component (filtering, sorting and selection features are provided by default):


Name column is combined to show document name:


And same time to open content by document URI:


Oracle UCM 11g Data Control method getItems(path, type) provides two parameters - path and type. Sample application retrieves folder path dynamically and brings only documents (no folders):


Custom list-of-values dialog listener is retrieving keys of the selected rows and accessing id/name values for each selected document:


There is one trick, when you want to enable multiple selection and access selected row keys in Java. First, make sure multiple selection property is set:


Then make sure, this line is removed from ADF Faces table tag:

selectionState= "#{bindings.findAllDepartments1.collectionModel.selectedRow}"

Otherwise, it will return always only one selected key. Based on my blog post from 2007 for ADF 10g, seems like some things never change - Multi-selection feature and ADF Faces af:table component.