Monday, April 24, 2017

ADF BC Groovy Expression Security Policy Configuration

Today I'm going to explain how to configure Groovy expression security policy. This could be helpful, if you dont want to change trustMode property to trusted everywhere across the app, but looking for single configuration point.

My sample app - GroovyPermissionApp.zip, contains bind variable with expression reference pointing towards custom method located in AM implementation class:


JDEV 12.2.1.2 returns compilation error for Groovy expression, can't resolve applicationModule property:


Such kind of checks can be disabled in Model project configuration. Uncheck option for Groovy Expression Type Validation:


JDEV 12.2.1.2 by default creates Groovy expressions in untrusted mode. If you change it to trusted, expression would work OK. However, if your app contains many expressions like this, you may want to ignore trustMode property:


If you run ADF BC tester in JDEV 12.2.1.2, it will show error text in the log for untrusted expression. ADF BC tester will fail to start, if there is any error - we logged this issue with Oracle Support. Property applicationModule can't be resolved, when trustMode is set to untrusted:


To disable this check, we can create new class extending ExprSecurityPolicy class. Override checkProperty method to allow calls to applicationModule property:


This class should be registered in adf-config.xml:


Try to run ADF BC tester again. Error about applicationModule will be gone. This time it will complain about permission error to call getCurrentRegion method:


Method access can be granted by annotation in AM implementation class:


ADF BC tester runs, and returns VO row data:

5 comments:

Vladimir Zhilyaev said...

Nice one! Would like more topics about power of groovy in adf bc =)

Wesso said...

Nice post but if I have more methods like getCurrentRegion do I have to write that expression @AlowUntrusted...... for each method? I think make the groovy trusted is easiest than do all this ;)

Andrej Baranovskij said...

Yes. But this is designed for generic solutions, when you want to allow access to generic method, which is used in many places. Then you dont need to set trusted in 1000's of places for same method from generic class.

Andrejus

Wesso said...

UMMM Great you are true . Thank you Andrejus.

Ahmed Mamdouh said...

Can I use this method against UI labels as an expression? As I got (JBO-25151: Accessing the applicationModule property on class oracle.jbo.server.ViewRowImpl is not permitted) when I use adf.object.applicationModule.getLabel('DEPTID')