Oracle ADF with Google Firebase (Part II - Secure CRUD)

JDev: 12.2.1.3.0
Source: GitHub

In my previous blog - Oracle ADF with Google Firebase - I wrote about integrating ADF Faces with a NoSQL database like Google Firebase. Till now I only discussed about fetching data from an insecure connection. But in a real world scenario, we would want the REST APIs to be secured so that only an authenticated user should be able to access the database.

This article will extend the previous application further by securing the REST APIs with a web token, and will ensure that a Bearer token is required in order to access the data. This article will also showcase generic crud operations.

Google Firebase also allows provides it's own authentication system, however, we will not be using that, since our application will be hosted on WebLogic server, which is supposed to take care of authentication and authorization. What we would do is to generate a secure token once WebLogic authenticates and authorizes the user, and use this token to access the database.

The first step towards this would be to lock my database against an unauthorized user. I would modify the database rules as shown below:


What this means is, if I simply try to access any of the data nodes (e.g. https://hrstore-test.firebaseio.com/Employees.json) from my browser, I would receive an error.


Once the user is checked by WebLogic, the next steps would be to initialize the Firebase instance and generate a web token. Before this, we would need a service-account private key json file. This file can be downloaded from Firebase project settings > service accounts > Generate new private key.


In the initFirebase method, I use this file to initialize the Firebase instance, with a name of my choice (hrstore in this case).

In the generateAccessToken method, I make use of the same file to generate a token. This token is passed onto the REST APIs as an Authorization token.

The sample application showcases the usage of this token for GET, PUT and DELETE methods. For PUT method, a POJO is converted into a JSON object using an ObjectMapper. This is needed as the firebase database stores data as JSON tree, and thus JSON is the only mode of transport.


I use my own PropertyNamingStrategy, so that the members of the generated JSON object would have the first letter capitalized. A sample JSON object generated from a Department POJO would be:

{
   "DepartmentId": 100,
   "DepartmentName": "Test department",
   "ManagerId": 101,
   "LocationId": 1700
}

This gives me an additional advantage of mapping the exact column names with the ADF BC's view object attribute names.

The following generic getData, saveData and deleteData methods showcase generic approach for GET, PUT and DELETE operations:


 

There is no clear documentation on the life-span of the token, but according to some online discussions, it is about one hour. Each rest call verifies the return status, and re-generates the key when it is 401 (unauthorized).

For a complete list of SDK jars, refer to GoogleLib. This project can be built into a war file and can be deployed to WebLogic as a shared library. This library can be referenced from your application via weblogic.xml as "google-shared-lib".

Update: refer to the next article on this topic - Oracle ADF with Google Cloud Storage.

Cheers!

Comments