Oracle9iAS Containers for J2EE Services Guide
Release 2 (9.0.2)

Part Number A95879-01

Developing Secure J2EE Applications

This chapter describes how to develop secure Java2 Platform, Enterprise Edition (J2EE) applications using the JAAS Provider and Oracle9iAS Containers for J2EE (OC4J).

This chapter contains these topics:

Developing Secure J2EE Applications Overview

J2EE application developers develop, deploy, and manage Web-enabled, server-centric, enterprise-level Java applications that are deployed in multiple-tier environments. Using the JAAS provider enables developers to make these applications secure.

In J2EE applications, the JAAS provider is integrated with OC4J and provides the JAZNUserManager, an implementation of the OC4J UserManager.

After the creation of realms and related components described in Chapter 7, "Managing the JAAS Provider", the JAAS Provider can be integrated into J2EE applications to provide the following services:

Authentication in the J2EE Environment

Authentication is the process of verifying the identity of a user in a computing system, often as a prerequisite to granting access to resources in a system. User authentication in the J2EE environment is performed with the following:

Before HTTP requests can be dispatched to the target servlet, the JAZNUserManager gets the authenticated user information (set by mod_osso) from the HTTP request object and sets the JAAS subject in OC4J.

Running with the Permissions and Roles Associated with an Authenticated Identity (Optional)

You can choose to configure the JAZNUserManager so that a filter enables the target servlet to run with the permissions and roles associated with an authenticated identity or run-as identity. To do this, configure the jazn-web-app element.

See Also:

Chapter 7 of the Oracle9i Application Server Security Guide and "JAZNUserManager" for further information on options and configuration of the JAZNUserManager filter, including the jazn-web-app element

Interception of Servlet Invocation

The JAZNUserManager intercepts calls from Oracle9iAS Single Sign-On or the JAAS Provider RealmLoginModule and retrieves authentication information to identify the username and role.

Retrieving Authentication Information

The following javax.servlet.HttpServletRequest APIs retrieve authentication information within the servlet:

(Optional if the Filter Element Has Been Set)

If the filter element has been set, JAZNUserManager performs the following when doFilter(ServletRequest request, ServletResponse response, FilterChain chain) is invoked:

The filter element constructs a JAZNServletRequest request for the HTTP request.

(End of Optional Section)

Authorization begins with a call to Subject.doAs().

Authorization in the J2EE Environment

Authorization is the process of granting the permissions and privileges to which the user is entitled.

Once the user is authenticated, the JAZNUserManager invokes the target servlet within a Subject.doAs() block to enable JAAS-based authorization in the target servlets.
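The following filter is an added illustration of the pattern described in the two passages above (the filter element wrapping the HTTP request, and the target servlet being invoked inside a Subject.doAs() block). It is not code from this guide and not OC4J's JAZNUserManager; the request attribute name example.auth.subject, the SubjectFilter, SubjectRequest, UserPrincipal and RolePrincipal classes, and the assumption that an upstream login step has already stored a JAAS Subject in the request are all assumptions made for the example.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Iterator;
import javax.security.auth.Subject;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Illustrative filter, not OC4J's JAZNUserManager: it wraps the HTTP request so
 * that getRemoteUser()/getUserPrincipal()/isUserInRole() answer from the
 * authenticated JAAS Subject, then runs the rest of the chain inside
 * Subject.doAs() so that the target servlet executes with that Subject.
 */
public class SubjectFilter implements Filter {

    /** Request attribute in which an upstream login step stored the Subject (assumed name). */
    static final String SUBJECT_ATTR = "example.auth.subject";

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, final ServletResponse resp,
                         final FilterChain chain)
            throws IOException, ServletException {
        final Subject subject = (Subject) req.getAttribute(SUBJECT_ATTR);
        if (subject == null) {
            // No authenticated identity: refuse instead of running the servlet anonymously.
            ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        final ServletRequest wrapped = new SubjectRequest((HttpServletRequest) req, subject);
        try {
            // Everything invoked from run() sees 'subject' as the current JAAS Subject, so an
            // AccessController.checkPermission() call in the servlet is decided by its principals.
            Subject.doAs(subject, new PrivilegedExceptionAction() {
                public Object run() throws IOException, ServletException {
                    chain.doFilter(wrapped, resp);
                    return null;
                }
            });
        } catch (PrivilegedActionException e) {
            // doAs wraps checked exceptions thrown by run(); unwrap them for the container.
            Exception cause = e.getException();
            if (cause instanceof IOException) {
                throw (IOException) cause;
            }
            throw (ServletException) cause;
        }
    }

    /** Request wrapper whose security view is derived from the Subject's principals. */
    static class SubjectRequest extends HttpServletRequestWrapper {
        private final Subject subject;

        SubjectRequest(HttpServletRequest req, Subject subject) {
            super(req);
            this.subject = subject;
        }

        public Principal getUserPrincipal() {
            Iterator it = subject.getPrincipals(UserPrincipal.class).iterator();
            return it.hasNext() ? (Principal) it.next() : null;
        }

        public String getRemoteUser() {
            Principal user = getUserPrincipal();
            return user == null ? null : user.getName();
        }

        public boolean isUserInRole(String role) {
            for (Iterator it = subject.getPrincipals(RolePrincipal.class).iterator(); it.hasNext();) {
                if (((Principal) it.next()).getName().equals(role)) {
                    return true;
                }
            }
            return false;
        }
    }

    /** Minimal principal types for this example (assumptions, not JAZN realm classes). */
    static class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }
    static final class UserPrincipal extends NamedPrincipal {
        UserPrincipal(String name) { super(name); }
    }
    static final class RolePrincipal extends NamedPrincipal {
        RolePrincipal(String name) { super(name); }
    }
}
```

The filter would be registered with an ordinary filter and filter-mapping entry in web.xml, positioned after whatever step populates the Subject. Two design points matter for security: a request with no Subject is rejected rather than passed through as an anonymous caller, and the servlet's view of the user (getRemoteUser, isUserInRole, getUserPrincipal) is derived only from the Subject's principals, never from client-supplied request data.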

Authorization is achieved through the following:

Testing and Executing the J2EE Application

After completing all configuration tasks, follow these steps to test or execute the JAAS Provider within OC4J. These steps assume the following:

To build and configure your application, a sample application, callerInfo, has been provided. Chapter 5, "Quick Start JAAS Provider Demo" describes how to quickly run this sample application. This chapter elaborates on the information in Chapter 5 and discusses available configuration options.

See Also:

Chapter 7 of the Oracle9i Application Server Security Guide for detailed configuration information

Setting Up

You must perform the following tasks to test and run a J2EE application:

Task 1: Install Ant (Optional)

You can either install Ant, an XML-based build tool (similar to make) from Apache's Jakarta Project, or use jar directly. If you do not have Ant installed, you can download it from:

Once you have installed Ant, and before running it, you must configure files as described in the next section, "Task 2: Modify OC4J Files".

Task 2: Modify OC4J Files

In order to run a servlet, you need to modify several OC4J files.

Modifying OC4J Files Where OC4J is Not Running

Deploying an Application When the OC4J Server is Running

If the OC4J server is already up and running, you can perform the following steps to deploy your application.

java -jar $J2EE_HOME/admin.jar ormi://oc4j_host:rmi_port admin_user admin_password -deploy -file $J2EE_HOME/jazn/demo/myApp1/myApp1.ear -deploymentName myApp1

java -jar $J2EE_HOME/admin.jar ormi://oc4j_host:rmi_port admin_user admin_password -bindWebApp myApp1 myApp1-web default-web-site /jazn

For the callerInfo demo, enter the following:

java -jar $J2EE_HOME/admin.jar ormi://oc4j_host:rmi_port admin_user admin_password -deploy -file $J2EE_HOME/jazn/demo/callerInfo/callerInfo.ear -deploymentName callerInfo

java -jar $J2EE_HOME/admin.jar ormi://oc4j_host:rmi_port admin_user admin_password -bindWebApp callerInfo callerInfo-web default-web-site /jazn

See Also:

  • Oracle9iAS Containers for J2EE User's Guide for further information on OC4J configuration

  • Chapter 7 of the Oracle9i Application Server Security Guide for further information on JAAS Provider configuration

Task 3: Change Default Configurations

The default realm is set to sample_subrealm. To change to another realm, you must modify the jazn element of the OC4J orion-application.xml (in the directory jazn/demo/callerinfo/etc/) as follows:

Using XML-Based Realms (Default)

Using LDAP-Based Realms

Since the installation defaults to the XML-based provider type, you need to modify certain files if you are using the LDAP provider type environment.


You must use the Oracle9iAS Infrastructure installation type if you use the LDAP provider type environment.

In the orion-application.xml file in directory jazn/demo/callerinfo/etc/, make the following changes:

Using SSL and SSO Integration

If you are using SSO or SSL integration, make the following addition to the mod_oc4j.conf file to add redirection information.

Oc4jMount /jazn/* ajp13_worker 
Oc4jMount /jazn ajp13_worker 

Assuming that ajp13_worker is a defined worker in the oc4j.conf file, these two directives send any request matching /jazn/* and any request for /jazn itself to ajp13_worker.

Using SSO

If you are using SSO integration, make the following change in the orion-web.xml:

Task 4: Build the Directory

To build the directory, either use jar or Ant to create a new directory (build) containing the .EAR and .WAR files for your application.

To build the directory using Ant:

  1. Open a command line shell.

  2. Go to the jazn/myApp1/myApp1 directory.

    For the callerInfo demo, go to the jazn/demo/callerInfo directory.

  3. Type: ant

Starting an Application

This is the first real JAAS provider test.

To start your application:

  1. Start the Oracle HTTP Server listener as follows:

  2. Start OC4J with the JAAS provider by entering the following:

    java -jar oc4j.jar 

    Or start OC4J with the JAAS provider in secure mode (assuming that you have configured your java2.policy) with the SecurityManager:

    java -jar oc4j.jar 
  3. Run the servlet from a Web browser using:


    Or to run the sample application, use:


    where 1234 is the port configured for your HTTP listener.

    See Also:

    Oracle9iAS Containers for J2EE User's Guide

Sample J2EE Application

This section shows the sample J2EE application, callerInfo, which you can run using the commands described in "Testing and Executing the J2EE Application" or in Chapter 5, "Quick Start JAAS Provider Demo".

Sample J2EE Application callerInfo

import java.io.IOException;
import java.util.Date;
import java.util.Properties;
import javax.naming.*;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * A simple demo that exercises the Servlet security APIs.
 * @author rkng
 */
public class CallerInfo extends HttpServlet {

    public CallerInfo() {
        super();
    }

    public void init(ServletConfig config)
        throws ServletException {
        super.init(config);
    }

    // Reports what the container's security APIs say about the authenticated caller.
    public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
        ServletOutputStream out = response.getOutputStream();

        out.println("<HTML><BODY bgcolor=\"#FFFFFF\">");
        out.println("Time stamp: " + new Date().toString());
        out.println("request.getRemoteUser = " + request.getRemoteUser() + "<br>");
        out.println("request.isUserInRole('FOO') = " + request.isUserInRole("FOO") + "<br>");
        out.println("request.isUserInRole('ar_manager') = " +
            request.isUserInRole("ar_manager") + "<br>");
        out.println("request.isUserInRole('ar_developer') = " +
            request.isUserInRole("ar_developer") + "<br>");
        out.println("request.getUserPrincipal = " + request.getUserPrincipal() + "<br>");
        out.println("</BODY></HTML>");
    }
}

Discussion of the J2EE Sample Application Code

When the call to callerInfo is successful, the browser displays a message similar to the following:

Time stamp: Fri Aug 24 19:11:37 PDT 2001
request.getRemoteUser =
request.isUserInRole('FOO') = false
request.isUserInRole('ar_manager') = false
request.isUserInRole('ar_developer') = true
request.getUserPrincipal = ([JAZNUserAdaptor: user=[XMLRealmUser:

Copyright © 2002 Oracle Corporation.

All Rights Reserved.