Oracle® Containers for J2EE Security Guide 10g (10.1.3.5.0)
Part Number E13977-01
Contents
List of Examples
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documentation
Conventions
What's New
Changes in Release 10.1.3.5
Changes in Release 10.1.3.4
Changes in Release 10.1.3.1
Changes in Release 10.1.3.0.0
1 Basic Security Concepts
Application-Level Security
About Authentication
About Authorization
Access Control Lists and the Capability Model of Access Control
Role-Based Access Control
Transport-Level Security
Secure Sockets Layer and HTTPS
SSL Authentication
X.509 Certificates
Key Encryption and Exchange
2 Java Platform Security
J2EE Security Model
Web Application Authentication and Authorization
Web Application Standard Authentication Methods
Web Application URL-Based Authorization
Run-As Mode and Propagated Identities in Web Applications
Related Web Application APIs
Enterprise JavaBeans Authentication and Authorization
EJB Authentication
EJB Method-Based Authorization
Run-As Mode and Propagated Identities in EJB Applications
Related EJB APIs
Identity Propagation
Java 2 Security Model
Code-Based Security
Security Permissions
Protection Domains
Java 2 Authorization: Java 2 Security Policies
Java 2 Authorization: Security Managers and Access Controllers
Java Authentication and Authorization Service
Principals and Subjects
JAAS Authentication: Login Modules
About Login Modules
Stacking Login Modules
JAAS Authorization: JAAS Security Policies
JAAS Authorization: Subject Methods doAs() and doAsPrivileged()
Security Considerations during Development
Summary: Comparing Security Models for J2EE, Java 2, and JAAS
Steps to Develop a Secure J2EE Application
3 Overview of OC4J Security
Introducing the OracleAS JAAS Provider and Security Providers
Overview of the OracleAS JAAS Provider
Summary of JAAS Framework Features
Security Realms in the OracleAS JAAS Provider
Supported Security Providers
Introducing Authentication Features in the OC4J Environment
Supported Web Application Authentication Methods
Overview of OC4J Login Modules
Overview of Oracle Application Server Single Sign-On Alternatives
JAZNUserManager Delegation (File-Based Provider)
Introducing Authorization Features in the OC4J Environment
Overview of Security Role Mapping
Overview of General-Use Identity Management Frameworks and APIs
4 Overview of Security Administration
General OC4J Deployment and Configuration Features
Tools for Oracle Application Server and OracleAS JAAS Provider
Overview of Oracle Enterprise Manager 10g Application Server Control
Overview of the OracleAS JAAS Provider Admintool
Overview of Oracle Identity Management and Oracle Internet Directory Tools
Overview of Delegated Administration Services
Overview of Oracle Directory Manager
JMX and MBeans Administration
Overview of Configuration Files and Key Elements
The orion-application.xml File (<jazn> and <jazn-web-app> Elements)
The system-application.xml File
The system-jazn-data.xml File
Application-Specific jazn-data.xml File (Optional)
The jazn.xml File
OC4J System Application
Summary of OC4J Accounts
Predefined Accounts
Activation of the oc4jadmin Account (Standalone OC4J)
Creating and Configuring a New Administrator Account
Creating a New Administrator Account
Configuring a New Administrator Account for the System Application
Configuring an Anonymous User
Summary of Configuration Repositories and Security Management Tools
5 Authorization in OC4J
Java 2 Security and Code-Based Policy Management
Specifying a Java 2 Security Manager and Policy File
Using PrintingSecurityManager to Determine Required Java 2 Permissions
Creating or Updating a Java 2 Policy File
Authorization APIs, JAAS Mode, and JACC in the OC4J Environment
JAAS Authorization and OracleAS JAAS Provider JAAS Mode
Introduction to JAAS Mode
OracleAS JAAS Provider Realm and Policy APIs
OracleAS JAAS Provider APIs for Granting or Revoking Permissions
APIs for Checking Permissions
Setting a Subject Into the OC4J Container
Implementation of Java Authorization Contract for Containers
OracleAS JAAS Provider Policy Management
Granting Permissions through the OracleAS JAAS Provider Admintool
Using OracleAS JAAS Provider Policy Management APIs
OracleAS JAAS Provider Policy Configuration
Policy Repository Setting in jazn.xml
Policy Configuration in system-jazn-data.xml
Policy Configuration in Oracle Internet Directory
Specification of the Oracle Policy Provider
Authorization Coding and Configuration
Using J2EE Authorization APIs
Obtaining a Subject
Using the checkPermission() Method
Configuring and Using JAAS Mode
Enabling the Java Authorization Contract for Containers
System Property to Enable JACC Features
System Properties to Specify the JACC Provider
Authorization Strategies
Considering J2EE Security
Considering Java 2 Security
Considering JAAS Security
6 General Tasks for OC4J Security
Tasks for Password Management
Using Password Indirection
Specifying a Password Manager in system-application.xml
Password Obfuscation in OC4J Configuration Files
Using Security Realms in OC4J
Default Realm with the File-Based Provider or Oracle Identity Management
Evaluation of Default Realm for File-Based Provider, Oracle Identity Management
Using the Default Realm
Using a Nondefault Realm
Using Multiple Realms
Omitting the Realm Name When Retrieving an Authenticated Principal
Deployment Tasks for Security
Overview of Deployment Considerations
Deploying an Application
Deploying an Application through Application Server Control
Specifying a Security Provider
Considering the File-Based Provider Versus Oracle Identity Management
Specifying the Security Provider through Application Server Control
Mapping Security Roles
Application Role Definitions and References
Specifying Security Role Mapping through Application Server Control
Mapping J2EE Roles to Deployment Roles in OC4J Configuration Files
Using the OC4J PUBLIC Role to Allow General Access by Authenticated Users
Post-Deployment Tasks for Security
Navigating to the Security Provider Page for Your Application
Tasks to Share a Library
Loading the Library as an OC4J Shared Library
Importing the Library into Your Application
7 File-Based Security Provider
Tools for File-Based Provider Policy and Realm Management
Configuring the File-Based Provider in Application Server Control
Configuring the File-Based Provider during Application Deployment
Changing to the File-Based Provider after Deployment
Managing Application Realms through Application Server Control
Search for a Realm
Create a Realm
Delete a Realm
Managing Application Users through Application Server Control
Search for a User
Create a User
Delete a User
Edit a User
Managing Roles through Application Server Control
Search for a Role
Create a Role
Delete a Role
Edit a Role
Administering Instance-Level Security through Application Server Control
File-Based Provider Settings in OC4J Configuration Files
Settings in the <jazn> Element for the File-Based Provider
Scenarios for <jazn> Settings in orion-application.xml
Configuration to Automatically Create an Application-Specific jazn-data.xml File
Supplying an Application-Specific jazn-data.xml File
Realm Configuration in the Repository File
Policy Configuration in the Repository File
Predefined OC4J Accounts in system-jazn-data.xml
OracleAS JAAS Provider Migration Tool
Overview of the Migration Tool
Migration Tool Command Syntax
Migration Tool APIs
Migrating Principals from the principals.xml File
Using the File-Based Provider Across an OC4J Group
OC4J Basic Group Features
Cluster MBean Browser Features and the J2EEServerGroup MBean
8 Oracle Identity Management
Initial Considerations for OC4J Support of Oracle Identity Management
Overview of Oracle Identity Management Key Components
Overview of Oracle Internet Directory
About Distinguished Names
Overview of Oracle Single Sign-On
SSO-Enabled J2EE Environment: Typical Scenario
Prerequisite: Oracle Application Server Infrastructure
Steps to Use the Oracle Identity Management Security Provider
Associate Oracle Internet Directory with OC4J
Associating Oracle Internet Directory with OC4J
Changing the Oracle Internet Directory Association
Required Accounts Created in Oracle Internet Directory
Oracle Internet Directory Association in jazn.xml
Considering Multiple OC4J Instances when Associating Oracle Internet Directory
Configure SSO (Optional)
Run the SSO Registration Tool
Transfer the osso.conf File to the OC4J Instance
Run the osso1013 Script
Synchronization of OracleAS JAAS Provider User Context with Servlet Sessions
Restart the Oracle HTTP Server and OC4J Instances
Configure Oracle Identity Management as the Security Provider
Specifying Oracle Identity Management during Deployment
Changing to Oracle Identity Management after Deployment
Settings for Authentication Method with Oracle Identity Management
OC4J Configuration for Oracle Single Sign-On Authentication
Using Digest Authentication with Oracle Internet Directory
Realm Management for the LDAP-Based Provider
Overview of OracleAS JAAS Provider Realms for Oracle Identity Management
Realm Hierarchy for the OracleAS JAAS Provider
Relation of JAAS Provider Realms to Oracle Internet Directory Realms
Access Control Lists and OracleAS JAAS Provider Directory Entries
Realm Management for Oracle Identity Management
Managing Realms in Oracle Internet Directory
Changing Your Default Realm
Using Multiple Realms and Oracle Single Sign-On with OC4J
LDAP-Based Provider Settings in OC4J Configuration Files
Configuring LDAP User and SSL Properties
Configuring LDAP Connection Properties
Configuring LDAP Caching Properties
Tips and Troubleshooting for the LDAP-Based Provider
Checking Configuration (JAZN-LDAP)
Using ldapsearch to Retrieve Realm Names from Oracle Internet Directory
Avoiding OC4J Restart for Oracle Internet Directory Changes to Take Effect
Accessing the Oracle Single Sign-On Administration Pages
9 Login Modules
Initial Login Module Considerations
Specification of the Oracle Login Configuration Provider
Login Module Notes and Tips
Login Modules Supplied with OC4J
RealmLoginModule
DBTableOraDataSourceLoginModule
DBTableOraDataSourceLoginModule Options
Configuring DBTableOraDataSourceLoginModule in Application Server Control
Configuring DBTableOraDataSourceLoginModule in the Admintool
Sample DBTableOraDataSourceLoginModule Settings in system-jazn-data.xml
Principals for DBTableOraDataSourceLoginModule
Implementing DBLoginModuleEncodingInterface for Password Encryption
Previous Functionality: DataSourceUserManager (Deprecated)
Introducing Custom JAAS Login Modules
Summary of Choices for Packaging Login Modules
Packaging Login Modules within the J2EE Application
Providing Login Modules as Optional Packages
Providing Login Modules as OC4J Shared Libraries
Configuring the Custom Security Provider in Application Server Control
Specifying and Configuring a Custom Security Provider during Deployment
Editing a Custom Login Module Configuration during Deployment
Adding a Custom Login Module during Deployment
Changing to a Custom Security Provider after Deployment
Adding a Login Module to the Custom Security Provider
Updating a Login Module in the Custom Security Provider
Deleting a Login Module in the Custom Security Provider
Using Admintool to Configure Login Modules and Grant RMI Permission
Configuring Login Modules through the Admintool
Granting RMI Permission through the Admintool
Summary of Login Module Configuration in OC4J Configuration Files
Login Module Settings in system-jazn-data.xml
Login Modules Settings in orion-application.xml
Settings in <jazn-loginconfig> in orion-application.xml
Settings in <jazn> for Login Modules
Settings in <namespace-access> for Access to JNDI Context
Specifying the Mapping Attribute
Login Module Settings in oc4j-ra.xml (J2EE Connector Architecture)
Step by Step: Integrating a Custom Login Module with OC4J
Develop the Login Module
Configure and Package the Login Module
Configuration to Enable Login Module Usage
Configuration of the Login Module
Configure Namespace Access and Role Mappings (as applicable)
Deploy the Login Module
Grant RMI Permission (as applicable)
Set JNDI Properties (as applicable)
Custom Login Module Example
SampleLoginModule Code
SamplePrincipal Code
10 External LDAP Security Providers
Overview of External LDAP Provider Configuration and Administration
Configuring External LDAP Providers in Application Server Control
Specifying and Configuring an External LDAP Provider during Deployment
Changing to an External LDAP Provider after Deployment
External LDAP Provider Settings in system-jazn-data.xml
Creating Necessary Accounts and Granting Necessary Permissions
Creating the Administrative User and Roles and Granting RMI Permission
Granting RMI Permission to an LDAP Principal
Granting Additional Permissions to External LDAP Principals
Using JAAS Mode with External LDAP Providers
Sample Configuration for Sun Java System Directory Server
Sample LDIF Description
Sample Entries in OC4J Configuration Files
Settings in system-jazn-data.xml for Sun Java System Directory Server
Settings in orion-application.xml for an External LDAP Server
Using SSL with External LDAP Providers
Initial SSL Considerations for External LDAP Providers
Configuring OC4J to Use SSL with an External LDAP Provider
Configuring the External LDAP Provider for SSL
11 Oracle Access Manager
Getting Started with Oracle Access Manager
Overview of Oracle Access Manager
Oracle Access Manager Prerequisites
Oracle Access Manager Architecture
Top-Level Summary of Configuration Stages for Oracle Access Manager
Running the Policy Manager
Oracle Access Manager Concepts
About Oracle Access Manager Resource Types
About Oracle Access Manager Authentication
About the Oracle Access Manager Single Sign-On Cookie
About Using HTTP Header Variables for Authentication
Configuring Oracle Access Manager
Configure Oracle Access Manager Form-Based Authentication
Create a Login Form
Define Form-Based Authentication in Policy Manager
Configure the credential_mapping Plug-In for Form-Based Authentication
Configure the validate_password Plug-In for Form-Based Authentication
Configure Oracle Access Manager Basic Authentication
Define Basic Authentication in Policy Manager
Configure the credential_mapping Plug-In for Basic Authentication
Configure the Resource Type
Configure the Name and Operation of the Resource Type
Configure and Protect the URL of the Configured Resource Type
Configure the Return Action Attributes
Protect the Action URL
Configuring OC4J with the Access Manager SDK
Create OC4J Instances as Needed
Configure the Access Manager SDK to Each OC4J Instance
Configure the Access Manager SDK Library Path for Each OC4J Instance
Configuring opmn.xml for Oracle Access Manager
Creating Required Accounts in the LDAP Server
Configuring the Application
Protect the Application URLs in web.xml
Settings for Application Deployment
Configure Oracle Access Manager SSO in orion-application.xml
Protect the Application URLs in Oracle Access Manager
Configure the Oracle Access Manager Login Module
Test the Application
Granting Permissions to Oracle Access Manager Principals
Granting RMI Permission to an Oracle Access Manager Principal
Granting Required Permissions to Additional Oracle Access Manager Principals
Confirming Configured Realm Names for Oracle Access Manager Principals
Considerations for Oracle Application Server SOA Applications
Configure Logout for Oracle Application Server SOA Applications
Troubleshooting Login to Oracle Application Server SOA Applications
Oracle Access Manager Examples for J2EE Applications
Web Application Using HTTP Header Variables through Oracle Access Manager
Configure Name and Password in Policy Manager
Configure HTTP Header Variables for the Oracle Access Manager Login Module
Secure the Web Application That Uses HTTP Headers
Web Application Using the Oracle Access Manager ObSSOCookie
Configure User Name and Password for the Oracle Access Manager Login Module
Secure the Web Application That Uses ObSSOCookie
EJB Application Using Oracle Access Manager
Oracle Access Manager Support and Examples for Web Services
Web Service with Username Token Authentication for Oracle Access Manager
Web Service with X.509 Token Authentication for Oracle Access Manager
Web Service with SAML Token Authentication for Oracle Access Manager
Troubleshooting the Oracle Access Manager Setup
12 User and Role API Framework
Overview of User and Role (Identity Management) API Framework
User and Role API Features to Replace UserManager, User, Group
User and Role API Framework and Providers
Summary of User and Role Interfaces and Classes
User and Role Interface Descriptions
User and Role Class Descriptions
User and Role API Usage Models
Step by Step: Basic Usage Model
Step by Step: OC4J Integration Usage Model
Permission Requirements for the OC4J Integration Feature
User and Role Properties File
Example: Basic User and Role API Framework
Example: OC4J Integration with User and Role API Framework
13 Pluggable Identity Management Framework
Overview of OracleAS JAAS Provider Identity Management Framework
Need for a Pluggable Identity Management Framework
How the Identity Management Framework Works
Overview of Identity Management Framework Programmatic Implementation
Overview of Identity Management Framework Configuration
Use of the Identity Management Framework by OC4J Java Single Sign-On
Identity Management Framework Programmatic Interfaces
Identity Token Interface and Oracle Implementations
Token Collector Interface and Oracle Implementation
Token Asserter Interface
Identity Callback Handler Interface
Oracle Callback Implementations
Identity Callback
HTTP Request Callback
Login Module Requirements
Subject Asserter Interface
Packaging Your Identity Management Framework Implementation Classes
Identity Management Framework Configuration
Configuring Identity Management Framework Properties
Configuring the Identity Management Framework Login Module
Configuring an Application to Use the Identity Management Framework
Considerations for Multiple OC4J Instances
Summary of How to Use the Identity Management Framework
Sample Use Case: Using a Header-Based Identity Token
Sample Token Collector: CollectorImpl.java
Sample Token Asserter: TokenAsserterImpl.java
Sample Configuration: jazn.xml
14 OC4J Java Single Sign-On
Overview of OC4J Java SSO
Need for an OC4J Container-Level Java Single Sign-On Solution
How Java SSO Works
Single Sign-On Interaction and Logical Flow
Java SSO Runtime Operations
Java SSO Implementation of the Identity Management Framework
Java SSO Deployment Scenarios
Summary of Java SSO Configuration
About the Java SSO Login Page and Error Page
Localization Support for the Java SSO Login Page and Error Pages
Customizing the Login Page or Error Page
Java SSO Setup and Configuration
Configuring Java SSO through Application Server Control
Start the javasso Application
Set Java SSO Properties and Generate the Symmetric Key
Configure the Security Provider for the javasso Application
Configure the Security Provider for Partner Applications
Enable Partner Applications to Use Java SSO
Java SSO Configuration Properties
Java SSO Configuration Property Descriptions
Default Java SSO Property Settings for Single-Instance OC4J Installations
Configuration for Enabling Partner Applications for Java SSO
Configuration for Special Scenarios
Considerations with the File-Based Provider and Two OC4J Instances
General Considerations for Multiple OC4J Instances
Considerations When Using the 10.1.3.1 Patch over 10.1.3.0.0
Java SSO APIs
Java SSO Logout API
Summary of How to Use Java SSO
Troubleshooting Java SSO
15 SSL Communication with OC4J
Integrating the Security Provider with SSL-Enabled Applications
Using Keys and Certificates with OC4J and Oracle HTTP Server
Using SSL with Standalone OC4J
Using SSL in OPMN-Managed OC4J without Oracle HTTP Server
Configure OC4J with SSL (Scenario without Oracle HTTP Server)
Configure OPMN to Support HTTPS (Scenario without Oracle HTTP Server)
Using SSL in OPMN-Managed OC4J with Oracle HTTP Server
Configure OC4J with SSL (Scenario with Oracle HTTP Server)
Configure AJP over SSL
Configure AJPS between OC4J and Oracle HTTP Server
Configure OPMN to Support AJPS (Scenario with Oracle HTTP Server)
Sample Configuration Files for SSL
Requesting Client Authentication
Overview of OC4J Client Authentication Mode
Client Authentication to OC4J
Oracle HTTP Server Authentication to OC4J in Oracle Application Server
Client Authentication to Oracle HTTP Server
Troubleshooting and Debugging SSL
Common SSL Errors and Solutions
General SSL Debugging: javax.net.debug Property
Enabling ORMIS for OC4J
Configuring ORMIS for Standalone OC4J
Configure server.xml for the RMI Configuration File Location
Configure rmi.xml for ORMIS
Disable ORMI with ORMIS Enabled (Optional)
Configuring ORMIS for OC4J in an Oracle Application Server Environment
Configuring ORMIS Access Restrictions
Configuring Clients to Use ORMIS
Specify the Appropriate Java Naming Provider URL
Specify the Keystore and Password
Enabling ORMI Tunneling through HTTPS
Configuring a TCPS Data Source
16 Oracle Security for Client Connections
Using Non-SSL Client Authentication
Basic-Based Client Authentication
Digest-Based Client Authentication
NTLM-Based Client Authentication
HTTPS and Clients
Overview of Client-Side HTTPS Features
Supported Keystore Formats
Accessing Information for Established SSL Connections
Support for java.net.URL Framework
SSL Cipher Suites
Supported Default System Properties
Property javax.net.ssl.keyStore
Property javax.net.ssl.keyStorePassword
Property javax.net.ssl.keyStoreType
Property javax.net.ssl.trustStore
Property javax.net.ssl.trustStorePassword
Property javax.net.ssl.trustStoreType
Using HTTPClient with JSSE
Prerequisites for using JSSE
Configuring HTTPClient to Use JSSE
HTTPClient Support for SSL Host Name Verification
Enabling Host Name Verification through System Property Setting
Enabling Host Name Verification Programmatically
Using the Oracle Standard Host Name Verifier
Verifying Additional Connection Information
Migrating from Oracle Java SSL to JSSE
Code Samples for Migration to JSSE
Additional Changes Relevant for Migration to JSSE
Features for Oracle Java SSL (Deprecated)
Specifying Oracle Java SSL as the SSL Implementation for HTTPClient
OracleSSLCredential Class for Oracle Java SSL
Security-Aware Applications Support in Oracle Java SSL
Using HTTPClient with Oracle Java SSL
Sample Code (Oracle Java SSL)
Initializing SSL Credentials in Oracle Java SSL
System Property Features with Oracle Java SSL
Specifying Cipher Suites for Oracle Java SSL
Property Oracle.ssl.defaultCipherSuites
Method setSSLEnabledCipherSuites()
SSL Cipher Suites Supported by Oracle Java SSL
17 Web Application Security Configuration
Specifying the Authentication Method (auth-method)
Specifying auth-method in web.xml
Specifying auth-method in orion-application.xml
Using Basic Authentication Fallback in Digest Authentication Mode
Using Form-Based Authentication
Setting Standard Configuration for Form-Based Authentication
Setting the OC4J Flag for Client-Side Redirects
Using Client-Cert Authentication
Configuring OC4J for Client-Cert Authentication
Client-Cert Execution Flow in OC4J
Web Application Security Role and Constraint Configuration
Configuring J2EE Roles and Security Constraints
Linking Application Roles to J2EE Roles
Definition of Deployment Roles and Users
Specifying a Run-As Security Identity for a Web Application
OC4J Mapping of J2EE Roles to Deployment Roles
18 EJB Security Configuration
Authenticating and Authorizing EJB Applications
Specifying J2EE Roles and Method Permissions in the EJB Deployment Descriptor
Specifying Unchecked Security for EJB Methods
Specifying a Run-As or Caller Security Identity for an EJB
Mapping J2EE Roles to Deployment Users and Roles
Configuring Namespace Access
Specifying a Default Role Mapping for Unidentified Methods
Specifying Credentials in EJB Clients
Credentials in JNDI Properties
Credentials in the InitialContext
Permitting EJB RMI Client Access
Granting Permissions in the Browser
Configuring Anonymous EJB Lookup
Enabling and Configuring Subject Propagation for ORMI
Overview of Subject Propagation in OC4J
Enabling Subject Propagation for ORMI
Set the Subject Propagation System Property
Enable JAAS Mode
Grant RMI Permission for Subject Propagation
Sharing Principal Classes for Subject Propagation
Removing and Configuring Subject Propagation Restrictions
19 Common Secure Interoperability Protocol
CSIv2 Security Properties in internal-settings.xml (EJB Server)
CSIv2 Security Properties in ejb_sec.properties (EJB Client)
CSIv2 Security Properties in orion-ejb-jar.xml
The <transport-config> element
The <as-context> element
The <sas-context> element
Example: <ior-security-config>
20 Security Support for Resource Adapters
Overview of Security and Authentication Setup for EIS Connections
Summary of J2EE Connector Architecture Security Contract
Summary of Component-Managed Versus Container-Managed Sign-On
Summary of Security-Related Resource Adapter Configuration Elements
The oc4j-ra.xml File <security-config> Element
The oc4j-connectors.xml File <security-permission> Element
Understanding Component-Managed Sign-On
Understanding Container-Managed Sign-On
Authentication in Container-Managed Sign-On
Using Declarative Container-Managed Sign-On
Using Programmatic Container-Managed Sign-On
Using a Principal Mapping Class
Understanding the PrincipalMapping Interface APIs
Extending the AbstractPrincipalMapping Class
Configuring a Principal Mapping Class
Using a JAAS Login Module for an EIS Connection
The InitiatingPrincipal and InitiatingGroup Classes
JAAS and the <connector-factory> Element
21 Configuring Windows Native Authentication
Overview of WNA
Prerequisites for Configuring WNA
Step 1: Configure the Linux Host System as a Kerberos Client
Step 2: Create a User Account in Active Directory
Step 3: Generate and Test the Keytab File for the Linux Host
Step 4: Configure the OC4J Instance
Set Security System Properties for OC4J
Edit the System JAZN Configuration File
Edit the JAZN Configuration File
Edit Application Deployment Descriptors
Step 5: Configuring a Browser and Testing WNA
A Tips and Troubleshooting for OC4J Security
Best Practices for OC4J Security
JAAS Best Practices
HTTPS Best Practices
General OC4J Security Tips and Troubleshooting
File jazn.xml Not Found
Authentication Issues
Failure to Specify OracleAS JAAS Provider as the JAAS Provider
Realm Issues
Realm Names Omitted from User Names
Specifying Default Realm to Solve Authentication Failure
Logging
Using Oracle Diagnostic Logging with the OracleAS JAAS Provider
Using Standard JDK Logging with the OracleAS JAAS Provider Admintool
B OracleAS JAAS Provider Samples
Security Configuration for Sample Servlet
Configuration in system-jazn-data.xml
Configuration in web.xml
Configuration in orion-application.xml
Sample Servlet: Invoking J2EE Security APIs
Sample Servlet: Granting Permissions
Sample Servlet: Checking Permissions
JAAS Mode Configuration in orion-application.xml
Servlet Code for Authorization
C OracleAS JAAS Provider Admintool Reference
Getting Started with the Admintool
Running the Admintool
User Repository Location for the Admintool
Authentication for the Admintool
Using Custom Principals and Permissions with the Admintool
Summary of Admintool Command-Line Syntax and Options
Admintool Shell
Shell Support for Admintool Command-Line Options
Admintool Shell Directory Structure
Summary of Admintool Special Shell Commands
add, mkdir, and mk: Creating Provider Data
cd: Navigating Provider Data
clear: Clearing the Screen
exit: Exiting the Admintool Shell
help: Listing Admintool Shell Commands
ls: Listing Data
man: Viewing Admintool man Pages
pwd: Displaying the Working Directory
rm: Removing Provider Data
set: Updating Values
Admintool Administrative Functions
Adding and Removing Login Modules
Adding and Removing Realms (File-Based Provider Only)
Adding and Removing Roles (File-Based Provider Only)
Adding and Removing Users (File-Based Provider Only)
Setting Passwords (File-Based Provider Only)
Checking Passwords (File-Based Provider Only)
Administrative Operations
Granting and Revoking Permissions
Granting and Revoking Roles
Listing Login Modules
Listing Permissions
Listing Realms
Listing Roles
Listing Users
Converting from the principals.xml File to JAAS
D OracleAS JAAS Provider Configuration Files
Hierarchy of jazn.xml
Elements and Attributes of jazn.xml
<jazn>
<property>
Hierarchy of system-jazn-data.xml
Elements and Attributes of system-jazn-data.xml
<actions>
<application>
<class>
<codesource>
<control-flag>
<credentials>
<description>
<display-name>
<grant>
<grantee>
<guid>
<jacc-repository>
<jazn-data>
<jazn-loginconfig>
<jazn-permission-classes>
<jazn-policy>
<jazn-principal-classes>
<jazn-realm>
<login-module>
<login-modules>
<member>
<members>
<name>
<name>
<option>
<options>
<permission>
<permissions>
<principal>
<principals>
<realm>
<realm-name>
<role>
<roles>
<type>
<type>
<url>
<user>
<users>
<value>
E Third Party Licenses
Apache
The Apache Software License
Apache SOAP
Apache SOAP License
mod_mm and mod_ssl
OpenSSL
OpenSSL License
Perl
Perl Kit Readme
mod_perl 1.29 License
mod_perl 1.99_16 License
Perl Artistic License
Preamble
Definitions
Index