About OAM Security Provider for Glassfish

The OAM Security Provider for GlassFish Server is a JSR 196 Server Authentication Module (SAM) that provides authentication, authorization (optional), and single sign-on across JavaEE Web applications that are deployed on GlassFish Server. (See JSR 196: JavaTM Authentication Service Provider Interface for Containers for the specification and the related Javadocs.)

The OAM Security Provider enables GlassFish Server administrators to use Oracle Access Manager to control user access to business applications. The OAM Security Provider enables the following Oracle Access Manager functions forGlassFish Server users:

• Authenticator– This security provider uses Oracle Access Manager authentication services to authenticate users who access JavaEE applications deployed on GlassFish Server. Users are authenticated based on their credentials, such as user name and password, or client certificate.

  Authentication occurs when GlassFish Server directly receives unauthenticated requests from end-user clients for applications deployed on GlassFish Server. The OAM Security Provider challenges the user, collects the credentials and sends them to Oracle Access Manager via the configured AccessGate. The form of challenge issued (BASIC, FORM, Client-Certificate) and the security characteristics of the transport (SSL or PlainText) depend on the policies configured at Oracle Access Manager for the resource being accessed.

  Oracle Access Manager authenticates the credentials and, upon successful authentication, create an OBSSOSession. The OAM Security Provider receives this session and sets its identifier as an ORA_GF_ObSSOCookie in the response. This allows subsequent requests from the client for other resources protected by the same policy-domain to not require authentication, thereby achieving single sign-on (SSO) access to resources.

• Identity Asserter– The security provider uses Oracle Access Manager authentication services to validate already-authenticated Oracle Access Manager users using the OAM_REMOTE_USER header and creates an authenticated session.

  Identity assertion occurs when GlassFish Server is behind a proxy Oracle HTTP Server (OHS) that has an installed WebGate. The WebGate is responsible for challenging the user requests for resources. OHS then passes the OAM_REMOTE_USER header to the GlassFish Server.

  The OAM Security Provider tries to assert the identity of the user that was sent in the OAM_REMOTE_USER header.

• Authorizer – In this mode the OAM Security Provider additionally uses Oracle Access Manager authorization services to authorize users who are accessing a protected resource. The authorization is based on Oracle Access Manager policies.

Obtaining Oracle Access Manager Group Information

In the authentication function, the OAM Security Provider also tries to obtain group membership information for the authenticated user from the Oracle Access Manager backend. This information is set in a SecurityContext, which is then passed to the GlassFish Server authorization system to determine if access to the resource should be allowed.

The backend query is integrated into the JSR-196 CallerPrincipal Callback handling in the container and is transparent to the OAM Security Provider.

To obtain the group information, you configure an LDAPRealm in GlassFish Server to point to the OAM backend where the group information is stored. For example, you can use the Administration Console or the create-auth-realm command to add the following entry to the domain-specific domain.xml file:

<auth-realm classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm
 name="ldaprealm">
<property name="jaas-context" value="ldapRealm" />
<property name="base-dn" value="o=company,c=us" />
<property name="directory" value="ldap://140.87.134.98:1389" />
<property name="search-bind-dn" value="cn=Directory Manager" />
<property name="search-bind-password" value="welcome1" />
</auth-realm>