Oracle® Fusion Middleware Programming Stand-alone Clients for Oracle WebLogic Server
12c Release 1 (12.1.1)

Part Number E24378-04

14 Developing Security-Aware Clients

This chapter describes how you can develop WebLogic clients that use the Java Authentication and Authorization Service (JAAS) and Secure Sockets Layer (SSL) to create security-aware clients.

Developing Clients That Use JAAS

JAAS enforces access controls based on user identity and is the preferred method of authentication for most WebLogic Server clients. A typical use case is providing authentication to read or write to a file. For more information about how to implement JAAS authentication, see "Using JAAS Authentication in Java Clients" in Programming Security for Oracle WebLogic Server.

Note:

The WLS-IIOP client does not support JAAS. See Developing Clients that Use JNDI Authentication.

Developing Clients that Use JNDI Authentication

Users requiring client certificate authentication (also referred to as two-way SSL authentication) should use JNDI authentication, as described in "Using JNDI Authentication" in Programming Security for Oracle WebLogic Server.

Developing Clients That Use SSL

WebLogic Server provides Secure Sockets Layer (SSL) support for encrypting data transmitted between WebLogic Server clients and servers, Java clients, Web browsers, and other servers.

All SSL clients need to specify trust. Trust is the set of CA certificates that identifies which certificate authorities the client trusts. To establish an SSL connection, RMI clients must trust the certificate authorities that issued the server's digital certificates. The location of the server's trusted CA certificate is specified when starting the RMI client.

By default, all trusted certificate authorities available from the JDK (...\jre\lib\security\cacerts) are trusted by RMI clients. However, if the server's trusted CA certificate is stored in one of the following trust keystores, you need to specify certain command line arguments in order to use the keystore:

Note:

When using the keytool utility, the default key pair generation algorithm is DSA. WebLogic Server does not support the use of the Digital Signature Algorithm (DSA). Specify another key pair generation and signature algorithm when using WebLogic Server.

You can find more information on how to implement SSL in "Configuring SSL" and "Configuring Identity and Trust" in Securing Oracle WebLogic Server.

Thin-Client Restrictions for JAAS and SSL

WebLogic thin-client applications only support JAAS authentication through the following methods:

WebLogic thin-clients only support two-way SSL by requiring the SSLContext to be provided by the SECURITY_CREDENTIALS property. For example, see the client code below:

Example 14-1 Client Code with sslcontext

.
.
.
System.out.println("Getting initial context");
Hashtable<String, Object> props = new Hashtable<>();
props.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
props.put(Context.PROVIDER_URL, "corbaloc:iiops:" + host + ":" + port + "/NameService");
 
props.put(Context.SECURITY_PRINCIPAL, "weblogic");
props.put(Context.SECURITY_CREDENTIALS, "welcome1");
 
//Set the ssl properties through system property
//set the path to the keystore file (one key inside the store)
System.setProperty("javax.net.ssl.keyStore", YOUR_KEY_STORE_FILE_PATH);
//set the keystore pass phrase
System.setProperty("javax.net.ssl.keyStorePassword", YOUR_KEY_STORE_PASS_PHRASE);
 
//Set the trust store
//set the path to the trust store file
System.setProperty("javax.net.ssl.trustStore", YOUR_TRUST_STORE_FILE_PATH);
//set the trust store pass phrase
System.setProperty("javax.net.ssl.trustStorePassword", YOUR_TRUST_STORE_PASS_PHRASE);
 
Context ctx = new InitialContext(props);
.
.
.
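The following is an added example, not part of Oracle's documentation or samples: it builds an SSLContext from an identity keystore and a trust store using standard JSSE calls, rejects DSA keys (which this chapter says WebLogic Server does not support), and places the context in SECURITY_CREDENTIALS as the text above states for thin clients. The class name, the argument order, and the KEYSTORE_PASS and TRUSTSTORE_PASS environment variables are assumptions, and both variables must be set before it runs.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.Hashtable;
import javax.naming.Context;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
public class TwoWaySslProps { // hypothetical class name
    static KeyStore load(String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pass); // also verifies the store's integrity with the pass phrase
        }
        return ks;
    }
    // Fail early on DSA keys, which this chapter says WebLogic Server does not support.
    static void rejectDsa(KeyStore ks) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            if (cert != null && "DSA".equals(cert.getPublicKey().getAlgorithm())) {
                throw new IllegalStateException("DSA key under alias " + alias);
            }
        }
    }

    // Build a context holding the client identity (key managers) and the trusted CAs.
    static SSLContext build(KeyStore identity, char[] keyPass, KeyStore trust) throws Exception {
        rejectDsa(identity);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keyPass); // assumes the key pass phrase equals the store pass phrase
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // args[0] = identity keystore path, args[1] = trust store path (assumed order)
    public static void main(String[] args) throws Exception {
        char[] keyPass = System.getenv("KEYSTORE_PASS").toCharArray();     // assumed variable name
        char[] trustPass = System.getenv("TRUSTSTORE_PASS").toCharArray(); // assumed variable name
        SSLContext ssl = build(load(args[0], keyPass), keyPass, load(args[1], trustPass));
        Hashtable<String, Object> props = new Hashtable<>();
        props.put(Context.SECURITY_CREDENTIALS, ssl); // per the thin-client statement above
        System.out.println("SSLContext ready, protocol " + ssl.getProtocol());
    }
}
```

Reading the pass phrases from the environment keeps them out of the source and off the command line, unlike the literals in Example 14-1.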

Security Code Examples

Security samples are provided with the WebLogic Server product. The samples are located in the SAMPLES_HOME\server\examples\src\examples\security directory. A description of each sample, along with instructions on how to build, configure, and run it, is provided in the package-summary.html file. You can modify these code examples and reuse them.