
Oracle® Application Server Containers for J2EE Security Guide
10g (9.0.4)

Part Number B10325-02

A
JAAS Provider Standards and Samples

This appendix provides supplemental samples and standards.

This appendix contains these topics:

Sample jazn-data.xml Code

This section presents a sample jazn-data.xml file that illustrates the specific standards to which XML files must conform. This jazn-data.xml file contains a realm (jazn.com), users (two with obfuscated passwords), and roles.

See Also:

Example A-1 Sample jazn-data.xml File

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE jazn-data PUBLIC "JAZN-XML Data" "http://xmlns.oracle.com/ias/dtds/jazn-data.dtd">
<!-- The DOCTYPE names an external DTD.  A validating parser will try to fetch
     that URL unless it resolves the public id "JAZN-XML Data" to a local copy,
     so tools that validate this file should load DTDs only from trusted,
     local sources. -->
<jazn-data>


<!-- JAZN Realm Data -->
<!-- A single realm, jazn.com, with its users and roles.  Every <credentials>
     value below starts with the {903} prefix that the surrounding text
     describes as an obfuscated password; the file still holds credential
     material, so its read permissions matter.  The pwFor* users are, per their
     <description> text, holders of passwords for other components rather than
     interactive accounts.  anonymous is the only user defined without a
     <credentials> element. -->
<jazn-realm>
  <realm>
    <name>jazn.com</name>
    <users>
      <user>
        <name>SCOTT</name>
        <display-name>SCOTT</display-name>
        <credentials>{903}oZZYqmGc/iyCaDrD4qs2FHbXf3LAWtMN</credentials>
      </user>
      <user>
        <name>admin</name>
        <display-name>OC4J Administrator</display-name>
        <description>OC4J Administrator</description>
        <credentials>{903}FVb95KHGyzR9MkAS2Ru/72P/Ol6eOsQD</credentials>
      </user>
      <!-- No credentials: guest/anonymous user. -->
      <user>
        <name>anonymous</name>
        <description>The default guest/anonymous user</description>
      </user>
      <user>
        <name>pwForScott</name>
        <description>Password for database user Scott</description>
        <credentials>{903}pjbjHNP53w3haB3ygstBpsglEhQJ1dnN</credentials>
      </user>
      <user>
        <name>user</name>
        <description>The default user</description>
        <credentials>{903}Zg4KSjPqwZ6FGsCWbxiFSJpPFJNrq9Ww</credentials>
      </user>
      <user>
        <name>pwForSSL</name>
        <description>Password for ssl key and trust stores</description>
        <credentials>{903}uMg+4/e5znCrcQSH36NjbrkpHdgC6oMh</credentials>
      </user>
      <user>
        <name>pwForSystem</name>
        <description>Password for database system user </description>
        <credentials>{903}IUHuvYYGY5R9trDfQp7qY//livlqHjVV</credentials>
      </user>
    </users>
    <!-- Role membership is nested: users contains the administrators role,
         and guests contains the users role, so administrators are members of
         users and of guests as well. -->
    <roles>
      <!-- administrators: single member, user admin. -->
      <role>
        <name>administrators</name>
        <display-name>Realm Admin Role</display-name>
        <description>Administrative role for this realm.</description>
        <members>
          <member>
            <type>user</type>
            <name>admin</name>
          </member>
        </members>
      </role>
      <!-- jmxusers: defined with no members in this sample. -->
      <role>
        <name>jmxusers</name>
        <display-name>JMX users</display-name>
        <description>Allows access to application level user defined 
MBeans</description>
        <members/>
      </role>
      <!-- users: user, SCOTT and (via role membership) administrators. -->
      <role>
        <name>users</name>
        <members>
          <member>
            <type>user</type>
            <name>user</name>
          </member>
          <member>
            <type>user</type>
            <name>SCOTT</name>
          </member>
          <member>
            <type>role</type>
            <name>administrators</name>
          </member>
        </members>
      </role>
      <!-- guests: anonymous and (via role membership) users. -->
      <role>
        <name>guests</name>
        <members>
          <member>
            <type>user</type>
            <name>anonymous</name>
          </member>
          <member>
            <type>role</type>
            <name>users</name>
          </member>
        </members>
      </role>
    </roles>
  </realm>
</jazn-realm>


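<!-- JAZN Policy Data -->
<!-- Three grants, one per role of realm jazn.com.  jmxusers and users receive
     only RMIPermission "login"; administrators additionally receive realm and
     role administration permissions.  The RealmPermission/RoleAdminPermission
     entries whose class is AdminPermission have $-separated <name> values;
     presumably they describe the permission an administrator may in turn grant,
     per the JAZN documentation - confirm against the AdminPermission reference.
     (The closing tag of the modifyrealmmetadata entry was split across two
     lines in the published listing; it is a single </name> here.) -->
<jazn-policy>
  <!-- jmxusers: RMI login only. -->
  <grant>
    <grantee>
      <principals>
        <principal>
          <realm-name>jazn.com</realm-name>
          <type>role</type>
          <class>oracle.security.jazn.spi.xml.XMLRealmRole</class>
          <name>jazn.com/jmxusers</name>
        </principal>
      </principals>
    </grantee>
    <permissions>
      <permission>
        <class>com.evermind.server.rmi.RMIPermission</class>
        <name>login</name>
      </permission>
    </permissions>
  </grant>
  <!-- users: RMI login only. -->
  <grant>
    <grantee>
      <principals>
        <principal>
          <realm-name>jazn.com</realm-name>
          <type>role</type>
          <class>oracle.security.jazn.spi.xml.XMLRealmRole</class>
          <name>jazn.com/users</name>
        </principal>
      </principals>
    </grantee>
    <permissions>
      <permission>
        <class>com.evermind.server.rmi.RMIPermission</class>
        <name>login</name>
      </permission>
    </permissions>
  </grant>
  <!-- administrators: RMI login plus realm, role and server administration.
       RealmPermission actions granted on jazn.com: dropuser,
       modifyrealmmetadata, createrealm, droprealm. -->
  <grant>
    <grantee>
      <principals>
        <principal>
          <realm-name>jazn.com</realm-name>
          <type>role</type>
          <class>oracle.security.jazn.spi.xml.XMLRealmRole</class>
          <name>jazn.com/administrators</name>
        </principal>
      </principals>
    </grantee>
    <permissions>
      <permission>
        <class>oracle.security.jazn.policy.AdminPermission</class>
        <name>oracle.security.jazn.realm.RealmPermission$jazn.com$createrealm</name>
      </permission>
      <permission>
        <class>oracle.security.jazn.realm.RealmPermission</class>
        <name>jazn.com</name>
        <actions>dropuser</actions>
      </permission>
      <permission>
        <class>com.evermind.server.AdministrationPermission</class>
        <name>administration</name>
        <actions>administration</actions>
      </permission>
      <permission>
        <class>oracle.security.jazn.realm.RealmPermission</class>
        <name>jazn.com</name>
        <actions>modifyrealmmetadata</actions>
      </permission>
      <permission>
        <class>com.evermind.server.rmi.RMIPermission</class>
        <name>login</name>
      </permission>
      <permission>
        <class>oracle.security.jazn.policy.AdminPermission</class>
        <name>oracle.security.jazn.realm.RealmPermission$jazn.com$createrole</name>
      </permission>
      <!-- Role administration over every role of the realm (wildcard). -->
      <permission>
        <class>oracle.security.jazn.policy.RoleAdminPermission</class>
        <name>jazn.com/*</name>
      </permission>
      <permission>
        <class>oracle.security.jazn.realm.RealmPermission</class>
        <name>jazn.com</name>
        <actions>createrealm</actions>
      </permission>
      <permission>
        <class>oracle.security.jazn.policy.AdminPermission</class>
        <name>oracle.security.jazn.realm.RealmPermission$jazn.com$droprole</name>
      </permission>
      <permission>
        <class>oracle.security.jazn.policy.AdminPermission</class>
        <name>oracle.security.jazn.realm.RealmPermission$jazn.com$droprealm</name>
      </permission>
      <permission>
        <class>oracle.security.jazn.policy.AdminPermission</class>
        <name>oracle.security.jazn.realm.RealmPermission$jazn.com$modifyrealmmetadata</name>
      </permission>
      <permission>
        <class>oracle.security.jazn.realm.RealmPermission</class>
        <name>jazn.com</name>
        <actions>droprealm</actions>
      </permission>
      <permission>
        <class>oracle.security.jazn.policy.AdminPermission</class>
        <name>oracle.security.jazn.policy.RoleAdminPermission$jazn.com/*$</name>
      </permission>
    </permissions>
  </grant>
</jazn-policy>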


<!-- Permission Class Data -->
<!-- No entries in this sample. -->
<jazn-permission-classes/>


<!-- Principal Class Data -->
<!-- No entries in this sample. -->
<jazn-principal-classes/>


<!-- Login Module Data -->
<!-- Two login configurations, each using RealmLoginModule with control flag
     "required".  Only the Admintool entry sets the debug option (false); both
     set addAllRoles to true.  The meaning of addAllRoles is not shown here -
     presumably all roles of the authenticated user are added to the subject;
     confirm against the RealmLoginModule reference. -->
<jazn-loginconfig>
  <!-- Admin tool: RealmLoginModule, required, debug off. -->
  <application>
    <name>oracle.security.jazn.tools.Admintool</name>
    <login-modules>
      <login-module>
        <class>oracle.security.jazn.realm.RealmLoginModule</class>
        <control-flag>required</control-flag>
        <options>
          <option>
            <name>debug</name>
            <value>false</value>
          </option>
          <option>
            <name>addAllRoles</name>
            <value>true</value>
          </option>
        </options>
      </login-module>
    </login-modules>
  </application>
  <!-- OC4J user manager: same module and flag, addAllRoles only. -->
  <application>
    <name>oracle.security.jazn.oc4j.JAZNUserManager</name>
    <login-modules>
      <login-module>
        <class>oracle.security.jazn.realm.RealmLoginModule</class>
        <control-flag>required</control-flag>
        <options>
          <option>
            <name>addAllRoles</name>
            <value>true</value>
          </option>
        </options>
      </login-module>
    </login-modules>
  </application>
</jazn-loginconfig>

</jazn-data>

Supplemental Code Samples

The following code samples are intended as supplemental information. This section presents the following:

Supplementary Code Sample: Creating an Application Realm

The following code sample creates an Application Realm with the objects shown in Table A-1. The objects to be modified are presented in bold.

Table A-1 Objects In Sample Application Realm Creation Code
Objects Names

sample organization

dev.com

adminUser (optional)

John.Singh

adminRole

administrator

sample realm name

devRealm

Example A-2 Application Realm Creation Code

import oracle.security.jazn.spi.ldap.*;
import oracle.security.jazn.*;
import oracle.security.jazn.realm.*;

import java.util.*;

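/**
 * Creates an application realm.
 *
 * <p>Sample only: the LDAP search base, user object class, admin user, admin
 * role and realm name are hard-coded literals, and are the values to replace
 * for a real deployment (see Table A-1).
 */
public class CreateRealm
{
    public CreateRealm() {}

    /**
     * Entry point: instantiates the sample and creates the realm.
     *
     * @param args ignored
     */
    public static void main (String[] args) {
        CreateRealm test = new CreateRealm();
        test.createAppRealm();
    }

    /**
     * Creates the application realm "devRealm" whose users live under
     * "cn=users,o=dev.com", with "John.Singh" as admin user and
     * "administrator" as admin role.
     *
     * <p>Any exception is printed and otherwise ignored, as in the original
     * sample; a caller cannot tell from the return whether the realm was
     * created.
     */
    void createAppRealm() {
        try {
            Hashtable prop = new Hashtable();
            prop.put(Realm.LDAPProperty.USERS_SEARCHBASE, "cn=users,o=dev.com");

            // Specifying the LDAP directory object class is optional.  When
            // specified, it is used as a filter to search for users.
            prop.put(Realm.LDAPProperty.USERS_OBJ_CLASS, "orclUser");

            // adminUser is optional.
            String adminUser = "John.Singh";
            String adminRole = "administrator";

            RealmManager realmMgr = JAZNContext.getRealmManager();
            InitRealmInfo realmInfo = new InitRealmInfo(
                InitRealmInfo.RealmType.APPLICATION_REALM, adminUser, adminRole, prop);

            // The created Realm is not used further by this sample.
            realmMgr.createRealm("devRealm", realmInfo);
        } catch (Exception e) {
            // Sample behaviour: report and continue.
            e.printStackTrace();
        }
    }
}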

Supplementary Code Sample: Modifying User Permissions

Example A-3 demonstrates granting java.io.FilePermission to a user named Jane.Smith. The objects to be modified are presented in bold.

Table A-2 lists the objects in Example A-3.

Table A-2 Objects In Sample Modifying User Permissions Code
Objects Names Comments

RealmUser user

Jane.Smith

codesource cs

file:/home/task.jar

File path

report.data

Path is the pathname of the file.

sample organization

abc.com

abc.com does not appear in this code directly.

sample External Realm

abcRealm

Example A-3 Modifying User Permissions Code

Code Sample
import oracle.security.jazn.*;
import oracle.security.jazn.policy.*;
import oracle.security.jazn.realm.*;
import java.lang.*;
import java.security.*;
import java.util.*;
import java.net.*;
import java.io.*;

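/**
 * Grants the user Jane.Smith of realm "abcRealm" permission to read
 * "report.data" when running code loaded from file:/home/task.jar.
 *
 * <p>Sample only: the realm name, user name, codesource URL and file name are
 * hard-coded literals (see Table A-2).  The published listing broke the URL
 * string literal across two lines; it is a single literal here.
 */
public class Init {

    /**
     * Entry point.  Looks up the realm, its user manager and the policy, then
     * performs the grant inside a privileged action so that only this code's
     * own permissions are checked for the policy update.  Failures are printed
     * and otherwise ignored.
     *
     * @param args ignored
     */
    public static void main(String[] args) {
        try {
            RealmManager realmMgr = JAZNContext.getRealmManager();
            Realm realm = realmMgr.getRealm("abcRealm");
            UserManager userMgr = realm.getUserManager();
            final JAZNPolicy policy = JAZNContext.getPolicy();

            final RealmUser user = userMgr.getUser("Jane.Smith");

            AccessController.doPrivileged(new PrivilegedAction() {
                public Object run() {
                    try {
                        // No certificate array: the codesource is keyed on the
                        // URL alone, so the grant applies to code from that
                        // location whether or not it is signed.
                        CodeSource cs = new CodeSource(new URL("file:/home/task.jar"), null);
                        HashSet prop = new HashSet();
                        prop.add((Principal) user);

                        // Assign permission to principals.  "report.data" is a
                        // relative path; a deployment would normally name the
                        // file by its absolute path.
                        policy.grant(new Grantee(prop, cs),
                                     new FilePermission("report.data", "read"));
                    } catch (JAZNException e1) {
                        e1.printStackTrace();
                    } catch (java.net.MalformedURLException e2) {
                        e2.printStackTrace();
                    }
                    return null;
                }
            });
        } catch (JAZNException e) {
            e.printStackTrace();
        }
    }
}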
Discussion Of Sample Code

The sample code shown in Example A-3 grants the user Jane.Smith permission to use the sample application AccessTest1, as follows:

The CodeSource cs is assigned the location file:/home/task.jar, which contains the sample application AccessTest1:

CodeSource cs = new CodeSource(new URL("file:/home/task.jar"), null);

The user Jane.Smith is added to the HashSet prop:

HashSet prop = new HashSet();
                    prop.add((Principal) user);

Jane.Smith is granted permission, for code from the CodeSource cs, to read the file report.data.

policy.grant(new Grantee(prop, cs), new
                             FilePermission("report.data", "read"));


Copyright © 1996, 2003 Oracle Corporation.

All Rights Reserved.