Oracle® Application Server Containers for J2EE Security Guide 10g (9.0.4) Part Number B10325-02
These hints come from the Security Best Practices document, available from Oracle Technology Network (http://otn.oracle.com). Check the OTN Web site for updates.
Oracle HTTP Server (OHS) has several features that provide security to an application without requiring you to modify the application. You should evaluate and leverage these features before coding similar features yourself. HTTP security features include:
REMOTE_USER
). It also supports single sign-on, thus reusing existing login mechanisms.
Other suggestions for securing HTTPS:
For a relatively low cost, HTTPS-to-HTTP appliances can change throughput on a 500MHz UNIX machine from 20-30 transactions per second to 6000 transactions per second, making this trade-off decision easier.
Moreover, these appliances provide much better solutions than adding mathematics or cryptography cards to UNIX, Windows, or Linux boxes.
Ensure that sequential HTTPS transfers are requested through the same Web server. Expect 40 to 50 milliseconds of CPU time to initiate SSL sessions on a 500 MHz machine. Most of this CPU time is spent in the key exchange logic, where the bulk encryption key is exchanged. Caching the bulk encryption key significantly reduces CPU overhead on subsequent accesses, provided that the accesses are routed to the same Web server.
If secure pages are composed of many GIF, JPEG, or other files to be displayed on the same screen, it is probably not worth the effort to segregate secure from nonsecure static content. The SSL key exchange (a major consumer of CPU cycles) is likely to be called exactly once in any case, and the overhead of bulk encryption is not that high.
In a simple test to connect and disconnect to an SSL-enabled server, the elapsed time for 5 connections was 11.4 seconds without SSL session caching; with session caching enabled, the elapsed time was 1.9 seconds.
The default SSLSessionCacheTimeout is 300 seconds. Note that the duration of an SSL session is unrelated to the use of HTTP persistent connections. You can change the SSLSessionCacheTimeout directive in the httpd.conf file to meet your application needs.
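The two practical questions behind the suggestions above are whether the session cache is actually configured and whether a given server really resumes sessions for a returning client. The following added example (not code from the Oracle guide) answers both for an Apache-derived server such as Oracle HTTP Server: it parses the SSLSessionCache and SSLSessionCacheTimeout directives out of an httpd.conf fragment and flags settings that defeat caching, and it connects to a live HTTPS server twice, offering the first connection's session on the second, to report whether the server resumed it. The policy bounds MIN_TIMEOUT and MAX_TIMEOUT, the sample fragments, and the cache path are constructed for illustration and are not values from the guide.

```python
"""Session-cache checks for an Apache-style HTTPS front end.

1. audit_session_cache(config_text): read SSLSessionCache and
   SSLSessionCacheTimeout from an httpd.conf fragment and report settings
   that force a full key exchange on every request.
2. probe_session_resumption(host, port): connect twice to a live server and
   report whether the second handshake reused the first session.

Thresholds and sample fragments below are constructed assumptions.
"""
import re
import socket
import ssl

DEFAULT_TIMEOUT = 300  # seconds; the documented default for SSLSessionCacheTimeout

# Hypothetical policy bounds (assumption, not from the guide): below MIN_TIMEOUT
# a user's sequential page loads miss the cache; above MAX_TIMEOUT cached
# bulk keys outlive any plausible browsing session.
MIN_TIMEOUT = 60
MAX_TIMEOUT = 3600

_DIRECTIVE = re.compile(
    r"^\s*(SSLSessionCache|SSLSessionCacheTimeout)\s+(\S+)", re.IGNORECASE
)


def parse_ssl_cache_directives(config_text):
    """Return {directive_name_lowercase: value} for the two cache directives.

    Comment lines and other directives are ignored; if a directive appears
    more than once the last occurrence wins, as it does in Apache."""
    found = {}
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found


def audit_session_cache(config_text):
    """Return a list of findings; an empty list means caching looks sane."""
    d = parse_ssl_cache_directives(config_text)
    findings = []
    cache = d.get("sslsessioncache", "none")  # Apache's own default is 'none'
    if cache.lower() == "none":
        findings.append("SSLSessionCache is 'none' or absent: every request pays the full key exchange")
    raw = d.get("sslsessioncachetimeout")
    try:
        timeout = int(raw) if raw is not None else DEFAULT_TIMEOUT
    except ValueError:
        findings.append(f"SSLSessionCacheTimeout {raw!r} is not an integer number of seconds")
        return findings
    if timeout < MIN_TIMEOUT:
        findings.append(f"SSLSessionCacheTimeout {timeout}s is below {MIN_TIMEOUT}s: sequential requests will re-handshake")
    elif timeout > MAX_TIMEOUT:
        findings.append(f"SSLSessionCacheTimeout {timeout}s exceeds {MAX_TIMEOUT}s: cached keys live longer than needed")
    return findings


def probe_session_resumption(host, port=443, timeout=10.0):
    """Connect twice and return (first_reused, second_reused).

    Expect (False, True) when the server caches sessions and both connections
    land on the same server; (False, False) is the symptom the guide warns
    about: a disabled cache or a load balancer spreading a client across servers."""
    ctx = ssl.create_default_context()
    session = None
    results = []
    for _ in range(2):
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host, session=session) as tls:
                # Under TLS 1.3 the server issues its session ticket after the
                # handshake, so exchange one request before reading tls.session.
                tls.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
                tls.recv(4096)
                results.append(tls.session_reused)
                session = tls.session
    return tuple(results)


# Constructed httpd.conf fragments used for the offline audit.
WEAK_CONF = """\
# cache disabled and timeout far too short
SSLSessionCache none
SSLSessionCacheTimeout 15
"""

SANE_CONF = """\
# cache path is a placeholder, not an Oracle default
SSLSessionCache shmcb:/PLACEHOLDER_ORACLE_HOME/Apache/Apache/logs/ssl_scache(512000)
SSLSessionCacheTimeout 300
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("sane", SANE_CONF)):
        print(name, audit_session_cache(conf) or ["ok"])
    # probe_session_resumption("www.example.com") would exercise a live server
```

Run the audit against a copy of httpd.conf before and after tuning, and use the probe from the client side of any load balancer: a (False, False) result with a correctly configured cache points at the routing, not the Web server.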
principals.xml
(including storing passwords in cleartext). The OracleAS JAAS Provider offers a similarly simple security model by default, without storing passwords in cleartext. The JAAS Provider also offers tight integration with OracleAS Infrastructure (including SSO and OID) out of the box.
UserManager
class to build a custom user manager, leveraging the rich functionality provided by the JAAS Provider, SSO, and OID gives you more time to focus on actual business logic instead of infrastructure code. Both SSO and OID provide APIs to integrate with external authentication servers and directories respectively.
These extensions provide a more scalable and manageable framework for security policies covering a large user population.
Copyright © 1996, 2003 Oracle Corporation. All Rights Reserved.