Oracle® Application Server Containers for J2EE Security Guide 10g (9.0.4) Part Number B10325-02
This chapter discusses managing passwords within XML files. It contains the following sections:
Many OC4J components require passwords for authentication. Embedding these passwords into deployment and configuration files poses a security risk, especially if the permissions on the files allow them to be read by any user. To avoid this problem, OC4J provides two solutions, password obfuscation and password indirection, both described below:
The JAAS configuration files, jazn.xml and jazn-data.xml, contain user names and passwords for JAAS authorization. To protect these files, OC4J uses password obfuscation. Whenever you update jazn.xml or jazn-data.xml, OC4J reads the file, then rewrites it with obfuscated (encrypted) versions of all passwords. In all other OC4J configuration files, you can avoid exposing password cleartext by using password indirection, as "Creating An Indirect Password" explains below.
The JAAS Provider does not obfuscate passwords in orion-application.xml. This means that you should not embed passwords within a <jazn> element that is stored in orion-application.xml.
If you are using the LDAP-based provider, you should create a separate jazn.xml file that contains a <jazn> element defining your application; this file does not contain any user or group data. This <jazn> element looks like:

    <jazn provider="LDAP" location="yourlocation">
        <property name="ldap.name" value="cn=orcladmin" />
        <property name="ldap.password" value="!welcome1" />
    </jazn>
You then create a <jazn> element in orion-application.xml that points to the jazn.xml file using the config attribute, as in:

    <jazn config="./jazn.xml" />

JAZN automatically obfuscates the password stored in this separate jazn.xml file the first time it reads this file.
If you prefer, you can directly edit jazn-data.xml with a text editor. The next time OC4J reads jazn-data.xml, it will rewrite the file with all passwords obfuscated and unreadable.

Setting the clear attribute of the <credentials> element to true enables you to use clear (human-readable) passwords in the jazn-data.xml file:

    <credentials clear="true">welcome</credentials>
    <credentials>!welcome</credentials>
The following OC4J XML configuration and deployment files support password indirection in one or more entities:

    data-sources.xml -- password attribute of <data-source> element
    ra.xml -- <res-password> element
    rmi.xml -- password attribute of <cluster> element
    application.xml -- password attributes of <resource-provider> and <commit-coordinator> elements
    jms.xml -- <password> element
    internal-settings.xml -- <sep-property> element, attributes name="keystore-password" and name="truststore-password"
To make any of these passwords indirect, replace the literal password string with a string containing "->" followed by either the username or by the realm and username separated by a slash ("/").

    <data-source password="->Scott">
        -- Use JaznUserManager to look up Scott in the JaznUserManager, and use the password stored there.

    <res-password>->customers/Scott</res-password>
        -- Use JaznUserManager to look up Scott in the customers realm, and use the password stored there.

    <cluster password="martha">
        -- The literal string "martha" is the password; the password is not indirect.
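The following audit script is an added example, not code from the Oracle guide. It reads the password locations listed above, classifies each password as literal or indirect, parses the "->user" and "->realm/user" forms, and cross-checks indirect references against a jazn-data.xml realm, reporting users whose <credentials> carry clear="true" and references that name a user the realm does not contain. The sample file contents, the jazn-data.xml layout (<jazn-realm>/<realm>/<users>/<user>), the default realm name and the obfuscated-value placeholder are constructed assumptions; only the element and attribute names come from the guide.

```python
"""Audit OC4J XML files for literal, indirect and clear passwords.

Added example, not part of the Oracle guide. Sample files, realm layout and
the default realm name are constructed assumptions.
"""
import xml.etree.ElementTree as ET

INDIRECT_PREFIX = "->"

# Where each OC4J file carries a password, per the guide's list:
# (element tag, attribute name); attribute None means the element's text is the password.
PASSWORD_LOCATIONS = {
    "data-sources.xml": [("data-source", "password")],
    "ra.xml": [("res-password", None)],
    "rmi.xml": [("cluster", "password")],
    "application.xml": [("resource-provider", "password"), ("commit-coordinator", "password")],
    "jms.xml": [("password", None)],
}


def parse_indirect(value):
    """Return (realm, user) for "->user" or "->realm/user"; None for a literal password.

    A reference without a realm yields realm None (OC4J then uses its default realm).
    """
    if not value.startswith(INDIRECT_PREFIX):
        return None
    ref = value[len(INDIRECT_PREFIX):]
    if "/" in ref:
        realm, user = ref.split("/", 1)
        return realm, user
    return None, ref


def audit_file(filename, xml_text):
    """Classify every password in one OC4J file as literal or indirect."""
    root = ET.fromstring(xml_text)
    findings = []
    for tag, attr in PASSWORD_LOCATIONS.get(filename, []):
        for elem in root.iter(tag):
            value = elem.get(attr) if attr else (elem.text or "")
            if value is None:  # attribute not present on this element
                continue
            ref = parse_indirect(value.strip())
            finding = {"file": filename, "element": tag}
            if ref is None:
                finding["status"] = "literal"  # cleartext on disk: the exposure the guide warns about
            else:
                finding.update(status="indirect", realm=ref[0], user=ref[1])
            findings.append(finding)
    return findings


def jazn_users(jazn_data_xml):
    """Map (realm, user) -> True when that user's <credentials> is marked clear="true"."""
    root = ET.fromstring(jazn_data_xml)
    users = {}
    for realm in root.iter("realm"):
        realm_name = realm.findtext("name")
        users_elem = realm.find("users")
        for user in (users_elem.findall("user") if users_elem is not None else []):
            cred = user.find("credentials")
            is_clear = cred is not None and cred.get("clear", "false").lower() == "true"
            users[(realm_name, user.findtext("name"))] = is_clear
    return users


def clear_credentials(jazn_data_xml):
    """Users whose password is stored clear (clear="true") rather than obfuscated."""
    return sorted(f"{realm}/{user}" for (realm, user), clear in jazn_users(jazn_data_xml).items() if clear)


def unresolved_references(findings, users, default_realm):
    """Indirect passwords naming a realm/user that jazn-data.xml does not contain.

    default_realm is an assumption: the realm applied when "->user" names none.
    """
    missing = []
    for f in findings:
        if f["status"] == "indirect":
            key = (f["realm"] or default_realm, f["user"])
            if key not in users:
                missing.append(key)
    return missing


# Constructed sample files (not from the guide).
SAMPLE_DATA_SOURCES = """<data-sources>
  <data-source name="OrdersDS" username="scott" password="->Scott"/>
  <data-source name="LegacyDS" username="legacy" password="martha"/>
</data-sources>"""

SAMPLE_RA = """<connector><resourceadapter>
  <res-password>->customers/Scott</res-password>
</resourceadapter></connector>"""

SAMPLE_JAZN_DATA = """<jazn-data><jazn-realm><realm>
  <name>customers</name>
  <users>
    <user><name>Scott</name><credentials>OBFUSCATED-PLACEHOLDER</credentials></user>
    <user><name>guest</name><credentials clear="true">welcome</credentials></user>
  </users>
</realm></jazn-realm></jazn-data>"""

if __name__ == "__main__":
    findings = audit_file("data-sources.xml", SAMPLE_DATA_SOURCES) + audit_file("ra.xml", SAMPLE_RA)
    for f in findings:
        print(f)
    print("clear credentials:", clear_credentials(SAMPLE_JAZN_DATA))
    print("unresolved:", unresolved_references(findings, jazn_users(SAMPLE_JAZN_DATA), "jazn.com"))
```

Run against the sample input, the script flags the LegacyDS literal, reports the guest user as stored clear, and shows that "->Scott" only resolves when the assumed default realm is the one that actually holds Scott; a dangling reference is worth catching before deployment, because the component will fail its lookup rather than authenticate.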
The <password-manager> element specifies the UserManager that the global application uses to look up indirect passwords. (See "Creating An Indirect Password".) If this element is omitted, the UserManager of the global application is used for authentication and authorization of indirect passwords. The <jazn> element within a <password-manager> element can be different from the <jazn> element at the top level.

For example, you can use an LDAP-based UserManager for the regular UserManager, but use an XML-based UserManager to authenticate indirect passwords. This is the only way to use indirect passwords in LDAP.

For full details, see "Specifying a UserManager In orion-application.xml".
Copyright © 1996, 2003 Oracle Corporation. All Rights Reserved.