Oracle® Application Server Containers for J2EE Security Guide
10g (9.0.4)

Part Number B10325-02

Contents

Title and Copyright Information

List of Tables

List of Figures

List of Examples

Send Us Your Comments

Preface

Audience
Documentation Accessibility
Organization
Related Documentation
Conventions

1 Introduction

The Java 2 Security Model
Principals and Subjects
Principals
Subjects
Authentication and Authorization
Secure Communications
Secure Sockets Layer
Certificates
HTTPS
Identity Propagation
Developing Secure J2EE Applications

Part I JAAS

2 Overview of JAAS in Oracle Application Server

The JAAS Provider
Provider Types
What Is JAAS?
Login Module Authentication
Roles
Realms
Applications
Policies and Permissions
Sun Policy Example
XML-Based Example
JAAS Framework Features
User Managers
Using JAZNUserManager
Using XMLUserManager
Specifying UserManagers
Capability Model of Access Control
Role-Based Access Control (RBAC)
Role Hierarchy
Role Activation

3 Configuring And Deploying the JAAS Provider

LDAP-Based Provider Environment Settings
J2EE Deployment Descriptors
OC4J Deployment Descriptors
JAAS Provider Configuration Files
Specifying JAAS as the Policy Provider (Optional)
Locating jazn.xml
The <jazn> Tag
The <jazn> Tag and the XML-Based Provider
The <jazn> Tag and the LDAP-Based Provider
The <property> Subelement Of <jazn>
Specifying Authentication (auth-method)
Specifying auth-method in web.xml
Specifying auth-method in orion-web.xml and orion-application.xml
Specifying auth-method in orion-application.xml
Configuring Servlet Authorization (runas-mode and doasprivileged-mode) in <jazn-web-app>
Mapping Security Roles In Servlets (run-as)
Configuring RealmLoginModule
Enabling RealmLoginModule Using A Text Editor
Configuring the JAAS Provider To Use SSL With Oracle Internet Directory
Configuring For EJB RMI Client Access
Configuring Caching (LDAP-Based Provider Only)
Session Cache Details
Disabling Caching
Configuration
Specifying a UserManager In orion-application.xml
Using the <principals> element and principals.xml

4 JAAS Provider Administration Tasks

JAAS Provider Management Overview
Realm and Policy Management
Realm and Policy Management Tools
JAAS Provider Realm Framework
Realm Management in XML-Based Environments
XML-Based Realms
XML-Based Realm and Policy Information Storage
Realm Management in LDAP-Based Environments
LDAP-Based Realm Types
LDAP-Based Realm Data Storage
LDAP-Based Realm Permissions
JAAS Provider Policy Administration
Oracle Internet Directory Administration
AdminPermission Class
Policy Partitioning
JAAS Provider Debug Logging

5 Using the JAZN Admintool

Before You Start
Authentication and the JAZN Admintool (XML-based Provider Only)
Specifying an Admintool LoginModule in jazn-data.xml
JAZN Admintool Command-Line Options
Syntax
Admintool Authentication (XML-based Provider Only)
Clustering Operations
Configuration Operations
Interactive Shell
Login Modules
Migration Operations
Miscellaneous
Password Management (XML-based Provider only)
Policy Operations
Realm Operations
Adding Clustering Support (XML-based Provider Only)
Adding and Removing Login Modules
Adding and Removing Policy Permissions (XML-based Provider Only)
Adding and Removing Principals (XML-based Provider Only)
Adding and Removing Realms
Adding and Removing Roles
Adding and Removing Users (XML-based Provider Only)
Checking Passwords (XML-based Provider Only)
Configuration Operations
Granting and Revoking Permissions
Granting and Revoking Roles
Listing Login Modules
Listing Permissions
Listing Permission Information
Listing Principal Classes
Listing Principal Class Information
Listing Realms
Listing Roles
Listing Users
Migrating Principals from the principals.xml File (XML-based Provider Only)
Setting Passwords (XML-based Provider only)
Using the JAZN Admintool Shell
Navigating the JAZN Admintool Shell
add: Creating Provider Data
cd: Navigating Provider Data
clear: Clearing the Screen
exit: Exiting the JAZN Shell
help: Listing JAZN Admintool Shell Commands
ls: Listing Data
man: Viewing JAZN Admintool Man Pages
pwd: Displaying The Working Directory
rm: Removing Provider Data
set: Updating Values
Admintool Shell Directory Structure

6 Security and J2EE Applications

Introduction
Security Considerations During Development and Deployment
Development
Deployment
OC4J and the JAAS Provider
OC4J Integration
JAZNUserManager
Replacing principals.xml
JAZNUserManager Features
Authentication Environments
Integrating the JAAS Provider with SSO-Enabled Applications
SSO-Enabled J2EE Environments: A Typical Scenario
Integrating the JAAS Provider with SSL-Enabled Applications
SSL-Enabled J2EE Environments: A Typical Scenario
Integrating the JAAS Provider with Basic Authentication
Basic Authentication J2EE Environments: Typical Scenario
J2EE and JAAS Provider Role Mapping
J2EE Security Roles
JAAS Provider Roles and Users
Oracle Application Server Containers for J2EE Group Mapping to J2EE Security Roles
Authentication in the J2EE Environment
Running with an Authenticated Identity
Retrieving Authentication Information
Authorization in the J2EE Environment

7 Custom LoginModules

Custom JAAS LoginModule Integration with OC4J
Packaging and Deployment
Deploying as Standard Extensions or Optional Packages
Deploying Within the J2EE Application
Using the OC4J Classloading Mechanism
Using the JAAS Provider Classloading Mechanism
Configuration
jazn-data.xml
<jazn-loginconfig>
<jazn-policy>
orion-application.xml
<jazn>
<security-role-mapping>
<library>
Simple Login Module J2EE Integration
Development
Packaging
Deployment

8 JAAS and Enterprise Manager

Startup
Editing Global Security Settings
Editing Individual Security Settings
Selecting a UserManager
Mapping Security Roles
Creating Users
Creating Groups
Deleting Users Or Groups
Editing Users
Assigning Users To Groups
Granting Permissions To Groups

Part II Other Technologies

9 Java 2 Security

Introduction
Permissions
Protection Domains
JAAS Provider Permission Classes
Creating a Java 2 Policy File
The Java 2 Security Manager
Using PrintingSecurityManager To Debug Java 2 Policy

10 Password Management

Introduction
Password Obfuscation In jazn-data.xml and jazn.xml
Hand-editing jazn-data.xml
Creating An Indirect Password
Indirect Password Examples
Specifying a UserManager In orion-application.xml

11 Oracle HTTPS for Client Connections

Introduction
Overview of SSL Keys and Certificates
Creating Keys and Certificates With OC4J and Oracle HTTP Server
Example: Creating an SSL Certificate and Generating Your Own Signature
Requesting Client Authentication
Oracle HTTPS And Clients
HTTPConnection Class
OracleSSLCredential Class (OracleSSL Only)
Overview of Oracle HTTPS Features
SSL Cipher Suites
Choosing a Cipher Suite
SSL Cipher Suites Supported by OracleSSL
SSL Cipher Suites Supported by JSSE
Access Information About Established SSL Connections
Security-Aware Applications Support
java.net.URL Framework Support
Specifying Default System Properties
javax.net.ssl.KeyStore
javax.net.ssl.KeyStorePassword
Potential Security Risk with Storing Passwords in System Properties
Oracle.ssl.defaultCipherSuites (OracleSSL only)
Oracle HTTPS Example
Initializing SSL Credentials In OracleSSL
Verifying Connection Information
Transferring Data Using HTTPS
Using HTTPClient with JSSE
Configuring HTTPClient To Use JSSE
Configuring Oracle HTTP Server and OC4J for SSL
Oracle HTTP Server Configuration Steps for SSL
OC4J Configuration Steps for SSL
Configuring OC4J Standalone for SSL
Requesting Client Authentication with OC4J Standalone
HTTPS Common Problems and Solutions

12 EJB Security

EJB JNDI Security Properties
JNDI Properties in jndi.properties
JNDI Properties Within Implementation
Configuring Security
Granting Permissions in Browser
Authenticating and Authorizing EJB Applications
Specifying Users and Groups
Specifying Logical Roles in the EJB Deployment Descriptor
Specifying Unchecked Security for EJB Methods
Specifying the runAs Security Identity
Mapping Logical Roles to Users and Groups
Specifying a Default Role Mapping for Undefined Methods
Specifying Users and Groups by the Client
Specifying Credentials in EJB Clients
Credentials in JNDI Properties
Credentials in the InitialContext

13 J2EE Connector Architecture Security

Deploying Resource Adapters
The oc4j-ra.xml Descriptor
The <security-config> Element
The oc4j-connectors.xml Descriptor
Specifying Container-Managed or Component-Managed Sign-On
Authentication in Container-Managed Sign-On
JAAS Pluggable Authentication
The InitiatingPrincipal and InitiatingGroup Classes
JAAS and the <connector-factory> Element
User-Created Authentication Classes
Extending AbstractPrincipalMapping
Modifying oc4j-ra.xml

14 Configuring CSIv2

Introduction to CSIv2 Security Properties
EJB Server Security Properties in internal-settings.xml
CSIv2 Security Properties in internal-settings.xml
CSIv2 Security Properties in ejb_sec.properties
Trust Relationships
CSIv2 Security Properties in orion-ejb-jar.xml
The <transport-config> element
The <as-context> element
The <sas-context> element
DTD
EJB Client Security Properties in ejb_sec.properties

15 Security Tips

HTTPS
Overall Security
JAAS

A JAAS Provider Standards and Samples

Sample jazn-data.xml Code
Supplemental Code Samples
Supplementary Code Sample: Creating an Application Realm
Supplementary Code Sample: Modifying User Permissions

B JAAS Provider Schemas

Schema for jazn-data.xml
Schema for jazn.xml

Index


Copyright © 1996, 2003 Oracle Corporation.

All Rights Reserved.