Oracle® Application Server Containers for J2EE Security Guide
10g Release 2 (10.1.2) Part No. B14013-01
This chapter discusses issues to be considered when deploying applications. It is divided into the following sections:
By default, if you associated your OC4J instance with infrastructure, the JAZN LDAP UserManager is used for your newly-deployed application; otherwise, the JAZN XML UserManager is used. If you need to change your application's user manager, you can do so from the Application Server Control Console. For details, see the Application Server Control Console help screen "Modifying the User Manager for All Applications".
You map security roles for your application using the Security page of the Application Server Control Console. You use the following steps:
1. Select your application from the Application Server Control Console, then click the Security link.
2. Select a role from the list titled Security Roles.
3. Click the button Map Roles To Principals. A new screen appears headed Role: yourrole.
4. Click the checkbox next to the desired group or user. (There are two separate areas labeled Map Role To Groups and Map Role To Users.) Click Apply.
5. A confirmation screen appears. Click OK.
There are two different ways to grant permissions.
To grant RMI permission or administration permission, use Oracle Enterprise Manager 10g Application Server Control Console; for details, see "Granting RMI Permission Or Administration Permission".
To grant any permissions other than RMI permission or administration permission, use the JAZN Admintool. For details, see "Granting and Revoking All Other Permissions".
You can grant RMI or administration permission to a group using Oracle Enterprise Manager 10g Application Server Control Console. To do this:
1. Select an application and navigate to the Security page.
2. Select the group's name from the list of groups. The Add/Edit Group page appears.
3. Check whichever permissions you wish to add and click Apply.
You use the JAZN Admintool to grant and revoke user permissions. For basic information on running the JAZN Admintool, see "Admintool Overview" .
-grantperm realm {{-user user | -role role} | principal_class principal_parameters} permission_class [permission_parameters]
-revokeperm realm {{-user user | -role role} | principal_class principal_parameters} permission_class [permission_parameters]
-listperms realm {{-user user | -role role} | principal_class principal_parameters} permission_class [permission_parameters]
where principal_class is the fully qualified name of a class that implements the java.security.Principal interface (such as com.sun.security.auth.NTDomainPrincipal) and principal_parameters is a single String parameter passed to that class's constructor.
The -grantperm option grants the specified permission to a user (when called with -user), a role (when called with -role), or a principal. The -revokeperm option revokes the specified permission from a user, role, or principal. The -listperms option lists the permissions that match the given user, role, or principal.
A permission descriptor (permission_class followed by permission_parameters in the syntax above) consists of the permission's fully qualified class name (for example, oracle.security.jazn.realm.RealmPermission), its target, and its actions (for RealmPermission, realmname followed by action). Note that a permission class may take multiple target and action parameters.
Note: If the Admintool gives the error message Permission class not found, the permission class you wish to grant is not on the Admintool's classpath. Place the JAR containing the permission class in the jdk/jre/lib/ext directory so that the Admintool can locate it. Because classes in that directory are visible to every JVM that uses the JDK, install only the JAR that carries the permission class and nothing else.
For example, to grant java.io.FilePermission with target a.txt and actions read,write to user martha in realm foo, type:
java -jar jazn.jar -grantperm foo -user martha java.io.FilePermission a.txt read,write
Admintool shell:
JAZN:> grantperm foo -user martha java.io.FilePermission a.txt read,write
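The following program is an added example and is not part of the Oracle documentation or of the JAZN Admintool. It takes the same three pieces the Admintool's permission descriptor carries (permission class, target, actions), builds the corresponding java.security.Permission object, and uses Permission.implies() to show exactly what the grant from the example above covers at run time. Instantiating the class reflectively through a (String target, String actions) constructor is an assumption about how a tool loads an arbitrary permission class; it is the JDK's own convention for policy files, not a documented JAZN internal. The class name com.example.NoSuchPermission is a placeholder used to trigger the not-found case.

```java
import java.io.FilePermission;
import java.lang.reflect.Constructor;
import java.security.Permission;

public class PermissionDescriptorDemo {

    /**
     * Build permissionClass(target, actions) reflectively, the way a policy
     * tool resolves a descriptor. The (String, String) constructor is the JDK
     * convention assumed here; a ClassNotFoundException corresponds to the
     * Admintool's "Permission class not found" message.
     */
    static Permission build(String permissionClass, String target, String actions)
            throws ReflectiveOperationException {
        Class<?> cls = Class.forName(permissionClass);
        if (!Permission.class.isAssignableFrom(cls)) {
            throw new IllegalArgumentException(
                    permissionClass + " is not a java.security.Permission");
        }
        Constructor<?> ctor = cls.getConstructor(String.class, String.class);
        return (Permission) ctor.newInstance(target, actions);
    }

    /** True if a principal holding 'granted' is allowed to perform 'requested'. */
    static boolean allows(Permission granted, Permission requested) {
        return granted.implies(requested);
    }

    public static void main(String[] args) throws Exception {
        // The grant from the Admintool example on this page.
        Permission granted = build("java.io.FilePermission", "a.txt", "read,write");

        // read,write implies read on the same file ...
        System.out.println(allows(granted, new FilePermission("a.txt", "read")));    // true
        // ... but not other actions, and not other files.
        System.out.println(allows(granted, new FilePermission("a.txt", "delete")));  // false
        System.out.println(allows(granted, new FilePermission("b.txt", "read")));    // false

        // Wildcard targets widen scope; these are what to look for when reviewing grants.
        Permission dirOnly = new FilePermission("/opt/app/data/*", "read");   // files in that directory only
        Permission subtree = new FilePermission("/opt/app/data/-", "read");   // whole subtree
        FilePermission nested = new FilePermission("/opt/app/data/sub/x.txt", "read");
        System.out.println(allows(dirOnly, nested));   // false
        System.out.println(allows(subtree, nested));   // true
        System.out.println(allows(new FilePermission("<<ALL FILES>>", "read"),
                                  new FilePermission("/etc/passwd", "read")));   // true

        // A permission class that is not on the classpath fails at Class.forName,
        // which is the situation the documentation's note describes.
        try {
            build("com.example.NoSuchPermission", "x", "y");   // placeholder class name
        } catch (ClassNotFoundException e) {
            System.out.println("Permission class not found: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac PermissionDescriptorDemo.java && java PermissionDescriptorDemo`. The practical point for a grant made through the Admintool is the difference between the three target forms: a plain file name covers that one file, `dir/*` covers files directly in the directory, and `dir/-` or `<<ALL FILES>>` covers everything beneath it, so a descriptor should be checked for the narrowest target and action set that the application actually needs before it is granted to a user or role.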
See Chapter 7, "Configuring the LDAP-Based Provider" or Chapter 8, "Configuring the XML-Based Provider" for details on creating users and groups in each provider.