Preface

This manual discusses how to make effective use of the Oracle Application Server Containers for J2EE (OC4J) security features.

This preface contains these topics:

• Documentation Accessibility

• Intended Audience

• Organization

• Related Documents

• Conventions

Documentation Accessibility

Our goal is to make Oracle products, services, and supporting documentation accessible, with good usability, to the disabled community. To that end, our documentation includes features that make information available to users of assistive technology. This documentation is available in HTML format, and contains markup to facilitate access by the disabled community. Standards will continue to evolve over time, and Oracle is actively engaged with other market-leading technology vendors to address technical obstacles so that our documentation can be accessible to all of our customers. For additional information, visit the Oracle Accessibility Program Web site at:

http://www.oracle.com/accessibility/

Accessibility of Links to External Web Sites in Documentation

 This documentation may contain links to Web sites of other companies or organizations that Oracle does not own or control. Oracle neither evaluates nor makes any representations regarding the accessibility of these Web sites.

Intended Audience

This manual is intended for experienced Java developers, deployers, and application managers who want to understand the security features of OC4J. It discusses the Oracle Application Server Java Authentication and Authorization Service (JAAS) Provider in detail, as well as discussing security implications of individual J2EE features, including EJBs, the J2EE Connector Architecture, SSL, and CSIv2.

Documentation Accessibility

Our goal is to make Oracle products, services, and supporting documentation accessible, with good usability, to the disabled community. To that end, our documentation includes features that make information available to users of assistive technology. This documentation is available in HTML format, and contains markup to facilitate access by the disabled community. Standards will continue to evolve over time, and Oracle Corporation is actively engaged with other market-leading technology vendors to address technical obstacles so that our documentation can be accessible to all of our customers. For additional information, visit the Oracle Accessibility Program Web site at:

http://www.oracle.com/accessibility/

Accessibility of Code Examples in Documentation

 JAWS, a Windows screen reader, may not always correctly read the code examples in this document. The conventions for writing code require that closing braces should appear on an otherwise empty line; however, JAWS may not always read a line of text that consists solely of a bracket or brace.

Accessibility of Links to External Web Sites in Documentation

 This documentation may contain links to Web sites of other companies or organizations that Oracle Corporation does not own or control. Oracle Corporation neither evaluates nor makes any representations regarding the accessibility of these Web sites.

Organization

This document contains:

• Chapter 1, "Concepts"—Concepts fundamental to application security.

• Chapter 2, "Overview of JAAS in Oracle Application Server"—The Java Authentication and Authorization Service (JAAS) and the OracleAS JAAS Provider.

• Chapter 3, "Understanding OC4J Security"—Security issues affecting J2EE applications in Oracle Application Server Containers for J2EE (OC4J).

• Chapter 4, "Overall Security Configuration"—Security configuration decisions that affect your entire installation.

• Chapter 5, "Configuring the OC4J Instance"—Security configuration decisions that are instance-specific.

• Chapter 6, "Security Considerations During Application Deployment"—Security configuration decisions that occur during the deployment process.

• Chapter 7, "Configuring the LDAP-Based Provider"—Security configuration decisions that are applicable only to the LDAP-based provider.

• Chapter 8, "Configuring the XML-Based Provider"—Security configuration decisions that are applicable only to the XML-based provider.

• Chapter 9, "Configuring External LDAP Providers"—Using third-party LDAP implementations with the OracleAS JAAS Provider.

• Chapter 10, "Custom LoginModules"—User-developed JAAS LoginModules.

• Chapter 11, "Configuring OC4J and SSL"—Configuring OC4J to use SSL in communicating with other application components.

• Chapter 12, "Configuring EJB Security"—Security implications of EJB development.

• Chapter 13, "Oracle HTTPS for Client Connections"—HTTPS and HTTPClient.

• Chapter 14, "Password Management"—Protecting file-stored passwords with obfuscation.

• Chapter 15, "Configuring CSIv2"— Common Secure Interoperability Version 2 protocol (CSIv2) settins for OC4J-based applications.

• Chapter 16, "J2EE Connector Architecture Security"—Security implications of the J2EE Connector Architecture.

• Chapter 17, "Security Support for EIS Connections"—J2EE Connector Architecture security and EIS connections.

• Chapter 18, "Troubleshooting Security Issues"—Common security problems and how to fix them.

• Chapter 19, "Security Tips"—Security best practices.

• Appendix A, "OracleAS JAAS Provider Standards and Samples"—A sample jazn.xml file and sample applications.

• Appendix B, "Using the JAZN Admintool"—Reference guide for JAZN Admintool.

Related Documents

For more information, see these Oracle resources:

• Oracle Application Server Security Guide

• Oracle Application Server Administrator's Guide

• Oracle Identity Management Concepts and Deployment Planning Guide

• Oracle Application Server Certificate Authority Administrator's Guide

• Oracle Application Server Single Sign-On Administrator's Guide

• Oracle Internet Directory Administrator's Guide

• Oracle Internet Directory Application Developer's Guide

• Oracle Application Server Containers for J2EE Services Guide

• Oracle Application Server Containers for J2EE Enterprise JavaBeans Developer's Guide

• Oracle Application Server Web Services Developer's Guide

• The OC4J Javadoc

Printed documentation is available for sale in the Oracle Store at:

http://oraclestore.oracle.com/

To download free release notes, installation documentation, white papers, or other collateral, please visit the Oracle Technology Network (OTN). You must register online before using OTN; registration is free and can be done at:

http://www.oracle.com/technology/membership/index.html

If you already have a username and password for OTN, then you can go directly to the documentation section of the OTN Web site at:

http://www.oracle.com/technology/index.html

For additional information, see:

• The Sun Java and J2EE Web pages, especially the Java Authentication and Authorization Service (JAAS) Web site at :

  http://java.sun.com/products/jaas/overview.html

Conventions

The following conventions are also used in this manual:

Convention	Meaning
. . .	Vertical ellipsis points in an example mean that information not directly related to the example has been omitted.
. . .	Horizontal ellipsis points in statements or commands mean that parts of the statement or command not directly related to the example have been omitted
boldface text	Boldface type in text indicates a term defined in the text, the glossary, or in both locations.
italic text	Italicized text indicates placeholders or variables for which you must supply particular values.
[ ]	Brackets enclose optional clauses from which you can choose one or none.