Oracle® Application Server Containers for J2EE Security Guide
10g Release 2 (10.1.2) Part No. B14013-01
This manual discusses how to make effective use of the Oracle Application Server Containers for J2EE (OC4J) security features.
This preface contains these topics:
This manual is intended for experienced Java developers, deployers, and application managers who want to understand the security features of OC4J. It discusses the Oracle Application Server Java Authentication and Authorization Service (JAAS) Provider in detail, as well as discussing security implications of individual J2EE features, including EJBs, the J2EE Connector Architecture, SSL, and CSIv2.
Our goal is to make Oracle products, services, and supporting documentation accessible, with good usability, to the disabled community. To that end, our documentation includes features that make information available to users of assistive technology. This documentation is available in HTML format, and contains markup to facilitate access by the disabled community. Standards will continue to evolve over time, and Oracle Corporation is actively engaged with other market-leading technology vendors to address technical obstacles so that our documentation can be accessible to all of our customers. For additional information, visit the Oracle Accessibility Program Web site at:
http://www.oracle.com/accessibility/
Accessibility of Code Examples in Documentation
JAWS, a Windows screen reader, may not always correctly read the code examples in this document. The conventions for writing code require that closing braces should appear on an otherwise empty line; however, JAWS may not always read a line of text that consists solely of a bracket or brace.
Accessibility of Links to External Web Sites in Documentation
This documentation may contain links to Web sites of other companies or organizations that Oracle Corporation does not own or control. Oracle Corporation neither evaluates nor makes any representations regarding the accessibility of these Web sites.
This document contains:
Chapter 1, "Concepts"—Concepts fundamental to application security.
Chapter 2, "Overview of JAAS in Oracle Application Server"—The Java Authentication and Authorization Service (JAAS) and the OracleAS JAAS Provider.
Chapter 3, "Understanding OC4J Security"—Security issues affecting J2EE applications in Oracle Application Server Containers for J2EE (OC4J).
Chapter 4, "Overall Security Configuration"—Security configuration decisions that affect your entire installation.
Chapter 5, "Configuring the OC4J Instance"—Security configuration decisions that are instance-specific.
Chapter 6, "Security Considerations During Application Deployment"—Security configuration decisions that occur during the deployment process.
Chapter 7, "Configuring the LDAP-Based Provider"—Security configuration decisions that are applicable only to the LDAP-based provider.
Chapter 8, "Configuring the XML-Based Provider"—Security configuration decisions that are applicable only to the XML-based provider.
Chapter 9, "Configuring External LDAP Providers"—Using third-party LDAP implementations with the OracleAS JAAS Provider.
Chapter 10, "Custom LoginModules"—User-developed JAAS LoginModules.
Chapter 11, "Configuring OC4J and SSL"—Configuring OC4J to use SSL in communicating with other application components.
Chapter 12, "Configuring EJB Security"—Security implications of EJB development.
Chapter 13, "Oracle HTTPS for Client Connections"—HTTPS and HTTPClient.
Chapter 14, "Password Management"—Protecting file-stored passwords with obfuscation.
Chapter 15, "Configuring CSIv2"—Common Secure Interoperability Version 2 protocol (CSIv2) settings for OC4J-based applications.
Chapter 16, "J2EE Connector Architecture Security"—Security implications of the J2EE Connector Architecture.
Chapter 17, "Security Support for EIS Connections"—J2EE Connector Architecture security and EIS connections.
Chapter 18, "Troubleshooting Security Issues"—Common security problems and how to fix them.
Chapter 19, "Security Tips"—Security best practices.
Appendix A, "OracleAS JAAS Provider Standards and Samples"—A sample jazn.xml file and sample applications.
Appendix B, "Using the JAZN Admintool"—Reference guide for JAZN Admintool.
For more information, see these Oracle resources:
Oracle Identity Management Concepts and Deployment Planning Guide
Oracle Application Server Certificate Authority Administrator's Guide
Oracle Application Server Single Sign-On Administrator's Guide
Oracle Internet Directory Application Developer's Guide
Oracle Application Server Containers for J2EE Services Guide
Oracle Application Server Containers for J2EE Enterprise JavaBeans Developer's Guide
The OC4J Javadoc
Printed documentation is available for sale in the Oracle Store at:
http://oraclestore.oracle.com/
To download free release notes, installation documentation, white papers, or other collateral, please visit the Oracle Technology Network (OTN). You must register online before using OTN; registration is free and can be done at:
http://www.oracle.com/technology/membership/index.html
If you already have a username and password for OTN, then you can go directly to the documentation section of the OTN Web site at:
http://www.oracle.com/technology/index.html
For additional information, see:
The Sun Java and J2EE Web pages, especially the Java Authentication and Authorization Service (JAAS) Web site at:
The following conventions are also used in this manual:
Convention | Meaning
---|---
⋮ | Vertical ellipsis points in an example mean that information not directly related to the example has been omitted.
. . . | Horizontal ellipsis points in statements or commands mean that parts of the statement or command not directly related to the example have been omitted.
boldface text | Boldface type in text indicates a term defined in the text, the glossary, or in both locations.
italic text | Italicized text indicates placeholders or variables for which you must supply particular values.
[ ] | Brackets enclose optional clauses from which you can choose one or none.