Skip Headers

Oracle® Application Server Containers for J2EE Security Guide
10g Release 2 (10.1.2)
Part No. B14013-01
  Go To Documentation Library
Go To Product List
Solution Area
Go To Table Of Contents
Go To Index


17 Security Support for EIS Connections

This chapter discusses security considerations and how to configure security and authentication for EIS sign-on. The following topics are covered:

Overview of Security and Authentication Setup for EIS Connections

To ensure secure interactions between a J2EE application and an EIS, the J2EE Connector Architecture allows application components to associate a security context with connections established to the EIS. To accomplish this, the J2EE Connector Architecture security contract can work in conjunction with the standard Java Authentication and Authorization Service (JAAS). The following sections provide an overview:

Summary of J2EE Connector Architecture Security Contract

The J2EE Connector Architecture security contract, between an application server and a resource adapter, extends the connection management contract with functionality relating to secure connections. The security contract supports standard JAAS interfaces, allowing it to be independent of any particular security framework or mechanism. In particular, the security contract includes features for the following:

  • Propagating a security context, or subject, directly from a J2EE component to a resource adapter (for component-managed sign-on)

  • Propagating a security context, or subject, from an application server to a resource adapter (for container-managed sign-on)

The security contract supports two particular authentication mechanisms:

  • The commonly used "basic password" mechanism relies on a user name / password pair, contained together in a password credential object. The application server passes this object to the resource adapter for authentication.

  • The Kerberos version 5 mechanism ("Kerbv5" for short) is an authentication protocol distributed by the Massachusetts Institute of Technology. This mechanism uses a "generic credential" object that encapsulates credential information such as a Kerberos ticket. The application server passes this object to the resource adapter for verification.

Security contract functionality includes use of the following key interfaces:

  • This JAAS interface, which represents a subject, is for use in providing a custom plugin module.

  • This JAAS interface, which represents a resource principal, is for use in providing a custom plugin module.

  • This JAAS interface represents a JAAS login module.

  • This J2EE Connector Architecture class represents a user name / password pair for basic password authentication.

  • org.ietf.jgss.GSSCredential (in J2SE version 1.4): This interface represents a generic credential object for Kerberos version 5 authentication. (This replaces the J2EE Connector Architecture interface, which is deprecated.)


Reauthentication" may be supported in the ra.xml file of a resource adapter, through a value of true in the <reauthentication-support> element. In this case, it is possible for a managed connection to be reused even for aconnection request with a security context that differs from the security context with which the managed connection was initially created.

Summary of Component-Managed Versus Container-Managed Sign-On

Sign-on from a J2EE application to an EIS can be managed either by the application component or by the J2EE container (OC4J). Component-managed sign-on must be set up programmatically and does not involve OC4J-specific configuration. Container-managed sign-on can be set up either declaratively, through OC4J-specific configuration without any programming requirements, or programmatically, involving a combination of OC4J-specific configuration and programming requirements. Programmatic container-managed sign-on can use either a principal mapping class or a JAAS login module (both discussed later in this chapter).

The following list summarizes the options and the type of setup required for each. Bullets at each level represent choices.

  • Component-managed sign-on: requires web.xml or ejb-jar.xml <res-auth> setting of Application; programmatic setup for sign-on; no OC4J-specific configuration

  • Container-managed sign-on: requires web.xml or ejb-jar.xml <res-auth> setting of Container; setup for sign-on may be declarative or programmatic; OC4J-specific configuration, as follows, for each of the container-managed sign-on modes:

    • None: implies either component-managed sign-on or no security; specify through Application Server Control; reflected as use="none" in <security-config> element of oc4j-ra.xml

    • Declarative: OC4J configuration through principal mapping entries; configure through Application Server Control; reflected as use="principal-mapping-entries" with appropriate sub-elements in <security-config> element of oc4j-ra.xml

    • Programmatic: using either a principal mapping class or a JAAS login module:

      • Principal mapping class: implement PrincipalMapping interface directly or extend AbstractPrincipalMapping class (both in package oracle.j2ee.connector); configure directly through oc4j-ra.xml (no Application Server Control support) with use="principal-mapping-interface" and appropriate sub-elements in <security-config> element

      • JAAS login module: use a JAAS login module; configure directly through oc4j-ra.xml (no Application Server Control support) with use="jaas-module" and appropriate sub-elements in <security-config> element

Choices for container-managed sign-on in OC4J are also illustrated inFigure 17-1.

Figure 17-1 Flow Chart of Choices for OC4J Container-Managed Sign-On

Description of conmflow.gif follows
Description of the illustration conmflow.gif

Understanding Component-Managed Sign-On

When deploying an application that is to manage its EIS sign-on, use a <res-auth>Application</res-auth> setting in the appropriate descriptor file (web.xml for a Web component or ejb-jar.xml for an EJB component). The application component is then responsible for providing explicit security information for the sign-on. Here is an example:


No OC4J-specific configuration is required for component-managed sign-on.

Figure 17-2 shows the steps in component-managed sign-on, with the text that follows providing further detail.

Figure 17-2 Component-Managed Sign-On

Description of compsign.gif follows
Description of the illustration compsign.gif

  1. The client makes a request, which is associated with an incoming security context for the initiating principal.

  2. As part of servicing the request, the application component maps the incoming security context to an outgoing security context for the resource principal, or hard-codes an outgoing security context, then uses the outgoing security context to request a connection to the EIS.

  3. As part of the connection acquisition, the resource adapter signs on to the EIS using the outgoing security context provided by the application component.

  4. Once the connection is acquired, the application component can interact with the EIS under the established outgoing security context.

The following example is an excerpt from an application that performs component-managed sign-on:

Context initctx = new InitialContext();
// Perform JNDI lookup to obtain a connection factory.
javax.resource.cci.ConnectionFactory cxf =
// Assume a custom class ConnectionSpecImpl, used to store sign-on credentials.
com.myeis.ConnectionSpecImpl connSpec = ...
// Pass sign-on credentials through getConnection() method call.
javax.resource.cci.Connection cx = cxf.getConnection(connSpec);

Understanding Container-Managed Sign-On

When deploying an application that is to depend on OC4J to manage EIS sign-on, use a <res-auth>Container</res-auth> element in the appropriate descriptor file (web.xml for a Web component or ejb-jar.xml for an EJB component). OC4J is then responsible for providing security information for the sign-on. Example 17-2, "Extending AbstractPrincipalMapping" demonstrates the use of this element.

Example 17-1 The <res-auth> Element


For declarative container-managed sign-on, OC4J uses configuration information that you specify through Application Server Control. For programmatic container-managed sign-on—through either a principal mapping class or a JAAS login module—OC4J uses configuration information that you specify directly through the oc4j-ra.xml file. When an application tries to obtain a connection, OC4J uses the applicable mechanism to determine the outgoing security context and to perform authentication.

Figure 17-3 illustrates the steps in container-managed sign-on. These steps are detailed following the diagram.

Figure 17-3 Container-Managed Sign-On

Description of contsign.gif follows
Description of the illustration contsign.gif

  1. The client makes a request, which is associated with an incoming security context for the initiating principal.

  2. As part of servicing the request, the application component requests a connection to the EIS.

  3. As part of the connection acquisition, the container (the OC4J security context manager shown in Figure 17-3) maps the incoming security context to the outgoing security context for the resource principal. This is based on principal mapping entry elements, a principal mapping class, or a JAAS login module.

  4. The resource adapter logs on to the EIS using the outgoing security context provided by OC4J.

  5. Once the connection is acquired, the application component can interact with the EIS under the established outgoing security context.

The following example is an excerpt from an application that depends on container-managed sign-on:

Context initctx = new InitialContext();

// perform JNDI lookup to obtain a connection factory
javax.resource.cci.ConnectionFactory cxf =
// For container-managed sign-on, no security information is passed in the
// getConnection call
javax.resource.cci.Connection cx = cxf.getConnection();

Using Declarative Container-Managed Sign-On

This section describes how to set up authentication through OC4J-specific configuration of principal mapping entries. We refer to this as "declarative container-managed sign-on" (as opposed to "programmatic container-managed sign-on"). You can configure this through Application Server Control.

Specify a default resource user and a set of principal mapping entries. Each principal mapping entry specifies an initiating principal and a corresponding resource principal. If the actual initiating principal (OC4J user) during program execution matches one of the initiating principals you specified, then the corresponding resource principal is used for sign-on to the EIS. If the actual initiating principal does not match any you specified, then the default resource user is used for sign-on to the EIS, assuming one is provided or defined. If no default resource user is specified, then a null subject will be passed to the EIS. In this case, the EIS has the option of signing on with its own default.

Use the following steps in the Application Server Control Console:

  1. From the Connection Factories tab of the appropriate Resource Adapter page, choose to create or edit a connection factory, as desired.

  2. Go to the Security tab for the connection factory you are creating or editing.

  3. Choose to enable security for container-managed sign-on.

  4. Specify declarative principal mappings. This is to specify the default resource user.

    1. Specify the default resource user name.

    2. Specify a password for the default resource user, either indirectly or by typing the desired password. For an indirect password, specify a key (which might just be the user name, for example). OC4J uses the key to do a lookup in the User Manager (such as through the jazn-data.xml file).

  5. Specify initiating user mappings. Specify a mapping for each initiating principal that you want to map to a resource principal. You can edit an existing row ro change an existing mapping, or add another row to specify a new mapping. For each mapping:

    1. Specify the initiating user—the user name of an initiating principal.

    2. Specify the resource user—the user name for a corresponding resource principal.

    3. Specify the resource password—a password for the mapped resource principal. As with the default principal mapping, you can do this either directly or indirectly.

Table 17-1 summarizes how these settings correspond to XML entities in the oc4j-ra.xml file. An example follows the table.

Table 17-1 Properties for Declarative Container-Managed Sign-On

Application Server Control Property Corresponding XML Entity Description
Enable security for container-managed sign-on <security-config> element use attribute Being enabled corresponds to use="principal-mapping-entries" (assuming declarative container-managed sign-on). Being disabled corresponds to use="none".
Default Resource User <res-user> sub-element of <default-mapping> User name for the default resource principal.
Indirect Password or Password (for Declarative Principal Mappings) <res-password> sub-element of <default-mapping> Password for the default resource principal, specified either indirectly or directly.
Initiating User <initiating-user> sub-element of <principal-mapping-entry> User name for an initiating principal that you want to map to a resource principal.
Resource User <res-user> sub-element of <principal-mapping-entry> User name for a resource principal that you want to map to an initiating principal. (Each initating-user/resource-user pair uses a separate <principal-mapping-entry> element.)
Resource Password <res-password> sub-element of <principal-mapping-entry> Password for the resource principal, specified either indirectly or directly.

<oc4j-connector-factories ... >
   <connector-factory ... >
      <security-config use="principal-mapping-entries">

Using Programmatic Container-Managed Sign-On

OC4J can manage programmatic authentication, either through an OC4J-specific mechanism that uses a principal mapping class, or through a pluggable JAAS mechanism that uses a JAAS login module. The following sections discuss these mechanisms plus additional features:

Using a Principal Mapping Class

One option in OC4J for programmatic container-managed sign-on is to use an Oracle feature that implements principal mapping. The application must include a principal mapping class, which is a class that implements the oracle.j2ee.connector.PrincipalMapping interface. A developer can accomplish this by implementing the interface directly, or by extending the oracle.j2ee.connector.AbstractPrincipalMapping class, supplied by Oracle for convenience. You must configure a principal mapping class through the oc4j-ra.xml file. The following sections describe aspects of using a principal mapping class:

Understanding the PrincipalMapping Interface APIs

Table 17-2 describes how OC4J uses methods of the PrincipalMapping interface.

Table 17-2 Method Descriptions for PrincipalMapping Interface

Method Signature Use by OC4J
void init (java.util.Properties prop) OC4J calls init() to initialize the settings for the PrincipalMapping instance, passing in property values specified under the <principal-mapping-interface> element in oc4j-ra.xml. (See "Configuring a Principal Mapping Class".) The implementation class can use the properties to set either a default user name and password, information for LDAP connection, or a default mapping.
void setManagedConnectionFactory (ManagedConnectionFactory mcf) OC4J calls setManagedConnectionFactory() to provide the PrincipalMapping instance with a ManagedConnectionFactory instance (for connections to the EIS), which is used in creating a PasswordCredential instance.
void setAuthenticationMechanisms (java.util.Map authMechanisms) OC4J calls setAuthenticationMechanisms() to pass the authentication mechanisms supported by the resource adapter to the PrincipalMapping instance. The key in the map that is passed is a string containing the supported mechanism type, such as "BasicPassword" or "Kerbv5". The value corresponding to the key is a string containing the fully qualified name of the corresponding credentials interface, as declared in a <credential-interface> element in ra.xml, such as for the PasswordCredential interface. The map can contain multiple entries if the resource adapter supports multiple authentication mechanisms.
Subject mapping (Subject initiatingSubject) OC4J calls mapping() to instruct the PrincipalMapping instance to perform the principal mapping. A Subject instance for the OC4J user (initiating principal) is passed in, and this method returns a Subject instance for the resource principal, for use by the resource adapter for sign-on to the EIS. (The implementation may return null if the proper resource principal cannot be determined.)

Extending the AbstractPrincipalMapping Class

As a convenience, OC4J provides the abstract class AbstractPrincipalMapping, which implements the PrincipalMapping interface. This class provides default implementations of the the the setManagedConnectionFactory() and setAuthenticationMechanism() methods, as well as utility methods to accomplish the following:

  • Retrieve the managed connection factory used for connections to the EIS.

  • Retrieve the authentication mechanisms supported by the resource adapter.

  • Determine whether the resource adapter supports the basic password authentication mechanism.

  • Determine whether the resource adapter supports the Kerberos version 5 authentication mechanism.

  • Extract a Principal instance from a Subject instance.

When extending the AbstractPrincipalMapping class, developers need only implement the init() and mapping() methods.

The methods exposed by the AbstractPrincipalMapping class are summarized in Table 17-3.

Table 17-3 Method Descriptions for AbstractPrincipalMapping Class

Method Signature Description
abstract void init (java.util.Properties prop) The subclass must implement the init() method. See Table 17-2 for a description.
void setManagedConnectionFactory (ManagedConnectionFactory mcf) The subclass need not implement the setManagedConnectionFactory() method. See Table 17-2 for a description.
void setAuthenticationMechanisms (java.util.Map authMechanisms) The subclass need not implement the setAuthenticationMechanisms() method. See Table 17-2 for a description. Note that the subclass can use the isBasicPasswordSupported() and isKerbv5Supported() methods (described later in this table) to determine which authentication mechanism is supported by the resource adapter. The subclass can also use the getAuthenticationMechanisms() method to retrieve the authentication mechanisms.
abstract Subject mapping (Subject initiatingSubject) The subclass must implement the mapping() method. See Table 17-2 for a description.
ManagedConnectionFactory getManagedConnectionFactory () The getManagedConnectionFactory() utility method returns the ManagedConnectionFactory instance (for connections to the EIS), which might be required to create a PasswordCredential instance.
java.util.Map getAuthenticationMechanisms () The getAuthenticationMechanisms() utility method returns a map of all authentication mechanisms supported by the resource adapter. See setManagedConnectionFactory() in Table 17-2 for a description of the map.
boolean isBasicPasswordSupported () The isBasicPasswordSupported() utility method determines whether the basic password authentication mechanism is supported by the resource adapter.
boolean isKerbv5Supported () The isKerbv5Supported() utility method determines whether the Kerbv5 authentication mechanism is supported by the resource adapter.
Principal getPrincipal (Subject) The getPrincipal() utility method extracts the Principal instance from the OC4J user Subject instance passed from OC4J.

Note: In cases where there are multiple principals in a subject (which is not typical), this method would retrieve the first principal. (There is also a getPrincipals() method, and the "first" principal is the first element of the collection of principals that this method would return.)

Example 17-2, "Extending AbstractPrincipalMapping", extends the AbstractPrincipalMapping class to provide a principal mapping from the OC4J user to the EIS default user and password. This assumes a default user and password is specified under the <principal-mapping-interface> element in oc4j-ra.xml, as shown in "Configuring a Principal Mapping Class".

Example 17-2 Extending AbstractPrincipalMapping


import java.util.*;
import javax.resource.spi.*;
import oracle.j2ee.connector.AbstractPrincipalMapping;

public class MyMapping extends AbstractPrincipalMapping
  String m_defaultUser;
  String m_defaultPassword;

  public void init(Properties prop)
    if (prop != null)
      // Retrieves the default user and password from the properties
      m_defaultUser = prop.getProperty("user");
      m_defaultPassword = prop.getProperty("password");
  public Subject mapping(Subject initiatingSubject)
    // This implementation is for BasicPassword authentication
    // mechanism. Return if the resource adapter does not support it.
    if (!isBasicPasswordSupported())
      return null;
    // Use the utility method to retrieve the Principal from the incoming Subject
    // (security context), corresponding to the OC4J user. 
    // This code is included here only as an example.
    // The principal obtained is not actually used in this example.
    Principal principal = getPrincipal(initiatingSubject);
    char[] resPasswordArray = null;    
    if (m_defaultPassword != null)
      resPasswordArray = m_defaultPassword.toCharArray();
    // Create a PasswordCredential using the default user name and
    // password, and add it to the Subject, as in "Option A" in the
    // J2EE Connector Architecture specification.
    PasswordCredential cred =
      new PasswordCredential(m_defaultUser, resPasswordArray);
    return initiatingSubject;

Configuring a Principal Mapping Class

To use a principal mapping class, you must update oc4j-ra.xml to include a <principal-mapping-interface> element for the class. This is a sub-element of the <security-config> element and must include the following:

  • An <impl-class> sub-element to specify the fully qualified name of the principal mapping class

  • Property settings appropriate to the principal mapping class implementation—for the class shown in the preceding section, a <property> sub-element with name="user" and a value setting to specify the default user name for EIS sign-on, and a <property> sub-element with name="password" and a value setting to specify the password for the default user, as shown in the following example.

   <connector-factory name="..." location="...">
      <security-config use="principal-mapping-interface">
            <property name="user" value="scott" />
            <property name="password" value="tiger" />


You can use password indirection to hide the password. For a full discussion of password indirection, see Chapter 14, "Password Management".

Using a JAAS Login Module

Alternatively, you can manage sign-on to an EIS programmatically through JAAS. For details, see Chapter 10, "Custom LoginModules".

OC4J Support for Groups in Programmatic Container-Managed Sign-On

Principal mapping classes and JAAS login modules, in addition to mapping from individual OC4J users to EIS users, can map from OC4J groups to EIS users.

The oracle.j2ee.connector package contains the InitiatingPrincipal class, which implements the Principal interface and represents OC4J users, and the InitiatingGroup class, which also implements the Principal interface but represents OC4J groups. OC4J creates an InitiatingPrincipal intance and incorporates it into the Subject instance that it passes either to the initialize() method of a login module, or to the mapping() method of a principal mapping class.

The InitiatingPrincipal class also has a getGroups() method. This returns a java.util.Set instance with a collection of InitiatingGroup instances that represent the OC4J groups or JAZN roles that the OC4J user belongs to. The group membership is defined in OC4J-specific descriptor files such as jazn-data.xml (depending on the user manager).