Skip Headers
Oracle® Application Server Containers for J2EE Security Guide
10
g
Release 2 (10.1.2)
Part No. B14013-01
Home
Solution Area
Index
Next
Contents
List of Examples
List of Figures
List of Tables
Title and Copyright Information
Send Us Your Comments
Preface
Documentation Accessibility
Intended Audience
Documentation Accessibility
Organization
Related Documents
Conventions
1
Concepts
The Java 2 Security Model
Permissions
Protection Domains
OracleAS JAAS Provider Permission Classes
Principals
Subjects
Authentication and Authorization
Secure Communications
Secure Sockets Layer
Certificates
HTTPS
Identity Propagation
Developing Secure J2EE Applications
2
Overview of JAAS in Oracle Application Server
The OracleAS JAAS Provider
Provider Types
What Is JAAS?
Login Module Authentication
Roles
Realms
Applications
Policies and Permissions
XML-Based Example
JAAS Framework Features
User Managers
Using JAZNUserManager
Using XMLUserManager
Capability Model of Access Control
Role-Based Access Control (RBAC)
Role Hierarchy
Role Activation
Changes Since Release 9.0.4
3
Understanding OC4J Security
Introduction
Security Considerations During Development and Deployment
Development
Deployment
OC4J and the OracleAS JAAS Provider
OC4J Integration
JAZNUserManager
Authentication Environments
Enabling OracleAS Single Sign-On in J2EE Applications
OracleAS Single Sign-On-Enabled J2EE Environments: A Typical Scenario
Integrating the OracleAS JAAS Provider with SSL-Enabled Applications
Integrating the OracleAS JAAS Provider with Basic Authentication
Basic Authentication J2EE Environments: Typical Scenario
Authentication in the J2EE Environment
Running with an Authenticated Identity
Retrieving Authentication Information
Authorization in the J2EE Environment
Security Role Mapping
J2EE Security Roles
Deployment Roles and Users
OC4J Group Mapping to J2EE Security Roles
4
Overall Security Configuration
Choosing the XML-Based or LDAP-Based Provider
Locating jazn.xml, jazn-data.xml, and the <jazn> element
Locating jazn.xml
Locating jazn-data.xml
Locating the <jazn> element
Admintool Overview
Admintool Prerequisites
Authenticating Yourself
Adding Clustering Support
Specifying an Admintool LoginModule in jazn-data.xml
Specifying An Alternate Policy Provider (Optional)
Specifying Bootstrap OracleAS JAAS Provider Settings
Turning On Debug Logging
Specifying UserManagers
Specifying A UserManager
Specifying a UserManager In orion-application.xml
Advanced Configuration
Customizing RealmLoginModule
Enabling RealmLoginModule Using A Text Editor
Specifying Authentication (auth-method)
Specifying auth-method in web.xml
Specifying auth-method in orion-application.xml
Configuring J2EE Authorization
Servlets, runas-mode, and doasprivileged-mode
Mapping Logical Roles to Security Roles
Removing Realm Names From Authentication Principals
Configuring Third-Party LDAP Providers
Permitting EJB RMI Client Access
Creating a Java 2 Policy File
Using the <principals> element and principals.xml
5
Configuring the OC4J Instance
The Bootstrap jazn.xml File
Specifying LDAP Connection Properties
Specifying LDAP JNDI Connection Pool Size
Configuring LDAP Caching
Changing Session Cache Details
Disabling LDAP Caching
LDAP Cache Configuration
Configuring LDAP SSL Properties
Choosing SSL Authentication
Configuring LDAP Default Realm
6
Security Considerations During Application Deployment
Selecting a UserManager
Mapping Security Roles
Granting Permissions
Granting RMI Permission Or Administration Permission
Granting and Revoking All Other Permissions
Creating Users And Groups
7
Configuring the LDAP-Based Provider
Preparing To Use LDAP
Creating Administrative Users and Groups
LDAP-Based Provider Environment Variables
Creating LDAP Users and Groups
8
Configuring the XML-Based Provider
Creating Users
Creating Roles (Groups)
Deleting Users
Deleting Roles (Groups)
Creating Realms
Deleting Realms
Granting Permissions
Revoking Permissions
Granting Roles (Groups)
Revoking Roles (Groups)
Setting Persistence Mode
Configuring XML Default Realm
Migrating Principals from the principals.xml File
9
Configuring External LDAP Providers
Prerequisites
Creating a <login-module> Element in jazn-data.xml
An Example LDIF Description
Configuring Sun Java System Application Server as LDAP Provider
SunOne Example
Configuring Microsoft Active Directory as LDAP Provider
10
Custom LoginModules
Overview of JAAS Login Modules
Prerequisites
Configuring Dynamic Role Mapping
Integrating Custom JAAS LoginModules
Developing a LoginModule
Subject-based Authorization
J2EE Security Authorization
Callback Support
Debugging Tips
Debug Logging
Debugging LoginModules
Adding and Removing Login Modules
Listing Login Modules
Packaging and Deploying
Deploying as Standard Extensions or Optional Packages
Deploying Within the J2EE Application
Using the OC4J Classloading Mechanism
Configuring Your Application
jazn-data.xml
<jazn-loginconfig>
<jazn-policy>
web.xml or ejb-jar.xml
orion-application.xml
<jazn>
<security-role-mapping>
<library>
oc4j-ra.xml (J2EE Connector Architecture only)
Simple Login Module J2EE Integration
Development
Packaging
Deployment
Custom LoginModule Example
11
Configuring OC4J and SSL
Overview of SSL Keys and Certificates
Using Keys and Certificates with OC4J and Oracle HTTP Server
Enabling SSL in OC4J
Configuring Oracle HTTP Server for SSL
Requesting Client Authentication
Resolving Common SSL Problems
Common SSL Errors and Solutions
General SSL Debugging
12
Configuring EJB Security
EJB JNDI Security Properties
JNDI Properties in jndi.properties
JNDI Properties Within Implementation
Configuring Security
Granting Permissions in Browser
Authenticating and Authorizing EJB Applications
Specifying Users and Groups
Specifying Logical Roles in the EJB Deployment Descriptor
Specifying Unchecked Security for EJB Methods
Specifying the runAs Security Identity
Mapping Logical Roles to Users and Groups
Specifying a Default Role Mapping for Undefined Methods
Specifying Users and Groups by the Client
Specifying Credentials in EJB Clients
Credentials in JNDI Properties
Credentials in the InitialContext
13
Oracle HTTPS for Client Connections
Introduction
Requesting Client Authentication
Oracle HTTPS And Clients
HTTPConnection Class
OracleSSLCredential Class (OracleSSL Only)
Overview of Oracle HTTPS Features
SSL Cipher Suites
Choosing a Cipher Suite
SSL Cipher Suites Supported by OracleSSL
SSL Cipher Suites Supported by JSSE
Access Information About Established SSL Connections
Security-Aware Applications Support
java.net.URL Framework Support
Specifying Default System Properties
javax.net.ssl.KeyStore
javax.net.ssl.KeyStorePassword
Potential Security Risk with Storing Passwords in System Properties
Oracle.ssl.defaultCipherSuites (OracleSSL only)
Oracle HTTPS Example
Initializing SSL Credentials In OracleSSL
Verifying Connection Information
Transferring Data Using HTTPS
Using HTTPClient with JSSE
Configuring HTTPClient To Use JSSE
14
Password Management
Introduction
Password Obfuscation In jazn-data.xml and jazn.xml
Hand-editing jazn-data.xml
Creating An Indirect Password
Indirect Password Examples
Specifying a UserManager In application.xml
15
Configuring CSIv2
Introduction to CSIv2 Security Properties
EJB Server Security Properties in internal-settings.xml
CSIv2 Security Properties in internal-settings.xml
CSIv2 Security Properties in ejb_sec.properties
Trust Relationships
CSIv2 Security Properties in orion-ejb-jar.xml
The <transport-config> element
The <as-context> element
The <sas-context> element
DTD
EJB Client Security Properties in ejb_sec.properties
16
J2EE Connector Architecture Security
Deploying Resource Adapters
The oc4j-ra.xml Descriptor
The <security-config> Element
The oc4j-connectors.xml Descriptor
Specifying Container-Managed or Component-Managed Sign-On
Authentication in Container-Managed Sign-On
JAAS Pluggable Authentication
The InitiatingPrincipal and InitiatingGroup Classes
JAAS and the <connector-factory> Element
User-Created Authentication Classes
Extending AbstractPrincipalMapping
Modifying oc4j-ra.xml
17
Security Support for EIS Connections
Overview of Security and Authentication Setup for EIS Connections
Summary of J2EE Connector Architecture Security Contract
Summary of Component-Managed Versus Container-Managed Sign-On
Understanding Component-Managed Sign-On
Understanding Container-Managed Sign-On
Using Declarative Container-Managed Sign-On
Using Programmatic Container-Managed Sign-On
Using a Principal Mapping Class
Understanding the PrincipalMapping Interface APIs
Extending the AbstractPrincipalMapping Class
Configuring a Principal Mapping Class
Using a JAAS Login Module
OC4J Support for Groups in Programmatic Container-Managed Sign-On
18
Troubleshooting Security Issues
Locating jazn.xml
JAZN Admintool
Custom LoginModules
Subject-Based Authorization
J2EE Security Integration
LDAP-Based Provider Issues
Checking JAZN-LDAP Configuration
Enabling and Disabling Caching
Servlets, runas-mode, and doasprivileged-mode
Creating Realms
Removing Realm Names From Principals
Specifying the JAAS Provider
19
Security Tips
HTTPS
Overall Security
JAAS
A
OracleAS JAAS Provider Standards and Samples
Sample jazn-data.xml Code
Modifying User Permissions
Modifying User Permissions Code
Discussion Of Sample Code
B
Using the JAZN Admintool
Authentication and the JAZN Admintool (XML-based Provider Only)
JAZN Admintool Command-Line Options
Syntax
Admintool Authentication (XML-based Provider Only)
Clustering Operations
Configuration Operations
Interactive Shell
Login Modules
Migration Operations
Miscellaneous
Password Management (XML-based Provider only)
Policy Operations
Realm Operations
Adding and Removing Policy Permissions (XML-based Provider Only)
Adding Clustering Support
Adding and Removing Login Modules (XML-based Provider Only)
Adding and Removing Principals (XML-based Provider Only)
Adding and Removing Realms
Adding and Removing Roles (XML-based Provider Only)
Adding and Removing Users (XML-based Provider Only)
Checking Passwords (XML-based Provider Only)
Configuration Operations
Granting and Revoking Permissions
Granting and Revoking Roles
Listing Login Modules
Listing Permissions
Listing Permission Information
Listing Principal Classes
Listing Principal Class Information
Listing Realms
Listing Roles
Listing Users
Migrating Principals from the principals.xml File
Setting Passwords (XML-based Provider only)
Using the JAZN Admintool Shell
Navigating the JAZN Admintool Shell
add: Creating Provider Data
cd: Navigating Provider Data
clear: Clearing the Screen
exit: Exiting the JAZN Shell
help: Listing JAZN Admintool Shell Commands
ls: Listing Data
man: Viewing JAZN Admintool Man Pages
pwd: Displaying The Working Directory
rm: Removing Provider Data
set: Updating Values
Admintool Shell Directory Structure
Index
