Oracle® Application Server Containers for J2EE Security Guide
10g Release 2 (10.1.2) B14013-02
This appendix provides supplemental samples and standards. It contains the following samples:
This section presents a sample jazn-data.xml file that illustrates the specific standards to which jazn-data.xml files must conform. This jazn-data.xml file contains a realm, jazn.com, together with its users and roles.
Example A-1 Sample jazn-data.xml File
<?xml version="1.0" encoding="UTF-8" standalone='yes'?>
<!DOCTYPE jazn-data PUBLIC "JAZN-XML Data" "http://xmlns.oracle.com/ias/dtds/jazn-data-9_04.dtd">
<jazn-data>
<!-- JAZN Realm Data -->
<jazn-realm>
  <!-- A single realm, jazn.com, that holds the sample users and roles. -->
  <realm>
    <name>jazn.com</name>
    <users>
      <!--
        Credentials below are sample values. The leading "!" marks a
        cleartext password that OC4J obfuscates when it next rewrites this
        file; the accounts and secrets here are illustrative only.
      -->
      <!-- Guest account: no <credentials> element. -->
      <user>
        <name>anonymous</name>
        <description>The default guest/anonymous user</description>
      </user>
      <user>
        <name>SCOTT</name>
        <display-name>SCOTT</display-name>
        <credentials>!TIGER</credentials>
      </user>
      <!-- Administrative account; made a member of the administrators role below. -->
      <user>
        <name>admin</name>
        <display-name>OC4J Administrator</display-name>
        <description>OC4J Administrator</description>
        <credentials>!welcome</credentials>
      </user>
      <user>
        <name>user</name>
        <description>The default user</description>
        <credentials>!456</credentials>
      </user>
      <!--
        Users used for password hiding: holder entries for OC4J password
        indirection, so other configuration can reference the entry name
        instead of embedding the database or keystore secret itself.
      -->
      <user>
        <name>pwForScott</name>
        <description>Password for database user Scott</description>
        <credentials>!TIGER</credentials>
      </user>
      <user>
        <name>pwForSSL</name>
        <description>Password for ssl key and trust stores</description>
        <credentials>!123456</credentials>
      </user>
      <user>
        <name>pwForSystem</name>
        <description>Password for database system user </description>
        <credentials>!manager</credentials>
      </user>
    </users>
    <roles>
      <!-- Each <member> names either a user or another role (nested role). -->
      <role>
        <name>administrators</name>
        <display-name>Realm Admin Role</display-name>
        <description>Administrative role for this realm.</description>
        <members>
          <member>
            <type>user</type>
            <name>admin</name>
          </member>
        </members>
      </role>
      <!-- users: two direct user members plus the whole administrators role. -->
      <role>
        <name>users</name>
        <members>
          <member>
            <type>user</type>
            <name>user</name>
          </member>
          <member>
            <type>user</type>
            <name>SCOTT</name>
          </member>
          <member>
            <type>role</type>
            <name>administrators</name>
          </member>
        </members>
      </role>
      <!-- guests: the anonymous user plus everyone in the users role. -->
      <role>
        <name>guests</name>
        <members>
          <member>
            <type>user</type>
            <name>anonymous</name>
          </member>
          <member>
            <type>role</type>
            <name>users</name>
          </member>
        </members>
      </role>
      <!-- jmxusers has no members in this sample. -->
      <role>
        <name>jmxusers</name>
        <display-name>JMX users</display-name>
        <description>
          Allows access to application level user defined MBeans
        </description>
        <members>
        </members>
      </role>
    </roles>
  </realm>
</jazn-realm>
<!-- JAZN Policy Data -->
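<jazn-policy>
  <!--
    Grant 1: the realm role jazn.com/administrators. This is the only grantee
    that receives administrative permissions; the two grants that follow
    receive RMIPermission "login" only.
    Permission <name> values are written on one line: the value is the
    permission name as-is, and surrounding line-break whitespace would become
    part of it.
  -->
  <grant>
    <grantee>
      <principals>
        <principal>
          <realm-name>jazn.com</realm-name>
          <type>role</type>
          <class>oracle.security.jazn.spi.xml.XMLRealmRole</class>
          <name>jazn.com/administrators</name>
        </principal>
      </principals>
    </grantee>
    <permissions>
      <!--
        AdminPermission entries name another permission ("$"-separated
        class, target and action); each is paired here with the
        RealmPermission it refers to, except createrole and droprole, which
        appear only in AdminPermission form in this sample.
      -->
      <permission>
        <class>oracle.security.jazn.policy.AdminPermission</class>
        <name>oracle.security.jazn.realm.RealmPermission$jazn.com$createrealm</name>
      </permission>
      <permission>
        <class>oracle.security.jazn.realm.RealmPermission</class>
        <name>jazn.com</name>
        <actions>createrealm</actions>
      </permission>
      <permission>
        <class>oracle.security.jazn.policy.AdminPermission</class>
        <name>oracle.security.jazn.realm.RealmPermission$jazn.com$droprealm</name>
      </permission>
      <permission>
        <class>oracle.security.jazn.policy.AdminPermission</class>
        <name>oracle.security.jazn.realm.RealmPermission$jazn.com$createrole</name>
      </permission>
      <permission>
        <class>oracle.security.jazn.policy.AdminPermission</class>
        <name>oracle.security.jazn.policy.RoleAdminPermission$jazn.com/*$</name>
      </permission>
      <!-- Server-wide administration permission for the OC4J server itself. -->
      <permission>
        <class>oracle.j2ee.server.AdministrationPermission</class>
        <name>administration</name>
        <actions>administration</actions>
      </permission>
      <permission>
        <class>oracle.security.jazn.realm.RealmPermission</class>
        <name>jazn.com</name>
        <actions>droprealm</actions>
      </permission>
      <permission>
        <class>oracle.security.jazn.realm.RealmPermission</class>
        <name>jazn.com</name>
        <actions>dropuser</actions>
      </permission>
      <!-- Role administration over every role of the realm (jazn.com/*). -->
      <permission>
        <class>oracle.security.jazn.policy.RoleAdminPermission</class>
        <name>jazn.com/*</name>
      </permission>
      <!-- Allows the role to log in over RMI. -->
      <permission>
        <class>oracle.j2ee.server.rmi.RMIPermission</class>
        <name>login</name>
      </permission>
      <permission>
        <class>oracle.security.jazn.policy.AdminPermission</class>
        <name>oracle.security.jazn.realm.RealmPermission$jazn.com$modifyrealmmetadata</name>
      </permission>
      <permission>
        <class>oracle.security.jazn.realm.RealmPermission</class>
        <name>jazn.com</name>
        <actions>modifyrealmmetadata</actions>
      </permission>
      <permission>
        <class>oracle.security.jazn.policy.AdminPermission</class>
        <name>oracle.security.jazn.realm.RealmPermission$jazn.com$droprole</name>
      </permission>
    </permissions>
  </grant>
  <!-- Grant 2: jazn.com/users may log in over RMI, nothing more. -->
  <grant>
    <grantee>
      <principals>
        <principal>
          <realm-name>jazn.com</realm-name>
          <type>role</type>
          <class>oracle.security.jazn.spi.xml.XMLRealmRole</class>
          <name>jazn.com/users</name>
        </principal>
      </principals>
    </grantee>
    <permissions>
      <permission>
        <class>oracle.j2ee.server.rmi.RMIPermission</class>
        <name>login</name>
      </permission>
    </permissions>
  </grant>
  <!-- Grant 3: jazn.com/jmxusers may log in over RMI, nothing more. -->
  <grant>
    <grantee>
      <principals>
        <principal>
          <realm-name>jazn.com</realm-name>
          <type>role</type>
          <class>oracle.security.jazn.spi.xml.XMLRealmRole</class>
          <name>jazn.com/jmxusers</name>
        </principal>
      </principals>
    </grantee>
    <permissions>
      <permission>
        <class>oracle.j2ee.server.rmi.RMIPermission</class>
        <name>login</name>
      </permission>
    </permissions>
  </grant>
</jazn-policy>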
<!-- Permission Class Data -->
<jazn-permission-classes>
<!-- Empty in this sample: no custom permission classes are registered. -->
</jazn-permission-classes>
<!-- Principal Class Data -->
<jazn-principal-classes>
<!-- Empty in this sample: no custom principal classes are registered. -->
</jazn-principal-classes>
<!-- Login Module Data -->
<jazn-loginconfig>
  <!--
    JAAS login configuration: one <application> entry per named login
    context. Every module below is flagged "required", so a module failure
    fails the whole login for that application.
  -->
  <!-- Login context used by the OC4J user manager. -->
  <application>
    <name>oracle.security.jazn.oc4j.JAZNUserManager</name>
    <login-modules>
      <login-module>
        <class>oracle.security.jazn.realm.RealmLoginModule</class>
        <control-flag>required</control-flag>
        <options>
          <!-- addAllRoles=true: realm roles are added to the authenticated subject. -->
          <option>
            <name>addAllRoles</name>
            <value>true</value>
          </option>
        </options>
      </login-module>
    </login-modules>
  </application>
  <!-- Login context used by the JAZN command-line admin tool. -->
  <application>
    <name>oracle.security.jazn.tools.Admintool</name>
    <login-modules>
      <login-module>
        <class>oracle.security.jazn.realm.RealmLoginModule</class>
        <control-flag>required</control-flag>
        <options>
          <option>
            <name>addAllRoles</name>
            <value>true</value>
          </option>
          <!-- debug=false: module diagnostics stay off. -->
          <option>
            <name>debug</name>
            <value>false</value>
          </option>
        </options>
      </login-module>
    </login-modules>
  </application>
  <!-- Login context for HTTP digest authentication; uses a different module class. -->
  <application>
    <name>oracle.security.jazn.oc4j.DigestAuthenticator</name>
    <login-modules>
      <login-module>
        <class>oracle.security.jazn.login.module.digest.DigestLoginModule</class>
        <control-flag>required</control-flag>
        <options>
          <option>
            <name>debug</name>
            <value>false</value>
          </option>
          <option>
            <name>addAllRoles</name>
            <value>true</value>
          </option>
        </options>
      </login-module>
    </login-modules>
  </application>
</jazn-loginconfig>
</jazn-data>
Example A-2 demonstrates granting java.io.FilePermission to a user named Jane.Smith. The objects to be modified are presented in bold.
Table A-1 lists the objects in Example A-2.
Table A-1 Objects in Sample Modifying User Permissions Code
| Objects | Names | Comments |
|---|---|---|
|
|
|
|
|
|
|
|
|
| File path | report.data | Path is the path name of the file. |
|
Sample organization |
|
|
|
Sample external realm |
|
|
Example A-2 Modifying User Permissions
import oracle.security.jazn.*;
import oracle.security.jazn.policy.*;
import oracle.security.jazn.realm.*;
import java.lang.*;
import java.security.*;
import java.util.*;
import java.net.*;
import java.io.*;
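/**
 * Sample: grants {@code java.io.FilePermission("report.data", "read")} to the
 * realm user Jane.Smith of realm abcRealm, scoped to code loaded from
 * {@code file:/home/task.jar}.
 *
 * Failures ({@link JAZNException}, {@link java.net.MalformedURLException}) are
 * only reported with {@code printStackTrace()}; the exit status does not
 * reflect them.
 */
public class Init {
    /**
     * Entry point. Command-line arguments are ignored.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        try {
            JAZNConfig _jc = JAZNConfig.getJAZNConfig();
            RealmManager realmMgr = _jc.getRealmManager();
            Realm realm = realmMgr.getRealm("abcRealm");
            UserManager userMgr = realm.getUserManager();
            // Both values are read from the anonymous inner class below, so
            // they must be final.
            final JAZNPolicy policy = _jc.getPolicy();
            final RealmUser user = userMgr.getUser("Jane.Smith");
            // The policy update runs under doPrivileged so that the permission
            // check applies to this code's own protection domain rather than
            // to every caller further up the stack.
            AccessController.doPrivileged(new PrivilegedAction() {
                public Object run() {
                    try {
                        // Grant is limited to code from task.jar; null means
                        // no signer certificates are required.
                        CodeSource cs =
                            new CodeSource(new URL("file:/home/task.jar"), null);
                        HashSet prop = new HashSet();
                        prop.add((Principal) user);
                        // assign permission to principals: read-only access to
                        // report.data, for this principal set on this code source
                        policy.grant(new Grantee(prop, cs),
                                     new FilePermission("report.data", "read"));
                    } catch (JAZNException e1) {
                        e1.printStackTrace();
                    } catch (java.net.MalformedURLException e2) {
                        e2.printStackTrace();
                    }
                    // PrivilegedAction must return something; nothing is needed.
                    return null;
                }
            });
        } catch (JAZNException e) {
            e.printStackTrace();
        }
    }
}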
This sample code grants a user, Jane.Smith, permission to use the sample application, AccessTest1, as follows:
The CodeSource cs is assigned to file:/home/task.jar, which contains the sample application AccessTest1:
CodeSource cs = new CodeSource(new URL("file:/home/task.jar"), null);
Jane.Smith is the user added to the HashSet prop:
HashSet prop = new HashSet(); prop.add((Principal) user);
Jane.Smith is granted permission, on the CodeSource cs, to read the file report.data:
policy.grant(new Grantee(prop, cs), new FilePermission("report.data", "read"));