| Oracle® Containers for J2EE Security Guide 10g Release 3 (10.1.3) B14429-01 | 
 | 
|  Previous |  Next | 
This appendix shows various versions of a sample servlet, first using standard J2EE security APIs, then adding code to manage policy by granting permissions to a user, and finally adding code to check permissions of a user (JAAS mode and JAAS authorization):
| See Also: 
 | 
The various versions of the sample servlet in this appendix use the file-based provider and depend on the following configurations:
In system-jazn-data.xml, a user developer belonging to a role developers
In web.xml, a role sr_developer and a security constraint for the servlet
In orion-application.xml, a role mapping between developers and sr_developer
These configurations are shown in the subsections that follow.
The system-jazn-data.xml file defines the developer user and the developers role to which the user belongs, in the jazn.com realm.
The recommended way to define users and roles for the file-based provider is through Application Server Control. You can also use the OracleAS JAAS Provider Admintool.
<jazn-data>
   ...
   <jazn-realm>
      <realm>
         <name>jazn.com</name>
         <users>
            ...
            <user>
               <name>developer</name>
               <display-name>developer</display-name>
               <credentials>{903}CafGQDjOlPMyMiwJEwUfyjhGLAbQkzhR</credentials>
            </user>
            ...
         </users>
 
         <roles>
            ...
            <role>
               <name>developers</name>
               <display-name>Developer Role</display-name>
               <members>
                  <member>
                     <type>user</type>
                     <name>developer</name>
                  </member>
               </members>
            </role>
            ...
         </roles>
      </realm>
   </jazn-realm>
   ...
</jazn-data>
The web.xml file sets up the security constraint and defines the role sr_developer. There is also a setting for the authentication method. (Note that it is possible to override the authentication method in web.xml with settings in the <jazn-web-app> element in orion-application.xml.)
<web-app>
   ...
   <security-role>
        <role-name>sr_developer</role-name>
   </security-role>
   ...
   <security-constraint>
      <web-resource-collection>
         <web-resource-name>CallerInfoA</web-resource-name>
         <url-pattern>/callerInfoA</url-pattern>
      </web-resource-collection>
      <!-- authorization -->
      <auth-constraint>
         <role-name>sr_developer</role-name>
      </auth-constraint>
   </security-constraint>
   ...
   <!-- authentication -->
   <login-config>
      <auth-method>BASIC</auth-method>
   </login-config>
   ...
</web-app>
The orion-application.xml file specifies the file-based provider, and maps the security role sr_developer to the role developers that is defined in the identity store (in this case, system-jazn-data.xml).
Specify the security provider and security role mappings through Application Server Control.
<orion-application> ... <security-role-mapping name="sr_developer"> <group name="developers" /> </security-role-mapping> ... <!-- use JAZN-XML by default --> <jazn provider="XML" /> ... </orion-application>
This first version of the servlet uses standard J2EE security APIs to get a user, determine if the user is in a role, and get a user principal.
import java.io.IOException;
import java.util.Date;
import java.util.Properties;
import javax.naming.*;
import javax.servlet.*;
import javax.servlet.http.*;
public class CallerInfo extends HttpServlet {
 
    public CallerInfo() {
        super();
    }
 
    public void init(ServletConfig config)
            throws ServletException {
        super.init(config);
    }
 
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        ServletOutputStream out = response.getOutputStream();
 
        response.setContentType("text/html");
        out.println("<HTML><BODY bgcolor=\"#FFFFFF\">");
        out.println("Time stamp: " + new Date().toString());
        out.println
           ("request.getRemoteUser = " + request.getRemoteUser() + "<br>");
        out.println("request.isUserInRole('ar_developer') = " +
                     request.isUserInRole("sr_developer") + "<br>");
        out.println
            ("request.getUserPrincipal = " + request.getUserPrincipal() + "<br>");
        out.println("</BODY>");
        out.println("</HTML>");
    }
This version of the servlet adds code to grant permissions to a user. Alternatively, you could use the OracleAS JAAS Provider Admintool to grant permissions.
import java.io.*;
import java.util.Date;
import java.util.Properties;
import javax.naming.*;
import javax.servlet.*;
import javax.servlet.http.*;
import oracle.security.jazn.*;
import oracle.security.jazn.realm.*;
import oracle.security.jazn.oc4j.*;
import oracle.security.jazn.spi.Grantee;
import oracle.security.jazn.Policy.*;
import javax.security.auth.*;
import java.security.*;
 
public class CallerInfo extends HttpServlet {
 
    public CallerInfo() {
        super();
    }
 
    public void init(ServletConfig config)
            throws ServletException {
        super.init(config);
    }
 
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        ServletOutputStream out = response.getOutputStream();
 
        response.setContentType("text/html");
        out.println("<HTML><BODY bgcolor=\"#FFFFFF\">");
        out.println("Time stamp: " + new Date().toString());
        out.println
            ("request.getRemoteUser = " + request.getRemoteUser() + "<br>");
        out.println("request.isUserInRole('ar_developer') = " +
                     request.isUserInRole("ar_developer") + "<br>");
        out.println
            ("request.getUserPrincipal = " + request.getUserPrincipal() + "<br>");
 
   //Grant Permissions to a user developer
 
   //get JAZNConfiguration related info
   JAZNConfig jc = JAZNConfig.getJAZNConfig();
 
   //create a Grantee for "developer"
   RealmManager realmmgr = jc.getRealmManager();
   Realm realm = realmMgr.getRealm("jazn.com");
   UserManager userMgr = realm.getUserManager();
   final RealmUser user = userMgr.getUser("developer");
 
   //grant scott file permission
   JAZNPolicy policy = jc.getPolicy();
   if ( policy != null) {
      Grantee gtee = new Grantee( (Principal) user);
      java.io.FilePermission fileperm = new java.io.FilePermission
                                        ("foo.txt","read");
      policy.grant( gtee, fileperm);
   }
 
out.println("</BODY>");
   out.println("</HTML>");
}
This version of the servlet adds configuration and code for JAAS mode and JAAS authorization, to check permissions.
JAAS mode controls whether a J2EE application is executed in a Subject.doAs() block or a Subject.doAsPrivileged() block. Once this mode is set, the authenticated subject is associated with the appropriate access control context. After this, authorization checks may be incorporated into applications using standard JAAS and J2SE APIs.
This example expands the previously shown orion-application.xml configuration to also set the JAAS mode to "doasprivileged". With this setting, OC4J will execute the servlet inside a Subject.doAsPrivileged() block.
<orion-application>
   ...
   <security-role-mapping name="sr_developer">
      <group name="developers" />
   </security-role-mapping>
   ... 
   <!-- use JAZN-XML by default -->
   <jazn provider="XML" jaas-mode="doasprivileged" />
   ...
</orion-application>
Here is the servlet code, checking whether the user has permission to read foo.txt.
import java.io.*;
import java.util.Date;
import java.util.Properties;
import javax.naming.*;
import javax.servlet.*;
import javax.servlet.http.*;
 
import oracle.security.jazn.*;
import oracle.security.jazn.realm.*;
import oracle.security.jazn.oc4j.*;
import oracle.security.jazn.spi.Grantee;
import oracle.security.jazn.Policy.*;
 
import javax.security.auth.*;
import java.security.*;
 
public class CallerInfo extends HttpServlet {
 
    public CallerInfo() {
        super();
    }
 
    public void init(ServletConfig config)
            throws ServletException {
        super.init(config);
    }
 
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
       ServletOutputStream out = response.getOutputStream();
 
       response.setContentType("text/html");
       out.println("<HTML><BODY bgcolor=\"#FFFFFF\">");
       out.println("Time stamp: " + new Date().toString());
       out.println
           ("request.getRemoteUser = " + request.getRemoteUser() + "<br>");
       out.println("request.isUserInRole('ar_developer') = " +
                    request.isUserInRole("ar_developer") + "<br>");
       out.println
           ("request.getUserPrincipal = " + request.getUserPrincipal() + "<br>");
 
      //create Permission
      FilePermission perm = new FilePermission("/home/developer/foo.txt","read");
      {
         //get current AccessControlContext
         AccessControlContext acc = AccessController.getContext();
         
         javax.security.auth.Policy currPolicy =
                                    javax.security.auth.Policy.getPolicy();
 
         // Query policy now
         out.println("Policy permissions for this subject are " + 
                      currPolicy.getPermissions(Subject.getSubject(acc),null));
 
         //Check Permissions
         out.println("Policy.impiles permission: "+ perm +" ? " +
         currPolicy.getPermissions(Subject.getSubject(acc),null).implies(perm));
      }
      out.println("</BODY>");
      out.println("</HTML>");
   }
}