Oracle® Containers for J2EE Security Guide
10g Release 3 (10.1.3)
B14429-01
Contents
List of Examples
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documentation
Conventions
What's New
Changes Since Release 10.1.2
1 Standard Security Concepts
Introducing the Java 2 Security Model and JAAS
Authentication and Authorization
Authentication and Authorization Concepts
Capability Model of Access Control
JAAS Security Model Versus J2EE Security Model
About Principals and Subjects
About Permissions, Policies, and Realms
Security Permissions
Security Policies
Protection Domains
Security Managers and Access Control
Security Realms
Login Module Authentication
Role-Based Access Control: Roles and Role Hierarchy
Secure Communications
Secure Sockets Layer and HTTPS
Certificates
Key Encryption and Exchange
Identity Propagation
Developing Secure J2EE Applications
2 Overview of OC4J Security
Introducing the OracleAS JAAS Provider and Security Providers
Overview of the OracleAS JAAS Provider
Summary of JAAS Framework Features
Supported Security Providers
Support for DataSourceUserManager
Authentication in the OC4J Environment
Authorization in the OC4J Environment
J2EE Authorization
JAAS Authorization and JAAS Mode
Introduction to JAAS Mode
OracleAS JAAS Provider Realm and Policy Features
Features for Granting Permissions
Features for Checking Permissions
OracleAS JAAS Provider Permission Classes
Implementation of Java Authorization Contract for Containers
Overview of Security Role Mapping
3 Overview of Security Administration and Configuration
General OC4J Deployment and Configuration Features
Tools for Oracle Application Server and OracleAS JAAS Provider
Overview of Enterprise Manager
Overview of the OracleAS JAAS Provider Admintool
Overview of Oracle Identity Management and Oracle Internet Directory Tools
Overview of Delegated Administration Services
Overview of Oracle Directory Manager
JMX and MBeans Administration
Overview of Configuration Files and Key Elements
The orion-application.xml File (<jazn> and <jazn-web-app> Elements)
The system-application.xml File
The system-jazn-data.xml File
Application-Specific jazn-data.xml File (Optional)
The jazn.xml File
OC4J System Application
Summary of OC4J Accounts
Predefined OC4J Accounts
Activation of the oc4jadmin Account
Configuring a New Administration Account
Configuring an Anonymous User
Summary of Configuration Repositories and Security Management Tools
4 Java VM Security Settings for OC4J
Specifying an Alternate JAAS Policy Provider
Specifying a Java 2 Security Manager and Policy File
Creating a Java 2 Policy File
Using PrintingSecurityManager to Debug Java 2 Policy
Enabling Subject Propagation for ORMI
5 Tasks and Guidelines in Setting Security
Guidelines for Password Management
Creating an Indirect Password
Specifying a Password Manager in system-application.xml
Password Obfuscation in OC4J Configuration Files
Tasks and Guidelines for Using Security Realms in OC4J
Default Realm with the File-Based Provider or Oracle Identity Management
Evaluation of the Default Realm for File-Based Provider or Oracle Identity Management
Using the Default Realm
Using a Nondefault Realm
Using Multiple Realms
Omitting the Realm Name When Retrieving an Authenticated Principal
Tasks for JAAS Mode and Authorization
Use J2EE Authorization
Use OracleAS JAAS Provider Policy Management
Use OracleAS JAAS Provider JAAS Mode
Using the Java Authorization Contract for Containers
System Properties to Enable Java ACC Features
System Properties to Specify the Java ACC Provider
Packaging Considerations for OC4J Configuration Files
Configuration Tasks and Considerations in the Deployment Descriptors
Configuration to Use the Instance-Level File-Based Provider
Configuration to Automatically Create jazn-data.xml
Supplying an Application-Specific jazn-data.xml File
Deployment Tasks and Guidelines for Security
Overview of Deployment Considerations
Deploying an Application
Deploying an Application through Application Server Control
Specifying a Security Provider
Considering the File-Based Provider Versus Oracle Identity Management
Specifying the Security Provider through Application Server Control
Mapping J2EE Security Roles to JAAS Roles
Application Role Definitions and References
Specifying Security Role Mapping through Application Server Control
Mapping J2EE Roles to JAAS Roles in OC4J Configuration Files
Using the OC4J PUBLIC Role to Allow General Access by Authenticated Users
Post-Deployment Considerations
Navigating to the Security Provider Page for Your Application
Tasks for DataSourceUserManager
DataSourceUserManager Properties
Configuring an Application to Use DataSourceUserManager
6 Oracle Identity Management Security Provider
Realm Management in LDAP-Based Environments
LDAP-Based Realm Types
About Distinguished Names
LDAP-Based Realm Data Storage
Realm Hierarchy
Access Control Lists and OracleAS JAAS Provider Directory Entries
Overview of Oracle Identity Management Key Components
Overview of Oracle Internet Directory
Overview of Oracle Application Server Single Sign-On
SSO-Enabled J2EE Environment: Typical Scenario
Prerequisites: Oracle Application Server Infrastructure
Supported Versions for Oracle Internet Directory and OracleAS Single Sign-On
Considerations for 9.0.4.x Infrastructure: Access Control List Settings
Steps to Use the Oracle Identity Management Security Provider
Associate Oracle Internet Directory with OC4J
Associating Oracle Internet Directory with OC4J
Changing the Oracle Internet Directory Association
Required OC4J Accounts Created in Oracle Internet Directory
Oracle Internet Directory Association in jazn.xml
Associating the OC4J System Application with Oracle Internet Directory
Configure Oracle Identity Management as the Security Provider
Specifying Oracle Identity Management during Deployment
Changing to Oracle Identity Management after Deployment
Configure SSO (Optional)
Run the SSO Registration Tool
Transfer the osso.conf File to the OC4J Instance
Run the osso1013 Script
Synchronization of OracleAS JAAS Provider User Context with Servlet Sessions
Restart the Oracle HTTP Server and OC4J Instances
LDAP-Based Provider Settings in OC4J Configuration Files
Configuring LDAP User and SSL Properties
Configuring LDAP Connection Properties
Configuring LDAP Caching Properties
7 File-Based Security Provider
Tools for File-Based Provider Policy and Realm Management
Configuring the File-Based Provider in Application Server Control
Configuring the File-Based Provider during Application Deployment
Changing to the File-Based Provider after Deployment
Managing Application Realms through Application Server Control
Search for a Realm
Create a Realm
Delete a Realm
Managing Application Users through Application Server Control
Search for a User
Create a User
Delete a User
Edit a User
Managing Application Roles through Application Server Control
Search for a Role
Create a Role
Delete a Role
Edit a Role
Administering Instance-Level Security through Application Server Control
File-Based Provider Settings in OC4J Configuration Files
Scenarios for <jazn> Settings in orion-application.xml
Realm Configuration in the Repository File
Policy Configuration in the Repository File
Predefined OC4J Accounts in system-jazn-data.xml
OracleAS JAAS Provider Migration Tool
Overview of the Migration Tool
Migration Tool Command Syntax
Migration Tool APIs
Migrating Principals from the principals.xml File
8 Login Modules
Configuring RealmLoginModule
Introducing Custom JAAS Login Modules
Packaging and Deploying Login Modules
Deploying Login Modules within the J2EE Application
Deploying Login Modules as Optional Packages
Using Login Modules as OC4J Shared Libraries
Configuring the Custom Security Provider in Application Server Control
Specifying and Configuring a Custom Security Provider during Deployment
Editing a Custom Login Module Configuration during Deployment
Adding a Custom Login Module during Deployment
Changing to a Custom Security Provider after Deployment
Adding a Login Module to the Custom Security Provider
Updating a Login Module in the Custom Security Provider
Deleting a Login Module in the Custom Security Provider
Configuring Login Modules through the Admintool
Login Module Configuration in OC4J Configuration Files
Login Module Settings in system-jazn-data.xml
Login Modules Settings in orion-application.xml
Settings in <jazn-loginconfig> in orion-application.xml
Settings in <jazn> for Login Modules
Settings in <namespace-access> for Login Modules
Configuring oc4j-ra.xml for Login Modules (J2EE Connector Architecture)
Simple Login Module J2EE Integration
Development of Simple Login Module
Packaging of Simple Login Module
Deployment of Simple Login Module
Custom Login Module Example
9 External LDAP Security Providers
Overview of External LDAP Provider Configuration and Administration
Configuring External LDAP Providers in Application Server Control
Specifying and Configuring an External LDAP Provider during Deployment
Changing to an External LDAP Provider after Deployment
External LDAP Provider Settings in system-jazn-data.xml
Granting RMI Permission to an LDAP Principal
Sample Configuration for Sun Java System Directory Server
Sample LDIF Description
Sample Entries in OC4J Configuration Files
Settings in system-jazn-data.xml for Sun Java System Directory Server
Settings in orion-application.xml for External LDAP Server
10 COREid Access Security Provider
Getting Started with Oracle COREid Access and Identity
Overview of Oracle COREid Access and Identity
COREid Prerequisites
COREid Architecture
Top-Level Summary of Configuration Stages
Running the Access Manager
Oracle COREid Access and Identity Concepts
About COREid Resource Types
About COREid Authentication
About the COREid Single Sign-On Cookie
About Using HTTP Header Variables for Authentication
Configuring COREid Access
Configure COREid Form-Based Authentication
Create a Login Form
Define Form-Based Authentication in Access Manager
Configure the credential_mapping Plug-In for Form-Based Authentication
Configure the validate_password Plug-In for Form-Based Authentication
Configure COREid Basic Authentication
Define Basic Authentication in Access Manager
Configure the credential_mapping Plug-In for Basic Authentication
Configure the Resource Type
Configure the Name and Operation of the Resource Type
Configure and Protect the URL of the Configured Resource Type
Configure the Return Action Attributes
Protect the Action URL
Configuring OC4J with the Access SDK
Create OC4J Instances as Needed
Configure the Access SDK to Each OC4J Instance
Configure the Access SDK Library Path for Each OC4J Instance
Configuring the Application
Protect the Application URLs in web.xml
Settings for Application Deployment
Configure COREid SSO in orion-application.xml
Protect the Application URLs in COREid Access
Configure the COREid JAAS Login Module
Test the Application
COREid Examples for J2EE Applications
Web Application Using HTTP Header Variables through COREid
Configure HTTP Header Variables in Access Manager
Configure HTTP Header Variables for the COREid Login Module
Secure the Web Application
Web Application Using the COREid ObSSOCookie
Configure User Name and Password for the COREid Login Module
Secure the Web Application
EJB Application Using COREid
COREid Support and Examples for Web Services
Web Service with Username Token Authentication for COREid
Web Service with X.509 Token Authentication for COREid
Web Service with SAML Token Authentication for COREid
Troubleshooting the Oracle COREid Access and Identity Setup
11 Integration with SSL and ORMIS
Using Keys and Certificates with OC4J and Oracle HTTP Server
Integrating the Security Provider with SSL-Enabled Applications
Using SSL with Standalone OC4J
Using SSL with OC4J in Oracle Application Server
Configure OC4J with SSL
Use Oracle HTTP Server with SSL
Configure AJP over SSL
Configure OPMN to Enable HTTPS and Use SSL
Sample Configuration Files for SSL
Requesting Client Authentication
Resolving Common SSL Problems
Common SSL Errors and Solutions
General SSL Debugging
Enabling ORMIS for OC4J
Configuring ORMIS for Standalone OC4J
Configure server.xml for the RMI Configuration File Location
Configure rmi.xml for ORMIS
Disabling ORMI with ORMIS Enabled
Configuring ORMIS for OC4J in an Oracle Application Server Environment
Configuring ORMIS Access Restrictions
Configuring Clients to Use ORMIS
Specify the Appropriate Java Naming Provider URL
Specify the Keystore and Password
12 Oracle HTTPS for Client Connections
Oracle HTTPS and Clients
HTTPConnection Class
OracleSSLCredential Class
Overview of Oracle HTTPS Features
SSL Cipher Suites
Choosing a Cipher Suite
SSL Cipher Suites Supported by OracleSSL
SSL Cipher Suites Supported by JSSE
Accessing Information for Established SSL Connections
Security-Aware Applications Support
Support for java.net.URL Framework
Specifying Default System Properties
Property javax.net.ssl.KeyStore
Property javax.net.ssl.KeyStorePassword
Potential Security Risk with Storing Passwords in System Properties
Property Oracle.ssl.defaultCipherSuites
Oracle HTTPS Example
Initializing SSL Credentials In OracleSSL
Verifying Connection Information
Transferring Data through HTTPS
Using HTTPClient with JSSE
13 Web Application Security Configuration
Specifying the Authentication Method (auth-method)
Specifying auth-method in web.xml
Configuring OC4J for OracleAS Single Sign-On
Using Digest Authentication with Oracle Internet Directory
Using Form-Based Authentication
Setting Standard Configuration for Form-Based Authentication
Setting the OC4J Flag for Client-Side Redirects
Using Client-Cert Authentication
Configuring OC4J for Client-Cert Authentication
Client-Cert Execution Flow in OC4J
Web Application Security Role Configuration
J2EE Security Roles
Mapping of Application Roles to J2EE Roles
Definition of JAAS Roles and Users
OC4J Mapping of J2EE Roles to JAAS Roles
14 EJB Security Configuration
EJB JNDI Security Properties
JNDI Properties in jndi.properties
JNDI Properties within Implementation
Configuring EJB Security
Granting Permissions in the Browser
Authenticating and Authorizing EJB Applications
Specifying Logical Roles in the EJB Deployment Descriptor
Specifying Unchecked Security for EJB Methods
Specifying the Run-As Security Identity
Mapping Logical Roles to Users and Roles
Specifying a Default Role Mapping for Undefined Methods
Specifying Credentials in EJB Clients
Credentials in JNDI Properties
Credentials in the InitialContext
Configuring Anonymous EJB Lookup
Permitting EJB RMI Client Access
Enabling and Configuring Subject Propagation for ORMI
Overview of Subject Propagation in OC4J
Enabling Subject Propagation for ORMI
Sharing Principal Classes for Subject Propagation
Removing and Configuring Subject Propagation Restrictions
15 Common Secure Interoperability Protocol
EJB Server Security Properties in internal-settings.xml
EJB Client Security Properties in ejb_sec.properties
Introduction to CSIv2 Security Properties
CSIv2 Security Properties in internal-settings.xml
CSIv2 Security Properties in ejb_sec.properties
CSIv2 Security Properties in orion-ejb-jar.xml
The <transport-config> element
The <as-context> element
The <sas-context> element
Example: <ior-security-config>
16 Security Support for Resource Adapters
Overview of Security and Authentication Setup for EIS Connections
Summary of J2EE Connector Architecture Security Contract
Summary of Component-Managed Versus Container-Managed Sign-On
Summary of Security-Related Resource Adapter Configuration Elements
The oc4j-ra.xml File <security-config> Element
The oc4j-connectors.xml File <security-permission> Element
Understanding Component-Managed Sign-On
Understanding Container-Managed Sign-On
Authentication in Container-Managed Sign-On
Using Declarative Container-Managed Sign-On
Using Programmatic Container-Managed Sign-On
Using a Principal Mapping Class
Understanding the PrincipalMapping Interface APIs
Extending the AbstractPrincipalMapping Class
Configuring a Principal Mapping Class
Using a JAAS Login Module for an EIS Connection
The InitiatingPrincipal and InitiatingGroup Classes
JAAS and the <connector-factory> Element
A Tips and Troubleshooting for OC4J Security
Best Practices for OC4J Security
HTTPS Best Practices
Overall Security Best Practices
JAAS Best Practices
OC4J Security Issues and Hints
File jazn.xml Not Found
Issues for Custom Login Modules
Subject-Based Authorization
J2EE Security Integration
Issues for Oracle Identity Management
Checking Configuration (JAZN-LDAP)
Using ldapsearch to Retrieve Realm Names from Oracle Internet Directory
Avoiding OC4J Restart for Oracle Internet Directory Changes to Take Effect
Failure to Specify OracleAS JAAS Provider as the JAAS Provider
Realm Issues
Realm Names Omitted from User Names
Specifying Default Realm to Solve Authentication Failure
Logging
Using Oracle Diagnostic Logging with OracleAS JAAS Provider
Using Standard JDK Logging with the OracleAS JAAS Provider Admintool
B OracleAS JAAS Provider Samples
Security Configuration for Sample Servlet
Configuration in system-jazn-data.xml
Configuration in web.xml
Configuration in orion-application.xml
Sample Servlet: Invoking J2EE Security APIs
Sample Servlet: Granting Permissions
Sample Servlet: Checking Permissions
JAAS Mode Configuration in orion-application.xml
Servlet Code for Authorization
C OracleAS JAAS Provider Admintool Reference
Authentication to Run the Admintool
Summary of Admintool Command-Line Syntax and Options
Admintool Shell
Shell Support for Admintool Command-Line Options
Admintool Shell Directory Structure
Summary of Admintool Special Shell Commands
add, mkdir, and mk: Creating Provider Data
cd: Navigating Provider Data
clear: Clearing the Screen
exit: Exiting the Admintool Shell
help: Listing Admintool Shell Commands
ls: Listing Data
man: Viewing Admintool man Pages
pwd: Displaying the Working Directory
rm: Removing Provider Data
set: Updating Values
Admintool Administrative Functions
Adding and Removing Login Modules
Adding and Removing Realms
Adding and Removing Roles (File-Based Provider)
Adding and Removing Users (File-Based Provider)
Checking Passwords (File-Based Provider)
Administrative Operations
Granting and Revoking Permissions
Granting and Revoking Roles
Listing Login Modules
Listing Permissions
Listing Realms
Listing Roles
Listing Users
Converting from the principals.xml File to JAAS
Setting Passwords (File-Based Provider)
D Third Party Licenses
Apache
The Apache Software License
Apache SOAP
Apache SOAP License
mod_mm and mod_ssl
OpenSSL
OpenSSL License
Perl
Perl Kit Readme
mod_perl 1.29 License
mod_perl 1.99_16 License
Perl Artistic License
Preamble
Definitions
Index