Oracle® Containers for J2EE Security Guide
10g Release 3 (10.1.3) B14429-01
This section describes new features in this release:
The following security features and enhancements are added for the OC4J 10.1.3 implementation:
Support for the COREid Access security provider
Support for the LDAP-based provider in standalone OC4J
Digest authentication support, and client certification authentication and authorization support
Implementation of the Java Authorization Contract for Containers (JSR-115)
JAAS integration with EJBs
ORMI enhancements for SSL (ORMIS)
Support for subject propagation (with ORMI or ORMIS)
JMX and MBeans support (JSR-77) for security configuration
New OC4J user and role accounts (see below)
Enhanced Java 2 security support
Web services security (described in another document)
In addition, note the following changes since the OC4J 10.1.2 implementation:
There is a new consolidated "JAAS mode" for authorization, for both servlets and EJBs. This replaces previous runas-mode and dosasprivileged-mode functionality for servlets, and USE_JAAS functionality (introduced in preliminary 10.1.3 releases) for EJBs. The previous functionality is supported but deprecated in the OC4J 10.1.3 implementation.
The instance-level jazn-data.xml configuration file used in previous releases to store user and role configuration (for the file-based provider), policy configuration (for the file-based, external LDAP, or custom security provider), and login module configuration (for all security providers) has been renamed system-jazn-data.xml. However, an application can optionally use an application-specific jazn-data.xml repository file to store user and role configuration for the file-based provider.
The XMLUserManager class and its data store, principals.xml, are deprecated and will no longer be supported at a future release. We strongly encourage you to migrate your existing applications. For instructions, see "Migrating Principals from the principals.xml File".
The com.evermind package has been largely replaced by oracle.j2ee. Although the com.evermind.* classes continue to exist, they are deprecated; we encourage you to move your applications to oracle.j2ee.*.
Custom UserManager classes are still supported at this release, but will be deprecated at a future release. We recommend that you use JAAS custom login modules instead of custom UserManager implementations.
For the Oracle Identity Management security provider, the application realm and external realm are deprecated.
The external.synchronization property is no longer supported.
The default setting of the jaas.username.simple property is now "true"; in the 10.1.2 implementation the default setting was "false". This now means that by default, realm names are omitted from the names of authenticated principals returned by such methods as getUserPrincipal() and getRemoteUser() for servlets, and getCallerPrincipal() for EJBs.
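Application code that compared caller names against realm-qualified literals will stop matching once this default changes. The following Java helper is an added illustration, not code from this guide or from OC4J; it assumes (the page does not state this) that a realm-qualified principal name has the form realm/user, and the sample names it uses are constructed.

```java
import java.security.Principal;

/**
 * Added helper (not from the Oracle guide): compare caller names consistently
 * whether OC4J returns simple principal names (jaas.username.simple=true, the
 * 10.1.3 default) or realm-qualified ones (jaas.username.simple=false, the
 * 10.1.2 default). Assumption: a realm-qualified name has the form
 * "realm/user", e.g. "jazn.com/scott" (constructed sample value).
 */
public final class PrincipalNames {
    private static final char REALM_SEPARATOR = '/';

    private PrincipalNames() {}

    /** Returns the user part of a principal name, dropping any "realm/" prefix. */
    public static String simpleName(String principalName) {
        int idx = principalName.indexOf(REALM_SEPARATOR);
        return idx < 0 ? principalName : principalName.substring(idx + 1);
    }

    /** Returns the realm part, or null when the name carries no realm prefix. */
    public static String realmOf(String principalName) {
        int idx = principalName.indexOf(REALM_SEPARATOR);
        return idx < 0 ? null : principalName.substring(0, idx);
    }

    /**
     * True when the authenticated caller (e.g. request.getUserPrincipal() in a
     * servlet, or ctx.getCallerPrincipal() in an EJB) is the expected user,
     * independent of the jaas.username.simple setting.
     */
    public static boolean isUser(Principal caller, String expectedUser) {
        return caller != null && expectedUser.equals(simpleName(caller.getName()));
    }

    /** Wraps a constructed name as a Principal for the demonstration below. */
    private static Principal principal(final String name) {
        return new Principal() {
            public String getName() { return name; }
        };
    }

    public static void main(String[] args) {
        Principal qualified = principal("jazn.com/scott"); // as with jaas.username.simple=false
        Principal simple = principal("scott");             // as with jaas.username.simple=true
        // An exact comparison against a realm-qualified literal stops matching
        // under the 10.1.3 default; the normalized check works for both forms.
        System.out.println("naive match: " + "jazn.com/scott".equals(simple.getName()));
        System.out.println("normalized:  " + isUser(qualified, "scott") + " / " + isUser(simple, "scott"));
        if (!isUser(qualified, "scott") || !isUser(simple, "scott")) {
            throw new AssertionError("normalization failed");
        }
    }
}
```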
There have been some OC4J account name changes: the admin account is now oc4jadmin; the administrators role is now oc4j-administrators; the jmx-users role is now oc4j-app-administrators. For the file-based provider in standalone OC4J, oc4jadmin is initially deactivated. See "Predefined OC4J Accounts".
Required OC4J accounts are created automatically in Oracle Internet Directory when you associate an OC4J instance with an OID instance. See "Required OC4J Accounts Created in Oracle Internet Directory".
Setting LD_LIBRARY_PATH is no longer necessary in the 10.1.3 implementation.
The jazn.debug.log.enable flag is no longer supported for logging. Use regular OC4J logging features. See "Logging".