Oracle® Containers for J2EE Security Guide 10g (10.1.3.5.0) Part Number E13977-01
This appendix shows versions of a sample servlet, first using standard J2EE security APIs, then adding code to manage policy by granting permissions to a user, and finally adding code to check permissions of a user (JAAS mode and JAAS authorization):
See Also:
The following Web site for OC4J "how-to" examples:
http://www.oracle.com/technology/tech/java/oc4j/1013/how_to/index.html
The versions of the sample servlet in this appendix use the file-based provider and depend on the following configurations:
In system-jazn-data.xml, a user developer belonging to a role developers
In web.xml, a role sr_developers and a security constraint for the servlet
In orion-application.xml, a role mapping between developers and sr_developers
These configurations are shown in the subsections that follow.
The system-jazn-data.xml file defines the developer user and the developers role to which the user belongs, in the jazn.com realm.
The recommended way to define users and roles for the file-based provider is through Application Server Control, as described in "Configuring the File-Based Provider in Application Server Control". You can also use the OracleAS JAAS Provider Admintool.
<jazn-data>
  ...
  <jazn-realm>
    <realm>
      <name>jazn.com</name>
      <users>
        ...
        <user>
          <name>developer</name>
          <display-name>developer</display-name>
          <credentials>{903}CafGQDjOlPMyMiwJEwUfyjhGLAbQkzhR</credentials>
        </user>
        ...
      </users>
      <roles>
        ...
        <role>
          <name>developers</name>
          <display-name>Developer Role</display-name>
          <members>
            <member>
              <type>user</type>
              <name>developer</name>
            </member>
          </members>
        </role>
        ...
      </roles>
    </realm>
  </jazn-realm>
  ...
</jazn-data>
The web.xml file sets up the security constraint and defines the role sr_developers. There is also a setting for the authentication method. (Note that it is possible to override the authentication method in web.xml with settings in the <jazn-web-app> element in orion-application.xml.)
<web-app>
  ...
  <security-role>
    <role-name>sr_developers</role-name>
  </security-role>
  ...
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>CallerInfoA</web-resource-name>
      <url-pattern>/callerInfoA</url-pattern>
    </web-resource-collection>
    <!-- authorization -->
    <auth-constraint>
      <role-name>sr_developers</role-name>
    </auth-constraint>
  </security-constraint>
  ...
  <!-- authentication -->
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  ...
</web-app>
The orion-application.xml file specifies the file-based provider, and maps the security role sr_developers to the role developers that is defined in the identity store (in this case, system-jazn-data.xml).
Specify the security provider and security role mappings through Application Server Control, as described in "Specifying a Security Provider" and "Mapping Security Roles".
<orion-application>
  ...
  <security-role-mapping name="sr_developers">
    <group name="developers" />
  </security-role-mapping>
  ...
  <!-- use JAZN-XML by default -->
  <jazn provider="XML" />
  ...
</orion-application>
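The three files form a chain: the url-pattern requires sr_developers, which maps to developers, which contains developer. The following Python script is an added example, not part of the Oracle guide; it resolves that chain over trimmed, constructed copies of the snippets above, and its function names are hypothetical. It assumes namespace-free files and follows only direct user members of a role.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed copies of the three files on this page ("..." removed).
JAZN_DATA = """<jazn-data><jazn-realm><realm><name>jazn.com</name>
 <users><user><name>developer</name></user></users>
 <roles><role><name>developers</name><members>
  <member><type>user</type><name>developer</name></member>
 </members></role></roles></realm></jazn-realm></jazn-data>"""
WEB_XML = """<web-app><security-constraint>
 <web-resource-collection><url-pattern>/callerInfoA</url-pattern></web-resource-collection>
 <auth-constraint><role-name>sr_developers</role-name></auth-constraint>
</security-constraint></web-app>"""
ORION_APP = """<orion-application>
 <security-role-mapping name="sr_developers"><group name="developers" /></security-role-mapping>
</orion-application>"""

def realm_members(jazn_xml, realm="jazn.com"):
    """Map each role in the given realm to the set of its direct user members."""
    out = {}
    for r in ET.fromstring(jazn_xml).iter("realm"):
        if r.findtext("name") != realm:
            continue
        for role in r.iter("role"):
            out[role.findtext("name")] = {
                m.findtext("name") for m in role.iter("member")
                if m.findtext("type") == "user"}
    return out

def users_for_urls(web_xml, orion_xml, jazn_xml):
    """Resolve url-pattern -> users via auth-constraint role -> mapped group -> members."""
    groups = {m.get("name"): {g.get("name") for g in m.findall("group")}
              for m in ET.fromstring(orion_xml).iter("security-role-mapping")}
    members = realm_members(jazn_xml)
    result = {}
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        roles = [r.text.strip() for r in sc.iter("role-name")]
        users = set()
        for role in roles:
            for group in groups.get(role, ()):      # unmapped role: nobody qualifies
                users |= members.get(group, set())  # group missing from realm: nobody
        for pat in sc.iter("url-pattern"):
            result.setdefault(pat.text.strip(), set()).update(users)
    return result

if __name__ == "__main__":
    print(users_for_urls(WEB_XML, ORION_APP, JAZN_DATA))
```

An empty set for a URL pattern means the constraint's role has no mapping or the mapped group has no members, so no user can pass the constraint.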
This first version of the servlet uses standard J2EE security APIs to get a user, determine if the user is in a role, and get a user principal.
import java.io.IOException;
import java.util.Date;
import java.util.Properties;
import javax.naming.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class CallerInfo extends HttpServlet {
    public CallerInfo() {
        super();
    }

    public void init(ServletConfig config) throws ServletException {
        super.init(config);
    }

    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        ServletOutputStream out = response.getOutputStream();
        response.setContentType("text/html");
        out.println("<HTML><BODY bgcolor=\"#FFFFFF\">");
        out.println("Time stamp: " + new Date().toString());
        // Authenticated user name, as established by the container
        out.println("request.getRemoteUser = " + request.getRemoteUser() + "<br>");
        // Role name as declared in web.xml
        out.println("request.isUserInRole('sr_developers') = "
            + request.isUserInRole("sr_developers") + "<br>");
        out.println("request.getUserPrincipal = " + request.getUserPrincipal() + "<br>");
        out.println("</BODY>");
        out.println("</HTML>");
    }
}
This version of the servlet adds code to grant permissions to a user. Alternatively, you could use the OracleAS JAAS Provider Admintool to grant permissions, as described in "Granting and Revoking Permissions".
import java.io.*;
import java.util.Date;
import java.util.Properties;
import javax.naming.*;
import javax.servlet.*;
import javax.servlet.http.*;
import oracle.security.jazn.*;
import oracle.security.jazn.realm.*;
import oracle.security.jazn.oc4j.*;
import oracle.security.jazn.spi.Grantee;
import oracle.security.jazn.policy.*;
import javax.security.auth.*;
import java.security.*;

public class CallerInfo extends HttpServlet {
    public CallerInfo() {
        super();
    }

    public void init(ServletConfig config) throws ServletException {
        super.init(config);
    }

    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        ServletOutputStream out = response.getOutputStream();
        response.setContentType("text/html");
        out.println("<HTML><BODY bgcolor=\"#FFFFFF\">");
        out.println("Time stamp: " + new Date().toString());
        out.println("request.getRemoteUser = " + request.getRemoteUser() + "<br>");
        // Role name as declared in web.xml
        out.println("request.isUserInRole('sr_developers') = "
            + request.isUserInRole("sr_developers") + "<br>");
        out.println("request.getUserPrincipal = " + request.getUserPrincipal() + "<br>");

        // Grant permissions to the user "developer"
        // get JAZNConfiguration related info
        JAZNConfig jc = JAZNConfig.getJAZNConfig();

        // create a Grantee for "developer"
        RealmManager realmMgr = jc.getRealmManager();
        Realm realm = realmMgr.getRealm("jazn.com");
        UserManager userMgr = realm.getUserManager();
        final RealmUser user = userMgr.getUser("developer");

        // grant developer file permission
        JAZNPolicy policy = jc.getPolicy();
        if (policy != null) {
            Grantee gtee = new Grantee((Principal) user);
            java.io.FilePermission fileperm =
                new java.io.FilePermission("foo.txt", "read");
            policy.grant(gtee, fileperm);
        }

        out.println("</BODY>");
        out.println("</HTML>");
    }
}
This version of the servlet adds configuration and code for JAAS mode and JAAS authorization, to check permissions.
JAAS mode controls whether a J2EE application is executed in a Subject.doAs() block or a Subject.doAsPrivileged() block. Once this mode is set, the authenticated subject is associated with the appropriate access control context. After this, authorization checks may be incorporated into applications using standard JAAS and J2SE APIs.
See Also:
This example expands the previously shown orion-application.xml configuration to also set the JAAS mode to "doasprivileged". With this setting, OC4J will execute the servlet inside a Subject.doAsPrivileged() block.
<orion-application>
  ...
  <security-role-mapping name="sr_developers">
    <group name="developers" />
  </security-role-mapping>
  ...
  <!-- use JAZN-XML by default -->
  <jazn provider="XML" jaas-mode="doasprivileged" />
  ...
</orion-application>
Here is the servlet code, using JAAS policy to check whether the user has permission to read foo.txt. Due to the preceding configuration, doasprivileged mode is used.
For purposes of comparison, this example also shows equivalent code using AccessController to check permissions. Being inside a doAsPrivileged() block is equivalent to the doasprivileged configuration for the JAAS policy code.
import java.io.*;
import java.util.Date;
import java.util.Properties;
import javax.naming.*;
import javax.servlet.*;
import javax.servlet.http.*;
import oracle.security.jazn.*;
import oracle.security.jazn.realm.*;
import oracle.security.jazn.oc4j.*;
import oracle.security.jazn.spi.Grantee;
import oracle.security.jazn.policy.*;
import javax.security.auth.*;
import java.security.*;

public class CallerInfo extends HttpServlet {
    public CallerInfo() {
        super();
    }

    public void init(ServletConfig config) throws ServletException {
        super.init(config);
    }

    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        final ServletOutputStream out = response.getOutputStream();
        response.setContentType("text/html");
        out.println("<HTML><BODY bgcolor=\"#FFFFFF\">");
        out.println("Time stamp: " + new Date().toString());
        out.println("request.getRemoteUser = " + request.getRemoteUser() + "<br>");
        // Role name as declared in web.xml
        out.println("request.isUserInRole('sr_developers') = "
            + request.isUserInRole("sr_developers") + "<br>");
        out.println("request.getUserPrincipal = " + request.getUserPrincipal() + "<br>");

        // create Permission (final so the inner class below can use it)
        final FilePermission perm =
            new FilePermission("/home/developer/foo.txt", "read");

        // CHECK PERMISSION VIA JAAS POLICY
        // get current AccessControlContext
        AccessControlContext acc = AccessController.getContext();
        javax.security.auth.Policy currPolicy =
            javax.security.auth.Policy.getPolicy();

        // Query policy now
        out.println("Policy permissions for this subject are "
            + currPolicy.getPermissions(Subject.getSubject(acc), null));

        // Check Permissions
        out.println("Policy.implies permission: " + perm + " ? "
            + currPolicy.getPermissions(Subject.getSubject(acc), null).implies(perm));

        // CHECK USER'S PERMISSION VIA ACCESS CONTROLLER
        // subject associated with the current access control context
        final Subject s = Subject.getSubject(acc);
        Subject.doAsPrivileged(s, new PrivilegedAction() {
            public Object run() {
                try {
                    // throws AccessControlException if the permission is not granted
                    AccessController.checkPermission(perm);
                    out.println("<br>");
                    out.println("AccessController checkPermission passed for permission: "
                        + perm);
                    out.println("<br>");
                } catch (IOException e) {
                    e.printStackTrace();
                }
                return null;
            }
        }, null);

        out.println("</BODY>");
        out.println("</HTML>");
    }
}