Contents

List of Examples

List of Figures

List of Tables

Title and Copyright Information

Preface

• Audience
• Documentation Accessibility
• Related Documentation
• Conventions

What's New

• Changes in Release 10.1.3.5
• Changes in Release 10.1.3.4
• Changes in Release 10.1.3.1
• Changes in Release 10.1.3.0.0

1 Basic Security Concepts

• Application-Level Security
  • About Authentication
  • About Authorization
    • Access Control Lists and the Capability Model of Access Control
    • Role-Based Access Control
• Transport-Level Security
  • Secure Sockets Layer and HTTPS
  • SSL Authentication
  • X.509 Certificates
  • Key Encryption and Exchange

2 Java Platform Security

• J2EE Security Model
  • Web Application Authentication and Authorization
    • Web Application Standard Authentication Methods
    • Web Application URL-Based Authorization
    • Run-As Mode and Propagated Identities in Web Applications
    • Related Web Application APIs
  • Enterprise JavaBeans Authentication and Authorization
    • EJB Authentication
    • EJB Method-Based Authorization
    • Run-As Mode and Propagated Identities in EJB Applications
    • Related EJB APIs
  • Identity Propagation
• Java 2 Security Model
  • Code-Based Security
  • Security Permissions
  • Protection Domains
  • Java 2 Authorization: Java 2 Security Policies
  • Java 2 Authorization: Security Managers and Access Controllers
• Java Authentication and Authorization Service
  • Principals and Subjects
  • JAAS Authentication: Login Modules
    • About Login Modules
    • Stacking Login Modules
  • JAAS Authorization: JAAS Security Policies
  • JAAS Authorization: Subject Methods doAs() and doAsPrivileged()
• Security Considerations during Development
  • Summary: Comparing Security Models for J2EE, Java 2, and JAAS
  • Steps to Develop a Secure J2EE Application

3 Overview of OC4J Security

• Introducing the OracleAS JAAS Provider and Security Providers
  • Overview of the OracleAS JAAS Provider
  • Summary of JAAS Framework Features
  • Security Realms in the OracleAS JAAS Provider
  • Supported Security Providers
• Introducing Authentication Features in the OC4J Environment
  • Supported Web Application Authentication Methods
  • Overview of OC4J Login Modules
  • Overview of Oracle Application Server Single Sign-On Alternatives
  • JAZNUserManager Delegation (File-Based Provider)
• Introducing Authorization Features in the OC4J Environment
• Overview of Security Role Mapping
• Overview of General-Use Identity Management Frameworks and APIs

4 Overview of Security Administration

• General OC4J Deployment and Configuration Features
• Tools for Oracle Application Server and OracleAS JAAS Provider
  • Overview of Oracle Enterprise Manager 10g Application Server Control
  • Overview of the OracleAS JAAS Provider Admintool
  • Overview of Oracle Identity Management and Oracle Internet Directory Tools
    • Overview of Delegated Administration Services
    • Overview of Oracle Directory Manager
• JMX and MBeans Administration
• Overview of Configuration Files and Key Elements
  • The orion-application.xml File (<jazn> and <jazn-web-app> Elements)
  • The system-application.xml File
  • The system-jazn-data.xml File
  • Application-Specific jazn-data.xml File (Optional)
  • The jazn.xml File
• OC4J System Application
• Summary of OC4J Accounts
  • Predefined Accounts
  • Activation of the oc4jadmin Account (Standalone OC4J)
  • Creating and Configuring a New Administrator Account
    • Creating a New Administrator Account
    • Configuring a New Administrator Account for the System Application
  • Configuring an Anonymous User
• Summary of Configuration Repositories and Security Management Tools

5 Authorization in OC4J

• Java 2 Security and Code-Based Policy Management
  • Specifying a Java 2 Security Manager and Policy File
  • Using PrintingSecurityManager to Determine Required Java 2 Permissions
  • Creating or Updating a Java 2 Policy File
• Authorization APIs, JAAS Mode, and JACC in the OC4J Environment
  • JAAS Authorization and OracleAS JAAS Provider JAAS Mode
    • Introduction to JAAS Mode
    • OracleAS JAAS Provider Realm and Policy APIs
    • OracleAS JAAS Provider APIs for Granting or Revoking Permissions
    • APIs for Checking Permissions
  • Setting a Subject Into the OC4J Container
  • Implementation of Java Authorization Contract for Containers
• OracleAS JAAS Provider Policy Management
  • Granting Permissions through the OracleAS JAAS Provider Admintool
  • Using OracleAS JAAS Provider Policy Management APIs
  • OracleAS JAAS Provider Policy Configuration
    • Policy Repository Setting in jazn.xml
    • Policy Configuration in system-jazn-data.xml
    • Policy Configuration in Oracle Internet Directory
  • Specification of the Oracle Policy Provider
• Authorization Coding and Configuration
  • Using J2EE Authorization APIs
  • Obtaining a Subject
  • Using the checkPermission() Method
  • Configuring and Using JAAS Mode
  • Enabling the Java Authorization Contract for Containers
    • System Property to Enable JACC Features
    • System Properties to Specify the JACC Provider
• Authorization Strategies
  • Considering J2EE Security
  • Considering Java 2 Security
  • Considering JAAS Security

6 General Tasks for OC4J Security

• Tasks for Password Management
  • Using Password Indirection
  • Specifying a Password Manager in system-application.xml
  • Password Obfuscation in OC4J Configuration Files
• Using Security Realms in OC4J
  • Default Realm with the File-Based Provider or Oracle Identity Management
  • Evaluation of Default Realm for File-Based Provider, Oracle Identity Management
  • Using the Default Realm
  • Using a Nondefault Realm
  • Using Multiple Realms
  • Omitting the Realm Name When Retrieving an Authenticated Principal
• Deployment Tasks for Security
  • Overview of Deployment Considerations
  • Deploying an Application
    • Deploying an Application through Application Server Control
  • Specifying a Security Provider
    • Considering the File-Based Provider Versus Oracle Identity Management
    • Specifying the Security Provider through Application Server Control
  • Mapping Security Roles
    • Application Role Definitions and References
    • Specifying Security Role Mapping through Application Server Control
    • Mapping J2EE Roles to Deployment Roles in OC4J Configuration Files
    • Using the OC4J PUBLIC Role to Allow General Access by Authenticated Users
• Post-Deployment Tasks for Security
  • Navigating to the Security Provider Page for Your Application
• Tasks to Share a Library
  • Loading the Library as an OC4J Shared Library
  • Importing the Library into Your Application

7 File-Based Security Provider

• Tools for File-Based Provider Policy and Realm Management
• Configuring the File-Based Provider in Application Server Control
  • Configuring the File-Based Provider during Application Deployment
  • Changing to the File-Based Provider after Deployment
  • Managing Application Realms through Application Server Control
    • Search for a Realm
    • Create a Realm
    • Delete a Realm
  • Managing Application Users through Application Server Control
    • Search for a User
    • Create a User
    • Delete a User
    • Edit a User
  • Managing Roles through Application Server Control
    • Search for a Role
    • Create a Role
    • Delete a Role
    • Edit a Role
  • Administering Instance-Level Security through Application Server Control
• File-Based Provider Settings in OC4J Configuration Files
  • Settings in the <jazn> Element for the File-Based Provider
    • Scenarios for <jazn> Settings in orion-application.xml
    • Configuration to Automatically Create an Application-Specific jazn-data.xml File
    • Supplying an Application-Specific jazn-data.xml File
  • Realm Configuration in the Repository File
  • Policy Configuration in the Repository File
  • Predefined OC4J Accounts in system-jazn-data.xml
• OracleAS JAAS Provider Migration Tool
  • Overview of the Migration Tool
  • Migration Tool Command Syntax
  • Migration Tool APIs
• Migrating Principals from the principals.xml File
• Using the File-Based Provider Across an OC4J Group
  • OC4J Basic Group Features
  • Cluster MBean Browser Features and the J2EEServerGroup MBean

8 Oracle Identity Management

• Initial Considerations for OC4J Support of Oracle Identity Management
• Overview of Oracle Identity Management Key Components
  • Overview of Oracle Internet Directory
  • About Distinguished Names
  • Overview of Oracle Single Sign-On
  • SSO-Enabled J2EE Environment: Typical Scenario
• Prerequisite: Oracle Application Server Infrastructure
• Steps to Use the Oracle Identity Management Security Provider
  • Associate Oracle Internet Directory with OC4J
    • Associating Oracle Internet Directory with OC4J
    • Changing the Oracle Internet Directory Association
    • Required Accounts Created in Oracle Internet Directory
    • Oracle Internet Directory Association in jazn.xml
    • Considering Multiple OC4J Instances when Associating Oracle Internet Directory
  • Configure SSO (Optional)
    • Run the SSO Registration Tool
    • Transfer the osso.conf File to the OC4J Instance
    • Run the osso1013 Script
    • Synchronization of OracleAS JAAS Provider User Context with Servlet Sessions
    • Restart the Oracle HTTP Server and OC4J Instances
  • Configure Oracle Identity Management as the Security Provider
    • Specifying Oracle Identity Management during Deployment
    • Changing to Oracle Identity Management after Deployment
• Settings for Authentication Method with Oracle Identity Management
  • OC4J Configuration for Oracle Single Sign-On Authentication
  • Using Digest Authentication with Oracle Internet Directory
• Realm Management for the LDAP-Based Provider
  • Overview of OracleAS JAAS Provider Realms for Oracle Identity Management
    • Realm Hierarchy for the OracleAS JAAS Provider
    • Relation of JAAS Provider Realms to Oracle Internet Directory Realms
    • Access Control Lists and OracleAS JAAS Provider Directory Entries
  • Realm Management for Oracle Identity Management
    • Managing Realms in Oracle Internet Directory
    • Changing Your Default Realm
    • Using Multiple Realms and Oracle Single Sign-On with OC4J
• LDAP-Based Provider Settings in OC4J Configuration Files
  • Configuring LDAP User and SSL Properties
  • Configuring LDAP Connection Properties
  • Configuring LDAP Caching Properties
• Tips and Troubleshooting for the LDAP-Based Provider
  • Checking Configuration (JAZN-LDAP)
  • Using ldapsearch to Retrieve Realm Names from Oracle Internet Directory
  • Avoiding OC4J Restart for Oracle Internet Directory Changes to Take Effect
  • Accessing the Oracle Single Sign-On Administration Pages

9 Login Modules

• Initial Login Module Considerations
  • Specification of the Oracle Login Configuration Provider
  • Login Module Notes and Tips
• Login Modules Supplied with OC4J
  • RealmLoginModule
  • DBTableOraDataSourceLoginModule
    • DBTableOraDataSourceLoginModule Options
    • Configuring DBTableOraDataSourceLoginModule in Application Server Control
    • Configuring DBTableOraDataSourceLoginModule in the Admintool
    • Sample DBTableOraDataSourceLoginModule Settings in system-jazn-data.xml
    • Principals for DBTableOraDataSourceLoginModule
    • Implementing DBLoginModuleEncodingInterface for Password Encryption
    • Previous Functionality: DataSourceUserManager (Deprecated)
• Introducing Custom JAAS Login Modules
• Summary of Choices for Packaging Login Modules
  • Packaging Login Modules within the J2EE Application
  • Providing Login Modules as Optional Packages
  • Providing Login Modules as OC4J Shared Libraries
• Configuring the Custom Security Provider in Application Server Control
  • Specifying and Configuring a Custom Security Provider during Deployment
    • Editing a Custom Login Module Configuration during Deployment
    • Adding a Custom Login Module during Deployment
  • Changing to a Custom Security Provider after Deployment
  • Adding a Login Module to the Custom Security Provider
  • Updating a Login Module in the Custom Security Provider
  • Deleting a Login Module in the Custom Security Provider
• Using Admintool to Configure Login Modules and Grant RMI Permission
  • Configuring Login Modules through the Admintool
  • Granting RMI Permission through the Admintool
• Summary of Login Module Configuration in OC4J Configuration Files
  • Login Module Settings in system-jazn-data.xml
  • Login Modules Settings in orion-application.xml
    • Settings in <jazn-loginconfig> in orion-application.xml
    • Settings in <jazn> for Login Modules
    • Settings in <namespace-access> for Access to JNDI Context
    • Specifying the Mapping Attribute
  • Login Module Settings in oc4j-ra.xml (J2EE Connector Architecture)
• Step by Step: Integrating a Custom Login Module with OC4J
  • Develop the Login Module
  • Configure and Package the Login Module
    • Configuration to Enable Login Module Usage
    • Configuration of the Login Module
  • Configure Namespace Access and Role Mappings (as applicable)
  • Deploy the Login Module
  • Grant RMI Permission (as applicable)
  • Set JNDI Properties (as applicable)
• Custom Login Module Example
  • SampleLoginModule Code
  • SamplePrincipal Code

10 External LDAP Security Providers

• Overview of External LDAP Provider Configuration and Administration
• Configuring External LDAP Providers in Application Server Control
  • Specifying and Configuring an External LDAP Provider during Deployment
  • Changing to an External LDAP Provider after Deployment
• External LDAP Provider Settings in system-jazn-data.xml
• Creating Necessary Accounts and Granting Necessary Permissions
  • Creating the Administrative User and Roles and Granting RMI Permission
  • Granting RMI Permission to an LDAP Principal
  • Granting Additional Permissions to External LDAP Principals
  • Using JAAS Mode with External LDAP Providers
• Sample Configuration for Sun Java System Directory Server
  • Sample LDIF Description
  • Sample Entries in OC4J Configuration Files
    • Settings in system-jazn-data.xml for Sun Java System Directory Server
    • Settings in orion-application.xml for an External LDAP Server
• Using SSL with External LDAP Providers
  • Initial SSL Considerations for External LDAP Providers
  • Configuring OC4J to Use SSL with an External LDAP Provider
  • Configuring the External LDAP Provider for SSL

11 Oracle Access Manager

• Getting Started with Oracle Access Manager
  • Overview of Oracle Access Manager
  • Oracle Access Manager Prerequisites
  • Oracle Access Manager Architecture
  • Top-Level Summary of Configuration Stages for Oracle Access Manager
  • Running the Policy Manager
• Oracle Access Manager Concepts
  • About Oracle Access Manager Resource Types
  • About Oracle Access Manager Authentication
  • About the Oracle Access Manager Single Sign-On Cookie
  • About Using HTTP Header Variables for Authentication
• Configuring Oracle Access Manager
  • Configure Oracle Access Manager Form-Based Authentication
    • Create a Login Form
    • Define Form-Based Authentication in Policy Manager
    • Configure the credential_mapping Plug-In for Form-Based Authentication
    • Configure the validate_password Plug-In for Form-Based Authentication
  • Configure Oracle Access Manager Basic Authentication
    • Define Basic Authentication in Policy Manager
    • Configure the credential_mapping Plug-In for Basic Authentication
  • Configure the Resource Type
    • Configure the Name and Operation of the Resource Type
    • Configure and Protect the URL of the Configured Resource Type
    • Configure the Return Action Attributes
  • Protect the Action URL
• Configuring OC4J with the Access Manager SDK
  • Create OC4J Instances as Needed
  • Configure the Access Manager SDK to Each OC4J Instance
  • Configure the Access Manager SDK Library Path for Each OC4J Instance
• Configuring opmn.xml for Oracle Access Manager
• Creating Required Accounts in the LDAP Server
• Configuring the Application
  • Protect the Application URLs in web.xml
  • Settings for Application Deployment
  • Configure Oracle Access Manager SSO in orion-application.xml
  • Protect the Application URLs in Oracle Access Manager
  • Configure the Oracle Access Manager Login Module
  • Test the Application
• Granting Permissions to Oracle Access Manager Principals
  • Granting RMI Permission to an Oracle Access Manager Principal
  • Granting Required Permissions to Additional Oracle Access Manager Principals
  • Confirming Configured Realm Names for Oracle Access Manager Principals
• Considerations for Oracle Application Server SOA Applications
  • Configure Logout for Oracle Application Server SOA Applications
  • Troubleshooting Login to Oracle Application Server SOA Applications
• Oracle Access Manager Examples for J2EE Applications
  • Web Application Using HTTP Header Variables through Oracle Access Manager
    • Configure Name and Password in Policy Manager
    • Configure HTTP Header Variables for the Oracle Access Manager Login Module
    • Secure the Web Application That Uses HTTP Headers
  • Web Application Using the Oracle Access Manager ObSSOCookie
    • Configure User Name and Password for the Oracle Access Manager Login Module
    • Secure the Web Application That Uses ObSSOCookie
  • EJB Application Using Oracle Access Manager
• Oracle Access Manager Support and Examples for Web Services
  • Web Service with Username Token Authentication for Oracle Access Manager
  • Web Service with X.509 Token Authentication for Oracle Access Manager
  • Web Service with SAML Token Authentication for Oracle Access Manager
• Troubleshooting the Oracle Access Manager Setup

12 User and Role API Framework

• Overview of User and Role (Identity Management) API Framework
• User and Role API Features to Replace UserManager, User, Group
• User and Role API Framework and Providers
• Summary of User and Role Interfaces and Classes
  • User and Role Interface Descriptions
  • User and Role Class Descriptions
• User and Role API Usage Models
  • Step by Step: Basic Usage Model
  • Step by Step: OC4J Integration Usage Model
  • Permission Requirements for the OC4J Integration Feature
  • User and Role Properties File
• Example: Basic User and Role API Framework
• Example: OC4J Integration with User and Role API Framework

13 Pluggable Identity Management Framework

• Overview of OracleAS JAAS Provider Identity Management Framework
  • Need for a Pluggable Identity Management Framework
  • How the Identity Management Framework Works
  • Overview of Identity Management Framework Programmatic Implementation
  • Overview of Identity Management Framework Configuration
  • Use of the Identity Management Framework by OC4J Java Single Sign-On
• Identity Management Framework Programmatic Interfaces
  • Identity Token Interface and Oracle Implementations
  • Token Collector Interface and Oracle Implementation
  • Token Asserter Interface
  • Identity Callback Handler Interface
  • Oracle Callback Implementations
    • Identity Callback
    • HTTP Request Callback
  • Login Module Requirements
  • Subject Asserter Interface
  • Packaging Your Identity Management Framework Implementation Classes
• Identity Management Framework Configuration
  • Configuring Identity Management Framework Properties
  • Configuring the Identity Management Framework Login Module
  • Configuring an Application to Use the Identity Management Framework
  • Considerations for Multiple OC4J Instances
• Summary of How to Use the Identity Management Framework
• Sample Use Case: Using a Header-Based Identity Token
  • Sample Token Collector: CollectorImpl.java
  • Sample Token Asserter: TokenAsserterImpl.java
  • Sample Configuration: jazn.xml

14 OC4J Java Single Sign-On

• Overview of OC4J Java SSO
  • Need for an OC4J Container-Level Java Single Sign-On Solution
  • How Java SSO Works
    • Single Sign-On Interaction and Logical Flow
    • Java SSO Runtime Operations
    • Java SSO Implementation of the Identity Management Framework
  • Java SSO Deployment Scenarios
  • Summary of Java SSO Configuration
  • About the Java SSO Login Page and Error Page
    • Localization Support for the Java SSO Login Page and Error Pages
    • Customizing the Login Page or Error Page
• Java SSO Setup and Configuration
  • Configuring Java SSO through Application Server Control
    • Start the javasso Application
    • Set Java SSO Properties and Generate the Symmetric Key
    • Configure the Security Provider for the javasso Application
    • Configure the Security Provider for Partner Applications
    • Enable Partner Applications to Use Java SSO
  • Java SSO Configuration Properties
    • Java SSO Configuration Property Descriptions
    • Default Java SSO Property Settings for Single-Instance OC4J Installations
  • Configuration for Enabling Partner Applications for Java SSO
  • Configuration for Special Scenarios
    • Considerations with the File-Based Provider and Two OC4J Instances
    • General Considerations for Multiple OC4J Instances
    • Considerations When Using the 10.1.3.1 Patch over 10.1.3.0.0
• Java SSO APIs
  • Java SSO Logout API
• Summary of How to Use Java SSO
• Troubleshooting Java SSO

15 SSL Communication with OC4J

• Integrating the Security Provider with SSL-Enabled Applications
• Using Keys and Certificates with OC4J and Oracle HTTP Server
• Using SSL with Standalone OC4J
• Using SSL in OPMN-Managed OC4J without Oracle HTTP Server
  • Configure OC4J with SSL (Scenario without Oracle HTTP Server)
  • Configure OPMN to Support HTTPS (Scenario without Oracle HTTP Server)
• Using SSL in OPMN-Managed OC4J with Oracle HTTP Server
  • Configure OC4J with SSL (Scenario with Oracle HTTP Server)
  • Configure AJP over SSL
    • Configure AJPS between OC4J and Oracle HTTP Server
    • Configure OPMN to Support AJPS (Scenario with Oracle HTTP Server)
  • Sample Configuration Files for SSL
• Requesting Client Authentication
  • Overview of OC4J Client Authentication Mode
  • Client Authentication to OC4J
  • Oracle HTTP Server Authentication to OC4J in Oracle Application Server
  • Client Authentication to Oracle HTTP Server
• Troubleshooting and Debugging SSL
  • Common SSL Errors and Solutions
  • General SSL Debugging: javax.net.debug Property
• Enabling ORMIS for OC4J
  • Configuring ORMIS for Standalone OC4J
    • Configure server.xml for the RMI Configuration File Location
    • Configure rmi.xml for ORMIS
    • Disable ORMI with ORMIS Enabled (Optional)
  • Configuring ORMIS for OC4J in an Oracle Application Server Environment
  • Configuring ORMIS Access Restrictions
  • Configuring Clients to Use ORMIS
    • Specify the Appropriate Java Naming Provider URL
    • Specify the Keystore and Password
• Enabling ORMI Tunneling through HTTPS
• Configuring a TCPS Data Source

16 Oracle Security for Client Connections

• Using Non-SSL Client Authentication
  • Basic-Based Client Authentication
  • Digest-Based Client Authentication
  • NTLM-Based Client Authentication
• HTTPS and Clients
• Overview of Client-Side HTTPS Features
  • Supported Keystore Formats
  • Accessing Information for Established SSL Connections
  • Support for java.net.URL Framework
  • SSL Cipher Suites
• Supported Default System Properties
  • Property javax.net.ssl.keyStore
  • Property javax.net.ssl.keyStorePassword
  • Property javax.net.ssl.keyStoreType
  • Property javax.net.ssl.trustStore
  • Property javax.net.ssl.trustStorePassword
  • Property javax.net.ssl.trustStoreType
• Using HTTPClient with JSSE
  • Prerequisites for using JSSE
  • Configuring HTTPClient to Use JSSE
• HTTPClient Support for SSL Host Name Verification
  • Enabling Host Name Verification through System Property Setting
  • Enabling Host Name Verification Programmatically
  • Using the Oracle Standard Host Name Verifier
  • Verifying Additional Connection Information
• Migrating from Oracle Java SSL to JSSE
  • Code Samples for Migration to JSSE
  • Additional Changes Relevant for Migration to JSSE
• Features for Oracle Java SSL (Deprecated)
  • Specifying Oracle Java SSL as the SSL Implementation for HTTPClient
  • OracleSSLCredential Class for Oracle Java SSL
  • Security-Aware Applications Support in Oracle Java SSL
  • Using HTTPClient with Oracle Java SSL
    • Sample Code (Oracle Java SSL)
    • Initializing SSL Credentials in Oracle Java SSL
  • System Property Features with Oracle Java SSL
  • Specifying Cipher Suites for Oracle Java SSL
    • Property Oracle.ssl.defaultCipherSuites
    • Method setSSLEnabledCipherSuites()
  • SSL Cipher Suites Supported by Oracle Java SSL

17 Web Application Security Configuration

• Specifying the Authentication Method (auth-method)
  • Specifying auth-method in web.xml
  • Specifying auth-method in orion-application.xml
  • Using Basic Authentication Fallback in Digest Authentication Mode
  • Using Form-Based Authentication
    • Setting Standard Configuration for Form-Based Authentication
    • Setting the OC4J Flag for Client-Side Redirects
  • Using Client-Cert Authentication
    • Configuring OC4J for Client-Cert Authentication
    • Client-Cert Execution Flow in OC4J
• Web Application Security Role and Constraint Configuration
  • Configuring J2EE Roles and Security Constraints
  • Linking Application Roles to J2EE Roles
  • Definition of Deployment Roles and Users
  • Specifying a Run-As Security Identity for a Web Application
  • OC4J Mapping of J2EE Roles to Deployment Roles

18 EJB Security Configuration

• Authenticating and Authorizing EJB Applications
  • Specifying J2EE Roles and Method Permissions in the EJB Deployment Descriptor
  • Specifying Unchecked Security for EJB Methods
  • Specifying a Run-As or Caller Security Identity for an EJB
  • Mapping J2EE Roles to Deployment Users and Roles
  • Configuring Namespace Access
  • Specifying a Default Role Mapping for Unidentified Methods
• Specifying Credentials in EJB Clients
  • Credentials in JNDI Properties
  • Credentials in the InitialContext
• Permitting EJB RMI Client Access
• Granting Permissions in the Browser
• Configuring Anonymous EJB Lookup
• Enabling and Configuring Subject Propagation for ORMI
  • Overview of Subject Propagation in OC4J
  • Enabling Subject Propagation for ORMI
    • Set the Subject Propagation System Property
    • Enable JAAS Mode
    • Grant RMI Permission for Subject Propagation
  • Sharing Principal Classes for Subject Propagation
  • Removing and Configuring Subject Propagation Restrictions

19 Common Secure Interoperability Protocol

• CSIv2 Security Properties in internal-settings.xml (EJB Server)
• CSIv2 Security Properties in ejb_sec.properties (EJB Client)
• CSIv2 Security Properties in orion-ejb-jar.xml
  • The <transport-config> element
  • The <as-context> element
  • The <sas-context> element
  • Example: <ior-security-config>

20 Security Support for Resource Adapters

• Overview of Security and Authentication Setup for EIS Connections
  • Summary of J2EE Connector Architecture Security Contract
  • Summary of Component-Managed Versus Container-Managed Sign-On
  • Summary of Security-Related Resource Adapter Configuration Elements
    • The oc4j-ra.xml File <security-config> Element
    • The oc4j-connectors.xml File <security-permission> Element
• Understanding Component-Managed Sign-On
• Understanding Container-Managed Sign-On
• Authentication in Container-Managed Sign-On
• Using Declarative Container-Managed Sign-On
• Using Programmatic Container-Managed Sign-On
  • Using a Principal Mapping Class
    • Understanding the PrincipalMapping Interface APIs
    • Extending the AbstractPrincipalMapping Class
    • Configuring a Principal Mapping Class
  • Using a JAAS Login Module for an EIS Connection
    • The InitiatingPrincipal and InitiatingGroup Classes
    • JAAS and the <connector-factory> Element

21 Configuring Windows Native Authentication

• Overview of WNA
• Prerequisites for Configuring WNA
• Step 1: Configure the Linux Host System as a Kerberos Client
• Step 2: Create a User Account in Active Directory
• Step 3: Generate and Test the Keytab File for the Linux Host
• Step 4: Configure the OC4J Instance
  • Set Security System Properties for OC4J
  • Edit the System JAZN Configuration File
  • Edit the JAZN Configuration File
  • Edit Application Deployment Descriptors
• Step 5: Configuring a Browser and Testing WNA

A Tips and Troubleshooting for OC4J Security

• Best Practices for OC4J Security
  • JAAS Best Practices
  • HTTPS Best Practices
• General OC4J Security Tips and Troubleshooting
  • File jazn.xml Not Found
  • Authentication Issues
  • Failure to Specify OracleAS JAAS Provider as the JAAS Provider
  • Realm Issues
    • Realm Names Omitted from User Names
    • Specifying Default Realm to Solve Authentication Failure
• Logging
  • Using Oracle Diagnostic Logging with the OracleAS JAAS Provider
  • Using Standard JDK Logging with the OracleAS JAAS Provider Admintool

B OracleAS JAAS Provider Samples

• Security Configuration for Sample Servlet
  • Configuration in system-jazn-data.xml
  • Configuration in web.xml
  • Configuration in orion-application.xml
• Sample Servlet: Invoking J2EE Security APIs
• Sample Servlet: Granting Permissions
• Sample Servlet: Checking Permissions
  • JAAS Mode Configuration in orion-application.xml
  • Servlet Code for Authorization

C OracleAS JAAS Provider Admintool Reference

• Getting Started with the Admintool
  • Running the Admintool
  • User Repository Location for the Admintool
  • Authentication for the Admintool
  • Using Custom Principals and Permissions with the Admintool
• Summary of Admintool Command-Line Syntax and Options
• Admintool Shell
  • Shell Support for Admintool Command-Line Options
  • Admintool Shell Directory Structure
  • Summary of Admintool Special Shell Commands
    • add, mkdir, and mk: Creating Provider Data
    • cd: Navigating Provider Data
    • clear: Clearing the Screen
    • exit: Exiting the Admintool Shell
    • help: Listing Admintool Shell Commands
    • ls: Listing Data
    • man: Viewing Admintool man Pages
    • pwd: Displaying the Working Directory
    • rm: Removing Provider Data
    • set: Updating Values
• Admintool Administrative Functions
  • Adding and Removing Login Modules
  • Adding and Removing Realms (File-Based Provider Only)
  • Adding and Removing Roles (File-Based Provider Only)
  • Adding and Removing Users (File-Based Provider Only)
  • Setting Passwords (File-Based Provider Only)
  • Checking Passwords (File-Based Provider Only)
  • Administrative Operations
  • Granting and Revoking Permissions
  • Granting and Revoking Roles
  • Listing Login Modules
  • Listing Permissions
  • Listing Realms
  • Listing Roles
  • Listing Users
  • Converting from the principals.xml File to JAAS

D OracleAS JAAS Provider Configuration Files

• Hierarchy of jazn.xml
• Elements and Attributes of jazn.xml
  • <jazn>
  • <property>
• Hierarchy of system-jazn-data.xml
• Elements and Attributes of system-jazn-data.xml
  • <actions>
  • <application>
  • <class>
  • <codesource>
  • <control-flag>
  • <credentials>
  • <description>
  • <display-name>
  • <grant>
  • <grantee>
  • <guid>
  • <jacc-repository>
  • <jazn-data>
  • <jazn-loginconfig>
  • <jazn-permission-classes>
  • <jazn-policy>
  • <jazn-principal-classes>
  • <jazn-realm>
  • <login-module>
  • <login-modules>
  • <member>
  • <members>
  • <name>
  • <name>
  • <option>
  • <options>
  • <permission>
  • <permissions>
  • <principal>
  • <principals>
  • <realm>
  • <realm-name>
  • <role>
  • <roles>
  • <type>
  • <type>
  • <url>
  • <user>
  • <users>
  • <value>

E Third Party Licenses

• Apache
  • The Apache Software License
• Apache SOAP
  • Apache SOAP License
• mod_mm and mod_ssl
• OpenSSL
  • OpenSSL License
• Perl
  • Perl Kit Readme
  • mod_perl 1.29 License
  • mod_perl 1.99_16 License
  • Perl Artistic License
    • Preamble
    • Definitions

Index