Oracle® Containers for J2EE Security Guide 10g (10.1.3.5.0) Part Number E13977-01
This section describes new features since the 10.1.2.0.2 release:
The following security features and enhancements were added for the OC4J 10.1.3.5 implementation:
The Oracle Containers for J2EE Security Guide now contains instructions for configuring a data source to use TCPS when connecting to the database. See "Configuring a TCPS Data Source" for detailed information.
The following security features and enhancements were added for the OC4J 10.1.3.4 implementation:
Note the following key additions in the OC4J 10.1.3.4 implementation:
OC4J and Java SSO now support Windows Native Authentication and Kerberos. Users of OC4J Web applications can be automatically authenticated based on their Windows desktop login. See Chapter 21, "Configuring Windows Native Authentication" for detailed information.
Additional documentation has been added that describes how to use the HTTP Client API to include basic, digest, and NTLM authentication information in a request header. See "Using Non-SSL Client Authentication" for detailed information.
Additional documentation has been added that describes how to set a Subject into the OC4J container. See "Setting a Subject Into the OC4J Container".
Document Errata items since the 10.1.3.1 release have been fixed in this release of the Oracle Containers for J2EE Security Guide.
Note the following deprecations in the OC4J 10.1.3.4 implementation:
Oracle Java SSL is deprecated and no longer used by HTTPClient. The JDK-default JSSE implementation is now the default SSL implementation for HTTPClient.
This section notes changes and updated deprecation notices for the OC4J 10.1.3.1 implementation. Also review the section that follows, "Changes in Release 10.1.3.0.0".
Note the following key additions in the OC4J 10.1.3.1 implementation:
Identity management framework to support heterogeneous third-party identity management systems
Java SSO, an alternative single sign-on solution packaged with OC4J that, unlike Oracle Single Sign-On and Oracle Access Manager single sign-on, requires no additional infrastructure and that decouples OC4J from whichever identity management system you use
DBTableOraDataSourceLoginModule to replace DataSourceUserManager functionality
A new user and role API framework, particularly for use with supported LDAP servers. This includes replacement functionality for the deprecated UserManager, User, and Group classes
In addition, note the following changes:
The JDK-default JSSE implementation is now the default SSL implementation for HTTPClient. (This is a step toward deprecating OracleSSL, the previous default SSL implementation, for use with HTTPClient.)
Note the following deprecations in the OC4J 10.1.3.1 implementation:
The com.evermind.security package and its classes are deprecated. They will no longer be supported in the 11g release.
UserManager class: Use JAAS custom login modules instead of custom com.evermind.security.UserManager implementations.
User class: Use standard JAAS APIs instead.
Group class: Use standard JAAS APIs instead.
The XMLUserManager class and its data store, principals.xml, are deprecated. They will no longer be supported in the 11g release. For instructions on migration, see "Migrating Principals from the principals.xml File".
The following security features and enhancements were added for the OC4J 10.1.3.0.0 implementation:
Support for the COREid Access (now Oracle Access Manager) security provider
Support for the LDAP-based provider in standalone OC4J
Digest authentication support, and client certificate authentication and authorization support
Implementation of the Java Authorization Contract for Containers (JSR-115)
JAAS integration with EJBs
ORMI enhancements for SSL (ORMIS)
Support for subject propagation (with ORMI or ORMIS)
JMX and MBeans support (JSR-77) for security configuration
New OC4J user and role accounts (see below)
Enhanced Java 2 security support
Web services security (described in another document)
In addition, note the following changes since the OC4J 10.1.2 implementation:
There is a new consolidated "JAAS mode" for authorization, for both servlets and EJBs. This replaces the previous runas-mode and dosasprivileged-mode functionality for servlets, and the USE_JAAS functionality (introduced in preliminary 10.1.3 releases) for EJBs. The previous functionality is supported but deprecated in OC4J 10.1.3.x implementations.
The instance-level jazn-data.xml configuration file used in previous releases to store user and role configuration (for the file-based provider), policy configuration (for the file-based, external LDAP, or custom security provider), and login module configuration (for all security providers) has been renamed system-jazn-data.xml. However, an application can optionally use an application-specific jazn-data.xml repository file to store user and role configuration for the file-based provider.
The XMLUserManager class and its data store, principals.xml, are deprecated and will no longer be supported in a future release. We strongly encourage you to migrate your existing applications. For instructions, see "Migrating Principals from the principals.xml File".
Custom UserManager classes are still supported in this release, but will be deprecated in a future release. We recommend that you use JAAS custom login modules instead of custom com.evermind.security.UserManager implementations.
For the Oracle Identity Management security provider, the application realm and external realm are deprecated.
The external.synchronization property is no longer supported.
The default setting of the jaas.username.simple property is now "true"; in the 10.1.2 implementation, the default setting was "false". This means that by default, realm names are omitted from the names of authenticated principals returned by such methods as getUserPrincipal() and getRemoteUser() for servlets, and getCallerPrincipal() for EJBs.
There have been some OC4J account name changes: the admin account is now oc4jadmin; the administrators role is now oc4j-administrators; the jmx-users role is now oc4j-app-administrators. For the file-based provider in standalone OC4J, oc4jadmin is initially deactivated. See "Predefined Accounts".
Required OC4J accounts are created automatically in Oracle Internet Directory when you associate an OC4J instance with an OID instance. See "Required Accounts Created in Oracle Internet Directory".
Setting LD_LIBRARY_PATH is no longer necessary in 10.1.3.x implementations.
The jazn.debug.log.enable flag is no longer supported for logging. Use regular OC4J logging features. See "Logging".