Skip Navigation Links | |
Exit Print View | |
Oracle Java CAPS Security Guide Java CAPS Documentation |
Securing Your Java CAPS Environment
Authentication and Authorization
Analyzing Your Security Requirements
Hire Security Consultants or Use Diagnostic Software
Securing Java CAPS Repository Components
Securing the Production Environment
Securing the GlassFish Server in Production
Developing secure Java CAPS applications is critical for many reasons. The applications you develop are often used to transmit sensitive, propriety, personal, or critical data. This data must be sent in a secure manner with its integrity guaranteed. Certain applications must follow strict regulations, such as HIPAA, the Sarbanes-Oxley Act, and so on. In addition, messages may be exchanged between many groups, including trading partners, customers, and vendors. Each organization's governance policies and security requirements must be met.
Developing secure application generally includes, but is not limited to, the following:
Authentication
Authorization
Confidentiality
Non-repudiation
Secure transport
User administration and role management
Auditing and control
These security measures are all described under Security Concepts.
Java CAPS provides multiple implementation alternatives to support secure services and processes. Many Adapters and Binding Components support a variety of secure transports. For example, the HTTP Adapter and Binding Component both support HTTP Basic Authentication and HTTP over SSL. Many Java CAPS components can be configured to work with an LDAP server.
Additional security can come from other Oracle products, including Access Manager and Oracle Web Services Manager (OWSM). For example, Access Manager can be used to store user information and to generate and validate SAML assertions. The keystore in the application server can be used to maintain digital certificates. For information about message-level security in GlassFish Server, see Chapter 10 "Configuring Message Security" in the GlassFish Enterprise Server v2.1.1 Administration Guide.
When developing applications in Java CAPS, keep the following security considerations in mind.
Security can be handled at multiple levels, so you need to determine which deployment model best secures your application. You can set security policies at the message level, at the application level, and at the application server level. You can use a combination of these to set security for your applications.
When possible configure your applications to use SSL.
Examine your applications for any security vulnerabilities. Organizations such as the Open Web Application Security Project have identified common issues. See the OWASP Top Ten Project for additional information.
If your application contains untrusted code, you might want to enable the Java security manager.
Several Java CAPS components provide support for transmitting data using secure protocols, and login credentials must often be configured in their properties in order to connect to external systems. For most Adapters, you can configure security in either the Connectivity Map or Environment properties. For most Binding Components, security is defined in the extensibility elements. For more information, refer to the documentation for the Adapter or Binding Component you want to use.
Below are a few links that provide examples of Java CAPS component properties for configuring security.
LDAP Adapter:
HTTP Adapter:
Batch Adapter:
Oracle Java CAPS Adapter for Batch User’s Guide
The Batch Adapter supports multiple types of security protocols, including FTP over SSL, SFTP, SCP, and so on.
SAP Adapter:
HTTP Binding Component:
LDAP Binding Component:
The following topics provide additional information about configuring SSL for specific components:
Using SSL With the WebSphere MQ Adapter in Configuring Oracle Java CAPS for SSL Support
SSL and Adapters in Configuring Oracle Java CAPS for SSL Support
Using the OpenSSL Utility for the LDAP and HTTPS Adapters in Configuring Oracle Java CAPS for SSL Support
For web services, security occurs at the binding level for the binding component that exposes a business process to external clients. Frequently, this is the SOAP binding, but most binding components define some level of security. Enforcement of security policies does not generally occur in the business process itself.
Java CAPS supports the following message-level web service specification:
WS-Security
WS-SecurityPolicy
WS-Trust
WS-SecureConveration
For a discussion of web services security in Java CAPS, see the white paper Web Services Security in Java CAPS 6.
Where WS-Security is supported, Java CAPS also supports the following Oracle Web Services Manager (OWSM) policies:
wss11_username_token_with_message_protection_service_policy
wss11_saml_token_with_message_protection_service_policy
OWSM allows you to centrally define policies that govern web services operations (such as access policies, logging policies, and load balancing), and then wrap these policies around web services without needing to modify those services. For more information about these policies, see the following documents:
Oracle Fusion Middleware Security and Administrator's Guide for Web Services
Interoperability with Oracle GlassFish Enterprise Server Release 3.0.1 in Oracle Fusion Middleware Interoperability Guide for Oracle Web Services Manager
You can also find sample projects implementing these policies on the Java CAPS sample site at http://java.net/projects/javacaps-samples/pages/Home.