Managing the provided security within Oracle Database Mobile Server is described in Chapter 9, "Configuring Security in the Oracle Database Mobile Server" in the Oracle Database Mobile Server Administration and Deployment Guide. This chapter describes how to customize authentication to provide your own mechanisms to be used within Oracle Database Mobile Server.
The following section details security issues for Oracle Database Mobile Server:
You can provide an external authenticator for the mobile server to authenticate users with passwords as well as their access privileges to applications. For example, in an enterprise environment, you may have your user data, such as employee information, stored in a LDAP-based directory service. The mobile server can retrieve the user information from the LDAP directory—or from any custom User Management System—if configured with your own implementation of an external authenticator. The mobile server links the external user information to the mobile server repository.
The following sections describe how to implement and use an external authentication method for Oracle Database Mobile Server:
In order to use an external authenticator, you must implement the oracle.lite.provider.Authenticator Java interface and configure the implementation in the mobile.ora file.
Note:
SamplesSampleAuthenticator.java and OIDAuthenticator.java demonstrate how to implement an external authenticator. These samples can be found in the <ORACLE_HOME>\Mobile\Server\demos\devmgr\java\ directory.Implement the following methods in your external authenticator. The mobile server invokes each of these methods as appropriately.
Section 7.1.1.1, "Initialization for the External Authenticator"
Section 7.1.1.2, "Destruction of the External Authenticator"
Section 7.1.1.3, "The Authentication Method for the External Authenticator"
Section 7.1.1.4, "The User Instantiation Method for the External Authenticator"
Section 7.1.1.5, "Retrieve the User Name or the User Global Unique ID"
The mobile server invokes the initialize method before calling any other method of provider class. This method be called only once when the provider is initialized.
Method: void initialize (String metaData) throws Exception Parameter: String metaData (Reserved for future use)
The mobile server invokes the destroy method when the system shutdowns. Provider implementation should implement all the cleanup code in this method.
Method: void destroy() throws Exception Parameter: None
Authenticate a user and return a session handle with the authenticate method. The returned session handle is passed to the logOff method when the user logs off from the system. Note that the logOff method may not be called for each successful authenticate method call. Some of the mobile server clients may use the authenticate method to verify the user credential and not for logging on to the system.
Method: Object authenticate (String uid, String pwd) throws SecurityException Parameter: User Id (or User Name) and password string Return: Session handle or NULL
You can pass error and warning information, as follows:
Failure: Pass along any error information, such as why the authentication failed. Use the AuthException class, available in the package oracle.lite.provider.auth, to pass along failure information.
Warning: Pass along any warnings, such as the situation when the user's password is about to expire. Use the ExtAuthResult class, available in the package oracle.lite.provider.auth, to pass along warning information.
Refer to the Oracle Database Mobile Server API Specification for more details on these exception classes.
If the user has not been instantiated in the mobile server repository, then the mobile server invokes the getInitializationScripts method—after authenticating the user—to retrieve the initialization scripts for the user. The mobile server uses the initialization scripts to instantiate the user in the mobile server and assign access rights to applications and data. See Section 7.1.3, "User Initialization Scripts" for more information.
Method: StringBuffer getInitializationScripts (Object sid) Parameter: Session handle returned by 'authenticate' method Return: 'StringBuffer' containing User's initialization scripts
Return the user name or GUID (Globally Unique Id) of the user if there is one. Usually, LDAP-based User Management systems maintain a GUID for each user. In case your authentication mechanism does not support GUID, then the getUserGUID method returns NULL.
Method: String getFullName (Object sid) Parameter: Session handle returned by 'authenticate' method Return: User's full name
Method: String getUserGUID (Object sid) Parameter: Session handle returned by 'authenticate' method Return: User's GUID or NULL
Log off the User from the back-end system. Note that the logOff method may not be called for each successful authenticate method call. Some of the mobile server clients may use the authenticate method to verify the user credential and not for logging on to the system.
Method: void logOff (Object sid) throws SecurityException Parameter: Session handle returned by 'authenticate' method
The EXTERNAL_AUTHENTICATION section in the mobile.ora file facilitates the authentication of existing external users with the specified external authenticator class. To register your external authenticator class, modify the mobile.ora file and set your external Authenticator JAVA class name in the EXTERNAL_AUTHENTICATION section, as follows:
[EXTERNAL_AUTHENTICATION] CLASS = SampleAuthenticator EXPIRATION = 1800
The mobile server caches the user instantiated through the external authenticator for a period of time in order to improve efficiency. The default expiration time for the cached user object is 30 minutes (or 1800 seconds). Customize this value by setting a new value for the EXPIRATION parameter.
In addition, you must configure the EXTERNALUSER parameter in the WSH.INI script, which notifies the server that the user being created is external and does not require a password in the WSH.INI script. Instead, the new user be authenticated by the external authenticator specified in the mobile.ora file. For more information on EXTERNALUSER parameter, see Appendix B, "Write Scripts for the Mobile Server with the WSH Tool" in the Oracle Database Mobile Server Administration and Deployment Guide.
Alternatively, you can create the external user with the ResourceManager APIs, which notifies the server that the user being created does not require a password. Instead, the new user be authenticated by the external authenticator specified in the mobile.ora file.
The mobile server invokes the getInitializationScripts method to retrieve the user initialization script that instantiates user-specific objects in the mobile server repository. The external authenticator can perform the following actions during the initialization process:
Assign access rights to applications
Set data subscription parameters.
Optionally, add the user to a user group.
The syntax of the initialization script is based on the INI format. The first section in the script is as follows.
[MAIN] VERSION=2
The following example performs these actions for a user whose id is USER1.
Assigning access rights to applications.
Assign access rights to Application1 and Application2 for USER1, where Application1 has two publication items and three subscription parameters.
# List the applications we want access to # [ACL] Application1 Application2 # List Access details for 'Application1' # [ACL.Application1] NAME=USER1 TYPE=USER DATA=LOCATION, ITEMS # List Access details for 'Application2' # [ACL.Application2] NAME=USER1 TYPE=USER
Setting data subscription parameters.
[SUBSCRIPTION.USER1.Application1.LOCATION] NAME=ZIP, USR_ID VALUE=12345, USER1 [SUBSCRIPTION.USER1.Application1.ITEMS] NAME=WEIGHT VALUE=20
Adding a User to a User Group
[GROUP] User's Group [GROUP.User's Group] USER=USER1