Oracle Platform Security Services (OPSS) provides development teams a portable and integrated framework to secure Java Platform Standard Edition (Java SE) and Java Platform Enterprise Edition (Java EE) applications.
This chapter includes the following sections:
The scope of this document does not include Oracle Web Services security. For information about Oracle Web Services, see Securing Web Services and Managing Policies with OWSM.
OPSS is the underlying security platform that provides security to Oracle Fusion Middleware products, including Oracle WebLogic Server, service-oriented architecture (SOA) applications, Oracle WebCenter, Oracle Application Development Framework (Oracle ADF) applications, and Oracle Entitlements Server (OES).
OPSS provides an abstraction layer in the form of application programming interfaces (APIs) that insulate developers from security and identity management implementation details. Developers do not need to know the details of, for example, cryptographic key management, repository interfaces, or other identity management infrastructures. Using OPSS, in-house developed applications, third-party applications, and integrated applications benefit from the same uniform security services across the enterprise.
OPSS is installed as part of the Oracle Fusion Middleware installation.
OPSS complies with the following standards: Role-Based Access Control (RBAC), Java EE, Java Authentication and Authorization Service (JAAS), and Java Authorization Contract for Containers (JACC).
Built upon these standards, OPSS provides an integrated security platform that supports:
Managing roles and role mappings
Managing application policies and credentials
Managing keys and certificates
OPSS is supported on WebLogic Server.
OPSS includes the WebLogic Server security providers and the Oracle Fusion Middleware security frameworks. Figure 1-1 illustrates the OPSS architecture.
The OPSS architecture has the following layers:
The security services, which include authorization, authentication, credentials, identity and trust, Secure Sockets Layer (SSL), and cryptographic services. For authentication, OPSS uses WebLogic Server Authentication providers.
The WebLogic security providers. The Security Services Provider Interface (SSPI) provides Java container security, resource-based authorization for the environment, and APIs for implementing security providers. A module implementing any of these interfaces can be plugged into the framework to provide a particular type of security service, such as custom authentication or a particular role mapping.
The security store with one of three types of repositories: file, Lightweight Directory Access Protocol (LDAP), or database.
See also The Security Service Provider Interfaces (SSPIs) in Understanding Security for Oracle WebLogic Server.
OPSS offers many benefits, including the following:
Allows developers to focus on application and domain problems
Supports enterprise deployments
Supports LDAP servers and SSO systems
Is certified on WebLogic Server
Integrates with Oracle products and technologies
Offers a consistent security experience for developers and security administrators
Provides a uniform set of APIs for all types of applications
Optimizes development time by offering abstraction layers
Simplifies application security maintenance
Allows changing security rules without affecting application code
Integrates with identity management systems
OPSS provides security for Java EE applications, Oracle Fusion Middleware applications, and Java SE applications. It also provides the tools to administer all security in the enterprise, and allows changing security configurations without modifying application code.
Using OPSS APIs, developers secure all types of applications and integrate them with other security systems, such as LDAP, DBMS, and custom security components.
The default security provider, backed by the WebLogic Server embedded LDAP server, is ready to use out of the box, but domains can also use identity data held in other LDAP repositories.
The following sections summarize the main security features that you use in Java applications:
Java EE applications can use several interfaces to access and maintain security data, including those provided with Credential Store Framework API, User and Role API, Identity Governance Framework API, and Keystore Service API. Using these interfaces Java EE applications set and retrieve user attributes, and manage policies, keys, and certificates.
Java EE applications can use authentication and authorization declaratively, with specifications in the web.xml file, or programmatically, with calls to the
Java EE applications can use custom authentication providers and control authentication between Java servlets and Enterprise JavaBeans (EJB) using roles and enterprise groups.
Most of the OPSS features available for Java EE applications are also available for Java SE applications, but there are some differences that apply to Java SE applications only, including the following:
Applications must call the JpsStartup.start method before invoking any security operation.
Application security configuration is defined in the jps-config-jse.xml file, which by default is installed in the following location:
To specify a different location, use the
Applications use standard JAAS login modules by implementing a custom authentication provider that calls the login module.
The following Java archive (JAR) file must be added to the class path:
See also Authentication Providers in Developing Security Providers for Oracle WebLogic Server.
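The Java SE bootstrap sequence described above (JpsStartup.start before any security call, configuration read from jps-config-jse.xml) and the Credential Store Framework API listed earlier for Java EE applications are combined in the following worked example. It is added here and is not code from the Oracle page or from OPSS itself. It assumes the OPSS JARs are on the class path, that jps-config-jse.xml sits at its default install location, and that a credential map named oracle.example.app with key db-service-account has already been provisioned; both names are hypothetical. The "JSE" context name passed to JpsStartup and the service-lookup calls follow the public OPSS API as documented for 12c; check them against the Javadoc for your release.

```java
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

import oracle.security.jps.JpsContext;
import oracle.security.jps.JpsContextFactory;
import oracle.security.jps.JpsException;
import oracle.security.jps.JpsStartup;
import oracle.security.jps.service.credstore.CredentialStore;
import oracle.security.jps.service.credstore.PasswordCredential;

/**
 * Added example, not from the Oracle page: a stand-alone Java SE program that
 * starts OPSS and then reads a password credential through the Credential
 * Store Framework (CSF).
 */
public class JseCredentialLookup {

    // Hypothetical map/key pair; both must already exist in the credential
    // store that jps-config-jse.xml points to.
    static final String MAP_NAME = "oracle.example.app";
    static final String KEY_NAME = "db-service-account";

    public static void main(String[] args) throws Exception {
        // 1. In Java SE, OPSS must be started explicitly before any security
        //    operation. It reads jps-config-jse.xml from the default location
        //    unless the JVM is configured with a different path.
        JpsStartup jpsStartup = new JpsStartup("JSE");
        jpsStartup.start();

        // 2. Obtain the default JPS context and the credential store service.
        JpsContext ctx = JpsContextFactory.getContextFactory().getContext();
        CredentialStore store = ctx.getServiceInstance(CredentialStore.class);

        // 3. Look up the credential. The caller's code source needs a
        //    CredentialAccessPermission grant for this map/key with the
        //    "read" action in the OPSS policy, otherwise getCredential fails.
        PasswordCredential cred = readPassword(store, MAP_NAME, KEY_NAME);
        if (cred == null) {
            System.err.println("No credential found for " + MAP_NAME + "/" + KEY_NAME);
            System.exit(1);
        }
        // Never log the secret itself; report only that it was retrieved.
        System.out.println("Retrieved credential for user " + cred.getName()
                + " (" + cred.getPassword().length + " characters)");
    }

    /**
     * Reads a password credential inside a privileged action so the OPSS
     * permission check is evaluated against this class's own grants rather
     * than every frame on the call stack.
     */
    static PasswordCredential readPassword(final CredentialStore store,
                                           final String map, final String key)
            throws JpsException {
        try {
            return AccessController.doPrivileged(
                new PrivilegedExceptionAction<PasswordCredential>() {
                    public PasswordCredential run() throws JpsException {
                        return (PasswordCredential) store.getCredential(map, key);
                    }
                });
        } catch (PrivilegedActionException e) {
            throw (JpsException) e.getException();
        }
    }
}
```

Run it with the OPSS JARs on the class path; if the credential store holds no entry for the map/key pair the program exits non-zero rather than proceeding with an empty secret, and if the policy lacks the matching CredentialAccessPermission grant the lookup raises a JpsException instead of silently returning null.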
Oracle ADF is an end-to-end Java EE framework that simplifies development by providing infrastructure services and a visual development experience. Oracle ADF is integrated with Oracle JDeveloper (JDeveloper).
ADF Security is based on the JAAS security model, uses OPSS and permission-based authorization, and simplifies the configuration of application security with visual editors and ADF Security wizard.
During the development of an Oracle ADF application, the authentication providers are configured with Oracle WebLogic Server Administration Console, and policies are kept in a file.
To summarize, ADF security allows you to:
Control the granularity of declarative security
Simplify permission management with the role hierarchy
Control access to Oracle ADF resources
Integrate with JDeveloper for quick development and test cycles
Oracle ADF simplifies the development of Java EE applications with JDeveloper by minimizing the code that implements the application infrastructure. This helps developers focus on application features.
Oracle ADF leverages container authentication and uses JAAS-based authorization to control access to Oracle ADF resources. Policies may include specific application roles and JAAS authorization permissions. Oracle ADF connection credentials are stored in the security store.
Oracle ADF and WebCenter applications include WebLogic Authentication providers and may include a single sign-on solution such as Oracle Single Sign-On.
See also Overview of Single Sign-On with Microsoft Clients in Administering Security for Oracle WebLogic Server 12c.