1 Introduction to Oracle Platform Security Services

Oracle Platform Security Services (OPSS) provides development teams a portable and integrated framework to secure Java Platform Standard Edition (Java SE) and Java Platform Enterprise Edition (Java EE) applications.

This chapter includes the following sections:

The scope of this document does not include Oracle Web Services security. For information about Oracle Web Services security, see Securing Web Services and Managing Policies with Oracle Web Services Manager.

What Is OPSS?

OPSS is the underlying security platform that provides security to Oracle Fusion Middleware products, including Oracle WebLogic Server, service-oriented architecture (SOA) applications, Oracle WebCenter, Oracle Application Development Framework (Oracle ADF) applications, and Oracle Entitlements Server (OES).

OPSS provides an abstraction layer in the form of application programming interfaces (APIs) that insulate developers from security and identity management implementation details. Developers do not need to know the details of, for example, cryptographic key management, repository interfaces, or other identity management infrastructures. Using OPSS, in-house developed applications, third-party applications, and integrated applications benefit from the same uniform security services across the enterprise.

OPSS is supported on WebLogic Server and is installed with Oracle Fusion Middleware Infrastructure.

OPSS Main Features

OPSS complies with the following standards: Role-Based Access Control (RBAC), Java EE, Java Authorization and Authentication Services (JAAS), and Java Authorization Contract for Containers (JACC).

Built upon these standards, OPSS provides an integrated security platform that supports:

  • Authentication

  • Identity assertion

  • Authorization

  • Managing roles and role mappings

  • Managing application policies and credentials

  • Managing keys and certificates

  • Audit

  • Identity Virtualization

  • Security APIs

OPSS Architecture Overview

OPSS includes the WebLogic Server security providers and the Oracle Fusion Middleware security frameworks. Figure 1-1 illustrates the OPSS architecture.

Figure 1-1 The OPSS Architecture


The OPSS architecture has the following layers:

  • The security services, which include authorization, authentication, credentials, identity and trust, Secure Sockets Layer (SSL), and cryptographic services. For authentication, OPSS uses WebLogic Server Authentication providers.

  • The WebLogic Server security providers. The Security Services Provider Interface (SSPI) provides Java container security, resource-based authorization for the environment, and APIs for implementing security providers. A module implementing any of these interfaces can be plugged into the framework to provide a particular type of security service, such as custom authentication or a particular role mapping.

  • The security store with one of three types of repositories: file, Lightweight Directory Access Protocol (LDAP), or database.

See also:

The Security Service Provider Interfaces (SSPIs) in Understanding Security for Oracle WebLogic Server

Benefits of Using OPSS

OPSS offers many benefits, including the following:

  • Allows developers to focus on application and domain problems

  • Supports enterprise deployments

  • Supports LDAP servers and SSO systems

  • Is certified on WebLogic Server

  • Integrates with Oracle products and technologies

  • Offers a consistent security experience for developers and security administrators

  • Provides a uniform set of APIs for all types of applications

  • Optimizes development time by offering abstraction layers

  • Simplifies application security maintenance

  • Allows changing security rules without affecting application code

  • Eases administration

  • Integrates with identity management systems

OPSS provides security for Java EE applications, Oracle Fusion Middleware applications, and Java SE applications. It also provides the tools to administer all security in the enterprise, and allows changing security configurations without modifying application code.

Using OPSS APIs, developers secure all types of applications and integrate them with other security systems, such as LDAP, databases, and custom security components.

The default security provider (the embedded LDAP server) is available ready to use, but domains can also use identity data in other LDAP repositories.

OPSS for Developers

The following sections summarize the main security features that you use in Java applications:

About Java EE Application Security

Java EE applications can use several interfaces to access and maintain security data, including those provided with Credential Store Framework API, User and Role API, Identity Governance Framework API, and Keystore Service API. Using these interfaces Java EE applications set and retrieve user attributes, and manage policies, keys, and certificates.

Java EE applications can use authentication and authorization declaratively, with specifications in the web.xml file, or programmatically, with calls to the isUserInRole and isCallerInRole methods.

Java EE applications can use custom authentication providers and control authentication between Java servlets and Enterprise JavaBeans (EJB) using roles and enterprise groups.

About Java SE Application Security

Most of the OPSS features available for Java EE applications are also available for Java SE applications, but there are some differences that apply to Java SE applications only, including the following:

  • Applications must use the AppSecurityContext.JpsStartup.start method before calling any security operations.

  • Application security configuration is defined in the jps-config-jse.xml file, which by default is installed in the following location:

    $DOMAIN_HOME/config/fmwconfig/jps-config-jse.xml

    To specify a different location, use the oracle.security.jps.config property:

    -Doracle.security.jps.config=pathToConfigFile

  • Applications use standard JAAS login modules by implementing a custom authentication provider that calls the login module.

  • The following Java archive (JAR) file must be added to the class path:

    $ORACLE_HOME/oracle_common/modules/oracle.jps_12.2.1/jps-manifest.jar
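The Java SE preconditions listed above (configuration file location, the oracle.security.jps.config property, and jps-manifest.jar on the class path) collected into a launcher script, added here as an example and not part of the Oracle documentation; it assumes ORACLE_HOME and DOMAIN_HOME are set, and the OPSS_JSE_CONFIG variable, the APP_CLASSPATH variable and the main-class argument are this script's own conventions.

```shell
#!/bin/sh
# Launcher for a Java SE application that uses OPSS (added example).
# Assumes ORACLE_HOME and DOMAIN_HOME are set; OPSS_JSE_CONFIG and
# APP_CLASSPATH are conventions of this script, not OPSS settings.
# The application itself must still call JpsStartup.start before any
# security operation, as the chapter states.

# Build the java command line. $1 = main class, remaining args go to the
# application. Prints the command; returns 1 if a required file is missing.
opss_jse_cmd() {
    main_class="$1"; shift
    config="${OPSS_JSE_CONFIG:-$DOMAIN_HOME/config/fmwconfig/jps-config-jse.xml}"
    jar="$ORACLE_HOME/oracle_common/modules/oracle.jps_12.2.1/jps-manifest.jar"

    # Fail early rather than let OPSS start against a missing security
    # configuration or with its classes absent from the class path.
    if [ ! -r "$config" ]; then
        echo "error: OPSS configuration not readable: $config" >&2
        return 1
    fi
    if [ ! -r "$jar" ]; then
        echo "error: jps-manifest.jar not found: $jar" >&2
        return 1
    fi

    # -Doracle.security.jps.config tells OPSS which jps-config-jse.xml to
    # load; jps-manifest.jar is the OPSS entry the class path requires.
    printf 'java -Doracle.security.jps.config=%s -cp %s:%s %s' \
        "$config" "$jar" "${APP_CLASSPATH:-.}" "$main_class"
    for arg in "$@"; do printf ' %s' "$arg"; done
    printf '\n'
}

# Usage: sh launch.sh com.example.Main [app args...]   (paths without spaces)
if [ -n "${1:-}" ]; then
    cmd=$(opss_jse_cmd "$@") && eval "$cmd"
fi
```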

See also:

Authentication Providers in Developing Security Providers for Oracle WebLogic Server

Using OPSS in Java SE Applications

ADF Security Overview

Oracle ADF is an end-to-end Java EE framework that simplifies development by providing infrastructure services and a visual development experience. Oracle ADF is integrated with Oracle JDeveloper.

ADF Security is based on the JAAS security model, uses OPSS and permission-based authorization, and simplifies the configuration of application security with visual editors and the ADF Security wizard.

During the development of an Oracle ADF application, the authentication providers are configured with Oracle WebLogic Server Administration Console, and policies are kept in a file.

To summarize, ADF security allows you to:

  • Control the granularity of declarative security

  • Simplify permissions with the role hierarchy

  • Control access to Oracle ADF resources

  • Integrate with JDeveloper for quick development and test cycles

See also:

Enabling ADF Security in a Fusion Web Application in Developing Fusion Web Applications with Oracle Application Development Framework

Securing Oracle ADF Applications

Oracle ADF Application Security

Oracle ADF simplifies the development of Java EE applications with JDeveloper by minimizing the code that implements the application infrastructure. This helps developers focus on application features.

Oracle ADF leverages container authentication and uses JAAS-based authorization to control access to Oracle ADF resources. Policies may include specific application roles and JAAS authorization permissions. Oracle ADF connection credentials are stored in the security store.

Oracle ADF and WebCenter applications include WebLogic Server Authentication providers and may include a single sign-on solution such as Oracle Single Sign-On.

See also:

Overview of Single Sign-On with Microsoft Clients in Administering Security for Oracle WebLogic Server

Securing Oracle ADF Applications