Oracle® Application Server Containers for J2EE Security Guide
10g Release 2 (10.1.2)
B14013-02
 

A OracleAS JAAS Provider Samples

This appendix provides supplemental samples and standards. It contains the following samples:

Sample: jazn-data.xml Configuration

This section presents a sample jazn-data.xml file that illustrates the standards such XML files must conform to. The file defines one realm, jazn.com, with its users and roles, followed by the policy grants for those roles and the login module configuration.

Example A-1 Sample jazn-data.xml File

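<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE jazn-data PUBLIC "JAZN-XML Data" "http://xmlns.oracle.com/ias/dtds/jazn-data-9_04.dtd">
<!--
  Sample jazn-data.xml: one realm (jazn.com) with its users and roles, the
  policy grants for the realm roles, and the login-module configuration.
  The DOCTYPE is part of the jazn-data format. NOTE(review): treat the DTD
  URL as an identifier only; any tool that parses this file should be
  configured not to resolve it over the network.
-->
<jazn-data>
 
<!-- JAZN Realm Data -->
<jazn-realm>
  <realm>
    <name>jazn.com</name>
    <!--
      Credentials prefixed with "!" are written here in clear text. The values
      below are sample passwords only: replace every one of them before use,
      and keep the file permissions on jazn-data.xml restrictive, since it
      holds all credentials for the realm.
      NOTE(review): in OC4J the leading "!" is the marker for a clear-text
      password that the provider obfuscates on its next write of this file;
      confirm that behaviour for this release.
    -->
    <users>
      <user>
        <name>anonymous</name>
        <description>The default guest/anonymous user</description>
      </user>
      <user>
        <name>SCOTT</name>
        <display-name>SCOTT</display-name>
        <credentials>!TIGER</credentials>
      </user>
      <user>
        <name>admin</name>
        <display-name>OC4J Administrator</display-name>
        <description>OC4J Administrator</description>
        <credentials>!welcome</credentials>
      </user>
      <user>
        <name>user</name>
        <description>The default user</description>
        <credentials>!456</credentials>
      </user>
 
      <!-- users used for password hiding -->
      <user>
        <name>pwForScott</name>
        <description>Password for database user Scott</description>
        <credentials>!TIGER</credentials>
      </user>
      <user>
        <name>pwForSSL</name>
        <description>Password for ssl key and trust stores</description>
        <credentials>!123456</credentials>
      </user>
      <user>
        <name>pwForSystem</name>
        <description>Password for database system user </description>
        <credentials>!manager</credentials>
      </user>
    </users>
    <!--
      Role membership nests through <member><type>role</type>: administrators
      is a member of users, and users is a member of guests, so everything
      granted to guests or users also applies to the admin user.
      jmxusers is declared with no members.
    -->
    <roles>
      <role>
        <name>administrators</name>
        <display-name>Realm Admin Role</display-name>
        <description>Administrative role for this realm.</description>
        <members>
          <member>
            <type>user</type>
            <name>admin</name>
          </member>
        </members>
      </role>
      <role>
        <name>users</name>
        <members>
          <member>
            <type>user</type>
            <name>user</name>
          </member>
          <member>
            <type>user</type>
            <name>SCOTT</name>
          </member>
          <member>
            <type>role</type>
            <name>administrators</name>
          </member>
        </members>
      </role>
      <role>
        <name>guests</name>
        <members>
          <member>
            <type>user</type>
            <name>anonymous</name>
          </member>
          <member>
            <type>role</type>
            <name>users</name>
          </member>
        </members>
      </role>
      <role>
        <name>jmxusers</name>
        <display-name>JMX users</display-name>
        <description>
            Allows access to application level user defined MBeans
        </description>
        <members>
        </members>
      </role>
    </roles>
  </realm>
</jazn-realm>
 
<!--
  JAZN Policy Data.
  jazn.com/administrators receives the realm-administration permissions;
  jazn.com/users and jazn.com/jmxusers receive only RMIPermission "login".
  Whitespace inside <name> is part of the element text, so every permission
  name is kept on a single line (the original listing wrapped some of them,
  and one closing </name> tag was split across two lines).
-->
<jazn-policy>
  <grant>
    <grantee>
      <principals>
        <principal>
          <realm-name>jazn.com</realm-name>
          <type>role</type>
          <class>oracle.security.jazn.spi.xml.XMLRealmRole</class>
          <name>jazn.com/administrators</name>
        </principal>
      </principals>
    </grantee>
    <permissions>
      <permission>
        <class>oracle.security.jazn.policy.AdminPermission</class>
        <name>oracle.security.jazn.realm.RealmPermission$jazn.com$createrealm</name>
      </permission>
      <permission>
        <class>oracle.security.jazn.realm.RealmPermission</class>
        <name>jazn.com</name>
        <actions>createrealm</actions>
      </permission>
      <permission>
        <class>oracle.security.jazn.policy.AdminPermission</class>
        <name>oracle.security.jazn.realm.RealmPermission$jazn.com$droprealm</name>
      </permission>
      <permission>
        <class>oracle.security.jazn.policy.AdminPermission</class>
        <name>oracle.security.jazn.realm.RealmPermission$jazn.com$createrole</name>
      </permission>
      <permission>
        <class>oracle.security.jazn.policy.AdminPermission</class>
        <name>oracle.security.jazn.policy.RoleAdminPermission$jazn.com/*$</name>
      </permission>
      <permission>
        <class>oracle.j2ee.server.AdministrationPermission</class>
        <name>administration</name>
        <actions>administration</actions>
      </permission>
      <permission>
        <class>oracle.security.jazn.realm.RealmPermission</class>
        <name>jazn.com</name>
        <actions>droprealm</actions>
      </permission>
      <permission>
        <class>oracle.security.jazn.realm.RealmPermission</class>
        <name>jazn.com</name>
        <actions>dropuser</actions>
      </permission>
      <permission>
        <class>oracle.security.jazn.policy.RoleAdminPermission</class>
        <name>jazn.com/*</name>
      </permission>
      <permission>
        <class>oracle.j2ee.server.rmi.RMIPermission</class>
        <name>login</name>
      </permission>
      <permission>
        <class>oracle.security.jazn.policy.AdminPermission</class>
        <name>oracle.security.jazn.realm.RealmPermission$jazn.com$modifyrealmmetadata</name>
      </permission>
      <permission>
        <class>oracle.security.jazn.realm.RealmPermission</class>
        <name>jazn.com</name>
        <actions>modifyrealmmetadata</actions>
      </permission>
      <permission>
        <class>oracle.security.jazn.policy.AdminPermission</class>
        <name>oracle.security.jazn.realm.RealmPermission$jazn.com$droprole</name>
      </permission>
    </permissions>
  </grant>
  <grant>
    <grantee>
      <principals>
        <principal>
          <realm-name>jazn.com</realm-name>
          <type>role</type>
          <class>oracle.security.jazn.spi.xml.XMLRealmRole</class>
          <name>jazn.com/users</name>
        </principal>
      </principals>
    </grantee>
    <permissions>
      <permission>
        <class>oracle.j2ee.server.rmi.RMIPermission</class>
        <name>login</name>
      </permission>
    </permissions>
  </grant>
  <grant>
    <grantee>
      <principals>
        <principal>
          <realm-name>jazn.com</realm-name>
          <type>role</type>
          <class>oracle.security.jazn.spi.xml.XMLRealmRole</class>
          <name>jazn.com/jmxusers</name>
        </principal>
      </principals>
    </grantee>
    <permissions>
      <permission>
        <class>oracle.j2ee.server.rmi.RMIPermission</class>
        <name>login</name>
      </permission>
    </permissions>
  </grant>
 
</jazn-policy>
 
<!-- Permission Class Data (none registered in this sample) -->
<jazn-permission-classes>
</jazn-permission-classes>
 
<!-- Principal Class Data (none registered in this sample) -->
<jazn-principal-classes>
</jazn-principal-classes>
 
<!--
  Login Module Data: each application entry names a login module, its
  control flag and its options. All three entries use control-flag
  "required".
-->
<jazn-loginconfig>
  <application>
    <name>oracle.security.jazn.oc4j.JAZNUserManager</name>
    <login-modules>
      <login-module>
        <class>oracle.security.jazn.realm.RealmLoginModule</class>
        <control-flag>required</control-flag>
        <options>
          <option>
            <name>addAllRoles</name>
            <value>true</value>
          </option>
        </options>
      </login-module>
    </login-modules>
  </application>
  <application>
    <name>oracle.security.jazn.tools.Admintool</name>
    <login-modules>
      <login-module>
        <class>oracle.security.jazn.realm.RealmLoginModule</class>
        <control-flag>required</control-flag>
        <options>
          <option>
            <name>addAllRoles</name>
            <value>true</value>
          </option>
          <option>
            <name>debug</name>
            <value>false</value>
          </option>
        </options>
      </login-module>
    </login-modules>
  </application>
  <application>
    <name>oracle.security.jazn.oc4j.DigestAuthenticator</name>
    <login-modules>
      <login-module>
        <class>oracle.security.jazn.login.module.digest.DigestLoginModule</class>
        <control-flag>required</control-flag>
        <options>
          <option>
            <name>debug</name>
            <value>false</value>
          </option>
          <option>
            <name>addAllRoles</name>
            <value>true</value>
          </option>
        </options>
      </login-module>
    </login-modules>
  </application>
</jazn-loginconfig>
 
</jazn-data>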

Sample: Modifying User Permissions

Example A-2 demonstrates granting java.io.FilePermission to a user named Jane.Smith. The objects to be modified are presented in bold.

Table A-1 lists the objects in Example A-2.

Table A-1 Objects in Sample Modifying User Permissions Code

| Object                | Name                | Comments                                       |
|-----------------------|---------------------|------------------------------------------------|
| RealmUser user        | Jane.Smith          |                                                |
| CodeSource cs         | file:/home/task.jar |                                                |
| File path             | report.data         | Path is the path name of the file.             |
| Sample organization   | abc.com             | abc.com does not appear in this code directly. |
| Sample external realm | abcRealm            |                                                |


Example A-2 Modifying User Permissions

import oracle.security.jazn.*;
import oracle.security.jazn.policy.*;
import oracle.security.jazn.realm.*;
import java.lang.*;
import java.security.*;
import java.util.*;
import java.net.*;
import java.io.*;

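/**
 * Sample: grants the realm user Jane.Smith read access to the file
 * "report.data" when code loaded from file:/home/task.jar runs on her behalf.
 *
 * The grant is made through the OracleAS JAAS Provider policy
 * ({@code JAZNPolicy}) for the user looked up in the realm "abcRealm".
 */
public class Init {

    /**
     * Entry point; the command-line arguments are not used.
     *
     * Looks up the realm user, then performs the policy change inside
     * {@code AccessController.doPrivileged} so that the grant is made with
     * this class's own permissions regardless of the caller's stack.
     * Failures are reported to standard error and the method returns
     * normally.
     */
    public static void main(String[] args) {
        try {
            JAZNConfig _jc = JAZNConfig.getJAZNConfig();
            RealmManager realmMgr = _jc.getRealmManager();
            Realm realm = realmMgr.getRealm("abcRealm");
            UserManager userMgr = realm.getUserManager();
            final JAZNPolicy policy = _jc.getPolicy();

            // The grantee: the realm user whose permissions are modified.
            final RealmUser user = userMgr.getUser("Jane.Smith");

            AccessController.doPrivileged(new PrivilegedAction() {
                public Object run() {
                    try {
                        // Code source the grant is bound to: the jar holding the
                        // sample application. A null certificate array means no
                        // signer requirement; the cast keeps the call unambiguous
                        // on JDKs that also offer a CodeSigner[] constructor.
                        CodeSource cs = new CodeSource(
                                new URL("file:/home/task.jar"),
                                (java.security.cert.Certificate[]) null);

                        // Principal set for the grantee; here a single user.
                        HashSet prop = new HashSet();
                        prop.add((Principal) user);

                        // assign permission to principals: read access to report.data.
                        // NOTE(review): "report.data" is a relative path, which
                        // FilePermission resolves against the JVM working directory;
                        // an absolute path pins the grant to one file - confirm the
                        // intended location.
                        policy.grant(new Grantee(prop, cs),
                                new FilePermission("report.data", "read"));
                    } catch (JAZNException e1) {
                        e1.printStackTrace();
                    } catch (java.net.MalformedURLException e2) {
                        e2.printStackTrace();
                    }
                    return null;
                }
            });

        } catch (JAZNException e) {
            e.printStackTrace();
        }
    }
}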

This sample code grants the user Jane.Smith a permission scoped to the code of the sample application, AccessTest1, as follows:

The CodeSource cs refers to file:/home/task.jar, the jar that contains the sample application AccessTest1:

CodeSource cs = new CodeSource(new URL("file:/home/task.jar"), null);

Jane.Smith is the user added to the HashSet prop:

HashSet prop = new HashSet();
prop.add((Principal) user);

Jane.Smith is granted permission, on the CodeSource cs, to read the file report.data:

policy.grant(new Grantee(prop, cs), new FilePermission("report.data", "read"));