Oracle® Application Server Containers for J2EE Security Guide
10g Release 2 (10.1.2) B14013-02 |
This appendix provides supplemental samples and standards. It contains the following samples:
This section presents a sample jazn-data.xml file that illustrates the standards to which such XML files must conform. This jazn-data.xml file contains one realm, jazn.com, together with its users and roles.
Example A-1 Sample jazn-data.xml File
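<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- External DTD reference: a consumer should satisfy it from a local copy or catalog
     rather than fetching it over the network at parse time. -->
<!DOCTYPE jazn-data PUBLIC "JAZN-XML Data" "http://xmlns.oracle.com/ias/dtds/jazn-data-9_04.dtd">
<jazn-data>
  <!-- JAZN Realm Data -->
  <jazn-realm>
    <realm>
      <name>jazn.com</name>
      <users>
        <!-- A leading "!" marks a cleartext credential; OC4J replaces it with an
             obfuscated form the next time it writes this file. The values below are
             sample defaults; a deployed file carries site-specific credentials. -->
        <user>
          <name>anonymous</name>
          <description>The default guest/anonymous user</description>
        </user>
        <user>
          <name>SCOTT</name>
          <display-name>SCOTT</display-name>
          <credentials>!TIGER</credentials>
        </user>
        <user>
          <name>admin</name>
          <display-name>OC4J Administrator</display-name>
          <description>OC4J Administrator</description>
          <credentials>!welcome</credentials>
        </user>
        <user>
          <name>user</name>
          <description>The default user</description>
          <credentials>!456</credentials>
        </user>
        <!-- users used for password hiding (password indirection for other components) -->
        <user>
          <name>pwForScott</name>
          <description>Password for database user Scott</description>
          <credentials>!TIGER</credentials>
        </user>
        <user>
          <name>pwForSSL</name>
          <description>Password for ssl key and trust stores</description>
          <credentials>!123456</credentials>
        </user>
        <user>
          <name>pwForSystem</name>
          <description>Password for database system user </description>
          <credentials>!manager</credentials>
        </user>
      </users>
      <roles>
        <role>
          <name>administrators</name>
          <display-name>Realm Admin Role</display-name>
          <description>Administrative role for this realm.</description>
          <members>
            <member>
              <type>user</type>
              <name>admin</name>
            </member>
          </members>
        </role>
        <!-- Role membership nests: administrators is a member of users,
             and users is a member of guests. -->
        <role>
          <name>users</name>
          <members>
            <member>
              <type>user</type>
              <name>user</name>
            </member>
            <member>
              <type>user</type>
              <name>SCOTT</name>
            </member>
            <member>
              <type>role</type>
              <name>administrators</name>
            </member>
          </members>
        </role>
        <role>
          <name>guests</name>
          <members>
            <member>
              <type>user</type>
              <name>anonymous</name>
            </member>
            <member>
              <type>role</type>
              <name>users</name>
            </member>
          </members>
        </role>
        <role>
          <name>jmxusers</name>
          <display-name>JMX users</display-name>
          <description>Allows access to application level user defined MBeans</description>
          <!-- No members in the sample -->
          <members/>
        </role>
      </roles>
    </realm>
  </jazn-realm>
  <!-- JAZN Policy Data -->
  <jazn-policy>
    <!-- Grant to the administrators role: realm administration, role
         administration over jazn.com/*, server administration and RMI login. -->
    <grant>
      <grantee>
        <principals>
          <principal>
            <realm-name>jazn.com</realm-name>
            <type>role</type>
            <class>oracle.security.jazn.spi.xml.XMLRealmRole</class>
            <name>jazn.com/administrators</name>
          </principal>
        </principals>
      </grantee>
      <permissions>
        <permission>
          <class>oracle.security.jazn.policy.AdminPermission</class>
          <name>oracle.security.jazn.realm.RealmPermission$jazn.com$createrealm</name>
        </permission>
        <permission>
          <class>oracle.security.jazn.realm.RealmPermission</class>
          <name>jazn.com</name>
          <actions>createrealm</actions>
        </permission>
        <permission>
          <class>oracle.security.jazn.policy.AdminPermission</class>
          <name>oracle.security.jazn.realm.RealmPermission$jazn.com$droprealm</name>
        </permission>
        <permission>
          <class>oracle.security.jazn.policy.AdminPermission</class>
          <name>oracle.security.jazn.realm.RealmPermission$jazn.com$createrole</name>
        </permission>
        <permission>
          <class>oracle.security.jazn.policy.AdminPermission</class>
          <name>oracle.security.jazn.policy.RoleAdminPermission$jazn.com/*$</name>
        </permission>
        <permission>
          <class>oracle.j2ee.server.AdministrationPermission</class>
          <name>administration</name>
          <actions>administration</actions>
        </permission>
        <permission>
          <class>oracle.security.jazn.realm.RealmPermission</class>
          <name>jazn.com</name>
          <actions>droprealm</actions>
        </permission>
        <permission>
          <class>oracle.security.jazn.realm.RealmPermission</class>
          <name>jazn.com</name>
          <actions>dropuser</actions>
        </permission>
        <permission>
          <class>oracle.security.jazn.policy.RoleAdminPermission</class>
          <name>jazn.com/*</name>
        </permission>
        <permission>
          <class>oracle.j2ee.server.rmi.RMIPermission</class>
          <name>login</name>
        </permission>
        <permission>
          <class>oracle.security.jazn.policy.AdminPermission</class>
          <name>oracle.security.jazn.realm.RealmPermission$jazn.com$modifyrealmmetadata</name>
        </permission>
        <permission>
          <class>oracle.security.jazn.realm.RealmPermission</class>
          <name>jazn.com</name>
          <actions>modifyrealmmetadata</actions>
        </permission>
        <permission>
          <class>oracle.security.jazn.policy.AdminPermission</class>
          <name>oracle.security.jazn.realm.RealmPermission$jazn.com$droprole</name>
        </permission>
      </permissions>
    </grant>
    <!-- Grants to the users and jmxusers roles: RMI login only. -->
    <grant>
      <grantee>
        <principals>
          <principal>
            <realm-name>jazn.com</realm-name>
            <type>role</type>
            <class>oracle.security.jazn.spi.xml.XMLRealmRole</class>
            <name>jazn.com/users</name>
          </principal>
        </principals>
      </grantee>
      <permissions>
        <permission>
          <class>oracle.j2ee.server.rmi.RMIPermission</class>
          <name>login</name>
        </permission>
      </permissions>
    </grant>
    <grant>
      <grantee>
        <principals>
          <principal>
            <realm-name>jazn.com</realm-name>
            <type>role</type>
            <class>oracle.security.jazn.spi.xml.XMLRealmRole</class>
            <name>jazn.com/jmxusers</name>
          </principal>
        </principals>
      </grantee>
      <permissions>
        <permission>
          <class>oracle.j2ee.server.rmi.RMIPermission</class>
          <name>login</name>
        </permission>
      </permissions>
    </grant>
  </jazn-policy>
  <!-- Permission Class Data -->
  <jazn-permission-classes/>
  <!-- Principal Class Data -->
  <jazn-principal-classes/>
  <!-- Login Module Data -->
  <jazn-loginconfig>
    <application>
      <name>oracle.security.jazn.oc4j.JAZNUserManager</name>
      <login-modules>
        <login-module>
          <class>oracle.security.jazn.realm.RealmLoginModule</class>
          <control-flag>required</control-flag>
          <options>
            <option>
              <name>addAllRoles</name>
              <value>true</value>
            </option>
          </options>
        </login-module>
      </login-modules>
    </application>
    <application>
      <name>oracle.security.jazn.tools.Admintool</name>
      <login-modules>
        <login-module>
          <class>oracle.security.jazn.realm.RealmLoginModule</class>
          <control-flag>required</control-flag>
          <options>
            <option>
              <name>addAllRoles</name>
              <value>true</value>
            </option>
            <option>
              <name>debug</name>
              <value>false</value>
            </option>
          </options>
        </login-module>
      </login-modules>
    </application>
    <application>
      <name>oracle.security.jazn.oc4j.DigestAuthenticator</name>
      <login-modules>
        <login-module>
          <class>oracle.security.jazn.login.module.digest.DigestLoginModule</class>
          <control-flag>required</control-flag>
          <options>
            <option>
              <name>debug</name>
              <value>false</value>
            </option>
            <option>
              <name>addAllRoles</name>
              <value>true</value>
            </option>
          </options>
        </login-module>
      </login-modules>
    </application>
  </jazn-loginconfig>
</jazn-data>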
Example A-2 demonstrates granting java.io.FilePermission
to a user named Jane.Smith
. The objects to be modified are presented in bold.
Table A-1 lists the objects in Example A-2.
Table A-1 Objects in Sample Modifying User Permissions Code
Objects | Names | Comments |
---|---|---|
|
|
|
|
|
|
File path |
report.data |
Path is the path name of the file. |
Sample organization |
|
|
Sample external realm |
|
|
Example A-2 Modifying User Permissions
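import oracle.security.jazn.*;
import oracle.security.jazn.policy.*;
import oracle.security.jazn.realm.*;
import java.lang.*;
import java.security.*;
import java.util.*;
import java.net.*;
import java.io.*;

/**
 * Sample: records a grant in the JAZN policy so that user Jane.Smith of realm
 * "abcRealm", when running code loaded from file:/home/task.jar, may read the
 * file "report.data".
 */
public class Init {

    /**
     * Entry point. Looks up the realm and user, then issues the grant inside a
     * privileged block. Any JAZNException or MalformedURLException is printed
     * to stderr; no exit status is set.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        try {
            JAZNConfig _jc = JAZNConfig.getJAZNConfig();
            RealmManager realmMgr = _jc.getRealmManager();
            Realm realm = realmMgr.getRealm("abcRealm");
            UserManager userMgr = realm.getUserManager();
            final JAZNPolicy policy = _jc.getPolicy();
            final RealmUser user = userMgr.getUser("Jane.Smith");

            // The policy write runs in a privileged block so it is checked
            // against this class's own permissions rather than those of every
            // caller on the stack.
            AccessController.doPrivileged(new PrivilegedAction() {
                public Object run() {
                    try {
                        // Explicit cast: since Java 5 CodeSource also has a
                        // (URL, CodeSigner[]) constructor, so a bare null is
                        // ambiguous. A null certificate list keys the grant on
                        // the jar location only, not on any signer.
                        CodeSource cs = new CodeSource(new URL("file:/home/task.jar"),
                                                       (java.security.cert.Certificate[]) null);
                        HashSet prop = new HashSet();
                        prop.add((Principal) user);
                        // Assign the permission to the principals in prop.
                        // "report.data" is a relative path; FilePermission
                        // resolves it against the JVM's working directory, so an
                        // absolute path makes the grant unambiguous.
                        policy.grant(new Grantee(prop, cs),
                                     new FilePermission("report.data", "read"));
                    } catch (JAZNException e1) {
                        e1.printStackTrace();
                    } catch (java.net.MalformedURLException e2) {
                        e2.printStackTrace();
                    }
                    return null;
                }
            });
        } catch (JAZNException e) {
            e.printStackTrace();
        }
    }
}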
This sample code grants the user Jane.Smith permission to use the sample application, AccessTest1, as follows:
The CodeSource cs is assigned to file:/home/task.jar, which contains the sample application AccessTest1:
CodeSource cs = new CodeSource(new URL("file:/home/task.jar"), null);
Jane.Smith is the user added to the HashSet prop:
HashSet prop = new HashSet(); prop.add((Principal) user);
Jane.Smith is granted permission, for code loaded from the CodeSource cs, to read the file report.data.
policy.grant(new Grantee(prop, cs), new FilePermission("report.data", "read"));