Oracle® Application Server Containers for J2EE Security Guide
10g Release 2 (10.1.2) B14013-02 |
|
Previous |
Next |
This chapter further discusses the Oracle Application Server Java Authentication and Authorization Service (JAAS) Provider, first mentioned in the preceding chapter, in OC4J. The OracleAS JAAS Provider enables application developers to integrate authentication, authorization, and delegation services with their applications.
This chapter contains these topics:
The Oracle Application Server supports JAAS with the OracleAS JAAS Provider. The OracleAS JAAS Provider implements user authentication, authorization, and delegation services that developers can integrate into their application environments. Instead of devoting resources to developing these services, application developers can focus on the presentation and business logic of their applications.
Note: Some class and component names contain the word "JAZN", which is a shortened name for the OracleAS JAAS Provider. |
The JAAS framework and the Java 2 Security model form the foundation of JAAS. The OracleAS JAAS Provider implements support for JAAS policies. Policies contain the rules (permissions) that authorize a user to use resources, such as reading a file. Using JAAS, services can authenticate and enforce access control upon resource users. The OracleAS JAAS Provider is easily integrated with J2SE and J2EE applications that use the Java 2 Security model.
The OC4J JAAS implementation supports two different provider types. Each provider type implements a repository for secure, centralized storage, retrieval, and administration of provider data. This data consists of realm (users and roles) and JAAS policy (permissions) information.
The XML-based provider is used for lightweight storage of information in XML files. The XML-based provider stores user, realm, and policy information in an XML file, normally jazn-data.xml.
Note: XML files are used as property and configuration files by both LDAP-based and XML-based provider types. However, only the XML-based provider stores users, realms, and policies in an XML file,jazn-data.xml .
|
LDAP-based provider
The LDAP-based provider is based on the Lightweight Directory Access Protocol (LDAP) for centralized storage of information in a directory. The LDAP-based provider stores user, realm, and policy information in the LDAP-based Oracle Internet Directory.
Note: We recommend that you use the LDAP-based provider in a production environment; the XML-based provider is suitable for prototyping only. |
JAAS is a Java package that enables applications to authenticate and enforce access controls upon users. The OracleAS JAAS Provider is an implementation of the JAAS interface.
JAAS is designed to complement the existing code-based Java 2 security. JAAS implements a Java version of the standard Pluggable Authentication Module (PAM) framework. This enables an application to remain independent from the authentication service.
JAAS extends the access control architecture of the Java 2 Security Model to support principal-based authorization.
This section describes JAAS support for the following authentication, authorization, and user community (realm) features. The OracleAS JAAS Provider enhances some of these features.
See Also:
|
To associate a principal (such as frank
) with a subject, a client attempts to log in to an application. In login module authentication, the LoginContext
class provides the basic methods used to authenticate subjects such as users, roles, or computing services. The LoginContext
class consults configuration settings to determine whether the authentication modules (known as login modules) are configured for use with the particular application that the subject is attempting to access. Different login modules can be configured with different applications; furthermore, a single application can use multiple login modules.
Because the LoginContext
separates the application code from the authentication services, you can plug a different login module into an application without affecting the application code.
Actual authentication is performed by the LoginContext.login()
method. If authentication succeeds, then the authenticated subject can be retrieved by invoking the LoginContext.getSubject()
method. The real authentication process can involve multiple login modules. The JAAS framework defines a two-phase authentication process to coordinate the login modules configured for an application.
After retrieving the subject from the LoginContext
, the application then performs work as the subject by invoking the Subject.doAs()
or Subject.doAsPrivileged()
method.
The JAAS framework does not explicitly define roles or groups. Instead, roles or groups are implemented as concrete classes that use the java.security.Principal
interface.
The JAAS framework does not define how to support the role-based access control (RBAC) role hierarchy, in which you can grant a role to a role.
The JAAS framework does not explicitly define user communities. However, the J2EE reference implementation (RI) defines a similar concept of user communities called realms. A realm provides access to users and roles (groups) and optionally provides administrative functionality. A user community instance is essentially a realm that is maintained internally by the authorization system. The J2EE RI Realm API supports user-defined realms through subclassing.
The JAAS framework does not explicitly define an application or subsystem for partitioning authorization rules.
A policy is a repository of JAAS authorization rules. The policy includes grants of permissions to principals, thus answering the question: "Given a grantee, what are the granted permissions of the grantee?"
Policy information is supplied by the OracleAS JAAS Provider. The JAAS framework does not define an administrative API for policy administration. The administrative API provided by the OracleAS JAAS Provider is an Oracle extension.
Table 2-1 describes the Sun Microsystems implementation of policy file parameters.
Table 2-1 Policy File Parameters
Parameter | Defined As | Example |
---|---|---|
Subject |
One or more principal(s) |
duke |
Codesource |
|
|
The JAAS XML-based provider can store policy data in the file jazn-data.xml
. In the following example, a segment of the jazn-data.xml
file grants the admin
principal permission to log in.
<jazn-policy> <grant> <grantee> <principals> <principal> <class>oracle.security.jazn.samples.SampleUser</class> <name>admin</name> </principal> </principals> </grantee> <permissions> <permission> <class>oracle.j2ee.server.rmi.RMIPermission</class> <name>login</name> </permission> </permissions> </grant> </jazn-policy>
Table 2-2 contains the JAAS framework features implemented by the OracleAS JAAS Provider.
Table 2-2 OracleAS JAAS Provider Features
Feature | Description | See Also |
---|---|---|
Chapter 3, "Understanding OC4J Security" |
||
Declarative Model |
|
Chapter 4, "Overall Security Configuration" |
Authorization |
|
"Role-Based Access Control (RBAC)" |
|
|
|
Management |
|
|
|
|
OC4J security employs a user manager to authenticate and authorize users and groups that attempt to access a J2EE application. You base your choice of user manager on performance and security needs.
All UserManager
classes implement the com.evermind.security.UserManager
interface. UserManager
classes manage users, groups, and passwords through methods such as createUser()
, getUser()
, and getGroup()
.
OC4J provides two predefined user managers, JAZNUserManager
and XMLUserManager
. JAZNUserManager
supports both XML-based and LDAP-based providers. We recommend using JAZNUserManager
because it is based on the JAAS specification and is integrated with Oracle Application Server Single Sign-On and Oracle Internet Directory. JAZNUserManager
is the default security provider, because it offers powerful and flexible security control. Customers can also supply their own classes that implement the UserManager
interface, although this will be deprecated at a future release.
See Also:
|
Table 2-3 lists the user managers provided by OC4J.
Table 2-3 OC4J User Managers and Repositories
User Manager Class | User Repository |
---|---|
|
Several types: |
|
|
Custom user manager |
Customized user repository |
See "Specifying a User Manager in orion-application.xml" for directions on how to define the default UserManager
for all applications or a single UserManager
for a specific application.
The following sections describe the JAZN and XML user managers:
The JAZNUserManager
class is the default user manager. The primary purpose of the JAZNUserManager
class is to leverage the OracleAS JAAS Provider as the security infrastructure for OC4J.
There are two JAAS providers supplied with OC4J security: XML-based and LDAP-based.
The XML-based provider is a fast, lightweight implementation of the JAAS Provider API. This provider type uses XML to store user names and encrypted passwords. The user repository is stored in the jazn-data.xml
file, in a location specified in the jazn.xml
file. For details, see Chapter 8, "Configuring the XML-Based Provider".
Select JAZN-XML as the user manager in the Enterprise Manager. Configure its users, roles, and groups using the JAZN Admintool.
The LDAP-based provider is scalable, secure, enterprise-ready, and integrated with OracleAS Single Sign-On. The LDAP-based provider is the only OracleAS JAAS Provider that supports OracleAS Single Sign-On.
Select JAZN-LDAP as the user manager in the Enterprise Manager. Configure its users and groups using the Oracle Delegated Administration Services from Oracle Internet Directory. The user repository is an Oracle Internet Directory instance, which requires that the application server instance be associated with an infrastructure. If it the server is not associated with an Oracle Internet Directory instance, then the LDAP-based provider is not a security option.For information on configuring the LDAP-based provider, see Chapter 7, "Configuring the LDAP-Based Provider".
Figure 2-1 shows the two different JAAS providers supplied with OC4J.
Figure 2-1 OC4J Security Architecture under the JAZNUserManager Class
The XMLUserManager
class is a simple user manager that manages users, groups, and roles in an XML-based system. It stores user passwords in the clear, and therefore is not as secure as the JAZNUserManager
. All XMLUserManager
configuration information is stored in the principals.xml
file, which is the user repository for the XMLUserManager
class.
Note: TheXMLUserManager class is supported for backward compatibility only, and will be desupported in a forthcoming release. Oracle strongly recommends that you use one of the OracleAS JAAS Provider types.
|
The capability model is a method for organizing authorization information. The OracleAS JAAS Provider is based on the Java 2 Security Model, which uses the capability model to control access to permissions. With the capability model, authorization is associated with the principal (a user named frank
in the following example). Table 2-4 shows the permissions that user frank
is authorized to use:
Table 2-4 User Permissions
User | File Permissions |
---|---|
|
Read and write permissions on a file named |
When user frank
logs in and is successfully authenticated, the permissions described in Table 2-4 are retrieved from the OracleAS JAAS Provider (whether the LDAP- based Oracle Internet Directory or XML-based provider) and granted to user frank
. User frank
is then free to execute the actions permitted by these permissions.
RBAC enables you to assign permissions to roles. You grant users permissions by making them members of appropriate roles. Support for RBAC is a key JAAS feature. This section describes the following RBAC features:
RBAC simplifies the management problems created by direct assignment of permissions to users. Assigning permissions directly to multiple users is potentially a major management task. If multiple users no longer require access to a specific permission, you must individually remove that permission from each user.
Instead of directly assigning permissions to users, permissions are assigned to a role, and users are granted their permissions by being made members of that role. Multiple roles can be granted to a user. A role can also be granted to another role, thus forming a role hierarchy that provides administrators with a tool to model enterprise security policies. Figure 2-2 provides an example of role-based access control.
When a user's responsibilities change (for example, through a promotion), the user's authorization information is easily updated by assigning a different role to the user instead of a massive update of access control lists containing entries for that individual user.
For example, if multiple users no longer require write permissions on a file named salaries
in the /home/user
directory, those privileges are removed from the HR
role. All members of the HR
role then have their permissions and privileges automatically updated.
A user is typically granted multiple roles. However, not all roles are enabled by default. An application can selectively enable the required roles to accomplish a specific task in a user session with the run-as
security identity and Subject.doAS()
method. Selectively enabling roles upholds the principle of least privilege—the application is not enabling permissions or privileges unnecessary for the task. This limits the damage that can potentially result from an accident or error.
The correct setting for the environment variable controlling loading of dynamic libraries (for example, LD_LIBRARY_PATH
in Solaris) is now ORACLE_HOME
/lib32
instead of ORACLE_HOME
/lib
). Table 2-5 shows the complete settings.
Table 2-5 Dynamic Library Path Settings
Operating System | Variable | Value |
---|---|---|
Solaris |
|
|
HP/UX |
|
|
AIX 32-bit applications |
|
Null |
AIX 64-bit applications |
|
Null |
Windows |
Not applicable |
Not applicable |
The Java Development Kit 1.3 default installation does not include JAAS support. To use JAAS with JDK1.3, you must download JAAS 1.0_01 from the Sun Web site http://java.sun.com/products/jaas/index-10.html
and follow the installation and deployment instructions.
Note: When you develop applications using JDK 1.3, you should be aware of a JDK class loader issue. The class loader can locate custom login modules only if you deploy the JAR containing them as a standard extension in theORACLE_HOME /jre/lib/ext directory. This problem will be fixed at the next release.
|
At this release, Oracle supports third-party LDAP providers. See Chapter 9, "Configuring External LDAP Providers", for details.
At this release, Oracle supplies a default file (jazn.security.props
) in the directory ORACLE_HOME
/j2ee/home/startup
that specifies the OracleAS JAAS provider to be used for JAAS login configuration and policy. Note that these properties are set by default during OC4J startup, so in most circumstances you do not need to worry about setting these properties. For details, see "Specifying an Alternate Policy Provider (Optional)".
Custom UserManager
classes are still supported at this release, but will be deprecated at a future release.
The file principals.xml
will no longer be supported at a future release. We strongly encourage you to migrate your existing applications from using principals.xml
to using JAZNUserManager
. For instructions, see "Migrating Principals from the principals.xml File".
The interface for retrieving the SSL client certificate has changed. You now use the following:
servletRequest.getAttribute("javax.servlet.request.X509Certificate");
Instead of:
servletRequest.getAttribute("javax.security.cert.X509certificate");