Skip Headers
Oracle® Application Server Containers for J2EE Security Guide
10g Release 2 (10.1.2)
B14013-02
  Go To Documentation Library
Library
Go To Product List
Product
Go To Table Of Contents
Contents
Go To Index
Index

Previous
Previous
Next
Next
 

14 Password Management

This chapter discusses managing passwords within XML files. It contains the following sections:

Introduction

Many OC4J components require passwords for authentication. Embedding these passwords into deployment and configuration files poses a security risk, especially if the permissions on the files allow them to be read by any user. To avoid this problem, OC4J provides two solutions:

Password Obfuscation in jazn-data.xml and jazn.xml

The JAAS configuration files, jazn.xml and jazn-data.xml, contain user names and passwords for JAAS authorization. To protect these files, OC4J uses password obfuscation.

Whenever you update jazn.xml or jazn-data.xml, OC4J reads the file, then rewrites it with obfuscated (encrypted) versions of all passwords. In all other OC4J configuration files, you can avoid exposing password cleartext by using password indirection, as explained in "Creating an Indirect Password" .

The OracleAS JAAS Provider does not obfuscate passwords in orion-application.xml. This means that you should not embed passwords within a <jazn> element that is stored in orion-application.xml.


Note:

For security reasons, credentials stored in Oracle Internet Directory cannot usually be retrieved in decrypted (cleartext) format, which means the LDAP-based JAAS provider cannot be used as a password manager for your application. To resolve this, you can specify the XML-based JAAS provider as your application password manager even when your application uses the LDAP-based JAAS provider as the user manager.

To do this, add the following entry to application.xml:

<password-manager>
  <jazn provider="XML"
   location="ORACLE_HOME/j2ee/instance_name/config/jazn-data.xml"/>
</password-manager>

Otherwise, passwords are not obfuscated.


Editing jazn-data.xml

If you prefer, you can directly edit jazn-data.xml with a text editor. The next time OC4J reads jazn-data.xml, it will rewrite the file with all passwords obfuscated and unreadable.

Setting the clear attribute of the <credentials> element to "true" enables you to use clear (human-readable) passwords in the jazn-data.xml file:

<credentials clear="true">welcome</credentials> 
<credentials>!welcome</credentials>

Creating an Indirect Password

The following OC4J XML configuration and deployment files support password indirection in one or more entities:

To make any of these passwords indirect, replace the literal password string with a string containing "->" followed by either the user name or by the realm and user name separated by a slash ("/").


Note:

To begin a literal (non-indirect) password with the string "->", precede the password by "->!". For example, you would represent the direct password "->silly" as "->!->silly".

Indirect Password Examples

Specifying a User Manager in application.xml

The <password-manager> element in application.xml specifies the user manager that the global application uses to look up indirect passwords. If this element is omitted, the user manager of the global application is used for authentication and authorization of indirect passwords. The <jazn> element within a <password-manager> element can be different from the <jazn> element at the top level.

The <password-manager> element should always contain the path name of the instance-level jazn-data.xml file.

For example, you can use an LDAP-based user manager for the regular user manager, but use an XML-based user manager to authenticate indirect passwords. This is the only way to use indirect passwords in LDAP.


Note:

It is possible to use pluggable user managers as password managers. However, if you use XMLUserManager as your password manager, principals.xml will not have passwords obfuscated.