Oracle® Application Server Containers for J2EE Security Guide
10g Release 2 (10.1.2) B14013-02
This chapter discusses managing passwords within XML files. It contains the following sections:
Many OC4J components require passwords for authentication. Embedding these passwords into deployment and configuration files poses a security risk, especially if the permissions on the files allow them to be read by any user. To avoid this problem, OC4J provides two solutions:
Password obfuscation: This replaces passwords stored in cleartext files with an encrypted version of the password, and is discussed in "Password Obfuscation in jazn-data.xml and jazn.xml" below.
Password indirection: This replaces cleartext passwords with information necessary to look up the password in another location, and is discussed in "Creating an Indirect Password".
The JAAS configuration files, jazn.xml and jazn-data.xml, contain user names and passwords for JAAS authorization. To protect these files, OC4J uses password obfuscation.
Whenever you update jazn.xml or jazn-data.xml, OC4J reads the file, then rewrites it with obfuscated (encrypted) versions of all passwords. In all other OC4J configuration files, you can avoid exposing password cleartext by using password indirection, as explained in "Creating an Indirect Password".
The OracleAS JAAS Provider does not obfuscate passwords in orion-application.xml. This means that you should not embed passwords within a <jazn> element that is stored in orion-application.xml.
Note: For security reasons, credentials stored in Oracle Internet Directory cannot usually be retrieved in decrypted (cleartext) format, which means the LDAP-based JAAS provider cannot be used as a password manager for your application. To resolve this, you can specify the XML-based JAAS provider as your application password manager even when your application uses the LDAP-based JAAS provider as the user manager. To do this, add the following entry to
<password-manager>
  <jazn provider="XML" location="ORACLE_HOME/j2ee/instance_name/config/jazn-data.xml"/>
</password-manager>
Otherwise, passwords are not obfuscated.
If you prefer, you can directly edit jazn-data.xml with a text editor. The next time OC4J reads jazn-data.xml, it will rewrite the file with all passwords obfuscated and unreadable.
Setting the clear attribute of the <credentials> element to "true" enables you to use clear (human-readable) passwords in the jazn-data.xml file:
<credentials clear="true">welcome</credentials>
A password prefixed with an exclamation point ("!") is likewise read as cleartext and is obfuscated the next time OC4J rewrites the file:
<credentials>!welcome</credentials>
The following OC4J XML configuration and deployment files support password indirection in one or more entities:
data-sources.xml: password attribute of the <data-source> element
ra.xml: <res-password> element
rmi.xml: password attribute of the <cluster> element
application.xml: password attribute of the <resource-provider> and <commit-coordinator> elements
jms.xml: <password> element
internal-settings.xml: <sep-property> element, with name="keystore-password" and name="truststore-password"
To make any of these passwords indirect, replace the literal password string with a string containing "->" followed by either the user name or by the realm and user name separated by a slash ("/").
Note: To begin a literal (non-indirect) password with the string "->", precede the password by "->!". For example, you would represent the direct password "->silly" as "->!->silly".
Indirect Password Examples
<data-source password="->Scott">: Use JAZNUserManager to look up Scott in the JAZNUserManager, and use the password stored there.
<res-password>->customers/Scott</res-password>: Use JAZNUserManager to look up Scott in the customers realm, and use the password stored there.
<cluster password="martha">: The literal string "martha" is the password; the password is not indirect.
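The following script is an added example, not part of the guide: it applies the "->", "->realm/user" and "->!" rules above to classify a password string, then audits a constructed data-sources.xml fragment for <data-source> entries whose password is still stored as a cleartext literal. The sample XML and the function names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

INDIRECT_PREFIX = "->"
ESCAPE_PREFIX = "->!"


def parse_password(value):
    """Classify one password string from an OC4J XML file.

    Returns ("indirect", realm, user) for a "->user" or "->realm/user"
    reference (realm is None when omitted), or ("literal", None, password)
    for a cleartext password, with any leading "->!" escape removed.
    """
    if value.startswith(ESCAPE_PREFIX):
        # "->!->silly" denotes the direct (literal) password "->silly"
        return ("literal", None, value[len(ESCAPE_PREFIX):])
    if value.startswith(INDIRECT_PREFIX):
        ref = value[len(INDIRECT_PREFIX):]
        if not ref:
            raise ValueError("indirect password names no user: %r" % value)
        realm, sep, user = ref.partition("/")
        if not sep:
            return ("indirect", None, ref)
        if not realm or not user:
            raise ValueError("malformed realm/user reference: %r" % value)
        return ("indirect", realm, user)
    return ("literal", None, value)


# Constructed sample data-sources.xml (not taken from the guide); only the
# attributes needed for the check are included.
SAMPLE_DATA_SOURCES_XML = """<data-sources>
  <data-source name="OracleDS" username="scott" password="->Scott"/>
  <data-source name="ReportsDS" username="reports" password="tiger"/>
  <data-source name="OddDS" username="odd" password="->!->silly"/>
</data-sources>"""


def find_literal_passwords(xml_text):
    """Return the names of <data-source> elements whose password attribute
    is a cleartext literal, i.e. readable by anyone who can read the file.
    Indirect references are skipped."""
    root = ET.fromstring(xml_text)
    literal = []
    for ds in root.iter("data-source"):
        value = ds.get("password")
        if value is None:
            continue
        kind, _realm, _secret = parse_password(value)
        if kind == "literal":
            literal.append(ds.get("name"))
    return literal


if __name__ == "__main__":
    for name in find_literal_passwords(SAMPLE_DATA_SOURCES_XML):
        print("cleartext password in data-source:", name)
```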
The <password-manager> element in application.xml specifies the user manager that the global application uses to look up indirect passwords. If this element is omitted, the user manager of the global application is used for authentication and authorization of indirect passwords. The <jazn> element within a <password-manager> element can be different from the <jazn> element at the top level.
The <password-manager> element should always contain the path name of the instance-level jazn-data.xml file.
For example, you can use an LDAP-based user manager for the regular user manager, but use an XML-based user manager to authenticate indirect passwords. This is the only way to use indirect passwords in LDAP.
Note: It is possible to use pluggable user managers as password managers. However, if you use XMLUserManager as your password manager, principals.xml will not have passwords obfuscated.