Contents

List of Examples

List of Figures

List of Tables

Title and Copyright Information

Preface

• Audience
• Documentation Accessibility
• Related Documentation
• Conventions

1 Concepts

• Java 2 Security Model
• • Permissions
  • Protection Domains
  • OracleAS JAAS Provider Permission Classes
• Principals
• Subjects
• Authentication and Authorization
• Secure Communications
• • Secure Sockets Layer
  • Certificates
  • HTTPS
  • Identity Propagation
• Developing Secure J2EE Applications

2 Overview of JAAS in Oracle Application Server

• The OracleAS JAAS Provider
• • Provider Types
• What Is JAAS?
• • Login Module Authentication
  • Roles
  • Realms
  • Applications
  • Policies and Permissions
  • • XML-Based Example
• JAAS Framework Features
• User Managers
• • Using JAZNUserManager
  • Using XMLUserManager
• Capability Model of Access Control
• Role-Based Access Control (RBAC)
• • Role Hierarchy
  • Role Activation
• Changes Since Release 9.0.4

3 Understanding OC4J Security

• Introduction
• Security Considerations During Development and Deployment
• • Development
  • Deployment
• OC4J and the OracleAS JAAS Provider
• • OC4J Integration
  • JAZNUserManager
  • Authentication Environments
  • Enabling OracleAS Single Sign-On in J2EE Applications
  • • OracleAS Single Sign-On-Enabled J2EE Environments: Typical Scenario
  • Integrating the OracleAS JAAS Provider with SSL-Enabled Applications
  • Integrating the OracleAS JAAS Provider with Basic Authentication
  • • Basic Authentication J2EE Environments: Typical Scenario
• Authentication in the J2EE Environment
• • Running with an Authenticated Identity
  • Retrieving Authentication Information
• Authorization in the J2EE Environment
• • Security Role Mapping
  • • J2EE Security Roles
    • Deployment Roles and Users
    • OC4J Group Mapping to J2EE Security Roles
• Lightweight J2EE Single Sign-On
• • Introduction to Lightweight J2EE Single Sign-On
  • Configuring Lightweight J2EE Single Sign-On
  • • Contents of Specialized ejb-jar.xml File
    • Contents of Specialized orion-ejb-jar.xml File
  • Enabling Lightweight J2EE Single Sign-On

4 Overall Security Configuration

• Choosing the XML-Based or LDAP-Based Provider
• Locating jazn.xml, jazn-data.xml, and the <jazn> Element
• • Locating jazn.xml
  • Locating jazn-data.xml
  • Locating the <jazn> Element
• Admintool Overview
• • Admintool Prerequisites
  • Authenticating Yourself
  • Adding Clustering Support
  • Specifying an Admintool Login Module in jazn-data.xml
• Specifying an Alternate Policy Provider (Optional)
• Specifying OracleAS JAAS Provider Settings
• Enabling Debug Logging
• Specifying User Managers
• • Specifying a User Manager
  • Specifying a User Manager in orion-application.xml
  • • Advanced Configuration
• Customizing RealmLoginModule
• • Enabling RealmLoginModule Using a Text Editor
• Specifying Authentication (auth-method)
• • Specifying auth-method in web.xml
  • Specifying auth-method in orion-application.xml
  • • Specifying auth-method SSO
    • Specifying auth-method Digest
• Configuring J2EE Authorization
• • Servlets, runas-mode, and doasprivileged-mode
  • Mapping Logical Roles to Security Roles
• Removing Realm Names from Authentication Principals
• Configuring Third-Party LDAP Providers
• Permitting EJB RMI Client Access
• Creating a Java 2 Policy File
• Using the <principals> Element and principals.xml

5 Configuring the OC4J Instance

• The admin Account
• Instance-Level jazn.xml File
• Specifying LDAP Connection Properties
• Specifying LDAP JNDI Connection Pool Size
• Configuring LDAP Caching
• • Changing Session Cache Details
  • Disabling LDAP Caching
  • LDAP Cache Configuration
• Configuring LDAP SSL Properties
• • Choosing SSL Authentication
• Configuring LDAP Default Realm

6 Security Considerations During Application Deployment

• Selecting a User Manager
• Mapping Security Roles
• Granting Permissions
• • Granting RMI Permission or Administration Permission
  • Granting and Revoking All Other Permissions
• Creating Users and Groups

7 Configuring the LDAP-Based Provider

• Preparing to Use LDAP
• • Creating Administrative Users and Groups
  • • Creating Users Using LoadOidData
    • Creating an anonymous User Using ldapmodify
  • LDAP-Based Provider Environment Variables
• Creating LDAP Users and Groups

8 Configuring the XML-Based Provider

• Creating Users
• Creating Roles (Groups)
• Deleting Users
• Deleting Roles (Groups)
• Creating Realms
• Deleting Realms
• Granting Permissions
• Revoking Permissions
• Granting Roles (Groups)
• Revoking Roles (Groups)
• Setting Persistence Mode
• Configuring XML Default Realm
• Migrating Principals from the principals.xml File

9 Configuring External LDAP Providers

• Prerequisites
• Creating a <login-module> Element in jazn-data.xml
• Sample LDIF Description
• Configuring Sun Java System Application Server as LDAP Provider
• • SunOne Example
• Configuring Microsoft Active Directory as LDAP Provider

10 Custom Login Modules

• Integrating Custom JAAS Login Modules
• Developing a Login Module
• • Subject-Based Authorization
  • J2EE Security Authorization
  • Callback Support
  • Debugging Tips
  • • Debug Logging
    • Debugging Login Modules
  • Accessing EJBs When Using Custom Login Modules
• Adding and Removing Login Modules
• Listing Login Modules
• Packaging and Deploying
• • Deploying as Standard Extensions or Optional Packages
  • Deploying within the J2EE Application
  • Using the OC4J Classloading Mechanism
• Configuring Your Application
• • The jazn-data.xml File
  • • <jazn-loginconfig>
    • <jazn-policy>
  • The web.xml or ejb-jar.xml File
  • The orion-application.xml File
  • • <jazn>
    • <security-role-mapping>
    • <library>
  • The oc4j-ra.xml File (J2EE Connector Architecture)
• Simple Login Module J2EE Integration
• • Development
  • Packaging
  • Deployment
• Custom Login Module Example

11 Configuring OC4J and SSL

• Overview of SSL Keys and Certificates
• Using Keys and Certificates with OC4J and Oracle HTTP Server
• Enabling SSL in OC4J
• • Configuring Oracle HTTP Server for SSL
• Requesting Client Authentication
• Resolving Common SSL Problems
• • Common SSL Errors and Solutions
  • General SSL Debugging

12 Configuring EJB Security

• EJB JNDI Security Properties
• • JNDI Properties in jndi.properties
  • JNDI Properties within Code Implementation
• Configuring Security
• • Granting Permissions in Browser
  • Authenticating and Authorizing EJB Applications
  • • Specifying Users and Groups
    • Specifying Logical Roles in the EJB Deployment Descriptor
    • Specifying Unchecked Security for EJB Methods
    • Specifying the run-as Security Identity
    • Mapping Logical Roles to Users and Groups
    • Specifying a Default Role Mapping for Undefined Methods
    • Specifying Users and Groups by the Client
  • Specifying Credentials in EJB Clients
  • • Credentials in JNDI Properties
    • Credentials in the InitialContext

13 Oracle HTTPS for Client Connections

• Oracle HTTPS and Clients
• • HTTPConnection Class
  • OracleSSLCredential Class (OracleSSL Only)
• Overview of Oracle HTTPS Features
• • SSL Cipher Suites
  • • Choosing a Cipher Suite
    • SSL Cipher Suites Supported by OracleSSL
    • SSL Cipher Suites Supported by JSSE
  • Access Information About Established SSL Connections
  • Security-Aware Applications Support
  • Framework Support for java.net.URL
• Specifying Default System Properties
• • The javax.net.ssl.KeyStore Property
  • The javax.net.ssl.KeyStorePassword Property
  • The Oracle.ssl.defaultCipherSuites Property (OracleSSL Only)
• Oracle HTTPS Example
• • Initializing SSL Credentials in OracleSSL
  • Verifying Connection Information
  • Transferring Data Using HTTPS
• Using HTTPClient with JSSE
• • Configuring HTTPClient to Use JSSE

14 Password Management

• Introduction
• Password Obfuscation in jazn-data.xml and jazn.xml
• • Editing jazn-data.xml
• Creating an Indirect Password
• Specifying a User Manager in application.xml

15 Configuring CSIv2

• Introduction to CSIv2 Security Properties
• EJB Server Security Properties in internal-settings.xml
• CSIv2 Security Properties in internal-settings.xml
• CSIv2 Security Properties in ejb_sec.properties
• • Trust Relationships
• CSIv2 Security Properties in orion-ejb-jar.xml
• • DTD for <ior-security-config>
  • <transport-config>
  • <as-context>
  • <sas-context>
• EJB Client Security Properties in ejb_sec.properties

16 Troubleshooting Security Issues

• Alternative jazn.xml Locations
• JAZN Admintool
• Custom Login Modules
• • Subject-Based Authorization
  • J2EE Security Integration
• LDAP-Based Provider Issues
• • Checking JAZN-LDAP Configuration
  • Enabling and Disabling Caching
• Servlets, runas-mode, and doasprivileged-mode
• Creating Realms
• Removing Realm Names from Principals
• Specifying the JAAS Provider

17 Security Tips

• HTTPS Tips
• Overall Security Tips
• JAAS Tips

A OracleAS JAAS Provider Samples

• Sample: jazn-data.xml Configuration
• Sample: Modifying User Permissions

B JAZN Admintool Reference

• Introduction to JAZN Admintool Command-Line Options and Syntax
• Authentication and the JAZN Admintool (XML-Based Provider Only)
• Adding and Removing Policy Permissions (XML-Based Provider Only)
• Adding Clustering Support (XML-Based Provider Only)
• Adding and Removing Login Modules (XML-Based Provider Only)
• Adding and Removing Principals (XML-Based Provider Only)
• Adding and Removing Realms
• Adding and Removing Roles (XML-Based Provider Only)
• Adding and Removing Users (XML-Based Provider Only)
• Checking Passwords (XML-Based Provider Only)
• Configuration Operations
• Granting and Revoking Permissions
• Granting and Revoking Roles
• Listing Login Modules
• Listing Permissions
• Listing Permission Information
• Listing Principal Classes
• Listing Principal Class Information
• Listing Realms
• Listing Roles
• Listing Users
• Migrating Principals from the principals.xml File
• Setting Passwords (XML-Based Provider Only)
• Using the JAZN Admintool Shell
• • JAZN Admintool Shell Commands
  • Admintool Shell Directory Structure

Index