Oracle® Application Server Containers for J2EE Security Guide
10g Release 2 (10.1.2)
B14013-02
Contents
List of Examples
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documentation
Conventions
1 Concepts
Java 2 Security Model
Permissions
Protection Domains
OracleAS JAAS Provider Permission Classes
Principals
Subjects
Authentication and Authorization
Secure Communications
Secure Sockets Layer
Certificates
HTTPS
Identity Propagation
Developing Secure J2EE Applications
2 Overview of JAAS in Oracle Application Server
The OracleAS JAAS Provider
Provider Types
What Is JAAS?
Login Module Authentication
Roles
Realms
Applications
Policies and Permissions
XML-Based Example
JAAS Framework Features
User Managers
Using JAZNUserManager
Using XMLUserManager
Capability Model of Access Control
Role-Based Access Control (RBAC)
Role Hierarchy
Role Activation
Changes Since Release 9.0.4
3 Understanding OC4J Security
Introduction
Security Considerations During Development and Deployment
Development
Deployment
OC4J and the OracleAS JAAS Provider
OC4J Integration
JAZNUserManager
Authentication Environments
Enabling OracleAS Single Sign-On in J2EE Applications
OracleAS Single Sign-On-Enabled J2EE Environments: Typical Scenario
Integrating the OracleAS JAAS Provider with SSL-Enabled Applications
Integrating the OracleAS JAAS Provider with Basic Authentication
Basic Authentication J2EE Environments: Typical Scenario
Authentication in the J2EE Environment
Running with an Authenticated Identity
Retrieving Authentication Information
Authorization in the J2EE Environment
Security Role Mapping
J2EE Security Roles
Deployment Roles and Users
OC4J Group Mapping to J2EE Security Roles
Lightweight J2EE Single Sign-On
Introduction to Lightweight J2EE Single Sign-On
Configuring Lightweight J2EE Single Sign-On
Contents of Specialized ejb-jar.xml File
Contents of Specialized orion-ejb-jar.xml File
Enabling Lightweight J2EE Single Sign-On
4 Overall Security Configuration
Choosing the XML-Based or LDAP-Based Provider
Locating jazn.xml, jazn-data.xml, and the <jazn> Element
Locating jazn.xml
Locating jazn-data.xml
Locating the <jazn> Element
Admintool Overview
Admintool Prerequisites
Authenticating Yourself
Adding Clustering Support
Specifying an Admintool Login Module in jazn-data.xml
Specifying an Alternate Policy Provider (Optional)
Specifying OracleAS JAAS Provider Settings
Enabling Debug Logging
Specifying User Managers
Specifying a User Manager
Specifying a User Manager in orion-application.xml
Advanced Configuration
Customizing RealmLoginModule
Enabling RealmLoginModule Using a Text Editor
Specifying Authentication (auth-method)
Specifying auth-method in web.xml
Specifying auth-method in orion-application.xml
Specifying auth-method SSO
Specifying auth-method Digest
Configuring J2EE Authorization
Servlets, runas-mode, and doasprivileged-mode
Mapping Logical Roles to Security Roles
Removing Realm Names from Authentication Principals
Configuring Third-Party LDAP Providers
Permitting EJB RMI Client Access
Creating a Java 2 Policy File
Using the <principals> Element and principals.xml
5 Configuring the OC4J Instance
The admin Account
Instance-Level jazn.xml File
Specifying LDAP Connection Properties
Specifying LDAP JNDI Connection Pool Size
Configuring LDAP Caching
Changing Session Cache Details
Disabling LDAP Caching
LDAP Cache Configuration
Configuring LDAP SSL Properties
Choosing SSL Authentication
Configuring LDAP Default Realm
6 Security Considerations During Application Deployment
Selecting a User Manager
Mapping Security Roles
Granting Permissions
Granting RMI Permission or Administration Permission
Granting and Revoking All Other Permissions
Creating Users and Groups
7 Configuring the LDAP-Based Provider
Preparing to Use LDAP
Creating Administrative Users and Groups
Creating Users Using LoadOidData
Creating an anonymous User Using ldapmodify
LDAP-Based Provider Environment Variables
Creating LDAP Users and Groups
8 Configuring the XML-Based Provider
Creating Users
Creating Roles (Groups)
Deleting Users
Deleting Roles (Groups)
Creating Realms
Deleting Realms
Granting Permissions
Revoking Permissions
Granting Roles (Groups)
Revoking Roles (Groups)
Setting Persistence Mode
Configuring XML Default Realm
Migrating Principals from the principals.xml File
9 Configuring External LDAP Providers
Prerequisites
Creating a <login-module> Element in jazn-data.xml
Sample LDIF Description
Configuring Sun Java System Application Server as LDAP Provider
SunOne Example
Configuring Microsoft Active Directory as LDAP Provider
10 Custom Login Modules
Integrating Custom JAAS Login Modules
Developing a Login Module
Subject-Based Authorization
J2EE Security Authorization
Callback Support
Debugging Tips
Debug Logging
Debugging Login Modules
Accessing EJBs When Using Custom Login Modules
Adding and Removing Login Modules
Listing Login Modules
Packaging and Deploying
Deploying as Standard Extensions or Optional Packages
Deploying within the J2EE Application
Using the OC4J Classloading Mechanism
Configuring Your Application
The jazn-data.xml File
<jazn-loginconfig>
<jazn-policy>
The web.xml or ejb-jar.xml File
The orion-application.xml File
<jazn>
<security-role-mapping>
<library>
The oc4j-ra.xml File (J2EE Connector Architecture)
Simple Login Module J2EE Integration
Development
Packaging
Deployment
Custom Login Module Example
11 Configuring OC4J and SSL
Overview of SSL Keys and Certificates
Using Keys and Certificates with OC4J and Oracle HTTP Server
Enabling SSL in OC4J
Configuring Oracle HTTP Server for SSL
Requesting Client Authentication
Resolving Common SSL Problems
Common SSL Errors and Solutions
General SSL Debugging
12 Configuring EJB Security
EJB JNDI Security Properties
JNDI Properties in jndi.properties
JNDI Properties within Code Implementation
Configuring Security
Granting Permissions in Browser
Authenticating and Authorizing EJB Applications
Specifying Users and Groups
Specifying Logical Roles in the EJB Deployment Descriptor
Specifying Unchecked Security for EJB Methods
Specifying the run-as Security Identity
Mapping Logical Roles to Users and Groups
Specifying a Default Role Mapping for Undefined Methods
Specifying Users and Groups by the Client
Specifying Credentials in EJB Clients
Credentials in JNDI Properties
Credentials in the InitialContext
13 Oracle HTTPS for Client Connections
Oracle HTTPS and Clients
HTTPConnection Class
OracleSSLCredential Class (OracleSSL Only)
Overview of Oracle HTTPS Features
SSL Cipher Suites
Choosing a Cipher Suite
SSL Cipher Suites Supported by OracleSSL
SSL Cipher Suites Supported by JSSE
Access Information About Established SSL Connections
Security-Aware Applications Support
Framework Support for java.net.URL
Specifying Default System Properties
The javax.net.ssl.KeyStore Property
The javax.net.ssl.KeyStorePassword Property
The Oracle.ssl.defaultCipherSuites Property (OracleSSL Only)
Oracle HTTPS Example
Initializing SSL Credentials in OracleSSL
Verifying Connection Information
Transferring Data Using HTTPS
Using HTTPClient with JSSE
Configuring HTTPClient to Use JSSE
14 Password Management
Introduction
Password Obfuscation in jazn-data.xml and jazn.xml
Editing jazn-data.xml
Creating an Indirect Password
Specifying a User Manager in application.xml
15 Configuring CSIv2
Introduction to CSIv2 Security Properties
EJB Server Security Properties in internal-settings.xml
CSIv2 Security Properties in internal-settings.xml
CSIv2 Security Properties in ejb_sec.properties
Trust Relationships
CSIv2 Security Properties in orion-ejb-jar.xml
DTD for <ior-security-config>
<transport-config>
<as-context>
<sas-context>
EJB Client Security Properties in ejb_sec.properties
16 Troubleshooting Security Issues
Alternative jazn.xml Locations
JAZN Admintool
Custom Login Modules
Subject-Based Authorization
J2EE Security Integration
LDAP-Based Provider Issues
Checking JAZN-LDAP Configuration
Enabling and Disabling Caching
Servlets, runas-mode, and doasprivileged-mode
Creating Realms
Removing Realm Names from Principals
Specifying the JAAS Provider
17 Security Tips
HTTPS Tips
Overall Security Tips
JAAS Tips
A OracleAS JAAS Provider Samples
Sample: jazn-data.xml Configuration
Sample: Modifying User Permissions
B JAZN Admintool Reference
Introduction to JAZN Admintool Command-Line Options and Syntax
Authentication and the JAZN Admintool (XML-Based Provider Only)
Adding and Removing Policy Permissions (XML-Based Provider Only)
Adding Clustering Support (XML-Based Provider Only)
Adding and Removing Login Modules (XML-Based Provider Only)
Adding and Removing Principals (XML-Based Provider Only)
Adding and Removing Realms
Adding and Removing Roles (XML-Based Provider Only)
Adding and Removing Users (XML-Based Provider Only)
Checking Passwords (XML-Based Provider Only)
Configuration Operations
Granting and Revoking Permissions
Granting and Revoking Roles
Listing Login Modules
Listing Permissions
Listing Permission Information
Listing Principal Classes
Listing Principal Class Information
Listing Realms
Listing Roles
Listing Users
Migrating Principals from the principals.xml File
Setting Passwords (XML-Based Provider Only)
Using the JAZN Admintool Shell
JAZN Admintool Shell Commands
Admintool Shell Directory Structure
Index