Oracle® Application Server Containers for J2EE Security Guide
10g Release 2 (10.1.2)
B14013-02

6 Security Considerations During Application Deployment

This chapter discusses security issues to consider when deploying applications. It is divided into the following sections:

  - Selecting a User Manager
  - Mapping Security Roles
  - Granting Permissions
  - Creating Users and Groups

Selecting a User Manager

By default, if you associated your OC4J instance with infrastructure, the JAZN LDAP UserManager is used for your newly-deployed application; otherwise, the JAZN XML UserManager is used for your application. If for some reason you need to change the user manager of your application, you can do so from the Application Server Control Console. For details, see the Application Server Control Console help topic "Modifying the User Manager for All Applications".

Mapping Security Roles

You map security roles for your application using the Security page of the Application Server Control Console. Use the following steps:

  1. Select your application from the Application Server Control Console, then click the Security link.

  2. Select a role from the list titled Security Roles.

  3. Click the button Map Roles To Principals. A new page appears headed Role: yourrole.

  4. Click the checkbox next to the desired group or user. (There are two separate areas labeled Map Role to Groups and Map Role to Users.) Click Apply.

  5. A confirmation page appears. Click OK.

Granting Permissions

There are two different ways to grant permissions.

Granting RMI Permission or Administration Permission

You can grant RMI or administration permission to a group using Oracle Enterprise Manager 10g Application Server Control Console. To do this:

  1. Select an application and navigate to the Security page.

  2. Select the group name from the list of groups. The Add/Edit Group page appears.

  3. Check whichever permissions you wish to add and click Apply.

Granting and Revoking All Other Permissions

You use the JAZN Admintool to grant and revoke user permissions. For basic information on running the JAZN Admintool, see "Admintool Overview". The relevant options are:

-grantperm {realm {-user user|-role role } | principal_class principal_parameters}
            permission_class [permission_parameters]
-revokeperm {realm {-user user|-role role} | principal_class principal_parameters}
             permission_class [permission_parameters]
-listperms {realm {-user user|-role role} | principal_class principal_parameters}
            permission_class [permission_parameters]

In this syntax, principal_class is the fully qualified name of a class that implements the Principal interface (such as com.sun.security.auth.NTDomainPrincipal), and principal_parameters is the single String parameter passed to that class.

The -grantperm option grants the specified permission to a user (when called with -user), to a role (when called with -role), or to a principal. The -revokeperm option revokes the specified permission from a user, role, or principal. The -listperms option lists the permissions currently held by a user, role, or principal.

The permission descriptor (permission_class followed by permission_parameters) consists of the explicit class name of a permission (for example, oracle.security.jazn.realm.RealmPermission) followed by its target and action parameters (for RealmPermission, realmname action). Note that a permission may take multiple target and action parameters.


Note:

If the Admintool gives the error message "Permission class not found", it means that the permission you wish to grant is not in the classpath. You must place the JAR containing the permission class in the jdk/jre/lib/ext directory so that the Admintool can locate it.

For example, to grant FilePermission with target a.txt and actions "read, write" to user martha in realm foo, type:

java -jar jazn.jar -grantperm foo -user martha java.io.FilePermission a.txt read,write

Admintool shell:

JAZN:> grantperm foo -user martha java.io.FilePermission a.txt read,write
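The grant above stores a permission descriptor; what the container later enforces is the implies() relation of that permission class. The following Java program, added here as an illustration and not part of the Oracle guide or of OC4J's own code, rebuilds the exact java.io.FilePermission that the Admintool example grants to martha and checks which requests it would satisfy. The Permissions collection is a constructed stand-in for the permissions the provider would load for the user; it is not the JAZN store.

```java
import java.io.FilePermission;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;

/**
 * Shows the scope of the Admintool grant
 *   grantperm foo -user martha java.io.FilePermission a.txt read,write
 * using only standard java.io / java.security classes.
 * The collection below is a constructed stand-in for user martha's
 * permissions; it is not read from the JAZN provider.
 */
public class GrantScope {

    // Build the permission exactly as the Admintool arguments describe it:
    // permission_class = java.io.FilePermission, target = a.txt, actions = read,write
    static PermissionCollection grantedToMartha() {
        Permissions granted = new Permissions();
        granted.add(new FilePermission("a.txt", "read,write"));
        return granted;
    }

    // A request is allowed only if some granted permission implies it:
    // same (or wildcard-covered) target and a subset of the granted actions.
    static boolean isAllowed(PermissionCollection granted, Permission requested) {
        return granted.implies(requested);
    }

    public static void main(String[] args) {
        PermissionCollection granted = grantedToMartha();
        Permission[] requests = {
            new FilePermission("a.txt", "read"),        // allowed: subset of granted actions
            new FilePermission("a.txt", "read,write"),  // allowed: exact match
            new FilePermission("a.txt", "delete"),      // denied: action was not granted
            new FilePermission("a.txt", "execute"),     // denied: action was not granted
            new FilePermission("b.txt", "read"),        // denied: different target
        };
        for (Permission p : requests) {
            System.out.printf("%-50s -> %s%n", p, isAllowed(granted, p) ? "allowed" : "denied");
        }
    }
}
```

When reviewing grants made through -grantperm or -listperms, check the target as carefully as the actions: FilePermission treats the standard "*" (one directory level) and "-" (recursive) wildcards in the target, so a descriptor such as a directory path followed by "-" covers every file beneath it, which is considerably broader than the single-file grant shown here.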

Creating Users and Groups

See Chapter 7, "Configuring the LDAP-Based Provider" or Chapter 8, "Configuring the XML-Based Provider" for details on creating users and groups in each provider.