Contents

List of Examples

List of Figures

List of Tables

Title and Copyright Information

Preface

• Audience
• Documentation Accessibility
• Related Documentation
• Conventions

1 Concepts

• Java 2 Security Model
• Permissions
• Protection Domains
• OracleAS JAAS Provider Permission Classes
• Principals
• Subjects
• Authentication and Authorization
• Secure Communications
• Secure Sockets Layer
• Certificates
• HTTPS
• Identity Propagation
• Developing Secure J2EE Applications

2 Overview of JAAS in Oracle Application Server

• The OracleAS JAAS Provider
• Provider Types
• What Is JAAS?
• Login Module Authentication
• Roles
• Realms
• Applications
• Policies and Permissions
• XML-Based Example
• JAAS Framework Features
• User Managers
• Using JAZNUserManager
• Using XMLUserManager
• Capability Model of Access Control
• Role-Based Access Control (RBAC)
• Role Hierarchy
• Role Activation
• Changes Since Release 9.0.4

3 Understanding OC4J Security

• Introduction
• Security Considerations During Development and Deployment
• Development
• Deployment
• OC4J and the OracleAS JAAS Provider
• OC4J Integration
• JAZNUserManager
• Authentication Environments
• Enabling OracleAS Single Sign-On in J2EE Applications
• OracleAS Single Sign-On-Enabled J2EE Environments: Typical Scenario
• Integrating the OracleAS JAAS Provider with SSL-Enabled Applications
• Integrating the OracleAS JAAS Provider with Basic Authentication
• Basic Authentication J2EE Environments: Typical Scenario
• Authentication in the J2EE Environment
• Running with an Authenticated Identity
• Retrieving Authentication Information
• Authorization in the J2EE Environment
• Security Role Mapping
• J2EE Security Roles
• Deployment Roles and Users
• OC4J Group Mapping to J2EE Security Roles
• Lightweight J2EE Single Sign-On
• Introduction to Lightweight J2EE Single Sign-On
• Configuring Lightweight J2EE Single Sign-On
• Contents of Specialized ejb-jar.xml File
• Contents of Specialized orion-ejb-jar.xml File
• Enabling Lightweight J2EE Single Sign-On

4 Overall Security Configuration

• Choosing the XML-Based or LDAP-Based Provider
• Locating jazn.xml, jazn-data.xml, and the <jazn> Element
• Locating jazn.xml
• Locating jazn-data.xml
• Locating the <jazn> Element
• Admintool Overview
• Admintool Prerequisites
• Authenticating Yourself
• Adding Clustering Support
• Specifying an Admintool Login Module in jazn-data.xml
• Specifying an Alternate Policy Provider (Optional)
• Specifying OracleAS JAAS Provider Settings
• Enabling Debug Logging
• Specifying User Managers
• Specifying a User Manager
• Specifying a User Manager in orion-application.xml
• Advanced Configuration
• Customizing RealmLoginModule
• Enabling RealmLoginModule Using a Text Editor
• Specifying Authentication (auth-method)
• Specifying auth-method in web.xml
• Specifying auth-method in orion-application.xml
• Specifying auth-method SSO
• Specifying auth-method Digest
• Configuring J2EE Authorization
• Servlets, runas-mode, and doasprivileged-mode
• Mapping Logical Roles to Security Roles
• Removing Realm Names from Authentication Principals
• Configuring Third-Party LDAP Providers
• Permitting EJB RMI Client Access
• Creating a Java 2 Policy File
• Using the <principals> Element and principals.xml

5 Configuring the OC4J Instance

• The admin Account
• Instance-Level jazn.xml File
• Specifying LDAP Connection Properties
• Specifying LDAP JNDI Connection Pool Size
• Configuring LDAP Caching
• Changing Session Cache Details
• Disabling LDAP Caching
• LDAP Cache Configuration
• Configuring LDAP SSL Properties
• Choosing SSL Authentication
• Configuring LDAP Default Realm

6 Security Considerations During Application Deployment

• Selecting a User Manager
• Mapping Security Roles
• Granting Permissions
• Granting RMI Permission or Administration Permission
• Granting and Revoking All Other Permissions
• Creating Users and Groups

7 Configuring the LDAP-Based Provider

• Preparing to Use LDAP
• Creating Administrative Users and Groups
• Creating Users Using LoadOidData
• Creating an anonymous User Using ldapmodify
• LDAP-Based Provider Environment Variables
• Creating LDAP Users and Groups

8 Configuring the XML-Based Provider

• Creating Users
• Creating Roles (Groups)
• Deleting Users
• Deleting Roles (Groups)
• Creating Realms
• Deleting Realms
• Granting Permissions
• Revoking Permissions
• Granting Roles (Groups)
• Revoking Roles (Groups)
• Setting Persistence Mode
• Configuring XML Default Realm
• Migrating Principals from the principals.xml File

9 Configuring External LDAP Providers

• Prerequisites
• Creating a <login-module> Element in jazn-data.xml
• Sample LDIF Description
• Configuring Sun Java System Application Server as LDAP Provider
• SunOne Example
• Configuring Microsoft Active Directory as LDAP Provider

10 Custom Login Modules

• Integrating Custom JAAS Login Modules
• Developing a Login Module
• Subject-Based Authorization
• J2EE Security Authorization
• Callback Support
• Debugging Tips
• Debug Logging
• Debugging Login Modules
• Accessing EJBs When Using Custom Login Modules
• Adding and Removing Login Modules
• Listing Login Modules
• Packaging and Deploying
• Deploying as Standard Extensions or Optional Packages
• Deploying within the J2EE Application
• Using the OC4J Classloading Mechanism
• Configuring Your Application
• The jazn-data.xml File
• <jazn-loginconfig>
• <jazn-policy>
• The web.xml or ejb-jar.xml File
• The orion-application.xml File
• <jazn>
• <security-role-mapping>
• <library>
• The oc4j-ra.xml File (J2EE Connector Architecture)
• Simple Login Module J2EE Integration
• Development
• Packaging
• Deployment
• Custom Login Module Example

11 Configuring OC4J and SSL

• Overview of SSL Keys and Certificates
• Using Keys and Certificates with OC4J and Oracle HTTP Server
• Enabling SSL in OC4J
• Configuring Oracle HTTP Server for SSL
• Requesting Client Authentication
• Resolving Common SSL Problems
• Common SSL Errors and Solutions
• General SSL Debugging

12 Configuring EJB Security

• EJB JNDI Security Properties
• JNDI Properties in jndi.properties
• JNDI Properties within Code Implementation
• Configuring Security
• Granting Permissions in Browser
• Authenticating and Authorizing EJB Applications
• Specifying Users and Groups
• Specifying Logical Roles in the EJB Deployment Descriptor
• Specifying Unchecked Security for EJB Methods
• Specifying the run-as Security Identity
• Mapping Logical Roles to Users and Groups
• Specifying a Default Role Mapping for Undefined Methods
• Specifying Users and Groups by the Client
• Specifying Credentials in EJB Clients
• Credentials in JNDI Properties
• Credentials in the InitialContext

13 Oracle HTTPS for Client Connections

• Oracle HTTPS and Clients
• HTTPConnection Class
• OracleSSLCredential Class (OracleSSL Only)
• Overview of Oracle HTTPS Features
• SSL Cipher Suites
• Choosing a Cipher Suite
• SSL Cipher Suites Supported by OracleSSL
• SSL Cipher Suites Supported by JSSE
• Access Information About Established SSL Connections
• Security-Aware Applications Support
• Framework Support for java.net.URL
• Specifying Default System Properties
• The javax.net.ssl.KeyStore Property
• The javax.net.ssl.KeyStorePassword Property
• The Oracle.ssl.defaultCipherSuites Property (OracleSSL Only)
• Oracle HTTPS Example
• Initializing SSL Credentials in OracleSSL
• Verifying Connection Information
• Transferring Data Using HTTPS
• Using HTTPClient with JSSE
• Configuring HTTPClient to Use JSSE

14 Password Management

• Introduction
• Password Obfuscation in jazn-data.xml and jazn.xml
• Editing jazn-data.xml
• Creating an Indirect Password
• Specifying a User Manager in application.xml

15 Configuring CSIv2

• Introduction to CSIv2 Security Properties
• EJB Server Security Properties in internal-settings.xml
• CSIv2 Security Properties in internal-settings.xml
• CSIv2 Security Properties in ejb_sec.properties
• Trust Relationships
• CSIv2 Security Properties in orion-ejb-jar.xml
• DTD for <ior-security-config>
• <transport-config>
• <as-context>
• <sas-context>
• EJB Client Security Properties in ejb_sec.properties

16 Troubleshooting Security Issues

• Alternative jazn.xml Locations
• JAZN Admintool
• Custom Login Modules
• Subject-Based Authorization
• J2EE Security Integration
• LDAP-Based Provider Issues
• Checking JAZN-LDAP Configuration
• Enabling and Disabling Caching
• Servlets, runas-mode, and doasprivileged-mode
• Creating Realms
• Removing Realm Names from Principals
• Specifying the JAAS Provider

17 Security Tips

• HTTPS Tips
• Overall Security Tips
• JAAS Tips

A OracleAS JAAS Provider Samples

• Sample: jazn-data.xml Configuration
• Sample: Modifying User Permissions

B JAZN Admintool Reference

• Introduction to JAZN Admintool Command-Line Options and Syntax
• Authentication and the JAZN Admintool (XML-Based Provider Only)
• Adding and Removing Policy Permissions (XML-Based Provider Only)
• Adding Clustering Support (XML-Based Provider Only)
• Adding and Removing Login Modules (XML-Based Provider Only)
• Adding and Removing Principals (XML-Based Provider Only)
• Adding and Removing Realms
• Adding and Removing Roles (XML-Based Provider Only)
• Adding and Removing Users (XML-Based Provider Only)
• Checking Passwords (XML-Based Provider Only)
• Configuration Operations
• Granting and Revoking Permissions
• Granting and Revoking Roles
• Listing Login Modules
• Listing Permissions
• Listing Permission Information
• Listing Principal Classes
• Listing Principal Class Information
• Listing Realms
• Listing Roles
• Listing Users
• Migrating Principals from the principals.xml File
• Setting Passwords (XML-Based Provider Only)
• Using the JAZN Admintool Shell
• JAZN Admintool Shell Commands
• Admintool Shell Directory Structure

Index