Oracle Container for Java (OC4J) Oracle Application Server Tips by Burleson Consulting

The Oracle Container For Java (OC4J) supports the operation of Java Server Pages (JSP), servlets and J2EE applications.  As such, most of the authentication work takes place here.  Oracle 10g JAAS (a.k.a. "JAZN"), is Oracle's implementation of the Java Authentication and Authorization Service (JAAS) standard, which adds PAM-based pluggable authentication and Subject-based, fine-grained authorization to the Java2 platform.  OC4J implements the J2EE JAAS API to facilitate security within the J2EE application.  The two JAAS implementations OC4J provides are JAZN-LDAP and JAZN-XML.  JAZN-LDAP is an implementation of the JAAS API that retrieves user and authorization information securely from Oracle Internet Directory (OID). JAZN-LDAP is particularly useful for applications that have a large user community, for which scalability is a strong requirement.  JAZN-XML is a fast, lightweight implementation of the JAAS API that is based on XML as an encoding mechanism. JAZN-XML allows Java developers to retrieve user and role information securely from operating system files rather than retrieving information from Oracle Internet Directory (as is the case with JAZN-LDAP). JAZN_XML supports lightweight deployments of Oracle9iAS and provides a more secure alternative to principals.xml.  JAZN_XML will usually use the file JAZN-DATA.xml to store and retrieve user data.  To get additional information on using JAAS within you application go to otn.oracle.com and search on JAAS.

Authentication

Authentication establishes a network entity?s identity.  An entity could be users or another application.  Entities that access an application are asked for a password, which the application verifies against a user directory.   The user directory can be a file, LDAP directory or Oracle Internet Directory.  The user directory?s job is to store users credentials.  External applications may also need to be authenticated and could either provide passwords or use a digital certificate.  A developer can create a login module that supports whatever authentication method is required.

Authorization

Authorization is granting an authenticated entity privileges.  Roles are defined within the J2EE application that determine access rights to different objects.  Oracle Application Server 10g support a fully declarative implementation of the J2EE security, which means you can secure your java application without writing code.  Once an entity, such as a user, is authenticated, it is granted a role, or roles, that allow it to access the necessary parts of the application.  These authorizations can be centrally managed in the Oracle Internet Directory or in XML files.  Placing the authorizations in OID allows for centralized management of privileges within an organization.  JAAS and OID also allow you to relate a section of code to a user so that users have the authorization to execute sections of code without being authorized to execute all the code.

Delegation

Delegation is where an EJB runs with the privileges of a certain user.  This allows a user with limited privileges to execute an EJB, which will execute with a higher authorization to perform some task.  This supports the idea of assigning a user the lowest privilege level necessary to accomplish a task.

Oracle Identity Management

One of the benefits of using the application server Infrastructure is the integration of Oracle Identity Management, which provides a single location for the complete management of users and network entities.  This can greatly reduce the cost of managing large groups of users.  As new users are added to the system, Oracle Identity Management provides a single location for modifying application and system privileges to include account creation and suspension, privilege modification, and attribute management.    Users can be internal company employees, customers, or anyone that requires access to you applications, servers, or network devices.  Oracle 10g Identity Management is comprise of six different products.  The root of Oracle?s Identity Management is the Oracle Internet Directory (OID).  OID is Oracle?s implementation of LDAP ver3.  Oracle?s Single Sign-On is an application that uses OID to authenticate users. .  Single Sign-On (SSO) provides that capability to have a user provide his credentials once and then to automatically authenticate him as he changes applications.  Delegated Administration Services provides application server components with secure access to OID.  Certificate Authority issue and manage X.509v3 compliant certificates to secure email and network connections.  Directory Integration allows integration with other directories (e.g. ADS, SunONE).  And provisioning integration, which provides automatic provisioning of users in the Oracle environment.

This is an excerpt from "Oracle 10g Application Server Administration Handbook" by Don Burleson and John Garmany.