Container for Java (OC4J)
Oracle Application Server Tips by Burleson
The Oracle Container For Java (OC4J)
supports the operation of Java Server Pages (JSP), servlets and J2EE
applications. As such, most of the authentication work takes place
here. Oracle 10g JAAS (a.k.a. "JAZN") is Oracle's implementation
of the Java Authentication and Authorization Service (JAAS)
standard, which adds PAM-based pluggable authentication and
Subject-based, fine-grained authorization to the Java 2 platform.
OC4J implements the J2EE JAAS API to facilitate security within the
J2EE application. The two JAAS implementations OC4J provides are
JAZN-LDAP and JAZN-XML. JAZN-LDAP is an implementation of the JAAS
API that retrieves user and authorization information securely from
Oracle Internet Directory (OID). JAZN-LDAP is particularly useful
for applications that have a large user community, for which
scalability is a strong requirement. JAZN-XML is a fast,
lightweight implementation of the JAAS API that uses XML as its
encoding mechanism. JAZN-XML allows Java developers to retrieve
user and role information securely from operating system files
rather than from Oracle Internet Directory (as is the case with
JAZN-LDAP). JAZN-XML supports lightweight deployments of Oracle9iAS
and provides a more secure alternative to principals.xml. JAZN-XML
will usually use the file JAZN-DATA.xml to store and retrieve user
data. To get additional information on using JAAS within your
application go to otn.oracle.com and search on
Authentication establishes a network
entity's identity. An entity could be a user or another
application. Entities that access an application are asked for a
password, which the application verifies against a user directory.
The user directory can be a file, an LDAP directory or Oracle Internet
Directory. The user directory's job is to store users' credentials.
External applications may also need to be authenticated and could
either provide passwords or use a digital certificate. A developer
can create a login module that supports whatever authentication
method is required.
Authorization is granting an
authenticated entity privileges. Roles are defined within the J2EE
application that determine access rights to different objects.
Oracle Application Server 10g supports a fully declarative
implementation of J2EE security, which means you can secure your
Java application without writing code. Once an entity, such as a
user, is authenticated, it is granted a role, or roles, that allow
it to access the necessary parts of the application. These
authorizations can be centrally managed in Oracle Internet
Directory or in XML files. Placing the authorizations in OID allows
for centralized management of privileges within an organization.
JAAS and OID also allow you to relate a section of code to a user so
that users can be authorized to execute specific sections of code
without being authorized to execute all the code.
Delegation is where an EJB runs with
the privileges of a certain user. This allows a user with limited
privileges to execute an EJB, which will execute with higher
authorization to perform some task. This supports the idea of
assigning a user the lowest privilege level necessary to accomplish
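As an added example, not taken from the book or from Oracle's own distribution, the three mechanisms described above tied together: a JAZN-XML realm in jazn-data.xml, a declarative web.xml constraint with its OC4J role mapping in orion-application.xml, and an EJB run-as identity for delegation. The realm, user and role names, the password and the URL pattern are assumed values constructed for illustration.

```xml
<!-- Added example (not from the book). Realm "jazn.com", user "jsmith",
     roles "managers"/"report_runner" and /reports/* are assumed values. -->

<!-- jazn-data.xml: the JAZN-XML user store. A leading "!" marks a clear-text
     password that OC4J obfuscates the next time it writes the file. -->
<jazn-data>
  <jazn-realm>
    <realm>
      <name>jazn.com</name>
      <users>
        <user><name>jsmith</name><credentials>!ChangeMe</credentials></user>
      </users>
      <roles>
        <role>
          <name>managers</name>
          <members><member><type>user</type><name>jsmith</name></member></members>
        </role>
      </roles>
    </realm>
  </jazn-realm>
</jazn-data>

<!-- web.xml: declarative authorization, no application code. Only callers
     holding the J2EE role "manager" can reach /reports/*. -->
<login-config><auth-method>BASIC</auth-method></login-config>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Reports</web-resource-name>
    <url-pattern>/reports/*</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>manager</role-name></auth-constraint>
</security-constraint>
<security-role><role-name>manager</role-name></security-role>

<!-- orion-application.xml: map the J2EE role onto the JAZN-XML role. -->
<security-role-mapping name="manager">
  <group name="managers"/>
</security-role-mapping>

<!-- ejb-jar.xml: delegation. The bean executes as "report_runner" whatever
     the caller's own roles, so the caller needs only enough privilege to
     invoke it, not the privilege the bean's work requires. -->
<security-identity>
  <run-as><role-name>report_runner</role-name></run-as>
</security-identity>
```

The same web.xml constraint works unchanged with JAZN-LDAP; only the role mapping's target changes from a jazn-data.xml role to an OID group.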
Oracle Identity Management
One of the benefits of using the
application server Infrastructure is the integration of Oracle
Identity Management, which provides a single location for the
complete management of users and network entities. This can greatly
reduce the cost of managing large groups of users. As new users are
added to the system, Oracle Identity Management provides a single
location for modifying application and system privileges, including
account creation and suspension, privilege modification, and
attribute management. Users can be internal company employees,
customers, or anyone that requires access to your applications,
servers, or network devices. Oracle 10g Identity Management
comprises six different products. The root of Oracle's Identity
Management is the Oracle Internet Directory (OID). OID is Oracle's
implementation of LDAP version 3. Oracle's Single Sign-On (SSO) is
an application that uses OID to authenticate users. SSO provides
the capability for a user to provide his credentials once and then
be authenticated automatically as he moves between applications.
Delegated Administration Services provides application server
components with secure access to OID. Certificate Authority issues
and manages X.509v3-compliant certificates to secure email and
network connections. Directory Integration allows integration with
other directories (e.g. ADS, SunONE). Provisioning Integration
provides automatic provisioning of users in the Oracle environment.
This is an excerpt from "Oracle
10g Application Server Administration Handbook" by Don Burleson
and John Garmany.