Lesson 15: Adding JAAS Security to the Client
Copyright © 2004, Oracle. All rights reserved.


Objectives

After completing this lesson, you should be able to do the following:
• Describe how Java Authentication and Authorization Services (JAAS) works in a Web application
• Use JAAS to add security to an application
• Add users and roles to an application deployment descriptor
• Add JAAS security to a Web application


JAAS Provider

• The JAAS provider supports:
  – Storage, retrieval, and administration of:
    - Realm information (users and roles)
    - Policy (permissions)
  – Multiple repositories:
    - XML based
    - LDAP based
  – Login modules
• It works with the J2EE declarative security model:
  – Is part of the deployment model
  – Requires little or no programming


Defining Security Needs

• Determine the logical roles in an application:
  – Customer
  – Buyer
  – Administrator
• Determine authorization constraints: who can perform which actions.
• Decide the provider type:
  – XML-based flat file
  – LDAP (Oracle Internet Directory)
• Map security roles to users and groups.


Oracle JAAS Implementation: JAZN

• OracleAS Containers for J2EE (OC4J) implements a JAAS provider called JAZN.
• The Oracle provider supports:
  – Integration with single sign-on (SSO)
  – Access control through Java 2 permissions
  – Secure file-based storage of user passwords
• JAZNUserManager:
  – Obfuscates passwords in flat-file storage
  – Supports full role-based access control
  – Fully supports the Java 2 permissions model


Client Authentication

• Authentication:
  – Determines who clients are
  – Can they prove it?
• JAAS integrates any number of authentication schemes, for example:
  – SSO: Uses OracleAS Single Sign-On
  – SSL: Uses Secure Sockets Layer (SSL) for client certificate-based authentication
  – Basic authentication: Prompts for username and password
  – Write your own login module.


Client Authorization

• Client authorization is specified in J2EE deployment descriptors.
• Every client obtains a security principal.
• A client can invoke a URL or a method only if the client's role has the associated rights.
• The J2EE container enforces security policies and provides tools for managing security.
• Struts includes roles at the "node" level.


Basic Authentication Scenario

[Diagram: the components shown are the HTTP client, the HTTP Server, Oracle Containers for J2EE hosting the WebApp (Servlet 1 and Servlet 2), the OracleAS JAZN Provider, JAZNUserManager, OracleAS JAAS, and the JAAS Policy.]


Adding JAAS Security to an Application

• JDeveloper provides a dialog box to help add JAAS security to an application.
• By using the dialog box, you do not have to edit the XML files directly.
• Security settings are maintained in the web.xml file.
• Access the settings:
  – Right-click web.xml in the Applications Navigator.
  – Select Properties from the context menu.


Adding Authorization Information to Struts

• The Struts configuration includes an authorization scheme.

• The scheme specifies authorization at the node level.

• Specify the authorized role in the Property Inspector.


web.xml Properties

To implement JAAS security, modify:
• Security roles: Add the security role that you want to use.
• Add a Web resource:
  – Specify any unique name.
  – Add a URL pattern to validate.
  – On the Authorizations tabbed page, select the user role.


web.xml Results

<web-app>
  …
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>TestApplication</web-resource-name>
      <url-pattern>/</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>users</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>users</role-name>
  </security-role>
</web-app>


Adding Users and Roles

• JDeveloper provides a wizard interface to the jazn-data.xml file.

• Select Tools > Embedded OC4J Server Preferences.


Adding Users


Managing Roles


Selecting a Specific jazn-data.xml File

• JDeveloper allows you to specify which JAZN file to use at runtime in the application configuration.
• To change files:
  – Right-click the application module.
  – Select Configurations.
  – Edit the jbo.security.config property.
  – Enter the path to your jazn-data.xml file.
• This gives you testing and deployment flexibility.
• To use LDAP, change the jazn.xml file.
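As an added illustration (not part of the Oracle course material), the following Python models how the container applies the security-constraint from the "web.xml Results" slide to a request, with the caller's roles resolved from a jazn-data.xml realm as described under "Adding Users and Roles". The realm file is constructed here; its element layout, the "!" cleartext-credential prefix and the user names are assumptions, not taken from the course.

```python
# Added example, not from the Oracle course: models how a J2EE container applies
# web.xml declarative security, with roles looked up in a JAZN realm. JAZN_DATA is
# constructed; its layout and the "!" cleartext prefix are assumed OC4J conventions.
import xml.etree.ElementTree as ET

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>TestApplication</web-resource-name>
      <url-pattern>/</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>users</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>users</role-name></security-role>
</web-app>"""

JAZN_DATA = """<jazn-data><jazn-realm><realm><name>jazn.com</name>
  <users><user><name>scott</name><credentials>!tiger</credentials></user>
         <user><name>guest</name><credentials>!welcome</credentials></user></users>
  <roles><role><name>users</name><members>
    <member><type>user</type><name>scott</name></member></members></role></roles>
</realm></jazn-realm></jazn-data>"""

def roles_of(jazn_xml, user):
    """Realm lookup: the roles whose member list names this user."""
    return {r.findtext("name") for r in ET.fromstring(jazn_xml).iter("role")
            if any(m.findtext("type") == "user" and m.findtext("name") == user
                   for m in r.iter("member"))}

def matches(pattern, path):
    """Servlet url-pattern rules: exact, path prefix (/x/*), extension (*.y), default (/)."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path or pattern == "/"

def is_authorized(web_xml, path, roles):
    """Deny when a constraint covering the path lists no role the caller holds.
    Simplified: all matching constraints apply (a container keeps the best match)."""
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        if not any(matches(p.text, path) for p in sc.iter("url-pattern")):
            continue
        ac = sc.find("auth-constraint")
        if ac is None:                   # no auth-constraint: resource is open
            continue
        allowed = {r.text for r in ac.iter("role-name")}
        if not allowed & roles:          # empty <auth-constraint/> denies everyone
            return False
    return True
```

With the slide's descriptor, every URL is covered by the "/" pattern, so a user who is not a member of the "users" role in the realm is refused even after authenticating.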


Running the Application

• Test the application.
• The browser prompts for username and password.
• The application is opened if the user is authenticated and authorized.
• If either fails, the application is not authorized to run.


Summary

In this lesson, you should have learned how to:
• Use JAAS to add security to an application
• Add users and roles to an application deployment descriptor
• Add JAAS security to a Web application
• Describe how JAAS works in a Web application