15 copyright © 2004, oracle. all rights reserved. adding jaas security to the client
DESCRIPTION
15-3 Copyright © 2004, Oracle. All rights reserved. JAAS Provider The JAAS provider supports: –Storage, retrieval, and administration of: - Realm information (users and roles) - Policy (permissions) –Multiple repositories: - XML based - LDAP based –Login modules It works with J2EE declarative security model: –Is part of the deployment model –Requires little or no programmingTRANSCRIPT
15Copyright © 2004, Oracle. All rights reserved.
Adding JAAS Security to the Client
15-2 Copyright © 2004, Oracle. All rights reserved.
Objectives
After completing this lesson, you should be able to do the following:• Describe how Java Authentication and
Authorization Services (JAAS) works in a Web application
• Use JAAS to add security to an application• Add users and roles to an application deployment
descriptor• Add JAAS security to a Web application
15-3 Copyright © 2004, Oracle. All rights reserved.
JAAS Provider
• The JAAS provider supports:– Storage, retrieval, and administration of:
- Realm information (users and roles)- Policy (permissions)
– Multiple repositories:- XML based- LDAP based
– Login modules• It works with J2EE declarative security model:
– Is part of the deployment model– Requires little or no programming
15-4 Copyright © 2004, Oracle. All rights reserved.
Defining Security Needs
• Determine the logical roles in an application:– Customer– Buyer– Administrator
• Determine authorization constraints: Who can do what actions.
• Decide provider type:– XML- based flat file– LDAP (Oracle Internet Directory)
• Map security roles to users and groups.
15-5 Copyright © 2004, Oracle. All rights reserved.
Oracle JAAS Implementation: JAZN
• OracleAS Containers for J2EE (OC4J) implement a JAAS provider called JAZN.
• The Oracle provider supports:– Integration with single sign-on (SSO)– Access control through Java 2 permissions– Secure file-based storage of user passwords
• JAZNUserManager– Obfuscates passwords in flat file storage– Supports full role-based access control– Supports full support for Java 2 permissions model
15-6 Copyright © 2004, Oracle. All rights reserved.
Client Authentication
• Authentication:– Determines who clients are– Can they prove it?
• JAAS integrates any number of authentication schemes, for example:– SSO: Uses OracleAS Single Sign-On– SSL: Uses secure sockets layer (SSL) for client
certificate-based authentication– Basic authentication: Prompts for username and
password– Write your own login module.
15-7 Copyright © 2004, Oracle. All rights reserved.
Client Authorization
• Client authorization is specified in J2EE deployment descriptors.
• Every client obtains a security principal.• A client can invoke a URL or a method only if the
client’s role has the associated rights.• The J2EE container enforces security policies and
provides tools for managing security.• Struts includes roles at the “node” level.
15-8 Copyright © 2004, Oracle. All rights reserved.
Basic Authentication Scenario
WebApp
Servlet 2
OracleAS JAAS
JAASOracleAS
JAAS Policy
Oracle Containers for J2EE
OracleAS JAZN Provider
HTTP client
HTTP Server
JAZNUserManager
Servlet 1
15-9 Copyright © 2004, Oracle. All rights reserved.
Adding JAAS Security to an Application
• JDeveloper provides a dialog box to help add JAAS security to an application.
• By using the dialog box, you do not have to directly edit the XML files.
• Security settings are maintained in the web.xml file.
• Access the settings:– Right-click web.xml in the Applications Navigator.– Select properties from the context menu.
15-10 Copyright © 2004, Oracle. All rights reserved.
Adding Authorization Information to Struts
• The Struts configuration includes an authorization scheme.
• The scheme specifies authorization at the node level.
• Specify the authorized role in the Property Inspector.
15-11 Copyright © 2004, Oracle. All rights reserved.
web.xml Properties
To implement JAAS security, modify:• Security roles: Add the security role that you want
to use.• Add a Web resource:
– Specify any unique name.– Add a URL pattern to validate.– On the Authorizations tabbed page, select the user
role.
15-12 Copyright © 2004, Oracle. All rights reserved.
web.xml Results
<web-app>… <security-constraint> <web-resource-collection> <web-resource-name>TestApplication</web-resource-name> <url-pattern>/</url-pattern> </web-resource-collection> <auth-constraint> <role-name>users</role-name> </auth-constraint> </security-constraint> <security-role> <role-name>users</role-name> </security-role></web-app>
15-13 Copyright © 2004, Oracle. All rights reserved.
Adding Users and Roles
• JDeveloper provides a wizard interface to the jazn-data.xml file.
• Select Tools > Embedded OC4J Server Preferences.
15-14 Copyright © 2004, Oracle. All rights reserved.
Adding Users
15-15 Copyright © 2004, Oracle. All rights reserved.
Managing Roles
15-16 Copyright © 2004, Oracle. All rights reserved.
Selecting a Specific jazn-data.xml File
• JDeveloper allows you to specify which JAZN file to use at runtime in the application configuration.
• To change files:– Right-click the application module– Select configurations– Edit the jbo.security.config property– Enter the path to your jazn-data.xml file
• It gives you testing and deployment flexibility.• To use LDAP, change the jazn.xml file.
15-17 Copyright © 2004, Oracle. All rights reserved.
Running the Application
• Test the application.• The browser prompts
for username and password.
• The application is opened if the user is authenticated and authorized.
• If either fails, the application is not authorized to run.
15-18 Copyright © 2004, Oracle. All rights reserved.
Summary
In this lesson, you should have learned how to:• Use JAAS to add security to an application• Add users and roles to an application deployment
descriptor• Add JAAS security to a Web application• Describe how JAAS works in a Web application.