Wednesday, September 24, 2008

How to Integrate OracleAS JAAS Provider with Basic Authentication?

Basic Authentication in J2EE Environments
In this environment, OracleAS Single Sign-On is not used. A login module such as RealmLoginModule is used instead.

An HTTP client attempts to access a Web application hosted by OC4J. OC4J invokes the RealmLoginModule whenever user credentials are required. For example, when a user requests a protected page, OC4J asks the OracleAS JAAS Provider to authenticate the user. The RealmLoginModule is invoked to authenticate the user with the credentials the browser sent over HTTP.
The OracleAS JAAS Provider then retrieves the user. The following sections describe this in detail.

I. Authentication in the J2EE Environment
Authentication is the process of verifying the identity of a user in a computing system. In Oracle Application Server, authentication in the J2EE environment is performed by the following:
  • OracleAS Single Sign-On (for OracleAS Single Sign-On environments)
  • OracleAS JAAS Provider RealmLoginModule or other login module (for non-OracleAS Single Sign-On environments)
Retrieving Authentication Information
The following javax.servlet.HttpServletRequest APIs retrieve authentication information within the servlet.
  • getRemoteUser() for the authenticated user name
  • getAuthType() for the authentication scheme
  • getUserPrincipal() for the authenticated principal object
II. Authorization in the J2EE Environment
Authorization is the process of granting permissions and privileges to an authenticated user. Authorization is achieved through JAZNUserManager. The JAZNUserManager gets the authenticated user information (set by mod_osso) from the HTTP request object and sets the JAAS subject in OC4J.

Retrieving Authorization Information
  • Servlet.service() in the servlet
  • Subject.doAs() and Subject.doAsPrivileged() in the client
  • SecurityManager.checkPermission() in the server
III. Security Role Mapping
Two distinct role types are available to application developers creating secure applications in the J2EE environment: J2EE roles and JAAS roles.
This section describes these role types and how they are mapped together.
  • J2EE Security Roles
  • Deployment Roles and Users
  • OC4J Group Mapping to J2EE Security Roles
J2EE Security Roles

The J2EE development environment includes a portable security roles feature defined in the web.xml file for servlets and JavaServer Pages (JSP). For example, an application defines a security role called sr_developer:
<security-role>
  <role-name>sr_developer</role-name>
</security-role>


You also define the access permissions for the sr_developer role:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>access to the entire application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <!-- authorization -->
  <auth-constraint>
    <role-name>sr_developer</role-name>
  </auth-constraint>
</security-constraint>
Deployment Roles and Users
JAAS roles and users are defined depending on the provider type, LDAP-based or XML-based.
For example, with the XML-based provider type, developer is listed as a role in the jazn-data.xml file:
<role>
  <name>developer</name>
  <members>
    <member>
      <type>user</type>
      <name>john</name>
    </member>
  </members>
</role>
OC4J Group Mapping to J2EE Security Roles
OC4J enables you to map the portable J2EE security roles defined in web.xml to groups in the orion-application.xml file. The roles and users defined in your provider environment are mapped to the OC4J developer group in orion-application.xml.
For example, the sr_developer security role is mapped to the group named developer:
<security-role-mapping name="sr_developer">
  <group name="developer" />
</security-role-mapping>
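The post shows the role, the constraint and the group mapping separately but never the piece that actually selects Basic Authentication. The following web.xml, added here as an example and not taken from the post or from Oracle's documentation, ties the three sections together; the realm name jazn.com is assumed to be the realm declared in your jazn-data.xml.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the original post): a web.xml that wires the
     sr_developer role from the sections above to HTTP Basic Authentication.
     The realm name "jazn.com" is an assumption; use the realm name declared
     in your own jazn-data.xml. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- 1. Declare the portable role referenced by auth-constraint below.
          orion-application.xml maps it to the "developer" group, and
          jazn-data.xml lists user "john" as a member of that group. -->
  <security-role>
    <role-name>sr_developer</role-name>
  </security-role>

  <!-- 2. Protect the whole application: only sr_developer may enter. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>access to the entire application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>sr_developer</role-name>
    </auth-constraint>
    <!-- Basic Authentication sends the password base64-encoded, not
         encrypted, on every request. CONFIDENTIAL tells the container to
         refuse plain HTTP for these URLs (OC4J redirects to HTTPS), so the
         credentials are only ever transmitted over TLS. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- 3. Select Basic Authentication. The browser answers the 401 challenge
          with an "Authorization: Basic" header; OC4J passes the decoded
          credentials to the OracleAS JAAS Provider, which invokes
          RealmLoginModule against the named realm. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>jazn.com</realm-name>
  </login-config>

</web-app>
```

After deployment, a servlet behind this constraint sees getAuthType() return "BASIC", getRemoteUser() return "john", and isUserInRole("sr_developer") return true only because of the orion-application.xml mapping shown above.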
