Wednesday, September 17, 2008

How to secure J2EE applications in OC4J with Oracle SSO

JAAS Providers
To secure web applications, OC4J uses the Oracle Application Server Java Authentication and Authorization Service (JAAS), which supports two provider types:
1. JAZN-XML
This provider type keeps the user repository in an XML file on the file system. The repository can be maintained with a text editor or with the JAZN Admin tool:
% cd $ORACLE_HOME/j2ee/home
% java -jar jazn.jar -shell
2. JAZN-LDAP
This provider type stores user information as LDAP entries in Oracle Internet Directory (OID). Principals, roles and permissions can be browsed and maintained with any of the following:
1. Oracle Directory Manager (ODM)
2. JAZN Admin Tool
3. OID Delegated Administration Services (OIDDAS)
Of these, OIDDAS is the simplest to use.
When using SSO, OC4J must be configured with the JAZN-LDAP provider, because the SSO server authenticates users against the LDAP directory.
Steps
Step 1:
Using OIDDAS, create a privileged group in OID named "myTrustedUsers". Make this group available as a role.
Step 2: Navigate to
$ORACLE_HOME/j2ee/<OC4J_NAME>/application-deployments/<APPLICATION_NAME>/orion-application.xml
Add the following lines inside <orion-application>:

<jazn provider="LDAP" default-realm="companyname" location="ldap://hostname:portno">
    <property name="ldap.user" value="cn=orcladmin" />
    <property name="ldap.password" value="!welcome456" />
    <jazn-web-app auth-method="SSO" />
</jazn>
  • The hostname in the "location" URL must be that of the OID server used by the Infrastructure install.
  • The port value is listed in $ORACLE_HOME/install/portlist.ini.
  • "ldap.user" and "ldap.password" are the credentials OC4J binds to OID with, and they are written here in cleartext. cn=orcladmin is the OID superuser, so prefer a dedicated directory account with only the read access the application needs, and restrict read permission on orion-application.xml to the OC4J operating-system user.
  • The value for "default-realm" also needs to be appropriate to the site. You can find the default realm in the following way.

A simple way to verify the default-realm is to log in to the OIDDAS application at

http://<infra_host>:<port>/oiddas as "orcladmin" and create a new user.

After creating the user, locate it by clicking the "Users" tab and entering a query for the user's name. In the list returned, select the radio button to the left of the user entry and click the Edit button. Scroll to the bottom of the page returned, where you will find the section "Edit History" with information similar to the following:

Created By cn=orcladmin,cn=users,dc=company,dc=com

Created At March 24, 2004 6:23:50 PM EST

Last Modified By cn=orcladmin,cn=users,dc=company,dc=com

Last Modified At March 24, 2004 6:23:50 PM EST

Look at the distinguished name in the "Created By" entry. The default-realm value is the value of the first "dc=" component immediately to the right of cn=users; for the DN above it is "company".

Step 3:

Edit the following file to create a security role mapping:

$ORACLE_HOME/j2ee/<OC4J_NAME>/application-deployments/<APPLICATION_NAME>/<APPLICATION_NAME>/orion-web.xml

Add the following lines inside <orion-web-app>:

<security-role-mapping impliesAll="false" name="trustedUsers">
    <group name="myTrustedUsers"/>
</security-role-mapping>

<jazn-web-app auth-method="SSO"/>

The <security-role-mapping> maps the *logical* role "trustedUsers" (the name the application uses) to the physical group "myTrustedUsers" held in the LDAP repository. Keep impliesAll="false": setting it to "true" grants the role to every authenticated user regardless of group membership.

Step 4:

Now reference the role created in Step 3 in the following file:

$ORACLE_HOME/j2ee/<OC4J_NAME>/applications/<APPLICATION_NAME>/<APPLICATION_NAME>/WEB-INF/web.xml

A) Add a <security-constraint> under <web-app> as shown below:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>protected</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>trustedUsers</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

B) Declare the <security-role> under <web-app> as shown below:

<security-role>
    <role-name>trustedUsers</role-name>
</security-role>

Now every URL in the application is first redirected to the SSO server for authentication, and only users who are members of myTrustedUsers are admitted. Two things to check: the <role-name> in web.xml must be exactly the name used in <security-role-mapping>, otherwise nobody is authorised; and <transport-guarantee>NONE</transport-guarantee> lets the protected pages, and the cookies the browser sends with them, travel over plain HTTP, so set it to CONFIDENTIAL if the application must only be reached over HTTPS.
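As an added check (example code written for this post, not Oracle's or the OC4J tooling), the script below parses the three descriptors from Steps 2 to 4 and reports the mistakes that most often leave an SSO-protected application either open or returning 403 to everyone: a non-LDAP provider, a missing auth-method="SSO", a role used in web.xml that is not declared or not mapped to a group in orion-web.xml, a bind as the OID superuser, and a transport-guarantee other than CONFIDENTIAL. It also applies the Step 2 rule for deriving default-realm from a user DN. The three XML strings are constructed copies of the fragments above; the host, port, realm and password in them are placeholders.

```python
"""Consistency check for the OC4J/OID SSO descriptor chain set up in Steps 1-4."""
import xml.etree.ElementTree as ET

# Constructed sample descriptors mirroring the post's fragments. The host, port,
# realm and password are placeholders, not a real deployment.
ORION_APPLICATION_XML = """<orion-application>
  <jazn provider="LDAP" default-realm="companyname" location="ldap://oidhost:389">
    <property name="ldap.user" value="cn=orcladmin"/>
    <property name="ldap.password" value="!welcome456"/>
    <jazn-web-app auth-method="SSO"/>
  </jazn>
</orion-application>"""

ORION_WEB_XML = """<orion-web-app>
  <security-role-mapping impliesAll="false" name="trustedUsers">
    <group name="myTrustedUsers"/>
  </security-role-mapping>
  <jazn-web-app auth-method="SSO"/>
</orion-web-app>"""

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>protected</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>trustedUsers</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-role>
    <role-name>trustedUsers</role-name>
  </security-role>
</web-app>"""


def realm_from_dn(dn):
    """Step 2 rule: default-realm is the first dc= value to the right of cn=users."""
    rdns = [r.strip() for r in dn.split(",")]
    lowered = [r.lower() for r in rdns]
    if "cn=users" not in lowered:
        return None
    for rdn in rdns[lowered.index("cn=users") + 1:]:
        if rdn.lower().startswith("dc="):
            return rdn.split("=", 1)[1]
    return None


def check_descriptors(orion_app_xml, orion_web_xml, web_xml):
    """Return a list of findings; an empty list means the three files agree."""
    findings = []
    app = ET.fromstring(orion_app_xml)
    orion_web = ET.fromstring(orion_web_xml)
    web = ET.fromstring(web_xml)

    # SSO needs the LDAP provider and auth-method="SSO" in one of the orion files.
    jazn = app.find("jazn")
    if jazn is None or jazn.get("provider") != "LDAP":
        findings.append("jazn provider must be LDAP for SSO")
    auth_methods = {e.get("auth-method") for e in app.iter("jazn-web-app")}
    auth_methods |= {e.get("auth-method") for e in orion_web.iter("jazn-web-app")}
    if "SSO" not in auth_methods:
        findings.append('no <jazn-web-app auth-method="SSO"/> in either orion descriptor')

    # Binding as the OID superuser gives the application far more than it needs.
    for prop in app.iter("property"):
        if prop.get("name") == "ldap.user" and prop.get("value", "").lower() == "cn=orcladmin":
            findings.append("ldap.user is the OID superuser cn=orcladmin; bind with a least-privilege account")

    # Every role named in an auth-constraint must be declared in web.xml and
    # mapped to at least one LDAP group in orion-web.xml, or access fails closed.
    declared = {r.findtext("role-name", "").strip() for r in web.iter("security-role")}
    mapped = {m.get("name"): [g.get("name") for g in m.iter("group")]
              for m in orion_web.iter("security-role-mapping")}
    for sc in web.iter("security-constraint"):
        for role in sc.iter("role-name"):
            name = (role.text or "").strip()
            if name not in declared:
                findings.append(f"role {name} used in auth-constraint but not declared in <security-role>")
            if not mapped.get(name):
                findings.append(f"role {name} is not mapped to any LDAP group in orion-web.xml")
        guarantee = sc.findtext("user-data-constraint/transport-guarantee", "NONE").strip()
        if guarantee != "CONFIDENTIAL":
            findings.append(f"transport-guarantee is {guarantee}; protected URLs may be served over plain HTTP")
    return findings


if __name__ == "__main__":
    print("default-realm:", realm_from_dn("cn=orcladmin,cn=users,dc=company,dc=com"))
    for finding in check_descriptors(ORION_APPLICATION_XML, ORION_WEB_XML, WEB_XML):
        print("-", finding)
```

Run against the post's own fragments it reports two findings (the superuser bind and the NONE transport guarantee); renaming the role in web.xml without touching orion-web.xml adds a third, which is the silent misconfiguration that makes every user get 403 after a successful SSO login. Point the three constants at the real files under $ORACLE_HOME to use it on a deployment.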
