Oracle9iAS Containers for J2EE Services Guide
Release 2 (9.0.2)

Part Number A95879-01

6 Integrating the JAAS Provider with Java2 Applications

This chapter describes how the JAAS provider is integrated with applications developed for Java2 environments in Oracle9iAS Containers for J2EE (OC4J).

This chapter contains these topics:

  • Java2 Application Environments Overview

  • Oracle Components Available on the Java2 Platform

  • JAAS Provider Integration in J2SE Application Environments

  • JAAS Provider Integration in J2EE Application Environments

  • J2EE and JAAS Provider Role Mapping

  • How Do I Get Started?

Java2 Application Environments Overview

The JAAS provider integrates into applications developed for the following Java2 environments:

  • Java2 Platform, Standard Edition (J2SE)

  • Java2 Platform, Enterprise Edition (J2EE)

Oracle Components Available on the Java2 Platform

When the JAAS provider is integrated with applications developed for the Java2 Platform, the following Oracle components are available to developers:

JAAS Provider Integration in J2SE Application Environments

Figure 6-1 provides an overview of an application running in a J2SE environment.

Figure 6-1 Oracle Component Integration in J2SE Environment


A Typical Scenario in the J2SE Environment

This section describes the responsibilities of the Oracle components illustrated in Figure 6-1 when a client request is initiated.

  1. A client attempts to access a local, desktop application.

  2. RealmLoginModule or another LoginModule authenticates the client's login attempt.

  3. The application's code attempts a protected operation, for example writing to a file, which calls SecurityManager.checkPermission(). The Java virtual machine (JVM) examines the authorization context associated with the current thread, consults the JAAS provider policy, determines that the current subject has the required permission to write to the file, and checkPermission() returns without throwing an exception.

    See Also:

    Your Sun Java documentation, for more information on J2SE, at the following URL:

    http://java.sun.com/j2se/

JAAS Provider Integration in J2EE Application Environments

When the JAAS provider is integrated with applications developed for the J2EE environment, the functionality of the J2SE environment extends to the enterprise level. Additional features in the J2EE environment include:

Oracle9iAS Containers for J2EE (OC4J)

OC4J is a key component of the JAAS provider integration in the J2EE environment. OC4J is a Web container that accepts HTTP and RMI client connections. These connections permit access to servlets, Java Server Pages (JSPs), and Enterprise JavaBeans (EJBs).

J2EE containers separate business logic from resource and lifecycle management. This enables developers to focus on writing business logic, rather than writing enterprise infrastructure. For example, Java servlets simplify Web development by providing an infrastructure for component, communication, and session management in a Web container integrated with a Web server.

The JAAS provider is also integrated with OC4J to enhance application security. This integration provides the following benefits:

JAZNUserManager

Another key component of JAAS provider integration in the J2EE environment is JAZNUserManager. JAZNUserManager is an implementation of the OC4J UserManager interface.

Replacing principals.xml

JAZNUserManager permits secure replacement for or migration from the OC4J principals.xml file with the following:

JAZNUserManager Features

In addition to the features mentioned in "Replacing principals.xml", JAZNUserManager provides many other features, including:

Figure 6-2 provides an overview of an application running in a J2EE environment.

Figure 6-2 J2EE Application Model


Authentication Environments

The JAAS provider integrates with three different login authentication environments in J2EE applications:

  • Oracle9iAS Single Sign-On (SSO)

  • SSL

  • Basic authentication

The following sections discuss how the JAAS provider integrates with each of these authentication types.

See Also:

Chapter 7 of the Oracle9i Application Server Security Guide for information on configuring authentication methods

Integrating the JAAS Provider with SSO-Enabled Applications

SSO lets a user access multiple accounts and applications with a single set of login credentials. Figure 6-3 shows JAAS provider integration in an application running in an SSO-enabled J2EE environment.

Figure 6-3 Oracle Component Integration in SSO-Enabled J2EE Environments


SSO-Enabled J2EE Environments: A Typical Scenario

This section describes the responsibilities of Oracle components when an HTTP client request is initiated in an SSO-enabled J2EE environment.

  1. An HTTP client attempts to access a Web application (named WebApp A1) hosted by OC4J (the Web container for executing servlets). Oracle HTTP Server (using an Apache listener) handles the request.

  2. mod_osso/Oracle HTTP Server receives the request and:

    • Determines that the WebApp A1 application requires Web-based SSO for authenticating HTTP clients

    • Redirects the HTTP client to Oracle9iAS Single Sign-On, because the client has not yet been authenticated

  3. The HTTP client is authenticated by Oracle9iAS Single Sign-On through HTTP or public key infrastructure (PKI) authentication. Oracle9iAS Single Sign-On then:

    • Validates the user's stored login credentials

    • Sets the SSO cookie (including the user's distinguished name and realm)

    • Redirects back to the WebApp A1 application (in OC4J)

  4. The JAAS provider retrieves the SSO user.

  5. The final step or steps depend on the setting of the runas-mode in the jazn-web-app element.

    If the runas-mode is set to false, then the following happens:

    1. The target servlet is invoked.

    If the runas-mode is set to true, then the following happens:

    1. The JAAS provider invokes the target servlet's service() method within a PrivilegedAction block through Subject.doAs(). The JAZNUserManager enforces security constraints.

      • When Subject.doAs() is called, JAAS consults the provider for permissions associated with the SSO user through the getPermissions() method.

      • The provider retrieves the permissions associated with the given grantee from the provider type (Oracle Internet Directory or XML-based), and updates the policy cache as appropriate. The provider then returns the granted set of permissions to JAAS runtime.

      • JAAS runtime constructs a new AccessControlContext based on the permissions returned from getPermissions().

    2. The servlet's code runs under the AccessControlContext of the SSO user.

    3. The servlet's code attempts to write to a file in the operating system's file system, triggering a call to SecurityManager.checkPermission().

    4. The JVM then:

      • Examines the authorization context associated with the current thread

      • Determines that the current subject has the required permissions to write to the file

    5. SecurityManager.checkPermission() returns safely and the client HTTP request proceeds.

Integrating the JAAS Provider with SSL-Enabled Applications

SSL is an industry standard protocol for managing the security of message transmission on the Internet. Figure 6-4 shows the JAAS provider integration in an application running in an SSL-enabled J2EE environment.

Figure 6-4 Oracle Component Integration in SSL-Enabled J2EE Environments


SSL-Enabled J2EE Environments: A Typical Scenario

This section describes the responsibilities of Oracle components when an HTTP client request is initiated in an SSL-enabled J2EE environment. In this environment, Oracle9iAS Single Sign-On is not used. A login module (for example, RealmLoginModule) is used.

  1. An HTTP client attempts to access a Web application (named WebApp A1) hosted by OC4J (the Web container for executing servlets). Oracle HTTP Server (using an Apache listener) handles the request.

  2. mod_ossl/Oracle HTTP Server receives the request and determines that the WebApp A1 application requires SSL server authentication for HTTP clients.

  3. If a server and/or client wallet certificate is configured, the HTTP client is prompted to accept the server certificate and provide the client certificate.

  4. The JAAS provider retrieves the SSL client certificate.

  5. The JAAS provider retrieves the SSL user.

  6. The final step or steps depend on the setting of the runas-mode in the jazn-web-app element.

    If the runas-mode is set to false, then the following happens:

    1. The target servlet is invoked.

    If the runas-mode is set to true, then the following happens:

    1. The JAAS provider invokes the target servlet's service() method within a PrivilegedAction block through Subject.doAs(). The JAZNUserManager enforces security constraints.

      • When Subject.doAs() is called, JAAS consults the provider for permissions associated with the SSL user through the getPermissions() method.

      • The provider retrieves the permissions associated with the given grantee from the provider type (Oracle Internet Directory or XML-based), and updates the policy cache as appropriate. The provider then returns the granted set of permissions to JAAS runtime.

      • JAAS runtime constructs a new AccessControlContext based on the permissions returned from getPermissions().

    2. The servlet's code runs under the AccessControlContext of the SSL user.

    3. The servlet's code attempts to write to a file in the operating system's file system, triggering a call to SecurityManager.checkPermission().

    4. The JVM then:

      • Examines the authorization context associated with the current thread

      • Determines that the current subject has the required permissions to write to the file

    5. SecurityManager.checkPermission() returns safely and the client HTTP request proceeds.

Integrating the JAAS Provider with Basic Authentication

Basic authentication bypasses Oracle9iAS Single Sign-On. Figure 6-5 shows specific JAAS provider integration in an application configured for Basic authentication in a J2EE environment.

Figure 6-5 Oracle Component Integration in J2EE Environment


Basic Authentication J2EE Environments: A Typical Scenario

This section describes the responsibilities of Oracle components when an HTTP client request is initiated in a J2EE environment configured for Basic authentication. In this environment, Oracle9iAS Single Sign-On is not used. A login module (for example, RealmLoginModule) is used.


Note:

If you have configured BASIC authentication, OC4J invokes the RealmLoginModule whenever user credentials are required. For example, when a request reaches a protected page, OC4J asks the JAAS provider to authenticate the user, and the RealmLoginModule is invoked to do so using the credentials the browser sent over HTTP. Those credentials travel Base64-encoded in the Authorization header, not encrypted, so serve Basic-protected pages over SSL.


  1. An HTTP client attempts to access a Web application (named WebApp A1) hosted by OC4J (the Web container for executing servlets). The OC4J listener handles the request.

  2. The JAAS provider retrieves the user.

  3. The final step or steps depend on the setting of the runas-mode in the jazn-web-app element.

    If the runas-mode is set to false, then the following happens:

    1. The target servlet is invoked.

    If the runas-mode is set to true, then the following happens:

    1. The JAAS provider invokes the target servlet's service() method within a PrivilegedAction block through Subject.doAs(). The JAZNUserManager enforces security constraints.

      • When Subject.doAs() is called, JAAS consults the provider for permissions associated with the user through the getPermissions() method.

      • The provider retrieves the permissions associated with the given grantee from the provider type (Oracle Internet Directory or XML-based), and updates the policy cache as appropriate. The provider then returns the granted set of permissions to JAAS runtime.

      • JAAS runtime constructs a new AccessControlContext based on the permissions returned from getPermissions().

    2. The servlet's code runs under the AccessControlContext of the user.

    3. The servlet's code attempts to write to a file in the operating system's file system, triggering a call to SecurityManager.checkPermission().

    4. The JVM then:

      • Examines the authorization context associated with the current thread

      • Determines that the current subject has the required permissions to write to the file

    5. SecurityManager.checkPermission() returns safely and the client HTTP request proceeds.
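The runas-mode=true steps shared by the SSO, SSL and Basic scenarios above (and the checkPermission() step of the J2SE scenario) reduce to standard JAAS calls, shown here as an added example that is not code from this guide or from OC4J: a toy Policy stands in for the JAAS provider's permission store, Subject.doAs() runs the would-be servlet body under the user's AccessControlContext, and the permission check either returns or throws. The file path, the ProviderPolicy class and the DNs CN=john and CN=mary are assumptions. It needs a JDK on which a SecurityManager can still be installed: JDK 8 to 17 as is, JDK 18 to 23 with -Djava.security.manager=allow; JDK 24 removed the SecurityManager (JEP 486).

```java
import java.io.FilePermission;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Policy;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.AuthPermission;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

public class RunAsDemo {

    // Hypothetical file the servlet code wants to write.
    static final FilePermission WRITE_REPORT = new FilePermission("/tmp/report.txt", "write");

    // Stand-in for the provider's policy store: the file write is granted only to the DN CN=john.
    // Every domain also gets the AuthPermission that Subject.doAs() itself checks under a SecurityManager.
    static final class ProviderPolicy extends Policy {
        public PermissionCollection getPermissions(ProtectionDomain domain) {
            Permissions perms = new Permissions();
            perms.add(new AuthPermission("doAs"));
            Principal[] principals = domain.getPrincipals();   // filled in by Subject.doAs(), empty otherwise
            if (principals != null) {
                for (Principal p : principals) {
                    if (p instanceof X500Principal && "CN=john".equalsIgnoreCase(p.getName())) perms.add(WRITE_REPORT);
                }
            }
            return perms;
        }
        public boolean implies(ProtectionDomain domain, Permission permission) {
            return getPermissions(domain).implies(permission);
        }
    }

    // The authenticated user as the SSO, SSL or Basic steps deliver it: a Subject carrying the user's DN.
    static Subject subjectFor(String dn) {
        Set<Principal> principals = new HashSet<Principal>();
        principals.add(new X500Principal(dn));
        return new Subject(true, principals, Collections.emptySet(), Collections.emptySet());
    }

    // runas-mode=true: the "servlet" body runs inside Subject.doAs(). The JAAS runtime copies the Subject's
    // principals into every ProtectionDomain of the new AccessControlContext, so the Policy sees them at check time.
    static boolean canWriteAs(String dn) {
        return Subject.doAs(subjectFor(dn), new PrivilegedAction<Boolean>() {
            public Boolean run() {
                try {
                    // SecurityManager.checkPermission(), which the real file write would call, delegates here.
                    AccessController.checkPermission(WRITE_REPORT);
                    return Boolean.TRUE;
                } catch (AccessControlException e) {
                    return Boolean.FALSE;
                }
            }
        });
    }

    public static void main(String[] args) {
        Policy.setPolicy(new ProviderPolicy());
        System.setSecurityManager(new SecurityManager());
        System.out.printf("%s may write: %s%n", "CN=john", canWriteAs("CN=john"));   // true
        System.out.printf("%s may write: %s%n", "CN=mary", canWriteAs("CN=mary"));   // false
    }
}
```

The point to check in a deployment is the runas-mode=false branch: there the servlet runs under the container's own AccessControlContext, so a permission granted to the container's code applies to every caller, and the per-user decision above never happens.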

J2EE and JAAS Provider Role Mapping

Two distinct role types are available to application developers creating JAAS provider-integrated applications in J2EE environments: J2EE roles and JAAS provider roles. When these role types are mapped together using OC4J group mappings, users can access an application with a defined set of role permissions for as long as the user is mapped to the role.

This section describes these role types and how they are mapped together.

J2EE Security Roles

The J2EE development environment includes a portable security roles feature defined in the web.xml file for servlets and Java Server Pages (JSPs). Security roles define a set of resource access permissions for an application. Associating a principal (in this case, a JAAS provider user or role) with a security role assigns the defined access permissions to that principal for as long as the principal is mapped to the role. For example, an application defines a security role called sr_developer:

<security-role>
    <role-name>sr_developer</role-name>
</security-role>
 

You also define which resources require the sr_developer role, through a security-constraint:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>access to the entire application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- authorization -->
    <auth-constraint>
        <role-name>sr_developer</role-name>
    </auth-constraint>
</security-constraint>

JAAS Provider Roles and Users

JAAS provider roles and users are defined in the provider type in use: LDAP-based (Oracle Internet Directory) or XML-based (jazn-data.xml).

For example, with the XML-based provider type, developer is listed as a role element in the jazn-data.xml file:

<role>
    <name>developer</name>
    <members>
        <member>
            <type>user</type>
            <name>john</name>
        </member>
    </members>
</role>

OC4J Group Mapping to J2EE Security Roles

OC4J enables you to map the portable J2EE security roles defined in web.xml to groups in the orion-application.xml file.

The groups named in orion-application.xml are the roles defined in your provider environment (here, the developer role from jazn-data.xml); the mapping from a J2EE security role to such a group is declared in orion-application.xml.

For example, the sr_developer security role is mapped to the group named developer.

<security-role-mapping name="sr_developer">
    <group name="developer" />
</security-role-mapping>

This association permits the developer group to access the resources allowed for the sr_developer security role.

User john is listed as a member of the developer role. Because the developer group is mapped to the J2EE security role sr_developer in the orion-application.xml file, john has access to the application resources defined by the sr_developer role.
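A resolver for the mapping chain above (jazn-data.xml member, orion-application.xml group mapping, web.xml auth-constraint), as an added example that is not code from this guide or from OC4J: it parses the three fragments with the JDK's DOM parser and answers whether a user can reach a path. The sample descriptors are constructed here from the fragments in this section, with the enclosing elements abbreviated to what the resolver reads; the URL-pattern matcher covers the three servlet pattern forms, not just the /* shown above.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class RoleChainCheck {

    // Constructed descriptors carrying the fragments from this section (outer elements abbreviated).
    static final String JAZN_DATA = "<jazn-data><roles><role><name>developer</name><members>"
        + "<member><type>user</type><name>john</name></member></members></role></roles></jazn-data>";
    static final String ORION_APP = "<orion-application><security-role-mapping name=\"sr_developer\">"
        + "<group name=\"developer\"/></security-role-mapping></orion-application>";
    static final String WEB_XML = "<web-app><security-role><role-name>sr_developer</role-name></security-role>"
        + "<security-constraint><web-resource-collection><web-resource-name>access to the entire application"
        + "</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection>"
        + "<auth-constraint><role-name>sr_developer</role-name></auth-constraint></security-constraint></web-app>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Descriptors arrive inside deployment archives: refuse DOCTYPEs so entity expansion and XXE cannot occur.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    static List<Element> elements(Element root, String tag) {
        NodeList nl = root.getElementsByTagName(tag);
        List<Element> out = new ArrayList<Element>();
        for (int i = 0; i < nl.getLength(); i++) out.add((Element) nl.item(i));
        return out;
    }

    // Text of the first direct child named tag; a role's <name> must not be confused with its members' <name>s.
    static String childText(Element e, String tag) {
        for (Node n = e.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE && tag.equals(n.getNodeName())) return n.getTextContent().trim();
        }
        return null;
    }

    // jazn-data.xml: provider role name -> its user members
    static Map<String, Set<String>> providerGroups(Document jazn) {
        Map<String, Set<String>> groups = new HashMap<String, Set<String>>();
        for (Element role : elements(jazn.getDocumentElement(), "role")) {
            Set<String> users = new HashSet<String>();
            for (Element m : elements(role, "member")) {
                if ("user".equals(childText(m, "type"))) users.add(childText(m, "name"));
            }
            groups.put(childText(role, "name"), users);
        }
        return groups;
    }

    // orion-application.xml: the J2EE security roles whose mapped groups contain the user
    static Set<String> j2eeRolesOf(String user, Document orion, Map<String, Set<String>> groups) {
        Set<String> roles = new HashSet<String>();
        for (Element srm : elements(orion.getDocumentElement(), "security-role-mapping")) {
            for (Element g : elements(srm, "group")) {
                Set<String> members = groups.get(g.getAttribute("name"));
                if (members != null && members.contains(user)) roles.add(srm.getAttribute("name"));
            }
        }
        return roles;
    }

    // Servlet URL-pattern matching: exact, path prefix ("/admin/*", "/*") or extension ("*.jsp").
    static boolean matches(String pattern, String path) {
        if (pattern.equals(path)) return true;
        if (pattern.endsWith("/*")) {
            String prefix = pattern.substring(0, pattern.length() - 2);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        return pattern.startsWith("*.") && path.endsWith(pattern.substring(1));
    }

    // web.xml: a path no constraint matches, or a constraint without <auth-constraint>, is open to anyone;
    // otherwise the user needs one of the listed roles, and an empty <auth-constraint/> admits nobody.
    static boolean userMayAccess(String user, String path) throws Exception {
        Set<String> roles = j2eeRolesOf(user, parse(ORION_APP), providerGroups(parse(JAZN_DATA)));
        boolean constrained = false;
        for (Element sc : elements(parse(WEB_XML).getDocumentElement(), "security-constraint")) {
            boolean hit = false;
            for (Element p : elements(sc, "url-pattern")) hit |= matches(p.getTextContent().trim(), path);
            if (!hit) continue;
            List<Element> auth = elements(sc, "auth-constraint");
            if (auth.isEmpty()) return true;
            constrained = true;
            for (Element rn : elements(auth.get(0), "role-name")) {
                String name = rn.getTextContent().trim();   // "*" approximated as: any role the user holds
                if ("*".equals(name) ? !roles.isEmpty() : roles.contains(name)) return true;
            }
        }
        return !constrained;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("john -> /index.jsp: " + userMayAccess("john", "/index.jsp"));   // true
        System.out.println("mary -> /index.jsp: " + userMayAccess("mary", "/index.jsp"));   // false
    }
}
```

Run it with `java RoleChainCheck`: john reaches /index.jsp through developer and sr_developer, mary does not. Pointing the three constants at the descriptors of a real deployment gives a quick audit of who can reach which URL patterns before relying on the declarative constraint.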

How Do I Get Started?

You are now ready to get started with the JAAS Provider. To get started quickly, follow the sections in Table 6-1 in the exact order listed:

Table 6-1 Getting Started with the JAAS Provider

  To: Identify and install the JAAS provider components required for applications developed in the J2SE and J2EE environments
  See: The Oracle9i Application Server Installation Guide for your operating system

  To: Configure the JAAS provider after installation
  See: Chapter 7 of the Oracle9i Application Server Security Guide

  To: Create realms and associated components with the provider
  See: Chapter 7, "Managing the JAAS Provider"

  To: Create secure J2SE and J2EE applications with the JAAS provider
  See: Chapter 8, "Developing Secure J2SE Applications"; Chapter 9, "Developing Secure J2EE Applications"


Copyright © 2002 Oracle Corporation. All Rights Reserved.