Learn how to add Java Authentication and Authorization Services (JAAS) to a web application, including adding users, roles, and security settings. Explore the Oracle JAAS implementation, JAZN, and understand how to implement client authentication and authorization using JAAS and J2EE deployment descriptors.
Objectives
After completing this lesson, you should be able to do the following:
• Describe how Java Authentication and Authorization Services (JAAS) works in a Web application
• Use JAAS to add security to an application
• Add users and roles to an application deployment descriptor
• Add JAAS security to a Web application
JAAS Provider
The JAAS provider supports:
• Storage, retrieval, and administration of:
  - Realm information (users and roles)
  - Policy (permissions)
• Multiple repositories:
  - XML based
  - LDAP based
• Login modules
It works with the J2EE declarative security model:
• Is part of the deployment model
• Requires little or no programming
Defining Security Needs
• Determine the logical roles in an application:
  - Customer
  - Buyer
  - Administrator
• Determine authorization constraints: who can perform which actions.
• Decide the provider type:
  - XML-based flat file
  - LDAP (Oracle Internet Directory)
• Map security roles to users and groups.
Oracle JAAS Implementation: JAZN
• OracleAS Containers for J2EE (OC4J) implement a JAAS provider called JAZN.
• The Oracle provider supports:
  - Integration with single sign-on (SSO)
  - Access control through Java 2 permissions
  - Secure file-based storage of user passwords
• JAZNUserManager:
  - Obfuscates passwords in flat file storage
  - Supports full role-based access control
  - Provides full support for the Java 2 permissions model
Client Authentication
• Authentication:
  - Determines who clients are
  - Can they prove it?
• JAAS integrates any number of authentication schemes, for example:
  - SSO: Uses OracleAS Single Sign-On
  - SSL: Uses secure sockets layer (SSL) for client certificate-based authentication
  - Basic authentication: Prompts for username and password
  - Write your own login module.
Client Authorization
• Client authorization is specified in J2EE deployment descriptors.
• Every client obtains a security principal.
• A client can invoke a URL or a method only if the client's role has the associated rights.
• The J2EE container enforces security policies and provides tools for managing security.
• Struts includes roles at the "node" level.
Basic Authentication Scenario
(Diagram: an HTTP client reaches the OracleAS HTTP Server and the WebApp in Oracle Containers for J2EE, which contains Servlet 1 and Servlet 2; authentication and authorization are handled through JAAS by the OracleAS JAZN Provider, the OracleAS JAZNUserManager and the OracleAS JAAS Policy.)
Adding JAAS Security to an Application
• JDeveloper provides a dialog box to help add JAAS security to an application.
• By using the dialog box, you do not have to directly edit the XML files.
• Security settings are maintained in the web.xml file.
• Access the settings:
  - Right-click web.xml in the Applications Navigator.
  - Select Properties from the context menu.
Adding Authorization Information to Struts
• The Struts configuration includes an authorization scheme.
• The scheme specifies authorization at the node level.
• Specify the authorized role in the Property Inspector.
web.xml Properties
To implement JAAS security, modify:
• Security roles: Add the security role that you want to use.
• Add a Web resource:
  - Specify any unique name.
  - Add a URL pattern to validate.
  - On the Authorizations tabbed page, select the user role.
web.xml Results

```xml
<web-app>
  …
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>TestApplication</web-resource-name>
      <url-pattern>/</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>users</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>users</role-name>
  </security-role>
</web-app>
```
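To see what the container does with this descriptor, the following added example (not part of the lesson or of Oracle's JAZN code) parses the security-constraint above and evaluates an access decision the way the J2EE container does: a request whose path matches a constrained url-pattern is allowed only if the principal holds one of the listed roles. It uses only the Python standard library; the sample web.xml is constructed to match the slide, and the URL-pattern rules (exact, path prefix, extension, default) follow the servlet mapping rules in simplified form.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the deployment descriptor shown on the slide.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>TestApplication</web-resource-name>
      <url-pattern>/</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>users</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role><role-name>users</role-name></security-role>
</web-app>"""


def parse_constraints(xml_text):
    """Return [(url_patterns, roles)] per security-constraint.

    roles is None when the constraint has no auth-constraint (open to all);
    an empty list means an auth-constraint that names no role (denies all)."""
    out = []
    for sc in ET.fromstring(xml_text).findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.findall("web-resource-collection/url-pattern")]
        auth = sc.find("auth-constraint")
        roles = None if auth is None else [r.text.strip() for r in auth.findall("role-name")]
        out.append((patterns, roles))
    return out


def pattern_matches(pattern, path):
    """Servlet mapping rules, simplified: '/' is the default pattern and matches any path."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):                      # path-prefix mapping, e.g. /secure/*
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):                    # extension mapping, e.g. *.jsp
        return path.endswith(pattern[1:])
    return path == pattern                          # exact mapping


def is_authorized(constraints, path, principal_roles):
    """Container-style decision: unconstrained paths are open; otherwise a role must match."""
    matched = [roles for patterns, roles in constraints if any(pattern_matches(p, path) for p in patterns)]
    if not matched:
        return True
    if any(roles is None for roles in matched):    # some matching constraint is unrestricted
        return True
    allowed = {r for roles in matched for r in roles}
    return bool(allowed & set(principal_roles))     # unauthenticated callers have no roles
```

With the slide's descriptor, a principal in the users role is admitted to any path, while an unauthenticated caller or a principal holding only other roles is refused.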
Adding Users and Roles
• JDeveloper provides a wizard interface to the jazn-data.xml file.
• Select Tools > Embedded OC4J Server Preferences.
Selecting a Specific jazn-data.xml File
• JDeveloper allows you to specify which JAZN file to use at runtime in the application configuration.
• To change files:
  - Right-click the application module.
  - Select Configurations.
  - Edit the jbo.security.config property.
  - Enter the path to your jazn-data.xml file.
• It gives you testing and deployment flexibility.
• To use LDAP, change the jazn.xml file.
Running the Application
• Test the application.
• The browser prompts for a username and password.
• The application is opened if the user is authenticated and authorized.
• If either check fails, access to the application is denied.
Summary
In this lesson, you should have learned how to:
• Use JAAS to add security to an application
• Add users and roles to an application deployment descriptor
• Add JAAS security to a Web application
• Describe how JAAS works in a Web application