
15 Copyright © 2004, Oracle. All rights reserved. Adding JAAS Security to the Client.


Slide 1: Adding JAAS Security to the Client

Slide 2: Objectives
After completing this lesson, you should be able to do the following:
– Describe how Java Authentication and Authorization Services (JAAS) works in a Web application
– Use JAAS to add security to an application
– Add users and roles to an application deployment descriptor
– Add JAAS security to a Web application

Slide 3: JAAS Provider
The JAAS provider supports:
– Storage, retrieval, and administration of:
  - Realm information (users and roles)
  - Policy (permissions)
– Multiple repositories:
  - XML based
  - LDAP based
– Login modules
It works with the J2EE declarative security model:
– Is part of the deployment model
– Requires little or no programming

Slide 4: Defining Security Needs
Determine the logical roles in an application:
– Customer
– Buyer
– Administrator
Determine authorization constraints: who can perform which actions.
Decide the provider type:
– XML-based flat file
– LDAP (Oracle Internet Directory)
Map security roles to users and groups.

Slide 5: Oracle JAAS Implementation: JAZN
OracleAS Containers for J2EE (OC4J) implements a JAAS provider called JAZN. The Oracle provider supports:
– Integration with single sign-on (SSO)
– Access control through Java 2 permissions
– Secure file-based storage of user passwords
JAZNUserManager:
– Obfuscates passwords in flat-file storage
– Supports full role-based access control
– Provides full support for the Java 2 permissions model

Slide 6: Client Authentication
Authentication:
– Determines who clients are
– Can they prove it?
JAAS integrates any number of authentication schemes, for example:
– SSO: Uses OracleAS Single Sign-On
– SSL: Uses Secure Sockets Layer (SSL) for client certificate-based authentication
– Basic authentication: Prompts for username and password
– A login module you write yourself

Slide 7: Client Authorization
– Client authorization is specified in J2EE deployment descriptors.
– Every client obtains a security principal.
– A client can invoke a URL or a method only if the client’s role has the associated rights.
– The J2EE container enforces security policies and provides tools for managing security.
– Struts includes roles at the “node” level.

Slide 8: Basic Authentication Scenario
[diagram; components shown: HTTP client, HTTP Server, Oracle Containers for J2EE, WebApp with Servlet 1 and Servlet 2, OracleAS JAAS, OracleAS JAAS Policy, OracleAS JAZN Provider, JAZNUserManager]

Slide 9: Adding JAAS Security to an Application
JDeveloper provides a dialog box to help add JAAS security to an application. By using the dialog box, you do not have to edit the XML files directly. Security settings are maintained in the web.xml file.
Access the settings:
– Right-click web.xml in the Applications Navigator.
– Select Properties from the context menu.

Slide 10: Adding Authorization Information to Struts
The Struts configuration includes an authorization scheme. The scheme specifies authorization at the node level. Specify the authorized role in the Property Inspector.

Slide 11: web.xml Properties
To implement JAAS security, modify:
– Security roles: Add the security role that you want to use.
– Web resources: Add a Web resource.
  - Specify any unique name.
  - Add a URL pattern to validate.
  - On the Authorizations tabbed page, select the user role.

Slide 12: web.xml Results
[generated web.xml fragment; only the element text survives on this page: TestApplication, /, users, users]
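As an added example (not code from the Oracle course), the container-side authorization decision that slides 7 and 11 describe, run against a web.xml constructed from the values that survive on this slide (TestApplication, /, users). The unrestricted /public/* collection and the BASIC login-config are assumptions, added so that both a protected and an open resource are exercised.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor: TestApplication, "/" and users are the slide's values; /public/* is added.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>TestApplication</web-resource-name>
      <url-pattern>/</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>users</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Public</web-resource-name>
      <url-pattern>/public/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>users</role-name></security-role>
</web-app>"""

def pattern_matches(pattern, path):
    # Servlet url-pattern rules; "/" (the default pattern) is treated as a catch-all here
    if pattern == "/":
        return True
    if pattern.endswith("/*"):                     # path-prefix pattern
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern                         # exact match

def is_authorized(web_xml, path, user_roles):
    # user_roles is None for an unauthenticated client
    root = ET.fromstring(web_xml)
    allowed, covered = set(), False
    for sc in root.findall("security-constraint"):
        if not any(pattern_matches(p.text, path)
                   for p in sc.findall("web-resource-collection/url-pattern")):
            continue
        covered = True
        ac = sc.find("auth-constraint")
        if ac is None:        # no auth-constraint: the collection is open to everyone
            return True
        allowed.update(r.text for r in ac.findall("role-name"))
    if not covered:           # URL not named by any constraint: unrestricted
        return True
    if user_roles is None:    # protected resource, no principal: container challenges (BASIC)
        return False
    # "*" admits any authenticated user; an empty auth-constraint admits nobody
    return "*" in allowed or bool(allowed & set(user_roles))
```

The function returns the decision the container makes before the request reaches Servlet 1 or Servlet 2; a denial on a protected URL is what triggers the browser prompt described on the Running the Application slide.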

Slide 13: Adding Users and Roles
JDeveloper provides a wizard interface to the jazn-data.xml file. Select Tools > Embedded OC4J Server Preferences.

Slide 14: Adding Users

Slide 15: Managing Roles
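An added example (not from the Oracle course or JDeveloper) of what the wizard on slides 13 to 15 writes into jazn-data.xml, and of two checks an administrator would want over that file: expanding a role to its users through nested role membership, and listing accounts whose password is still stored in the clear. The realm name, user names, role names and the obfuscated sample value are constructed; the example assumes the OC4J convention that a credential beginning with "!" is cleartext that JAZNUserManager obfuscates on its next write.

```python
import xml.etree.ElementTree as ET

# Constructed jazn-data.xml in the OC4J realm layout; realm, user and role names are assumed.
# A credential starting with "!" is cleartext that JAZNUserManager obfuscates on its next write.
JAZN_DATA = """<jazn-data><jazn-realm><realm>
  <name>jazn.com</name>
  <users>
    <user><name>scott</name><credentials>!tiger</credentials></user>
    <user><name>alice</name><credentials>{903}ZGVhZGJlZWY=</credentials></user>
  </users>
  <roles>
    <role><name>administrators</name>
      <members><member><type>user</type><name>alice</name></member></members>
    </role>
    <role><name>users</name>
      <members>
        <member><type>user</type><name>scott</name></member>
        <member><type>role</type><name>administrators</name></member>
      </members>
    </role>
  </roles>
</realm></jazn-realm></jazn-data>"""

def parse_realm(jazn_xml):
    """Return ({user: credential}, {role: [(member_type, member_name), ...]})."""
    realm = ET.fromstring(jazn_xml).find("jazn-realm/realm")
    users = {u.findtext("name"): u.findtext("credentials") for u in realm.findall("users/user")}
    roles = {r.findtext("name"): [(m.findtext("type"), m.findtext("name"))
                                  for m in r.findall("members/member")]
             for r in realm.findall("roles/role")}
    return users, roles

def users_in_role(roles, role, seen=None):
    """Expand a role to its users, following nested roles (type "role") without looping."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:
        return set()
    seen.add(role)
    members = set()
    for kind, name in roles[role]:
        members |= users_in_role(roles, name, seen) if kind == "role" else {name}
    return members

def cleartext_credentials(users):
    """Accounts whose password is still stored in the clear ("!" prefix)."""
    return sorted(name for name, cred in users.items() if cred and cred.startswith("!"))
```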

Slide 16: Selecting a Specific jazn-data.xml File
JDeveloper allows you to specify, in the application configuration, which JAZN file to use at runtime.
To change files:
– Right-click the application module.
– Select Configurations.
– Edit the jbo.security.config property.
– Enter the path to your jazn-data.xml file.
This gives you testing and deployment flexibility. To use LDAP, change the jazn.xml file.

Slide 17: Running the Application
Test the application. The browser prompts for username and password. The application is opened if the user is authenticated and authorized. If either fails, the application is not authorized to run.

Slide 18: Summary
In this lesson, you should have learned how to:
– Use JAAS to add security to an application
– Add users and roles to an application deployment descriptor
– Add JAAS security to a Web application
– Describe how JAAS works in a Web application

Slide 19: Practice 15-1

Slide 20: Practice 15-1

