Lesson 15 - Adding JAAS Security to the Client

Copyright © 2004, Oracle. All rights reserved.
Objectives
After completing this lesson, you should be able to do the following:
• Describe how Java Authentication and Authorization Services (JAAS) works in a Web application
• Use JAAS to add security to an application
• Add users and roles to an application deployment descriptor
• Add JAAS security to a Web application
JAAS Provider
• The JAAS provider supports:
– Storage, retrieval, and administration of:
- Realm information (users and roles)
- Policy (permissions)
– Multiple repositories:
- XML based
- LDAP based
– Login modules
• It works with the J2EE declarative security model:
– Is part of the deployment model
– Requires little or no programming
Defining Security Needs
• Determine the logical roles in an application:
– Customer
– Buyer
– Administrator
• Determine authorization constraints: who can do what actions.
• Decide the provider type:
– XML-based flat file
– LDAP (Oracle Internet Directory)
• Map security roles to users and groups.
Oracle JAAS Implementation: JAZN
• OracleAS Containers for J2EE (OC4J) implement a JAAS provider called JAZN.
• The Oracle provider supports:
– Integration with single sign-on (SSO)
– Access control through Java 2 permissions
– Secure file-based storage of user passwords
• JAZNUserManager:
– Obfuscates passwords in flat-file storage
– Supports full role-based access control
– Provides full support for the Java 2 permissions model
Client Authentication
• Authentication:
– Determines who clients are
– Can they prove it?
• JAAS integrates any number of authentication schemes, for example:
– SSO: Uses OracleAS Single Sign-On
– SSL: Uses Secure Sockets Layer (SSL) for client certificate-based authentication
– Basic authentication: Prompts for username and password
– Write your own login module.
Client Authorization
• Client authorization is specified in J2EE deployment descriptors.
• Every client obtains a security principal.
• A client can invoke a URL or a method only if the client’s role has the associated rights.
• The J2EE container enforces security policies and provides tools for managing security.
• Struts includes roles at the “node” level.
Basic Authentication Scenario
(Diagram; labelled components: HTTP client, HTTP Server, Oracle Containers for J2EE, WebApp, Servlet 1, Servlet 2, OracleAS JAAS, JAZNUserManager, OracleAS JAAS Policy, OracleAS JAZN Provider.)
Adding JAAS Security to an Application
• JDeveloper provides a dialog box to help add JAAS security to an application.
• By using the dialog box, you do not have to directly edit the XML files.
• Security settings are maintained in the web.xml file.
• Access the settings:
– Right-click web.xml in the Applications Navigator.
– Select Properties from the context menu.
Adding Authorization Information to Struts
• The Struts configuration includes an authorization scheme.
• The scheme specifies authorization at the node level.
• Specify the authorized role in the Property Inspector.
web.xml Properties
To implement JAAS security, modify:
• Security roles: Add the security role that you want to use.
• Add a Web resource:
– Specify any unique name.
– Add a URL pattern to validate.
– On the Authorizations tabbed page, select the user role.
web.xml Results
<web-app>
  …
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>TestApplication</web-resource-name>
      <url-pattern>/</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>users</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>users</role-name>
  </security-role>
</web-app>
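As an added example (not from the Oracle course), a small Python audit that cross-checks web.xml security constraints like the one above against the roles defined in the JAZN flat file: it flags auth-constraint roles missing from security-role, roles that do not exist in the realm, and roles with no members, each of which silently leaves a resource either open or unreachable. The jazn-data.xml layout and the extra /admin/* constraint are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml: the lesson's constraint plus an /admin/* constraint
# whose role was never added to <security-role> (a common editing slip).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>TestApplication</web-resource-name>
      <url-pattern>/</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>users</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admins</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>users</role-name></security-role>
</web-app>"""

# Constructed jazn-data.xml fragment; the realm/role/member layout is an
# assumption about the OC4J flat-file provider, not taken from the lesson.
JAZN_XML = """<jazn-data><jazn-realm><realm><name>jazn.com</name>
  <roles>
    <role><name>users</name><members><member><name>alice</name></member></members></role>
    <role><name>admins</name><members/></role>
  </roles></realm></jazn-realm></jazn-data>"""

def audit(web_xml, jazn_xml):
    # Returns a list of findings; an empty list means every constraint is usable.
    web, jazn = ET.fromstring(web_xml), ET.fromstring(jazn_xml)
    declared = {r.text for r in web.iterfind("security-role/role-name")}
    members = {r.findtext("name"): [m.findtext("name") for m in r.iterfind("members/member")]
               for r in jazn.iterfind(".//role")}
    findings = []
    for sc in web.iterfind("security-constraint"):
        patterns = [p.text for p in sc.iterfind("web-resource-collection/url-pattern")]
        if sc.find("auth-constraint") is None:
            findings.append(f"{patterns}: no auth-constraint, resource is open to everyone")
        # "*" means any role known to the container, so there is nothing to cross-check
        for role in (r.text for r in sc.iterfind("auth-constraint/role-name") if r.text != "*"):
            if role not in declared:
                findings.append(f"{patterns}: role '{role}' is not declared in <security-role>")
            if role not in members:
                findings.append(f"{patterns}: role '{role}' does not exist in the JAZN realm")
            elif not members[role]:
                findings.append(f"{patterns}: role '{role}' has no members, so no one can log in")
    return findings
```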
Adding Users and Roles
• JDeveloper provides a wizard interface to the jazn-data.xml file.
• Select Tools > Embedded OC4J Server Preferences.
Adding Users
Managing Roles
Selecting a Specific jazn-data.xml File
• JDeveloper allows you to specify which JAZN file to use at runtime in the application configuration.
• To change files:
– Right-click the application module.
– Select Configurations.
– Edit the jbo.security.config property.
– Enter the path to your jazn-data.xml file.
• This gives you testing and deployment flexibility.
• To use LDAP, change the jazn.xml file.
Running the Application
• Test the application.
• The browser prompts for username and password.
• The application is opened if the user is authenticated and authorized.
• If either fails, the application is not authorized to run.
Summary
In this lesson, you should have learned how to:
• Use JAAS to add security to an application
• Add users and roles to an application deployment descriptor
• Add JAAS security to a Web application
• Describe how JAAS works in a Web application