Oracle JHeadstart Developer's Guide - Downloads - Oracle
A great benefit from this approach is that the mechanism behind the retrieval of security information can be changed, for instance from file- or table-based to LDAP (Lightweight Directory Access Protocol) based, without a single change in the application code itself. Furthermore, it is very convenient that during development a simple file-based security mechanism can be used, while in other environments such as test and production environments a full-blown security implementation such as LDAP can be used, again without any changes to the application code.

When using Oracle's web container OC4J, the JAAS standard is implemented by the Oracle AS JAAS Provider, abbreviated as "JAZN". JAZN provides out-of-the-box support for storing the user and role information in two formats:

• In a simple XML file, typically named jazn-data.xml
• In an LDAP directory. Oracle's Internet Directory (OID) is a popular implementation of the LDAP protocol.

In addition, JAZN can be configured to authenticate users against Oracle's Single Sign-On Server (SSO).

To use JAAS-JAZN with JHeadstart, you set the Authentication Type property to "JAAS".

If you want to use role-based authorization using JAAS, then check the Use Role-Based Authorization? checkbox and set the Authorization Type to "JAAS". This only makes sense if your LDAP directory contains a useful role structure that is linked to your application users stored in LDAP. If no role information is present in LDAP, or it is too coarse-grained to be of use for the authorization levels that need to be applied in your application, then set the Authorization Type to "Custom", so you can use the JHeadstart security tables or your own tables to implement authorization. If LDAP contains useful role information and you want to use additional application-specific roles, then set the Authorization Type to "JAAS and Custom".

Warning: All application roles need to be listed in the web.xml deployment descriptor for the isUserInRole() API call to work properly. In other words, your list of application roles needs to be maintained in two places: in the LDAP directory accessed by JAAS, and in web.xml.

If you need to deploy your ADF-JHeadstart application to another web container, like JBoss, Tomcat, or WebSphere, you need to consult the documentation of that web container for information on configuring JAAS and the availability of out-of-the-box JAAS providers like OracleAS JAAS (JAZN).

Overview of JAAS-based security in OC4J: OC4J Security Guide, chapter 2
http://downloaduk.oracle.com/docs/cd/B25221_03/web.1013/b14429/jaas_intro.htm

10.1.2. JAAS Custom Login Module

JAAS supports the concept of a Custom Login Module (CLM). A CLM allows you to retrieve security information from an arbitrary information store, for example a set of database tables. If none of the standard JAAS providers of your web container meets your requirements, you can write a custom login module. Since accessing database tables for obtaining the security information is a common use case for a custom login module,

JHeadstart Developer's Guide Application Security 10-3
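The custom login module the section introduces, as an added example that is not part of the guide or of JHeadstart: a plain JAAS LoginModule (standard Java API only, no OC4J-specific classes) that verifies credentials against a constructed in-memory user table standing in for the security tables, and grants the user and role principals only in the commit phase. The class names TableLoginModule and AppPrincipal and the sample user are assumptions.

```java
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class TableLoginModule implements LoginModule {
    /** Principal for both the authenticated user and each role granted to it (assumed name). */
    public static final class AppPrincipal implements Principal {
        private final String name;
        public AppPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }
    // Constructed stand-in for the security tables: user -> {password, role...}.
    // A real module would query them via JDBC and store only salted password hashes.
    private static final Map<String, String[]> USERS =
        Map.of("alice", new String[] {"s3cret", "ADMIN", "EMPLOYEE"});
    private Subject subject;
    private CallbackHandler handler;
    private final List<Principal> granted = new ArrayList<>();

    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }
    /** Phase 1: obtain credentials through the container's callback handler and verify them. */
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] {nc, pc}); }
        catch (Exception e) { throw new LoginException("credential callback failed"); }
        String[] row = nc.getName() == null ? null : USERS.get(nc.getName());
        char[] pw = pc.getPassword(); pc.clearPassword(); // copy the secret, then wipe the callback
        // One generic failure for unknown user and wrong password; constant-time comparison.
        if (row == null || pw == null
                || !MessageDigest.isEqual(row[0].getBytes(), new String(pw).getBytes()))
            throw new FailedLoginException("invalid user name or password");
        granted.add(new AppPrincipal(nc.getName()));
        for (int i = 1; i < row.length; i++) granted.add(new AppPrincipal(row[i]));
        return true;
    }
    /** Phase 2: attach principals only now, so a failure elsewhere in the login stack leaves no trace. */
    public boolean commit() {
        if (granted.isEmpty()) return false;
        return subject.getPrincipals().addAll(granted);
    }
    public boolean abort()  { granted.clear(); return true; }
    public boolean logout() { subject.getPrincipals().removeAll(granted); granted.clear(); return true; }
}
```

The container invokes the module through the JAAS configuration entry it is registered under, and role checks such as isUserInRole() then see the role principals committed here, provided those roles are also declared in web.xml as the warning above states.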