Raymond K. Ng Technical Lead - JAAS Platform Security Oracle Corporation.


Securing J2EE Applications with Oracle Identity Management

Agenda
 Application Security Overview
 Authentication Requirements
 Authorization Requirements
 J2EE Security
 JAAS
 Oracle Strategy

Application Security
 Security is a process, not a product or feature
  – No 100% security
 Only as secure as the weakest link
  – Go beyond firewall security
  – Implement multi-layer security
 Considerations
  – Authentication
  – Authorization
  – Accountability/Audit
  – Secure Transport

Oracle 10g Security Architecture (diagram)
Browser -> Oracle HTTP Server (mod_ossl, mod_osso) -> Oracle 10g Containers for J2EE (OC4J) with JAAS
Security Infrastructure Layer: Single Sign-On, Oracle Internet Directory

Authentication Requirements

Use The Appropriate Mechanism
 Username and password
 Client certificate
 Smart Card
 Biometrics

Single Sign-On (SSO)
 Why SSO-enable your application?
  – User Convenience
  – Security
  – Cost Reduction
 Factors to consider
  – Integration with infrastructure
  – Extensible framework

Oracle 10g Single Sign-On
 Centralized authentication for web applications
 Multiple authentication options
  – Username/password
  – Client certificates
  – 3rd party API (Biometrics, Smart Card, etc.)
 Single Sign-Off
 Multiple application types
 Integrated across Oracle 10g
  – OID, OC4J/JAAS, Portal, OHS, Wireless, Workflow, UM, Ultrasearch, Personalization, Reports, Forms, Discoverer…

Relevant Standards
 HTTP
 SSL/X.509
 J2EE
 JAAS
 Java Authentication SPI
 SAML
 WS-Security
 Plus emerging specifications

Authorization Requirements

Choose The Right Authorization Model
 Roll Your Own (Application-specific)
  – Maintenance
  – Administrative Cost
  – Inconsistent Authorization Policy => Insecurity
 Understand The Relevant Standards
  – J2EE Security
  – Java 2 Security
  – JAAS
  – JACC

J2EE Security

 Design Principles
  – Declarative security model
     Decouple security logic from application logic
     Write once run anywhere (WORA)
  – Leverage existing security infrastructure
 J2EE Roles
  – Application Provider
  – Application Assembler
  – Application Deployer
  – System Administrator

J2EE Security: Authentication
 Multiple Authentication Methods
  – Basic, Form, SSL client certificate, etc.
 Declarative Security
  – Deployment descriptors: web.xml, ejb-jar.xml
 JSR 196: Java Authentication SPI
  – J2EE 1.5
  – JAAS LoginModule integration
 Missing
  – Single Sign-On support

J2EE Security: Authorization
 Protected Resources
  – Web Resources: URL-patterns
  – Enterprise Beans: Method permissions
 “Role”-based Authorization
  – Not “Role Based Access Control (RBAC)”
  – Portability
 JSR 115: Integration with Java2/JAAS
  – Pluggable security (authorization) provider
  – J2EE security constraints => Java2 permissions

JAAS: Java Authentication and Authorization Service

Java 2 Security
 Key Components
  – Security Policy defines authorization policy
  – SecurityManager/AccessController is the security monitor
 Necessary if running any untrusted code in your JVM
 Limitations
  – Code-based security only
  – No policy management API
  – File-based implementation doesn’t scale

What is JAAS?
 Principal-Based security
 Authentication
  – Pluggable Authentication Module (PAM) framework
 Authorization
  – Extension to Java2 Security Model
 Optional Package to JDK 1.3
  – JDK 1.4 Core API
 J2EE 1.3 Requirement
  – J2EE 1.4: JACC (JSR 115)
  – J2EE 1.5: Java Authentication SPI (JSR 196)

Oracle 10g JAAS Provider
 Oracle’s JAAS (Java Authentication and Authorization Service) Implementation, plus Extensions
 Integrated with Oracle 10g SSO and OID
 Default Security Provider for Oracle 10g Containers for J2EE

Oracle 10g JAAS Provider: User Manager (diagram)
Oracle 10g Containers for J2EE -> JAZNUserManager
  – LDAP-based Provider type: OID repository
  – XML-based Provider type: jazn-data.xml repository

Oracle 10g JAAS Provider: Authentication
 Oracle’s RealmLoginModule Integrated with OC4J Authentication
  – Declarative model
  – Integrated with J2EE security model
  – Integrated with Realm framework for user communities
 Support custom JAAS LoginModules
  – Programmatic and declarative
  – Integrated with J2EE security model
 Option to Use Oracle 10g Single Sign-On (SSO)

Oracle 10g JAAS Provider: Authorization
 JAAS Authorization
  – Principal (i.e. user) and code-based policies
  – Hierarchical, role-based access control (RBAC)
  – Realm framework to support multiple user communities
 Authorization Repository
  – XML flat-file
  – Oracle Internet Directory (OID)
 3 methods of Management
  – Oracle Enterprise Manager
  – JAZN Admintool
  – Programmatic API

Oracle 10g JAAS Provider: What’s New
 Custom JAAS LoginModules
  – Leverage any JAAS-compliant LoginModules
  – Integration with J2EE security model
 Performance & Scalability Enhancements
 OC4J Integration
  – Password hiding (data-sources.xml, oc4j-ra.xml)
 Tool Integration
  – JDeveloper / BC4J

Oracle 10g JAAS Provider: Future Directions
 Support for 3rd party LDAP directories
  – Default LoginModule certified against AD and SunONE
 JACC Provider (JSR 115)
  – Unified authorization model for managed components
 Java Authentication SPI (JSR 196)
  – Unified authentication model for managed components
 Portlet Integration (JSR 168)
  – J2EE/JAAS authorization model for portlets
 Management & Deployment Enhancements
  – JSR 77 & 88
 XML Services Security
 Web Services Security

JAAS Up Your J2EE Apps

JAAS Up Your J2EE Apps: Putting the Pieces Together
 Define your security policy
  – Enterprise policy:
     role hierarchy
     user->role assignment
     permission->role assignment
  – Application-specific policy:
     authentication method
     authorization constraints (“security-roles”)
 Deploy your J2EE Application
  – authentication method
  – authorization constraints (“security-role-mappings”)
  – RunAs identity

JAAS Up Your J2EE Apps: SSO-enabling your J2EE Apps
 Specify static declarative constraints
  – in web.xml or ejb-jar.xml
 Deploy your J2EE applications
  – specify JAZN-LDAP UserManager
  – security-role mappings
     OID realms, users and groups
 Specify authentication method as SSO
  – in orion-web.xml:

JAAS Up Your J2EE Apps: Custom LoginModule Integration
 Develop, package & deploy your application as usual
 Package & deploy your custom LoginModule
  – As an independent JAR or as part of your application
 Configure your application
  – Set JAZN property “role.mapping.dynamic” to “true”
  – Set application classpath as appropriate
  – Set security role mapping as appropriate
 Register your custom LoginModule
  – Associate your custom LoginModule with your application
  – JAZN Admintool: “-addloginmodule” option

JAAS Up Your J2EE Apps: Tips & Tricks
 JAZN-LDAP
  – User/group management delegated to DAS
  – grant RMIPermission to users accessing EJBs
 JAZN-LDAP Cache
  – Tuning parameters: “ldap.cache.*”
 Identity Management Realm
  – SSO integration
 External Synchronization
  – Performance vs. Ease-of-development
 Public Group
  – Authentication only

Oracle Strategy

Distributed Systems Security Reference Architecture (diagram)
Users -> Protected Resources
Application Security Services: Authentication, Application Authorization, Privacy, Audit
Identity Management Infrastructure: Identity & Profile Assertion Services, Policy Decision Services, Identity & Policy Store, Administration & Provisioning

Oracle 10g Security Solution
 Oracle Identity Management Infrastructure for the enterprise
 Platform security enabled by Oracle Identity Management
 Platform components with high security assurance

Oracle Security Architecture (diagram)
Enterprise Security Infrastructure: Oracle Identity Management
  – Directory Services: Oracle Internet Directory
  – Access Management: OracleAS Single Sign-on
  – Provisioning Services: Directory Integration & Provisioning, Delegated Administration Services
  – External Security Services: OracleAS Certificate Authority
Oracle 10g Platform Security Bindings (Application Component Security):
  – OracleAS 10g: JAAS, WS Security, Java2 Permissions…
  – Oracle 10g Database: Enterprise users, VPD, Encryption, Label Security
  – Oracle E-Business Suite: Responsibilities, Roles…
  – Oracle Collaboration Suite: Secure Mail, Interpersonal Rights…
  – OracleAS Portal & Wireless: Roles, Privilege Groups…

Oracle Identity Management Benefits
 Enables deployment of all Oracle products out of the box
  – AS, DB, OCS, eBiz
 An enterprise infrastructure that leverages Oracle’s “unbreakable” technology
  – Reliability, scalability, security, performance
 A single point of integration for customers’ existing identity management solutions
  – Transparent 3rd party integration for OIM-enabled products
 Accommodates a wide variety of partner solutions and customer deployments
  – Open, standards-based infrastructure enables integration

What’s Next
 Implementing Identity Management at Lawrence Livermore National Labs
  – ID:
  – Presenter: Tony Macedo, Computer Scientist, LLNL
  – Date: Thursday, 9/11
  – Time: 3:15 - 4:15
  – Location: Moscone Center room 120

Q & A: Questions & Answers
