This tutorial describes how OTN developers used Java Authentication and Authorization Service (JAAS) to add role-based security to the Virtual Shopping Mall (VSM) sample application. OTN members can download complete VSM source code and installation instructions.
JAAS 1.0 is an optional package for the Java 2 SDK, version 1.3.x. You can download the package and documentation from Sun's website: http://java.sun.com/products/jaas/index-10.html

JAAS is packaged as separate downloadable items:

- JAAS 1.0 class libraries (binary) and sample code (source and binary)
- Javadocs
- Sample authentication modules
JAAS 1.0 requires the Java 2 SDK, Standard Edition, v 1.3 or the Java 2 Runtime Environment v 1.3 to be installed first. Note: JAAS has been integrated into the Java 2 SDK, Standard Edition, v 1.4.
The Virtual Shopping Mall (VSM) sample application enables vendors to set up online shops, customers to browse through the shops, and a system administrator to approve and reject requests for new shops and maintain lists of shop categories. This tutorial describes how the VSM implements a security mechanism that enables users to access specific application features based on their roles.

Java Authentication and Authorization Service (JAAS) is a Java package that enables services to authenticate users and enforce access controls on them. Authentication verifies the identity of the user or entity that is to be granted access to computer resources. Once the user is authenticated, the authorization process begins. Authorization is the process of granting resource-specific privileges to the user (such as inserting a row in the database or writing to a file).

Oracle's implementation of a JAAS provider is called JAZN. JAZN supports user authentication, authorization, and JAAS policies. JAZN supports two types of repository providers, referred to as provider types. These provider types are repositories for secure, centralized storage, retrieval, and administration of provider data. This data consists of realm (users and roles) and JAAS policy (permissions) information. The provider types are:

- XML-based provider type, where user information is stored in XML files.
- LDAP-based provider type, where user information is stored in an LDAP-based directory such as Oracle Internet Directory.
JAZN supports three authentication environments: basic authentication, single sign-on, and SSL. This sample illustrates basic authentication using an XML-type provider.
One goal of the VSM is to demonstrate a simple case of JAAS implementation with minimum setup. One reason OTN developers chose an XML-based implementation for the VSM is that it is simple to comprehend: users can open the XML file and see roles, users, and permissions. Another reason is the availability of LDAP: not everyone has an LDAP server, and the setup can be difficult. JAZN supports XML-based role/user management as well as users stored in LDAP. It also supports custom Login Modules, which developers can write for specific applications and plug in to the application server. Note that in practice, adding or updating roles and users may require some custom coding, like what the VSM has in oracle.otnsamples.vsm.OC4JJAASManager.

The idea of JAAS is based on Pluggable Authentication Modules (PAM), developed by Sun Microsystems; JAAS is a Java specification for PAM. A key advantage of JAAS (and Oracle's JAZN) is that the authentication and authorization mechanisms are completely separate from application code. The simplest mechanism is a user name/password combination, but the specification also enables support for devices such as magnetic cards, fingerprint readers, or retina scanners without changing the application. Other aspects of the VSM design are covered in various lessons in...
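The following is an added illustration, not code from the VSM or from Oracle's JAZN provider. A hypothetical LoginModule (VsmDemoLoginModule, RolePrincipal and canApproveShops are all assumed names) shows the separation the text describes: the application side only drives a LoginContext and checks the role principals on the resulting Subject, while the credential store (here a constructed in-memory table standing in for the XML realm) lives entirely inside the pluggable module and could be swapped for LDAP or a card reader without touching the application code.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Role principal that the module attaches to the Subject on a successful login. */
final class RolePrincipal implements Principal {
    private final String name;
    RolePrincipal(String name) { this.name = name; }
    public String getName() { return name; }
}

/** Hypothetical LoginModule backed by a constructed user table (not a real realm). */
public class VsmDemoLoginModule implements LoginModule {
    // constructed sample data: user -> {password, role}; stands in for the XML provider
    private static final Map<String, String[]> USERS = Map.of(
        "alice", new String[]{"s3cret", "vendor"},
        "bob",   new String[]{"hunter2", "admin"});
    private Subject subject; private CallbackHandler handler;
    private String user; private boolean ok;

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[]{nc, pc}); }
        catch (Exception e) { throw new LoginException(e.toString()); }
        String[] rec = USERS.get(nc.getName());
        ok = rec != null && Arrays.equals(rec[0].toCharArray(), pc.getPassword());
        pc.clearPassword();                      // do not keep the secret in memory
        if (!ok) throw new FailedLoginException("bad credentials");
        user = nc.getName(); return true;
    }
    // commit() is where the role becomes visible to the application, via the Subject
    public boolean commit() { if (ok) subject.getPrincipals().add(new RolePrincipal(USERS.get(user)[1])); return ok; }
    public boolean abort() { return logout(); }
    public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof RolePrincipal); return true; }

    /** Application side: authenticate, then gate the "approve shops" feature on the admin role. */
    public static boolean canApproveShops(String name, char[] pw) throws LoginException {
        Configuration.setConfiguration(new Configuration() {   // normally a JAAS config file
            public AppConfigurationEntry[] getAppConfigurationEntry(String app) {
                return new AppConfigurationEntry[]{new AppConfigurationEntry(VsmDemoLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of())};
            }
        });
        LoginContext lc = new LoginContext("vsm", cbs -> {
            for (Callback c : cbs) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(name);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(pw);
            }
        });
        lc.login();                              // throws LoginException on failure
        return lc.getSubject().getPrincipals(RolePrincipal.class).stream().anyMatch(r -> r.getName().equals("admin"));
    }
}
```

With the constructed table, canApproveShops("bob", "hunter2".toCharArray()) returns true, canApproveShops("alice", ...) returns false, and a wrong password raises FailedLoginException before any role is attached.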