Oracle Application Server 10g R3 provides a fully J2EE 1.4 compliant environment for creating and hosting secure, portable, high-performing applications. It provides all the containers, APIs, and services mandated by the J2EE specification. It is an integrated, standards-based software platform that allows organizations of all sizes to be more responsive to changing business requirements. It gives an enterprise the ability to develop, deploy, secure and manage business services and applications in an efficient and cost-effective manner. It provides a number of security features and components, including:
Java Platform Security – As a standard Java platform, the Oracle Application Server 10g R3 offers the standard Java security model services for authentication, authorization and accountability. It also delivers user management and administration APIs, and tools that enable consistent enterprise deployments. Oracle Application Server 10g components rely on this framework for delivering their security interfaces to their end users. It uses JAAS (Java Authentication and Authorization Service) to provide pluggable authentication and permissions-based authorization for all Oracle Application Server components.
Web Services Security – Oracle Application Server 10g R3 provides a comprehensive WS-Security implementation for authentication, confidentiality with encryption, and integrity with XML Digital Signatures.
Oracle Identity Management – Oracle Identity Management is a key component of the Oracle Application Server 10g and provides the infrastructure for central management of user and application identities, their authorizations and other policy decision points. This component serves as a provisioning and/or synchronizing hub to facilitate Oracle applications or components integration with the chosen or incumbent enterprise Identity Management system. Oracle Identity Management is also available in the Oracle 10g R1 and R2 releases.
These components and features make Oracle Application Server uniquely able to provide the combination of flexibility and security across a broad range of enterprise applications and infrastructure.
What is new in 10g Release 3
This section describes the new security features of Oracle Application Server 10g R3. The key new security features are the introduction of Web Services Security and Oracle Access Manager integration. Other new security features include:
Web Services Security
In this release, OC4J supports securing Web services using the OASIS WS-Security 1.0 security standard. WS-Security defines a mechanism for adding transport independence and different levels of security to SOAP messages.
If there is a need to apply integrity and confidentiality at a fine-grained level, instead of applying them to the entire SOAP message, XML signature and encryption can be used to protect the SOAP body, header block, or portions of either. If the SOAP message needs to be protected beyond the transport session, message-level security can be used. If there is a need to use different forms of authentication, then message-level security authentication tokens can be used, such as username token, X.509 token, or SAML token.
Oracle Access Manager Integration
In this release, OracleAS JAAS Provider supports Oracle Access Manager through a custom login module. This enables applications to authenticate and authorize against both Oracle COREid 10.1.2 and Oracle Access Manager, which ships with 10.1.3 IDM.
HTTP Digest Authentication authenticates a user based on a username and an encrypted password. With the digest authentication mechanism, the password that a client presents to authenticate itself is encrypted through the use of an MD5 digest. This is transmitted in the request message. From a user’s perspective, digest authentication behaves in the same way as basic authentication. The digest method is currently supported for Oracle Internet Directory (OID) and XML file security providers.
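The server side of the digest check described above, as an added example that is not Oracle code: it follows the RFC 2617 computation, in which the client sends an MD5 digest over username, realm, password, server nonce, method and URI, and the server recomputes it from a stored hash. The function names and the in-memory stores are hypothetical; the sample values are the worked example from RFC 2617.

```python
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_digest_header(header):
    """Split 'Digest k="v", k2=v2' into a dict of lower-cased keys."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}

def expected_response(fields, method, ha1):
    """RFC 2617 request-digest for qop=auth, or the older no-qop form."""
    ha2 = md5_hex(f"{method}:{fields['uri']}")
    if fields.get("qop") == "auth":
        parts = [ha1, fields["nonce"], fields["nc"], fields["cnonce"], "auth", ha2]
    else:
        parts = [ha1, fields["nonce"], ha2]
    return md5_hex(":".join(parts))

def verify_digest(header, method, ha1_store, issued_nonces):
    """Return True only if the client's response matches the stored HA1."""
    try:
        fields = parse_digest_header(header)
        ha1 = ha1_store[(fields["username"], fields["realm"])]
        if fields["nonce"] not in issued_nonces:  # nonce must be one the server issued
            return False
        expected = expected_response(fields, method, ha1)
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(expected.encode(), fields["response"].lower().encode())
    except (KeyError, ValueError):
        return False  # malformed header, unknown user, or missing field

# Constructed sample data: the worked example values from RFC 2617.
# The store keeps HA1 = MD5(username:realm:password), not the plaintext password.
HA1_STORE = {("Mufasa", "testrealm@host.com"):
             md5_hex("Mufasa:testrealm@host.com:Circle Of Life")}
NONCES = {"dcd98b7102dd2f0e8b11d0f600bfb0c093"}
SAMPLE_HEADER = ('Digest username="Mufasa", realm="testrealm@host.com", '
                 'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
                 'qop=auth, nc=00000001, cnonce="0a4f113b", '
                 'response="6629fae49393a05397450978507c4ef1", '
                 'opaque="5ccc069c403ebaf9f0171e9517f40e41"')

if __name__ == "__main__":
    print(verify_digest(SAMPLE_HEADER, "GET", HA1_STORE, NONCES))
```

Because the digest covers the method and URI, a captured header does not verify for a different request; the stored HA1 value is still password-equivalent for its realm and needs the same protection as a password.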
Client Certificate Authentication
OC4J supports a client authentication mode in which the server explicitly requests certificate authentication from the client before the server will communicate with the client.
JAAS Integration with EJBs
Another new feature is the ability to extend JAAS authorizations to EJBs. You can define security constraints and J2EE security roles in the EJB deployment descriptor to protect your EJB methods.
Support for ORMI over SSL (ORMIs)
By default, OC4J EJBs exchange RMI calls over the Oracle Remote Method Invocation (ORMI) protocol, an Oracle proprietary protocol optimized for use with OC4J. OC4J now supports securing ORMI using SSL.
JMX and mBean Support for Security Configuration
OC4J supports the JMX specification, which allows standard interfaces to be created for managing resources dynamically in a J2EE environment. The OC4J implementation of JMX provides a JMX client, the System MBean Browser, which you can use to manage an OC4J instance through mBeans that are provided with OC4J.
New OC4J User and Role Accounts
There have been some OC4J account name changes in this release. The admin account is now oc4jadmin instead of admin. The administrator’s role is now oc4j-administrators and the jmx-user’s role is now oc4j-app-administrators.
Oracle AS 10g R3 doesn't ship with Oracle Identity Management. Depending on its installation type, Oracle AS 10g R3 includes the Oracle HTTP Server, Oracle Containers for J2EE (OC4J), Oracle Process Manager and Notification Server (OPMN), Application Server Control Console, and Oracle Business Rules. You can use this release with Oracle 10g R2 (10.1.2), and R1 (9.0.4) Oracle Identity Management Services, and R2 Oracle Application Server Web Cache. For more information about which specific versions are compatible with 10g R3 see the Oracle Application Server Upgrade and Compatibility Guide. Oracle Identity Management is more completely described on the Oracle Technology Network at http://otn.oracle.com/products/id_mgmt/index.html.
Copyright © Oracle Corporation 2006