Feature Overview


Oracle Application Server 10g

Security
June 2006

Overview

Oracle Application Server 10g R3 provides a fully J2EE 1.4 compliant environment for creating and hosting secure, portable, high-performing applications. It provides all the containers, APIs, and services mandated by the J2EE specification. It is an integrated, standards-based software platform that allows organizations of all sizes to be more responsive to changing business requirements. It gives an enterprise the ability to develop, deploy, secure and manage business services and applications in an efficient and cost-effective manner. It provides a number of security features and components, including:

Java Platform Security – As a standard Java platform, Oracle Application Server 10g R3 offers the standard Java security model services for authentication, authorization and accountability. It also delivers user management and administration APIs, and tools that enable consistent enterprise deployments. Oracle Application Server 10g components rely on this framework for delivering their security interfaces to their end users. It uses JAAS (Java Authentication and Authorization Service) to provide pluggable authentication and permissions-based authorization for all Oracle Application Server components.

Web Services Security – Oracle Application Server 10g R3 provides a comprehensive WS-Security implementation for authentication, confidentiality with encryption, and integrity with XML Digital Signatures.

Oracle Identity Management – Oracle Identity Management is a key component of the Oracle Application Server 10g and provides the infrastructure for central management of user and application identities, their authorizations and other policy decision points. This component serves as a provisioning and/or synchronizing hub to facilitate Oracle applications or components integration with the chosen or incumbent enterprise Identity Management system. Oracle Identity Management is also available in the Oracle 10g R1 and R2 releases. 

These components and features make Oracle Application Server uniquely able to provide the combination of flexibility and security across a broad range of enterprise applications and infrastructure.

What is new in 10g Release 3

This section describes the new security features of Oracle Application Server 10g R3. The key new security features are the introduction of Web Services Security and Oracle Access Manager integration. Other new security features include:

  • Client certificate authentication and authorization support
  • Support for the LDAP-based provider in standalone OC4J
  • JAAS integration with EJBs
  • Support for ORMI over SSL (ORMIs)
  • Digest authentication support
  • JMX and mBean support for security configuration
  • New OC4J user and role accounts 

Security Features
Oracle 10g Release 3 includes a wide range of new features that give users more flexibility in determining how to secure their applications. At the same time, Oracle has made security simpler to deploy and manage. This section covers these items in more detail.

Web Services Security

In this release, OC4J supports securing Web services using the OASIS WS-Security 1.0 security standard. WS-Security defines a mechanism for adding transport independence and different levels of security to SOAP messages.

  • WS-Security offers multiple ways to authenticate. In WS-Security, it is easy to associate different identities with service requests. These identities can be used to enforce authorization, after authentication.
  • WS-Security offers support for SOAP traffic involving intermediaries.
  • WS-Security is transport-independent, which gives greater transport flexibility.
  • WS-Security is targeted security. For example, you can sign or encrypt the whole message body, or just a single XML element of the body payload.

If there is a need to apply integrity and confidentiality at a fine-grained level, instead of applying them to the entire SOAP message, XML signature and encryption can be used to protect the SOAP body, header block, or portions of either. If the SOAP message needs to be protected beyond the transport session, message-level security can be used. If there is a need to use different forms of authentication, then message-level security authentication tokens can be used, such as username token, X.509 token, or SAML token.
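Because a WS-Security signature can cover a single element rather than the whole body, a receiver has to confirm which parts a signature actually references before trusting them. The following added example (not Oracle code) checks that coverage only; it does not validate the signature itself, and the `app` namespace, the sample envelope and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "app": "urn:example:orders",  # constructed application namespace
}
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
ID_ATTR = f"{{{WSU}}}Id"

# Constructed sample: only the Order element is referenced by the signature.
SAMPLE = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:ds="{NS['ds']}"
    xmlns:wsu="{WSU}" xmlns:wsse="{WSSE}" xmlns:app="{NS['app']}">
  <soap:Header><wsse:Security><ds:Signature><ds:SignedInfo>
    <ds:Reference URI="#order-1"/>
  </ds:SignedInfo></ds:Signature></wsse:Security></soap:Header>
  <soap:Body wsu:Id="body-1">
    <app:Order wsu:Id="order-1"><app:Total>100</app:Total></app:Order>
    <app:Note>unsigned</app:Note>
  </soap:Body>
</soap:Envelope>"""

def signed_ids(envelope):
    """wsu:Id values that ds:Reference elements in the header point at."""
    refs = envelope.findall("soap:Header//ds:SignedInfo/ds:Reference", NS)
    uris = (ref.get("URI", "") for ref in refs)
    return {uri[1:] for uri in uris if uri.startswith("#")}

def unsigned_parts(soap_xml, required_paths):
    """Return the required element paths that no signature reference covers."""
    # Real input should first pass through a parser hardened against DTDs.
    envelope = ET.fromstring(soap_xml)
    all_ids = [e.get(ID_ATTR) for e in envelope.iter() if e.get(ID_ATTR)]
    # An Id carried by more than one element is ambiguous: treat as unsigned.
    covered = {i for i in signed_ids(envelope) if all_ids.count(i) == 1}
    missing = []
    for path in required_paths:
        elements = envelope.findall(path, NS)
        if not elements or any(e.get(ID_ATTR) not in covered for e in elements):
            missing.append(path)
    return missing
```

For the sample, a policy that requires the whole `soap:Body` to be signed is reported as unmet, while one that requires only `soap:Body/app:Order` is satisfied.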

Oracle Access Manager Integration

In this release, OracleAS JAAS Provider supports Oracle Access Manager through a custom login module. This enables applications to authenticate and authorize against both Oracle COREid 10.1.2 and Oracle Access Manager, which is shipping with 10.1.3 IDM.

Digest Authentication

HTTP Digest Authentication authenticates a user based on a username and a password that is not sent in the clear. With the digest authentication mechanism, the password that a client presents to authenticate itself is protected through the use of an MD5 digest (a one-way hash rather than reversible encryption), and this digest is transmitted in the request message. From a user’s perspective, digest authentication behaves in the same way as basic authentication. The digest method is currently supported for Oracle Internet Directory (OID) and XML file security providers.

Client Certificate Authentication

OC4J supports a client authentication mode in which the server explicitly requests certificate authentication from the client before the server will communicate with the client.

JAAS Integration with EJBs

Another new feature is the ability to extend JAAS authorizations to EJBs. You can define security constraints and J2EE security roles in the EJB deployment descriptor to protect your EJB methods.

Support for ORMI over SSL (ORMIs)

By default, OC4J EJBs exchange RMI calls over the Oracle Remote Method Invocation (ORMI) protocol, an Oracle proprietary protocol optimized for use with OC4J. OC4J now supports securing ORMI using SSL.

JMX and mBean Support for Security Configuration

OC4J supports the JMX specification, which allows standard interfaces to be created for managing resources dynamically in a J2EE environment. The OC4J implementation of JMX provides a JMX client, the System MBean Browser, which you can use to manage an OC4J instance through mBeans that are provided with OC4J.

New OC4J User and Role Accounts

There have been some OC4J account name changes in this release. The admin account is now oc4jadmin instead of admin. The administrator’s role is now oc4j-administrators and the jmx-user’s role is now oc4j-app-administrators. 

Identity Management

Oracle AS 10g R3 doesn't ship with Oracle Identity Management. Depending on its installation type, Oracle AS 10g R3 includes the Oracle HTTP Server, Oracle Containers for J2EE (OC4J), Oracle Process Manager and Notification Server (OPMN), Application Server Control Console, and Oracle Business Rules. You can use this release with Oracle 10g R2 (10.1.2) and R1 (9.0.4) Oracle Identity Management Services, and R2 Oracle Application Server Web Cache. For more information about which specific versions are compatible with 10g R3, see the Oracle Application Server Upgrade and Compatibility Guide. Oracle Identity Management is more completely described on the Oracle Technology Network at http://otn.oracle.com/products/id_mgmt/index.html.


Copyright © Oracle Corporation 2006
All Rights Reserved
