Overview
Oracle Application Server 10g R3 provides a fully J2EE 1.4 compliant environment for creating and hosting secure, portable, high-performing applications. It provides all the containers, APIs, and services mandated by the J2EE specification. It is an integrated, standards-based software platform that allows organizations of all sizes to be more responsive to changing business requirements. It is a platform that provides an enterprise the ability to develop, deploy, secure and manage business services and applications in an efficient and cost effective manner. It provides a number of security features and components, including:
Java Platform Security – As a standard Java platform, the Oracle Application Server 10g R3 offers the standard Java security model services for authentication, authorization and accountability. It also delivers user management and administration APIs, and tools that enable consistent enterprise deployments. Oracle Application Server 10g components rely on this framework for delivering their security interfaces to their end users. It uses JAAS (Java Authentication and Authorization Service) to provide pluggable authentication and permissions-based authorization for all Oracle Application Server components.
Web Services Security – Oracle Application Server 10g R3 provides a comprehensive WS-Security implementation for authentication, confidentiality with encryption, and integrity with XML Digital Signatures.
Oracle Identity Management – Oracle Identity Management is a key component of the Oracle Application Server 10g and provides the infrastructure for central management of user and application identities, their authorizations and other policy decision points. This component serves as a provisioning and/or synchronizing hub to facilitate Oracle applications or components integration with the chosen or incumbent enterprise Identity Management system. Oracle Identity Management is also available in the Oracle 10g R1 and R2 releases.
These components and features make Oracle Application Server uniquely able to provide the combination of flexibility and security across a broad range of enterprise applications and infrastructure.
What is new in 10g Release 3
This section describes the new security features of Oracle Application Server 10g R3. The key new security features are the introduction of Web Services Security and Oracle Access Manager integration. Other new security features include:
- Client certificate authentication and authorization support
- Support for the LDAP-based provider in standalone OC4J
- JAAS integration with EJBs
- Support for ORMI and SSL (ORMIs)
- Digest authentication support
- JMX and mBean support for security configuration
- New OC4J user and role accounts
Security Features
There is a wide range of new features in Oracle 10g Release 3 that provide users with more flexibility in determining how to secure their applications. At the same time, Oracle has made security simpler to deploy and manage. This section will cover these items in more detail.
Web Services Security
In this release, OC4J supports securing Web services using the OASIS WS-Security 1.0 security standard. WS-Security defines a mechanism for adding transport independence and different levels of security to SOAP messages.
- WS-Security offers multiple ways to authenticate. In WS-Security, it is easy to associate different identities with service requests. These identities can be used to enforce authorization, after authentication.
- WS-Security offers support for SOAP traffic involving intermediaries.
- WS-Security is transport-independent, which gives greater transport flexibility.
- WS-Security is targeted security. For example, you can sign or encrypt the whole message body, or just a single XML element of the body payload.
If there is a need to apply integrity and confidentiality at a fine-grained level, instead of applying them to the entire SOAP message, XML signature and encryption can be used to protect the SOAP body, header block, or portions of either. If the SOAP message needs to be protected beyond the transport session, message-level security can be used. If there is a need to use different forms of authentication, then message-level security authentication tokens can be used, such as username token, X.509 token, or SAML token.
Oracle Access Manager Integration
In this release, OracleAS JAAS Provider supports Oracle Access Manager through a custom login module. This enables applications to authenticate and authorize against both Oracle COREid 10.1.2 and Oracle Access Manager, which ships with 10.1.3 IDM.
Digest Authentication
HTTP Digest Authentication authenticates a user based on a username and a password that is sent as a digest rather than in the clear. With the digest authentication mechanism, the password that a client presents to authenticate itself is run through an MD5 digest (a one-way hash, not reversible encryption), and the resulting value is transmitted in the request message. From a user’s perspective, digest authentication behaves in the same way as basic authentication. The digest method is currently supported for Oracle Internet Directory (OID) and XML file security providers.
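The digest computation described above, as an added example that is not Oracle's code: it follows the RFC 2617 algorithm with qop=auth and checks a request the way a server would, from a stored hash rather than the cleartext password. The function names (ha1, digest_response, verify) are illustrative, and the sample request is the published example from RFC 2617.

```python
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username, realm, password):
    # Value a server can store instead of the cleartext password.
    # It is password-equivalent for this realm, so protect it like one.
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(stored_ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    # The nonce, counter and client nonce bind the digest to one request.
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify(stored_ha1, method, fields, last_nc=0):
    # Reject a replayed or stale nonce count before doing any hashing.
    if int(fields["nc"], 16) <= last_nc:
        return False
    expected = digest_response(stored_ha1, method, fields["uri"],
                               fields["nonce"], fields["nc"],
                               fields["cnonce"], fields["qop"])
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(expected, fields["response"])


# Sample Authorization header fields: the published example in RFC 2617, section 3.5.
SAMPLE = {
    "uri": "/dir/index.html",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "nc": "00000001",
    "cnonce": "0a4f113b",
    "qop": "auth",
    "response": "6629fae49393a05397450978507c4ef1",
}
STORED_HA1 = ha1("Mufasa", "testrealm@host.com", "Circle Of Life")

if __name__ == "__main__":
    print("valid request accepted:", verify(STORED_HA1, "GET", SAMPLE))
    print("replayed nc accepted:", verify(STORED_HA1, "GET", SAMPLE, last_nc=1))
```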
Client Certificate Authentication
OC4J supports a client authentication mode in which the server explicitly requests certificate authentication from the client before the server will communicate with the client.
JAAS Integration with EJBs
Another new feature is the ability to extend JAAS authorizations to EJBs. You can define security constraints and J2EE security roles in the EJB deployment descriptor to protect your EJB methods.
Support for ORMI over SSL (ORMIs)
By default, OC4J EJBs exchange RMI calls over the Oracle Remote Method Invocation (ORMI) protocol, an Oracle proprietary protocol optimized for use with OC4J. OC4J now supports securing ORMI using SSL.
JMX and mBean Support for Security Configuration
OC4J supports the JMX specification, which allows standard interfaces to be created for managing resources dynamically in a J2EE environment. The OC4J implementation of JMX provides a JMX client, the System MBean Browser, which you can use to manage an OC4J instance through mBeans that are provided with OC4J.
New OC4J User and Role Accounts
There have been some OC4J account name changes in this release. The admin account is now oc4jadmin instead of admin. The administrator’s role is now oc4j-administrators and the jmx-user’s role is now oc4j-app-administrators.
Identity Management
Oracle AS 10g R3 doesn't ship with Oracle Identity Management. Depending on its installation type, Oracle AS 10g R3 includes the Oracle HTTP Server, Oracle Containers for J2EE (OC4J), Oracle Process Manager and Notification Server (OPMN), Application Server Control Console, and Oracle Business Rules. You can use this release with Oracle 10g R2 (10.1.2), and R1 (9.0.4) Oracle Identity Management Services, and R2 Oracle Application Server Web Cache. For more information about which specific versions are compatible with 10g R3, see the Oracle Application Server Upgrade and Compatibility Guide. Oracle Identity Management is more completely described on the Oracle Technology Network at http://otn.oracle.com/products/id_mgmt/index.html.