How To Create Secure BC4J Applications with Oracle9i VPD and Oracle9iAS
JAAS Provider
An Oracle JDeveloper TechNote
October 2002
Updated July 2004
Introduction
This document explains how to use the Virtual Private Database (VPD) security
feature available in Oracle9i and Oracle8i databases with Oracle9i
JDeveloper releases 9.0.2 and 9.0.3. Further, it explains how to use the Oracle9iAS
Java Authentication and Authorization Services (JAAS) Provider in Oracle9i
JDeveloper 9.0.3 and how to combine VPD fine-grained access control and Oracle9iAS
JAAS authentication and authorization in Oracle9i JDeveloper 9.0.3 BC4J
JSP web applications.
Also contained in this document is a detailed description of building an example
BC4J JSP application using JAAS and VPD in Oracle9i JDeveloper,
thus providing hands-on experience.
Virtual Private Database (VPD)
Virtual Private Database (VPD) [1] is a set of database security features
provided by the Oracle8i and Oracle9i database servers that enforce
fine-grained access control through secure application context. Oracle8i
and Oracle9i VPD allow the implementation of PLSQL-based policy rules
that are associated with tables and/or views and are enforced no matter how
a user accesses the data. The application context, a context space in memory,
defines the environment and session attributes for every user working within
an application. The idea behind fine-grained access control provided by VPD
is to dynamically add a user-specific WHERE clause, the predicate, to the DML
statement. The predicate limits the connected user to only see data owned by
himself or data that he was granted the privilege to see. The same limitations
apply when creating, updating, or deleting data, where complex business logic
can be used to define the predicate.
As an example, using a predicate, which is dynamically added when parsing a
user's DML statement, the following query:
select * from exp_report_sum_view;
is changed to:
select * from exp_report_sum_view WHERE employee_id = sys_context('expenses_reporting','emp_number');
Using the sys_context() function in a WHERE clause predicate is
like using a bind variable, because it does not have a negative impact on the
performance of a query.
VPD Database Schema Used for Coding Examples
Exp_report_sum_view, as shown above, is a view in
the secdemo schema used in this document to demo VPD usage in BC4J.
The install script, fgacdemo.sql, for the database schema and its
objects is contained in the oci/samples directory of all Oracle8i
and Oracle9i Enterprise Edition database installations. After running
the fgacdemo.sql script under the system account, the following
objects and user schemas used in this document are created:
- exp_report_sum_view - a view with a maximum of 12 rows, read from the
exp_report table
- exprep_ctx - a PLSQL package setting the application context for a user
- exp_security - a PLSQL package with functions to return the predicate
associated with a policy
- MURRAY, MOREAU, MILLER - user schemas where the password is the same as the
user name. While Murray and Miller are only allowed to see their own data,
Moreau is allowed to also see the data of the two employees reporting to him.
Creating the Schema
Perform the following actions to create the application context exprep_ctx
in the secdemo security schema:
- Run ORACLE_HOME\oci\samples\fgacdemo.sql using SQLPlus and the system
account. This creates the secdemo schema, tables, users, and security
policies. You may want to customize the table spaces before running the
script.
Hint: The fgacdemo.sql script contains logical line breaks indicated by a
'\' as used on Unix systems. This leads to errors when running the script
from SQLPlus. To avoid this, open the fgacdemo.sql script with a text editor
and search for POLICY #1. Starting at this policy, remove all occurrences of
'\' down to the bottom of the file. Make sure that each
execute dbms_rls.drop_policy() command starts and ends on one single line.
Save the file and run it from SQLPlus.
- Enable the policies created by fgacdemo.sql by connecting as
secdemo/secdemo and executing the following commands:
EXECUTE DBMS_RLS.ENABLE_POLICY('secdemo','exp_report','exp_report_policy',true);
EXECUTE DBMS_RLS.ENABLE_POLICY('secdemo','exp_report_sum_view','exp_report_view_policy',true);
EXECUTE DBMS_RLS.ENABLE_POLICY('secdemo','exp_report','exp_report_insert_policy',true);
EXECUTE DBMS_RLS.ENABLE_POLICY('secdemo','exp_line','exp_line_policy',true);
EXECUTE DBMS_RLS.ENABLE_POLICY('secdemo','exp_report','exp_report_approve_policy',true);
Background Information
The DBMS_RLS package, available in the Oracle9i and Oracle8i
Enterprise Edition, contains functions to create and manage policies, where
RLS stands for row level security. The second statement executed above enables
the policy exp_report_view_policy for the exp_report_sum_view.
The policy exp_report_view_policy is created within the fgacdemo.sql
script, using the following command:
execute dbms_rls.add_policy('secdemo','exp_report_sum_view','exp_report_view_policy','secdemo','exp_security.empview_sec','select');
This command creates the policy exp_report_view_policy for the
exp_report_sum_view in the secdemo schema. Whenever
a select statement is issued on the view, then the policy calls
the PLSQL procedure exp_security.empview_sec in the secdemo
schema to return and set the predicate for this operation. A policy must have
a unique name within the database and can handle many DML statements.
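The predicate a policy function returns can be inspected directly. The
following is an added example, not code from fgacdemo.sql or from this
TechNote: demo_empview_sec is a hypothetical function written for
illustration, and its manager rule (a manager sees the reports of the
employees in his cost center) is an assumption about the demo schema. It uses
only the context attributes and columns named in this document.

```sql
-- Added example (hypothetical): a policy function in the style described above.
-- Assumes the secdemo schema from fgacdemo.sql is installed.
CONNECT secdemo/secdemo

CREATE OR REPLACE FUNCTION demo_empview_sec (
  p_schema IN VARCHAR2,   -- schema of the protected object, passed by DBMS_RLS
  p_object IN VARCHAR2    -- name of the protected table or view
) RETURN VARCHAR2 IS
  v_emp  VARCHAR2(256) := sys_context('expenses_reporting', 'emp_number');
  v_role VARCHAR2(256) := sys_context('expenses_reporting', 'exp_role');
BEGIN
  IF v_emp IS NULL THEN
    -- No application context was set for this session: return no rows.
    RETURN '1 = 2';
  ELSIF v_role = 'MANAGER' THEN
    -- Assumed manager rule: reports of every employee in the manager's
    -- cost center.
    RETURN 'employee_id IN (SELECT employee_id FROM secdemo.employee'
        || ' WHERE cost_center_id = sys_context(''expenses_reporting'',''cc_number''))';
  ELSE
    -- Employees see only their own reports. The quotes are doubled because
    -- the predicate is built inside a PL/SQL string literal; the returned
    -- text carries single quotes.
    RETURN 'employee_id = sys_context(''expenses_reporting'',''emp_number'')';
  END IF;
END;
/
SHOW ERRORS

GRANT EXECUTE ON demo_empview_sec TO miller, moreau;

-- Print the context attributes and the predicate each user would get.
-- The function is only called here, not attached with dbms_rls.add_policy,
-- so the policies created by fgacdemo.sql stay unchanged.
CONNECT miller/miller
EXECUTE exprep_ctx.set_ctx
SELECT attribute, value FROM session_context WHERE namespace = 'EXPENSES_REPORTING';
SELECT secdemo.demo_empview_sec('SECDEMO', 'EXP_REPORT_SUM_VIEW') AS predicate FROM dual;

CONNECT moreau/moreau
EXECUTE exprep_ctx.set_ctx
SELECT attribute, value FROM session_context WHERE namespace = 'EXPENSES_REPORTING';
SELECT secdemo.demo_empview_sec('SECDEMO', 'EXP_REPORT_SUM_VIEW') AS predicate FROM dual;
```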
Using VPD and JAAS with BC4J Applications from the
JDeveloper BC4J Tester
With BC4J there exist two options for setting the application context to be
used with the fine-grained access security in an Oracle database. The first
is to use the JDBC session user to set the database application context, the
other is to use a lightweight web username as provided by Oracle9iAS
JAAS.
Using the JDBC Session User for Building the Application
Context
This section describes step by step how to configure a BC4J application to
use Oracle9i and Oracle8i fine-grained access security.
1. Creating the JDBC database connects
For the purpose of showing the effect that a VPD has when used with BC4J, create
two JDBC database connections, one for MILLER/MILLER
and another for MOREAU/MOREAU, in the JDeveloper IDE.
For simplicity name the database connection like the user each represents.

2. Create the BC4J sample application
For the BC4J sample application, create a new project (named vpdbc4j.jpr
throughout this example) and a new BC4J package (named oracle.bc4j.vpdbc4j
throughout this example). Because the fgacdemo.sql script creates the VPD
policies for the exp_report_sum_view, we are going to build an entity object
based on this view. To build an entity object on a view, the BC4J package must
be created first as an empty package. This intermediate step is not required
if the entity object is built on top of a database table that has a primary
key defined.
- Right-click the project that you created to contain the BC4J package
and choose New Business Components Package from the menu.
- Enter oracle.bc4j.vpdbc4j as a package name and click Next.
- In the open dialog, select the JDBC database connect created for MOREAU
as a connection name.
- Leave the next dialog empty as shown in the image below and click on Next.
This ensures an empty BC4J package will be created.

- Click the Finish button in the next dialog to close the
Business Component Package Wizard.
The next step for building the example BC4J application is to create an entity
object, a view object, and an application module for the empty BC4J package.
- Right-click the BC4J components package oracle.bc4j.vpdbc4j and select
New Entity Object from the popup menu.
- In the Entity Object Wizard select secdemo as the Database Schema and
choose the SECDEMO.EXP_REPORT_SUM_VIEW view as the Schema Object. For this
example the entity object name is chosen as ExpReportSumViewEO.

- In the Attribute Settings dialog, edit the ReportID attribute, checking
the Primary key checkbox. This makes ReportID the primary key used by the
entity object.

- Click Finish for JDeveloper to generate the entity object
and the view object.
- Right-click the BC4J package oracle.bc4j.vpdbc4j and choose
New Application Module from the popup menu.
- Accept the default values for the application module name and add an instance
of ExpReportSumViewEOView to the Data Model. Because only an instance of the
view object is attached to the Data Model, not the view object itself, the
name ExpReportSumViewEOView used in this example changes to
ExpReportSumViewEOView1.
- Click Finish to accept all default values.
- Save the BC4J project.

3. Enforcing VPD fine-grained access security for BC4J applications
In this case the created BC4J application gets enabled for VPD when connecting
to the database. We set the context information for VPD security after connecting
to the database by writing some code in the prepareSession() method
of our application module.
To enable the application module to be used with VPD:
- Navigate to the application module Vpdbc4jModule node and expand it.
- Open the file Vpdbc4jModuleImpl.java in the JDeveloper Code Editor by
double-clicking on its name.
- In Vpdbc4jModuleImpl.java, to override the prepareSession() method
inherited from ApplicationModuleImpl, add the following Java code*:
// requires: import oracle.jbo.Session;
protected void prepareSession(Session _session)
{
  // PL/SQL block that sets the VPD application context for the session user
  String appContext = "BEGIN exprep_ctx.set_ctx; END;";
  java.sql.CallableStatement st = null;
  super.prepareSession(_session);
  try
  {
    st = getDBTransaction().createCallableStatement(appContext, 0);
    st.execute();
  }
  catch (java.sql.SQLException s)
  {
    throw new oracle.jbo.JboException(s);
  }
  finally
  {
    try
    {
      if (st != null)
      {
        st.close();
      }
    }
    catch (java.sql.SQLException s2)
    {
      // ignore errors raised while closing the statement
    }
  }
}
VPD security is enforced by the exprep_ctx.set_ctx procedure called
in the prepareSession() method. The exprep_ctx.set_ctx procedure
creates a user application context in the database by reading the username of
the connected user from the database session. The username is used to query
the employee_id which then gets stored in an application attribute
emp_number for further use within the created application
context expenses_reporting. Also set, as an attribute in the same
context, is whether or not the job role of the user is manager
or employee. Attributes in the application context are used to
build the predicates that are attached to query and DML statements. The application
context for a connected user cannot be changed by the user directly or modified
externally.
4. Testing VPD by running the BC4J application from the BC4J Tester in JDeveloper
- Select the application module node Vpdbc4jModule with the right mouse
button and choose Test from the popup menu.
- In the Connection dialog choose moreau as the database connect name.
- Click Connect.
- Open the view object shown in the Tester by double-clicking on its name.
- Navigate through the records shown in the Tester form and notice that Moreau
can see 9 records.
- Close the BC4J Tester.
- To prove that the records shown are the result of a VPD predicate,
dynamically added to the query statement, open SQLPlus, connecting as
secdemo/secdemo, and issue the following command to disable the policy
associated with exp_report_sum_view:
execute dbms_rls.enable_policy('secdemo','exp_report_sum_view','exp_report_view_policy',false);
- In JDeveloper, run the application module using the BC4J Tester. Again choose
moreau as the database connection. Note that instead of 9 records,
now 12 are shown in the BC4J Tester form.
- In SQLPlus reenable the policy by issuing the following command:
execute dbms_rls.enable_policy('secdemo','exp_report_sum_view','exp_report_view_policy',true);
- Again run the BC4J Tester and this time choose miller as the database
connection name.
- Miller can see 3 records in contrast to Moreau, who, as a manager, is allowed
to see more reports.
The above example shows that BC4J in Oracle9i JDeveloper 9.0.2 and 9.0.3
can run under fine-grained data access security, enforced by Oracle9i
and Oracle8i VPD.
Using Oracle9iAS JAAS Authentication for Building the
Application Context
The previous example requires application users to be database users with connection
and resource privileges. In the following section authentication is performed
by Oracle9iAS JAAS. JAAS stands for Java Authentication and Authorization
Services. Oracle’s JAAS implementation, known as the Oracle9iAS JAAS
Provider, provides core security services for developing Java-based applications
for Oracle9iAS. To enforce VPD for JAAS authenticated users, the
application context is set by BC4J calling a database procedure to set the application
context, passing the user's principal name as an argument.
Important: The integration with JAAS requires Oracle9i JDeveloper,
version 9.0.3
1. Configure BC4J to use JAAS
To make BC4J work with Oracle9iAS JAAS, the BC4J security library must
be added to the project. Open the Project Settings dialog by double-clicking
the vpdbc4j.jpr project. In the Projects Settings dialog, select
the Libraries node under the Configurations | Development
node. From the list of available libraries, select BC4J Security
and add it to your project. Click Ok to close the dialog and
return to the JDeveloper IDE.

In the JDeveloper IDE, open the application module, Vpdbc4jModule,
for configuration by right-clicking on the module. Select Configurations
from the popup menu.
In the Configurations dialog click the Edit button to edit
the application module properties. In the Properties tab search for the jbo.security.enforce
property and set its value to Must. There are three possible options
for the value of this property. None to not enforce JAAS authorization,
Test to enable JAAS authentication (but ignore authentication failure)
and Must to enforce valid JAAS authentication. Click Ok
to close the dialogs.

Next, on the file system of your computer, navigate to the lib\security
directory of the Java runtime engine used. For Oracle9i JDeveloper this
is <jdev_install>\jdk\jre\lib\security. Either open
the file java.security in a text editor, or add this file to the
JDeveloper project to edit it there, and add the following line to it:
login.configuration.provider=oracle.security.jazn.spi.LoginConfigProvider
Both steps explained above enable JAAS in BC4J.
2. Creating users for Oracle9iAS JAAS
Oracle9iAS JAAS supports two types of authentication and authorization
storage: JAZN-XML and LDAP. JAZN-XML is a fast, lightweight implementation of
the JAAS API that is based on XML as an encoding mechanism. JAZN-XML allows
Java developers to retrieve user and role information securely from operating
system files. JAZN-XML is used in the following for all examples provided in
this document.
However, BC4J and JAAS integration works the same with JAZN-LDAP [2], an implementation
that uses Oracle Internet Directory (OID) as a store for authentication and
authorization information.
Users in JAZN-XML are created with the Oracle Enterprise Manager or the JAZN
Admintool. If using Oracle9iAS JAAS with Oracle Internet Directory (OID),
then the Delegated Administrative Service (DAS), a web-based user interface,
shall be used to create and manage users.
For this document we choose the JAZN Admintool [3] to create lightweight user
accounts for MILLER and MOREAU. The JAZN Admintool is available with every installation
of Oracle Containers for J2EE (OC4J).
Open a command line and navigate to the <jdev_install>\j2ee\home
directory to open the UNIX-like shell interface of the JAZN Admintool:
JDeveloper_Home\j2ee\home> java -jar jazn.jar -shell
This opens the JAZN Admintool shell, requiring you to authenticate as an administrator.
A default account to use is admin/welcome:
<JDev903\j2ee\home> java -jar jazn.jar -shell
RealmLoginModule username: admin
RealmLoginModule password:********
JAZN:>
Check for available realms by issuing cd realms and then ls
commands:
JAZN:> cd realms
JAZN:> ls
jazn.com
The default realm used with Oracle9iAS JAAS is jazn.com and we
are going to add the users MILLER and MOREAU to this realm using the adduser
<realm_name> <username> <password> command. The password
for both users in this example is chosen to be their last name:
JAZN:> adduser jazn.com MILLER MILLER
JAZN:> adduser jazn.com MOREAU MOREAU
JAZN:>
Use the ls command in the users directory to list
all users contained in the jazn.com realm:
JAZN:> cd jazn.com
JAZN:jazn.com> cd users
JAZN:jazn.com> ls
The list of users should now contain entries for MILLER and MOREAU.
There are two default roles available in jazn-data.xml, the XML
file that is used by Oracle9iAS JAAS as a secure user store on the file
system. The users MILLER and MOREAU are selected to be members of the users
role and the JAZN Admintool can be used for granting this role. The syntax for
the grant command is grantrole <role name> <realm name> <username>.
The role is used to control access to BC4J applications configured for
Oracle9iAS JAAS:
JAZN:> grantrole users jazn.com MILLER
JAZN:> grantrole users jazn.com MOREAU
JAZN:> exit
<jdev_install>\j2ee\home>
Use exit to close the JAZN Admintool and to write the changes
into the jazn-data.xml data file. Viewing the jazn-data.xml
file located in the <jdev_install>\j2ee\home\config
directory in a text editor shows the following entries:
<users>
<user>
<name>MOREAU</name>
<credentials>{903}iKx5Gs7ysTpzuTu0McMh9Qx/m0PkjXM0</credentials>
</user>
<user>
<name>MILLER</name>
<credentials>{903}dG1LbAQuHC/esoUGO6LWvg5x/0Qxh37q</credentials>
</user>
</users>
...
<roles>
<role>
<name>users</name>
<members>
<member>
<type>user</type>
<name>MILLER</name>
</member>
<member>
<type>user</type>
<name>MOREAU</name>
</member>
..
</members>
</role>
</roles>
Note that the user password is encrypted, making jazn-data.xml
safer than the commonly used principals.xml, which is also
supported in Oracle9iAS JAAS for backward compatibility.
3. Modifying EXPREP_CTX to handle the user principal name passed from BC4J
for setting the application context
To use JAAS authentication with VPD, replace the package EXPREP_CTX
created in fgacdemo.sql with the one below, which has an additional procedure
named set_ctx_appuser. The set_ctx_appuser procedure expects the
authenticated username as an argument to set the VPD application context.
The authenticated username will be read from Oracle9iAS JAAS and passed
to the database procedure by BC4J.
Execute the following SQL in SQLPlus:
CONNECT SECDEMO/SECDEMO
CREATE OR REPLACE PACKAGE exprep_ctx AS
  PROCEDURE set_ctx;
  PROCEDURE set_ctx_appuser(app_user VARCHAR2);
END;
/
SHOW ERRORS
CREATE OR REPLACE PACKAGE BODY exprep_ctx AS
  -- Sets the context from the name of the connected database user
  PROCEDURE set_ctx IS
    empnum   number;
    countrec number;
    cc       number;
    role     varchar2(20);
  BEGIN
    -- SET emp_number
    select EMPLOYEE_ID into empnum from employee
     where last_name = sys_context('userenv', 'session_user');
    dbms_session.set_context('expenses_reporting', 'emp_number', empnum);
    -- SET ROLE ?
    select count(*) into countrec from cost_center
     where manager_id = empnum;
    IF (countrec > 0) THEN
      dbms_session.set_context('expenses_reporting', 'exp_role', 'MANAGER');
    ELSE
      dbms_session.set_context('expenses_reporting', 'exp_role', 'EMPLOYEE');
    END IF;
    -- SET cc_number
    select COST_CENTER_ID into cc from employee
     where last_name = sys_context('userenv', 'session_user');
    dbms_session.set_context('expenses_reporting', 'cc_number', cc);
  END;
  -- Sets the context from the user name passed in by the middle tier
  PROCEDURE set_ctx_appuser(app_user VARCHAR2) IS
    empnum   number;
    countrec number;
    cc       number;
    role     varchar2(20);
  BEGIN
    -- SET emp_number
    select EMPLOYEE_ID into empnum from employee
     where last_name = app_user;
    dbms_session.set_context('expenses_reporting', 'emp_number', empnum);
    -- SET ROLE ?
    select count(*) into countrec from cost_center
     where manager_id = empnum;
    IF (countrec > 0) THEN
      dbms_session.set_context('expenses_reporting', 'exp_role', 'MANAGER');
    ELSE
      dbms_session.set_context('expenses_reporting', 'exp_role', 'EMPLOYEE');
    END IF;
    -- SET cc_number
    select COST_CENTER_ID into cc from employee
     where last_name = app_user;
    dbms_session.set_context('expenses_reporting', 'cc_number', cc);
  END;
END;
/
SHOW ERRORS
GRANT EXECUTE ON secdemo.exprep_ctx TO public;
EXIT
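The package above is executable by public and set_ctx_appuser accepts any user
name, so the database relies entirely on its caller to pass the authenticated
name. The following variant of the package body is an added example, not part
of fgacdemo.sql or this TechNote: it accepts set_ctx_appuser calls only from
the middle-tier connection account, assumed here to be SECDEMO as in this
document's demo, and sets the context attributes to NULL when the name lookup
fails. apply_ctx and c_trusted_account are hypothetical names, and the package
specification shown above is assumed to be in place.

```sql
-- Added example (hypothetical variant of the exprep_ctx package body).
CONNECT secdemo/secdemo

CREATE OR REPLACE PACKAGE BODY exprep_ctx AS
  -- Assumption: the account the middle tier uses for its JDBC connection.
  c_trusted_account CONSTANT VARCHAR2(30) := 'SECDEMO';
  -- Private helper: look up every value first, then set the three
  -- attributes, so a failed lookup never leaves a half-built context.
  PROCEDURE apply_ctx(p_last_name VARCHAR2) IS
    empnum   NUMBER;
    cc       NUMBER;
    countrec NUMBER;
  BEGIN
    SELECT employee_id, cost_center_id INTO empnum, cc
      FROM employee
     WHERE last_name = p_last_name;
    SELECT COUNT(*) INTO countrec
      FROM cost_center
     WHERE manager_id = empnum;
    dbms_session.set_context('expenses_reporting', 'emp_number', empnum);
    dbms_session.set_context('expenses_reporting', 'cc_number', cc);
    IF countrec > 0 THEN
      dbms_session.set_context('expenses_reporting', 'exp_role', 'MANAGER');
    ELSE
      dbms_session.set_context('expenses_reporting', 'exp_role', 'EMPLOYEE');
    END IF;
  EXCEPTION
    WHEN NO_DATA_FOUND OR TOO_MANY_ROWS THEN
      -- Fail closed: a session taken over from another user must not keep
      -- that user's attributes when the new name cannot be resolved.
      dbms_session.set_context('expenses_reporting', 'emp_number', NULL);
      dbms_session.set_context('expenses_reporting', 'cc_number', NULL);
      dbms_session.set_context('expenses_reporting', 'exp_role', NULL);
      RAISE;
  END apply_ctx;
  -- Database users: identity comes from the session itself.
  PROCEDURE set_ctx IS
  BEGIN
    apply_ctx(sys_context('userenv', 'session_user'));
  END set_ctx;
  -- Middle tier: identity is asserted by the caller, so check who is calling.
  -- EXECUTE is granted on the whole package, not per procedure, which is why
  -- the check is made here while set_ctx stays usable by the database users.
  PROCEDURE set_ctx_appuser(app_user VARCHAR2) IS
  BEGIN
    IF sys_context('userenv', 'session_user') <> c_trusted_account THEN
      raise_application_error(-20001,
        'set_ctx_appuser: caller is not the middle-tier account');
    END IF;
    apply_ctx(app_user);
  END set_ctx_appuser;
END exprep_ctx;
/
SHOW ERRORS

-- Check: as a database user the call is refused, as SECDEMO it succeeds.
CONNECT miller/miller
EXECUTE exprep_ctx.set_ctx_appuser('MOREAU')
CONNECT secdemo/secdemo
EXECUTE exprep_ctx.set_ctx_appuser('MOREAU')
SELECT attribute, value FROM session_context WHERE namespace = 'EXPENSES_REPORTING';
```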
5. Modifying Vpdbc4jModuleImpl.java to use set_ctx_appuser
Vpdbc4jModuleImpl.java needs to be changed to read the principal
name of the user authenticated by Oracle9iAS JAAS and to pass the username
as an argument to set_ctx_appuser. The name of the authenticated
user for this example is retrieved by a new method, getApplicationUserName(),
added to Vpdbc4jModuleImpl.java.
Replace the existing prepareSession() method created earlier in
this document with the following Java code*:
// Returns the JAAS user name without the leading "jazn.com/" realm prefix
String getApplicationUserName()
{
  String appUserName = getUserPrincipalName();
  String realm = "jazn.com/";
  if (appUserName.startsWith(realm))
  {
    appUserName = appUserName.substring(realm.length());
  }
  return appUserName;
}
protected void prepareSession(Session _session)
{
  super.prepareSession(_session);
  // The user name is passed as a bind variable rather than concatenated into
  // the PL/SQL text, so it is never parsed as part of the statement.
  String appContext = "BEGIN exprep_ctx.set_ctx_appuser(?); END;";
  java.sql.CallableStatement st = null;
  try
  {
    st = getDBTransaction().createCallableStatement(appContext, 0);
    st.setString(1, getApplicationUserName());
    st.execute();
  }
  catch (java.sql.SQLException s)
  {
    throw new oracle.jbo.JboException(s);
  }
  finally
  {
    try
    {
      if (st != null)
      {
        st.close();
      }
    }
    catch (java.sql.SQLException s2)
    {
      // ignore errors raised while closing the statement
    }
  }
}
In this example the getApplicationUserName() method has the realm
name hardcoded to jazn.com, which works in this case because jazn.com
is the default realm used in OC4J. If you don't know about the realm name used,
or if there is no need to distinguish one realm name from the other, then, to
extract the username from the principal name retrieved, you can search for the
delimiting forward slash ("/"):
String appAuthUser = getUserPrincipalName();
String appUserName = appAuthUser.substring(appAuthUser.indexOf("/")+1);
If the realm name matters, then the following code lines retrieve the realm
name and the user name:
// requires: import java.util.StringTokenizer;
String appAuthUser = getUserPrincipalName();
StringTokenizer st = new StringTokenizer(appAuthUser,"/");
String appUserRealm = st.nextToken();
String appUserName = st.nextToken();
The prepareSession() method now calls exprep_ctx.set_ctx_appuser,
instead of exprep_ctx.set_ctx, to set the VPD application context.
Also, because there no longer exists a dedicated JDBC connect for the user, the
authenticated user principal name is passed as an argument to exprep_ctx.set_ctx_appuser.
To retrieve the user's principal name, a new method getApplicationUserName()
is added to the example code, using the getUserPrincipalName() method
in Oracle9i JDeveloper 9.0.3. The value returned by getUserPrincipalName()
contains the realm name, jazn.com, which needs to be eliminated
from the returned string to isolate the name of the authenticated user.
Running the Demo from the JDeveloper BC4J Tester
Before running the demo, create a new database connection in JDeveloper that
is used by all users authenticated by JAAS to run the BC4J example application.
The user account information for this database connect is secdemo
identified by secdemo because this account contains the installed database
tables and views.

Now you are ready to test JAAS authentication in combination with VPD by running
the Vpdbc4jModule using the BC4J Tester.
For this, right-click the Vpdbc4jModule application module and
select Test from the popup menu, which will display the BC4J
Tester Connection dialog.
Important: In the connection dialog, choose the Business Component
Configuration Name to be Vpdbc4jModuleLocal, used by this
example. Also select secdemo as the Connection Name
to use.

After pressing Connect, the Oracle9iAS JAAS logon dialog
is displayed. First, authenticate yourself as MILLER/MILLER and note that the
BC4J Tester shows three records.

The Login dialog shown in the image above is the result of configuring BC4J
to use JAAS authentication, setting the jbo.security.enforce property
to either Must or Test. The login module is part of
the Oracle9iAS Login Provider and does not belong to BC4J itself.
Although in this example the JAAS username and password are chosen to be the
same as the user's database account credentials (for example, MILLER/MILLER),
there is no need for this.
Rerun the same test, but this time authenticate as MOREAU/MOREAU.

If you followed all the instructions for building the BC4J example application,
then you now have a working implementation of BC4J running with data access
control enforced by Oracle VPD and user authentication provided by Oracle9iAS
JAAS.
Deploying the BC4J JSP Client Application Using VPD
Security and JAAS Authentication
Now that you've seen JAAS running in the BC4J Tester, it is time to deploy
and test this feature on the web. As with the BC4J Tester, the Oracle9iAS
JAAS authentication could be performed using Oracle OID or jazn-data.xml
as an authentication store. For the example, in this section we continue using
the jazn-data.xml file, created earlier in this document, as a user store.
Making jazn-data.xml Available for BC4J Deployed in
Oracle9i JDeveloper
To use the jazn-data.xml file, created earlier with the users
MILLER and MOREAU added, it needs to be copied to the directory containing the
configuration files for the embedded OC4J server. BC4J applications deployed
to the OC4J instance of Oracle9i JDeveloper are deployed to <jdev_install>\jdev\system9.0.3\oc4j-config\current-workspace-app.
To use the previously created jazn-data.xml file over the default,
copy
<jdev_install>\j2ee\home\config\jazn-data.xml
To:
<jdev_install>\jdev\system9.0.3<.xxx>\oc4j-config\jazn-data.xml
replacing the existing jazn-data.xml file.
Note: <.xxx> is a placeholder for the build
number of the JDeveloper installation and the 'xxx' should be replaced
by the actual number as shown on the file system.
Generating a Default BC4J JSP Web Client
To build the BC4J JSP web client, create a new empty project in JDeveloper
in the same workspace. For this example the project name is chosen to be
vpdjsp.jpr. First, the BC4J output path of the vpdbc4j.jpr project needs to
be added as an additional classpath to the JSP project. Double-click on the
BC4J project and select Configurations | Development | Paths
from the opened dialog. Copy the value of the Output Directory
field to the clipboard and close the dialog by clicking the Cancel
button.
Open the JSP project by double-clicking it, which opens a dialog similar to
the one before. Under the same selection Configurations | Development | Paths,
paste the string from the clipboard into the Additional Classpath
field and click the OK button.
Right-click the vpdjsp.jpr node and select New
from the popup menu. Select JSP for Business Components from
the Web Tier category in the opened dialog. As an item to build,
choose Browse Form.

In the next dialog press the New button to create a client
data model to use within the JSP application. Data models for BC4J JSP
applications are a new feature in Oracle9i JDeveloper 9.0.3, greatly
simplifying the shared use of data sources.
In the Client Data Model Definition Wizard, select the BC4J application module
created before in this document as a value in the Application Module
field and <Application Module Name>Local for the Configuration
field. If you followed the example used in this document, then the dialog looks
like this
Finish the Client Data Model Definition Wizard as well as the BC4J JSP wizard
and return to the JSP project in JDeveloper. Along with the web client, JSP
component files, a deployment descriptor file, web.xml, is created.
To enforce JAAS authentication for the web-deployed BC4J application, we need
to edit the web.xml file accordingly.
Configuring the web.xml in the BC4J JSP Project
Open the web.xml configuration dialog by right-clicking the file
and choosing Settings from the popup menu. Select the security
node in the Web Application Deployment Descriptor dialog. Click the Add
button to create the Security Role Name users.
Remember that MILLER and MOREAU have been granted the role users. To protect
our BC4J example application, we only allow people granted the role users
to run it. Role-based access security is a unique feature in the Oracle9iAS
JAAS implementation.

Select the Constraints node under the Security
node and click Add to create a web resource name used with
this application. For this document, the web resource name is chosen as jdbc/vpdbc4j,
where the jdbc/ indicates a JDBC data source being used with the
BC4J application. However, this name can be freely chosen by you.

In the same dialog, select the created Web Resources name
to define a URL pattern to access the application. Set the value of the URL
Pattern to / as shown below.

Still in the same dialog, select the Authorization node and
check Users to enforce role-based security in Oracle9iAS
JAAS.
Select the Login node under the Security
node and set the radio button to HTTP Basic Authentication.
In the navigation tree, select the Resource References node
and click on the Add button in the opened dialog.

Add the following values:
- The name of the web resource (jdbc/vpdbc4j in this example)
- javax.sql.DataSource
- Select the Servlet option
Press OK to close the dialogs.
Running the Example BC4J Application on the Web Using
JAAS and VPD
If you followed building the example application, then the BC4J JSP project
contains a file ExpReportSumViewEOView1_Browse.jsp. Select this
file in the Oracle9i JDeveloper IDE and then hit the green run button
from the toolbar:

This starts the integrated OC4J instance of Oracle9i JDeveloper and
opens a browser window to display the HTML of the rendered BC4J JSP application.
Before the BC4J JSP application is shown, a logon dialog is displayed for you
to provide a valid user account configured in JAAS. To see VPD working with
Oracle9iAS JAAS, run the application twice: connect as MILLER the first
time and MOREAU the second.
Running as MILLER

As before, the name and password of the authenticated user on the middle tier
does not need to match an existing database user. Only make sure that there
exists a match in the database for the VPD application context to be created.
This can be done, for example, by a table that maps middle tier user names to
their employee numbers.
Running as MOREAU

Summary
In this document we showed how to build a BC4J JSP application that uses Oracle9i
Virtual Private Database (VPD) fine grained application security and the Oracle9iAS
implementation of the Java Authentication and Authorization Service (JAAS) to
protect and access control application data.
* Code updated compared to earlier version of same document
Recommended additional readings
[1] Oracle9i Security Overview - VPD
[2] Oracle9iAS Containers for J2EE (OC4J) Services Guide - Managing
the JAAS provider
[3] Oracle9iAS Containers for J2EE (OC4J) Services Guide - JAZN
Admintool documentation