|
Oracle® Containers for J2EE Security Guide
10g Release 3 (10.1.3) B14429-01 |
|
 Previous |
 Next |
|
Oracle® Containers for J2EE Security Guide
10g Release 3 (10.1.3) B14429-01 |
|
|
Previous |
Next |
This chapter discusses Oracle COREid Access and Identity and describes how to use the COREid Access security provider for authentication, authorization, and single sign-on. The chapter is useful for those who have already deployed, or plan to deploy, the Oracle COREid Access and Identity system. It describes integration between the COREid 7.0.4 implementation and the OC4J 10.1.3 implementation, and how to secure applications deployed on OC4J through features of COREid. This includes detailed configuration steps for Web applications, and examples for Web applications, EJBs, and Web Service authentication schemes (including username token, X.509 token, and SAML token).
This chapter covers the following topics:
|
Notes:
|
|
See Also:
These and other COREid documents are available from: (Scroll down the page until you see the entry for COREid documentation.) |
This section provides an overview of Oracle COREid Access and Identity and discusses prerequisites and architecture:
Oracle COREid Access and Identity is an enterprise-class authentication, authorization, and auditing solution that provides centralized security administration. This includes functionality for access control, single sign-on (separate from OracleAS Single Sign-On), personalization, and user profile management in heterogeneous application environments across a variety of application servers, legacy applications, and databases. COREid provides key features for creating, managing, and enforcing access policies. If you have different sets of users that require access to different data sets, while all require access to a common set of data, COREid can allow the right levels of access to each group so that everyone can access only the data that is appropriate for them.
In comparing Oracle COREid Access and Identity to other authentication, single sign-on, and authorization services, note the following differentiating features.
You can centralize authentication and authorization for multiple OC4J instances through a single Oracle COREid Access and Identity instance, allowing centralized single sign-on and auditing functionality, as well as more robust authentication options.
COREid offers superior identity administration through workflow, fine-grained attribute control, and delegation of administration.
COREid supports access control based on dynamic groups, with members based on a given identity profile.
COREid allows realtime access and identity integration, with runtime changes made through COREid being automatically populated into the Access Server cache to eliminate security loopholes.
In the OC4J 10.1.3 implementation, OracleAS JAAS Provider supports Oracle COREid Access and Identity integration through a custom login module and a special authentication method setting.
Oracle COREid Access and Identity includes the following components:
WebGate, the policy enforcer, is a Web server plug-in access client (with an associated Apache mod for use on Oracle HTTP Server) that intercepts HTTP requests and forwards them to the Access Server for authentication and authorization. In comparison, an AccessGate is a custom access client, built with the COREid Access SDK, that processes Web and non-Web resource requests from users or applications. It intercepts user requests and forwards them to the Access Server for authentication and authorization. The terms WebGate and AccessGate can be used interchangeably in most situations.
WebPass is a Web server plug-in that passes information between a Web server and a COREid server.
COREid Identity Server processes all user identity, group, organization, and credential-management requests.
Access Server, the policy decision-maker, receives requests, responds to the access client, and manages the login session. The Access Server receives requests from WebGate and queries the authentication, authorization, and auditing rules in Oracle Internet Directory. The Access Server also manages the login session by helping WebGate terminate sessions, set user session timeouts, reauthenticate when timeouts occur, and track session activity.
Access Manager writes policy data to Oracle Internet Directory, and updates the Access Server with policy modifications. It includes an Access System Console that enables administrators to manage policies and the system configuration.
|
Note: In the 10.1.3 implementation, Application Server Control does not support configuration of Oracle COREid Access and Identity. |
This section describes what you must have installed to use Oracle COREid Access and Identity. Oracle COREid Access and Identity components are version 7.0.4.
|
See Also:
|
At a high level, prerequisites include installing Oracle COREid Access and Identity and Oracle Application Server, and configuring the Access SDK and your applications on OC4J.
Detailed requirements on the COREid side:
A suitable LDAP repository, such as Oracle Internet Directory (included in the Oracle Application Server 10.1.2 infrastructure).
A Web server, such as Oracle HTTP Server (included in the Oracle Application Server 10.1.3 middle-tier infrastructure).
The COREid Identity Server and Access Server. When you install Oracle COREid Access and Identity, you will be asked to specify the LDAP repository you are using, which must be accessible for communication with COREid Identity Server and Access Server during runtime.
COREid WebGate, WebPass, and Access Manager installed on the Web server. WebGate is the SSO interceptor and communicates with Access Server during runtime. WebPass communicates with COREid Identity Server. Access Manager communicates with the LDAP repository. When you install WebGate and WebPass, you will be asked to specify the Access Server and COREid Identity Server you are using.
Detailed requirements on the OC4J side:
Oracle Application Server 10.1.3 middle-tier installation, with OC4J and Oracle HTTP Server, including the mod_oc4j Apache mod. Note that this is separate from the Web server you install on the COREid side, which may or may not be Oracle HTTP Server.
Using the COREid Access security provider requires Oracle HTTP Server; you cannot use standalone OC4J.
COREid WebGate installed on this Oracle HTTP Server.
Additional OC4J instances as needed. Typically, when using COREid SSO, multiple OC4J instances are used in the topology, so the Oracle HTTP Server instance must be configured to route and maintain multiple OC4J instances.
COREid Access SDK, one for each OC4J instance, on the same system as OC4J. The Access SDK is required by OC4J at runtime to communicate with Access Server.
The next section, "COREid Architecture", shows how the Oracle COREid Access and Identity components fit with key components of the Oracle Application Server middle-tier infrastructure.
There are three stages of configuration steps to use OC4J applications with the COREid Access security provider:
One-time configurations for the COREid installation. This includes setting up authentication schemes and configuring a COREid resource type. Refer to "Configuring COREid Access".
Configurations for each OC4J instance. This includes configuring each OC4J instance with an Access SDK installation. Refer to "Configuring OC4J with the Access SDK".
Configurations for your application. This includes web.xml settings, deployment-time settings, orion-application.xml settings (pre- or post-deployment), and JAAS login module settings. Refer to "Configuring the Application".
Several of the configuration steps documented later in this chapter involve running the COREid Access Manager. Run it with a URL such as the following, then log in:
http://host:port/access/oblix
This will put you at the Access System Console, used frequently in this chapter.
This section provides background on some COREid concepts that will be relevant later in this chapter:
In Oracle COREid Access and Identity, a resource type describes the kind of resource to be protected, including its associated operations. Operations associated with a resource are tied to its type. Before you can add resources to a policy domain, you must define their types and the operation or operations associated with them that you want to protect.
For example, by default Oracle COREid Access and Identity supports resource types that are named "HTTP" and "EJB". The HTTP resource type supports operations such as CONNECT, DELETE, GET, POST, PUT, and TRACE. The EJB resource type supports the operation EXECUTE, which executes a bean. For a custom resource type, you can specify a custom operation name.
To create a session to the Access Server, OC4J uses the Access SDK, and the SDK expects some resource type and resource operation to be specified. For this reason, when you configure the COREid login module, you must configure a custom COREid resource type, including the following:
Desired name of the resource type (can be arbitrary)
Desired name of the operation (can be arbitrary)
You will specify just a single resource operation, but this will encompass whatever you want to execute against the protected resource.
URL of the protected resource
|
See Also:
|
In order to validate any user, COREid must be configured with an authentication scheme. An authentication scheme consists of plug-ins.
OC4J support for Oracle COREid Access uses the COREid credential_mapping plug-in, which maps user credentials to profiles, and, where applicable, the validate_password plug-in, which validates user passwords. You must configure these plug-ins as shown later in this chapter.
Additionally, OC4J supports two modes of integrating end-user authentication (identity assertion) with COREid Access:
Use of the COREid SSO cookie, ObSSOCookie, discussed further in the next section, "About the COREid Single Sign-On Cookie"
Use of a user name and password that are passed in HTTP headers, discussed further in "About Using HTTP Header Variables for Authentication"
|
See Also:
|
Oracle COREid Access implements single-domain and multi-domain single sign-on through an encrypted session cookie called the ObSSOCookie. (This is one of two possible modes of end-user authentication, the other involving HTTP header variables as discussed in the next section.) WebGate sends this cookie to the user's browser upon successful authentication. This cookie can then act as an authentication mechanism for other protected resources that require the same or a lower level of authentication.
When a user requests access to a resource, the request flows from WebGate to the Access Server. Once the user is validated, the ObSSOCookie is set, and then passed to OC4J. With this single sign-on functionality, COREid uses the cookie for subsequent requests instead of prompting the user to supply authentication credentials.
OC4J uses the ObSSOCookie to connect to the COREid Access Server and retrieve user roles.
|
Note: ObSSOCookie is a session cookie by default, but can be made persistent.
|
|
See Also:
|
COREid supports the use of HTTP header variables for authentication, where a user name and password are passed in HTTP headers to assert an end user. (This is one of two possible modes of end-user authentication, the other being the use of the COREid ObSSOCookie as discussed in the preceding section.)
To use this mode, you must configure the COREid login module with this user name and password (as discussed in "Configure the COREid JAAS Login Module") for OC4J to use in accessing the COREid Access Server.
Consider the 4K size limit of the HTTP header when you use HTTP header variables and cookies to pass information to downstream applications. This HTTP header size limit includes all cookies, server variables, and environment variables—that is, all of the content of the HTTP header. There is no constraint on the number of individual elements an HTTP header can contain if the content does not exceed the 4K limit. Therefore, when assessing the amount of available space in the HTTP header, take into account the byte size of the data used by COREid and other applications. For example, if COREid and other applications combine to use 1K in the HTTP header, you would have 3K for your data.
This section discusses one-time configurations to your COREid Access installation:
For single sign-on functionality, a form-based authentication scheme must be used in protecting your resources, due to limitations in the basic authentication scheme. (Some aspects of your configuration will have to use a no-password authentication, however, as discussed in "Configure COREid Basic Authentication".)
The steps here are to create and protect a login page for form-based authentication in Oracle COREid Access and Identity, for use by WebGate in protecting your resource. You will later configure your application to be protected by this form-based authentication.
Configure the credential_mapping Plug-In for Form-Based Authentication
Configure the validate_password Plug-In for Form-Based Authentication
|
See Also:
|
Create a login page for form-based authentication. As will be pointed out, some of the parameters you set in this page correspond to settings you will make in Access Manager and the COREid plug-ins.
Put the login page under the OHS_HOME/document_root directory, typically ORACLE_HOME/Apache/Apache/htdocs, on the middle-tier system.
Here is a sample login page, login.html. Assume it is in the ORACLE_HOME/Apache/Apache/htdocs/login directory.
<html> <head> <title> COREid SSO Login Page</title> <body bgcolor="white"> <h1 align="center">COREid SSO Provider Example : Sign in</h1> <form method="POST" action="/coreid/access/test.html" > <table border="0" cellspacing="5"> <tr> <th align="right">Username:</th> <td align="left"><input type="text" name="usernamevar"></td> </tr> <tr> <th align="right">Password:</th> <td align="left"><input type="password" name="passwordvar"></td> </tr> <tr> <td align="right"><input type="submit" value="Log In"></td> <td align="left"><input type="reset"></td> </tr> </table> </form> </body> </html>
The action URL for the POST method can be arbitrary, but must match the action URL you specify when you configure authentication management in Access Manager in the next step.
The variable for the user name (usernamevar here) must match what you specify in the COREid credential_mapping plug-in. The variable for the password (passwordvar here) must match what you specify in the COREid validate_password plug-in.
This step uses the COREid Access Manager to define form-based authentication. Navigate as follows in Access Manager:
Access System Console > Access System Configuration > Authentication Management
List all authentication schemes, then choose to add a new scheme. In the General tab to define a new authentication scheme, makes entries such as the following:
Name: COREidSSOform Description: COREid SSO Form Based Level: 1 Challenge Method: Form Challenge Parameter: form: /login/login.html creds: usernamevar passwordvar action: /coreid/access/test.html passthrough: No SSL Required: No Challenge Redirect Enabled: Yes
You can choose any name and description; here "COREidSSOform" and "COREid SSO Form Based" are just examples. The challenge parameter specifies login/login.html as the form because that is the path relative to the Oracle HTTP Server document root where we created the login page in the previous step. Leave "Challenge Redirect" blank.
Note that the entries for "creds" here must match the variables specified for user and password in your login page in the previous step, and these variables are used in the credential_mapping plug-in and validate_password plug-in, respectively, for form-based authentication.
Also note that the action URL (/coreid/access/test.html here) can be arbitrary, but must match the action URL for the POST method in your login page. Protect this URL with the basic (no password) authentication scheme described in "Configure COREid Basic Authentication".
Next, you must configure the COREid credential_mapping plug-in for form-based authentication in Access Manager. This is to protect the login form.
Navigate to the appropriate page as follows:
Access System Console > Access System Configuration > Authentication Management
List all authentication schemes, then choose the form-based scheme, then go to the Plugins tab.
Modify the credential_mapping plug-in with entries such as the following:
obMappingBase="cn=users,dc=us,dc=oracle,dc=com",obMappingFilter="(&(&
(objectclass=inetorgperson)(uid=%usernamevar%))(|(!
(obuseraccountcontrol=*)) (obuseraccountcontrol=ACTIVATED)))"
The value entered for uid (usernamevar here) must match the variable you specified for the user name in the login form, and when defining form-based authentication in Access Manager, shown in previous steps.
This also corresponds to the value of the coreid.name.attribute option in the COREid login module configuration in OC4J.
|
See Also:
|
Now configure the COREid validate_password plug-in for form-based authentication in Access Manager. This is to protect the login form.
Navigate as for the credential_mapping plug-in in the previous step. Modify the validate_password plug-in with an entry such as the following:
obCredentialPassword="passwordvar"
The value entered for obCredentialPassword (passwordvar here) must match the password variable specified in the login page, and when defining form-based authentication in Access Manager, shown in previous steps.
This also corresponds to the value of the coreid.password.attribute option in the COREid login module configuration.
You must configure the COREid basic authentication scheme, which must not be password protected. (It will use only the credential_mapping plug-in, not the validate_password plug-in.) This scheme will be used to protect two resources:
A URL associated with the resource type that you configure, as discussed in "Configure and Protect the URL of the Configured Resource Type". The COREid login module will use this URL to communicate to the Access Server through the Access SDK.
The action URL for the form page, noted in "Create a Login Form" and "Define Form-Based Authentication in Access Manager". This is so submitted form requests can be intercepted by WebGate in order to enforce rules for submitted credentials.
(Your application itself, however, must be protected by form-based authentication, described in "Configure COREid Form-Based Authentication".)
These steps define basic authentication, without a password, to protect the resource.
This step uses the COREid Access Manager to configure basic authentication. Navigate as follows in Access Manager:
Access System Console > Access System Configuration > Authentication Management
List all authentication schemes, then choose to add a new scheme. In the General tab to define a new authentication scheme, makes entries such as the following:
Name: COREidSSONoPwd Description: Authentication without Password Level: 1 Challenge Method: Basic Challenge Parameter: realm:NetPoint Basic Over LDAP SSL Required: No Challenge Redirect Enabled: Yes
You can choose any name and description; here "COREidSSONoPwd" and "Authentication without Password" are just examples. The challenge parameter entry indicated here is one of the choices available from a dropdown list. Leave "Challenge Redirect" blank.
Next, configure the COREid credential_mapping plug-in for basic authentication in Access Manager. This is to protect your resource, but without a password so WebGate can intercept results.
Navigate to the appropriate page as follows:
Access System Console > Access System Configuration > Authentication Management
List all authentication schemes, then choose the basic scheme, then go to the Plugins tab.
Modify the credential_mapping plug-in with entries such as the following:
obMappingBase="cn=users,dc=us,dc=oracle,dc=com",obMappingFilter="(&(&
(objectclass=inetorgperson)(uid=%usernamevar%))(|(!
(obuseraccountcontrol=*)) (obuseraccountcontrol=ACTIVATED)))"
These are the same entries as for the credential_mapping plug-in for form-based authentication. The value entered for uid (usernamevar here) must match the user name variable specified in the login form.
This also corresponds to the value of the coreid.name.attribute option in the COREid login module configuration.
|
See Also:
|
In Oracle COREid Access and Identity, a resource type describes the kind of resource to be protected, including its associated operations. Operations associated with a resource are tied to its type. You must configure an Oracle COREid Access and Identity resource type for your resource, and then protect your resource type, action URL, and application.
There are three parts to configuring the resource type for your resource, accomplished through Access Manager and described below:
The COREid login module will need information for the resource type, as will be noted. OC4J uses the resource type to retrieve user information based on the Oracle COREid Access and Identity ObSSOCookie or the user name, using APIs of the Access SDK.
Once these configuration steps are complete, the resource URL will be associated with the resource type and protected by the no-password basic authentication method you configured.
To configure the name and operation of the resource type in Access Manager, navigate as follows:
Access System Console > Access System Configuration > Common Information Configuration > Resource Type Definitions
On the page that lists all resource types, choose to add a new resource type.
Make entries such as the following to define a new resource type:
Resource Name: myresourcetype Display Name: My Resource Type Display Name Resource Matching: Case Insensitive Resource Operation: myresourceoperation
You can choose any names for the resource type and resource operation, but you must use the same names for the coreid.resource.type and coreid.resource.operation option values in the COREid login module configuration.
To configure and protect the URL of your configured resource type in Access Manager, navigate as follows:
Access Manager > Create Policy Domains
Choose the link for your policy domain. In the Resources tab, use entries such as the following:
Resource Type: myresourcetype Host Identifiers: myhost URL Prefix: /myresourceurl Description: My Description
This configuration must be protected using a no-password scheme. Use the basic scheme that you configured in "Define Basic Authentication in Access Manager".
Choose your resource type (myresourcetype in these examples) from the dropdown list, then choose the appropriate host name.
The URL prefix must start with a "/" and is the designated URL of the resource type. This must match the value of the coreid.resource.name option in the COREid login module configuration.
The description can be anything; "My Description" is just an example.
|
Note: Do not confuse the URL specified here with the "action URL" specified when setting up authentication in earlier steps. The two are separate. |
After authentication, OC4J requires access to the user's roles in order to check for authorization. To enable this, you must set up a COREid "return action" that allows COREid to return the appropriate roles to OC4J for the user after successful authentication.
To set up the return action in COREid, navigate as follows:
Access Manager > My Policy Domains > Select myresourcetype > Authorization Rules tab > Choose role name > Actions tab
Under the Authorization Success section, add the following entries (continuing the preceding example using myresourcetype):
Return Type: myresourcetype Return Name: myresourcetype Return Attribute: ObMyGroups
ObMyGroups is an action attribute defined in Oracle COREid Access and Identity for use in returning all the roles of an authenticated user.
|
See Also:
|
Using Access Manager, protect the action URL you specified in "Configure COREid Form-Based Authentication". Use similar steps as for protecting the resource type URL, as described in "Configure and Protect the URL of the Configured Resource Type".
This configuration must be under a no-password authentication scheme. Use the basic authentication scheme that you configured in "Configure COREid Basic Authentication".
Use "HTTP" as the resource type.
Specify the action URL (/coreid/access/test.html in the examples).
|
See Also: For information about how to protect resources:
|
This section describes configuration steps for each OC4J instance on the middle tier.
As a prerequisite to this, you must install WebGate on the Oracle HTTP Server instance in the middle tier. This Oracle HTTP Server instance, in turn, can (and typically does) support multiple OC4J instances.
This section covers the following steps:
|
Note: Your middle-tier and OC4J installation can be on the same system as COREid, but would typically not be. |
|
See Also:
|
Typically, when using COREid SSO, multiple OC4J instances are used in the topology, so the Oracle HTTP Server instance must be configured to route and maintain multiple OC4J instances:
Create new OC4J instances as desired, using the createinstance utility as described in the Oracle Containers for J2EE Configuration and Administration Guide.
Each OC4J instance should be tied to the Oracle HTTP Server instance. Each application deployed to an OC4J instance must be configured in the mod_oc4j configuration file, ORACLE_HOME/Apache/Apache/conf/mod_oc4j.conf, so that requests are properly routed to the OC4J instance. This should occur automatically when you create the OC4J instance.
You will need COREid Access SDK, one installation for each OC4J instance, on the same system as OC4J. The Access SDK is required by OC4J at runtime to communicate with Access Server. OC4J must be given the Access SDK location during startup (through the java.library.path property, as shown later in this chapter), so that it can initialize the SDK. Note this initialization occurs only if at least one application is using COREid Access as the security provider. Also note the following:
Create a separate Access SDK installation for each OC4J instance, on the same system as OC4J. You can have multiple Access SDK installations on the same system.
Configure each Access SDK to work with the appropriate Access Server. From the Access_SDK_Home/access/oblix/tools/configureAccessGate directory, run the command configureAccessGate. This utility requires the Access Server ID, AccessGate ID, and other related parameters.
Copy the COREid file jobaccess.jar from the Access SDK to the OC4J path. You will find this file in the Access_SDK_Home/AccessServerSDK/oblix/lib directory. Create the directory ORACLE_HOME/j2ee/home/lib/ext (if it does not already exist) and copy the jobaccess.jar to that directory.
|
See Also:
|
You must configure the java.library.path property for each OC4J instance, in the ORACLE_HOME/opmn/conf/opmn.xml file, so that the OC4J instance has access to the Access SDK at runtime. Set the property so that it points to the SDK location.
For example, on a Windows system:
-Djava.library.path=C:\CoreID\AccessSDK\AccessServerSDK\oblix\lib
|
See Also:
|
Instructions in this section are geared toward a Web application, consisting of the following steps:
The first step in protecting your application is to protect appropriate URLs or URL prefixes through settings in the web.xml file, using standard J2EE features.
These are the same URLs that you will you protect through COREid configuration in "Protect the Application URLs in COREid Access".
In the Oracle Application Server 10.1.3 implementation, Application Server Control does not yet support COREid Access as a security provider. When you deploy your application using the Application Server Control Console, choose the file-based provider. This will be overridden through the configuration steps documented in this chapter.
To use COREid Single Sign-On as the authentication method for Web applications, set the auth-method attribute to "COREIDSSO" in the <jazn-web-app> element in the OC4J orion-application.xml file. You can do this as either a pre-deployment step (packaged in the EAR file) or a post-deployment step.
|
Notes:
|
Here is a sample entry in orion-application.xml, where <jazn-web-app> is a subelement of the <jazn> element:
<orion-application ... >
...
<jazn provider="XML" >
<jazn-web-app auth-method="COREIDSSO"/>
...
</jazn>
...
</orion-application>
Use Access Manager to protect your application URLs or URL prefixes through form-based authentication. These will be the same URLs as in "Protect the Application URLs in web.xml". Use the following navigation:
Access Manager > Create Policy Domains
Then choose the appropriate public policy domain. You should protect each URL or URL prefix you protected in web.xml, as follows:
Use "HTTP" as the resource type.
Specify the URL (for example, /foo).
The configuration must be under the form-based authentication scheme that you defined in "Configure COREid Form-Based Authentication".
|
See Also: For information about how to protect resources:
|
For a Web application, the OC4J implementation to support Oracle COREid Access and Identity requires the login module CoreIDLoginModule, supplied by Oracle. The following template shows the general form of the configuration, in the system-jazn-data.xml file. Note the <class> and <control-flag> element settings. Table 10-1 describes the available options. Examples of specific scenarios and their configurations are shown later in this chapter.
|
Note: As with other custom login modules, the settingprovider="XML" is used with the COREid login module.
|
<application> <name>yourappname</name> <login-modules> <login-module> <class> oracle.security.jazn.login.module.coreid.CoreIDLoginModule </class> <control-flag>required</control-flag> <options> <option> <name>option1name</name> <value>option1value</value> </option> <option> <name>option2name</name> <value>option2value</value> </option> ... </options> </login-module> </login-modules> </application>
Table 10-1 COREid Login Module Options
| Option Name | Required/Optional | Option Value |
|---|---|---|
|
addAllRoles |
Required |
This flag should be set to |
|
coreid.resoure.type |
Required |
Name of the resource type you defined through Access Manager. See Also: "About COREid Resource Types" and "Configure the Name and Operation of the Resource Type" |
|
coreid.resource.operation |
Required |
Name of the resource operation associated with the resource type specified in See Also: "Configure the Name and Operation of the Resource Type" |
|
coreid.resource.name |
Required |
The URL prefix associated with the resource type specified in See Also: "Configure and Protect the URL of the Configured Resource Type" |
|
coreid.name.attribute |
Required |
Variable for the user name for authentication, as defined in the See Also: "About COREid Authentication" and "Configure the credential_mapping Plug-In for Form-Based Authentication" |
|
coreid.password.attribute |
Required (except when using X.509 token or SAML authentication) |
Variable for the password for authentication, as defined in the See Also: "Configure the validate_password Plug-In for Form-Based Authentication" |
|
coreid.name.header |
Optional |
If you use HTTP header variables for authentication, this parameter is the user name that OC4J should use to authenticate against the COREid Access Server. See Also: "About Using HTTP Header Variables for Authentication" and "Web Application Using HTTP Header Variables through COREid" |
|
coreid.password.header |
Optional |
If you use HTTP header variables for authentication, this parameter is the password that OC4J should use with the user name specified in |
|
Note: The values ofcoreid.resource.type, coreid.resource.operation, and coreid.resource.name are determined during one-time COREid configuration, as described in "Configure the Resource Type", and are the same for any application using the same installation of Oracle COREid Access and Identity. Each application must configure these property values in its configuration for the COREid login module.
|
The following sample corresponds to the example that runs throughout "Configure COREid Form-Based Authentication", "Configure COREid Basic Authentication", and "Configure the Resource Type":
<application>
<name>foo</name>
<login-modules>
<login-module>
<class>
oracle.security.jazn.login.module.coreid.CoreIDLoginModule
</class>
<control-flag>required</control-flag>
<options>
<option>
<name>addAllRoles</name>
<value>true</value>
</option>
<option>
<name>coreid.resource.type</name>
<value>myresourcetype</value>
</option>
<option>
<name>coreid.resource.operation</name>
<value>myresourceoperation</value>
</option>
<option>
<name>coreid.resource.name</name>
<value>/myresourceurl</value>
</option>
<option>
<name>coreid.name.attribute</name>
<value>usernamevar</value>
</option>
<option>
<name>coreid.password.attribute</name>
<value>passwordvar</value>
</option>
</options>
</login-module>
</login-modules>
</application>
(This uses all supported options for the COREid login module except for coreid.name.header and coreid.password.header. Examples for these are shown later in this chapter.)
After you have deployed your Web application, restarted OC4J, and restarted Oracle HTTP Server, run the application. This example assumes Oracle HTTP Server listens on port 6666:
http://www.example.com:6666/foo
WebGate will intercept this request and will check the authentication scheme for this URL. The configuration shown earlier in this chapter will result in the user being prompted with the login.html login form from "Create a Login Form". Then the following sequence will take place:
WebGate will capture the user name and password from the login form and communicate to Access Server.
Access Server will communicate to Oracle Internet Directory (or other repository that you use).
After the user is authenticated, the COREid SSO token will be returned to WebGate.
WebGate will set the ObSSOCookie and pass the cookie and other HTTP headers to mod_oc4j, which will route the request to the appropriate OC4J instance.
OC4J will take the cookie and validate it, or retrieve roles for the user associated with this cookie from Access Server using the Access SDK configured on OC4J.
This section discusses the following COREid usages for Web applications and EJBs:
You can optionally configure a Web application to use HTTP header variables for authentication. The header variable for user name corresponds to the coreid.name.header option in the COREid login module configuration. The header variable for password corresponds to the coreid.password.header option.
You must execute the following steps to use these header variables:
Use Access Manager to create an HTTP header variable for passing the user name, and, as appropriate, a header variable for passing the password. Whether to include the password depends on whether your COREid authentication scheme uses just the credential_mapping plug-in, or also uses the validate_password plug-in.
|
See Also: For information about using HTTP header variables:
|
Include option settings for coreid.name.header and (as appropriate) coreid.password.header in the COREid login module configuration in system-jazn-data.xml. In the following example, password authentication is used, and the HTTP header variables you created in the previous step are myhttpuservar and myhttppwdvar:
<options>
...
<option>
<name>coreid.name.header</name>
<value>myhttpuservar</value>
</option>
<option>
<name>coreid.password.header</name>
<value>myhttppwdvar</value>
</option>
...
</options>
|
Note: When using HTTP header variables, be aware that option settings forcoreid.name.attribute and coreid.password.attribute are still required, in addition to settings for coreid.name.header and coreid.password.header.
|
Define appropriate security constraints in your standard Web application configuration, and set auth-method="COREIDSSO" in orion-application.xml as shown in "Configure COREid SSO in orion-application.xml".
When no HTTP header variables are provided for a secure Web application, the COREid ObSSOCookie is used to retrieve authentication information. By default, this cookie contains the cookie in the HTTP header.
You must execute the following steps to use the cookie:
Include option settings for coreid.name.attribute and (as appropriate) coreid.password.attribute in the COREid login module configuration in system-jazn-data.xml. In the following example, password authentication is used, and the user name and password variables you defined for the credential_mapping and validate_password plug-ins are usernamevar and passwordvar:
<options>
...
<option>
<name>coreid.name.attribute</name>
<value>usernamevar</value>
</option>
<option>
<name>coreid.password.attribute</name>
<value>passwordvar</value>
</option>
...
</options>
Define appropriate security constraints in your standard Web application configuration, and set auth-method="COREIDSSO" in orion-application.xml as shown in "Configure COREid SSO in orion-application.xml".
For EJB authentication, OC4J gets the user name and password from the EJB context and passes them to the COREid login module. The same user name and password are used to authenticate against Oracle COREid Access and Identity. The EJB scenario requires both the credential_mapping plug-in and the validate_password plug-in, discussed earlier in this chapter. The user name and password variables you define for the plug-ins must be reflected in option settings for the COREid login module, as discussed in "Configure COREid Form-Based Authentication".
The client must send the user name and password for authenticating itself before it can access the EJB.
Configure the COREid login module, where COREid Access authentication variables are as follows:
myejbappname is the name of the EJB application.
myejbusernamevar is the variable name for the EJB user name, as you define in the credential_mapping plug-in.
myejbpwdvar is the variable name for the EJB user password, as you define in the validate_password plug-in.
<application> <name>myejbappname</name> <login-modules> <login-module> <class> oracle.security.jazn.login.module.coreid.CoreIDLoginModule </class> <control-flag>required</control-flag> <options> <option> <name>addAllRoles</name> <value>true</value> </option> <option> <name>coreid.resource.type</name> <value>myresourcetype</value> </option> <option> <name>coreid.resource.operation</name> <value>myresourceoperation</value> </option> <option> <name>coreid.resource.name</name> <value>/myresourceurl</value> </option> <option> <name>coreid.name.attribute</name> <value>myejbusernamevar</value> </option> <option> <name>coreid.password.attribute</name> <value>myejbpwdvar</value> </option> </options> </login-module> </login-modules> </application>
|
Note: In the current release there is no direct support for a scenario where COREidObSSOCookie is sent instead of the user name and password for authentication.
|
|
See Also:
|
Web services can use Oracle COREid Access and Identity for authenticating Web service clients. With respect to COREid, OC4J supports username token authentication, X.509 token authentication, and SAML token authentication, as follows:
Username token: OC4J extracts the user name and password, and uses them to authenticate against COREid.
X.509 token: OC4J uses the CN value of the X.509 entry to authenticate against COREid.
SAML token: OC4J uses the subject name to authenticate against COREid.
The following usages are shown below:
|
Note: In the current release there is no direct support for a scenario where the COREidObSSOCookie is sent instead of the user name and password for authentication.
|
|
See Also:
|
A username token client uses the user name and password for authentication. You must configure variables for the user name and password through the COREid credential_mapping and validate_password plug-ins, with corresponding settings for the coreid.name.attribute and coreid.password.attribute options in the COREid login module configuration, as discussed in "Configure COREid Form-Based Authentication".
Configure the COREid login module as follows, where:
UsernameAppName is the name of the Web service application using username token authentication.
UsernameNamevar is the variable name for the user name, as you define in the credential_mapping plug-in.
UsernamePwdvar is the variable name for the user password, as you define in the validate_password plug-in.
<application> <name>UsernameAppName</name> <login-modules> <login-module> <class> oracle.security.jazn.login.module.coreid.CoreIDLoginModule </class> <control-flag>required</control-flag> <options> <option> <name>addAllRoles</name> <value>true</value> </option> <option> <name>coreid.resource.type</name> <value>myresourcetype</value> </option> <option> <name>coreid.resource.operation</name> <value>myresourceoperation</value> </option> <option> <name>coreid.resource.name</name> <value>/myresourceurl</value> </option> <option> <name>coreid.name.attribute</name> <value>UsernameNamevar</value> </option> <option> <name>coreid.password.attribute</name> <value>UsernamePwdvar</value> </option> </options> </login-module> </login-modules> </application>
|
See Also:
|
An X.509 client uses the CN value from the X.509 entry for authentication. You must configure a variable for the CN user name through the COREid credential_mapping plug-in, with a corresponding setting for the coreid.name.attribute option in the COREid login module configuration, as discussed in "Configure COREid Form-Based Authentication".
You do not configure the COREid validate_password plug-in or set the login module coreid.password.attribute option when X.509 token authentication is used.
Configure the COREid login module as follows, where:
X509AppName is the name of the Web service application using X.509 token authentication.
cn_name_var is the variable name for the CN user name, as you define in the credential_mapping plug-in.
<application> <name>X509AppName</name> <login-modules> <login-module> <class> oracle.security.jazn.login.module.coreid.CoreIDLoginModule </class> <control-flag>required</control-flag> <options> <option> <name>addAllRoles</name> <value>true</value> </option> <option> <name>coreid.resource.type</name> <value>myresourcetype</value> </option> <option> <name>coreid.resource.operation</name> <value>myresourceoperation</value> </option> <option> <name>coreid.resource.name</name> <value>/myresourceurl</value> </option> <option> <name>coreid.name.attribute</name> <value>cn_name_var</value> </option> </options> </login-module> </login-modules> </application>
|
See Also:
|
For a SAML client, OC4J determines the subject name, and you must configure a variable name for SAML subject authentication through the COREid credential_mapping plug-in. This credential_mapping setting must be reflected in the setting of the coreid.name.attribute option in the COREid login module configuration, as discussed in "Configure COREid Form-Based Authentication". OC4J passes the subject name and credential_mapping variable name to COREid for authentication.
You do not configure the COREid validate_password plug-in or set the login module coreid.password.attribute option when SAML authentication is used.
Configure the COREid login module as shown below, where:
SAMLAppName is the name of the Web service application using SAML token authentication.
subject_name_var is the variable for the subject name, as you define in the credential_mapping plug-in.
In the SAML scenario, there is also a SAML login module, SAMLLoginModule, that you must configure along with the COREid login module, as follows. This example uses www.example.com for the issuer name.
|
Important: TheSAMLLoginModule configuration must precede the CoreIDLoginModule configuration in system-jazn-data.xml.
|
<application> <name>SAMLAppName</name> <login-modules> <login-module> <class> oracle.security.jazn.login.module.saml.SAMLLoginModule </class> <control-flag>required</control-flag> <options> <option> <name>addAllRoles</name> <value>true</value> </option> <option> <name>issuer.name.1</name> <value>www.example.com</value> </option> </options> </login-module> <login-module> <class> oracle.security.jazn.login.module.coreid.CoreIDLoginModule </class> <control-flag>required</control-flag> <options> <option> <name>addAllRoles</name> <value>true</value> </option> <option> <name>coreid.resource.type</name> <value>myresourcetype</value> </option> <option> <name>coreid.resource.operation</name> <value>myresourceoperation</value> </option> <option> <name>coreid.resource.name</name> <value>/myresourceurl</value> </option> <option> <name>coreid.name.attribute</name> <value>subject_name_var</value> </option> </options> </login-module> </login-modules> </application>
|
See Also:
|
Table 10-2 provides some troubleshooting tips for your Oracle COREid Access and Identity setup and configuration.
Table 10-2 Oracle COREid Access and Identity Troubleshooting
| Problem | Cause/Solution |
|---|---|
|
The application is configured to use COREid SSO. When you try to access the application, Access Server crashes and restarts. |
This will happen if you have configured the incorrect search base in Oracle Internet Directory, or the group name is not properly created. |
|
When you try to access the COREid SSO application, it throws a Class Not Found exception. |
Confirm you copied the COREid file |
|
When you try to access the COREid SSO application, it gives an internal server error. |
Confirm that the Access SDK installed on the OC4J server is configured to use the appropriate Access Server, as discussed in "Configure the Access SDK to Each OC4J Instance". Also confirm that OC4J is running. |
|
When you try to access the COREid SSO application, it does not appear in the login page. |
Confirm you have enabled your authentication scheme with proper settings, using Access Manager, as discussed in "Configure COREid Form-Based Authentication". |
|
When you try to access the COREid SSO application, the login page keeps coming back. |
Confirm that the form-based authentication scheme is enabled, and that the form variable names (for user and password) in your login page are the same as you configured in the COREid form-based authentication scheme, and that the credential mapping scheme and password validation scheme are configured for the form-based authentication scheme. Refer to "Configure COREid Form-Based Authentication". |
|
You have configured the application to use Oracle COREid Access and Identity, but you always get an "unauthorized" or "unauthenticated" error. |
Confirm that the COREid login module is correctly configured for this application in |
|
You have configured the application to use Oracle COREid Access and Identity, but you get an internal server error. |
Confirm that the LDAP server (Oracle Internet Directory, for example) that is configured with the COREid Identity Server is running and accessible. |
|
You have configured the application to use COREid SSO, but when you attempt to access it, after you enter the user name and password, the application hangs. |
Confirm that the action URL used in the form page is protected with an authentication scheme without password, such as the basic scheme. (Protecting the action URL with a password-protected authentication scheme results in an execution loop.) See "Create a Login Form". |
