Wednesday, January 28, 2004


Securing a Web Service - Adding Users

My last entry prompted a question on how to add users to the OC4J instance so they could be used as the principals who are authenticated against that secured Web service. The way to do this is to use Oracle's JAAS implementation built into OC4J. Here's the step by step:

1. First you have to tell the JDK you are using to run your OC4J instance who your policy provider and your login configuration provider are - in this case Oracle's JAAS implementation. To do this, go to your <java_home>\jre\lib\security directory and edit the file java.security, adding the following two lines:

auth.policy.provider=oracle.security.jazn.spi.PolicyProvider
login.configuration.provider=oracle.security.jazn.spi.LoginConfigProvider

2. Next, check out the users and roles for your OC4J instance by running these commands:

cd <j2ee_home>
<java_home>\bin\java -jar jazn.jar -user admin -password welcome -listusers
<java_home>\bin\java -jar jazn.jar -user admin -password welcome -listroles

where <j2ee_home> is where your OC4J lives and <java_home> is where your JDK lives.

3. Now let's create a new user - "mike" - who we will add to the physical role "users". Remember that "users" is what we mapped the J2EE logical role "GreetingRole" to in the orion-web.xml. Here we go:

<java_home>\bin\java -jar jazn.jar -user admin -password welcome -adduser jazn.com mike welcome

Here we have authenticated ourselves as the administrator (account admin, password welcome), then issued the "adduser" command against the JAAS realm "jazn.com": the new user is "mike" with a password of "welcome".

More on how roles, realms and users relate can be found here.

4. Now let's add "mike" to the users role:

<java_home>\bin\java -jar jazn.jar -user admin -password welcome -grantrole users jazn.com mike

Here again we authenticate to OC4J as the "admin" user with the password "welcome", then grant the role "users" within the realm "jazn.com" to the actual user "mike".

5. Lastly, you might want to confirm that "mike" belongs to the role users. Try this command:

<java_home>\bin\java -jar jazn.jar -user admin -password welcome -listusers jazn.com -role users

Re-start OC4J (there is a flag that I can't track down the link to that lets you add users without re-starting) and now "mike" with a password of "welcome" can authenticate to that Web service. You can change the stub code in my previous entry to use these credentials and your Web service should be quite happy with "mike".
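As an added example (not from the original post), the POSIX shell script below automates steps 2 to 5 for one user and checks that the role grant actually took effect, reading the admin password from the environment instead of retyping it on each command. It assumes J2EE_HOME is your <j2ee_home>, JAVA_HOME is your JDK, and that "-listusers <realm> -role <role>" prints one user name per line.

```shell
#!/bin/sh
# Added example, not from the original post: runs the jazn.jar commands of
# steps 2 to 5 for one user and verifies the grant. Assumes J2EE_HOME is
# <j2ee_home> (jazn.jar is run from there, as in step 2), JAVA_HOME is the
# JDK, and "-listusers <realm> -role <role>" prints one user name per line.
set -eu

J2EE_HOME="${J2EE_HOME:-.}"
JAVA_HOME="${JAVA_HOME:-/usr/java}"          # placeholder default
JAZN_ADMIN="${JAZN_ADMIN:-admin}"
JAZN_ADMIN_PW="${JAZN_ADMIN_PW:-}"           # supply via the environment
# Command prefix; overridable so the logic can be exercised without OC4J.
JAZN_CMD="${JAZN_CMD:-$JAVA_HOME/bin/java -jar jazn.jar}"

# Run one jazn.jar admin command from <j2ee_home>, admin credentials first.
jazn() {
    [ -n "$JAZN_ADMIN_PW" ] || { echo "JAZN_ADMIN_PW is not set" >&2; return 1; }
    ( cd "$J2EE_HOME" && $JAZN_CMD -user "$JAZN_ADMIN" -password "$JAZN_ADMIN_PW" "$@" )
}

# Succeed if user $2 is listed as a member of role $3 in realm $1 (step 5).
user_in_role() {
    jazn -listusers "$1" -role "$3" | grep -qx -- "$2"
}

# Create the user only if it is missing (step 3), grant the role (step 4),
# then confirm membership (step 5); fail if the grant did not stick.
provision_user() {
    realm=$1; user=$2; password=$3; role=$4
    if jazn -listusers "$realm" | grep -qx -- "$user"; then
        echo "user $user already exists in realm $realm"
    else
        jazn -adduser "$realm" "$user" "$password"
    fi
    jazn -grantrole "$role" "$realm" "$user"
    if user_in_role "$realm" "$user" "$role"; then
        echo "$user is now a member of role $role"
    else
        echo "grant of role $role to $user did not take effect" >&2
        return 1
    fi
}

# Usage: JAZN_ADMIN_PW=... J2EE_HOME=/path/to/j2ee/home ./jazn_add.sh jazn.com mike welcome users
if [ $# -eq 4 ]; then
    provision_user "$@"
fi
```

The admin password still appears in the process's command line while jazn.jar runs, since -password is the only way the tool shown here accepts it; keeping it out of the typed command at least keeps it out of shell history.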

I have given you the command line version of what to do here ... on a full OracleAS install Enterprise Manager gives a nice GUI for this. Further, in real life, this would be done through the console by the security administrator rather than some product manager running amok in a blog!



10:46:28 PM