Wednesday, January 28, 2004
Securing a Web Service - Adding Users

My last entry prompted a question on how to add users to the OC4J instance so they could be used as the principals who are authenticated against that secured Web service. The way to do this is to use Oracle's JAAS implementation built into OC4J. Here's the step by step:

1. First you have to tell the JDK you are using to run your OC4J instance who your policy provider is and who your login provider is - in this case, Oracle's JAAS implementation. To do this go to your <java_home>\

    auth.policy.provider=oracle.security.jazn.spi.PolicyProvider
    login.configuration.provider=oracle.security.jazn.spi.LoginConfigProvider

2. Next, check out the users and roles for your OC4J instance by running these commands:

    cd < where <j2ee_home>

3. Now let's create a new user - "mike" - who we will add to the physical role "users". Remember that "users" is what we mapped the J2EE logical role "GreetingRole" to in the orion-web.xml. Here we go:

    <java_home>\bin\

Here we have authenticated ourselves as administrator with its account admin and password welcome, then issued the command "adduser" to the JAAS realm "jazn.com" - the user is "mike" with a password of "welcome". More on how roles, realms and users relate can be found here.

4. Now let's add "mike" to the users role:

    <java_home>\bin\

Here again we tell OC4J we are the administrator via the "admin" user with a password of "welcome" and then tell it that we are granting the role "users" within the realm "jazn.com" to the actual user "mike".

5. Lastly, you might want to confirm that "mike" belongs to the role users. Try this command:

    <java_home>\bin\

Re-start OC4J (there is a flag that I can't track down the link to that lets you add users without re-starting) and now "mike" with a password of "welcome" can be an authenticatable user of that Web service. You can change the stub code in my previous entry to use these credentials and your Web service should be quite happy with "mike".

I have given you the command-line version of what to do here ... on a full OracleAS install Enterprise Manager gives a nice GUI for this. Further, in real life, this would be done through the console by the security administrator rather than some product manager running amok in a blog!

10:46:28 PM