Thursday, January 3, 2008

Security in Oracle Application Client Container

The Application Client container has been part of the Java EE spec for a while now, yet the specification devotes barely four or five pages to it. The Application Client container provides access to a subset of the Java EE APIs in a remote JVM: a standalone Java application that wishes to use Java EE features (JNDI lookups, EJB references, container-managed authentication) can be run in an application client container instead of re-implementing those pieces itself.

OC4J provides a standalone application client container, as documented at http://download-uk.oracle.com/docs/cd/B32110_01/web.1013/b28958/appclient.htm

The link above has the full details; what I want to clarify here is how a CallbackHandler is used within OC4J's application client container.

The application client container reads a JAR that bundles an application-client.xml deployment descriptor. In this descriptor you can specify your CallbackHandler class, among various other things. A callback handler typically collects the user name and password from the user. If you don't provide a callback handler implementation, the Application Client Container looks for a jndi.properties file in your application client JAR instead.

OC4J requires a user name, a password and a provider URL to connect over ORMI. These three values can either be provided in the jndi.properties bundled with your application client, or your CallbackHandler implementation must supply them. If both jndi.properties and a CallbackHandler implementation are present, the CallbackHandler takes priority. Keep in mind that jndi.properties is a plain-text file inside the JAR, so a password placed there is readable by anyone who can read the JAR; a CallbackHandler that prompts at runtime avoids shipping the credential with the client.

You might need to write your own custom CallbackHandler implementation, for example to launch a GUI login dialog. The custom callback handler implements the javax.security.auth.callback.CallbackHandler interface. You will need to bundle your CallbackHandler and its dependencies in the JAR that is passed to OC4J's Application Client container.

Note that the CallbackHandler implementation has to supply a public no-args constructor, because OC4J's app client container instantiates the handler reflectively and only looks for a no-args constructor.
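As an added illustration (not code from the original post, and not Oracle's own code), here is a minimal CallbackHandler of the kind described above. The class name ConsoleCallbackHandler is an assumption; it reads from the console rather than launching a GUI, so it needs Java 6 or later for java.io.Console. It fills the standard NameCallback, PasswordCallback and TextInputCallback and rejects anything else with UnsupportedCallbackException, naming the callback class so you can see exactly what the container asked for; the post does not say which callback OC4J uses to request the provider URL, so that is deliberately not guessed here. The main method only shows that the class can be created the way a container creates it, reflectively through the no-args constructor.

```java
import java.io.Console;
import java.io.IOException;
import java.util.Arrays;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.TextInputCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

/**
 * Example console-based CallbackHandler (class name is an assumption, not
 * an OC4J class). The public no-args constructor is the essential part:
 * the container instantiates the handler reflectively and passes nothing in.
 */
public class ConsoleCallbackHandler implements CallbackHandler {

    private final Console console;

    // Required: the app client container only looks for a no-args constructor.
    public ConsoleCallbackHandler() {
        this.console = System.console();
    }

    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        if (console == null) {
            // No interactive terminal (e.g. started from a service): fail
            // clearly rather than hand back empty credentials.
            throw new IOException("no interactive console; cannot prompt for credentials");
        }
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                NameCallback nc = (NameCallback) cb;
                String name = console.readLine("%s ", nc.getPrompt());
                if (name == null || name.trim().length() == 0) {
                    throw new IOException("no user name entered");
                }
                nc.setName(name.trim());
            } else if (cb instanceof PasswordCallback) {
                PasswordCallback pc = (PasswordCallback) cb;
                char[] pw = console.readPassword("%s ", pc.getPrompt());
                if (pw == null || pw.length == 0) {
                    throw new IOException("no password entered");
                }
                pc.setPassword(pw);    // setPassword stores a copy of the array
                Arrays.fill(pw, '\0'); // so wipe our own copy right away
            } else if (cb instanceof TextInputCallback) {
                // Generic free-text prompt; the container's own prompt text
                // tells the user what is being asked for.
                TextInputCallback tc = (TextInputCallback) cb;
                String text = console.readLine("%s ", tc.getPrompt());
                if (text == null || text.trim().length() == 0) {
                    throw new IOException("no value entered for " + tc.getPrompt());
                }
                tc.setText(text.trim());
            } else {
                // Unknown callback type: fail loudly and say which class it was,
                // instead of returning an unfilled callback that would show up
                // later as a confusing authentication failure.
                throw new UnsupportedCallbackException(cb,
                        "unsupported callback type " + cb.getClass().getName());
            }
        }
    }

    // Stand-alone check: instantiate the handler the way a container does
    // (reflectively, with no constructor arguments) and run it against the
    // two standard credential callbacks. Run with: java ConsoleCallbackHandler
    public static void main(String[] args) throws Exception {
        CallbackHandler h = (CallbackHandler) Class
                .forName(ConsoleCallbackHandler.class.getName())
                .getDeclaredConstructor()
                .newInstance();
        NameCallback nc = new NameCallback("User name:");
        PasswordCallback pc = new PasswordCallback("Password:", false);
        h.handle(new Callback[] { nc, pc });
        System.out.println("collected user '" + nc.getName() + "' and a "
                + pc.getPassword().length + "-character password");
        pc.clearPassword(); // zero the container-side copy once it is no longer needed
    }
}
```

If you add a constructor that takes arguments (a parent window, a resource bundle), keep the public no-args one as well, otherwise the reflective instantiation fails and you get no credential prompt at all. The password is kept as a char[] rather than a String so it can be zeroed after use.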

Note that you don't need to write your own login module. When the OC4J application client container needs to authenticate, it gets the user name and the password from the CallbackHandler and uses its own LoginModule to send them over the wire to the server, which authenticates the client.

Dear readers, a question for you: does the requirement to provide a CallbackHandler implementation with a no-args constructor seem overbearing to you? The Java EE spec is silent about this.