This and That

There are clouds

2012-02-10T07:18:00.002-05:00

When you look at the sky do you see a cloud? I bet more often than not you see clouds. And this precisely is the problem with many of the cloud providers. They exist in isolation, and often do not help companies deploying to multiple clouds solve many problems (especially in the security area) effectively.

Let’s take an example of a hypothetical XYZ Corporation. XYZ decides to leverage a few SaaS providers for its need in the area of Human Capital Management (HCM), Finance & Payroll, and Customer Relationship Management (CRM)-XYZ signs up with three different cloud based providers.

All looks good on the surface, but there are problems.

Let take a walk down the triad of AAA (Authentication, Authorization, and Audit) issues with the above setup.

Authentication: Where is the source of Identity hosted? Is it hosted at XYZ or is it hosted at a Cloud Provider?
How does the cloud provider trust an external source of Identity
How does XYX securely provide its users/employees/contractor to the hosted cloud provider and continue to keep its users in sync with the cloud provider.

3. Since we are talking multiple SaaS providers, what if a user John Doe is represented in various ways in the SaaS provider’s identity store. Representation from jdoe, john.doe, and jodoe has all been in corporate LDAP for years. Now imagine trying to reconcile John Doe across SaaS providers.

Typically SaaS (Cloud) providers are not aware of other cloud providers and they can’t offer services that leverage other providers.

For example if there was a business need to ensure the principle of “separation of duties” continued to be enforced when the John Doe is a user in HCM and Finance & Payroll offered by different vendors. How does one ensure that the HCM and Payroll system do not allow John Doe to both change his pay grade (an HCM function) and release payment (a Finance and Payroll feature ) on his expenses.

The separation of clouds causes problems in Authorization and Audit too. For example how does one audit that John Doe did not access HCM function when a given CRM function was accessed.

There are a few ways to solve this problem:

If it hurts, don't it – don’t sign up with multiple cloud providers - just kidding.
Put a level of indirection, a service like apigee may help
Standardize – Cloud Interoperability standard under development and JavaEE 7 will help, but a lot more is needed.
Cloud vendors to externalize some of their data to allow third party reconciliation, audit, authorization checks etc.

This is a hard problem, none of the solutions are easy, without side effects, or will work for everyone.

Do you face this problem? What are other ways to address this issue? Is there any effort to address this issue?

Why Facebook's hacker way will change

2012-02-08T12:15:00.003-05:00

http://www.msnbc.msn.com/id/46263927/ns/technology_and_science-tech_and_gadgets/t/facebook-hacker-way-way-life/

My take on this:

Hacking and moving fast is to facebook's advantage right now-no doubt. Hacking is ok, when there is little legacy code. Most interaction with FB services today is by humans, who are smart enough to deal with changes when the web interface changes.

As more machines(programs/automation) interact with FB and as it matures, FB will face the same inevitable slow down that other once fast growing companies have faced.

Comments, thoughts welcome.

Getting ready for Java development on Ubuntu

2011-11-01T20:47:00.004-04:00

It has been a while since I coded in Java. Now that I am getting back in to the thick of it, I thought to use Ubuntu distribution of Linux. Turns out with 11.10 version (and probably earlier) it does not support Sun/Oracle JDK and the default package manager only installs Open JDK.

All of this wouldn't be an issue if I didn't eed IntelliJ Idea as my IDE. IntelliJ prints an ugly warning that Open JDK isn't supported.

On Oracle's java website they don't provide a deb package for Ubuntu. I wasn't successful converting deb to rpm.

Turns out installing binary (bin) jdk on Ubuntu works like a charm and Intelli Idea is happy.

Now it is my turn to be a happy java developer again. :-)

SSL Debugging in WebLogic

2011-05-24T11:59:00.002-04:00

It has been a while since I posted anything here. While I come up with something new to write, here is post that will give you insight on the topic. Thanks to my friend Larry for the post.

Service Oriented Security 101 at Oracle Develop

2010-09-21T14:10:00.002-04:00

Come hear about our vision of Service oriented security and how OPSS is being used at Oracle. Looks like my session is one of the last sessions of this years OOW, so if you still hanging out, stop by Thursday 23th, 3:30 pm at Hotel Nikko Ballroom III

See more security sessions at this link.

Security Vs Identity Services

2010-04-26T20:49:00.004-04:00

Often I hear these terms used interchangeably. I see them differently. Security services provide the basic building blocks like crypto, hashing etc. Identity Services provide stuff like Enterprise SSO, Audit, Authorization etc. While in Java language there is an admirable collection of APIs/libraries for Security, identity services don't have much.

What do you think? Do you make this distinction?

OPSS podcast - Service Oriented Security

2010-03-22T11:54:00.005-04:00

While I give you many tips and tricks on this blog, hear Rohit Gupta's podcast to learn the vision behind OPSS.

OPSS Scripts for Programmatic Policy Mgmt.

2010-03-17T18:13:00.004-04:00

In the last post I gave example of WLST command necessary to grant code source permission to an application that will allow the application to use OPSS policy management API to modify the policy.

Here are more details.

I am using JDev build Build JDEVADF_11.1.1.2.0_GENERIC_091029.2229.5536.
The JDev is installed at the default location on my windows machine. Ran wlst command at C:\Oracle\Middleware\oracle_common\common\bin>wlst.cmd

In the WLST shell type
grantPermission(codeBaseURL="file:///C:/Documents and Settings/vishukla/Application Data/JDeveloper/system11.1.1.2.36.55.36/o.j2ee/drs/PolicySource/-", permClass="oracle.security.jps.service.policystore.PolicyStoreAccessPermission", permTarget="context=APPLICATION,name=PolicySource#V2.0", permActions="*")

1. The first bold entry is the exploded path where the application is during application development.
2. The second bold entry is the application stripe which by default is applicationame+"#"+"application version". By some quirk, each application version in JDev starts its counter at 2.
3. The third bold entry is the action, in this case I have a wild card to indicate all actions on the policy. However, in any non trivial environment you should use specific actions like "alterAppRole" as specified in the API javadoc.

Here are the command line output

wls:/DefaultDomain/serverConfig> grantPermission(codeBaseURL="file:///C:/Documen
ts and Settings/vishukla/Application Data/JDeveloper/system11.1.1.2.36.55.36/o.j
2ee/drs/PolicySource/-", permClass="oracle.security.jps.service.policystore.Poli
cyStoreAccessPermission", permTarget="context=APPLICATION,name=PolicySource#V2.0
", permActions="*")
{appStripe=null, permActions=*, principalName=null, permClass=oracle.security.jp
s.service.policystore.PolicyStoreAccessPermission, principalClass=null, permTarg
et=context=APPLICATION,name=PolicySource#V2.0, codeBaseURL=file:///C:/Documents
and Settings/vishukla/Application Data/JDeveloper/system11.1.1.2.36.55.36/o.j2ee
/drs/PolicySource/-}

Programmatic Authorization Policy Mangament with OPSS

2010-03-08T15:30:00.009-05:00

In the simplistic cases, often the authorization policy management is done using the provided tooling. OPSS provided tooling in the form of EM(GUI) and WLST (script) to manage policy.

For more advanced needs, OPSS also provides API for programmatic policy management.The Policy API is protected by codesource permission. Hence applications using the API will need to have the required permission. See the example 18.3.4.2 in FMW Security guide on the code necessary to use the API. What the example assumes is that proper policy access permission is granted before hand. I.e the application code running the example has PolicyStoreAccessPermission( "context=APPLICATION,name=applicationStripe" , "grant")

Here is the example of OPSS WLST command that needs to be run to grant the requirement Permission. Replace all bold entries with values appropriate for your environment. The first entry is the path to the application jar that is making the programmatic API call, the second bold entry is the application stripe.

grantPermission -codeBaseURL "file:/scratch/foo/abc.jar" -permClass oracle.security.jps.service.policystore.PolicyStoreAccessPermission -permTarget "context=APPLICATION,name=myAppName" -permActions "grant"

See this link for details on running FMW WLST commands.

There are two basic ways an application can use the example 18.3.4.2. One is to modify the application policy for itself, the other is to modify the application policy for another application.
The later might be the case when you have authorization management of the application structured as another application. In the second case, the code source for the second application needs to be granted the PolicyStoreAccess permission.

Fixed - eZShare app and Infinite loop in the browser

2009-11-13T16:30:00.007-05:00

With the latest version of the App, this issue is fixed.

If you run into an infinite loop running eZShare sample app with JDev 11.1.1.2.0, a workaround is to remove the AdfFacesFilter from your app's web.xml.

ie. remove the following

AdfFacesFilter & the Filter mapping for it.

JDev 11gR1 & WebLogic

2009-08-21T09:58:00.002-04:00

Did you know JDev 11gR1 embeds WLS 11gR1 (10.3.1) . When you develop an application in JDev and run it, JDev deploys the application automatically in the embedded WLS and launches the application's start page.

A less obvious fact is that this embedded WLS also comes with WLS Admin Console that is accessible from http://localhost:7101/console with weblogic/weblogic1 as the administrative account.

Deleting Application Policies with WLST

2009-08-14T11:49:00.003-04:00

OPSS can automatically delete application policies when the application is undeployed. This is controlled by flags I talked about in my previous posts.

Now there are occasions where you might want to delete application policies manually. Here is a WLST command sample.

Launch WLST command as /common/bin/wlst.sh
Connect to Admins server, connect('weblogic','welcome1',"localhost:7001")
Sample Output
Connecting to t3://localhost:7001 with userid weblogic ...
Successfully connected to Admin Server 'AdminServer' that belongs to domain 'domain1'.

Warning: An insecure protocol was used to connect to the
server. To ensure on-the-wire security, the SSL port or
Admin port should be used instead.
Delete the authZ policy for a an application, deleteAppPolicies(appStripe="TB#V1.0#9")
Sample Output

wls:/domain1/serverConfig> deleteAppPolicies(appStripe="TB#V1.0#9")
{appStripe=TB#V1.0#9}
Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.
For more help, use help(domainRuntime)

Note the application stripe is a fully qualified name and include the application + the version.

Application policy and App un-deployment

2009-08-07T14:35:00.005-04:00

You can deploy an ADF application with EM to a WebLogicServer Domain. Lets say the ADF app is secured. When the app is deployed, the security policies are also deployed with the app to the the target server. This happens automatically within JDeveloper. But when the app is deployed to a remote WLS this is exposed as configuration choice that the application deployer (Administrator by another name) will have to make.

This is controlled with the flags I blogged in my last post.

What about undeploying application security policies, when the corresponding application is undeployed. Turns out this does not happen automatically in 11gR1, and requires the application to be packaged(EAR file) with an "Weblogic-Application-Version" entry in its manifest file.

JDev automatically creates a MANIFEST file for the application when the application is packaged(deploy to an EAR). Here is an example manifest file.

Manifest-Version: 1.0
Created-By: 1.6.0_07 (Sun Microsystems Inc.)
Weblogic-Application-Version: V1.0

When this app is un-deployed its application policies are automatically removed.

Deploying a Secure application wiht EM

2009-08-07T13:29:00.005-04:00

As a reader of this blog, you probably know that Oracle Platform Security Services (OPSS) supports application life cycle from design, to deployment to monitoring etc. Now the security configuration management is exposed through Enterprise Manager - Fusion Middleware Control(names ,names, when will we use shorter names, but let me not get off track). It allows administrator to control how security related artifacts (policies, credentials etc) are deployed to the target server.

The feature is documented in the Oracle Fusion Middleware Security guide (section 7.2.1) but the doc is somewhat awkward. I recently has some email exchange with a customer about this, and I thought while we improve the doc, the clarification might be of interest to others.

"

The following three application security artifacts are of interest during application deployment process.

Identities - Which mean users and groups and application roles to groups/users mapping. These are defined by a Developer during application development process within JDev.

In most scenarios, the identities should not be migrated when deploying an application to a remote WLS (it is controlled with the check box, )

Mapping Application role to enterprise groups/users in a remote WLS environment is a post application deployment task to be done by an Administrator.

Policies - Which include Application roles and permissions granted to application roles.

When deploying the app for the first time, the policies should always be migrated to the Policy store, which is the option controlled by "Append" radio button
Upon re-deploying the app, to preserve any application policy modification made in the policy store, the admin should choose the "Ignore" radio button.

Credentials - Which are username/password tuples used by the applications

The radio button "Append" means credentials packaged with the application will be deployed to the remote WLS's credential store. In case a credential with the same map and key names already exists in the domain credential store, the migration process will skip that credential, and continue with others.
The radio button "Ignore" means credentials packaged with the application will not be deployed to the remote WLS's credential store. In this case, the administrator is then expected to create a credential valid for the environment, before the application works as designed by the developer."

Shout out to my colleague Sam for reviewing this post.

Upgrade to Fusion Middleware 11gR1

2009-07-17T17:29:00.004-04:00

So you are on OAS 10.1.x release and want to upgrade to 11gR1. It is a daunting topic, for starters here is the upgrade center. For upgrading custom JavaEE application upgrade see this whitepaper which incidentally I co-wrote.

Let me know if you run into any problems (specifically wrt to Security) during upgrade.

In case you are wondering what I am upto in October

2009-07-16T10:46:00.003-04:00

Come check out the Oracle Open World sessions on OPSS. I hope we get a chance to exchange some ideas after all that's what this Open World is all about.

Whats in your wallet?

2009-07-15T11:45:00.004-04:00

Ok, behind the clever title (which has been used before in Oracle internal wiki & no relation to Capital One) here is the situation. Often applications access some protected service (WebService, Database, LDAP etc). Many applications store user name/password(Credentials) required to authenticate to these services in some configuration file. Often these credentials are stored in a clear text where they are susceptible to prying eyes, and raise a few eyebrows at the corporate security groups.

Business developers need a place to store these credentials securely and a guarantee that only authorized applications/users can access these.
Enter OPSS's Credential Store Framework(CSF). CSF allows only authorized applications to access credentials that are stored outside of the application, securely in Oracle Wallet (hence What's in your wallet, title). Nice, so developers don't need to worry about secure credentials storage themselves.

But wait, here is the icing on the cake, since the credentials are stored outside the application, administrators can change/update the credentials without changing any application code using the Management tool Oracle Fusion Middleware provides (Enterprise Manager & WLST command).

But wait, there is more, OPSS allows provides build in auditing so if your admin want they can enable audit policy on Credential Store access without any application code changes but again few clicks with the aforementioned management tools.

But wait, there is more, OPSS allows these credentials to be stored in an LDAP (and protected by an LDAP), which is what we recommend in a production situation instead of Oracle wallet.

Check out CSF documentation,

Happy coding.

The foundation for security in Oracle Fusion Middleware and Fusion Applications

2009-07-06T11:11:00.002-04:00

Now that Oracle has released Fusion Middleware 11gR1, I can talk about security aspects of it. Starting this release Oracle has combined the security frameworks used in Oracle Application Server with the security framework used in WebLogic Server into "Oracle Platform Security Services" or OPSS.

OPSS is the foundation of security used across the entire Fusion Middleware Suite and Fusion Applications. See details.

Going back to dark ages

2009-02-11T21:34:00.002-05:00

After coding in Java for over a decade, half of that with IntelliJ I am now trying to code Objective-C in Xcode. As with learning to use any new IDE this is not a fun exercise and I am constantly comparing Xcode to IntelliJ & so far there is only one winner. I can only find only a few built-in refactorings in Xcode. Does Xcode has anything like plugins? Is there a better tool for refactoring Objective-C?

getting the current Subject in oc4j

2009-02-04T13:10:00.003-05:00

This is a copy of an email I sent.

The problem: How do you get the subject associated with the currently authenticated user.

Solution: There are two ways in oc4j.

* The standard way

http://download.oracle.com/docs/cd/E12524_01/web.1013/e12514/authoriz.htm#CHDDAFBF

1. Configure JAAS mode and
2. invoke Subject.getSubject(AccessController.getContext());

* OC4J proprietary way

Invoke oracle.oc4j.security.Security.getSubject()

This requires an oc4j patchset in 10.1.3.3 and is automatically available in 10.1.3.4

iPhone SDK not on Windows :-(

2009-01-27T12:14:00.004-05:00

I was quite surprised to find that iPhone SDK is not available on Windows. Arghh. Lately I am seeing double standards in EU hunting Mr. Softie. What is the big deal that MS bundles IE on its OS. Folks who need another Browser can download any of the freely available browser. The fact that you can't uninstall IE does not get in my way of using a browser of my choice.
But that i can't replace the battery on my iPhone/iPod is a blocking issue when the batteries die. I don't want to be held hostage by the battery maker.

N-Tier Security Silos

2009-01-26T14:11:00.003-05:00

With the N-tier architecture the person managing the tiers tend to be separate and have separate skills sets. It often leads to knowledge silos and is especially visible when it comes to security. E.g it will be hard pressed to get a DBA who is good at securing Apache http Server. I wonder if there is a need for a security platform that helps to bridge this gap. An example could be that MidTier is more aware of security configured at the Data Tier and mid tier can take advantage of security at Data tier.
I wonder if this is an issue for you? How have you dealt with this?

SSL between MidTier & DataBase

2009-01-06T15:21:00.003-05:00

Essentially the SSL support between an app server (MT) & Datatier(Database) depends on two things.
1. If the Databases support SSL (Oracle DB support this)
2. The DB driver support this (could be thin or a thick client)

Assuming OC4J is connecting to Oracle DB (which is configured to listen in SSL) here are the steps using Oracle JDBC thin driver.

1.
For OracleAS, you could config SSL as the connection pool
properties, for example:

connection-pool-name="scottConnPoolTCPS"
jndi-name="jdbc/sslDS"
name="jdbc/sslDS"/

factory-class="oracle.jdbc.driver.OracleDriver"
user="scott"
password="tiger"

url="jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)
(HOST=sracanov-a
u2.au.oracle.com)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=orcl)))"
commit-record-table-name=""
value="/somepath/Wallets/client/
ewallet.p12"/
value="SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,
SSL_DH_anon_WITH_RC4_128_MD5,SSL_DH_anon_WITH_DES_CBC_SHA"/

WLS to Oracle DB

For WLS, I don't see any doc for this type configuration. I don't
think it could be configured as the connection pool preperty.
However, these might work:

1) Specify the property in the java program as the following example:
//import packages
import java.sql.*;
import oracle.jdbc.*;
import oracle.jdbc.pool.OracleDataSource;

//specify the properties object
java.util.Properties info = new java.util.Properties();
...
// Set the SSL version
info.put ("oracle.net.ssl_version","3.0");

// Set the wallet location
info.put ("oracle.net.wallet_location", "(SOURCE=(METHOD=file)
(METHOD_DATA=(DIRECTORY=directory)))");

// Set the cipher suite
info.
put("oracle.net.ssl_cipher_suites","SSL_DH_DSS_WITH_DES_CBC_SHA");

// Force dn to match service name
info.put("oracle.net.ssl_serevr_dn_match","TRUE");

2) Using WLS SSL protocal, like submitting Context.SECURITY_PROTOCOL
= "ssl" along with in getting the JNDI initial context.
Copying Steve and Dave, they may have more infor on this.

Thanks to Frances Zhao for this information & let me know of your experience with this information.

Foundation for Security in Oracle Fusion Middleware:Oracle Platform Security Services

2008-10-24T12:29:00.001-04:00

Here is my presentation from Oracle Open World 08 on OPSS

Oracle Platform Security Services

2008-09-23T19:46:00.002-04:00

As some of you know I am the product manager for this security framework. Come see the official OPSS page at the OTN & attend the OPSS session at the OOW 08.

Session at Oracle Open World 2008

2008-09-17T14:37:00.003-04:00

The theme for this year's Open World is Your.Open.World. I am presenting a session on Oracle Platform Security Services (OPSS). The session in titled "Foundation for Security in Oracle Fusion Middleware: Oracle Platform Security Services" on Wednesday 09/24/2008 at 17:00 - 18:00 in Marriott Golden Gate C3. Please join the session to talk about security foundation for Oracle Fusion Middleware. See you at OOW 08.

JAAS authentication integration with Containers

2008-08-14T15:38:00.003-04:00

Often developers write custom jaas login modules. Upon successful authentication the loginContext.getSubject API returns an authenticated subject. LoginModule doesn't automatically make the JavaEE container aware of this subject. So if you need to invoke isUserInRole or IsCallerInRole API and have it evaluate based on the subject created by the loginContext you will need to assert the subject into the container which basically means having the subject associated with the current thread serving the request. Once you do that your programmatic login is integrated with the container. On oc4j the api to do this is Security.setSubject and on WLS the equivalent is Security.RunAs which takes in a subject and a privileged action.

NTLM support in Oracle HTTPClient

2008-04-15T11:30:00.004-04:00

Continuing my coverage of authentication support in Oracle HTTPClient from my previous posting. HTTPClient started supporting NTLM in 10.1.3.x time frame. It is supported but not yet documented. This document is created by Alex Kosowski who took over HTTPClient development from me a few years ago.

How to use NTLM with Oracle HTTPClient

Purpose

This document provides a brief description of NTLM, and describes how to use NTLM authentication with Oracle HTTPClient.

NTLM Overview

NTLM is a proprietary challenge/response authentication protocol used by Microsoft browsers, proxies, and servers. A client using NTLM is able to prove its identity to a server without sending a password.

NTLM is a connection-oriented protocol. Once the connection is authenticated, no further credentials are required as long as the connection remains open.

Proxy servers may also use NTLM for client authentication. However, unlike request-oriented authentication like Basic and Digest, an NTLM client may only authenticate its connection with the proxy, not the resource server.

NTLM support has been built into the Oracle HTTPClient, from OC4J 10.1.3.1 and up.

NT Domain Name

In NTLM, the NT Domain name qualifies the username. The account identifier is \. The NT Domain may be specified in HTTPClient by prefixing the username with the NT Domain name followed by a backslash.

For example, for the NT Domain OPERATIONS and the username jsmith, the fully qualified username is OPERATIONS\jsmith.

If no NT Domain is given, the default (if any) is assumed. The default NT Domain is set in HTTPClient using the System Property HTTPClient.ntlm.defaultDomainName. If the username is given without an NT Domain, and no default NT Domain is defined in HTTPClient, the NTLM-protected server may assume its own default NT Domain.

Realm

A Realm, as specified in authentication schemes such as Basic, does not apply to NTLM. The NTLM challenge does not have a realm directive. Therefore, all NTLM credentials are assumed to be part of the same empty ("") realm within HTTPClient.

How to connect to an NTLM-protected resource server (e.g. IIS)

To connect to an NTLM-protected resource server, add the NTLM credentials to the HTTPClient AuthorizationInfo credential store. As with Basic and Digest authentication, HTTPClient will automatically query the credential store, when challenged by an NTLM server.

Credentials may be added either by using an HTTPConnection instance

HTTPConnection conn = new HTTPConnection( myHost, myPort );
conn.addNtlmAuthentication( myUsername, myPassword );

or directly using AuthorizationInfo.

AuthorizationInfo.addNtlmAuthentication( myHost, myPort, myUsername, myPassword )

A complete example:

HTTPConnection conn = new HTTPConnection( myHost, myPort );
conn.addNtlmAuthentication( myUsername, myPassword );
HTTPResponse response = conn.Get( "/index.htm" );
int status = response.getStatusCode();
assertEquals( 200, status );

How to connect to an NTLM-protected proxy server

To connect to an NTLM-protected proxy server, add the NTLM credentials to the HTTPClient AuthorizationInfo credential store. As with Basic and Digest authentication, HTTPClient will automatically query the credential store, when challenged by an NTLM server.

Credentials may ONLY be added directly using AuthorizationInfo; the HTTPConnection.addNtlmAuthentication(..) method does not add credentials for a proxy.

AuthorizationInfo.addNtlmAuthentication( myProxyHost, myProxyPort, myUsername, myPassword )

A complete example:

HTTPConnection conn = new HTTPConnection( myHost, myPort );
conn.setCurrentProxy( myProxyHost, myProxyPort );
AuthorizationInfo.addNtlmAuthentication( myProxyHost, myProxyPort, myUsername, myPassword, conn.getContext() )
HTTPResponse response = conn.Get( "/index.htm" );
int status = response.getStatusCode();
assertEquals( 200, status );

Authentication with Oracle HTTPClient

2008-03-24T16:42:00.006-04:00

Oracle's HTTPClient supports Basic, Digest and NTML (since 10.1.3.1) schemes. I could not find good documentation on these. Here is my attempt to fill this gap. These code examples are taken from unit tests I wrote some years back.

Basic Authentication

I won't go in details on HTTP Basic auth. But here is an example of code that shows how the reader can configure HTTPClient to send HTTP Basic authentication info.

URL url = new URL("http://localhost:1234");
HTTPConnection client = new HTTPConnection(url);

try {
client.addBasicAuthorization("realm name", "user", "password");
HTTPResponse response = client.Get(url.getFile());
//assertEquals(200, response.getStatusCode());

} finally {
client.stop();
}

Digest Authentication

HTTPConnection client = new HTTPConnection(url);
try {
client.addDigestAuthorization("ProxyAuthDigestSchemeTestServlet",validUserName,validPassword);
HTTPResponse response = client.Get(url.getFile());
// assertEquals(200, response.getStatusCode());

} finally {
client.stop();
}

Starting 10.1.3.1 HTTPClient supported NTML as well. I'll cover NTLM support in HTTPClient in my next post.

Setting authentication method on the HTTPConnection object is just one way to set the credential. The two other ways are providing authentication info via an AuthorizationPrompter implementation or Providing it in the AuthorizationInfo object. See OracleHTTPClient javadoc for details.

Debugging HTTPClient

2008-03-24T16:28:00.004-04:00

Oracle HTTPClient extensively logs activity during setup and communication. This page provides some tips for enabling logging in HTTPClient.

HTTPClient versions 10.1.2 & earlier

HTTPClient versions 10.1.2. and earlier used a proprietary logging mechanism.

To enable all logging, set the "HTTPClient.log.mask" system property to "-1"

HTTPClient versions 10.1.3 & later

HTTPClient versions 10.1.3 and later uses the standard JDK java.util.logging package.

By default, HTTPClient is enabled by the JDK java.util.logging properties specified at JVM startup. This is describe in the JavaDoc for java.util.logging.LogManager. Usually the JDK logging properties are configured in "/lib/logging.properties".

Additionally, HTTPClient logging may be enabled using System Properties. Set the "HTTPClient.log.level" System Property to one of the valid java.util.logging.Level values. See Log Levels, below.

Log Levels

HTTPClient only uses the trace portion of the JDK logging levels. This is because HTTPClient is a utility library, and is unaware of the application context within which an error occurs.

For example, consider the occurrence of a connection loss. A financial application may log a connection loss as SEVERE. A server-monitoring application may log a connection loss as INFO. Since the severity depends on the application context, HTTPClient internally only logs messages at trace levels (CONFIG and lower), and expects the application to log exceptions as appropriate for the application.

The following list indicates the HTTPClient usage of java.util.logging.Level:

* SEVERE - Not used by HTTPClient (v11 & up), reserved for application
* WARNING - Not used by HTTPClient (v11 & up), reserved for application
* INFO - Not used by HTTPClient (v11 & up), reserved for application
* CONFIG - System properties and other configuration data
* FINE - Exceptions and other error conditions
* FINER - Warnings
* FINEST - Informational logging

* ALL - Everything logged in HTTPClient is visible at this level

If the version of HTTPClient is 11 and later, verbose logging may be enabled. To enable verbose mode, set the Java System Property "HTTPClient.log.verbose=true".

Verbose logging adds the following fields to the logging output:

* Log Entry Date
* Logger Name - Usually the class name where the log entry occurred
* Log Level - Per java.util.logging.Level
* Exception Stack Trace

In iAS Installation

HTTPClient logging in iAS is effectively the same as standalone, except for the way Java System Properties are set. HTTPClient logging is directed to system out, which is written to one of the iAS logs.
Enabling

To set the HTTPClient logging System Properties, following these steps:

1. Open the file $ORACLE_HOME/opmn/conf/opmn.xml
2. Search for the OC4J process whose id matches that of the OC4J instance where you want to enable HTTPClient logging

For example:

3. Set the HTTPClient logging System Properties in the value attribute of the element "java-options", under the element "start-parameters"
4. Start the OC4J instance
5. Review the HTTPClient log where the iAS installation writes the System Out. This log may be "$ORACLE_HOME/opmn/logs/OC4J~<>~default_island~1"

Thanks to Alex Kosowski for providing latest version of this information.

Security in Oracle Application Client Container

2008-01-03T15:38:00.000-05:00

The Application Client container has been part of the JavaEE spec for a while now. The JavaEE specification devotes barely 4 or 5 pages to it. The Application Client container provides access to a subset of JavaEE apis in a remove JVM. A standalone java application that wishes to use JavaEE feature could be run in an application client container.

OC4J provides a standalone application client container as documented on http://download-uk.oracle.com/docs/cd/B32110_01/web.1013/b28958/appclient.htm

While more details are on this above link, I am clarifying here the usage of Callback handler within oc4j's application client container.

The application client container reads a jar that is bundled with application-client.xml. In this deployment descriptor one can specify their Callback handler among various other things. A callback handler typically collect user name password from the user. If you don't provide the callback handler implementation, the Application Client Container looks for jndi.properties file in your application client jar.

OC4J requires username, password and provider url to connect over ormi. These three properties can either be provided in the jndi.properties bundled with your application client, or your callback handler implementation must provide them. If both jndi.properties and the callbackhandler implementation are there the callbackhandler takes priority.

You might need to write your own custom Callbackhandler implementation to launch gui for example. The customer callback handler would implement the javax.security.auth.callback.CallbackHandler interface. You will need to bundled your Callbackhandler and its dependencies in the jar that is passed to Oc4j's Application Client container.

Note that the CallbackHandler implementation has to supply a no args constructor, for oc4j's app client container only looks for a no args call back handler.

Now you don't need to write your own login module. When the oc4j application client container needs to authenticate, it will get the user name and the password from the Callbackhandler. It uses its own LoginModule to send the user name and password over the wire to the server to authenticate the client.

Dear readers, A question for you: Does the limitation to provide an implementation of CallbackHandler with a no args constructor seem overbeering to you? The JavaEE spec is silent about this.

I'll run with Security Manager if only I can get my policy right

2007-11-29T19:19:00.005-05:00

So we know running with a Security Manager enhances security (with performance trade off). However not many applications run with SM. Running with SM degrades performance. In some testing I did, it did so on average by 10%, but it really depends on your application and the code path under test. So this performance hit might cause many applications to not consider running with SM. Another reason is that why you turn up SM you applications don't run properly. The access denied exception can be pretty hard to debug and to gather the set of minimum permissions required to run with SM is a tedious task. OC4J has since 10.1.3.1 provided a tool to solve this second issue. Its called PrintingSecurityManager. This security manager is available as a separate jar and can be used in any application, including ones not tied to OC4J or JEE. Basically this tool records security exception and coverts them into a policy grant(based on JDK's default policy file fomat) that would avoid a given security excetion. Now your job remains to review these grants before your put them in your policy file. See this docfor details.

I am hoping this becomes a tool in your arsenal.

Getting this out before the new year rolls in

2007-11-20T15:27:00.000-05:00

Better late than never. I presented a BOF at JavaOne 07 with Jeff Trent. We talked about JavaSE, JavaEE & JACC security. We focussed on Authorization aspects of the security. The idea was to give folks 101 on JavaSE & JavaEE(my fingers want to type J2ee so bad) security and how JACC bridges the gap in the two world. Yup, before JACC the authorization model in JavaSE & JavaEE were so different.
Another pre JACC problem is that in JavaEE world there was no standard way to plug in third party Authorization providers. Each app server supported a different mix(if any). Assuming your app server vendor supports third party Authorization Provider plug in, the moment you switch you app server, that integration went kaput.
JACC solves this problem cleanly and in a portable fashion.

JavaSE, deals with Permission, Protection domain, SM & Access Controller. The JavaEE model dealt with security constraints & method permission elements. Every App server dealt with these in their own way. The JACC spec unified these two. The spec is basically divided in three parts. Provider Configuration, Pollicy Configuration and Policy Decision & Enforcement Contracts. Now I would have named these contracts a little different. e.g App Server, Deployment Tool & Runtime contracts. Or something along the lines. You get the drift?

Read on for the lowdown on the three contracts.

The first contract deals with how and app server will install a jacc provider, what a compliant provider should do etc. (See jsr 115 for normative text)
The second contract introduces new permission objects and sets rules on translating security contraints and method permissions into these new permission objects. The objects are then stored in the jacc provider.
The third contract lays the responsibility for PEP(policy enforcement point). It talks different ways for enforcing authorization.

Now what I haven't seen much of if the use of this feature to integrate with Third Party AuthZ providers. I am hoping a reader could point any such integration. Please feel free to add your comments.