I am working on OC4J 9.0.3 and an identity management tool
(XYZ) which is used for Authentication and Authorization.
Here we are supposed to develop a plugin between OC4J and the
XYZ product; the plugin is going to provide AA for all J2EE
applications residing on OC4J, and Single Sign On.
We thought about different possibilities of doing this.
(1) By using a custom LoginModule (JAAS specs), but OC4J
supports only a partial implementation, meaning it supports only
the authentication part. We thought we could use a LoginModule
with a custom UserManager (of OC4J), but this approach
failed because we are not able to configure a custom
LoginModule in OC4J. (We don't want to configure it in the
jazn-data.xml file for the JAZN JAAS implementation of Oracle,
because it uses its own UserManager.)
Here I want your help, guys...
How do I specify the custom LoginModule in OC4J?
How could I achieve Single Sign On in this scenario?
Single Sign On could be possible if I am able to create an
HTTP-based CallbackHandler that will be called by the LoginModule?
It would be great if anybody could help me on this point.
(2) By using Oracle's JAAS provider, i.e. JAZN. But again
we have to use Oracle Directory Server, which can be synced
with other directory servers. But it is simply overhead
and forces the client to get OID. I don't know when Oracle
will stop providing their own implementation which of no
Also guys, let me know if you have implemented SSO and were
able to bypass the container's security constraints.
Let me know if I am mistaken anywhere in my understanding.
Thanks in advance, guys.
On developing a custom login module, I have not written one, but the Oracle JAAS User's Guide points to how you can deploy one. I was told that you can develop a module using standard J2EE practices. I asked Oracle for a sample login module but never got one.
On replacement of JAZNUserManager, in 9.0.3 it is possible to replace it with your own, and if you look on the web you can find samples of DatabaseUserManager.
But in 9.0.4 you cannot replace JAZNUserManager.
"In 10gAS, it is not possible to replace the JAZNUserManager. It is being considered as an option for 10.0.3 but for now, we don't even support it. I have asked development to provide alternatives but no responses so far."
Thanks for the reply.
About replacement of JAZNUserManager: yes, it is possible and I did that.
But as I said, I need to implement SSO, and for that I need access to the HttpRequest and
HttpResponse objects so that I can check the cookie in the UserManager and decide whether I need to authenticate the user again or not. But this is not possible
if I implement a UserManager, which has to implement com.evermind.security.UserManager, which won't provide any access.
Whereas JAZNUserManager has a method added by Oracle which takes the HttpRequest object as an argument.
And I can add this kind of method, but it is of no use as all are callbacks.
Please let me know if you can give me any pointers for this.
Thanks once again.