JAAS in Oracle way (OC4J) (Very Confusing)


General J2EE: JAAS in Oracle way (OC4J) (Very Confusing)

  1. JAAS in Oracle way (OC4J) (Very Confusing) (2 messages)

    Hi folks,

       I am working on OC4J 9.0.3 and identy management tool
       (XYZ)which is used for Authentication and Authorization
       Here we are suppose to develope plugin between OC4J and
       XYZ product, plugin is going to provide AA of all J2EE
       Applications residing on OC4j AND Single Sign On.

       We thought about different possibilities of doing this.
       (1) By using Custom LoginModule (JAAS specs) but OC4J
       supports partial implementation means it supports only
       authentication part. We thought we can use LoginModule
       with Custom UserManager(of OC4J) but this approach is
       failed because We are not able to configure Custom
       LoginModule in oc4j(Don't want to config at jazn-
       data.xml file for JAZN JAAS Implementation of Oracle
       because it uses its own Usermanager)
       Here I want your help guys...
       How to specify the custom LoginModule in OC4J ?
       How could I achieve Single Sign on iny this scenario ?
       Single Sign On could be poosible if I am able to create
       http based CallBackHandler will be called by LoginModule?
       It will be great if anybody can help me for this point.
       (2) By using Oracle JAAS's provider i.e JAZN. But again
       we have to use Oracle Directory Server which can be synch
       with othere Directory Server. But it is simple overhead
       and forcing client to get OID. I don't know when Oracle
       will stop providing thier own implementation which of no
       Also guys let me know if you have implemented SSO and
       able to bypass Container's security constraints.

       Let me know If I mistaken anywhere in my understanding.

       Thanks guys in Advance.

  2. Oracle is working on it[ Go to top ]

    On the developing a custom login module, I have not written one but Oracle JAAS Users Guide points to how you can deploy one. I was told that you can develop a module using standard J2EE practices. I asked Oracle for sample login module but never got one.

    On replacement of JAZNUserManager, in 9.0.3 it is possible to replace it with your own and if you look on the web you can find samples of DatabaseUserManager.

    But in 9.0.4 it you can not replace JAZNUserManager.
    "In 10gAS, it is not possible to replace the JAZNUserManager. It is being considered as an option for 10.0.3 but for now, we don't even support it. I have asked development to provide alternatives but no responses so far. "

    Vijay Kumar
    Lockheed Martin.
  3. JAAS on OC4J (Confusing)[ Go to top ]

    Thanks for reply.
    About replacement of JAZNUserManager, yeah it is possible and I did that.
    But as I said I need to implement SSO, in that I need access to httprequest and
    httpresponse objects so that I can check cookie in Usermanager, can decide whether I need to autheticate the user again or not. But this is not possible
    if I implement Usermanager which has to implement com.evermind.security.UserManager which won't provide any access.
    Where as JAZNUserManager has method added by Oracle which takes httprequest object as argument.
    And I can add this kind of method but no use as all are callbacks.
    Please let me know If you can give me any pointers for this.

    Thanks once again.