Configuration Examples The OPSS Java SE Client

Authorization for Java SE Applications 23-3

    <serviceInstance location="./bootstrap" provider="credstoressp" name="bootstrap.cred">
      <property value="./bootstrap" name="location"/>
    </serviceInstance>

The following fragment illustrates the configuration of the necessary jpsContexts that reference the instances above:

    <jpsContexts default="TestJSE">
      <jpsContext name="TestJSE">
        <serviceInstanceRef ref="policystore.ldap"/>
        <serviceInstanceRef ref="credstore.ldap"/>
      </jpsContext>
      <jpsContext name="bootstrap_credstore_context">
        <serviceInstanceRef ref="bootstrap.cred"/>
      </jpsContext>
    </jpsContexts>

The following code fragment illustrates how to obtain programmatically a reference to the LDAP-based policy store configured above. It assumes that the following system properties have been set in the environment:

■ jps.policystore.hybrid.mode, set to true.
■ oracle.security.jps.config, set to the location of the file jps-config-jse.xml.

    import oracle.security.jps.JpsContext;
    import oracle.security.jps.JpsContextFactory;
    import oracle.security.jps.JpsException;
    import oracle.security.jps.service.policystore.PolicyStore;

    String contextName = "TestJSE";
    ...
    public static PolicyStore getPolicyStore(String contextName) {
        try {
            // Reads jps-config-jse.xml (located through oracle.security.jps.config)
            // and resolves the named jpsContext to its configured policy store.
            JpsContextFactory ctxFact = JpsContextFactory.getContextFactory();
            JpsContext ctx = ctxFact.getContext(contextName);
            return ctx.getServiceInstance(PolicyStore.class);
        } catch (JpsException e) {
            ...
        }
    }

23.1.3 Configuring DB-Based OPSS Security Stores

This section assumes that a DB-based store has been set to be used as the OPSS security store. For details about setting up nodes in a DB, see Section 8.3.1, Prerequisites to Using a DB-Based Security Store. Note the following important points regarding the sample configuration below:

■ The value of the configuration property jdbc.url should be identical to the name of the JDBC data source entered when the data source was created.
■ The values of the bootstrap credentials map and key must match those passed to the WLST script addBootStrapCredential when the bootstrap credential was created.

The following fragment illustrates the configuration of DB-based policy, credential, and key stores in the file jps-config-jse.xml (valid only for a Java SE application):

    <jpsConfig>
      ...
      <propertySets>
        <propertySet name="props.db.1">
          <property value="cn=myDomain" name="oracle.security.jps.farm.name"/>
          <property value="DB_ORACLE" name="server.type"/>
          <property value="cn=myRoot" name="oracle.security.jps.ldap.root.name"/>
          <property name="jdbc.url" value="jdbc:oracle:thin:@myhost.com:1521/srv_name"/>
          <property name="jdbc.driver" value="oracle.jdbc.driver.OracleDriver"/>
          <property name="bootstrap.security.principal.key" value="myKeyName"/>
          <property name="bootstrap.security.principal.map" value="myMapName"/>
        </propertySet>
      </propertySets>

      <serviceProviders>
        <serviceProvider class="oracle.security.jps.internal.policystore.OPSSPolicyStoreProvider"
                         type="POLICY_STORE" name="policy.rdbms">
          <description>DBMS based PolicyStore</description>
        </serviceProvider>
        <serviceProvider class="oracle.security.jps.internal.credstore.rdbms.DbmsCredentialStoreProvider"
                         type="CREDENTIAL_STORE" name="db.credentialstore.provider"/>
        <serviceProvider class="oracle.security.jps.internal.keystore.KeyStoreProvider"
                         type="KEY_STORE" name="keystore.provider">
          <property name="provider.property.name" value="owsm"/>
        </serviceProvider>
      </serviceProviders>

      <serviceInstances>
        <serviceInstance name="policystore.rdbms" provider="db.policystore.provider">
          <propertySetRef ref="props.db.1"/>
          <property name="policystore.type" value="DB_ORACLE"/>
        </serviceInstance>
        <serviceInstance name="credstore.rdbms" provider="db.credstore.provider">
          <propertySetRef ref="props.db.1"/>
        </serviceInstance>
        <serviceInstance name="keystore.rdbms" provider="db.keystore.provider">
          <propertySetRef ref="props.db.1"/>
          <property name="keystore.provider.type" value="db"/>
        </serviceInstance>
      </serviceInstances>

      <jpsContexts default="default">
        <jpsContext name="default">
          <serviceInstanceRef ref="policystore.rdbms"/>
          <serviceInstanceRef ref="credstore.rdbms"/>
          <serviceInstanceRef ref="keystore.rdbms"/>
        </jpsContext>
      </jpsContexts>
    </jpsConfig>

23-4 Oracle Fusion Middleware Application Security Guide
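A consistency check a practitioner would run over a hand-crafted jps-config-jse.xml before starting the application, added here as example code (not part of the guide or of OPSS): every serviceInstance must name a declared serviceProvider, every propertySetRef and serviceInstanceRef must resolve, and the bootstrap map and key properties only make sense as a pair. The sample XML is constructed from the shape of the fragments above and deliberately contains two dangling references.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the DB-based fragment above (not the guide's own text).
# Two deliberate mistakes: an undeclared provider name and a missing propertySet.
SAMPLE_JPS_CONFIG = """<jpsConfig>
 <propertySets><propertySet name="props.db.1">
  <property name="jdbc.url" value="jdbc:oracle:thin:@myhost.com:1521/srv_name"/>
  <property name="bootstrap.security.principal.key" value="myKeyName"/>
  <property name="bootstrap.security.principal.map" value="myMapName"/>
 </propertySet></propertySets>
 <serviceProviders>
  <serviceProvider type="POLICY_STORE" name="policy.rdbms" class="p"/>
  <serviceProvider type="CREDENTIAL_STORE" name="db.credentialstore.provider" class="c"/>
 </serviceProviders>
 <serviceInstances>
  <serviceInstance name="policystore.rdbms" provider="db.policystore.provider">
   <propertySetRef ref="props.db.1"/></serviceInstance>
  <serviceInstance name="credstore.rdbms" provider="db.credentialstore.provider">
   <propertySetRef ref="props.db.2"/></serviceInstance>
 </serviceInstances>
 <jpsContexts default="default"><jpsContext name="default">
  <serviceInstanceRef ref="policystore.rdbms"/><serviceInstanceRef ref="credstore.rdbms"/>
 </jpsContext></jpsContexts></jpsConfig>"""

BOOTSTRAP = frozenset({"bootstrap.security.principal.map", "bootstrap.security.principal.key"})

def check_jps_config(xml_text):
    """Return a list of dangling references and incomplete bootstrap settings (empty if clean)."""
    root = ET.fromstring(xml_text)
    providers = {p.get("name") for p in root.iter("serviceProvider")}
    instances = {i.get("name") for i in root.iter("serviceInstance")}
    psets = {p.get("name"): p for p in root.iter("propertySet")}
    problems = []
    for inst in root.iter("serviceInstance"):
        name = inst.get("name")
        if inst.get("provider") not in providers:  # provider must match a serviceProvider name
            problems.append(f"{name}: unknown provider {inst.get('provider')}")
        for ref in inst.iter("propertySetRef"):
            if ref.get("ref") not in psets:
                problems.append(f"{name}: unknown propertySet {ref.get('ref')}")
    for ctx in root.iter("jpsContext"):
        for ref in ctx.iter("serviceInstanceRef"):
            if ref.get("ref") not in instances:
                problems.append(f"context {ctx.get('name')}: unknown serviceInstance {ref.get('ref')}")
    for name, pset in psets.items():  # the bootstrap map and key are only meaningful as a pair
        present = {p.get("name") for p in pset.iter("property")}
        if 0 < len(present & BOOTSTRAP) < 2:
            problems.append(f"propertySet {name}: bootstrap map and key must both be set")
    return problems
```

Run it against the real file with `check_jps_config(open(path).read())`; an empty list means all references resolve.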

23.2 Unsupported Methods for File-Based Policy Stores

This release does not support, for file-based policy stores, methods involving the following features:

■ Bulk authorization
■ Complex queries
■ Cascading deletions

Bulk authorization is encapsulated in the following method of the interface oracle.security.jps.service.policystore:

    java.util.Set<ResourceActionsEntry> checkBulkAuthorization(
            javax.security.auth.Subject subject,
            java.util.Set<ResourceActionsEntry> requestedResources)
        throws PolicyStoreException

Complex queries relates to any method that takes a query. When the policy store is file-based, the query must be simple; if such a method is passed a complex query and the policy store is file-based, the method throws an exception. A simple query is a query with just one search criterion; a complex query is a query with two or more search criteria; each call to addQuery adds a criterion to the query.

The following code fragment illustrates the building of a simple query that returns all permission sets with a display name matching the string MyDisplayName:

    PermissionSetSearchQuery query = new PermissionSetSearchQuery();
    // A single criterion keeps the query simple, so it is accepted by a file-based store
    query.addQuery(PermissionSetSearchQuery.SEARCH_PROPERTY.DISPLAY_NAME, false,
                   ComparatorType.EQUALITY, "MyDisplayName", BaseSearchQuery.MATCHER.EXACT);
    getPermissionSets(query);

The following example illustrates the building of a complex query that returns all permission sets with a given resource type and a given resource instance name:

    PermissionSetSearchQuery query = new PermissionSetSearchQuery();
    // First criterion: the resource type
    query.addQuery(PermissionSetSearchQuery.SEARCH_PROPERTY.RESOURCE_TYPE, false,
                   ComparatorType.EQUALITY, "MyResourceType", BaseSearchQuery.MATCHER.EXACT);
    // Second criterion: the resource instance name; two criteria make this a complex query
    query.addQuery(PermissionSetSearchQuery.SEARCH_PROPERTY.RESOURCE_NAME, false,
                   ComparatorType.EQUALITY, "MyResourceInstanceName", BaseSearchQuery.MATCHER.EXACT);
    query.setANDMatch();   // both criteria must match
    getPermissionSets(query);

Cascading deletions relates to any method that includes the Boolean argument cascadeDelete. The only value allowed for this argument when the policy store is file-based is FALSE. Here is an example of such a method in the interface ResourceTypeManager:

    void deleteResourceType(EntryReference rtRef, boolean cascadeDelete)
        throws PolicyObjectNotFoundException, PolicyStoreOperationNotAllowedException,
               PolicyStoreException

24 Developing with the Credential Store Framework

This chapter describes how to work with the APIs for the Credential Store Framework (CSF). In an earlier chapter, we explained how applications can use CSF to securely store the credentials for external systems (Web sites, databases, and so on) in a credential store, and the additional benefits of CSF, such as the ability to audit credential store operations and use common Oracle Fusion Middleware user interfaces.

Prior to using the information in this chapter to work with the CSF APIs, it is strongly recommended that you familiarize yourself with the context in which these APIs are used. For details, see:

■ Chapter 19, Developing Secure Applications with Oracle Platform Security Services
■ Section 19.2.4, The Credential Store Framework API, which shows a common usage scenario

This chapter contains the following sections:

■ About the Credential Store Framework API
■ Overview of Application Development with CSF
■ Setting the Java Security Policy Permissions
■ Guidelines for the Map Name
■ Configuring the Credential Store
■ Steps for Using the API
■ Examples
■ Best Practices

24.1 About the Credential Store Framework API

A credential store is used for secure storage of credentials. The credential store framework (CSF) API is used to access and perform operations on the credential store. The Credential Store Framework:

■ enables you to manage credentials securely
■ provides an API for storage, retrieval, and maintenance of credentials in different back-end repositories
■ supports file-based (Oracle wallet) and LDAP-based credential management

Critical (create, update, delete) functions provided by the CSF API include:

■ verifying if a credential map, or a credential with a given key, exists in the store
■ returning credentials associated with (mapname, key)
■ assigning credentials to (mapname, key)
■ deleting credentials associated with a given map name, or a given map name and key
■ resetting credentials for a specified (mapname, key)

Operations on CredentialStore are secured by CredentialAccessPermission, which implements the fine-grained access control model utilized by CSF.

24.2 Overview of Application Development with CSF

Knowledge of the following areas is helpful in getting your applications to work with the credential store framework:

■ Determining appropriate map names and key names to use. This is critical in an environment with multiple applications storing credentials in the common credential store.
■ Provisioning Java security policies. Policy permissions are set in the policy store, which can be file-based (system-jazn-data.xml) or LDAP-based. Setting appropriate permissions to enable application usage without compromising the security of your data requires careful consideration of permission settings.
■ How to define the credential store instance in jps-config.xml. You will need to define the service instance in jps-config.xml only if manually crafting the configuration file.
■ Steps to take in setting up the environment. The steps are different for stand-alone applications and those that operate in an Oracle WebLogic Server environment.

Subsequent sections provide details about each of these tasks.

24.3 Setting the Java Security Policy Permissions

The Oracle Platform Security Services policy provider is set when the server is started. When the provider is file-based, the policy data is stored in system-jazn-data.xml.

See Also:
■ Chapter 10, Managing the Credential Store
■ Section 9.1, Managing the Policy Store

Note: The file-based provider is already configured by default, and can be changed to an LDAP-based provider. See Section 8.6, Migrating the OPSS Security Store.