Check whether the server is being hit without first going through authentication

18 Integrating Java EE Application Security with OPSS

This chapter provides the starting material for application developers looking to integrate their Java EE applications with security components in OPSS. It explains the guidelines to follow to integrate required components, and it also outlines those to follow to integrate advanced, optional security features.

This chapter is not a comprehensive guide on identity management technologies but a starting point for developers to get acquainted with security integration tasks.

It contains the following sections:

■ Introduction
■ Terminology
■ Oracle Identity and Access Management Suite
■ Security Life Cycle of an Application
■ Getting Started with Application Security Integration
■ Required Security Features
■ Integrating Authentication
■ Integrating Authorization
■ Integrating the Credential Store

18.1 Introduction

The goal of this chapter is to get developers and application architects acquainted with the various tasks required to integrate application security with OPSS. OPSS provides an abstraction layer in the form of standard application programming interfaces (APIs) that insulate developers from security and identity management implementation details. Integrating application security with OPSS provides applications with a uniform way to implement security, identity management, and audit services across an enterprise. For a complete list and links to all available APIs, see Appendix H, References.

18.2 Terminology

This section defines most of the acronyms used in this chapter. Some of them have been introduced elsewhere in this guide, but they are included here for the sake of completeness.

Identity and Access Management (IAM)
IAM is a set of tools, processes, and best practices to manage user identities and their access to resources.

Oracle Application Development Framework (ADF)
ADF is a comprehensive Java EE development framework integrated with the Oracle JDeveloper development environment. ADF greatly simplifies Java EE development and minimizes the need to write code by providing application infrastructure as part of the framework. Being also integrated with Oracle Fusion Middleware Security, ADF allows developers to implement security concepts using a declarative approach.

Oracle Access Manager (OAM)
OAM provides a full range of Web access security management functions including Web single sign-on, user self-service, and self-registration.

Oracle Adaptive Access Manager (OAAM)
OAAM secures access to Web resources through strong multi-factor authentication and real-time fraud prevention.

Oracle Authorization Policy Manager (OAPM)
OAPM is a graphical interface tool to provision and administer security application artifacts.

Oracle Enterprise Manager (OID)
OID provides an LDAP-based directory for the storage of identity, policies, and business-related data.

Oracle Enterprise Manager (OEM)
OEM is the central tool to manage Oracle applications.

Oracle Identity Manager (OIM)
OIM is a user provisioning and administration tool that facilitates adding, updating, and deleting user accounts from enterprise applications.

Oracle Security Developer Tools (OSDT)
OSDT provides the cryptographic building blocks necessary to develop secure applications. It includes secure messaging and the implementation of a secured service-oriented architecture.

OPSS Subject
An OPSS subject is a collection of principals and, possibly, user credentials such as passwords or cryptographic keys. The Oracle WebLogic Server authentication populates the OPSS subject with principals, that is, with users and groups, and application roles.

Oracle Web Services Manager (OWSM)
OWSM is a tool to secure, manage, and deploy SOAP-based applications, that is, applications built on service-oriented architectures.