Using JAAS Authentication in Java Clients 4-13
weblogic.jndi.WLInitialContextFactory; env.putContext.PROVIDER_URL, t3:weblogic:7001;
env.putContext.SECURITY_PRINCIPAL, javaclient; env.putContext.SECURITY_CREDENTIALS, javaclientpassword;
ctx = new InitialContextenv;
4.5 Java Client JAAS Authentication Code Examples
A complete working JAAS authentication sample is provided with the WebLogic Server product. The sample is located in the SAMPLES_
HOME\server\examples\src\examples\security\jaas directory. For a description of the sample and instructions on how to build, configure, and run this
sample, see the package.html file in the sample directory. You can modify this code example and reuse it.
Notes: For information on JNDI contexts and threads and how to
avoid potential JNDI context problems, see JNDI Contexts and Threads and How to Avoid Potential JNDI Context Problems in
Programming JNDI for Oracle WebLogic Server.
In versions of WebLogic Server prior to 9.0, when using protocols other than IIOP with JNDI, the first user is sticky in the sense that it
becomes the default user when no other user is present. This is not a good practice, as any subsequent logins that do not have a username
and credential are granted the identify of the default user.
In version 9.0, this is no longer true and there is no default user. To return to the previous behavior, the
weblogic.jndi.WLContext.ENABLE_DEFAULT_USER field must be set, either via the command line or through the InitialContext
interface.
4-14 Programming Security for Oracle WebLogic Server
5
Using SSL Authentication in Java Clients 5-1
5
Using SSL Authentication in Java Clients
The following topics are covered in this section:
■
Section 5.1, JSSE and WebLogic Server
■
Section 5.2, Using JNDI Authentication
■
Section 5.3, SSL Certificate Authentication Development Environment
■
Section 5.4, Writing Applications that Use SSL
■
Section 5.5, SSL Client Code Examples The sections refer to sample code which is included in the WebLogic Server
distribution at: SAMPLES_HOME\server\examples\src\examples\security\sslclient
The sslclient directory contains an instructions.html file, ant build files, and the following Java and JavaServer Pages .jsp files:
■
MyListener.java
■
NulledHostnameVerifier.java
■
NulledTrustManager.java
■
SSLClient.java
■
SSLClientServlet.java
■
SSLSocketClient.java
■
SnoopServlet.jsp You will need to look at the examples when reading the information in the following
sections.
5.1 JSSE and WebLogic Server
The Java Secure Socket Extension JSSE is a set of packages that support and implement the SSL and TLS v1 protocols, making those capabilities programmatically
available. WebLogic Server provides Secure Sockets Layer SSL support for encrypting data transmitted between WebLogic Server clients and servers, Java clients,
Web browsers, and other servers.
WebLogic Servers JSSE implementation can be used by WebLogic clients, but is not required. Other JSSE implementations can be used for their client-side code outside the
server as well.
The following restrictions apply when using SSL in WebLogic server-side applications:
5-2 Programming Security for Oracle WebLogic Server
■
The use of other third-party JSSE implementations to develop WebLogic Server applications is not supported. The SSL implementation that WebLogic Server uses
is static to the server configuration and is not replaceable by customer applications.
■
The WebLogic implementation of JSSE does support JCE Cryptographic Service Providers CSPs; however, due to the inconsistent provider support for JCE,
Oracle cannot guarantee that untested providers will work out of the box. Oracle has tested WebLogic Server with the following providers:
– The default JCE provider SunJCE provider included with JDK 5.0. See
http:java.sun.comj2se1.5.0docsguidesecurityjceHow ToImplAJCEProvider.html
for information about the SunJCE provider.
– The nCipher JCE provider.
Other providers may work with WebLogic Server, but an untested provider is not likely to work out of the box. For more information on using the JCE providers
supported by WebLogic Server, see Configuring SSL in Securing Oracle WebLogic Server.
WebLogic Server uses the HTTPS port for Secure Sockets Layer SSL encrypted communication; only SSL can be used on that port.
5.2 Using JNDI Authentication
