Configuring an LDAP Identity Store in Java SE Applications

Authentication for Java SE Applications 22-9

but, more generally, it also allows the use of any number of login modules in any order. Authentication is then performed on just those login modules and in the order they were passed. The following code fragment illustrates user authentication against a subset of login modules in a prescribed order using getLoginContext:

    import javax.security.auth.Subject;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.login.LoginContext;
    import oracle.security.jps.service.ServiceLocator;
    import oracle.security.jps.service.JpsServiceLocator;
    import oracle.security.jps.service.login.LoginService;

    // Obtain the login service
    ServiceLocator locator = JpsServiceLocator.getServiceLocator();
    LoginService loginService = locator.lookup(LoginService.class);

    // Create the handler for the given name and password
    CallbackHandler cbh = new MyCallbackHandler(name, password.toCharArray());

    // Invoke login modules selectively, in the given order
    String[] selectiveModules = new String[]{lmName1, lmName2, lmName3};
    LoginContext ctx = loginService.getLoginContext(new Subject(), cbh, selectiveModules);
    ctx.login();
    Subject s = ctx.getSubject();

selectiveModules is an array of login module names, and the authentication uses precisely those login modules named in the array, in the order listed. Each name in the array must be the name of a service instance listed in the default context of the file jps-config-jse.xml.
The following fragment illustrates the configuration of a stack of two login modules:

    <serviceProvider type="LOGIN" name="jaas.login.provider"
                     class="oracle.security.jps.internal.login.jaas.JaasLoginServiceProvider">
      <description>Common definition for any login module instances</description>
    </serviceProvider>

    <serviceInstance name="auth.loginmodule" provider="jaas.login.provider">
      <description>User Authentication Login Module</description>
      <property name="loginModuleClassName"
                value="oracle.security.jps.internal.jaas.module.authentication.JpsUserAuthenticationLoginModule"/>
      <property name="jaas.login.controlFlag" value="REQUIRED"/>
    </serviceInstance>

    <serviceInstance name="custom.loginmodule" provider="jaas.login.provider">
      <description>My Custom Login Module</description>
      <property name="loginModuleClassName" value="my.custom.MyLoginModuleClass"/>
      <property name="jaas.login.controlFlag" value="REQUIRED"/>
    </serviceInstance>

    <jpsContexts default="aJpsContext">
      <jpsContext name="aJpsContext">
        <serviceInstanceRef ref="auth.loginmodule"/>
        <serviceInstanceRef ref="custom.loginmodule"/>
      </jpsContext>
    </jpsContexts>

22-10 Oracle Fusion Middleware Application Security Guide
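The two fragments above leave the CallbackHandler unwritten. The following is an added example, not code from the guide or from OPSS itself: a handler that answers the NameCallback and PasswordCallback the stacked modules issue, plus a login routine that passes the instance names from jps-config-jse.xml (for the stack above, "auth.loginmodule" and "custom.loginmodule") to getLoginContext and wipes its copy of the password afterwards. It assumes the OPSS Java SE Client is on the classpath and that lookup and getLoginContext may throw checked exceptions, which it simply propagates.

```java
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import oracle.security.jps.service.JpsServiceLocator;
import oracle.security.jps.service.ServiceLocator;
import oracle.security.jps.service.login.LoginService;

public class SelectiveLogin {
    /** Answers the NameCallback/PasswordCallback that the stacked login modules issue. */
    static final class MyCallbackHandler implements CallbackHandler {
        private final String name;
        private final char[] password;
        MyCallbackHandler(String name, char[] password) {
            this.name = name;
            this.password = password.clone();   // private copy, wiped by clear()
        }
        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(name);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "Unsupported callback");
                }
            }
        }
        void clear() { Arrays.fill(password, '\0'); }  // wipe the copy after the attempt
    }

    /** Authenticates against the named service instances, in that order, and returns the Subject. */
    public static Subject login(String name, char[] password, String... moduleNames) throws Exception {
        ServiceLocator locator = JpsServiceLocator.getServiceLocator();
        LoginService loginService = locator.lookup(LoginService.class);
        MyCallbackHandler cbh = new MyCallbackHandler(name, password);
        try {
            LoginContext ctx = loginService.getLoginContext(new Subject(), cbh, moduleNames);
            ctx.login();                 // any REQUIRED module failing fails the whole login
            return ctx.getSubject();
        } finally {
            cbh.clear();
        }
    }
}
```

Because both instances in the stack above are REQUIRED, a Subject is returned only when the user authentication module and the custom module both succeed; a LoginException from ctx.login() reports the failure of either.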

22.3 The OPSS Java SE Client

The OPSS Java SE Client is a set of security services that has a small memory footprint and that is to be used exclusively by Java SE applications. This section explains the subset of security services the OPSS Java SE Client provides and how to configure those services. The OPSS Java SE Client supports the authentication and authorization services only. The type of store used for the authentication service must be XML or LDAP. The type of store used for the authorization service must be XML. All service configurations are specified in the application file jps-config-jse.xml, and the contents of an XML store are specified in the file jazn-data.xml. It is assumed that the OPSS Java SE Client has been installed via the Oracle Entitlement Server Security Module. This section includes the following topics:
■ Supported Services
■ Configuration Examples

22.3.1 Supported Services

The types of store that the OPSS Java SE Client supports for the authentication service are a local XML-based identity store and a remote, already installed LDAP-based identity store. The only authentication method supported is username/password. The list of supported LDAP identity stores is the following:
■ Oracle Internet Directory 10g and 11g
■ Oracle Virtual Directory 10g and 11g
■ Sun Java System Directory Server 6.3
■ Active Directory 2003, 2008
■ Novell eDirectory 8.8
■ OpenLDAP 2.2. For a special additional configuration required for this type, see Appendix J, Using an OpenLDAP Identity Store.
■ Oracle Directory Server Enterprise Edition 11gR1 11.1.1.3+
■ IBM Tivoli DS 6.2
The type of store that the OPSS Java SE Client supports for the authorization service is local XML-based policy and credential stores only. The OPSS Java SE Client supports permission- and entitlement-based authorization checks.

22.3.2 Configuration Examples

This section illustrates the configuration of the following artifacts:
■ XML policy and credential stores
■ XML and LDAP identity stores
■ Login Module Principals

XML Policy and Credential Stores Configuration

The following snippets illustrate the configuration of XML-based policy and credential stores. The contents of an XML-based policy store are specified in the file