Migrating Identities with migrateSecurityStore

Authentication for Java SE Applications 22-3

    <property name="security.principal.alias" value="MyCredentialMapName"/>
    <property name="security.principal.key" value="MyCredentialMapKey"/>
    <property name="ldap.url" value="{LDAP_URI}"/>
    <property name="max.search.filter.length" value="500"/>
    <extendedProperty>
      <name>user.search.bases</name>
      <values>
        <value>cn=users,dc=us,dc=oracle,dc=com</value>
      </values>
    </extendedProperty>
    <extendedProperty>
      <name>group.search.bases</name>
      <values>
        <value>cn=groups,dc=us,dc=oracle,dc=com</value>
      </values>
    </extendedProperty>
  </serviceInstance>
</serviceInstances>
<jpsContexts default="ldap_idstore">
  <jpsContext name="ldap_idstore">
    <serviceInstanceRef ref="idstore.ldap"/>
  </jpsContext>
  <jpsContext name="bootstrap_credstore_context">
    <serviceInstanceRef ref="bootstrap.cred"/>
  </jpsContext>
</jpsContexts>

Note the following points:

■ The name of the serviceInstance (idstore.ldap in the example above) can have any value, but it must match the instance referenced in the element serviceInstanceRef.

■ The name of the serviceProvider (idstore.ldap.provider in the example above) can have any value, but it must match the provider in the element serviceInstance.

■ To add properties to a provider instance with a prescribed script, see Appendix E.1, "Configuring OPSS Service Provider Instances with a WLST Script."

■ The credentials used to access the identity LDAP store are specified with the instance properties security.principal.key and security.principal.alias and are stored in the bootstrap credential store.

22.2.3 Supported Login Modules for Java SE Applications

A login module is a component that authenticates users and populates a subject with principals. This process occurs in two distinct phases. During the first phase, the login module attempts to authenticate a user, requesting, as necessary, a name and a password or some other credential data; the second phase is invoked only if this first phase succeeds. During the second phase, the login module assigns the relevant principals to a subject, which is eventually used to perform some privileged action.

22.2.3.1 The Identity Store Login Module

A Java SE application can use a stack of login modules to authenticate its users; each module in the stack performs its own computations independently of the others in the stack. These and other services are specified in the file jps-config-jse.xml.

The OPSS APIs include the interface oracle.security.jps.service.login.LoginService, which allows a Java SE application to invoke not just all login modules in a stack, but a subset of them in a prescribed order. The name of the jps context (defined in the configuration file jps-config-jse.xml) that is passed to the method LoginContext in the LoginService interface determines the stack of login modules that an application uses. The standard JAAS API LoginContext can also be used to invoke the login modules defined in the default context.

The sequence in which a jps context lists the login modules in a stack is significant, because the authentication algorithm takes this order into account in addition to other data, such as the flag that identifies the module security level: required, sufficient, requisite, or optional.

Out of the box, the identity store service is file-based, its contents being provisioned in the file system-jazn-data.xml, but it can be reconfigured to be an LDAP-based identity store. OPSS supports the Identity Store login module in Java SE applications, which can be used for authentication or identity assertion.
Identity Store Login Module

The class associated with this login module is the following:

oracle.security.jps.internal.jaas.module.idstore.IdStoreLoginModule

An instance of this module is configured in the file jps-config-jse.xml as illustrated in the following fragment:

<serviceInstance name="idstore.loginmodule" provider="jaas.login.provider">
  <description>Identity Store Login Module</description>
  <property name="loginModuleClassName"
            value="oracle.security.jps.internal.jaas.module.idstore.IdStoreLoginModule"/>
  <property name="jaas.login.controlFlag" value="REQUIRED"/>
</serviceInstance>

Properties specific to this login module include the following:

■ remove.anonymous.role (defaults to true)

■ add.application.role (defaults to true)

22.2.3.2 Using the Identity Store Login Module for Authentication

This section illustrates the use of the Identity Store login module for basic username and password authentication.

Invoke IdStoreLoginModule

The following code fragment illustrates how to set a callback handler and a context:

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;

// An empty Subject that the login module populates with principals on success.
Subject sub = new Subject();
// Your handler answers the name and password callbacks issued by the module.
CallbackHandler cbh = new YourCallbackHandler();
// appName selects the login-module stack configured in jps-config-jse.xml.
LoginContext context = new LoginContext(appName, sub, cbh);
// Runs both phases; throws LoginException if authentication fails.
context.login();
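A complete version of the fragment above, added here as an example rather than code from the guide: the handler class StaticCredentialHandler and the authenticate method are assumed names, and the example presumes the OPSS Java SE configuration (jps-config-jse.xml) is in effect so that LoginContext resolves the login-module stack selected by appName. The handler answers the NameCallback and PasswordCallback that the Identity Store login module issues during the first phase and refuses any other callback.

```java
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class IdStoreLoginExample {
    // Hypothetical handler: answers the NameCallback and PasswordCallback that
    // IdStoreLoginModule issues during phase one (authentication).
    static final class StaticCredentialHandler implements CallbackHandler {
        private final String user;
        private final char[] password;
        StaticCredentialHandler(String user, char[] password) {
            this.user = user;
            this.password = password;
        }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "unsupported callback"); // fail closed
                }
            }
        }
    }

    // Runs the login-module stack selected by appName (the name handed to LoginContext,
    // as in the guide's fragment). A phase-one failure surfaces as LoginException; only
    // on success does phase two populate the Subject with principals.
    static Subject authenticate(String appName, String user, char[] password) throws LoginException {
        LoginContext context = new LoginContext(appName, new Subject(),
                new StaticCredentialHandler(user, password));
        try {
            context.login();
        } finally {
            Arrays.fill(password, '\0'); // clear the secret once the module no longer needs it
        }
        return context.getSubject();
    }
}
```

After a successful call, context.getSubject().getPrincipals() holds the principals assigned in the second phase, which is what a later privileged action is checked against.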