Manually Configuring Java EE Applications to Use OPSS 21-3 The specification of this parameter is optional and case sensitive; if unspecified, it defaults to the name of the deployed application. Its value defines the subset of policies in the policy store that the application intents to use. One way of specifying the application stripe is withing the filter element, as illustrated in the following sample: filter filter-nameJpsFilterfilter-name filter-classoracle.security.jps.ee.http.JpsFilterfilter-class init-param param-nameapplication.nameparam-name param-valuestripeidparam-value init-param filter Another way to specify it, is to specify it is within the context-param element as illustrated in the following sample: context-param descriptionJPS custom stripe iddescription param-nameapplication.nameparam-name param-valuestripeidparam-value context-param This last configuration is required if the application contains MBeans accesssing the application policy store and the application name is different from the application stripe name. For details, see Configuring the Application Stripe for Application MBeans . Configuration Examples The following two samples illustrate the configuration of this parameter for a servlet and for an EJB. The following fragment of a web.xml file shows how to configure two different servlets, MyServlet1 and MyServlet2, to be enabled with the filter so that subsequent authorization checks evaluate correctly. Note that servlets in the same WAR file always use the same policy stripe. filter filter-nameJpsFilterfilter-name filter-classoracle.security.jps.ee.http.JpsFilterfilter-class init-param param-nameapplication.nameparam-name param-valueMyAppNameparam-value init-param filter filter-mapping filter-nameJpsFilterfilter-name servlet-nameMyServlet1servlet-name dispatcherREQUESTdispatcher filter-mapping filter-mapping filter-nameJpsFilterfilter-name servlet-nameMyServlet2servlet-name dispatcherREQUESTdispatcher filter-mapping 21-4 Oracle Fusion Middleware Application Security Guide The following fragment of an ejb-jar.xml file illustrates the setting of the application stripe of an interceptor to MyAppName and the use of that interceptor by the EJB MyEjb: interceptor interceptor-classoracle.security.jps.ee.ejb.JpsInterceptorinterceptor-class env-entry env-entry-nameapplication.nameenv-entry-name env-entry-typejava.lang.Stringenv-entry-type env-entry-valueMyAppNameenv-entry-value injection-target injection-target-class oracle.security.jps.ee.ejb.JpsInterceptorinjection-target-class injection-target-nameapplication_nameinjection-target-name injection-target env-entry interceptor ... interceptor-binding ejb-nameMyEjbejb-name interceptor-class oracle.security.jps.ee.ejb.JpsInterceptorinterceptor-class interceptor-binding Note how the preceding example satisfies the interceptor configuration syntax requirements. Application Roles Support The addition of application roles to a subject is controlled by the following parameter, which can be set to true or false: add.application.roles To add application roles to a subject, set the property to true; otherwise, set it to false. The default value is true. The principal class for the application role is: oracle.security.jps.service.policystore.ApplicationRole Anonymous User and Anonymous Role Support The use of anonymous for a servlet is controlled by the following parameters, which can be set to true or false: enable.anonymous remove.anonymous.role For an EJB, only the second parameter above is available, since the use of the anonymous user and role is always enabled for EJBs. To enable the use of the anonymous user for a servlet, set the first property to true; to disable it, set it to false. The default value is true. To remove the anonymous role from a subject, set the second property to true; to retain it, set it to false. The default value is false. Typically, one would want to remove the anonymous user and role after authentication, and only in special circumstances would want to retain them after authentication. The default name and the principal class for the anonymous user are: anonymous Manually Configuring Java EE Applications to Use OPSS 21-5 oracle.security.jps.internal.core.principals.JpsAnonymousUserImpl The default name and the principal class for the anonymous role are: anonymous-role oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl The following fragment of a web.xml file illustrates a setting of these parameters and the use of the filter JpsFilter by the servlet MyServlet: filter filter-nameJpsFilterfilter-name filter-classoracle.security.jps.ee.http.JpsFilterfilter-class init-param param-nameenable.anonymousparam-name param-valuetrueparam-value init-param init-param param-nameremove.anonymous.roleparam-name param-valuefalseparam-value init-param filter filter-mapping filter-nameJpsFilterfilter-name servlet-nameMyServletservlet-name dispatcherREQUESTdispatcher filter-mapping The following fragment of an ejb-jar.xml file illustrates the setting of the second parameter to false and the use of the interceptor by the Enterprise Java Bean MyEjb: interceptor interceptor-classoracle.security.jps.ee.ejb.JpsInterceptorinterceptor-class env-entry env-entry-nameremove.anonymous.roleenv-entry-name env-entry-typejava.lang.Booleanenv-entry-type env-entry-valuefalseenv-entry-value injection-target injection-target-class oracle.security.jps.ee.ejb.JpsInterceptorinjection-target-class injection-target-nameremove_anonymous_roleinjection-target-name injection-target env-entry interceptor ... interceptor-binding ejb-nameMyEjbejb-name interceptor-class oracle.security.jps.ee.ejb.JpsInterceptorinterceptor-class interceptor-binding The following fragments illustrate how to access programmatically the anonymous subject, and the anonymous role and anonymous user from a subject: import oracle.security.jps.util.SubjectUtil; The next call returns the anonymous subject javax.security.auth.Subject subj = SubjectUtil.getAnonymousSubject; The next call extracts the anonymous role from the subject java.security.Principal p = 21-6 Oracle Fusion Middleware Application Security Guide SubjectUtil.getAnonymousRolejavax.security.auth.Subject subj Remove or retain anonymous role ... The next call extracts the anonymous user from the subject java.security.Principal p = SubjectUtil.getAnonymousUserjavax.security.auth.Subject subj Remove or retain anonymous user ... Authenticated Role Support The use of the authenticated role is controlled by the following parameter, which can be set to true or false: add.authenticated.role To add the authenticated role to a subject, set the parameter to true; otherwise it, set it to false. The default value is true. The default name and the principal class for the authenticated role are: authenticated-role oracle.security.jps.internal.core.principals.JpsAuthenticatedRoleImpl The following fragment of a web.xml file illustrates a setting of this parameter and the use of the filter JpsFilter by the servlet MyServlet: filter filter-nameJpsFilterfilter-name filter-classoracle.security.jps.ee.http.JpsFilterfilter-class init-param param-nameadd.authenticated.roleparam-name param-valuefalseparam-value init-param filter filter-mapping filter-nameJpsFilterfilter-name servlet-nameMyServletservlet-name dispatcherREQUESTdispatcher filter-mapping JAAS Mode The use of JAAS mode is controlled by the following parameter: oracle.security.jps.jaas.mode This parameter can be set to: doAs doAsPrivileged off undefined subjectOnly The default value is doAsPrivileged. For details on how these values control the behavior of the method checkPermission, see Section 20.3.3.1, Using the Method checkPermission. The following two samples illustrate configurations of a servlet and an EJB that use this parameter. Manually Configuring Java EE Applications to Use OPSS 21-7 The following fragment of a web.xml file illustrates a setting of this parameter and the use of the filter JpsFilter by the servlet MyServlet: filter filter-nameJpsFilterfilter-name filter-classoracle.security.jps.ee.http.JpsFilterfilter-class init-param param-nameoracle.security.jps.jaas.modeparam-name param-valuedoAsparam-value init-param filter filter-mapping filter-nameJpsFilterfilter-name servlet-nameMyServletservlet-name dispatcherREQUESTdispatcher filter-mapping The following fragment of an ejb-jar.xml file illustrates a setting of this parameter to doAs and the use of the interceptor JpsInterceptor by the Enterprise Java Bean MyEjb: interceptor interceptor-classoracle.security.jps.ee.ejb.JpsInterceptorinterceptor-class env-entry env-entry-nameoracle.security.jps.jaas.modeenv-entry-name env-entry-typejava.lang.Stringenv-entry-type env-entry-valuedoAsenv-entry-value injection-target injection-target-class oracle.security.jps.ee.ejb.JpsInterceptorinjection-target-class injection-target-nameoracle_security_jps_jaas_mode injection-target-name injection-target env-entry interceptor ... interceptor-binding ejb-nameMyEjbejb-name interceptor-class oracle.security.jps.ee.ejb.JpsInterceptorinterceptor-class interceptor-binding

21.1.1 Interceptor Configuration Syntax

The following requirements and characteristics of the specifications apply to all parameters configured for the JpsInterceptor: ■ The setting of a parameter requires specifying its type in the element env-entry-type. ■ The setting of a parameter requires the element injection-target, which specifies the same class as that of the interceptor in the element injection-target-class, and the parameter name rewritten as a string where the dots are replaced by underscores in the element injection-target-name. ■ The binding of an interceptor to an EJB is specified by the EJB name and the interceptor’s class, that is, the interceptor is referred to by its class, not by name. 21-8 Oracle Fusion Middleware Application Security Guide

21.1.2 Summary of Filter and Interceptor Parameters

The following table summarizes the description of the parameters used by the JpsFilter and the JpsInterceptor:

21.1.3 Configuring the Application Stripe for Application MBeans

If your application satisfies the following conditions: ■ It contains MBeans that access the policy store and perform authorization checks. ■ The application stripe name is not equal to the application name. then, for the MBean to access the application stripe in the domain security store, the stripe name must be specified by the global parameter or context parameter application.name in the file web.xml, as illustrated in the following sample: context-param descriptionJPS custom stripe iddescription param-nameapplication.nameparam-name param-valuestripeidparam-value context-param Table 21–1 Summary of JpsFilter and JpsInterceptor Parameters Parameter Name Values Default Function Notes application.name Any valid string. The value is case sensitive. The name of the deployed application. To specify the subset of policies that the servlet or EJB is to use. It should be specified if several servlets or EJBs are to share the same subset of policies in the policy store. add.application.roles TRUE or FALSE TRUE To add application roles to a Subject. Since it defaults to TRUE, it must be set to FALSE only if the application is not to add application roles to a Subject. enable.anonymous TRUE or FALSE TRUE To enable or disable the anonymous user in a Subject. If set to TRUE, it creates a Subject with the anonymous user and the anonymous role. remove.anonymous.role TRUE or FALSE FALSE To keep or remove the anonymous role from a Subject after authentication. Available for servlets only. For EJBs, the anonymous role is always removed from a Subject. If set to FALSE, the Subject retains the anonymous role after authentication; if set to TRUE, it is removed after authentication. add.authenticated.role TRUE or FALSE TRUE To allow addition of the authenticated role in a Subject. Since it defaults to TRUE, it needs be set to FALSE only if the authenticated role is not be included in a Subject. oracle.security.jps.jaas.mode doAsPrivileged doAs off undefined subjectOnly doAsPrivileged To set the JAAS mode.