
J2EE: Container based security with OC4J and Active Directory (LDAP)


The following article is pretty straightforward, but it cost me quite a lot of time to work
out. Hopefully it can save you that time in the future.

For my application, I needed a basic login function where only users from a
certain LDAP group are allowed to access the application.

Default J2EE container security

The security options of J2EE are configured in the web.xml file. This configuration
is the same for every web container (Tomcat, OC4J, Glassfish...).

Specify the paths you want to secure (in this case every .do page):

<security-constraint>
  <web-resource-collection>
    <web-resource-name>my web application</web-resource-name>
    <description>This application has limited access.</description>
    <url-pattern>*.do</url-pattern>
  </web-resource-collection>

  <auth-constraint>
    <role-name>authenticated</role-name>
  </auth-constraint>
</security-constraint>

List all your security roles (this is nothing more than repeating the role names from the
previous step), optionally with a description:

<security-role>
  <description>This role is for authenticated users.</description>
  <role-name>authenticated</role-name>
</security-role>

Configure the login method you want to offer your users (BASIC, FORM, DIGEST or
CLIENT-CERT). See http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security5.html for
more information. Usually FORM is used; with this option the user is presented with a
custom-made HTML form.

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jspx</form-login-page>
    <form-error-page>/login.jspx?fout=1</form-error-page>
  </form-login-config>
</login-config>

Your login form must post its data to the 'j_security_check' action and use
'j_username' and 'j_password' as field names. (See
http://www.onjava.com/pub/a/onjava/2002/06/12/form.html for more information.)

Configuring OC4J

Authentication with Active Directory is built into OC4J and is called JAZN (Java
AuthoriZatioN). Many files are involved with JAZN, but in practice we only need
orion-application.xml. This configuration is OC4J specific.

To query the LDAP, you need a service user for Active Directory. Ask system
administration to create one.

First, map your earlier defined security role to a group in Active Directory:

<security-role-mapping name="authenticated">
  <group name="LDAP_GROUP" /> <!-- LDAP group -->
</security-role-mapping>

Tell OC4J to use a custom LDAP provider:

<jazn provider="XML">
  <property name="custom.ldap.provider" value="true"/>
</jazn>

Configure the LDAP lookup (change the search bases and the service user details to
your own situation). Mind the distinguished names (e.g.
OU=Users,OU=ABC,DC=esk,DC=local): they must not contain spaces.

<jazn-loginconfig>
  <application>
    <name>[application name, should match the deployment name]</name>
    <login-modules>
      <login-module>
        <class>oracle.security.jazn.login.module.LDAPLoginModule</class>
        <control-flag>required</control-flag>
        <options>
          <option>
            <name>oracle.security.jaas.ldap.user.searchbase</name>
            <value>OU=Users,OU=ABC,DC=esk,DC=local</value>
          </option>
          <option>
            <name>oracle.security.jaas.ldap.user.object.class</name>
            <value>user</value>
          </option>
          <option>
            <name>oracle.security.jaas.ldap.lm.cache_enabled</name>
            <value>true</value>
          </option>
          <option>
            <name>oracle.security.jaas.ldap.membership.searchscope</name>
            <value>nested</value>
          </option>
          <option>
            <name>oracle.security.jaas.ldap.provider.connect.pool</name>
            <value>true</value>
          </option>
          <option>
            <name>oracle.security.jaas.ldap.user.searchscope</name>
            <value>subtree</value>
          </option>
          <option>
            <name>oracle.security.jaas.ldap.role.searchbase</name>
            <value>OU=Groups,OU=ABC,DC=esk,DC=local</value>
          </option>
          <option>
            <name>oracle.security.jaas.ldap.user.name.attribute</name>
            <value>sAMAccountName</value>
          </option>
          <option>
            <name>oracle.security.jaas.ldap.role.object.class</name>
            <value>group</value>
          </option>
          <option>
            <name>oracle.security.jaas.ldap.member.attribute</name>
            <value>member</value>
          </option>
          <option>
            <name>oracle.security.jaas.ldap.connect.pool.initsize</name>
            <value>2</value>
          </option>
          <option>
            <name>oracle.security.jaas.ldap.connect.pool.prefsize</name>
            <value>10</value>
          </option>
          <option>
            <name>oracle.security.jaas.ldap.provider.type</name>
            <value>Active Directory</value>
          </option>
          <option>
            <name>oracle.security.jaas.ldap.connect.pool.maxsize</name>
            <value>25</value>
          </option>
          <option>
            <name>oracle.security.jaas.ldap.role.name.attribute</name>
            <value>cn</value>
          </option>
          <option>
            <name>oracle.security.jaas.ldap.provider.user</name>
            <value>[Service User: username]</value>
          </option>
          <option>
            <name>oracle.security.jaas.ldap.provider.credential</name>
            <value>[Service User: password]</value>
          </option>
          <option>
            <name>oracle.security.jaas.ldap.role.searchscope</name>
            <value>subtree</value>
          </option>
          <option>
            <name>oracle.security.jaas.ldap.connect.pool.timeout</name>
            <value>300000</value>
          </option>
          <option>
            <name>oracle.security.jaas.ldap.provider.url</name>
            <value>ldap://ldap.organisation.be:389</value>
          </option>
        </options>
      </login-module>
    </login-modules>
  </application>
</jazn-loginconfig>
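As an added pre-deployment check (example code written for this article, not part of OC4J or of the original post), the script below cross-checks the web.xml and orion-application.xml fragments above: every role used in an auth-constraint must be declared and mapped to a group, search-base DNs must not contain spaces, the service-user credential placeholder must have been replaced, and the provider URL should be ldaps://. Both XML samples are constructed inline from the snippets above, with three deliberate defects; the application name myapp is made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the web.xml pieces from the article, wrapped in a root element
# (real web.xml files also carry an XML namespace, which this sample omits).
WEB_XML = """<web-app><security-constraint><web-resource-collection>
<url-pattern>*.do</url-pattern></web-resource-collection>
<auth-constraint><role-name>authenticated</role-name></auth-constraint></security-constraint>
<security-role><role-name>authenticated</role-name></security-role>
<login-config><auth-method>FORM</auth-method></login-config></web-app>"""

# Constructed sample orion-application.xml with three deliberate defects: a DN containing
# a space, the credential placeholder still in place, and a plain ldap:// provider URL.
ORION_XML = """<orion-application>
<security-role-mapping name="authenticated"><group name="LDAP_GROUP"/></security-role-mapping>
<jazn-loginconfig><application><name>myapp</name><login-modules><login-module>
<class>oracle.security.jazn.login.module.LDAPLoginModule</class><options>
<option><name>oracle.security.jaas.ldap.user.searchbase</name><value>OU=Users, OU=ABC,DC=esk,DC=local</value></option>
<option><name>oracle.security.jaas.ldap.provider.credential</name><value>[Service User: password]</value></option>
<option><name>oracle.security.jaas.ldap.provider.url</name><value>ldap://ldap.organisation.be:389</value></option>
</options></login-module></login-modules></application></jazn-loginconfig></orion-application>"""

def check_config(web_xml, orion_xml):
    """Cross-check web.xml against orion-application.xml; return a list of findings."""
    web, orion = ET.fromstring(web_xml), ET.fromstring(orion_xml)
    findings = []
    # 1. A constrained role that is not declared, or not mapped to an LDAP group, locks everyone out.
    constrained = {r.text for ac in web.iter("auth-constraint") for r in ac.iter("role-name")}
    declared = {r.text for sr in web.iter("security-role") for r in sr.iter("role-name")}
    mapped = {m.get("name") for m in orion.iter("security-role-mapping") if m.find("group") is not None}
    findings += [f"role '{r}' is constrained but not declared in <security-role>" for r in constrained - declared]
    findings += [f"role '{r}' has no <security-role-mapping> to an LDAP group" for r in constrained - mapped]
    opts = {o.findtext("name"): o.findtext("value") for o in orion.iter("option")}
    # 2. The article's caveat: DNs in the search bases must not contain spaces.
    for name, value in opts.items():
        if name.endswith(".searchbase") and " " in (value or ""):
            findings.append(f"{name}: DN contains a space: {value!r}")
    # 3. Empty or placeholder service credential. Note that this file is copied into
    #    system-jazn-data.xml at deployment, so the real value lands on disk there as well.
    cred = opts.get("oracle.security.jaas.ldap.provider.credential") or ""
    if not cred or cred.startswith("["):
        findings.append("provider.credential is empty or still a placeholder")
    # 4. Over plain ldap:// the service user's simple bind is sent in clear text unless
    #    StartTLS is negotiated; ldaps:// avoids that question entirely.
    url = opts.get("oracle.security.jaas.ldap.provider.url") or ""
    if not url.startswith("ldaps://"):
        findings.append(f"provider.url {url!r} is not ldaps://")
    return findings
```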

More nice to know

• Use an LDAP browser to find out where the groups and users are located
and what their DNs are, e.g. http://ldapadmin.sourceforge.net/

• The configuration you created in orion-application.xml is copied to
[oc4j_home]/j2ee/home/config/system-jazn-data.xml at deployment. Check
this file to find out whether the deployment of the OC4J security
configuration was successful.
