
Securing Java Clients

Unlike Web clients that go through an Internet browser, application clients need their own strategy for implementing security. Historically, application clients of WebLogic Server authenticated through JNDI. Because JAAS is a standard extension to security in J2EE 1.3, it is now the preferred method of application client authentication in WebLogic Server. Security implementations based on JNDI still work under WebLogic Server, but some of the methods in the weblogic.jndi.Environment class that support JNDI-based authentication have been deprecated, which is why BEA recommends JAAS for all username and password authentication. For two-way SSL authentication, JNDI is still used because JAAS does not handle it.

WebLogic Server, being J2EE 1.3–compliant, supports the Java Authentication and Authorization Service (JAAS) version 1.0. It supports JAAS authentication on the server, and JAAS authentication and authorization on application clients. JAAS is preferred over JNDI for authenticating application clients, but this chapter covers both, starting with JNDI authentication.

JNDI Authentication

JNDI does not implement a security model of its own; it relies on the security models already in place in the Java platform. What it does provide is a set of environment properties that carry security information to the service provider. For simple authentication to WebLogic Server through JNDI, you must create a Hashtable and populate it with the following keys, which are defined as constants on the javax.naming.Context interface:

  • Context.INITIAL_CONTEXT_FACTORY— The fully qualified class name of the context factory used to create the initial context; for WebLogic, weblogic.jndi.WLInitialContextFactory

  • Context.PROVIDER_URL— The URL of the service provider to use, in this case WebLogic Server, given as protocol, host and port (t3://host:port, or t3s://host:port for a connection over SSL)

  • Context.SECURITY_PRINCIPAL— The identity (username) used to authenticate the caller to the service

  • Context.SECURITY_CREDENTIALS— The credentials (password) used to authenticate the caller to the service

After setting these properties, create a new InitialContext from the Hashtable and then perform the lookup on the resource. Authentication happens when the InitialContext is created: if the username or password is rejected, a javax.naming.NamingSecurityException (typically its subclass AuthenticationException) is thrown. Listing 28.1 gives an example of using JNDI authentication to get an object.

Listing 28.1 A JNDI Call to WebLogic
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.naming.NamingSecurityException;

Context con = null;
try {
    Hashtable environment = new Hashtable();
    environment.put(Context.INITIAL_CONTEXT_FACTORY,
                    "weblogic.jndi.WLInitialContextFactory");
    // t3s (T3 over SSL) so the password is not sent in the clear
    environment.put(Context.PROVIDER_URL, "t3s://weblogic:7002");
    environment.put(Context.SECURITY_PRINCIPAL, "user");
    environment.put(Context.SECURITY_CREDENTIALS, "password");
    // Authentication happens here; the lookup below then runs as "user"
    con = new InitialContext(environment);
    Object myEJB = con.lookup("myEJB");
} catch (NamingSecurityException e) {
    // bad username/password, or the user lacks permission for the lookup
    System.err.println("Authentication failed: " + e);
} catch (NamingException e) {
    // the lookup failed for a reason other than security
    System.err.println("JNDI error: " + e);
} finally {
    if (con != null) {
        try { con.close(); } catch (NamingException ignored) { }
    }
}

Listing 28.1 is an example of one-way SSL authentication with JNDI: the t3s protocol makes the server present its certificate and encrypts the connection, and the client then authenticates with a username and password inside that tunnel. With a plain t3:// URL the same code would send the password in the clear. If the client itself must present a private key and a chain of X.509 certificates as an extra measure of security, two-way SSL authentication is required. For more information about two-way SSL authentication, see BEA's edocs at http://edocs.bea.com/wls/docs81/security/SSL_client.html.
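The following client shows the two-way SSL case described above, using the weblogic.jndi.Environment class instead of a raw Hashtable so that the client's own key and certificate chain can be attached to the connection. This is an added example, not code from the book or from BEA: the host name, port, PEM file names, passwords and the "myEJB" binding are assumptions, and the Environment setter names (setSSLClientCertificate, setSSLClientKeyPassword, getInitialContext) follow the WebLogic Server 8.1 two-way SSL documentation linked above and should be checked against the release you run.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import javax.naming.Context;
import javax.naming.NamingException;
import weblogic.jndi.Environment;

/**
 * Two-way SSL client login to WebLogic Server over JNDI.
 * Added example, not from the page: host, port, file names, passwords and
 * the "myEJB" binding are assumptions; setter names follow the WLS 8.1 docs.
 */
public class TwoWaySslClient {

    /** Builds and authenticates an InitialContext; the caller must close it. */
    public static Context connect(String providerUrl, String user, String password,
                                  String keyFile, String keyPassword,
                                  String clientCertFile, String caCertFile)
            throws Exception {
        // Refuse to ship the password and private key over an unencrypted t3:// link.
        if (!providerUrl.startsWith("t3s://")) {
            throw new IllegalArgumentException(
                "two-way SSL requires a t3s:// URL, got " + providerUrl);
        }

        Environment env = new Environment();
        env.setProviderUrl(providerUrl);
        env.setSecurityPrincipal(user);
        env.setSecurityCredentials(password);

        // Client identity: the PEM private key first, then the certificate chain
        // from the client certificate toward the CA (ordering per the WLS 8.1 docs).
        InputStream[] identity = new InputStream[] {
            new FileInputStream(keyFile),
            new FileInputStream(clientCertFile),
            new FileInputStream(caCertFile)
        };
        env.setSSLClientCertificate(identity);
        env.setSSLClientKeyPassword(keyPassword);  // passphrase protecting the key file

        // The SSL handshake (server cert checked by the client, client cert
        // checked by the server) and the username/password check both happen here.
        return env.getInitialContext();
    }

    public static void main(String[] args) {
        Context ctx = null;
        try {
            ctx = connect("t3s://weblogic:7002", "user", "password",
                          "clientkey.pem", "keypass", "clientcert.pem", "ca.pem");
            Object myEJB = ctx.lookup("myEJB");
            System.out.println("Authenticated; looked up " + myEJB.getClass().getName());
        } catch (NamingException e) {
            // rejected credentials, rejected client certificate, or failed lookup
            System.err.println("JNDI failure: " + e);
        } catch (Exception e) {
            System.err.println("Could not load client identity: " + e);
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }
}
```

The t3s check at the top is the part worth keeping even if the rest changes: the username, password and private key passphrase all travel inside the SSL session, and a stray t3:// URL would silently downgrade the whole exchange to cleartext.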
