4.1 Oracle Application Server Security Objectives

   

Oracle Application Server is designed to provide both basic and advanced security services while adhering to security standards. Oracle Application Server provides the following security services:


Authentication

Verifies the identity of users and systems requesting applications, resources, and data (see the sidebar, "Identity Management").


Authorization

Provides system-level determination and granting of the proper level of privileges to users or systems, thus possibly limiting their ability to use applications or resources or to manipulate data.


Access control

Grants access to applications, data, and other resources consistent with security policies based on the authentication of the user, the authorization she has, and the type of access being requested.


Accountability and intrusion detection

Ensures that activities contrary to policies are detected and recorded.


Data protection

Protects data from access by unauthorized users via such mechanisms as encryption and integrity checks.

Identity Management

Identity management is a term used to describe the process of authenticating users and maintaining their identity over time and across multiple applications. Section 4.2.1 describes the framework used for the centralized management of user security in many Oracle Application Server deployments. Some Oracle Application Server components, such as OracleAS Reports Services and OracleAS Forms Services, may be deployed using their own user management and security services. OC4J applications may also be deployed using non-Oracle identity management services, such as Microsoft Active Directory, SunOne (formerly iPlanet), and Netegrity SiteMinder. These third-party management services can be used with Oracle Identity Management.


In managing Oracle Application Server, your security goal should be to deploy the product in such a way that it can pass an independent security assessment. In such a secure deployment, you also need to consider coding practices, eliminate single points of failure in the security mechanism, set minimal privileges as a default, and enable intrusion detection to limit damage from security breaches. Those are extensive security topics that go well beyond the scope of this chapter. See the Appendix, however, for additional sources of security information.

   


Oracle Application Server 10g Essentials
ISBN: 0596006217
EAN: 2147483647
Year: 2004
Pages: 120
