Setting up Basic Authentication in iSQL*Plus 10.x

There are a couple of ways to protect the standard iSQL*Plus URL. One way is to use the default setup for the DBA URL and extend this to also protect the standard URL. The other way is to create a new role which protects just the standard URL. You will need to do this setup manually, and here are the instructions on how to do it.

I've written this using a Windows install, but the process is the same for other operating systems. Just change the % to $, and switch the \ to / in the paths.

Protect both the standard and DBA URLs using the webDba role

The webDba role is already configured in an Oracle database install to protect the DBA URL using basic authentication. To extend this same authentication to include the iSQL*Plus standard URL, perform the following steps: 

  1. Edit %ORACLE_HOME%\oc4j\j2ee\oc4j_applications\applications\isqlplus\isqlplus\WEB-INF\web.xml to add another <url-pattern> element:
    <url-pattern>*</url-pattern>

    Your <security-constraint> element should now look like this:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>dba.uix</web-resource-name>
            <description>
            </description>
            <url-pattern>/dba.uix</url-pattern>
            <url-pattern>/dbA.uix</url-pattern>
            <url-pattern>/dBa.uix</url-pattern>
            <url-pattern>/dBA.uix</url-pattern>
            <url-pattern>/Dba.uix</url-pattern>
            <url-pattern>/DbA.uix</url-pattern>
            <url-pattern>/DBa.uix</url-pattern>
            <url-pattern>/DBA.uix</url-pattern>
            <url-pattern>*</url-pattern>
        </web-resource-collection>
        <web-resource-collection>
            <web-resource-name>DynamicDba</web-resource-name>
            <description>
            </description>
            <url-pattern>/dba/dynamic</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>webDba</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

  2. From the directory %ORACLE_HOME%\oc4j\j2ee\isqlplus\application-deployments\isqlplus, run the following commands:

    set ORACLE_HOME=<your_oracle_home>
    set JAVA_HOME=%ORACLE_HOME%\jdk
    cd %ORACLE_HOME%\oc4j\j2ee\isqlplus\application-deployments\isqlplus

    Change <your_oracle_home> to the location of your Oracle Home, for example, C:\oracle\programs\ora10g.

  3. Use JAZN to add a user and assign it a role to access the iSQL*Plus URLs. This is the same as setting up the DBA URL described in the SQL*Plus documentation.   

    %JAVA_HOME%\bin\java -Djava.security.properties=%ORACLE_HOME%\oc4j\j2ee\home\config\jazn.security.props -jar %ORACLE_HOME%\oc4j\j2ee\home\jazn.jar -user "iSQL*Plus DBA/admin" -password welcome -adduser "iSQL*Plus DBA" plusdba plusdba

    %JAVA_HOME%\bin\java -Djava.security.properties=%ORACLE_HOME%\oc4j\j2ee\home\config\jazn.security.props -jar %ORACLE_HOME%\oc4j\j2ee\home\jazn.jar -user "iSQL*Plus DBA/admin" -password welcome -grantrole webDba "iSQL*Plus DBA" plusdba

    If you want to use the JAZN shell, here are the equivalent commands:

    %JAVA_HOME%\bin\java -Djava.security.properties=%ORACLE_HOME%\oc4j\j2ee\home\config\jazn.security.props -jar %ORACLE_HOME%\oc4j\j2ee\home\jazn.jar -user "iSQL*Plus DBA/admin" -password welcome -shell

    JAZN>adduser "iSQL*Plus DBA" plusdba plusdba
    JAZN>grantrole webDba "iSQL*Plus DBA" plusdba
    JAZN>exit 

    A little handy hint that I discovered while setting this up. If you use the JAZN shell, you need to exit the shell before any changes take place. I had a lot of frustration figuring out this procedure until I worked out this little feature!

    I didn't have to restart iSQL*Plus for this to take effect, but I did have to exit the JAZN shell.

  4. Test that this has now been set up. Open a browser window and enter the iSQL*Plus URL:

    http://<machine_name>:5560/isqlplus

    You should see an authentication dialog displayed. Enter plusdba/plusdba as your login. The iSQL*Plus login screen should be displayed. Close your browser (to remove the basic authentication), and do the same to test the iSQL*Plus DBA login:

    http://<machine_name>:5560/isqlplus/dba

Protect the standard URL using a new role, and the DBA URL using the webDba role

The other way of setting up basic authentication for the iSQL*Plus standard URL is to have two roles, one for the DBA URL and one for the standard URL. That way you can have one login for the DBA URL, which can also access the standard URL, and another login that can only access the standard URL.

As before, we reuse the webDba role which is already configured in an Oracle database install to protect the DBA URL. Then we create a new role to protect the iSQL*Plus standard URL. Here are the steps you need to perform:

  1. Edit %ORACLE_HOME%\oc4j\j2ee\oc4j_applications\applications\isqlplus\isqlplus\WEB-INF\web.xml to add another <security-constraint> element:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>login.uix</web-resource-name>
            <description>
            </description>
            <url-pattern>*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>webUser</role-name>
            <role-name>webDba</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    And add another <security-role> element:

    <security-role>
        <description>Privileged access to iSQL*Plus URL.</description>
        <role-name>webUser</role-name>
    </security-role>

  2. From the directory %ORACLE_HOME%\oc4j\j2ee\isqlplus\application-deployments\isqlplus, run the following commands:

    set ORACLE_HOME=C:\ora102
    set JAVA_HOME=%ORACLE_HOME%\jdk
    cd %ORACLE_HOME%\oc4j\j2ee\isqlplus\application-deployments\isqlplus

  3. Add the role webUser to the "iSQL*Plus DBA" realm.

    %JAVA_HOME%\bin\java -Djava.security.properties=%ORACLE_HOME%\oc4j\j2ee\home\config\jazn.security.props -jar %ORACLE_HOME%\oc4j\j2ee\home\jazn.jar -user "iSQL*Plus DBA/admin" -password welcome -addrole "iSQL*Plus DBA" webUser

    Add a user to the "iSQL*Plus DBA" realm.

    %JAVA_HOME%\bin\java -Djava.security.properties=%ORACLE_HOME%\oc4j\j2ee\home\config\jazn.security.props -jar %ORACLE_HOME%\oc4j\j2ee\home\jazn.jar -user "iSQL*Plus DBA/admin" -password welcome -adduser "iSQL*Plus DBA" plususer plususer

    Grant the role webUser to the plususer user.

    %JAVA_HOME%\bin\java -Djava.security.properties=%ORACLE_HOME%\oc4j\j2ee\home\config\jazn.security.props -jar %ORACLE_HOME%\oc4j\j2ee\home\jazn.jar -user "iSQL*Plus DBA/admin" -password welcome -grantrole webUser "iSQL*Plus DBA" plususer

    If you want to use the JAZN shell, here are the equivalent commands:

    %JAVA_HOME%\bin\java -Djava.security.properties=%ORACLE_HOME%\oc4j\j2ee\home\config\jazn.security.props -jar %ORACLE_HOME%\oc4j\j2ee\home\jazn.jar -user "iSQL*Plus DBA/admin" -password welcome -shell

    JAZN>adduser "iSQL*Plus DBA" plususer plususer
    JAZN>addrole "iSQL*Plus DBA" webUser
    JAZN>grantrole webUser "iSQL*Plus DBA" plususer
    JAZN>exit

    I didn't have to restart iSQL*Plus for this to take effect, but I did have to exit the JAZN shell.

  4. Test that this has now been set up. Open a browser window and enter the iSQL*Plus URL:

    http://<machine_name>:5560/isqlplus

    You should see an authentication dialog displayed. Enter plususer/plususer as your login. The iSQL*Plus login screen should be displayed. Close your browser (to remove the basic authentication), and do the same to test the iSQL*Plus DBA login:

    http://<machine_name>:5560/isqlplus/dba

The user you have just created, plususer, should be able to log in to the standard iSQL*Plus URL, but should not have access to the iSQL*Plus DBA URL.

When you create a user to access the iSQL*Plus DBA URL (as described in the SQL*Plus User's Guide and Reference), you should also grant the webUser role so it can access the standard iSQL*Plus URL. 
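
To check the edited web.xml before testing in a browser, the following added example (not part of the original post) parses the <security-constraint> and <security-role> elements and reports which roles guard each URL pattern, which roles are used without a <security-role> declaration, and which patterns have a transport guarantee of NONE. The sample descriptor is constructed from the fragments above with the webUser <security-role> deliberately left out; the function name audit and the absence of an XML namespace on the elements are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two-role setup from this page, trimmed, with the webUser <security-role> omitted.
SAMPLE_WEB_XML = """<web-app>
 <security-constraint>
  <web-resource-collection>
   <url-pattern>/dba.uix</url-pattern>
   <url-pattern>/dba/dynamic</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>webDba</role-name></auth-constraint>
  <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><url-pattern>*</url-pattern></web-resource-collection>
  <auth-constraint>
   <role-name>webUser</role-name>
   <role-name>webDba</role-name>
  </auth-constraint>
  <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
 </security-constraint>
 <security-role><role-name>webDba</role-name></security-role>
</web-app>"""

def audit(web_xml):
    """Return (pattern -> allowed roles, roles lacking a <security-role>, patterns with guarantee NONE)."""
    root = ET.fromstring(web_xml)
    declared = {r.findtext("role-name", "").strip() for r in root.iter("security-role")}
    access, cleartext, used = {}, [], set()
    for sc in root.iter("security-constraint"):
        roles = sorted(r.text.strip() for r in sc.findall("auth-constraint/role-name"))
        # A missing <user-data-constraint> is treated the same as an explicit NONE.
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip()
        used.update(roles)
        for pat in sc.findall("web-resource-collection/url-pattern"):
            access[pat.text.strip()] = roles
            if guarantee == "NONE":
                cleartext.append(pat.text.strip())
    return access, sorted(used - declared), cleartext

if __name__ == "__main__":
    access, undeclared, cleartext = audit(SAMPLE_WEB_XML)
    for pattern, roles in access.items():
        print(f"{pattern:15} {', '.join(roles)}")
    print("roles missing a <security-role>:", undeclared or "none")
    print("patterns with transport-guarantee NONE:", cleartext)
```

With basic authentication, a transport guarantee of NONE means the username and password cross the network base64-encoded rather than encrypted; CONFIDENTIAL is the servlet descriptor value that requires an encrypted transport.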

Some Handy Commands

Just to add to this topic, I thought I'd add a few extra commands, to save you some typing, that you might need while setting all this up.

To stop iSQL*Plus:

%ORACLE_HOME%\bin\isqlplusctl stop

To start iSQL*Plus:

%ORACLE_HOME%\bin\isqlplusctl start

To remove the user plususer using JAZN:

%JAVA_HOME%\bin\java -Djava.security.properties=%ORACLE_HOME%\oc4j\j2ee\home\config\jazn.security.props -jar %ORACLE_HOME%\oc4j\j2ee\home\jazn.jar -user "iSQL*Plus DBA/admin" -password welcome -remuser "iSQL*Plus DBA" plususer

To list the users using JAZN:

%JAVA_HOME%\bin\java -Djava.security.properties=%ORACLE_HOME%\oc4j\j2ee\home\config\jazn.security.props -jar %ORACLE_HOME%\oc4j\j2ee\home\jazn.jar -user "iSQL*Plus DBA/admin" -password welcome -listusers

To list the realms using JAZN:

%JAVA_HOME%\bin\java -Djava.security.properties=%ORACLE_HOME%\oc4j\j2ee\home\config\jazn.security.props -jar %ORACLE_HOME%\oc4j\j2ee\home\jazn.jar -user "iSQL*Plus DBA/admin" -password welcome -listrealms

To create the user plusdba in the "iSQL*Plus DBA" realm using JAZN:

%JAVA_HOME%\bin\java -Djava.security.properties=%ORACLE_HOME%\oc4j\j2ee\home\config\jazn.security.props -jar %ORACLE_HOME%\oc4j\j2ee\home\jazn.jar -user "iSQL*Plus DBA/admin" -password welcome -adduser "iSQL*Plus DBA" plusdba plusdba

To grant the role webDba to the plusdba user using JAZN:

%JAVA_HOME%\bin\java -Djava.security.properties=%ORACLE_HOME%\oc4j\j2ee\home\config\jazn.security.props -jar %ORACLE_HOME%\oc4j\j2ee\home\jazn.jar -user "iSQL*Plus DBA/admin" -password welcome -grantrole webDba "iSQL*Plus DBA" plusdba

To grant the role webUser to the plusdba user using JAZN:

%JAVA_HOME%\bin\java -Djava.security.properties=%ORACLE_HOME%\oc4j\j2ee\home\config\jazn.security.props -jar %ORACLE_HOME%\oc4j\j2ee\home\jazn.jar -user "iSQL*Plus DBA/admin" -password welcome -grantrole webUser "iSQL*Plus DBA" plusdba

Comments:

Thanks for the hint about closing JAZN...that was becoming quite frustrating! Everything is working now. Thanks again!

Posted by Greg H. on September 12, 2006 at 05:00 PM DDUT #

It took me a while to work out why my updates weren't working as well. It seems exiting JAZN commits the changes. A small issue that can cause a lot of frustration.

Posted by Alison Holloway on September 12, 2006 at 05:15 PM DDUT #
