Introduction to WebLogic Enterprise Security
This document summarizes the features of the BEA WebLogic® Enterprise Security™ products (version 4.2, Service Pack 2) and presents an overview of the architecture and capabilities of the security services. It provides a starting point for understanding the family of BEA WebLogic Enterprise Security products and security infrastructure.
This chapter covers the following topics:
This document is intended for all users of the BEA WebLogic Enterprise Security product family, including:
The BEA WebLogic Enterprise Security products incorporate many terms and concepts that are defined in the glossary. BEA recommends that you review the terminology to become familiar with the various terms and concepts.
As the world's leading application infrastructure company, BEA supplies a complete platform for building, integrating, and extending J2EE applications to provide business solutions. Companies select the BEA WebLogic Enterprise Platform as their underlying software foundation to decrease the cost of information technology, leverage current and future assets, and improve productivity and responsiveness.
Now, BEA is extending its Application Security Infrastructure by offering the BEA WebLogic Enterprise Security product line, a family of security solutions that provides enhanced application security and includes policy-based delegated administration, authentication with single sign-on, consolidated auditing, and dynamic-role and policy-based authorization with delegation.
BEA WebLogic Enterprise Security products are designed with an open and flexible standards-based framework that enforces security through a set of services. Resources and applications are protected by configuring and managing these services to meet the specific requirements of your business.
The BEA WebLogic Enterprise Security product family provides an application security infrastructure consisting of an Administrative Application and a family of Security Service Modules for heterogeneous distributed environments. This infrastructure allows you to remove security technology and hard-coded policies from the application business logic. The security policy is no longer embedded in the application and the developer is no longer responsible for enforcing security policies through the application.
Using a distributed computing architecture, BEA WebLogic Enterprise Security products provide an enterprise-wide application security solution. The BEA WebLogic Enterprise Security product family is the only enterprise-wide application security infrastructure solution on the market.
The Administration Application allows you to centrally manage and distribute security configuration and policy as shown in Figure 1-1. In addition to the Administration Application, the Business Logic Manager (BLM) API is provided. This API supports the management of security policy (users, groups, roles, resources, resource authorization policies, and policy distribution), but it does not support security configuration distribution. When a security configuration and/or policy is changed, you must use the Administration Application to distribute it so that it takes effect throughout the enterprise, across multiple application execution environments. An open standards-based design allows customers, integrators and vendors to develop and incorporate their own custom security services. In addition, common security functions can be leveraged by applications throughout the enterprise.
Figure 1-1 Typical Application Execution Environment
The key features of the BEA WebLogic Enterprise Security product family include:
With the rush to build web-based applications and market services over the Internet, many developers had little comprehension of the security issues they would soon confront. Managing security is a huge challenge for any information technology organization that is providing new and expanded services to its employees, customers, and partners through both web-based and legacy applications. The advent of the Internet made protecting information and applications increasingly difficult to manage, monitor, and maintain. Financial transactions (ATM machines, bank transfers, credit card purchases and payments, stock market transactions), personal medical information (implementation of new Health Insurance Portability and Accountability Act or HIPAA regulations), and Federal government facilities (Homeland Security affecting both military and civilian) provide only a few examples of areas where the concern for security has become essential and sometimes mandated by law.
Most applications require some form of security. As the complexity and volume of users and resources increase, and as business requirements continue to change rapidly, the need for more stringent and robust security technologies becomes evident. To serve a worldwide network of users, an information technology organization must address the fundamental issues of maintaining the confidentiality, integrity and availability of the system and its data, providing the right information, to the right person, at the right time, across a diverse enterprise.
Because these applications often comprise a number of different components that may or may not reside on the same server or even in the same domain, policy management becomes extremely difficult and ensuring enterprise or regulatory compliance can prove impossible.
Figure 1-2 Application Execution Environment
A typical application execution environment is multi-tiered as shown in Figure 1-3 and may be distributed (vertically or horizontally) between multiple machines running on different operating system platforms. In this case, you must protect each tier or application component. The type of security policy and technology for each one may be different and you need to be able to enforce security at each layer.
Figure 1-3 Multi-tiered Application Execution Environment
To address the multitude of potential breaches of security associated with multi-tiered environments, companies have had to purchase and integrate a variety of different and custom security technologies from a host of different vendors:
Integration of security technologies requires the application developer to embed these technologies and hard-code both integrated and unified security policy requirements within each application. Thus, as the number of applications increases, the expenses associated with application development and maintenance also increase. As a best practice, the application developer should not be responsible for developing, implementing, and managing security policy.
Early authorization implementations used static and inflexible approaches to define the different types of access granted or denied for a user. Because this type of implementation is extremely time-consuming (if only due to the number of users and the different types of user storage methods in use), it has become impractical for many implementations. Further, the cost of maintaining static first-generation security services can be exorbitant.
BEA has developed an Application Security Infrastructure that can be external to and isolated from the application itself. Using a services-oriented policy-based architecture, you can replace the integrated security silo technologies and hard-coded policies. Figure 1-4 illustrates how a basic application execution environment can be protected using an integrated approach. Each component in the application requires protection, although the type of security typically varies.
A typical information technology environment consists of various types of servers (HTML, proxy, BEA WebLogic, Legacy, J2EE, and application) that access numerous LDAP and database servers containing information such as your user community (name, address, etc.). While the WebLogic platform servers provide application-level security for J2EE components, J2EE-based web services, portal and portlets (EJB, JSP/Servlet, JNDI, JDBC, JMS, MBeans), BEA WebLogic Enterprise Security provides application security for additional platforms and web servers.
Figure 1-4 Integrated Application Security
The open flexible architecture of the BEA WebLogic Enterprise Security products provides advantages to all levels of users and introduces an advanced design for securing your applications. With distributed computing, applications must be integrated across the network, as shown in Figure 1-5. BEA WebLogic Enterprise Security provides a distributed enterprise security solution that, together with clear and well-documented policies and procedures, can ensure the confidentiality, integrity and availability of its applications and data.
Applications across the enterprise are built on a heterogeneous infrastructure with diverse resources. With an application security infrastructure as shown in Figure 1-5, the BEA WebLogic Enterprise Security products support a fully distributed architecture, integrating all applications across the network.
Figure 1-5 Distributed Computing Security Infrastructure Vision
The BEA WebLogic Enterprise Security products provide a variety of services that use the WebLogic security framework, including enhanced policy-based authorization with role mapping, authentication with support for single sign-on and credential mapping, and customizable auditing features. A services-oriented strategy to application security infrastructure improves efficiency and strengthens security by providing a unified and consistent approach across the enterprise. BEA delivers security services that allow third-party security technologies to be exposed as reusable services, to further reduce integration time and costs, promote choice, and ensure investment protection.
The type of security services you implement depends on the type of the application component you want to protect. A set of security providers delivered with each Security Service Module provides the ability to configure and enforce each security service, using the Administration Console described in Security Administration.
The security services seek to provide ease of use, manageability for end users and administrators, and customizability for application developers and security developers. Administrators who configure and deploy applications can use the security providers included with the product that support most standard security functions or can create custom security providers. The product environments supported include WebLogic Server Version 8.1, Internet Information Services (IIS) and Apache Web Servers, web services, and Java applications. BEA WebLogic Enterprise Security will expand this family of Security Service Modules in subsequent releases.
Supports BEA WebLogic Server, Version 8.1 and enhances the existing security services in the application server, providing customizable auditing, multi-domain standards-based single sign-on, database and Microsoft Windows NT authentication, database credential mapping, and expanded policy expression capabilities for authorization and role assignments.
Supports the IIS Web Server. After installation, the security service module (SSM) binds with the web server through the web server application programming interface (ISAPI) so that the SSM can be used to protect web server application resources.
Supports the Apache Web Server. After installation, the SSM binds with the web server through the web server filter so that the SSM can be used to protect web server application resources.
Supports web servers. After installation, the SSM security services can be accessed by a web server through the Web Services application programming interface and used to protect web server application resources.
An application programming interface (API) that allows security developers to develop environment interfaces or even integrate an application security infrastructure into an application. These interfaces support the most commonly required security functions and are organized into services that are logically grouped by functionality.
Each Security Service Module is delivered with a full set of security providers. Table 1-1 lists the types of providers that are available for configuration.
The modular BEA WebLogic Enterprise Security service architecture provides specific benefits for:
Because most security for web applications and EJBs can be implemented by a system administrator, application developers do not need to be concerned about the details of securing the application, unless there are special considerations that must be addressed explicitly in the code. Security developers can also take advantage of BEA-supplied Application Programming Interfaces (APIs). These APIs are found in the weblogic.security package as described in Javadocs for WebLogic Security Providers.
Administrators can use the security providers supplied as part of the product to implement an integrated solution. Administrators can use the Administration Application to define security roles and assign security policies to resources to create an authorization scheme that suits the needs of their business. In addition, the administrator can modify, test, and deploy the security policy quickly and efficiently.
Third-party providers are integrating their products by using the Security Service Provider Interfaces (SSPI). As the underlying integration mechanism for security providers, the SSPI allows development of custom security providers. The SSPIs are available for Adjudication, Auditing, Authentication, Authorization, Credential Mapping, Identity Assertion, and Role Mapping. For information on the SSPIs, see Javadocs for Security Service Provider Interfaces.
This architecture allows security developers to provide integrated solutions that are easy to use. The result is a reduction in development requirements, which means an increased return on investment when implementing an enterprise security management solution. And, custom security services developed for WebLogic Platform 8.1 are compatible with the BEA WebLogic Enterprise Security services.
A dynamic role-based policy architecture eliminates the need for application developers to design and implement business policy and embed it within each and every instance of an application. More efficient security policy administration enables an organization to adapt quickly to dynamic business processes as security policies are designed, tested, deployed, and distributed quickly by security administrators with no coding required.
Delegated administration allows for centralized control and delegated labor, enabling administrators more familiar with the needs of a particular user constituency to implement business policy.
It also allows the implementation of policies across a much larger, more complex, user community with standard security policy (for example, consisting of employees, business partners, customers). If a change to a policy is required, it can be distributed throughout the enterprise and take effect whenever desired. With BEA WebLogic Enterprise Security products, if your application is already written to use some form of authentication or authorization schema, and the schema changes, no changes are required within the application.
BEA WebLogic Enterprise Security products adhere to the following standards.