Integrating ALES with Application Environments
This chapter provides information about ALES built-in support for integration with specific environments.
ALES provides a number of built-in solutions for integration with the following environments:
Before an SSM can be integrated with a server, an SSM configuration that specifies the security providers must be created, and that configuration must be bound to the SCM running on the same machine.
As shown in Figure 4-1, installation of ALES creates a default SCM configuration named adminconfig that contains an SSM configuration and the security providers used by the Administration Server itself.
If the SSM instance will be located on the same machine, you can use that SCM and create an SSM configuration under it. If it is on a separate machine, you must create a new SCM. For step-by-step instructions on managing SCM and SSM configurations, see the Management Console help system.
To create an SSM configuration:
Create a new Security Service Module Configuration in the right page.
The security providers needed depend on the requirements of the application. This section describes the providers included with ALES 2.1. For specific uses of providers with the Web Server SSM, see Security Providers on page 4-9. For step-by-step instructions on managing providers, see the Management Console help system.
Supports web server authentication and single sign-on between web server SSMs. Use this provider in conjunction with the ALES Credential Mapper.
Authenticates users using the ALES relational database provider.
Supports identity assertion using HTTP authentication tokens from the SPNEGO protocol. For more information, see Enabling SPNEGO-based Single Sign-on.
Accepts SAML assertions sent using the Browser POST Profile and returns the corresponding user. For more information, see Enabling SAML-based Single Sign-On.
Supports identity assertion through an X.509 digital certificate, supporting ASN.1 encoding and decoding.
Table 4-3 describes Authorization providers.
Authorizes access to resources based on WebLogic security policy.
Authorizes access to resources based on ALES security policy.
Table 4-4 describes Credential Mapping providers.
Returns authentication credentials for a user (username and password) from a database.
Returns a SAML assertion for an authenticated user. For more information, see Enabling SAML-based Single Sign-On.
Supports web server authentication and single sign-on between web server SSMs. Returns an ALES assertion for an authenticated user.
Returns authentication credentials for a user (username and password) from the WebLogic LDAP directory.
Table 4-5 describes Role Mapping providers.
This section covers Web Server SSMs in the following sections:
An ALES Web Server SSM provides the environmental bindings between ALES and a web server. It can provide six distinct services: Registry, Authentication, Authorization, Auditing, Role Mapping, and Credential Mapping.
Figure 4-2 Web Server SSM Components
A Web Server SSM makes access decisions for the web server to which it is bound. The security configuration on which the access control decisions are based is defined and deployed by the Administration Server via the Security Control Module.
A Web Server SSM can be tailored to specific needs. Using templates provided as part of the product, security developers can customize the look and feel of authentication pages and configure parameters that allow fine tuning for a particular installation. Web applications can have information added to the HTTP request by the security framework, such as roles and response attributes.
ALES provides three Web Server SSMs: the IIS Web Server SSM, the Apache Web Server SSM, and the Web Services SSM (see Figure 4-3).
Figure 4-3 Web Server SSM Components
The environmental binding is used to bind to and interact with web servers. Binding a web server SSM to the server projects the ALES subsystem into the web server environment. The SSM accepts HTTPS requests from the web server and presents them to the ALES security framework.
Bindings are provided for two types of web servers: ASF Apache and Microsoft IIS. The second function is ultimately for enforcing access control and providing a means of implementing the SAML Browser/POST profile.
Additionally, the Web Server SSM implements the server-side includes (SSIs) that process SAML Browser/POST profile.
The Web Services Security Service APIs enable access to the ALES security framework. These APIs provide the following security services:
Note: The following topics provide a very brief description of these APIs. For more information, see Programming Security for Web Services.
There are two variations of authentication, JAAS-based and identity assertion. JAAS-based authentication collects evidence (credentials) from a user in order to establish user identity.
Note: For more information on JAAS, see Java Authentication and Authorization Service (JAAS) on the Web at http://java.sun.com/products/jaas/.
Identity assertion authentication consumes a trusted token object to establish identity. The Web Services SSM supports both types of authentication.
Note: The Web Services SSM does not support custom callback types.
In addition to providing a simple permit or deny decision on a URL, the authorization service can also return attributes into the request, as determined by the access control policy in effect. Because adding code to the application to handle these attributes would create undue coupling between the application and the security infrastructure, the SSM instead inserts the returned attributes into the HTTP request header. Depending upon the technology used (ASP, CGI, ISAPI), the application can extract and use these headers.
The auditing service audits all transactions through the security subsystem. Every URL accessed is sent through the auditing infrastructure.
Although roles are primarily used in authorization, some applications may wish to have access to the roles to which a user is mapped for the purposes of role-based personalization. In order to provide this information to the running applications, the Web Services SSM adds a list of roles to the HTTP request header. Depending upon the technology used (ASP, CGI, ISAPI), the application can extract this list of roles from the header and use it.
The credential service returns sensitive credentials to an application so that the application can use systems that require a secondary (or tertiary) layer of authentication. The Web Services SSM extracts mapped credentials from the security system and makes them available in the HTTP header for use by the application. Depending upon the technology used (ASP, CGI, ISAPI), the application can extract the credential headers and use them to authenticate to other back-end systems.
Installing an SSM deploys a JAR file that contains all ALES security providers. However, before any of the security providers can be used, you must use the Administration Console to configure them. You have the option of configuring either the security providers that ship with the product or custom security providers, which you may develop yourself or purchase from third-party security vendors.
Note: To use security providers with the SSM, you must deploy the security provider MBean JAR file (MJF) to the providers directory on both the machine on which you install the SSM and on the machine on which you install the Administration Console.
The Web Server SSMs use the following security providers:
For more information on security providers, see SSM Security Providers on page 4-3. For more information on how to develop custom security providers, see Developing Security Providers for BEA AquaLogic Enterprise Security.
This section describes the Web Server SSM features in the following sections:
This section covers the following topics:
Web single sign-on enables users to log on to one web server and gain access to other web servers in the same domain without supplying login credentials again, even if the other web servers have different authentication schemes or requirements. Figure 4-4 shows the basic components of a web single sign-on service.
While web single sign-on facilitates access and ease of use, it does not improve security. In fact, security requirements should be considered when implementing a web single sign-on solution.
The Web Server SSM supports the following single sign-on (SSO) use cases.
Figure 4-5 Web Server SSM to Web Server SSM Single Sign-On
Figure 4-6 Web Server SSM to WebLogic Server SSM Single Sign-On
The Web Server and WebLogic Server 8.1 SSMs support single sign-on using the ALES Identity Assertion provider. For instructions on how to implement Single Sign-On, see "Configuring Web Single Sign-on with ALES Identity Assertion" in Installing the Web Server and Web Services Security Service Modules.
The authentication service supports the following features:
Note: If a new callback type is encountered during authentication, the Web Server SSM ignores it.
The authorization service supports the following features:
... and decodes URL encoding. The resource is presented as the path element of a URL and the file or application name. For example, http://www.bea.com/framework.jsp?CNT=index.htm&FP=/products/aqualogic/ is presented as /framework.jsp. The query arguments CNT and FP and their associated values are made available in the application context.
An isAuthenticationRequired() method to check whether a resource is protected by a security system. This feature is important because you may want to leave some web server resources unprotected.
The auditing service has the following capabilities:
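As an added example (not code from the ALES product or this guide), the following Python models the authorization service's resource handling described above: the URL path is percent-decoded and normalized before it is matched against policy, the query arguments are placed in the application context, and a small analogue of isAuthenticationRequired() decides whether a resource is protected. The PROTECTED_PREFIXES policy and the "." / ".." collapsing are assumptions for illustration.

```python
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample policy: resource path prefixes that require authentication.
# Real ALES policy is written in the Administration Console; this list stands in for it.
PROTECTED_PREFIXES = ("/framework.jsp", "/admin/")


def resource_from_url(url):
    """Return (resource_path, context) for a request URL.

    Percent-encoding is decoded, the resource is the URL path element (file or
    application name), and the query arguments go to the application context
    rather than to the policy match.
    """
    parts = urlsplit(url)
    # Decode exactly once, before matching. Matching the raw path would let an
    # encoded spelling such as /%66ramework.jsp miss a rule for /framework.jsp.
    path = unquote(parts.path)
    # Assumption: collapse "." and ".." segments so a rule on /framework.jsp also
    # covers /docs/../framework.jsp; posixpath.normpath never climbs above "/".
    path = posixpath.normpath(path or "/")
    if not path.startswith("/"):
        path = "/" + path
    # Query arguments (CNT, FP, ...) go into the application context. Single
    # values are unwrapped; repeated keys stay as a list.
    context = {
        key: values[0] if len(values) == 1 else values
        for key, values in parse_qs(parts.query, keep_blank_values=True).items()
    }
    return path, context


def is_authentication_required(resource_path, protected=PROTECTED_PREFIXES):
    """Analogue of isAuthenticationRequired(): True when the resource falls
    under a protected prefix, False for resources deliberately left open."""
    return any(
        resource_path == prefix.rstrip("/") or resource_path.startswith(prefix)
        for prefix in protected
    )


if __name__ == "__main__":
    url = "http://www.bea.com/framework.jsp?CNT=index.htm&FP=/products/aqualogic/"
    path, context = resource_from_url(url)
    print(path, context, is_authentication_required(path))
```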
The role mapping service supports hard-coded roles in applications. Generally hard-coding behavior into an application based on roles is not recommended. It is possible, however, that some customers may need to replace an existing system that uses this mechanism or may want to use roles for user interface personalization. Support for this feature requires that a list of mapped roles available from a security provider for a particular request be provided in a usable form by applications running within the web server.
Note: It is important to note that roles are not global in ALES but can change depending upon the resource and various elements of the context.
ALES defines two types of credential objects: username/password credentials and generic credentials; however, there is no limitation as to the format of objects that can be used. Credentials can be "mapped" and associated with a resource and identity or an alias.
The credential mapping service has the following features:
Administering the security configuration involves writing policies for users, groups, roles, and the web application resources that the SSM protects. The Web Server SSM has the following features:
To manage session behavior, the Web Server SSM supports the following capabilities:
The web server is configured to use the filter component of the Web Server SSM. Local configuration of the web server should only be necessary once and should be static. The Web Server SSM has the following configuration capabilities:
The Web Server SSM has the following constraints and limitations:
This section provides an overview of integration tasks. Integration tasks center on managing SSM configurations (including the security providers) and configuring the web server to use the web filters. For step-by-step instructions, see the Installing Web Server and Web Services Security Service Modules.
The major tasks performed are:
For detailed instructions on setting up Web Server SSM instances, see the Installing Web Server and Web Services Security Service Modules.
During the instance creation process, the default.properties configuration file is created. This file contains the connection information for the ALES services.
This section describes how the IIS and Apache SSMs bind to the web server.
To load the web server SSM into IIS:
To load the web server SSM into Apache HTTP server:
This section provides an overview of the integration tasks required for using the WebLogic Server SSM. For step-by-step instructions, see Installing WebLogic Server v8.1 Security Service Module. That guide provides specific steps for integration tasks associated with WebLogic Server, WebLogic Portal, and AquaLogic Data Services.
The WebLogic Server SSM basically provides a means of replacing WebLogic Server's security framework with ALES.
Warning: The WebLogic security framework controls access to its own administration console as well as to the applications it hosts. When replacing this framework with ALES, you must configure ALES to secure the server's administration console when the WebLogic Server SSM is deployed. If this is not done, the WebLogic administration console will not be accessible.
//asi/console tree using the Clone function.
For detailed instructions on setting up SSM instances, see the SSM installation guides.
During the instance creation process, the default.properties configuration file is created for the web server SSM. This file contains the connection information for the ALES services.
For instructions, see Installing the WebLogic Server v8.1 Security Service Module.