This book is designed for security and application developers who want to write their own security providers for use with BEA AquaLogic Enterprise Security. It is assumed that those using this document are application developers who have a solid understanding of security concepts, and that no basic security concepts require explanation. It is also assumed that security and application developers are familiar with BEA AquaLogic Enterprise Security and with Java programming.
Prerequisites for This Document
Prior to reading this guide, you should read the Introduction to BEA AquaLogic Enterprise Security. This document describes how the product works and provides conceptual information that is helpful to understanding the necessary installation components.
Additionally, BEA AquaLogic Enterprise Security includes many unique terms and concepts that you need to understand. These terms and concepts—which you will encounter throughout the documentation—are defined in the Glossary.
Documentation Audience
This document is intended for the following audiences:
Application Developers—Developers who are Java programmers who focus on developing Java applications, incorporating security into Java applications and Enterprise JavaBeans (EJBs), and who work with other engineering, quality assurance (QA), and database teams to implement security features. Application Developers have in-depth working knowledge of Java (including J2EE components such as servlets/JSPs and JSEE).
Security Architects—Individuals who are responsible for designing and implementing the overall security architecture for their organization, evaluating BEA AquaLogic Enterprise Security features, and determining how to best implement policies. Security Architects have in-depth knowledge of Java programming, Java security, and network security, as well as knowledge of security systems and leading-edge security technologies and tools.
Security Developers—Developers (including third-party developers) who focus on defining the system architecture and infrastructure for security products and who develop custom security providers for use with BEA AquaLogic Enterprise Security services. Security Developers work with Security Architects to ensure that the architecture is implemented according to design specifications and that it does not introduce any security holes. Security Developers also work with administrators to ensure that security is properly configured. Security Developers have a solid understanding of certain concepts, including authentication, authorization, and auditing, and an in-depth knowledge of Java and security provider functionality.
Guide to this Document
This document provides application developers with the information needed to develop custom security providers for use with BEA AquaLogic Enterprise Security™ Security Service Modules. This document is organized as follows:
Introduction to Developing Security Providers, which prepares you to learn more about developing security providers for use with AquaLogic Enterprise Security. It specifies the audience and prerequisites for this guide, and provides an overview of the development process.
Security Provider Concepts, which explains the concepts that you must understand to be able to develop custom security providers. This topic also includes a discussion about JAAS LoginModules.
Design Considerations, describes the capabilities of the security providers shipped with BEA AquaLogic Enterprise Security and the general architecture of a security provider, and provides background information about implementing Security Services Provider Interfaces (SSPIs) and generating MBean types. This section also suggests ways your custom security providers might work with databases that contain information security providers require.
The BEA corporate web site provides all documentation for BEA AquaLogic Enterprise Security. Other BEA AquaLogic Enterprise Security documents that may be of interest to the reader include:
Introduction to AquaLogic Enterprise Security—This document summarizes the features of the BEA AquaLogic® Enterprise Security products and presents an overview of the architecture and capabilities of the security services. It provides a starting point for understanding the family of BEA AquaLogic Enterprise Security products.
Javadocs for Security Service Provider Interfaces—This document provides reference documentation for the Security Service Provider Interfaces that are provided with and supported by this release of BEA AquaLogic Enterprise Security.
Policy Managers Guide—This document defines the policy model used by BEA AquaLogic Enterprise Security, and describes how to import and export policy data.
Javadocs for BLM API—This document provides reference documentation for the Business Logic Manager (BLM) Application Programming Interfaces that are provided with and supported by this release of BEA AquaLogic Enterprise Security. This API can be used to write, manage, and distribute access control policy (users, groups, roles, resources, and authorization and role mapping policies).
Programming Security for Java Applications—This document describes how to implement security in Java applications. It includes descriptions of the Security Service Application Programming Interfaces and programming instructions.
Javadocs for Java API—This document provides reference documentation for the Java Application Programming Interfaces that are provided with and supported by this release of BEA AquaLogic Enterprise Security.
Programming Security for Web Services—This document describes how to implement security in web servers using the Web Services Security Service Module. It includes descriptions of the Web Services Application Programming Interfaces.
Wslddocs for Web Services API—This document provides reference documentation for the Web Services Security Service Module Application Programming Interfaces that are provided with and supported by this release of BEA AquaLogic Enterprise Security.