This book is designed for security and application developers who want to write their own security providers for use with BEA AquaLogic Enterprise Security. It is assumed that those using this document are application developers who have a solid understanding of security concepts, and that no basic security concepts require explanation. It is also assumed that security and application developers are familiar with BEA AquaLogic Enterprise Security and with Java programming.
Prerequisites for This Document
Prior to reading this guide, you should read the Introduction to BEA AquaLogic Enterprise Security. That document describes how the product works and provides conceptual information that is helpful to understanding the necessary installation components.
Additionally, BEA AquaLogic Enterprise Security includes many unique terms and concepts that you need to understand. These terms and concepts—which you will encounter throughout the documentation—are defined in the Glossary.
Documentation Audience
This document is intended for the following audiences:
Application Developers—Developers who are Java programmers who focus on developing Java applications, incorporating security into Java applications and Enterprise JavaBeans (EJBs), and who work with other engineering, quality assurance (QA), and database teams to implement security features. Application Developers have in-depth working knowledge of Java (including J2EE components such as servlets/JSPs and JSEE).
Security Architects—Individuals who are responsible for designing and implementing the overall security architecture for their organization, evaluating BEA AquaLogic Enterprise Security features, and determining how to best implement policies. Security Architects have in-depth knowledge of Java programming, Java security, and network security, as well as knowledge of security systems and leading-edge security technologies and tools.
Security Developers—Developers (including third-party developers) who focus on defining the system architecture and infrastructure for security products and who develop custom security providers for use with BEA AquaLogic Enterprise Security services. Security Developers work with Security Architects to ensure that the architecture is implemented according to design specifications and that it does not introduce any security holes. Security Developers also work with administrators to ensure that security is properly configured. Security Developers have a solid understanding of certain concepts, including authentication, authorization, and auditing, and an in-depth knowledge of Java and security provider functionality.
Guide to this Document
This document provides application developers with the information needed to develop custom security providers for use with BEA AquaLogic Enterprise Security™ Security Service Modules. This document is organized as follows:
Security Provider Concepts explains the concepts that you must understand to be able to develop custom security providers. This topic also includes a discussion about JAAS Login Modules.
Design Considerations provides background information about implementing Security Services Provider Interfaces (SSPIs) and generating MBean types.
Javadocs for BLM API—This document provides reference documentation for the Business Logic Manager (BLM) Application Programming Interfaces. This API can be used to write, manage, and distribute access control policy (users, groups, roles, resources, and authorization and role mapping policies).
Programming Security for Java Applications—Describes how to implement security in Java applications. It includes descriptions of the Security Service Application Programming Interfaces and programming instructions.
Java API—Provides Javadoc documentation for the ALES Java Application Programming Interfaces.
Programming Security for Web Services—Describes how to implement security in web servers using the Web Services SSM. It includes descriptions of the Web Services API.
Web Services API—WSDL-generated documentation for the Web Services SSM interface.