Sun ONE Identity Server Policy Agent Guide
The Sun ONE Identity Server Policy Agent enables application servers to enforce authentication and authorization using Sun ONE Identity Server services, thereby securing client access to the hosted J2EE applications and enforcing the J2EE security policies declared in each deployed application's deployment descriptors.
This chapter provides a brief overview of the Sun ONE Identity Server Policy Agent for Application Server, as well as some concepts you will need to understand before proceeding with the installation program.
Topics include:
- Uses of Policy Agent for Application Server
- Supported Servers
Uses of Policy Agent for Application Server
The Sun ONE Identity Server Policy Agent for Application Server may be installed to protect a variety of hosted J2EE applications, each of which may require a different set of security policies. The J2EE security infrastructure provides declarative as well as programmatic security; both are platform independent and are supported by all compliant J2EE application servers. For details on how to use the J2EE platform's declarative and programmatic security, refer to the J2EE documentation at http://java.sun.com/j2ee.
The Agent maps the abstract security roles of protected J2EE applications to Sun ONE Identity Server principals (role-to-principal mapping). Thus at runtime, when a J2EE policy is evaluated, it is evaluated against the user and role information held in Sun ONE Identity Server. Using this functionality, administrators can configure their hosted J2EE applications to be protected by the Agent, which supplies the authentication and authorization behind those roles as well as other key features such as single sign-on.
Examples
A Commerce Application
A commerce application may have a variety of specialized Enterprise JavaBeans components that offer a spectrum of services to the clients. For instance, there could be a specialized component that provides the ability to create purchase orders. Similarly, there could be a specialized component that provides the ability to approve a purchase order. While such components provide the basic business services for the application to function, the very nature of tasks that they accomplish require a security policy to enforce appropriate use of such services.
Using the deployment descriptors, the application vendor or developer expresses intent by protecting such components with abstract security role names. For example, a role called "Buyer" could protect the component that creates a purchase order, and a role called "Approver" could protect the component that approves a purchase order. While these roles convey the vendor's or developer's intent to enforce such security policies, they are not useful until the abstract role names are mapped to real principals, such as actual users or actual roles that reside in Identity Server.
The Agent enables the container to enforce this runtime linkage of abstract security roles to real principals. Once the Agent is installed and configured, the application's security roles can be mapped to real principals. For example, the role "Buyer" may be mapped to an Identity Server role called "Staff". Thus when a user "Arvind" tries to access the application's protected resources, the Agent will allow this access if and only if the actual user "Arvind" is a member of the mapped role "Staff".
An Intranet Employee Portal
An intranet employee portal may offer services such as payroll information and online benefits administration. While such services may be offered in a read-only manner to regular employees, administrators may have special privileges that allow them to update the associated data. For instance, there could be a specialized Enterprise JavaBeans component that provides two services: one for reading payroll information and the other for updating payroll information. Using the Agent to protect this application, it is possible to grant administrators the privileges necessary to update payroll information, while employees have read-only access.
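The following ejb-jar.xml assembly descriptor is an added example, not part of this guide and not code shipped with the Agent. It shows how the abstract roles from the commerce application ("Buyer", "Approver") and the payroll component of the intranet portal are declared and bound to EJB methods using standard J2EE 1.3 (EJB 2.0) declarative security. The bean names, Java class names and the roles "Employee" and "PayrollAdmin" are assumptions chosen for illustration; the role-to-principal mapping itself is done afterwards through the Agent's configuration, as described in the text, not in this file.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ejb-jar PUBLIC
  "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN"
  "http://java.sun.com/dtd/ejb-jar_2_0.dtd">
<!-- Added example: bean and class names below are hypothetical. -->
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>PurchaseOrderEJB</ejb-name>
      <home>com.example.po.PurchaseOrderHome</home>
      <remote>com.example.po.PurchaseOrder</remote>
      <ejb-class>com.example.po.PurchaseOrderBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
    </session>
    <session>
      <ejb-name>PayrollEJB</ejb-name>
      <home>com.example.hr.PayrollHome</home>
      <remote>com.example.hr.Payroll</remote>
      <ejb-class>com.example.hr.PayrollBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
    </session>
  </enterprise-beans>

  <assembly-descriptor>
    <!-- Abstract roles: names the assembler chose, not real users or groups. -->
    <security-role><role-name>Buyer</role-name></security-role>
    <security-role><role-name>Approver</role-name></security-role>
    <security-role><role-name>Employee</role-name></security-role>
    <security-role><role-name>PayrollAdmin</role-name></security-role>

    <!-- Commerce application: creating and approving are separate roles,
         so one principal cannot both raise and approve an order unless
         the deployer deliberately maps both roles to that principal. -->
    <method-permission>
      <role-name>Buyer</role-name>
      <method>
        <ejb-name>PurchaseOrderEJB</ejb-name>
        <method-name>createPurchaseOrder</method-name>
      </method>
    </method-permission>
    <method-permission>
      <role-name>Approver</role-name>
      <method>
        <ejb-name>PurchaseOrderEJB</ejb-name>
        <method-name>approvePurchaseOrder</method-name>
      </method>
    </method-permission>

    <!-- Intranet portal: read access for both roles, update for admins only. -->
    <method-permission>
      <role-name>Employee</role-name>
      <role-name>PayrollAdmin</role-name>
      <method>
        <ejb-name>PayrollEJB</ejb-name>
        <method-name>getPayrollInfo</method-name>
      </method>
    </method-permission>
    <method-permission>
      <role-name>PayrollAdmin</role-name>
      <method>
        <ejb-name>PayrollEJB</ejb-name>
        <method-name>updatePayrollInfo</method-name>
      </method>
    </method-permission>

    <!-- Methods that must never be callable by any client, regardless of role. -->
    <exclude-list>
      <method>
        <ejb-name>PayrollEJB</ejb-name>
        <method-name>recalculateAllSalaries</method-name>
      </method>
    </exclude-list>
  </assembly-descriptor>
</ejb-jar>
```

Two checks are worth making before deployment. First, every business method should appear in exactly one `method-permission` or in the `exclude-list`; a method listed in neither has no declarative policy, and what the container does with it is left to the deployer, so do not rely on it being denied. Second, after the Agent is configured, verify the mapping end to end by authenticating as a principal that is in the Identity Server role mapped to "Buyer" but not the one mapped to "Approver" and confirming that `approvePurchaseOrder` is refused.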
A Content-Based Web Application
A content-based web application can offer pay-per-view services. The application may be partitioned into two domains: the public domain, which is accessible to anonymous users, and the private domain, which is accessible only to subscribers of this particular service. Using the Agent, it is possible to enforce that only authenticated and authorized users may access the private domain of the application, while any user can access the public domain. The specific servlets and JSPs that provide application functionality are protected by the Agent by mapping the associated security roles to actual Identity Server principals.
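The web.xml fragment below is an added example, not part of this guide and not code shipped with the Agent. It shows the web-tier counterpart of the content application described above, using the standard Servlet 2.3 `security-constraint` element: everything under `/private/*` requires the abstract role "Subscriber", while `/public/*` carries no constraint and so remains open to anonymous users. The URL patterns, servlet names and the role name "Subscriber" are assumptions chosen for illustration; the Agent then maps "Subscriber" to an Identity Server role through its own configuration, which is described elsewhere in this guide rather than in this file.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC
  "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<!-- Added example: servlet and URL names below are hypothetical. -->
<web-app>
  <display-name>Pay-per-view content application</display-name>

  <servlet>
    <servlet-name>CatalogServlet</servlet-name>
    <servlet-class>com.example.content.CatalogServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>ViewerServlet</servlet-name>
    <servlet-class>com.example.content.ViewerServlet</servlet-class>
  </servlet>

  <!-- Public domain: no security-constraint covers /public/*, so any
       client, including anonymous ones, can reach the catalog. -->
  <servlet-mapping>
    <servlet-name>CatalogServlet</servlet-name>
    <url-pattern>/public/catalog</url-pattern>
  </servlet-mapping>

  <!-- Private domain: servlets and JSPs under /private/* are subscriber-only. -->
  <servlet-mapping>
    <servlet-name>ViewerServlet</servlet-name>
    <url-pattern>/private/view</url-pattern>
  </servlet-mapping>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Subscriber content</web-resource-name>
      <url-pattern>/private/*</url-pattern>
      <!-- No http-method elements on purpose: listing only GET and POST
           would leave HEAD, PUT, DELETE and other verbs unconstrained. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>Subscriber</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Require SSL for the paid content so the session cannot be sniffed. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Declare the abstract role the constraint refers to. -->
  <security-role>
    <role-name>Subscriber</role-name>
  </security-role>
</web-app>
```

A quick check after deployment: request `/private/view` without a session and confirm you are sent to authenticate rather than served content, then repeat the request with a HEAD method; if the second request succeeds while the first did not, an `http-method` restriction has crept into the constraint and should be removed.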
Supported Servers
Sun ONE Identity Server Policy Agent supports the following Application Servers:
- WebLogic 6.1 SP2 on Solaris 8, Windows 2000 Server and HP-UX 11 operating systems
- WebSphere 4.0.4 AE on Solaris 8
- Sun ONE Application Server 7.0 on Solaris 8, Solaris 9 and Windows 2000 Server