Webinar: Security and Architecture

Date: This event took place on April 09 2003

Questions and answers from this presentation:

Question: On your bullet # 4: What is being done in the industry to incorporate security into architecture at planning and design level?
Answer: We are seeing several trends that support the incorporation of security into architecture at a planning and design level:

  1. More and more security infrastructure is being provided by the application infrastructure platform providers as opposed to security providers with single point solutions.
  2. Rapid evolution of open security standards
  3. Industry analysts are increasingly focused on developing enterprise security architecture solution maps

Question: A "flat" role-based approach often doesn't match a hierarchical authorization needs. Is this mismatch being addressed?
Answer: Yes, by combining the use of groups and roles. Groups are being used to represent the organizational structure found in enterprises today. Most organizational structures contain hierarchical structure. Groups contain a collection of identities which can be comprised of users, business partners, and other groups. Normally in business, membership in a group does not directly provide its members a given set of capabilities. One reason for this is that identities, particularly users, are members of a number of different groups. Roles are used to represent the various business entities that normally occur in business. As it occurs in real business, it is roles that are used to denote the capabilities that are granted to an identity. The use of roles allows the virtual business entities, such as manager, to be more naturally modeled. Roles also provide a natural way to model classifications of identities. The process of granting one or more roles to an identity needs to be separated from the process of making authorization decisions. The role granting process is always one of dynamic decisions since the constraints under which an identity is granted a role need to change as business processes change to react to competitive forces or opportunity. This statement remains true even if a role is granted to a specified identity (e.g., grant George the Manager role). This is because the granting of the role may have additional conditions that must also be valid, such as day of the week. As a result of this combination, it is possible to handle the hierarchical requirements of various authorization models.

Question: We often struggle with what type of data is strictly too confidential to be downloadable on the Internet. However, re-use of our current e-Commerce web infrastructure for our external users often pushes us to doing this. We have implemented some solutions by providing an internal URL for highly confidential data and an external URL for all other data. Behind the scenes, these two URLs share the same infrastructure, but the external URL is limited to external users' data. Is this a common practice, or is this "too much" security?
Answer: A solid security infrastructure that includes strong authorization capabilities should allow you to use the same URL for all users. With this type of infrastructure, when a user attempts to access a resource, he/she is identified and authenticated. Based on constraints that you decide (user attributes, role, environmental variables such as whether they accessed from the external internet or the intranet, etc.), the authorization engine evaluates your policies to either grant or deny a user access to a specific resource.

Question: Service-based as distinct from firewall-based?
Answer: Yes. BEA's security framework is "service oriented" in that it is a component that all applications can utilize for security services (such as authentication, authorization, auditing, etc.). Additionally, one can integrate additional 3rd party services very easily using the open, extensible Service Provider Interfaces.

While perimeter based security, such as that of a firewall, is common in today's enterprises, it does limit the kind of authorization protection that can be offered to the application. Without certain amounts of context that are not available at the perimeter, it is not possible to perform certain types of authorization. In addition, protection exclusively at the perimeter, sometimes referred to as a "hard outer shell with a soft center", leaves the application vulnerable to attacks from internal users.

Question: Do you think a services oriented architecture can help in externalizing identity and policy management from applications?
Answer: Yes. We would view the externalization of identity and policy management from the applications as best practice.

Question: Where do we get information on "how" to apply these best practices on a Weblogic Application?
Answer: http://dev2dev.bea.com/index.jsp

Question: How will BEA help me with the id mgmt portion of the security equation?
Answer: Identity management is a broad topic, but here are some of the things BEA does to assist with this process:

  1. An open security framework that allows a customer to utilize any authentication method.
  2. Support for federated identity standards such as SAML
  3. An open framework that allows for integration to directories, meta-directories, and user provisioning solutions

Question: Externalizing enforcement of security policies and keeping this closer to the application logic - how do you resolve the apparent anomaly?
Answer: BEA has a unique architecture that allows for unified, externalized security administration and distributed runtime enforcement. This prevents any compromise in performance.

Question: What is an "uber" app?
Answer: A very large application

Question: The last 'Best Practice' bullet seems in conflict with the other best practices. The second and third bullet emphasize to externalize the security from the application itself, the last bullet highlights the need to keep the security context as close as possible to the business logic (application).
Answer: BEA has a unique architecture that allows for unified, externalized security administration and distributed runtime enforcement. This prevents any compromise in performance.

Question: Curious that LDAP doesn't appear in Standards taxonomy.
Answer: LDAP can certainly be a key component of identity and policy management. WLS supports integration to LDAP directories and in fact ships with a lightweight bundled LDAP directory.

Question: We have a trading application where different groups of users need to be allowed or disallowed from viewing trades that are owned by other groups. So for the same type of object (a trade), a user belonging to a given group has permission to view the trade depending on an attribute of each of the trade object instances themselves. Basic J2EE security doesn't support this granularity of access at the instance level. How does BEA address this kind of requirement?
Answer: J2EE doesn't specify the mechanisms that are required to protect these types of situations. BEA has always had a tradition of embracing J2EE standards but also providing extended capabilities to support the needs of its customers, even if it is beyond the capabilities of J2EE. As such, the authorization and role mapping capabilities provided in WebLogic server provide the capabilities necessary to support this and other situations.
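As an added illustration (not BEA's code or WebLogic's policy engine) of two points from these answers, the separation of group membership, role granting and authorization described in the earlier answer on hierarchical authorization, and the instance-level trade check asked about here. The group tree, the role rules and the trades are constructed for the example.

```python
"""Hypothetical policy logic: nested groups, conditionally granted roles, and an
instance-level authorization decision on a trade's own attribute."""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, FrozenSet, List, Set

# Constructed organizational structure: group -> direct members (users, partners or groups).
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "trading": {"fx-desk", "rates-desk"},
    "fx-desk": {"alice", "george"},
    "rates-desk": {"bob"},
    "partners": {"acme-corp"},
}


def effective_groups(identity: str) -> FrozenSet[str]:
    """Every group the identity belongs to, directly or through nested groups."""
    found: Set[str] = set()
    changed = True
    while changed:  # iterate to a fixed point over the group hierarchy
        changed = False
        for group, members in GROUP_MEMBERS.items():
            if group not in found and (identity in members or members & found):
                found.add(group)
                changed = True
    return frozenset(found)


@dataclass
class RequestContext:
    identity: str
    today: date
    from_intranet: bool


# A role-mapping rule grants the role when it holds for this request's context.
RoleRule = Callable[[RequestContext, FrozenSet[str]], bool]

ROLE_RULES: Dict[str, List[RoleRule]] = {
    # Anyone anywhere under the "trading" hierarchy is a Trader.
    "Trader": [lambda ctx, groups: "trading" in groups],
    # George is explicitly granted Manager, but only on weekdays and from the intranet.
    "Manager": [lambda ctx, groups: ctx.identity == "george"
                and ctx.today.weekday() < 5 and ctx.from_intranet],
}


def map_roles(ctx: RequestContext) -> FrozenSet[str]:
    """Role granting: evaluated dynamically per request, separate from authorization."""
    groups = effective_groups(ctx.identity)
    return frozenset(role for role, rules in ROLE_RULES.items()
                     if any(rule(ctx, groups) for rule in rules))


@dataclass
class Trade:
    trade_id: str
    owner_group: str


def may_view_trade(ctx: RequestContext, trade: Trade) -> bool:
    """Authorization: decided per trade instance from roles, groups and the trade's owner."""
    roles = map_roles(ctx)
    if "Manager" in roles:
        return True
    return "Trader" in roles and trade.owner_group in effective_groups(ctx.identity)
```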

Question: Is there a single sign on application or service embedded?
Answer: WLS can provide SSO within a single security domain. For multi-domain SSO or for SSO across non-BEA environments, BEA has security partners who are integrated to the WebLogic platform and can provide this type of functionality. They include Netegrity SiteMinder, RSA ClearTrust, etc. In the future, BEA plans support for the SAML standard which supports SSO in many instances.

Question: What is SPML? Security Policy Manipulation Language? Any examples?
Answer: Service Provisioning Markup Language. More information can be found at http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=provision

Question: Do you see widespread adoption of the XACML standard in the near future? I ask because it seems complex enough that the apps/devices probably won't adopt it for a while, maybe years.
Answer: Based on our involvement with standards groups and our partnerships with leading security vendors, we see great interest in the use of XACML as a means to import and export authorization and role mapping policies by a number of prominent companies. What we have not seen yet is anyone working on a stand-alone graphical tool for defining policy that can be represented in XACML. It is our expectation that a tool of this type will be created in the not too distant future.

Question: On Standards: How does LDAP relate to the Credential and AuthN Services; is RADIUS an Authentication Service that makes sense within the presented Taxonomy?
Answer: RADIUS is a security authentication protocol that was designed for dial-up environments. Because RADIUS is a protocol, it can use any number of different identity stores including LDAP.

Question: Will these slides be posted to the dev2dev web site?
Answer: Yes.

Question: In our J2EE application, we want to implement a security system that works with BEA and many other application servers. What standard we should use? We cannot depend completely on weblogic security, I guess.
Answer: There is currently no standard for a consistent and portable security infrastructure for J2EE. There have been some advances made recently with the use of JAAS for authentication and JACC (JSR115) for pluggable authorization. There has been mixed adoption of JAAS as a pluggable authentication mechanism for J2EE. Also noteworthy is the new JSR196 that is intended to address the need for a hook point where authentication products can be interposed in the request stream. This JSR would allow authentication products to "drive" the protocols to allow re-direction to authentication servers, as well as support for challenge/response protocols.

Question: How does this security architecture fit into your products such as WLI?
Answer: The basis of this security architecture was first introduced into the WebLogic Server 7.1 release. With the release of the v8.1 platform, all BEA platform products utilize the security framework.

Question: What is the relationship BEA maintains with Oblix?
Answer: BEA partners with Oblix for Web SSO.

Question: Which versions of WLS is this new security available?
Answer: Versions 7.0 and 8.1

Question: Can we hear about configuration management, and handling secure data like database passwords?
Answer: There are a number of pieces of configuration data that would be considered as security sensitive, such as passwords to databases. In WebLogic Server, each of these security sensitive pieces of data is encrypted using a shared secret. In addition, it is suggested that customers consider using Java Connection Architecture adapters configured for container managed authentication as a means of integration with legacy systems. Using the adapters in this configuration provides the benefit that neither the application nor the adapter requires the authentication credentials to be "hardcoded" into the source code. Instead, the Java Connection Architecture container utilizes the credential mapping service provided by the BEA security framework as a means to obtain the authentication credentials required for use with the legacy system.

Question: Is this security architecture stuff part of WebLogic 8.1 or is it already available in WebLogic 7.0?
Answer: It is available in both 7.0 and 8.1.

Question: You mentioned delegation. Can you elaborate on how that is handled as a service?
Answer: Policy management is unified but administrative labor can be delegated. For example, policy management for certain user constituencies can be delegated to business units, customers, or partners.

Question: With 7.0, is this security available out of the box?
Answer: Yes.

Question: Our applications need to be write-once, run-anywhere. We are more concerned about standard APIs between our application and the App Server, than we are about standard interfaces between the App Server and the enterprise. What do you have for us?
Answer: Given application requirements, J2EE defines a minimum set of programmatic security APIs that can be used. These APIs allow developers to determine the identity of the caller and whether the current caller is in a given named role. Beyond these capabilities, J2EE provides little support. It is here that more recent work in the JCP is beginning to address the interfaces between the AppServer and the security environment. In particular, one should look at JAAS and JACC (JSR115).

Question: Some app has very complex business rules for authorization purpose. How can a common infrastructure support the complexity while maintaining as a generic service?
Answer: This is provided by the architecture and the policy language that allows for both the modeling of simple and complex business rules by security administrators in a natural language format. Performance is uncompromised at runtime by allowing the authorization decision point to request context information from the application container.

Question: Why authorization should only be role driven? what about groups (e.g.: locations, depts, unions, etc)? Are we limited here by J2EE?
Answer: Authorization does not have to be driven solely by roles. Other attributes or contextual information can be taken into consideration during the evaluation of a rule. While other information, such as groups and attributes, can be utilized in the authorization decision, this is generally not recommended. It is better to have authorization policies be focused on the business policies that describe how the business sees access to the specific resource.

Question: How does the WL security framework interoperate with OS security built into windows 2000/2003?
Answer: The BEA security framework is capable of delegating decisions, authentication or authorization, to an operating system security system, such as those found in Windows 2000.

Question: Can you please indicate some security features already available in WLS 7.0?
Answer: The entire security framework explained in this webcast is available in WLS 7.0.

Question: Since SAML is used by Liberty and your solution. How is your vision different from that of Liberty?
Answer: BEA is an associate member of the Liberty Alliance. We have initial plans to support SAML which is part of the basis for Liberty. Future plans will look at extended support for Liberty.

Question: How does your architecture implement the standards that you mentioned like SAML and XACML?
Answer: The security architecture is focused first on enabling a number of different security technology to be integrated into the WebLogic platform. BEA has plans to support both SAML and XACML in a future release.

Question: Is role-based security better than code-based security?
Answer: Role-based and code-based security focus on protecting different things. Code-based security is focused on providing protection to the application through the protection of the control logic that is provided by the code itself. Code-based security does not allow the context of the request, target object, or data to be taken into consideration.

Question: If roles replace users, where is the user to role map stored?
Answer: This is a deployment option, but it is typically assigned in the authoritative application source (such as an ERP system) and stored in a database or directory.

Question: What do you think would be the key feature of a security enforcement standard?
Answer: As many of the industry analysts have reported, it is not so much about a single technology. Enterprises continue to struggle with the integration of various point security technologies into a single, pervasive security infrastructure. In addition, any security infrastructure would include the concept of "defense in depth" which basically implies that the various security protections applied to the environment should be layered into a set of hurdles that an attacker would need to overcome. Finally, it is critical that the application itself not rely solely on the ability of protection mechanisms at its perimeter for its entire protection. Instead, applications need to assume that the perimeter defenses have been compromised and that they are on their own to provide protection. In order to know exactly how much protection is necessary for the application to provide, it is recommended that security vulnerability assessments be performed.

Question: Is role-based or code-based security more granular?
Answer: Given the proper architecture, it can be equally granular.

Question: Security and personalization, do they go together or are they completely separate things from your perspective?
Answer: These two concepts are closely tied. Personalization implies what a person can see. Entitlements or authorization implies what a person can do. Ideally, a person only sees what he/she can do. As a result, these concepts go hand in hand. BEA's WLS Portal product utilizes the security framework in v8.1.

Question: Are these standards currently mature? SAML, WS-Security, XKMS, XACML, XML Signature, XML Encryption, etc. Which ones are supported by BEA?
Answer: While a number of these have been approved as standards, they are just beginning to appear in commercial products. Only time will tell whether these specifications, regardless of their standard status, are mature enough to be used in wide-scale deployments.

Question: Is there any interface to Active Directory access like .NET framework (ADSI) in BEA App server?
Answer: WebLogic Server has provided the ability to use Active Directory as an identity repository since the 7.0 release. As a means to provide a more heterogeneous access, the integration is performed using the LDAP protocol.

Question: Is the security service available for the 7.x version of the application server?
Answer: Yes, it is available in v7.0 and v8.1.

Question: The presentation didn't address whether new applications written to JAAS interfaces will be able to leverage WLS authentication modules.
Answer: WLS supports the JAAS authentication standard both as a means of integrating authentication services as well as a means to perform credential collection and delegated authentication in client applications.

Question: As the security infrastructure scales to connect more and more applications together, will LDAP scale? Or at some point does an RDBMS become necessary?
Answer: The use of LDAP versus RDBMS has more to do with the number and types of identity stores that are required to be utilized by an enterprise application. In some enterprises, it is an IT choice of whether to use LDAP or RDBMS. This choice can be based on a number of factors. In many cases, an enterprise is attempting to create a unified view of identity through the use of either meta or virtual directories. Both of these technologies attempt to address the issue of creating a single virtual view of identity from multiple different identity stores.

Question: Is Microsoft's "Integrated Windows authentication" possible for Intranet applications hosted on WebLogic rather than IIS?
Answer: There is currently no support for Microsoft's "Integrated Windows" authentication with the authentication providers supplied in WebLogic Server. It is possible, through the creation of a Servlet filter, to provide support for this and other proprietary protocols in the future. In particular, proposed JSR196 would define a standard hook point in J2EE Servlet container implementations to place support for this.

Description:

The emergence of the intranet and extranet and the evolution of web application development have changed the landscape for application-level security. Applications and their mission critical data and processes are being exposed to an exponentially larger and more diverse community of users. And application security "silos" are no longer an efficient and effective method of delivering application-level security across the enterprise. With heightened security awareness and the evolution of the Chief Security Officer role, the visibility of application-level security within most organizations is ever-increasing.

This webinar will take a closer look at the business and architectural issues that organizations are facing today in the area of application-level security. These issues include growing user populations, web services, and security infrastructure re-use. It will also provide insight into current industry trends and best practices currently being presented to address the growing needs in this domain. Finally, you'll hear about BEA's approach to delivering a service-oriented architecture for application-level security. This approach provides critical benefits to organizations in the areas of stronger and more consistent security, reusability, interoperability, and ease of development.

Come hear BEA System's Chief Security Architect, Paul Patrick, speak on the security issues organizations are facing today and gain valuable insight to assist with your planning for the future.

Presenter:

BEA System's Chief Security Architect, Paul Patrick
