Centralized Security Policy with AquaLogic Enterprise Security: Part 1

by William Dettelback
09/19/2007

Abstract

AquaLogic Enterprise Security (ALES) provides a centralized security policy facility for applications and services. ALES is built on the same core security framework that WebLogic Server and WebLogic Server-based products use. This makes it straightforward to use ALES as a replacement for the authorization decisions performed by those products and as a way to centralize their security policies in one repository. The benefit of this approach is easier maintenance and lower complexity as the number of authorization decisions performed across multiple products grows.

This article will discuss how to use ALES with WebLogic Portal and AquaLogic Data Services Platform (ALDSP) and will show how the addition of ALES as a security policy mechanism has little to no impact on how the portal or data services are created.

Understanding ALES

AquaLogic Enterprise Security is based on an inherently distributed architecture. It provides a centralized Policy Administration Point (PAP) in the Administration Server and distributed Policy Decision Points (PDPs) in the form of Security Service Modules (SSMs). SSMs come in several varieties, and one is intended to plug into WebLogic Server-based applications. When this is done with WebLogic Portal, for example, a portal application's entitlements are evaluated by ALES rather than by the default providers.

ALES provides a mechanism to administer entitlement policies centrally for any number of domains and applications while distributing that policy out to the correct SSM. This can be a huge benefit when you have many disparate WebLogic Portal domains that all require some common security policy. With ALES you would administer the policy in one place and let the infrastructure do the distribution for you. The story gets even better when you consider that many BEA products such as WebLogic Server, WebLogic Integration, AquaLogic Data Services Platform, and AquaLogic Service Bus can plug in to ALES as well.

To be more precise, this "plugging in" depends on the core security framework found in WebLogic Server. This framework is based on the idea of pluggable security providers for Authentication, Authorization, Role Mapping, Credential Mapping, and Auditing. An ALES SSM is a highly specialized form of Authorization Provider and Role Mapping Provider. Since every BEA product built on WebLogic Server uses the Security Framework to protect itself, each of them can delegate its authorization decisions to ALES once it is configured to do so.

In this way, the ALES security policy can overlay the security policies defined individually in each WebLogic Server-based product. As we'll see in this article, this means that security policy is fully externalized from the applications and services themselves, which is a good thing.
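To make the PAP/PDP split and the role-mapping-plus-authorization delegation concrete, here is a small model of the architecture described in the two preceding paragraphs. This is an added illustration written for this article, not ALES code or the WebLogic SSPI: the class names PolicyAdministrationPoint and SecurityServiceModule, the resource-path syntax and the deny-wins rule are assumptions chosen to mirror the article's terms. It shows one central policy store pushing a versioned snapshot to two SSMs, each SSM mapping groups to roles and making a deny-by-default authorization decision, and why a policy change only takes effect at a PDP after the PAP distributes it.

```python
# Added illustration, not BEA/ALES code. Class names, resource paths and the
# deny-wins semantics are assumptions modelled on the article's terminology.
import copy
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    resource: str          # hierarchical resource path, e.g. "//app/portal/admin"
    action: str            # e.g. "view"
    role: str              # role the rule applies to
    effect: str = "grant"  # "grant" or "deny"; an explicit deny wins

    def covers(self, resource: str) -> bool:
        """A rule on a node applies to that node and everything beneath it."""
        return resource == self.resource or resource.startswith(self.resource + "/")


@dataclass
class PolicySet:
    version: int = 0
    role_map: Dict[str, Set[str]] = field(default_factory=dict)  # group -> roles
    rules: List[Rule] = field(default_factory=list)


class SecurityServiceModule:
    """A PDP plugged into one application: role mapping + authorization, deny by default."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.policy: Optional[PolicySet] = None
        self.audit: List[str] = []

    def load(self, snapshot: PolicySet) -> None:
        self.policy = snapshot

    def map_roles(self, groups: Set[str]) -> Set[str]:
        roles: Set[str] = set()
        if self.policy is not None:
            for g in groups:
                roles |= self.policy.role_map.get(g, set())
        return roles

    def is_access_allowed(self, user: str, groups: Set[str], resource: str, action: str) -> bool:
        decision = False  # no policy, or no matching rule, means DENY
        if self.policy is not None:
            roles = self.map_roles(groups)
            hits = [r for r in self.policy.rules
                    if r.action == action and r.role in roles and r.covers(resource)]
            if not any(r.effect == "deny" for r in hits):
                decision = any(r.effect == "grant" for r in hits)
        self.audit.append(f"{self.name}: {user} {action} {resource} -> "
                          f"{'PERMIT' if decision else 'DENY'}")
        return decision


class PolicyAdministrationPoint:
    """Central policy store; pushes an immutable snapshot to every registered SSM."""

    def __init__(self) -> None:
        self.policy = PolicySet()
        self.ssms: List[SecurityServiceModule] = []

    def register(self, ssm: SecurityServiceModule) -> None:
        self.ssms.append(ssm)

    def grant_role(self, group: str, role: str) -> None:
        self.policy.role_map.setdefault(group, set()).add(role)

    def add_rule(self, rule: Rule) -> None:
        self.policy.rules.append(rule)

    def distribute(self) -> int:
        self.policy.version += 1
        snapshot = copy.deepcopy(self.policy)  # SSMs never share the live object
        for ssm in self.ssms:
            ssm.load(snapshot)
        return self.policy.version


def demo() -> dict:
    """Two SSMs (a portal domain and a data-services domain) fed by one PAP."""
    pap = PolicyAdministrationPoint()
    portal, dsp = SecurityServiceModule("portal-domain"), SecurityServiceModule("aldsp-domain")
    pap.register(portal)
    pap.register(dsp)
    pap.grant_role("Staff", "Employee")
    pap.grant_role("Admins", "Administrator")
    pap.add_rule(Rule("//app/portal", "view", "Employee"))
    pap.add_rule(Rule("//app/portal/admin", "view", "Employee", effect="deny"))
    pap.add_rule(Rule("//app/portal/admin", "view", "Administrator"))
    v1 = pap.distribute()

    before = portal.is_access_allowed("alice", {"Staff"}, "//app/dsp/orders", "read")
    pap.add_rule(Rule("//app/dsp/orders", "read", "Employee"))  # not yet distributed
    stale = dsp.is_access_allowed("alice", {"Staff"}, "//app/dsp/orders", "read")
    v2 = pap.distribute()
    after = dsp.is_access_allowed("alice", {"Staff"}, "//app/dsp/orders", "read")
    return {
        "versions": (v1, v2),
        "alice_home": portal.is_access_allowed("alice", {"Staff"}, "//app/portal/home", "view"),
        "alice_admin": portal.is_access_allowed("alice", {"Staff"}, "//app/portal/admin", "view"),
        "bob_admin": portal.is_access_allowed("bob", {"Admins"}, "//app/portal/admin", "view"),
        "same_in_dsp": dsp.is_access_allowed("alice", {"Staff"}, "//app/portal/admin", "view"),
        "orders_before_stale_after": (before, stale, after),
        "audit_lines": len(portal.audit) + len(dsp.audit),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point to notice is that both SSMs return identical answers for the same subject and resource because they hold the same snapshot, and that the new read rule is denied at the ALDSP SSM until the PAP distributes version 2. In the real product the snapshot, the role mapping and the access decision are performed by the ALES SSM in place of the default WebLogic providers, which is what lets the portal and data services on the following pages be built without any policy logic of their own.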
