Securent Entitlement Management Solution. v 3.1 GA. JACC Agent for WebSphere. September Part No. 31GA-JACCAGENTWEBSPHERE-1


Securent Entitlement Management Solution v 3.1 GA JACC Agent for WebSphere September 2007 Part No. 31GA-JACCAGENTWEBSPHERE-1

Copyright

Copyright 2006-2007 Securent, Inc. All Rights Reserved.

Restricted Rights

This software and documentation is subject to and made available only pursuant to the terms of the Securent Inc. License Agreement and may be used or copied only in accordance with the terms of that agreement. It is against the law to copy the software except as specifically allowed in the agreement. This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form without prior consent, in writing, from Securent, Inc.

THE SOFTWARE AND DOCUMENTATION ARE PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND INCLUDING WITHOUT LIMITATION, ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. FURTHER, Securent DOES NOT WARRANT, GUARANTEE, OR MAKE ANY REPRESENTATIONS REGARDING THE USE, OR THE RESULTS OF THE USE, OF THE SOFTWARE OR WRITTEN MATERIAL IN TERMS OF CORRECTNESS, ACCURACY, RELIABILITY, OR OTHERWISE.

Contents

Introduction
Securent JACC Agent approach to protect WebSphere Server Applications
Integrating Securent JACC Agent with WebSphere Application Server
Example of JACC Agent authorization process
Protecting Web Resources in WebSphere Application Server application
Protecting EJB Resources in WebSphere Application Server application

Introduction

This document explains how the Securent JACC Agent for WebSphere Application Server implements fine-grained authorization decisions for applications deployed on WebSphere Application Server.

Note: The Securent JACC Agent is developed against Sun Microsystems' Java Authorization Contract for Containers (JACC) specification, which is part of Java 2 Platform, Enterprise Edition (J2EE) 1.4. JACC defines a contract between J2EE containers and authorization providers. The contract enables third-party authorization providers (such as the Securent JACC Agent) to plug into J2EE application servers, such as WebSphere Application Server, and make the authorization decision when a J2EE resource is accessed. The access decisions are made through the standard java.security.Policy object: the container asks the installed Policy whether the caller's ProtectionDomain implies the permission that represents the requested resource. The Securent JACC Agent implements the policy class, the policy configuration factory class, and the policy configuration interface, as required by the J2EE JACC specification. More information about the J2EE JACC specification can be found at: http://java.sun.com/j2ee/javaacc/index.html

Securent JACC Agent approach to protect WebSphere Server Applications

WebSphere security providers are modules that plug into a WebSphere Application Server security realm to provide security services to applications. An authorization provider determines whether access to a WebSphere Application Server resource should be granted or denied. If the security providers supplied with the WebSphere Application Server product do not fully meet your security requirements, you can supplement or replace them with custom security providers. The Securent JACC Agent is such a custom authorization provider for WebSphere Application Server. It can be used to protect WebSphere Application Server resources such as EJBs, servlets, JSPs and web services.

The figure referenced here (not reproduced in this transcription) illustrates the following sequence of events:

1. Users that access protected resources are authorized through the Securent JACC Provider.
2. The WebSphere Application Server container uses information from the J2EE application deployment descriptor to determine the required role membership.
3. WebSphere Application Server uses the embedded Securent JACC Provider to request an authorization decision from the Securent Entitlement Server (PDP). Additional context information, when present, is also passed to the PDP. This context information comprises the J2EE application name and the J2EE module name. If the PDP database holds policies specified for any of this context information, the authorization server uses it when making the decision.
4. The authorization server consults the permissions defined for the specified user in the PDP database.
5. The PDP returns the access decision to the embedded Securent JACC Provider.
6. WebSphere Application Server either grants or denies access to the protected method or resource, based on the decision returned from the PDP.

The Securent JACC Provider also provides centralized administration of multiple servers.

[Figure: example architecture. A Cell Manager and a Node each run WebSphere Application Server with the Securent JACC Provider and a local replica of the PDP DB; the Securent PDP holds the master PDP DB.]

The figure shows an example architecture in which WebSphere Application Servers are secured by the Securent JACC Provider. The participating WebSphere Application Servers use a local replica of the Securent Entitlement Server policy database to make authorization decisions for incoming requests. The local policy databases are replicas of the master policy database. Having a policy database replica on each participating WebSphere Application Server node keeps authorization decisions local (lower latency) and provides failover if the master is unavailable.

Although the authorization server can also be installed on the same system as WebSphere Application Server, this configuration is not illustrated in the diagram. It is possible to have separate WebSphere Application Server profiles on the same host, each configured for a different PDP. Such an architecture requires that the profiles use separate Java Runtime Environments (JREs), so multiple JREs must be installed on that host.

The Securent JACC Agent authorization process is carried out as follows:

1. A user sends a request to the WebSphere container to access a WebSphere resource and perform a given operation.
2. The WebSphere container receives the request and invokes the method implies(ProtectionDomain, Permission) on the Securent JACC Provider.
3. The Securent JACC Provider extracts the subject (the user name) from the ProtectionDomain and the requested resource from the Permission object, and in turn calls the method isUserAccessAllowed(subject, resource, action) on the Securent Policy Enforcement Point (PEP).
4. The Securent PEP constructs a XacmlRequest from the subject, resource and action and calls the Securent Entitlement Server (PDP) API method isUserAccessAllowed(XacmlRequest).
5. isUserAccessAllowed(XacmlRequest) returns one of two boolean values: TRUE indicates that the requested access is permitted; FALSE indicates that the requested access is denied.
6. If the method returns true, the WebSphere container processes the requested operation. If it returns false, the container rejects the request and the client receives an unauthorized-access response.
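The following added example (written for this page; it is not Securent's SecurentPolicy and not code from the document) shows the contract behind steps 2 and 3 in Java: a java.security.Policy whose implies(ProtectionDomain, Permission) extracts the subject from the domain's principals, maps the JACC permission types javax.security.jacc.WebResourcePermission and EJBMethodPermission to a (subject, resource, action) triple, and asks a PEP for the decision. The EntitlementPep interface, the "application/name" resource layout and the in-memory deny-list PEP in main are assumptions standing in for the Securent PEP and PAP (the real PEP builds a XacmlRequest for the PDP). The same block also illustrates the EJB example later in this document, where HelloBean sayHello is denied while sayHai stays allowed. It needs the JACC API jar (javax.security.jacc) on the classpath and Java 8 or later.

```java
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.util.HashSet;
import java.util.Set;
import javax.security.jacc.EJBMethodPermission;
import javax.security.jacc.WebResourcePermission;

/**
 * Illustrative JACC Policy (added example, not Securent's SecurentPolicy).
 * The container calls implies(ProtectionDomain, Permission); the provider
 * derives (subject, resource, action) and asks the PEP. The PolicyConfiguration
 * and factory classes a full JACC provider also needs are omitted here.
 */
public class ExampleJaccPolicy extends Policy {

    /** Hypothetical PEP interface; the real Securent PEP builds a XacmlRequest for the PDP. */
    public interface EntitlementPep {
        boolean isUserAccessAllowed(String subject, String resource, String action);
    }

    private final Policy fallback;    // answers non-JACC (Java 2) permission checks
    private final EntitlementPep pep;
    private final String application; // J2EE application name, used as resource prefix (assumed layout)

    public ExampleJaccPolicy(Policy fallback, EntitlementPep pep, String application) {
        this.fallback = fallback;
        this.pep = pep;
        this.application = application;
    }

    @Override
    public boolean implies(ProtectionDomain domain, Permission permission) {
        boolean isWeb = permission instanceof WebResourcePermission;
        boolean isEjb = permission instanceof EJBMethodPermission;
        if (!isWeb && !isEjb) {
            // File, socket and similar Java 2 permissions are not entitlement decisions.
            return fallback.implies(domain, permission);
        }
        String subject = subjectOf(domain);
        if (subject == null) {
            return false;             // no authenticated caller: fail closed
        }
        try {
            return pep.isUserAccessAllowed(subject, resourceOf(permission), actionOf(permission));
        } catch (RuntimeException pdpUnavailable) {
            return false;             // PDP unreachable: deny rather than fall open
        }
    }

    /** First principal name in the domain, or null when the caller is unauthenticated. */
    static String subjectOf(ProtectionDomain domain) {
        Principal[] principals = domain == null ? null : domain.getPrincipals();
        if (principals == null || principals.length == 0) {
            return null;
        }
        return principals[0].getName();
    }

    /** "application/EJB-name" or "application/url-pattern", mirroring a PAP resource path (assumed). */
    String resourceOf(Permission p) {
        return application + "/" + p.getName();
    }

    /**
     * WebResourcePermission actions are HTTP methods ("GET,POST"); null means any method.
     * EJBMethodPermission actions are "methodName,methodInterface,paramTypes"; the method
     * name is the action the document's example policies allow or deny.
     */
    static String actionOf(Permission p) {
        String actions = p.getActions();
        if (p instanceof EJBMethodPermission) {
            int comma = actions.indexOf(',');
            return comma < 0 ? actions : actions.substring(0, comma);
        }
        return actions == null || actions.isEmpty() ? "*" : actions;
    }

    @Override
    public void refresh() {
        fallback.refresh();
    }

    /** Stand-alone run: a constructed deny list plays the role of the PDP policies. */
    public static void main(String[] args) {
        Set<String> denied = new HashSet<>();
        denied.add("EjbClient_war/HelloBean#sayHello");          // constructed Deny policy
        EntitlementPep pep = (subject, resource, action) -> !denied.contains(resource + "#" + action);
        Policy denyAll = new Policy() {                           // stand-in for the container policy
            @Override public boolean implies(ProtectionDomain d, Permission p) { return false; }
        };
        Policy policy = new ExampleJaccPolicy(denyAll, pep, "EjbClient_war");

        Principal alice = () -> "alice";
        ProtectionDomain caller = new ProtectionDomain(null, null, null, new Principal[] { alice });
        ProtectionDomain anonymous = new ProtectionDomain(null, null, null, null);

        System.out.println(policy.implies(caller, new EJBMethodPermission("HelloBean", "sayHai,Remote")));    // true
        System.out.println(policy.implies(caller, new EJBMethodPermission("HelloBean", "sayHello,Remote")));  // false
        System.out.println(policy.implies(caller, new WebResourcePermission("/GalleryMenu.jsp", "GET")));     // true
        System.out.println(policy.implies(anonymous, new WebResourcePermission("/GalleryMenu.jsp", "GET")));  // false
    }
}
```

Two design choices matter for a provider like this: an unauthenticated caller (no principal in the ProtectionDomain) and an unreachable PDP both produce false, so the container denies rather than falls open; and non-JACC permissions are delegated to the underlying policy instead of being sent to the PDP, which only knows about application resources.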

Integrating Securent JACC Agent with WebSphere Application Server

Following are the steps to integrate the JACC agent with WebSphere Application Server.

1. Unzip SecurentJACCAgent.zip into the <SECURENT_JACC_HOME> directory.
2. Copy securentjaccagent.jar, pep.jar and papclient_classes.jar to the directory WebSphere\AppServer\lib\.
3. Edit the pep_config.xml file and provide the PDP configuration details:
   - Edit the <jacc-config> tag and set the application group and application to be protected: edit <app-group name="prime group"> with the required application group, and <web-application name="jaccejbdemo"> with the required application.
   - To protect web resources such as JSPs, servlets and actions, edit the <websphere-resource> tag, give it the value webapp and set the attribute enableaction=true. This protects all web resources and actions (if set to false, the web resources in the application are not protected).
   - To protect EJB resources such as EJB beans and EJB methods, edit the <websphere-resource> tag, give it the value ejb and set enableaction=true. This protects all EJB resources (if set to false, the EJB resources in the application are not protected).
   - Edit the <subject source="session"> tag. Its value can be session or request; the source is the place from which the user is to be recognised.
   - Edit the <attribute name="username"> tag to name the attribute key in the session or request that holds the user name. The subject is only as trustworthy as the code that sets this attribute: it must be populated from an authenticated identity, never copied from user-supplied input.
4. Start the WebSphere Application Server.
5. Open the WebSphere administrative console (for example http://ipaddress:port/ibm/console).
6. In the administrative console, click Security > Secure administration, applications, and infrastructure.
7. On the page displayed on the right, click External authorization providers.
8. On the page displayed, click External JACC provider.
9. On the page displayed, set the fields as follows:
   Name = securent JACC Authorizer
   Description = Securent
   Policy class name = net.securent.agent.jacc.websphere.SecurentPolicy
   Policy configuration factory class name = net.securent.agent.jacc.websphere.SecurentPolicyFactory
   Role configuration factory class name = [blank]
   Provider initialization class name = [blank]

10. Click Apply and then click Save (in the top section of the page).
11. Select the radio button External authorization using a JACC provider.
12. Click Apply and then click Save (in the top section of the page).
13. Select the check box Enable application security under Application security.
14. Select the check box Enable administrative security under Administrative security.
15. Click Apply and then click Save (at the top of the page).
16. The application and application group named in pep_config.xml must be created in the Securent PAP. The links under the application and application group need to be created as resources.

Note: In pep_config.xml, if the value of the <record> tag is set to true, the PAP automatically creates resources as you access each page or action in the WebSphere application protected by Securent EMS. If <record> is set to false, you must create the resources manually in the PAP Console. Recording populates the resource tree from whatever is requested, so use it to discover the resources and switch it off once the policies are in place.

Note: Create a custom property named securent.agentconfig whose value is the path <SECURENT_JACC_HOME>\pep_config.xml under Application servers > server1 > Process Definition > Java Virtual Machine > Custom Properties. Click New, enter the name and value given above, click Apply and then click Save.

Example of JACC Agent authorization process

The following is an example of a customized JACC Agent authorization process.

Protecting Web Resources in WebSphere Application Server application

The Securent JACC Agent for WebSphere protects web resources such as JSPs, servlets, HTML files and CSS files. The following example describes this.

1. Log in to the sample application running on WebSphere Application Server. The user name entered on the login page is taken as the subject in the authorization request.
2. The sample WebSphere application contains the following two resources, which we want to protect:
   a. images
   b. GalleryMenu JSP
3. Assume that the necessary arrangements have been made in the Securent Administration Console by creating a resource hierarchy for the sample application with images and GalleryMenu JSP as resources. Configure the entitlement policies for these two resources by defining Allow policies on them for the role External Users, as shown in the Resource Based Entitlement screen in the PAP Console.

4. Because of this setting in the PAP Console, the sample application shows the two resources, images and GalleryMenu JSP.
5. Now set a Deny policy on the two resources, images and GalleryMenu JSP, for the role External Users, as shown in the Resource Based Entitlement screen in the PAP Console.

6. This setting makes the two resources, images and GalleryMenu JSP, unavailable in the sample WebSphere application, as shown in the original document's screenshot.

Protecting EJB Resources in WebSphere Application Server application

The Securent JACC Agent for WebSphere can also be used to protect EJB resources. The following example describes this.

1. Deploy the EJB application EjbClient in the WebSphere Application Server.
2. In the PAP Console, create the EjbClient_war application under Prime Group.
3. In the pep_config.xml file set the values:
   <websphere-resource type="ejb" enableaction="true">*</websphere-resource>
   <record>true</record>
4. Now access the EJB application deployed in the WebSphere Application Server.
5. In the PAP, the EJB resources are now created under the EjbClient_war application. The resource hierarchy shows the servlets and EJB methods present in the deployed application. The EJB class is HelloBean and it has three user-defined methods: sayHello, sayHai and sayByee.
6. Set an Allow policy for the role External Users on the application EjbClient_war.

7. Now access the EJB application deployed in the WebSphere Application Server. The browser displays the output of the EJB methods (screenshot in the original document).
8. In the PAP Console, set a Deny policy on the two EJB method resources, HelloBean sayHello and HelloBean sayHai, for the role External Users on the application EjbClient_war.

9. Now access the EJB application deployed in the WebSphere Application Server again. The browser shows that the two denied methods are no longer available (screenshot in the original document).