Ubuntu Here We Come! -
Java Finally To Become
100% Open Source
Reader wrote: Since
November 206, wow! that
is a long process.
May. 15, 2008 06:29 PM
|
 |
 |
|
|
|
|
YOUR FEEDBACK
SOA World Conference
Virtualization Conference $200 Savings Expire May 16, 2008... – Register Today! Did you read today's front page stories & breaking news?
SYS-CON.TV |
TODAY'S TOP SOA & WEBSERVICES LINKS Feature
Identity Propagation in a SOA
The shortcomings of current solutions
May. 11, 2006 10:00 AM
Digg This!
One of the challenges IT organizations face is how to propagate identities in complex business processes that are commonly found in Service Oriented Architectures (SOAs). Identities, which are passed from one service invocation to the next in a business process, give the process a user context. Identities can be used to determine access rights to SOA services and for audit and compliance purposes.
This article shows the need for identities in an SOA, provides examples of SOAs, and reviews the status and shortcomings of current solutions.
Introduction to Identity Propagation The presentation and logic tiers exist in the portal application server and the data tier resides in the database. The identity of a procurement agent is established when the user starts accessing the portal application from the Web browser and the identity spans all three tiers of the portal. This identity is used for authentication and authorization purposes throughout the business processes tha span the portal. Identity propagation in this case spans from the Web browser, to the portal, to the backend database (see Figure 1). To fully illustrate identity propagation, let's dig deeper into this scenario and see how the identity is propagated. The procurement application, which sits in the portal, requires the user to log in to gain access. When the agent initially accesses the portal, the portal presents a JSP- or HTML-based form that requires a username and password. These credentials are sent over an encrypted SSL channel to prevent anyone from sniffing the password over the wire. Let's assume that the portal is running in a J2EE application server. The application would typically use a Java Authentication and Authorization Service (JAAS) login module to process the username and password, and then authenticate and authorize the user. The username and password credentials are checked against an LDAP directory, or perhaps an identity management infrastructure. If the login is successful, a JAAS subject is created in the current execution context of the J2EE portal. This object is used to identify the user in the J2EE container. The subject is used to authorize any subsequent requests from the user to a secured resource in the application server. For example, the secured resource may be an Enterprise Java Bean (EJB) that accesses the portal's backend database. The subject is used to determine if the user should have access to the EJB. The user identity could also be propagated to the database using proprietary techniques such as impersonation, which could be used to determine if the user should have access to the backend data. Figure 2 shows how an identity can be passed from the browser to the backend database. The identity is first passed from the browser to the portal application. From there, it can be propagated to EJBs or databases. At each step, the identity is bound to the resource. For example, JAAS is used to bind the identity of the portal user to an executing thread in the portal procurement application. This way, the user's identity can be used to determine access to subsequent resources. The identity can also be used for audit and compliance purposes. The portal can set alerts for authentication or authorization failures in the banking application or database. Useful data can also be mined based on the user identities passing through the portal. For example, the bank could determine if purchasing agents are trying to exceed their purchasing limits.
Identities in an SOA Think of an SOA as an evolution of the three-tier architecture where applications, like the portal, are loosely coupled applications built as a collection of services. The idea is to expose business logic as services in a reusable and interoperable fashion. For example, a service could:
These services can also be orchestrated business processes where services are wired together into business flows and are often orchestrated using open standards such as BPEL. For example, consider an auto loan service, where a bank customer submits an application online. The service processes the application and does a credit check on the applicant. If the applicant's credit meets a certain standard, it's forwarded to the fulfillment service. After the processing is finished, the paperwork is sent to the orchestrating process (see Figure 4). SOA is quite flexible and powerful, but its decoupled design makes it difficult to propagate an identity across business processes. For example, a transaction may span a multitude of messaging services such as Web Services, MQSeries, and JMS. Each service has its own way of transporting identities. JMS and MQSeries can pass SOAP-based XML messages in their payload, but these services often aren't XML-based and use different payload types. SOAP-based Web Services have a distinct advantage over other messaging protocols since they can use WS-Security headers in the SOAP envelope to propagate identities (see Figure 5). The WS-Security header is standardized security metadata located in a SOAP header in the SOAP envelope. WS-Security provides data integrity (XML encryption) and data authenticity (XML signature). In addition, it offers a way to insert standard security tokens such as X.509 certificates, Kerberos tickets, and Security Assertion Markup Language (SAML) assertions in the WS-Security header. For example, SAML was designed to provide a standardized exchange of security information using XML documents referred to as SAML assertions. The following code shows how an identity would be bound to a SOAP message using SAML:
<wsse:Security ...> Binding the original requestor's identity to the request itself is the way to propagate identities. The request may be modified throughout the lifecycle of the transaction, but the identity of the requester must always be attached to the request. In this context, identity propagation presents many advantages. At each step, the user's identity is used to determine access to any secured resource. WS-Security provides the semantics for binding user information to SOAP messages. In the listing above, the identity of the user is Joe User, who is in the purchasing organization at Widget, Inc. This identity is bound to the SOAP message using SAML as defined by the open WS-Security. The SAML token goes beyond just identifying the user. It can also package additional information about the user in the form of attributes, which are used for authorization decisions. Attribute statements provide specific details about the subject; for example, the user holds Gold status. Authorization decision statements identify what the subject is entitled to do. For example, SAML assertion attributes can be mapped to roles defined in an access control infrastructure. A relying party that processes a SAML token could use these statements for fine-grained access control.
SOA Identity Propagation To simplify this problem, identity propagation should ideally be carried out with a single security token - for instance, a SAML assertion as described above. Secure identity propagation lets you make sure that only appropriate requests are processed. It also provides an audit trail throughout a transaction. Identity propagation requires that the identity of the original requester be bound to each step of the business process or transaction. Business processes found in SOAs often span a multitude of protocols. The security token should have a standard way to bind to these protocols. A SAML token, as a standard XML representation for describing user identity and attributes, is uniquely suited for this purpose. Figure 6 shows a simple example of a SAML token spanning the services and protocols in the credit check service. Currently, a SAML token is attached only to SOAP protocols. It would be useful to extend it to other native protocols such as JMS, SQL*net/ODBC, or even Inter-ORB. Ideally, all SOA-protected resources should be able to leverage SAML tokens. These protected resources should also be able to use an identity management Single Sign-On (SSO) server to determine access rights based on the tokens. When a policy is changed in the SSO server, it would affect all of the components that use it for security decisions. Page 1 of 2 next page »
SOA WORLD LATEST STORIES
SUBSCRIBE TO THE WORLD'S MOST POWERFUL NEWSLETTERS SUBSCRIBE TO OUR RSS FEEDS & GET YOUR SYS-CON NEWS LIVE!
|
SYS-CON FEATURED WHITEPAPERS MOST READ THIS WEEK |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
| | | | | | | | |
|
|
|
|
|
|
| | | | | | | | | | | | | | | | |
|
|
| SYS-CON MEDIA: | | | | |
| SYS-CON EVENTS: | | | | | |
| INTERNATIONAL SITES: | | | | | | | | | | |
 |
Terms of Use & Our Privacy Statement  About Newsfeeds / Video Feeds |
| Copyright ©1994-2008 SYS-CON Publications, Inc. All Rights Reserved. All marks are trademarks of SYS-CON Media. |
| Reproduction in whole or in part in any form or medium without express written permission of SYS-CON Publications, Inc. is prohibited. |
.gif)
For example, consider a procurement business process for an application that's used by a number of purchasing agents. Each agent has a different purchasing privilege. Say a senior agent can purchase up to $50,000 in a transaction, while a junior agent can buy only $25,000. If the business process that enables the purchase is composed of a number of SOA services, each service must know the user's identity to enforce purchasing privileges.
Many organizations make
the faulty assumption
that SOA is a panacea
that can, and should be,
applied to every
situation. The reality is
that service orientation
is not the right answer
for every scenario. The
expense of service
orientation cannot always
be recouped and, in some
cases, 
Open source has made
significant inroads into
middleware deployments in
the enterprise. More and
more, open source is
being used to deliver the
benefits of SOA and open
source to the enterprise.
There are many custom
Enterprise Service Bus
deployments waiting to be
upgraded to a simple
Adopting SOA is a lot
like gardening. It takes
time, skill, a lot of
hard work, and the
process can be messy and
even a bit frustrating at
times. I know you've
probably heard tons of
different analogies that
attempt to put SOA and
governance into everyday
terms and I'm sure that
growin 
Once upon a time data
modeling played a central
role in the process of
developing applications.
Thus far in the SOA era,
there has been a heavy
emphasis on process, and
data has all-too-often
been lost in the SOA
shuffle. In this talk, we
present a data model for
SOA - i.e., a service-
