Test Center Analysis: BEA Offers Up New Enterprise Security Architecture

BEA Systems hopes to remove that complexity with WebLogic Enterprise Security, a product that provides a distributed security service layer to all enterprise applications. Unveiled Monday, BEA's software provides a comprehensive, easy-to-manage, single security architecture that covers most security services, such as authentication, authorization, identity assertion, role and credential mapping, and auditing. The software aims to provide a single point of authentication for enterprise applications, a goal that has become increasingly difficult to achieve with today's complex enterprise applications. It is slated to ship by the end of this month, with pricing at $10,000 per CPU.

Typical users who log into corporate portals unknowingly must go through a myriad of authentication points to access several systems. In most deployments, each application authentication point must tie into a single-sign-on (SSO) server and work smoothly with other applications further down a business process. Large enterprises end up combining multiple SSO servers to balance the load or provide a fail-safe method. That approach, however, doesn't guarantee proper timing at each application authentication point, nor will it solve load problems since a bottleneck will still exist due to the SSO server's centralized architecture.

The security control mechanism gets more complex at the component level, where component instances must guarantee the right access to a user. Here, it's like the Wild West, where anything goes: Authentication depends on security policies implemented by the application server. Developers usually end up controlling authentication at the module level. One way to work around this free-for-all would be to use multiple application servers for security. That approach, however, gobbles up administration time.

BEA's new enterprise security architecture sets out to remove these problems by distributing security at every layer of an enterprise application, according to the company. WebLogic Enterprise Security achieves application security heterogeneity by using service modules that work like plug-ins and hook into application containers or security APIs. For instance, with Java application servers, the WebLogic Service Modules connect through the JACC API. Further, each WebLogic Service Module lives in the server where the application or components reside and communicates with applications via a container, a Web server or its own API.

All policies are replicated to each server through a centralized Web-based monitoring system that streamlines delegation by distributing policies across each server. This architecture shifts the responsibility of securing applications away from the developer and into the hands of an administrator. Every server becomes responsible not only for its applications but for its security policies as well.

The modules also work independently of any application stack. Regardless of whether developers work with Enterprise JavaBeans (EJBs), databases, servlets or .Net components, the WebLogic Service Modules should work transparently. BEA also offers a module intended to work with legacy applications that require specialized authentication. Developers will have to code their access methods to WebLogic Service Modules when working with legacy applications, but they do not have to create new forms of authentication or revamp existing code because the service modules act independently from each other.

Through this approach, applications can also add multiple authentication methods. Two components, for instance, can call separate security services and validate the same user for different reasons. The architecture is also extensible, which means that any third-party Web services vendor can create plug-ins for the WebLogic Service Modules.