Securing Enterprise Java Components With SiteMinder

White Paper

PU B L I S H E D : J U N E 2 0 0 0

This document is subject to change without notice

With existing Web Agents. by providing a complete set of services to those components. J2EE components are deployed to an application server which hosts them in containers for access by clients. or EJB components (which may make up a full-fledged distributed application.sun. One of the many benefits of J2EE components is that they can be ported to. JavaServer Pages TM (JSP). and by handling many details of application behavior automatically. Enterprise JavaBeans TM (EJB) components. Enterprise Edition (J2EE) defines the standard for developing multitier enterprise applications. and hosted by any vendor’s application server provided it complies with Sun’s J2EE API and test specifications. a file.SiteMinder Application Server Agents Introduction To quote Sun Microsystems (http://java. the repository for user authorization and authentication” J2EE builds upon the Java 2 Platform. J2EE simplifies enterprise applications by basing them on standardized. and adds full support for servlets. Protected Resources Web Server Browser HTTP.) Netegrity has introduced a family of SiteMinder Application Server Agents.) by intercepting end-user requests sent to the Web server.g. JSPs. and XML technology for business-tobusiness transactions. etc. This document is subject to change without notice . an application. Standard Edition. Granularity of such security is at the resource level.. which in turn makes calls to SiteMinder’s Policy Server. modular components. SSL SiteMinder Web Agent RSA SiteMinder Policy Server SSL User Directory and Privilege Storage Netegrity SiteMinder Architecture In order to secure more fine-grained objects such as servlets. Netegrity’s SiteMinder can protect entry to a resource (e. This document explains how SiteMinder’s Application Server Agents secure individual J2EE components by interoperating with the hosting application server.html) “the JavaTM 2 Platform. without complex programming.

) Application Server JSP Engine Browser HTTP EJB Container EJB HTTP Server Servlet Engine JNDI EJB EJB JDBC J2EE Components Persistence (e. application servers combine several technologies to facilitate the development. namely: • • • • • • • Centralized user privilege management across platforms. RDBMS) Application Server Architecture This document is subject to change without notice .) Although market -leading application servers provide their own proprietary security model. most companies need the vendor-neutral. Web servers. NT. enterprise-wide security infrastructure offered by Netegrity’s SiteMinder.. and support the deployment and access of distributed J2EE components: • • • Frontend HTTP server (the entry point to the application server from a Web browser) Component containers (hosting all the components deployed to the application server) Component transaction monitor (an infrastructure that manages component distribution. role-based administration. and custom agents) Application Server Architecture The figure below shows a typical application server architecture for HTTP clients (Web browsers. persistence. operating systems. application servers.SiteMinder Application Server Agents Application Server Overview In order to better understand how SiteMinder secures J2EE components. hosted by. dynamic access control rules and policies. and accessed from the application server. and authentication methods) Personalized Web content (Web pages can be personalized for the particular privileges of each user) Developer APIs (to accommodate local authentication methods. Essentially. relational databases) Distributed policy management (user-centric. etc. let’s review briefly how those components are deployed to. transactions. and applications Cross-domain single sign-on Seamless integration with multiple native user directories (LDAP. with optional delegation of administrative rights) Easy integration with multiple existing environments (heterogeneous Web servers.g.

All the low-level features handling servlets such as connection to the network are controlled by the servlet engine (or servlet “container”. the JSP is automatically compiled to a servlet by the JSP engine. EJB components are hosted by an EJB container that must comply with Sun’s EJB specification. A bean class ultimately implements the EnterpriseBean interface and must have methods matching the signatures of the home and remote interfaces. The bean class also implements the methods used by the EJB container to manage the bean.) Advanced EJB containers manage the entity bean’s persistence to the backend database (container-managed persistence or CMP. or retrieve and update data that can’t be adequately captured in entity beans. you need to define two interfaces and two classes: • Home Interface: Since the EJB container manages the lifecycle of a bean. the servlet then runs the request and returns the results to the Web server. the remote interface represents a “contract” between the clients and the bean that lists the services that the bean uses. each managing collections of related EJB objects. Remote Interface: A Java interface that defines the methods that a bean presents to the clients (this interface is used to point to the EJB Object entity. Alternatively. servlets now run in an application server process instead of the Web server. business logic can be implemented in reusable EJB components called by the servlet.) • • • This document is subject to change without notice . The home interface is associated with a Java Naming and Directory Interface (JNDI) name. find. Enterprise JavaBeans Enterprise JavaBeans (EJB) components are distributable. packaged “business” objects. they can store information that may need to be secured.SiteMinder Application Server Agents Servlets Servlets are Java programs that have primarily been used with Web servers. or remove EJB objects .”) The home interface is a Java interface used by clients to tell the EJB container to create. An application server can include multiple EJB containers. They provide a portable and scalable replacement for CGI programs. model the workflow of entity beans. To implement and describe an EJB component to an EJB container. it is responsible for creating and removing bean instances (or EJB “objects. EJB containers are managed by an application server which takes care of all the EJB environment infrastructure. Servlets handle both presentation logic (how responses to user requests are displayed in the browser) and business logic (code that processes the user request. EJB components can be persistent (entity beans whose instances represent tangible entities such as a row in a database table) or non-persistent (session beans used to manage processes and tasks.) Because servlets are persistent. JavaServer Pages JavaServer Pages (JSP) are HTML or XML pages that incorporate Java code (standard classes or JavaBeans components) to produce dynamic Web pages. The first time an end-user requests a JSP page from the Web server or application server. Bean Class: A Java class that provides the EJB component’s business logic. JSPs can be seen as particular applications of servlets.) Servlet developers tend to encapsulate business logic in separate classes to promote reusability. Primary Key: A very simple Java class that provides the unique data necessary to lookup a particular EJB object in the database (entity beans only.) In other words.) Bean-managed persistence (BMP) is more complicated because the bean developer must explicitly write the persistence-handling code in the bean class. With the emergence of J2EE application servers. In this model.

the client requests a bean by calling a create() or findXxxx() method on its home interface. Names.) A deployment descriptor is a serialized class used to customize an enterprise bean’s class at runtime without having to change the bean’s class itself (deployment descriptors will also be available in XML in the next release of the EJB specification.SiteMinder Application Server Agents An EJB client essentially performs the following tasks (see figure below. Names. the JAR’s table of contents. JNDI Server Create / Find EJB Container EJB Home EJB Home Stub Home Interface Home Interface getList EJB Object Stub Remote Interface EJB Object Remote Interface EJB Class Application Server EJB Conceptual Architecture This document is subject to change without notice ..e.) Call methods on the bean (EJB Class) When the client does not need a bean object anymore.) • • • • Get a context from the application server via JNDI and use that context to look up a home interface for a particular bean Use the home interface (EJB Home stub) to find or create a bean object (i. Names.e.) InitialContext Lookup Names. you need to package in a Java Archive (JAR) file the classes described above plus a deployment descriptor and a JAR manifest (i.) To deploy an EJB component to an EJB container. it calls the remove() method on the home interface or call remove() directly on the EJB object (entity beans only..

they fail to fully support enterprise-wide security such as single sign-on to an entire Web site (or portal. SSL SiteMinder Application Server Agents RSA SiteMinder Policy Server SSL User Directory and Privilege Storage Netegrity SiteMinder Application Server Agents This document is subject to change without notice . JSP Engine HTTP Daemon or Int. or a full-fledged Web server integrated with the application server) to secure application-server resources as shown in the following figure. ASAs are to J2EE applications what SiteMinder Web Agents are to general-purpose Web-server resources. and assemble them into what will become a distributed J2EE-based application.) In this way. the remote interface. enterprise beans’ JAR files) to meet the specific needs of a distributed application. Introducing SiteMinder Application Server Agents SiteMinder Application Server Agents (ASA) are a set of servlets that communicate with the SiteMinder Policy Server via the SiteMinder Agent API. Instead of interfacing with a Web Server as Web Agents do.. While the most advanced application servers available today include security features. an online banking application may specify very strict security requirements on some components. Web Server EJB Container EJB EJB Servlet Engine EJB Browser HTTP. in-house business components.SiteMinder Application Server Agents Anatomy of a Secure J2EE Application In an ideal component architecture. Public Key Infrastructures (PKI) applications. or newly-developed components. Netegrity has enriched its SiteMinder offering with Application Server Agents to support enterprise-wide security for J2EE components hosted in market-leading application servers by seamlessly interoperating with those application servers. etc. The next step is for the application server administrator to deploy packaged business components (e. The in-house application developer creates EJB clients from the EJB Object interfaces (see EJB Conceptual Architecture figure above.) concurrent use of heterogeneous user directories. ASAs interface with an application server’s HTTP daemon (an HTTP server process. and the bean classes for a business component. the independent bean provider (or business-component vendor) creates the home interface. the application developer can use existing. auditing and reporting. industry-standard business components. For example.g.

) In order to allow you to “SiteMinder-enable” J2EE components hosted by your application server. An application server proxy (plug-in) communicates with the application server’s engine which uses the application server’s Java Virtual Machine (JVM) to interpret compiled servlets.conf) using the following syntax: agentname = webagent. etc. This document is subject to change without notice . (The application server’s servlet engine has to be configured to use that class.SiteMinder Application Server Agents How SiteMinder Application Server Agents Work SiteMinder Application Server Agents are designed to protect fine-grained resources hosted in an application server.. the end-user sends a request from a Web browser to the application server’s HTTP deamon (or integrated Web server). The results of the servlet process are sent back to the end-user via the application server’s HTTP deamon. by superseding the native application server’s security functionality. Basically.hostname This implementation allows the invocation of all three types of agents simultaneously (i.) Responses for the Java Servlet Agent are the same as for the existing Web Agent. JavaServer Pages. a call to a servlet is intercepted by the SiteMinder Java Servlet Agent which provides a SiteMinder-enabled version of the servlet class extending the application server’s class.ejbagent. SiteMinder includes three types of application server agents supporting: • • • Files / JSPs (existing Web Agent described in previous Netegrity White Papers) Servlets (Java Servlet Agent) EJB components (EJB Agent) SiteMinder Application Server Agents are specified in an agent configuration file (WebAgent. SiteMinder’s Java Servlet Agent supports the following levels of access: • • • Basic authentication (basic and over SSL) Form-based authentication Single sign-on with Java Servlet Agents and existing Web Agents The Java Servlet Agent provides application server-specific invokers and base servlets that can be used in conjunction with each other or independently. for each class you can define what type of agent you want to support. Netegrity provides: • • • A set of APIs (servlet class framework extending your application server’s classes.servletagent.) A SiteMinder EJB precompiler A SiteMinder EJB compiler SiteMinder Java Servlet Agent Java servlets (or JavaServer Pages compiled to servlets) run in an application server process. With SiteMinder. such as servlets. classes replacing the EJB initial context factory provided by the application server. and EJB components.e.

Servlet aliasing is the ability to give a name to a chain of servlets used together for performing a task. This model allows servlets to handle HTTP requests for many types of content. and the last servlet in the chain returns the results to the browser. The model also allows for invocation based on a URL as well as MIME type (the format of the data returned by the servlet is defined by a MIME content type.) For example. In this model. aliased servlets must extend the SiteMinderServlet base class instead of HttpServlet. the EJB object’s context must be looked up (thru JNDI. SiteMinder EJB Agent EJB components can be invoked in different ways: • • • From a servlet (using a thin (HTTP) client) From a client application (standalone client. Application server-specific invokers are used to supersede the default application-server invokers so that SiteMinder functionality can be provided in the application server. The SiteMinder Java Servlet Agent includes three types of invokers for: • • • JavaServer Pages File Servlets (handling requests for MIME types such as HTML.SiteMinder Application Server Agents Application Server-Specific Invokers An application server invoker is a servlet that calls other servlets by class name.g.netegrity. Servlets are usually mapped to a particular virtual directory under the Web server. not just servlets. This document is subject to change without notice . The initial context can be thought of as the root for the EJB location (JNDI requires that you have an initial context for all makes a call to the invoker servlet which then calls the service() method of the servlets it invokes.) The SiteMinder Java Servlet Agent ensures that whether a servlet is called by its class name or by an alias.) The SiteMinder Java Servlet Agent provides an application server-specific invoker that extends the classes provided by the application server thus allowing its resources to be protected by SiteMinder. For example pointing your browser to http://www. The purpose of providing an abstract base class is to support servlet aliasing. a Java Swing application) From another EJB object within the EJB container In all cases. each servlet gets its input from the preceding servlet in the chain. Base servlets provide a final implementation of the Java Servlet API’s service() method. the application needs to implement that servlet as a subclass of the SiteMinder servlet base class (in other words. GIF. access to the doGet and doPost methods for that class name will be checked in the SiteMinder Policy Server. and JPEG) Standard Servlets Base Servlets Base servlets define a base class (SiteMinderServlet) from which application servlets can inherit.) A context represents a starting point for a naming (or directory) service. e. If an application wants to protect an aliased servlet through SiteMinder.

The SmEJBContext class (part of the netegrity.class. This is to make sure that once an EJB component has been SiteMinder enabled.MyEJBHome”). SiteMinder takes care of that. which checks assertions about resources made in SiteMinder’s Policy Server to make sure the user invoking that EJB object is in that role (smRoles/x where x is the role name) getCallerIdentity(). returns the SiteMinder user’s Directory name getAPI().SiteMinder Application Server Agents MyEJBHome home = (MyEJBHome)ctx.siteminder.lookup(“beanManaged. MyBean. the SiteMinder EJB compiler (after deployment) The SiteMinder EJB Agent features a JNDI-compliant configurable lookup implementation which looks into the application server’s lookup and allows for customized caching and load balancing if desired. This document is subject to change without notice .) Two Netegrity tools are used to “SiteMinder-enable” EJBs to be hosted by an application server: • • smejbpc.class becomes MyBeanSm.. only requests which have been validated by the SiteMinder Policy Server will be processed. The SiteMinder EJB Agent supports basic authentication and anonymous log-in. e. Single sign-on between servlets (and JSPs) via SMSESSION provides support for other access levels (when EJB components are called by servlets. Overload the public methods to check that the request has come through a valid SiteMinder context. the deployement descriptor (defined in the JAR file) and the JNDI_ROOT directory as arguments. the SiteMinder EJB pre-compiler (before deployment) smejbc.ejb API) provides the following methods: • • • • isCallerInRole(String roleName). looks up the context ctx (cast to the home interface) of MyEJBHome.) EJB Agent Pre-Compiler The SiteMinder pre-compiler gets the input directory (the root of the EJB component) and the deployment descriptor as arguments. It then creates a subclass of the bean (the subclass simply appends Sm to the bean class name.) adding the following SiteMinderspecific calls: • Overload the setContext() method to create an SmEJBContext instance as a wrapper around the native application server context.) An instance of the SmEJBContext class is obtained by casting the EJBContext class of a SiteMinderenabled EJB to SmEJBContext (non-invasive approach. This lets the EJB component access the SiteMinder responses as well as the caller identity and role membership from the SiteMinder Policy Server. • EJB Agent Compiler The SiteMinder compiler gets the deployed JAR file.g. which makes all the SiteMinder Policy Server responses available to the EJB (the key benefit is that EJB components don’t need to hold a handle to LDAP or ODBC directories. returns the handle to the EJB agent API instance the agent is using (to avoid configuration duplication) getResponse(String name).

class.g. EJB Agent Lookup The EJB agent’s JNDI-compliant lookup implementation supports: • Standalone Clients by using netegrity.) • This document is subject to change without notice . e.) EJB Agent Response The EJB Agent supports a subset of the existing Web Agent or Java Servlet Agent response. one when the servlet/JSP is in the same application server instance.jndi.) Servlets/JSPs using two calls.SmInitialContextFactory as the INITITAL_CONTEXT_FACTORY property of javax.InitialContext (username and password are passed thru the same property. deployment descriptor. MyBeanHome.conf configuration file allows developers to provide their own lookup implementation using methods provided with the SiteMinder API (SiteMinder Application Server Agents ship with default implementations.SiteMinder Application Server Agents The SiteMinder compiler creates client stubs as well as the home and remote interfaces by appending Sm to the bean home.siteminder. Context. the lookupimpl entry in the WebAgent. They ensure that all the communication between the invoking client and the application server are authenticated and authorized by SiteMinder. All the HTTP redirections and cookie responses are disallowed (no such notions in EJB components. etc.naming. these proxy classes are put in a JAR file in the JNDI_ROOT directory. int port) for a remote application server.) Note: this step is totally independent of SiteMinder Pre-compile the bean using smejbpc (the bean is now renamed to fit SiteMinder’s EJB Agent) and modify the deployment descriptor to use the SiteMinder-enabled bean instead of the original application server bean Run the application server’s compiler to create all of the SiteMinder-specific stubs for the SiteMinderenabled bean and create a JAR file for the bean Deploy the SiteMinder-enabled bean (JAR file) to the application server using the application server deployment tools Use smejbc to provide home and remote proxy classes to make sure that the communication between a client and the server goes thru SiteMinder (Note: The lookup is ultimately done in the EJB container.getInitialContext(String hostname.getContext. Once compiled. using the same identity as the protected resource.) SiteMinder throws an exception if the Policy Server fails to authenticate or authorize an end-user. SiteMinder-Enabled Bean LifeCycle SiteMinder-enabling an enterprise bean includes the following steps: • • • • • Develop the bean (class compilation..getInitialContext() if the calling servlet is in the same application server instance. one for a remote application server. • EJB Agent Custom Lookup Once users are authenticated by SiteMinder.) The application server’s administration services need to be re-started to present the SiteMinder-enabled bean Update the clients (Context.getContext.class becomes MyBeanHomeSm.

Netegrity’s SiteMinder can protect entry to a resource (e. an application. Enterprise Edition (J2EE) that allow customers to integrate their Java application servers with SiteMinder into a proven.g.) by intercepting end-user requests sent to the Web server. etc.SiteMinder Application Server Agents Summary With existing Web Agents. a portal and its affiliates) from a single sign-on session. Corporate resources that are secured through SiteMinder can be seamlessly accessed throughout the enterprise environment (e. heterogenous user directories. application servers are seen as resource providers part of the enterprise-wide environment. users benefit from a single point of control for security allowing them to preserve their existing information asset infrastructure in terms of Web servers. a file.. and database management systems.) or Enterprise JavaBeans (EJB) components (which may make up a full-fledged distributed application. In this model.g. Granularity of such security is at the resource level. JavaServer Pages (JSP. file-based applications.. integrating with multiple. In order to secure more fine-grained objects such as Java servlets. the repository for user authorization and authentication information.) Netegrity has introduced SiteMinder Application Server Agents for the Java 2 Platform. vendor-neutral. standards-based security infrastructure. This document is subject to change without notice . which in turn makes calls to SiteMinder’s Policy Server. Thanks to SiteMinder. and fine-grained J2EE components deployed to market-leading application servers. application servers.

SiteMinder Application Server Agents Appendix SiteMinder Application Server Agents Availability Application Server Agents will be available with SiteMinder Version 4.0 (A dvanced Edition) Later releases of Application Server Agents will support additional application servers based on customer requirements.1 IBM WebSphere Version 3. This document is subject to change without notice .5 (MS Windows NT and Sun Solaris) The application servers supported with the first release are: • • BEA WebLogic Server V 4.5.

Sign up to vote on this title
UsefulNot useful