
WebLogic Enterprise Security

An infrastructure approach to enterprise application security

BEA WebLogic Enterprise Security 4.1 offers a new, integrated approach to addressing the distributed application security problem found with enterprise applications.

With this new distributed, infrastructure-based approach, application security becomes a function of the application infrastructure and is separate from the application itself. Any distributed application deployed using BEA WebLogic Enterprise Security can be secured either through the security features included out of the box, or by plugging in other specialized security solutions from major security vendors that the customer's enterprise standardizes on.

This article defines the major requirements for a distributed application security solution, and explains how WebLogic Enterprise Security 4.1 delivers them to your application.

The introduction of Web-based applications, component-based architectures such as J2EE, and now service-based architectures, has brought about a change in how applications are created. Where once an application would be constructed as a single entity containing both business logic and a set of embedded security mechanisms, applications are now constructed by integrating a number of applications that provide services to other components in a distributed environment.

But as these highly distributed applications proliferate, securing them against malicious use by outsiders, as well as controlling the actions of insiders, continues to present a critical challenge. A notable effect of this style of application construction is that the number of potential entry points into the application that could be leveraged for malicious activities increases significantly. With the various components of the application distributed throughout the enterprise and even perhaps across enterprise boundaries, the traditional approach of securing an application at only its perimeter is no longer effective. Security enforced only at the perimeter leaves gaps that can be easily exploited by malicious insiders and results in individual silos of security enforcement at almost every component of the application.

Taming this challenge requires a solution that flexibly stitches the existing application fabric to the existing security foundation, while enabling the efficient administration of policies that govern access to business functions. Application security is not static. Administrators need the power to respond to evolving computing technologies and ever-changing threat environments. They must be able to determine the security posture of every single component executing business functions for which they are responsible. They must be able to update this posture by altering the use of various security technologies or changing the policies governing access to resources. Only by addressing the needs for comprehensive security integration, encapsulated policy enforcement, and responsive administration can an application security solution meet both goals.

Reducing the onerous burden requires two separate innovations: service-based security and unified distributed administration. A service-based security layer offers a universal security abstraction for application containers on one side and pluggable provider interfaces for security solutions on the other side. Of course, such flexibility could create its own set of problems surrounding the configuration of service bindings and maintenance of consistent policies. Avoiding this issue with unified administration requires a robust paradigm for synchronizing, propagating, and analyzing administrative directives.

BEA WebLogic Enterprise Security is the first solution to deliver these two innovations in a single, comprehensive package. It doesn't require enterprises to replace existing application containers or existing security solutions. What it does is allow enterprises to weave these existing components into a seamless whole that is easy to manage, maintain, and extend. For the first time, an information technology organization can have complete visibility into and control over every aspect of security for every business function supported by its applications.

Designed as a security infrastructure for providing security services in a consistent and uniform way to application containers throughout an enterprise, WebLogic Enterprise Security leverages many of the lessons learned from successful distributed systems while focusing on reliability, availability, scalability, and performance. In addition, WebLogic Enterprise Security is well suited for environments where an application server decision has not been made. Unlike a number of other products, it does not require customers to utilize any of the components of the BEA WebLogic Platform suite and can be used in environments where these components don't exist (see Figure 1).

One major difference between BEA WebLogic Enterprise Security and other security solutions is the use of a distributed infrastructure that allows for decision points to be colocated with the resources that are being protected. Instead of a central security server where policy decisions are determined, WebLogic Enterprise Security uses a patented approach for distributing configuration and policy information to the decision points that are colocated with the resources that are to be protected. Doing this avoids the performance degradation associated with the latency of network calls to a central decision point, and provides better reliability and availability since there is no runtime dependency on an external process that must be operational and responsive.

At the heart of the WebLogic Enterprise Security infrastructure is a sophisticated security framework known as the "BEA Security Framework", the same one found in BEA WebLogic Server. This allows security services developed for use with WebLogic Server to be utilized by WebLogic Enterprise Security throughout the enterprise. In addition, the use of a common security infrastructure provides customers with a single, unified approach to application security whether or not they use the BEA WebLogic Platform suite.

Service-Oriented Security
The WebLogic Enterprise Security approach is to simplify the integration of application containers with security solutions. An application container is the runtime infrastructure that supports the execution of components. Web servers may act as containers for CGI, JSP, or ASP components. Application servers may act as containers for J2EE and .NET components. Packaged applications act as the containers for the business functions they provide. Stand-alone programs in languages such as Java or C must act as their own containers. Web services may run on top of frameworks, in which case the framework is the container, or as stand-alone components, in which case they are like other stand-alone programs. Application components already delegate security functions to the container, and WebLogic Enterprise Security takes this process one step further by having the container delegate security functions to it.

In principle, every instance of a particular type of container can use the same integration interface, saving a great deal of time and effort. In practice, the situation is actually even better because the model for this interface can be the same across all container types. There are three primary kinds of information any type of security function might need from a container: the security context of the request, such as the username and password or any embedded security tokens; the identity of the resource that is the target of the request, such as the "change address" method of the "Customer" object in the "Accounts Receivable" application; and optionally the context of the request, such as the request parameters that represent the particular address and the particular customer. These three categories of information are the same for all possible containers and all possible security functions. It's simply a matter of encoding them according to the conventions of each type of container and dispatching the appropriate pieces of data to each security function in the correct order.

Figure 2 illustrates this approach. When a container receives a request on a protected resource, it makes a call to the universal security abstraction. This abstraction then invokes all the necessary individual security services, shielding the container and the component from the details. The container receives a decision indicating whether it should deny or fulfill the request.

The goal of BEA WebLogic Enterprise Security is to make integration with applications as easy as possible. In cases where applications already execute in a container-like abstraction, it may be possible to provide shrink-wrapped integration. Containers that provide open mechanisms for extending the container where security decisions can be interposed in the normal flow of handling a business request, such as a Web server's plug-in mechanism, can be used to integrate with WebLogic Enterprise Security. In its initial release, WebLogic Enterprise Security provides packaged integration for a number of containers, including BEA WebLogic Server and the Netscape/Sun ONE Web Server.

In the case of stand-alone applications, each application must individually call the WebLogic Enterprise Security API. For existing applications, there are a variety of straightforward techniques developers can use to add this delegation. Depending on the internal architecture, such techniques include using interceptors, changing the dispatch function, or creating proxy objects. For new applications, developers can create a mini-container abstraction that intercepts requests, calls WebLogic Enterprise Security and acts on the results. While these techniques all require some additional programming, this effort will be repaid many times over by eliminating the burden of maintaining all the embedded security code.
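The proxy-object technique mentioned above, as an added example that is not part of the original article or of BEA's API: an existing business object is wrapped so that every method call first asks for a decision, and the business class itself carries no security code. `SecuredProxy`, `AccessDenied`, `sample_decide` and the sample data are hypothetical names constructed for illustration.

```python
# Added illustration: hypothetical names; `decide` stands in for the call a
# stand-alone program would make to its security service.
import functools

class AccessDenied(PermissionError):
    pass

class SecuredProxy:
    """Wraps an existing object and requests a decision before every call."""

    def __init__(self, target, security_context, decide, application):
        self._target, self._security_context = target, security_context
        self._decide, self._application = decide, application

    def __getattr__(self, name):
        # Expose public methods only; state and private helpers stay unreachable.
        if name.startswith("_"):
            raise AttributeError(name)
        method = getattr(self._target, name)
        if not callable(method):
            raise AttributeError(name)
        resource = "/".join((self._application, type(self._target).__name__, name))

        @functools.wraps(method)
        def guarded(*args, **kwargs):
            try:
                granted = self._decide(self._security_context, resource,
                                       {"args": args, "kwargs": kwargs})
            except Exception:
                granted = False  # decision service failed: deny rather than allow
            if granted is not True:
                raise AccessDenied(resource)
            return method(*args, **kwargs)
        return guarded

# Existing business component: it contains no security code at all.
class Customer:
    def __init__(self):
        self.addresses = {"C-100": "1 Old Road", "C-200": "9 Elm Lane"}
    def change_address(self, customer_id, address):
        self.addresses[customer_id] = address
        return address

def sample_decide(security_context, resource, context):
    # Constructed stand-in policy: alice may change only customer C-100.
    return (resource == "AccountsReceivable/Customer/change_address"
            and security_context.get("user") == "alice"
            and context["args"][:1] == ("C-100",))
```

The proxy passes the same three inputs the article lists (security context, resource identity, request context), so swapping `sample_decide` for a real decision call changes nothing in `Customer`.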

Service Provider Integration
After BEA WebLogic Enterprise Security receives a request from an application container, it manages security processing through a sophisticated internal framework. This security framework is the same framework used in BEA WebLogic Server. The first important point to note about this framework is that every step must pass through an auditing phase that generates a comprehensive set of events for the execution of that step. By filtering and capturing these events, an auditing provider can create as fine grained a log as necessary to comply with enterprise policies. The second important point to note is that security processing is a pipeline. Security functions follow a natural order, with downstream steps requiring the results from upstream steps. The requester's identity must be established before deciding whether to grant that identity access to a resource. Determining what roles an identity currently fulfills must occur before evaluating whether one of those roles authorizes it to perform a particular action on a resource. Within the logical processing order, this processing is very flexible. If a whole new category of security function emerges, WebLogic Enterprise Security can transparently enable it for all application containers by inserting it into its proper place in the pipeline.

For each step defined in the pipeline, WebLogic Enterprise Security invokes the service provider designated to handle that step. As shown in Figure 3, each security service has a corresponding Service Provider Interface (SPI) that defines the functions that security providers providing the service must support. To plug into WebLogic Enterprise Security, a security solution simply has to offer implementations of the SPI for services it knows how to provide. In many cases, these interfaces will consist simply of a wrapper around existing client libraries provided by the solution vendor. By taking advantage of WebLogic Enterprise Security's universal security abstraction, enterprises can transparently and efficiently switch to alternative services providers, upgrade to new versions of existing providers, or even implement their own custom providers to handle special cases.

Out of the box, WebLogic Enterprise Security includes security service providers for a security service that simply use the framework SPIs. Other implementations of a security service can be created and integrated with the facilities of the underlying framework through the same SPIs. These clean SPIs make it possible to plug and unplug different security providers as the security ecology evolves, benefiting everyone involved. Although BEA can individually upgrade the providers included with WebLogic Enterprise Security, security vendors can easily make their services available to all supported containers by coding their products to the appropriate SPIs. Moreover, enterprises can quickly implement customized security processing where necessary.
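A small sketch of the audited pipeline and pluggable providers described in this section, fed with the three inputs (security context, resource, request context) listed under Service-Oriented Security. It is an added example, not BEA code: every class name, the token table, and the role and policy data are hypothetical and constructed for illustration.

```python
# Added illustration: all names are hypothetical, not BEA product APIs.
from dataclasses import dataclass, field
from typing import Optional, Protocol

@dataclass
class Request:
    security_context: dict   # what the caller presented, e.g. an embedded token
    resource: str            # identity of the target resource
    context: dict = field(default_factory=dict)  # optional request parameters

# Service provider interfaces, one per pipeline step.
class Authenticator(Protocol):
    def authenticate(self, security_context: dict) -> Optional[str]: ...
class RoleMapper(Protocol):
    def roles_for(self, identity: str, request: Request) -> set: ...
class Authorizer(Protocol):
    def is_allowed(self, roles: set, request: Request) -> bool: ...
class Auditor(Protocol):
    def record(self, step: str, outcome: str, request: Request) -> None: ...

class SecurityFramework:
    """What the container calls; it learns only grant (True) or deny (False)."""

    def __init__(self, authenticator, role_mapper, authorizer, auditor):
        self.authenticator, self.role_mapper = authenticator, role_mapper
        self.authorizer, self.auditor = authorizer, auditor

    def _audited(self, step, request, call):
        # Every step is audited. A provider that raises yields None, which
        # the pipeline below treats as deny (fail closed).
        try:
            result = call()
        except Exception as exc:
            self.auditor.record(step, "error: %s" % exc, request)
            return None
        self.auditor.record(step, repr(result), request)
        return result

    def decide(self, request: Request) -> bool:
        # Downstream steps need upstream results: identity, then roles, then access.
        identity = self._audited("authentication", request,
            lambda: self.authenticator.authenticate(request.security_context))
        if identity is None:
            return False
        roles = self._audited("role-mapping", request,
            lambda: self.role_mapper.roles_for(identity, request))
        if roles is None:
            return False
        allowed = self._audited("authorization", request,
            lambda: self.authorizer.is_allowed(roles, request))
        return allowed is True

# Constructed sample providers and data for the demonstration.
class TokenAuthenticator:
    def __init__(self, tokens): self.tokens = tokens
    def authenticate(self, security_context):
        return self.tokens.get(security_context.get("token"))

class OwnerRoleMapper:
    def __init__(self, static_roles, owned):
        self.static_roles, self.owned = static_roles, owned
    def roles_for(self, identity, request):
        roles = set(self.static_roles.get(identity, ()))
        if request.context.get("customer_id") in self.owned.get(identity, ()):
            roles.add("account-owner")  # role derived from the request context
        return roles

class RolePolicyAuthorizer:
    def __init__(self, policy): self.policy = policy
    def is_allowed(self, roles, request):
        # Resources without a policy entry are denied by default.
        return bool(roles & self.policy.get(request.resource, set()))

class ListAuditor:
    def __init__(self): self.events = []
    def record(self, step, outcome, request):
        # Log step, outcome and resource; never the presented credentials.
        self.events.append((step, outcome, request.resource))

RESOURCE = "AccountsReceivable/Customer/changeAddress"
def build_demo(authorizer=None):
    auditor = ListAuditor()
    framework = SecurityFramework(
        TokenAuthenticator({"tok-alice": "alice", "tok-bob": "bob"}),
        OwnerRoleMapper({"bob": {"clerk"}}, {"alice": {"C-100"}}),
        authorizer or RolePolicyAuthorizer({RESOURCE: {"account-owner"}}),
        auditor)
    return framework, auditor
```

Passing a different `authorizer` to `build_demo` swaps one provider without touching the caller, and a provider that raises produces an audited deny instead of an unhandled grant path.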

BEA WebLogic Enterprise Security Architecture
Security Service Modules

The pieces of WebLogic Enterprise Security that provide a universal security abstraction are called Security Service Modules (SSMs). An SSM instance includes the interface to the container, the security framework, and all the service providers configured for that instance. Each SSM instance supports a container instance (see Figure 4).

Every SSM requires configuration of its service providers and their corresponding policy information. An initial configuration occurs upon installation and enrollment of the SSM with the administration server, but updates then occur as service providers change and policies evolve. With perhaps a hundred different server machines involved in the execution of some applications, each with multiple instances of containers, the need for a sophisticated approach to administration is pretty clear.

Service Control Modules
The first point of sophistication is the aggregation of administrative operations across multiple instances on the same machine. In most enterprise architectures, it is quite common to run multiple instances of a Web or an application server on the same machine. In some cases, particularly powerful servers may run instances of different types of containers on the same machine. Obviously, if every instance communicated directly with the administrative system there would be a lot of duplicative resource consumption on that machine. Moreover, many types of containers allow administrators to dynamically create and destroy instances so WebLogic Enterprise Security needs a means to control the creation and destruction of corresponding SSM instances. Therefore, every machine on which SSMs may run has a Service Control Module (SCM) as shown in Figure 5.

Administration Server
BEA WebLogic Enterprise Security maintains named configurations in the administration server. In addition to the service providers assigned to the configuration, it maintains a hierarchy of all protected resources managed by that configuration. This hierarchy can include levels for groups of applications, applications, components, objects, and methods so policies can apply to any level of this tree. Resources inherit policies from their ancestors in this tree, though administrators can override this inheritance. All of this configuration, resource, and policy information resides in the policy store, which can be an Oracle or Sybase database. This policy store also maintains information about administrative roles and privileges. WebLogic Enterprise Security has an administrative resource tree that it protects just like application resources. The tree has four main branches: (1) operations on users and groups; (2) operations on policies for role assignment and authorization; (3) operations on protected resource definitions; and (4) operations on service provider configurations. Each of these branches is further divided. Branch 1 has subdivisions corresponding to the user and group hierarchy. Branches 2 and 3 have subdivisions corresponding to the resource tree. Branch 4 has subdivisions corresponding to the configuration tree. An individual administrator may be assigned create, read, update, or delete privileges for any set of branches of this resource hierarchy. In addition to this flexibility in compartmentalization, WebLogic Enterprise Security offers other features for administration.
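To make the inheritance rule concrete, here is an added example (not the product's policy language or store) that resolves the effective policy for a node in a resource tree and reuses the same tree for administrative privileges. The class names, the sample tree, and the rule that grants accumulate from ancestors until a node marked as an override are assumptions, since the article does not spell out the exact semantics.

```python
# Added illustration: names and inheritance semantics are assumptions,
# not the product's policy language.
from typing import Dict, Iterable, Set, Tuple

Path = Tuple[str, ...]

def parse(path: str) -> Path:
    parts = tuple(path.split("/"))
    # Reject empty or dot segments so "a//b" or "a/../b" cannot alias a node.
    if not path or any(p in ("", ".", "..") for p in parts):
        raise ValueError("malformed resource path: %r" % path)
    return parts

class PolicyTree:
    def __init__(self):
        self._grants: Dict[Path, Dict[str, Set[str]]] = {}
        self._overrides: Set[Path] = set()   # nodes that stop inheritance

    def grant(self, path: str, action: str, roles: Iterable[str]) -> None:
        node = self._grants.setdefault(parse(path), {})
        node.setdefault(action, set()).update(roles)

    def override(self, path: str) -> None:
        """Mark a node so that it ignores policies set on its ancestors."""
        self._overrides.add(parse(path))

    def effective_roles(self, path: str, action: str) -> Set[str]:
        parts = parse(path)
        roles: Set[str] = set()
        # Walk from the resource up towards the root, stopping at an override.
        for depth in range(len(parts), 0, -1):
            node = parts[:depth]
            roles |= self._grants.get(node, {}).get(action, set())
            if node in self._overrides:
                break
        return roles

    def is_allowed(self, user_roles: Iterable[str], path: str, action: str) -> bool:
        # No grant anywhere on the path means an empty set, hence deny.
        return bool(set(user_roles) & self.effective_roles(path, action))

def build_demo() -> PolicyTree:
    tree = PolicyTree()
    # Application resources: group / application / object / method (constructed).
    tree.grant("Finance", "execute", {"finance-staff"})
    tree.grant("Finance/AccountsReceivable/Customer/changeAddress",
               "execute", {"account-owner"})
    tree.override("Finance/Payroll")          # Payroll ignores the group-wide grant
    tree.grant("Finance/Payroll", "execute", {"payroll-admin"})
    # Administrative tree, protected the same way with CRUD-style actions.
    tree.grant("admin/policies/Finance", "read", {"finance-auditor"})
    tree.grant("admin/policies/Finance/Payroll", "update", {"payroll-policy-admin"})
    return tree
```

Rejecting malformed paths before lookup matters here: with inherited grants, a path that aliases a different node would silently pick up that node's ancestors' policies.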

BEA WebLogic Enterprise Security doesn't impose a rigid security model on enterprises that hinders the integration of application components with security services and forces the costly workaround of mixing security code with business logic. Instead, it delivers an open framework, common throughout BEA's application platform suite, so that components running on existing application platforms can seamlessly cooperate with the existing security ecology. This framework eliminates dependencies between application components and security services - new application components can seamlessly utilize existing security services and new security services can seamlessly support existing application components. This capability reduces the life-cycle cost of securing existing application components with existing security services.

By embracing the principles of distributed computing, WebLogic Enterprise Security preserves flexibility without sacrificing control. Its innovative administrative model enables enterprises to have complete visibility into and control over the security configuration of every application component as well as the specific policies used to control access to business functions. They can administer security from a single location, propagating both configuration and policy changes throughout the distributed application fabric. This capability enables better assessment and mitigation of security risks.

In addition to supporting existing security services, WebLogic Enterprise Security offers groundbreaking role mapping and authorization services that make it easy to untangle security code from business logic. Because they offer an unprecedented level of flexibility in evaluating the context of a request, enterprises don't have to mix security code with business logic to achieve policy enforcement. This capability decreases the cost of maintaining applications and enables more responsive risk management. It is representative of BEA WebLogic Enterprise Security's overriding goal - to increase IT efficiency and improve system security while supporting business objectives by embracing business procedures rather than constraining them.

More Stories By Paul Patrick

As chief security architect for BEA Systems, Paul Patrick is responsible for the overall security product strategy at BEA. He plays a key role in driving the design and implementation of security functionality across all of BEA’s products, and is the architect for BEA’s new enterprise security infrastructure product, WebLogic Enterprise Security. Prior to becoming chief security architect, Paul was the lead architect of BEA’s ObjectBroker CORBA ORB and co-architect of WebLogic Enterprise (now Tuxedo). He is also the author of several patent applications as well as industry publications and a book on CORBA.


Most Recent Comments
Pascal Mattiocco 03/17/04 01:22:56 AM EST

Well written article but not very useful article. Always the same bla bla bla about how Weblogic security works at 10000 feet. We need more concrete examples on how the technology works practically.
