
An Application-Centric Approach to Security



or Security as a Service


I was discussing security with some of my colleagues last week and it suddenly struck us how different modern security approaches should be.  Traditionally, application access control has been embedded within the application.  Within the J2EE world we are seeing this move from the application domain into the infrastructure domain.  This is a key change because it simplifies the provisioning problem: provisioning now becomes a job of mapping application roles onto user groups and identifying which groups, and hence which roles, an individual should belong to.


It also simplifies the application developer's life.  Developers no longer have to provide a user administration module within their code; the infrastructure provides it, and it can range from simple flat files and hand-edited XML in a development environment through to a full access and user management environment in the deployed production environment.
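As an added example (not from the original post) of the split described above: the application's web.xml names only the application role it needs, and the container's deployment descriptor maps that role onto a user group, so the provisioning step happens outside the code. The URL pattern, the role and group names, and the choice of WebLogic's weblogic.xml as the vendor descriptor are assumptions; other containers use their own mapping file.

```xml
<!-- web.xml: the application declares what it protects and which role it needs -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Order approval</web-resource-name>
      <!-- constructed URL pattern; no http-method elements are listed, so the
           constraint covers every HTTP method (listing only GET and POST would
           leave the remaining methods unprotected) -->
      <url-pattern>/orders/approve/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- only the application role is named here, never a user or a group -->
      <role-name>approver</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- require TLS for the protected URLs -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <!-- the container handles authentication; the application ships no login code -->
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>approver</role-name>
  </security-role>
</web-app>

<!-- weblogic.xml (assumed vendor descriptor): the deployment maps the application
     role onto a directory group; changing who can approve is an edit here or in the
     directory, not a code change -->
<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
  <security-role-assignment>
    <role-name>approver</role-name>
    <principal-name>finance-approvers</principal-name>
  </security-role-assignment>
</weblogic-web-app>
```

In a development environment the same "approver" role can be mapped onto a group in a flat-file realm, and in production onto a group in the corporate directory, with the application untouched in both cases.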


This ties nicely into service oriented architecture as it now enables the concept of security as a service to become more concrete.  At the J2EE level this works well.  However, the standards need to be developed further to enable identity to flow seamlessly across services and through a service orchestration.


One area where standards are lacking is in the format of usernames.  For many applications this isn't a problem, but for applications that manage individual user details it is a crucial detail that must be understood, and such applications can end up being specific to a particular name format.


Generally, however, the standards are almost there and we are on the edge of a service oriented security environment.  All it requires now is for developers to embrace it, freeing them from the need to write their own provisioning and security code.


So developers of the world rise up and embrace service oriented security - you have nothing to lose but your provisioning code!


For a good explanation of application centric security check out the security corner blog.


About This Entry

This page contains a single entry from the blog posted on August 30, 2006 1:27 AM.
