OpenSSO Enterprise Policy Agent 3.0: Processing Requests

I have included two images of flow charts in this blog entry that show how a request for a resource is processed: one image is web-agent specific and one is J2EE-agent specific.

These charts show the possible scenarios that can take place when an end user makes a request for a resource. Therefore, the end user points a browser to a URL. That URL is a resource, such as a JPEG image, HTML page, JSP page, etc. When an agent is configured to protect that resource ("protect" is not always the correct word, but the agent has a role to watch the resource anyway), it intervenes to varying degrees and checks the request. The situation might be that all requests are granted for that particular resource. Maybe then the request is logged and maybe it isn't logged. Hopefully, the flow charts reflect the key details.

Coming up with a flow chart that provides just the right level of detail is a tricky proposition: too much detail and the image is too complex; not enough detail and the image doesn't provide much useful info. Anyway, after getting much input from developers, this is what I came up with.



The flow chart that  follows illustrates how a request for a resource is handled by a web agent. Therefore, the web agent is protecting resources on a web server or web proxy server. The flow chart shows the processes the web agent goes through to protect such resources.

 How a Resource Request is Processed by a Web Agent

Flow chart of a single rescource request in web agents.


The flow chart that  follows illustrates how a request for a resource is handled by a J2EE agent. You can see that the J2EE security that is available in application servers (though J2EE agents often protect resources on portal severs, too) adds a layer of complexity to the chart. The J2EE agent flow chart also shows how the filter mode setting affects the processing of a request.

 How a Resource Request is Processed by a J2EE Agent

11/01/08: The flow chart in the link that follows was updated today. The "Yes" lines coming out of the top right side were not aligned properly. The problem has now been fixed. However, the print was too small and difficult to read. Therefore the image has been split into two (see below). It should be easier to read.

To see the two images combined as one, see the following: Single Image

------------------------------------------

11/06/08: The following two flow charts were just updated today. The original chart has been split into two to allow the text to be larger. Hopefully, it's easier to read this way.

J2EE agent: flow chart showing a request for a resource, PART A

J2EE agent: flow chart showing a request for a resource, PART B


Comments:

John,

The J2EE Agent diagram looks like 100% of the requests are going to bypass the majority of the flowchart in the first box. Can you help me understand what happens in the "User attempts to access resource" box for J2EE Agents?

thanks
Brian

Posted by Brian Frey on October 31, 2008 at 07:25 AM PDT #

Doh!

You're right! Something got lost in translation.

The box "User attempts to access resource" should not have a line coming from it with a "yes" attached.

There should be line coming from the diamond with the words "Is filter mode set to NONE?". That line should actually go to the box with the words "Log (audit log) resource allow message."

Also, the next diamond (Is resource on the not-enforced list?) should also have a line coming from it. That line should skip the "Log (audit log) resource allow message." box and go straight to "Allow access to resource."

I have updated version of the image coming from the art team. I'll update the blog when it comes in.

Thanks for pointing that out.

Posted by John Domenichini on October 31, 2008 at 08:19 AM PDT #

Okay, the error that Brian pointed out in the J2EE agent flow chart has been fixed.

Thanks again Brian.

John D.

Posted by John Domenichini on November 01, 2008 at 04:07 AM PDT #

Is there any way to increase the text size of the J2EE agent diagram to make it easier to read? The Web agent diagram is perfect readability wise.

Posted by David C on November 03, 2008 at 09:25 PM PST #

All right, I had the image redone. It's been split into two images, which allows the text to be larger. How's this?

Posted by John Domenichini on November 06, 2008 at 05:11 AM PST #

Yes, that's easier on the eyes. Thanks.

Posted by David C on November 06, 2008 at 05:37 AM PST #

Post a Comment:
  • HTML Syntax: NOT allowed
About

What does this box do?

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today