JSR196/JSR115 based OpenSSO Agent
By Kalpana Karunamurthi on Jan 28, 2009
Before I move on and start blogging about my current assignment, I thought it would be a good idea to dedicate some posts to my previous assignment. Just before moving to Glassfish sustaining, I was involved in developing a new OpenSSO Agent based on the JSR196 and JSR115 specifications, which it uses for authentication and authorization respectively. The experience of working on this agent was mind-blowing.
Implementing the JSR196 provider was relatively straightforward with the help of this blog. But the JSR115 provider posed a real challenge. When I started off, there was not much documentation about building a new JSR115 provider except for the specification. Trust me, the specification was very complicated. Now that I have crossed all the hurdles, there exists a JSR115 provider which stores all the security constraints declared in web.xml in the OpenSSO Policy Store. The policies follow the OpenSSO Policy format. The provider authorizes against OpenSSO Enterprise.
So what does this agent do? The agent protects the application from unauthorized intrusions. Authentication and authorization for entry happen against the OpenSSO Enterprise framework. The important advantage of the agent is that it can work with any container, as long as the container supports the specifications. (I have to add that some tweaking is currently required in the provider code to make this happen, since the agent's installer and configurator are written for Glassfish 2.1. Also, the admin apps of Glassfish use their own default provider.) It has also improved a lot on the usability of earlier Agent frameworks.
The use case of the agent is something like this: when an application is deployed, the J2EE policies declared in its web.xml are captured by the JSR115 provider. They are converted into the OpenSSO policy format and stored in the OpenSSO policy store. When a protected resource is accessed, the JSR196 provider comes into action and redirects to OpenSSO to perform authentication. Once the user is authenticated by OpenSSO, the JSR115 provider takes over to authorize the access. The JSR115 provider depends on the OpenSSO policy engine to evaluate the policies and allow or deny the authenticated user access to the protected resource.
The check-in of this code will be done in a couple of days, so all those interested can try out this agent, and I'll be extremely interested to hear your feedback.
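The authorization step described above, sketched as an added example (not the agent's code): a `java.security.Policy` that hands `WebResourcePermission` checks to an external decision point and denies access when that call fails. `DecisionPoint` and the alice/bob rule are hypothetical stand-ins for the OpenSSO policy engine call, and the JSR115 API jar (`javax.security.jacc`) is assumed to be on the classpath.

```java
import java.security.*;
import java.util.*;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.WebResourcePermission;

// Hypothetical stand-in for the external policy engine call; not an OpenSSO API.
interface DecisionPoint {
    boolean isAllowed(Set<String> callers, String contextId, String uri, String methods) throws Exception;
}

public class DelegatingPolicy extends Policy {
    private final Policy fallback;   // policy that was installed before this one
    private final DecisionPoint pdp;

    public DelegatingPolicy(Policy fallback, DecisionPoint pdp) {
        this.fallback = fallback;
        this.pdp = pdp;
    }

    @Override
    public boolean implies(ProtectionDomain domain, Permission p) {
        // Only web resource checks are delegated; other permissions stay local.
        if (!(p instanceof WebResourcePermission)) {
            return fallback != null && fallback.implies(domain, p);
        }
        try {
            Set<String> callers = new HashSet<>();
            for (Principal pr : domain.getPrincipals()) callers.add(pr.getName());
            return pdp.isAllowed(callers, PolicyContext.getContextID(),
                                 p.getName(), p.getActions());
        } catch (Exception e) {
            return false;            // engine unreachable or errored: deny
        }
    }

    // Builds the kind of domain a container passes in: caller principals only.
    static ProtectionDomain caller(String user) {
        return new ProtectionDomain(null, null, null, new Principal[] { () -> user });
    }

    public static void main(String[] args) {
        // Constructed sample rule: only "alice" may reach /admin/*; no other rules exist.
        DecisionPoint pdp = (callers, ctx, uri, methods) -> {
            if (!uri.startsWith("/admin/")) throw new IllegalStateException("no rule");
            return callers.contains("alice");
        };
        Policy policy = new DelegatingPolicy(null, pdp);
        System.out.println(policy.implies(caller("alice"), new WebResourcePermission("/admin/users", "GET")));
        System.out.println(policy.implies(caller("bob"), new WebResourcePermission("/admin/users", "GET")));
        System.out.println(policy.implies(caller("alice"), new WebResourcePermission("/public/x", "GET")));
    }
}
```

The third call exercises the error path: the constructed engine throws for a resource it has no rule for, and the policy treats that as a denial rather than letting the request through.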