Security Beta Ships for Multi-Platform Web Services

Java, .Net and Open Source developers should be able to centrally manage security for the web-based applications, including web services. That's the vision of Cafesoft, a start-up security firm in San Diego. Take a look inside at a beta version of single sign-on security software -- and even download some beta software for free.


A small San Diego start-up is preparing later this quarter to ship the first commercial version of its centrally manageable security software, custom-designed to support cross-platform web services and web-based applications.

The company, Cafesoft, has dubbed its first product Cams (Cafesoft Access Management System). The first public beta release of its security suite is available now as a free download for web applications running on Apache and Tomcat for both Linux and Windows NT/2000.

While Cams 1.0 will focus its security support on cross-platform Apache and Tomcat applications running across multiple servers, Cafesoft CEO Gary Gwin said the company's ultimate goal is a single sign-on technology platform that developers and sysadmins can use across multiple web services environments: J2EE, .Net and Open Source.

"Getting application security to work cohesively across web tiers is a difficult challenge for any programming staff, so this is where Cams comes into play," Gwin told Integration Developer News. Cams leverages the Apache Portable RT Library, and includes single sign-on and fine-grained access control to web server content and J2EE applications. Gwin said he also intends to fit Cams to support .NET web services.

To that end, Cams has flexible, open APIs and ships with the source code for the web agents (currently Apache and Tomcat) and login modules (SQL and LDAP user repository support). This allows customers to tweak existing components for which source is provided -- or write their own. In addition, users can modify source that ships with Cams to create web agents for key commercial software platforms Cafesoft does not currently support (such as Microsoft .NET platforms, as well as vendor-specific Java application servers including BEA, JBoss, SunONE and IBM).

Expanded out-of-the-box support for both J2EE application servers and .NET framework applications is also planned. Gwin told IDN that later in 2003, Cams will bundle more support for commercial J2EE and .NET platforms by adding support for SAML 1.0 and other access control standards. This enhancement will also better enable Cams to support installations that use a combination of Open Source and Java/.NET technologies, he added.

"We're encouraged that the Java and .NET worlds are beginning to converge on some security standards, and we certainly intend to implement those, like SAML, where bundling those technologies into Cams will make life easier for the developer and those responsible for security," Gwin said.

Inside Cams Security Approach
Cams centralizes Apache/Tomcat application security administration and access control, rather than requiring developers or sysadmins to build an access control system into each application and server. Cams also delivers single sign-on across multiple web servers and web-based applications by providing a platform on which those servers can securely share authentication and access control information.

But what about other providers of Apache-centric management and security services, such as Covalent? "Unlike Covalent, we created our own software from the ground up because our requirement was to set the stage to get our security software to run on various OSes, ranging from Linux, Unix, NT and Mac," Gwin explained. The inspiration for Cams came from Gwin's work in professional services for commercial clients seeking a more centralized way to invoke and manage application-level security for multiple web and legacy servers.

The key to Cams' multi-server security support is Cafesoft's decision to integrate a native user repository with industry-standard LDAP (directory) and SQL databases. This approach also supports other repositories through the Java JAAS (Java Authentication and Authorization Service) API.

Other Cams features include:
  • Single-sign-on to multiple web applications
  • Business policy-driven access control
  • Centralized and delegated management of permissions
  • Flexibility to extend via APIs and integrate with other software
  • Cross-platform support, including Linux

  • Various components of the Cams architecture include more than two dozen granular applets for setting, managing and troubleshooting access control to application and data layers. These include:
    • Caches AccessControlCheck instances.
    • The interface to an AccessControlRequest for a Cafesoft SecurityDomain's Access Control Engine.
    • Defines the interface to an AccessControlResponse corresponding to an AccessControlRequest to a Cafesoft SecurityDomain's Access Control Engine.
    • Defines an interface for a rule that implements access control logic.
    • A tagging interface that identifies a class as a valid child "element" within an
    • Defines the interface for classes that load, store, create and remove AccessControlRule instances.
    • Defines an interface for a client-side AccessControlService hosted under a CamsClient.
    • Extends the AccessControlRequest by adding methods that allow it to be mutable.
    • Internal representation of the AccessControlResponse object.
    • Represents an entitlement or authorization to access a set of Resources.
    • Represents a homogeneous collection of non-overlapping Permission instances.
    • Defines the interface for a class that can create Permission instances based on: a Permission type, a resource pattern, a list of actions and either an AccessControlRule or a SecurityDomain name. The resources matching a Permission are either protected by an AccessControlRule or by another SecurityDomain to which access control is delegated.
    • Defines an interface for iterating over Permissions.
    • Represents a set of Resources using a pattern that matches Resource identifiers.
    • Represents a user or system's request for a generic Resource, which may be protected by the Cafesoft Access Management System.
    • Defines the interface for a class that can create ResourceRequest instances based on: a resource type, a resource identifier.

  A full description of the Cams components is available.

"The Cams architecture allows developers to use the same security infrastructure to protect resources across web and application tiers," Gwin said. Cams uses caching at both the agent and server levels to ensure that the access control logic for frequently accessed resources stays memory resident.

Load balancing is achieved by distributing requests across agents on the front end, Gwin added. Cams also allows developers and sysadmins to use standard J2EE security services within supported containers, and the Cams open API lets developers extend Cams and integrate it with other software.
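As an added illustration (not Cafesoft's code), the following Java 16+ model follows the component descriptions above: a Permission ties a resource pattern ('*' matches one path segment, '**' any depth) and a set of actions to an AccessControlRule, and the engine turns an AccessControlRequest into an AccessControlResponse, deny-by-default, with the response cache the article mentions. All class names, the pattern syntax and the sample policy are assumptions chosen to mirror the descriptions, not Cams' actual API.

```java
import java.util.*;
import java.util.regex.Pattern;
// Illustrative model (not Cafesoft's API) of the objects described in the article: a Permission
// ties a resource pattern and actions to an AccessControlRule; the engine evaluates and caches.
public class AccessControlDemo {
    record AccessControlRequest(String principal, Set<String> roles, String resourceId, String action) {}
    record AccessControlResponse(boolean granted, String reason) {}
    interface AccessControlRule { boolean allows(AccessControlRequest r); }
    record Permission(Pattern resources, Set<String> actions, AccessControlRule rule) {
        static Permission of(String glob, Set<String> actions, AccessControlRule rule) {
            StringBuilder re = new StringBuilder("^");
            for (int i = 0; i < glob.length(); i++) {
                char c = glob.charAt(i);
                if (c != '*') re.append(Pattern.quote(String.valueOf(c)));
                else if (i + 1 < glob.length() && glob.charAt(i + 1) == '*') { re.append(".*"); i++; }
                else re.append("[^/]*");
            }
            return new Permission(Pattern.compile(re.append('$').toString()), actions, rule);
        }
        boolean matches(AccessControlRequest r) {
            return resources.matcher(r.resourceId()).matches() && actions.contains(r.action());
        }
    }
    static class AccessControlEngine {
        private final List<Permission> permissions = new ArrayList<>();
        private final Map<String, AccessControlResponse> cache = new HashMap<>();
        void add(Permission p) { permissions.add(p); cache.clear(); } // policy change invalidates the cache
        AccessControlResponse check(AccessControlRequest r) {
            // The key covers everything the decision depends on, so a role change cannot hit a stale grant.
            String key = r.principal() + "|" + new TreeSet<>(r.roles()) + "|" + r.resourceId() + "|" + r.action();
            AccessControlResponse resp = cache.get(key);
            if (resp != null) return resp;
            resp = new AccessControlResponse(false, "no matching permission"); // deny by default
            for (Permission p : permissions) {
                if (!p.matches(r)) continue;
                resp = p.rule().allows(r) ? new AccessControlResponse(true, "rule allowed") : new AccessControlResponse(false, "rule denied");
                break; // permissions are non-overlapping, so the first match decides
            }
            cache.put(key, resp);
            return resp;
        }
    }
    public static void main(String[] args) {
        AccessControlEngine engine = new AccessControlEngine();
        engine.add(Permission.of("/app/admin/**", Set.of("GET", "POST"), r -> r.roles().contains("admin")));
        engine.add(Permission.of("/app/*", Set.of("GET"), r -> !r.roles().isEmpty()));
        var req = new AccessControlRequest("alice", Set.of("user"), "/app/admin/users", "GET"); // constructed sample
        System.out.println(engine.check(req)); // the admin permission matches, and its rule denies a non-admin
    }
}
```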