Single Sign-On Ships for Microsoft, Java, Apache

A small San Diego web services security firm is shipping a centrally manageable security software solution to offer developers and sysadmins single-sign-on capabilities for mixed apps using Microsoft, Java and Open Source technologies. See how cross-platform identity and security management might not have to wait for next-gen standards. Also, get the free download.

Tags: Cams, Security, Server, Apache, Microsoft, Support, Open Source,

Web services security firm Cafésoft is offering developers and sysadmins a single-sign-on solution that will work across mixed Microsoft, Java, Unix and Apache application platforms.

Rather than requiring developers to implement security into each application or node, Cams offers a centralized approach to application security enforcement and management.

The key to cross-platform SSO, Gary Gwin, Cafésoft president and CEO told IDN, is a two-step architecture that consists of Cafésoft's centralized Cams security server augmented by a family of "web agents" that connect the central Cams server to a variety of app server platforms, including Microsoft's IIS, Open Source Apache and Tomcat, and J2EE app servers BEA WebLogic and JBoss, as well as Oracle's 9iAS.

"With Cams, you centralize security management in these heterogeneous environments," Gwin added. "Even if you use only IIS, Cams provides web single-sign-on and many other features that make it advantageous to use, such as support for MS-SQL, Active Directory and LDAP user directories."
Cams' service-oriented architecture deploys into heterogeneous environments and scales for high-volume sites.

Cams provides user directory integration with industry-standard LDAP and SQL databases, including Microsoft SQL Server, Microsoft Active Directory and Microsoft SiteServer LDAP. In addition to web and application servers, custom Java and C/C++ applications can be secured by integrating Cams clients into each application.

Primary product features include:
  • Web single sign-on to multiple web applications and servers;
  • Access control based on roles (RBAC), date/time, location and custom rules;
  • Centralized application security policy management and event logging;
  • Flexible extension via open APIs to integrate with a wide variety of commercial and Open Source software platforms; and
  • Integrated cross-platform support across Windows NT/2000/2003, Linux/UNIX and Solaris.

Gwin is already seeing a positive response, especially from companies that want to more tightly integrate their Java, Microsoft or Apache/Tomcat web and web services applications. "We're seeing quite a few IIS sites with Tomcat, many sites where JBoss is in use or under consideration, and BEA WebLogic, of course, is quite common and is often deployed with Apache as a web proxy," he said. "In short, we're seeing quite a few companies large and small that are combining Open Source with commercial software on the web layer."

Inside the Cams Build-Out
The inspiration for Cams came from Gwin's work in professional services for commercial clients seeking a more centralized way to invoke and manage application-level security for Open Source servers -- one that could work across a mix of commercial web, legacy and Apache/Tomcat servers. Cams also provides web single-sign-on that can cope with managing multiple identities and logins when a user moves between web applications and servers on the same site.

Cams has flexible, open APIs and ships with the source code for the web agents (currently Apache and Tomcat) and login modules (SQL and LDAP user repository support). This allows customers to tweak existing components for which source is provided -- or write their own.

Cams uses a combination of Java, Microsoft and Open Source technologies and approaches to achieve its centralized SSO, Gwin told IDN. "By leveraging JAAS Login Modules and other Java libraries such as JDBC and JLDAP (donated by Novell to OpenLDAP), Cams can use any SQL database or LDAP v3 server for a user directory. For example, we're able to use the JLDAP library with our Login Modules that integrate Cams with Microsoft Active Directory and SiteServer LDAP."

But finding the key to full cross-platform SSO and identity management required Cams to focus on the ways data can be shared or transferred across platforms.

"The most difficult part is how to determine the schema that must be supported. We've tried to make each Login Module as flexible as possible. We also ship the source code for our Login Modules with Cams," Gwin told IDN. "This enables users to customize our Login Modules as required to support custom schemas. Usually, they won't need to do so, but the power is there in case they need to."

He cites the following example: "We have one site that needed to authenticate users against an LDAP server that was outside of their administrative control, and get user role data from a local SQL database. They were able to easily combine the source code from our JDBC and LDAP Login Modules to create a new hybrid JDBC/LDAP Login Module that accomplished their objective."

Cams had some of its roots in working with Apache/Tomcat, and Gwin noted several key lessons from that work that has helped Cams progress to work across Java and Microsoft platforms.

"Having the source code for Tomcat facilitated development of our first web agent," Gwin said. "We were then able to create a native code agent for Apache that followed the same design pattern. If we needed to look under the hood, we did. This paved the way for the IIS web agent, where we leveraged the design and code from the Apache web agent.

"We've not ported changes to the design back and forth a number of times, which has really helped solidify the design. With respect to the user directories, it was very helpful to have all the information on the OpenLDAP site available along with the JLDAP libraries and example code at Novell. We were then able to leverage this same code with minor tweaks to support Active Directory and Microsoft SiteServer LDAP."

A Drill-Down into Cams' SSO Architecture
Another key to Cams' multi-server security support is Cafésoft's decision to integrate a native user repository with industry-standard LDAP (directory) and SQL databases. This approach also supports other repositories through the Java JAAS (Java Authentication and Authorization Service) API.

Other Cams features include:
  • Single-sign-on to multiple web applications
  • Business policy-driven access control
  • Centralized and delegated management of permissions
  • Flexibility to extend via APIs and integrate with other software
  • Cross-platform support, including Linux

Various components of the Cams architecture include more than two dozen granular applets for setting, managing and troubleshooting access control to application and data layers. These include:

Caches AccessControlCheck instances.

The interface to an AccessControlRequest for a Cafesoft SecurityDomain's Access Control Engine.

Defines the interface to an AccessControlResponse corresponding to an
AccessControlRequest to a Cafésoft SecurityDomain's Access Control Engine.

Defines an interface for a rule that implements access control logic.

A tagging interface that identifies a class as a valid child "element" within an

Defines the interface for classes that load, store, create and remove
AccessControlRule instances.

Defines an interface for a client-side AccessControlService hosted under a CamsClient.

Extends the AccessControlRequest by adding methods that allow it to be mutable.

Internal representation of the AccessControlResponse object.

Represents an entitlement or authorization to access a set of Resources.

The PermissionCollection interface represents a homogeneous collection of non-overlapping Permission instances.

Defines the interface for a class that can create Permission instances based on: a Permission type, a resource pattern, a list of actions and either an AccessControlRule or a SecurityDomain name The resources matching a Permission are either protected by an AccessControlRule or by another SecurityDomain to which access control is delegated.

Defines an interface for iterating over Permissions.

The ResourcePattern interface represents a set of Resources using a pattern that matches Resource identifiers.

Represents a user or system's request for a generic Resource, which may be protected by the Cafésoft Access Management System.

Defines the interface for a class that can create ResourceRequest instances based on: a resource type, a resource identifier.

A full description of the Cams components is available.

"The Cams architecture allows developers to use the same security infrastructure to protect resources across web and application tiers," Gwin said. Cams utilizes caching at both the agent and server levels to ensure that the logic for frequently accessed resources is memory resident.

Load balancing is achieved by distributing requests across agents on the front end, he added. Cams also allows developers and sysadmins to support standard J2EE security services within supported containers. In addition, the Cams open API also empowers developers to extend and integrate Cams with other software.