US Department of Energy signs on to J2EE
By Jian Zhong and Mike Lehr
Create a secure single sign-on Web service for multiple n-tier Web applications
As part of the Energy Information Administration's (EIA) ongoing commitment to provide better products and services with increasing efficiency, the EIA's Office of Information Technology (OIT) promised to deliver Web-based data-collection services in limited time and with minimal expense. Therefore, the OIT's technical team developed applications serially, with little opportunity to deploy highly generalized, reusable components. Meanwhile, as development progressed, the IT industry made significant technology advances, and EIA acquired many new technologies at the infrastructure level. In the industry, Java 2 Platform, Enterprise Edition (J2EE) standards and specifications evolved, and many vendors started to support them at different levels. At EIA, we purchased new hardware; acquired licenses for a J2EE server that could support Enterprise JavaBeans (EJB), including session beans and entity beans; deployed many other new key infrastructure components, such as Virtual Private Network (VPN) and Oracle's Virtual Private Database (VPD); and researched LDAP (Lightweight Directory Access Protocol) and Kerberos authentication in our intranet and Internet environment. We both played key roles in architecting the EIA's Web applications and setting up their security. Jian Zhong is the technical lead on most OIT Internet data-collection projects, while Mike Lehr acts as OIT's senior application security architect on those same projects.
Based on Zhong's simple methodology, first introduced in "Step into the J2EE Architecture and Process" (JavaWorld, September 2001), we built the first Java Web application using J2EE technologies at EIA. This project won the US Department of Energy's 2001 Technical Excellence Award and helped us gain approval for a second project: a similar Web application with a legacy database containing about 85 tables. The second project involved Web-enabling the data-collection process for one EIA survey. This project, which is going live as we write this article, took only about four months to complete. It went more smoothly than the first project, and we again satisfied the customer's requirements and delivered on time with minimal cost. As each success within the organization improved our position and enlarged our codebase, we thought more seriously about productive, reusable technologies that would require a small degree of up-front investment.
The circumstances and the challenge before us were both commonplace: we needed to find a practical way of gradually implementing more efficient technology and, if possible, retrofitting it to existing applications. After consulting with management, we decided to implement a reusable single sign-on (SSO) component. Two familiar business requirements drove this decision:
The need to accommodate large projected increases in e-business partners. The EIA has two main classes of e-business partners: respondents, who submit survey data electronically, and employees (both federal and contractor).
Heightened security concerns in response to terrorist activity. Respondents no longer send paper forms because of recent terrorist events, and thus we have an urgent need to deploy electronic submissions for many surveys. Many respondents will submit for more than one survey as well.
In this scenario, SSO has several advantages. Developing one relatively high-quality SSO component allows better safeguards than developing individual sign-on modules for each application. SSO enables more consistent, centralized, and efficient user administration. It gives security personnel standard and centralized resources, for monitoring failed and successful logons, for example. Equally important, users can conduct their business more quickly and conveniently, partly because they avoid the nuisance of repeated logins, and partly because they can easily change their profiles in one place. The Open Group's "Introduction to Single Sign-On" discusses SSO's advantages in more detail.
Business process and requirements analysis
The EIA manages more than 80 energy information surveys. Each program office division manages its own surveys. Currently, only a few surveys are Web enabled. Some users respond to many surveys, while other users respond to the same survey on behalf of many firms. Survey data are submitted via fax, email, telephone, and so on, and are processed in ways appropriate to the particular survey.
We envision that virtually all surveys will be Web enabled so that respondents can at least submit survey data directly from their browsers. As each survey Web application comes online, user authentication will be required, and some respondents will need to authenticate to many applications. The EIA is also bringing intranet applications online, for which EIA contractors and staff require authentication services.
Figure 1 shows the network topology of our enterprise architecture.
Figure 1. Network topology for many n-tier Web applications in an enterprise
How the architecture works from a user's perspective
The SSO application is really a Web service to other Web applications, although this might not be apparent from a user's perspective. For users, the ideal situation would follow these steps:
A user (respondent, contractor, or staff member) goes to the EIA-wide sign-on page
The page asks the user to provide a username and credentials
If the credentials are verified, the user sees a list of Web applications (e.g., surveys) that he has permission to access
If a respondent or internal user tries to access a Web application without authentication, he is redirected to the EIA-wide sign-on page
When visiting other Web applications for which he is authorized, the user is not challenged about his identity because he is already authenticated
When the user signs off from one application, he remains logged in to other applications
How the architecture works from a developer's perspective
From the user's viewpoint, the requirements look simple. Now let's further examine how we could develop each of the many Web applications. We find the first factor common in organizational life: the many Web applications we wish to support are managed by different divisions, developed by different contractors (at different times), and deployed on different application servers (see Figure 2's UML diagram). A key success factor for us was defining an architecture that would accommodate these realities, and then properly defining the SSO solution's scope and staging. A large-scope solution must accommodate a range of somewhat dissimilar tools and provide for the fact that applications cannot all migrate at once. On the other hand, a project covering too small a scope would not be worthwhile.
Figure 2. UML for the development process of many n-tier Web applications
How the architecture works from an architect's perspective
Clearly, a suitable architecture for us had to meet several design goals. It needed to:
Provide SSO services to many n-tier Web applications
Support centralized, enforceable, and efficient security administration
Allow gradual deployment (i.e., not all Web applications need to adopt it at once)
Be consistent with J2EE standards and suitable for use with generic J2EE applications (including those not yet designed)
Extend to non-J2EE applications
Support federation (sharing) of user identities across enterprises
Be simple and quick to develop (to keep costs down)
Provide quick and easy retrofitting to existing J2EE applications
Work with commercial off-the-shelf (COTS) tools (e.g., LDAP) when they are available or when they represent the most appropriate source of desired functionality
Support different kinds of credentials for different users, both passwords and certificates, for example
Comply with existing security standards, such as password requirements
Approaches to authentication and SSO
We wanted a good context in which to evaluate different solutions to our problem, so we reviewed the current state of industry standards and products for authentication and SSO. We first looked at relevant parts of the J2EE specification and at the J2EE BluePrints program. Then we reviewed COTS offerings from several vendors.
What is in the J2EE spec?
Both the servlet and Enterprise JavaBean (EJB) specifications offer similar methods for accessing user identity and role information after the user authenticates. However, the servlet and EJB specifications do not define how to achieve authentication or SSO; that is left to individual vendors. In javax.servlet, programmatic security consists of the following javax.servlet.http.HttpServletRequest methods:
java.lang.String getRemoteUser()
boolean isUserInRole(String role)
java.security.Principal getUserPrincipal()
The getRemoteUser() method returns the client's authentication username. The isUserInRole() method determines if a remote user is in a specified security role. The getUserPrincipal() method determines the principal name of the current user and returns a java.security.Principal object.
The EJB container must provide access to the caller's security context information from the enterprise beans' instances via the getCallerPrincipal() and isCallerInRole(String roleName) methods. The security methods in javax.ejb.EJBContext are:
java.security.Principal getCallerPrincipal();
boolean isCallerInRole(String roleName);
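The following servlet filter is an added example, not code from the EIA project or from the article, showing how the user-facing flow described earlier (an unauthenticated user is redirected to the EIA-wide sign-on page; an authenticated user passes through without a new challenge) can be enforced in a J2EE Web application using only the three HttpServletRequest methods listed above. The sign-on path /sso/signon, the init-parameter names signOnUrl and requiredRole, and the role name respondent are assumptions for illustration; the container, not this filter, performs the actual authentication and populates the principal and roles.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * SsoGateFilter: gates every mapped URL behind the enterprise sign-on page.
 * Added example; not the article's or the EIA's code.
 */
public class SsoGateFilter implements Filter {

    // Hypothetical defaults; the article names an "EIA-wide sign-on page"
    // but gives no URL, so both values here are placeholders.
    private String signOnUrl = "/sso/signon";
    private String requiredRole = "respondent";
    private ServletContext context;

    public void init(FilterConfig config) throws ServletException {
        context = config.getServletContext();
        // Optional overrides from <init-param> entries in web.xml (assumed names).
        String url = config.getInitParameter("signOnUrl");
        if (url != null) {
            signOnUrl = url;
        }
        String role = config.getInitParameter("requiredRole");
        if (role != null) {
            requiredRole = role;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // 1. Not authenticated: the container has no principal for this request,
        //    so send the user to the sign-on page, remembering only the
        //    same-application path so the return target cannot point off-site.
        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            String returnPath = request.getRequestURI();
            context.log("SSO gate: unauthenticated request for " + returnPath);
            response.sendRedirect(signOnUrl + "?return=" + URLEncoder.encode(returnPath, "UTF-8"));
            return;
        }

        // 2. Authenticated but not authorized for this application: refuse,
        //    and record the user name for the centralized logon monitoring
        //    the article describes as an SSO benefit.
        if (!request.isUserInRole(requiredRole)) {
            context.log("SSO gate: user " + request.getRemoteUser()
                    + " lacks role " + requiredRole + " for " + request.getRequestURI());
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // 3. Authenticated and authorized: no further challenge, continue the chain.
        chain.doFilter(request, response);
    }

    public void destroy() {
        context = null;
    }
}
```

The filter is registered in the application's web.xml with a <filter> element and a <filter-mapping> covering the protected URL pattern; because each Web application carries its own mapping, applications can adopt the gate one at a time, which matches the gradual-deployment goal listed below. Note that getUserPrincipal() returns null until the container has authenticated the user, so the redirect branch is taken on the very first request and never again for the life of the authenticated session.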
How do BluePrints handle authentication?
As evidence that the specifications for authentication and SSO are not yet stable, we note that successive versions of J2EE BluePrints (i.e., for the Java Pet Store) have offered different solutions to these problems. Version 1.0.1 offered a form-based architecture solution, 1.1.2 offered a servlet-based architecture, and 1.3 offered a filter architecture. We considered