But where does it fit in our enterprise IT landscape? I will try to explain it in layman's IT terms.
1) A typical enterprise deployment landscape consists of a firewall, a web server and an enterprise application server. In the application server, applications run inside containers. Inside the containers are components such as web pages, JSPs, Servlets and Enterprise JavaBeans, and inside those, of course, is the Java code itself, which consists of objects. Now let's take a look at the various levels of security in this landscape.
2) The client submits a request, which must first traverse the firewall. To let it through, the firewall inspects the packets the client transmits: their origin (where the client came from), the protocol used, perhaps the port number used to connect, and possibly a variety of other factors. These checks are done at the network level, so the firewall is responsible for network-level security. It knows nothing about the user.
3) Once the request reaches the web server, authentication can happen. The identity is typically packaged into a token, which is then delivered to the application server; the application server decodes the token and learns the identity of the user. Note that the application server must also validate the token (its signature and expiry) rather than merely decode it, otherwise anything that can reach the application server could present a forged identity.
4) Once we know the identity, we can start applying authorization decisions. The decisions available at this point are relatively coarse-grained: whether the request is allowed to access this particular application or not. This is application-level security.
Here we can make use of Oracle Access Manager that ca
If OAM is aware of the URL tha
We can also use other products, such as Oracl
5) The container is aware of the components inside the application and can enforce security for them, so the container is the enforcement point for access to those components.
Further below container, it is Enterprise
6) Inside a component we have logical objects such as web services, a piece of Java code or a SQL query. Here we need to compute permissions for these logical objects.
Now who enforces security here? There is nothing known which can do this job easily. So everyone writes cus
Since we are writing t
7) This is where Oracle Entitlement Server comes in. With OES we can secure not only logical objects but also components and much more.
8) Advantages of using OES over custom code:
- a) OES comes with an administration application, which makes life much easier.
- b) The rules are maintained at one central point. Having everything in one place helps with monitoring, auditing and reporting for compliance purposes.
- c) Security modules perform all the authorization decisions for the protected resources at run time. They support flexible topologies: they can be embedded in the application or centralized.
- d) OES offers web services interfaces, hence the ability to integrate it with non-Java platforms such as .NET or SharePoint servers, which are very common in the enterprise.
- e) If the requirement changes, we don't need to rewrite the code. A few policy changes and we are done. That saves a lot of effort and money.
- f) At a high level, it can also perform fine-grained authorization: it can authorize on attributes (security role, etc.) that OAM or OAAM cannot evaluate. Suppose we get a complex requirement that validates many things before granting access. Since OAM and OAAM might not be able to evaluate such complex rules, we would normally have to handle it in code, but with OES it is easily achieved.
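As an added illustration of points 6) to 8) (this is not code from the post, and not OES or its security-module API), here is a toy attribute-based policy decision point in Python. `place_order_hardcoded` is the "custom code" approach, with the check buried in the component; `place_order` instead asks a central rule set, so a later requirement (a regional limit, a read-only compliance role) becomes a rule change plus an audit entry rather than a code change, and a rule whose condition blows up fails closed. All names (`Request`, `Rule`, `PolicyDecisionPoint`, `TradeService.placeOrder`, the roles and amount limits) are assumptions made up for the example.

```python
"""Toy attribute-based policy decision point (PDP), added as an illustration.

Not OES code and not its API. It only shows the pattern described in the post:
a central rule set, evaluated by a small "security module" that the component
calls instead of hard-coding its own checks. Every name here is an assumption.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset              # security roles carried in the identity token
    attrs: Dict[str, object]      # other subject/context attributes (region, amount, ...)
    resource: str                 # logical object, e.g. "TradeService.placeOrder"
    action: str                   # e.g. "invoke" or "read"


@dataclass(frozen=True)
class Rule:
    name: str
    resource: str                 # glob pattern matched against the resource name
    action: str
    effect: str                   # "permit" or "deny"
    condition: Callable[[Request], bool] = lambda r: True


class PolicyDecisionPoint:
    """Deny-overrides combining: any matching deny wins, otherwise any matching
    permit, otherwise the default is deny. Every decision lands in one audit trail,
    which is the central monitoring/reporting point the post talks about."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.audit: List[Tuple[str, str, str, str]] = []   # (user, resource, decision, rule)

    def _record(self, req: Request, decision: str, by: str) -> str:
        self.audit.append((req.user, req.resource, decision, by))
        return decision

    def decide(self, req: Request) -> str:
        permit_by: Optional[str] = None
        for rule in self.rules:
            if not (fnmatch(req.resource, rule.resource) and rule.action == req.action):
                continue
            try:
                applicable = rule.condition(req)
            except Exception:
                applicable = False        # a broken condition must never become a permit
            if not applicable:
                continue
            if rule.effect == "deny":
                return self._record(req, "deny", rule.name)
            permit_by = permit_by or rule.name
        return self._record(req, "permit" if permit_by else "deny", permit_by or "default-deny")


# 1) The "custom code" way: the check lives inside the component. Adding a
#    per-region limit means editing and redeploying this component.
def place_order_hardcoded(roles: Set[str], amount: float) -> bool:
    return "trader" in roles and amount <= 10000


# 2) The policy way: the same requirement, plus two later changes (EMEA traders
#    capped at 5000; compliance may read everything), held in one place as rules.
#    Nothing in the component changes when the rules do.
RULES = [
    Rule("traders-may-trade", "TradeService.placeOrder", "invoke", "permit",
         lambda r: "trader" in r.roles and r.attrs.get("amount", 0) <= 10000),
    Rule("emea-limit", "TradeService.placeOrder", "invoke", "deny",
         lambda r: r.attrs.get("region") == "EMEA" and r.attrs.get("amount", 0) > 5000),
    Rule("compliance-read-all", "TradeService.*", "read", "permit",
         lambda r: "compliance" in r.roles),
]


def place_order(pdp: PolicyDecisionPoint, user: str, roles, region: str, amount) -> bool:
    """The component delegates: it asks the PDP and acts only on an explicit permit."""
    req = Request(user, frozenset(roles), {"region": region, "amount": amount},
                  "TradeService.placeOrder", "invoke")
    return pdp.decide(req) == "permit"


if __name__ == "__main__":
    pdp = PolicyDecisionPoint(RULES)
    print(place_order(pdp, "alice", {"trader"}, "APAC", 8000))   # permit
    print(place_order(pdp, "bob", {"trader"}, "EMEA", 8000))     # deny: emea-limit
    print(place_order(pdp, "carol", {"clerk"}, "APAC", 100))     # deny: default
    for entry in pdp.audit:
        print(entry)
```

The rule conditions are plain Python callables here only to keep the example short; in a real deployment they would be policy data in the administration store, with the security module caching and evaluating them at run time.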
I hope this gives some idea of what OES is and where it fits.
Stay tuned for more OES related articles.
Reference: Oracle OES