Updated: 2.9.2002; 22:17:40 GMT

Security Weblog



Tuesday, August 13, 2002

Tech series - access management with a portal

Let's say you want to let your partners manage the users who access your extranet. Sounds like identity management ... and everybody is doing this identity management thing today, aren't they? So to make it a bit more interesting, let's say you have a portal in place that already takes care of security, personalisation and session management. And yes, the portal is custom-made, developed a couple of years ago, and you have no access to its source code and of course no documentation. What do you do?

Option 1. Put an access management system in front of the portal to authenticate users, then rewrite the request headers with the userid of the authenticated user and send the request on to the portal servlets. Hmm, but this requires modifying the portal code to extract the userid, which we don't want to do...

Option 2. Put an access proxy in front of the portal that would authenticate users and then impersonate them to the portal, i.e. it challenges a user to log in, intercepts his or her username and password, authenticates him/her against the directory, connects to the portal, sends in the username and password and then relays all the communication between the user and the portal. Smart, isn't it... or is it? In fact, since the proxy and the portal each have their own LDAP schema, this wouldn't work. Attempts to merge the schemas would likely fail because this would break the functioning of either the proxy or the portal. And because directory replication is not able to handle the translation between the schemas, you have to use a metadirectory. Which means an additional product, additional costs, and performance and synchronisation issues. Not a straightforward, simple and cheap option.
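The header rewriting of Option 1, as an added example that is not code from the original post: a minimal front-end function that authenticates the request against a constructed in-memory stand-in for the directory, discards any identity header the client supplied itself, and only then sets the userid header the portal servlets would read. The header name X-Portal-UserID and the user table are assumptions.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the directory bind: username -> SHA-256 of the password.
DIRECTORY = {
    "alice": hashlib.sha256(b"correct horse").hexdigest(),
}

# Assumed name of the header the portal trusts for the authenticated user's id.
USERID_HEADER = "X-Portal-UserID"


def basic_header(user, password):
    """Build an HTTP Basic Authorization value (used to construct sample requests)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def authenticate(headers):
    """Return the username if the Basic credentials check out, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8")
        user, _, password = decoded.partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = DIRECTORY.get(user)
    if expected is None:
        return None
    digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
    return user if hmac.compare_digest(digest, expected) else None


def rewrite_for_portal(headers):
    """Return the headers to forward to the portal, or None if not authenticated.

    Whatever identity header the client sent (in any letter case) is dropped before
    the proxy sets its own, so a request cannot choose its portal identity by
    supplying the header itself. The Authorization header stays with the proxy.
    """
    user = authenticate(headers)
    if user is None:
        return None
    dropped = {USERID_HEADER.lower(), "authorization"}
    forwarded = {k: v for k, v in headers.items() if k.lower() not in dropped}
    forwarded[USERID_HEADER] = user
    return forwarded
```

This only holds if the portal accepts connections from the proxy alone; a client that can reach the portal servlets directly can set the header itself.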

10:34:39 PM
The Open Group Mobile Directory Business Scenario

"The Scenario envisages an architecture where applications and intelligent network components access information stored in Directories in order to support mobility. Some of that information is generated by applications and system administrators. Some of it is generated in real-time by network components."

10:06:31 PM

Bruce Schneier made it into the Atlantic Online. Great. But otherwise I think he has lost his edge a bit since he started a company. It is perhaps tough to have a business to run and still keep up to date with all the things that are rolling on outside you. [link from matt]

9:27:18 PM

Older but useful: brief on METADirectories (from METAGroup;-)

8:47:13 PM

Copyright 2002 © Jiri Ludvik.