Security Provider Service

Purpose

The J2EE Engine supports the architecture defined in the Sun J2EE 1.3 Specification. The architectural requirements of this specification concerning security are:

·        Portability – the J2EE Engine supports the “Write Once, Run Anywhere” application feature.

·        Isolation – the J2EE Engine platform performs authentication. It also enforces access control according to the deployer’s instructions in the deployment attributes, which the system administrator can configure.

·        Extensibility – using the J2EE Engine security functions from security-enabled applications does not influence the portability of these applications.

·        Flexibility – the security mechanisms used by an application are checked against the security policy, which makes it easier to meet the security requirements of a particular J2EE installation or application.

·        Abstraction – the security demands of the application components are specified logically in the deployment descriptors. The deployment descriptors enable you to describe exactly how the security roles for access rights are organized. The J2EE Engine Security Provider service enables the deployer to change the security properties.

·        Independence – the behavior of the Security Provider service and the deployment contracts can be implemented with various security technologies.

·        Compatibility testing – the J2EE Engine security architecture is designed to avoid ambiguity, which improves the compatibility of implementations.

·        Secure interoperability – the components of an application that are executed on the J2EE Engine can call the services provided by the J2EE Engine, or by other providers, despite the differences in their security policy.

Integration

The Security Provider service integrates with the related security services. You can perform authorization checks on users’ permissions using a certificate generated by the Key Storage service, or enforce the privacy of a connection using the SSL Provider service. These different security aspects are described later in the documentation.

Features

The Security Provider service enables you to manage the security policy, the users, the authentication and authorization mechanisms on the system, and to restrict access to the resources or the applications deployed on the J2EE Engine. The Security Provider service consists of the following main modules:

Security Provider Modules

| Module | Description | Further Information |
|---|---|---|
| Authorization management | You can maintain the authorization mechanisms used on the J2EE Engine. | See Users and Authorizations on the J2EE Engine. |
| Authentication (login modules management) | You can manage the authentication mechanisms on the J2EE Engine and on the applications running on it. The J2EE Engine fully supports the JAAS specification. | See Authentication on J2EE Engine. |
| Log on to the server | This module authenticates users to the server and thereby determines whether they are granted access to the security-sensitive resources on the J2EE Engine and on the applications running on it. | See Logging on to the J2EE Engine. |
| Protection domains management | You can perform code-based security operations for the sensitive resources of the J2EE Engine or of the applications running on it. That is, not only users are subject to restrictions: an application’s access to different resources can also be controlled. | See Managing Protection Domains and Managing Code Based Permissions. |
| Resource management | You can restrict access to the resources on the J2EE Engine or on the applications running on it. That is, you can assign specific rights to a user or an application, which control its behavior. | See Resource Management. |
| Roles management | You can create security roles and map users and groups to them. The role is the link between a set of permissions and the users or groups that hold them: permissions or restrictions added to the role later apply to all users mapped to it. | See Security Roles Management. |
| Securing connections | This module lets you connect using different types of security layers. To use them you need the Key Storage and SSL Provider services. | See Key Storage Service and SSL Provider Service. |
| Users and user store management | Enables you to manage users and groups, as well as the user store configurations on the J2EE Engine. | See J2EE Engine User Management Using the Visual Administrator. |
| Cryptography | You can manage the order of the cryptography providers. | See Managing Cryptography Providers. |
| User’s sessions | Management of the users’ sessions. | See Managing Login Sessions. |
| User Storage service | A service that maintains the DBMS user store. | See User Storage Service. |
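The Abstraction requirement listed under Purpose and the Roles management module above both rest on the same mechanism: the application declares logical security roles and constraints in its deployment descriptor, and the deployer maps those roles to real users and groups on the server. The following web.xml (Servlet 2.3, as required by J2EE 1.3) is an added illustration of that declarative model; it is not taken from the SAP documentation or from the J2EE Engine, and the servlet class, URL patterns, role names and realm name are assumed values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<!-- Constructed example (not from the SAP documentation): the servlet class,
     URL patterns, role names and realm name below are assumptions. -->
<web-app>
  <display-name>Order Processing</display-name>

  <servlet>
    <servlet-name>OrderServlet</servlet-name>
    <servlet-class>com.example.orders.OrderServlet</servlet-class>
    <!-- The servlet code calls request.isUserInRole("mgr"). The role-link
         binds that hard-coded name to the declared role "order-manager",
         so the code never depends on the names used in the user store. -->
    <security-role-ref>
      <role-name>mgr</role-name>
      <role-link>order-manager</role-link>
    </security-role-ref>
  </servlet>
  <servlet-mapping>
    <servlet-name>OrderServlet</servlet-name>
    <url-pattern>/orders/*</url-pattern>
  </servlet-mapping>

  <!-- Declarative access control: only callers in the listed role may reach
       /orders/*, and only over a confidential (SSL) transport. No
       <http-method> elements are given on purpose: listing some methods
       would constrain only those and leave every other method unprotected. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Order administration</web-resource-name>
      <url-pattern>/orders/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>order-manager</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Authentication mechanism for the application. Which login module
       actually verifies the credentials is configured on the server
       (JAAS login modules), not in this descriptor. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>orders</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Logical role declaration. Mapping it to users and groups is done by
       the deployer on the server, never inside the application. -->
  <security-role>
    <description>May create and approve orders</description>
    <role-name>order-manager</role-name>
  </security-role>
</web-app>
```

The descriptor names only the logical role order-manager; mapping that role to actual users or groups is the deployer’s task in the Security Provider service, and it is this separation that keeps the application portable across installations and user stores. The CONFIDENTIAL transport guarantee is what ties the authorization rule to the SSL Provider service mentioned under Integration: the container refuses to serve the protected URLs over a plain connection instead of relying on the application to check.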
