Miscellaneous Topics in Access Management
There are a few items we haven't covered in the course of our study of the
LIMA Access Management model, so let's do so right away.
Protecting Non-Web Applications
While web applications are the bulk of an organisation's modern fleet of
applications, there are important applications built using earlier generations
of technologies.
Native Windows-based applications are probably the second-largest group.
Standalone Java applications are probably another significant group.
Mainframe-based “green screen” applications are a third set altogether.
And then there are Unix system accounts.
Let's be realistic. We can't provide a seamless IAM “layer” over all these
disparate types of applications, but we can come pretty close. Here's how.
Windows-native applications can use SPNEGO directly and transparently
authenticate against Active Directory. They'll need to skip coarse-grained
authorisation and implement just fine-grained authorisation. This is no real
loss of capability, and no security weakness, provided the fine-grained access
control logic is implemented correctly.
Standalone Java applications have a choice of techniques, because some of
them are client-server systems, while others run purely on the client. We
recommend building a common security module for the client side of all Java
apps, bundled as a jar file with all of them. The CAS classes that authenticate
against the IAM directory, perform coarse-grained access control checks
against the IAM database and retrieve user attributes from it, should be
replicated within a separate server module to serve Java client applications.
The client security module should call this server module (over HTTP or RMI)
to invoke its services for authentication, coarse-grained authorisation and
attribute retrieval. The client-server systems can have a listener on the
server side to hook into the IAM User Event Bus to provision users.
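The client-server arrangement described above, as an added example that is not part of the original text: a "server module" exposing authentication, coarse-grained authorisation and attribute retrieval over HTTP, and a common client-side security module that calls it. It is written in Python rather than Java so that it runs stand-alone; the three endpoint names, the JSON message shapes, the in-memory stand-ins for the IAM directory and IAM database, and the user records are all constructed for illustration and are not from the LIMA model.

```python
"""Constructed example of the client/server security-module pattern.

The server module fronts an (in-memory, constructed) IAM directory and IAM
database; the client module is what each application would bundle and call.
"""
import hashlib
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib import error, request

# Constructed stand-in for the IAM directory: user -> SHA-256 of password.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest(),
         "bob": hashlib.sha256(b"hunter2").hexdigest()}
# Constructed stand-in for the IAM database: coarse-grained app entitlements.
APP_ACCESS = {"alice": {"payroll", "ledger"}, "bob": {"ledger"}}
ATTRIBUTES = {"alice": {"dept": "finance", "grade": "7"},
              "bob": {"dept": "ops", "grade": "4"}}
SESSIONS = {}  # opaque token -> user; lives only on the server side


class SecurityHandler(BaseHTTPRequestHandler):
    """Server module: /authenticate, /authorise and /attributes (constructed names)."""

    def _json(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def _body(self):
        n = int(self.headers.get("Content-Length", 0))
        return json.loads(self.rfile.read(n) or b"{}")

    def do_POST(self):
        body = self._body()
        if self.path == "/authenticate":
            user, pw = body.get("user", ""), body.get("password", "")
            digest = hashlib.sha256(pw.encode()).hexdigest()
            # Constant-time comparison; the client only ever receives a token.
            if user in USERS and secrets.compare_digest(USERS[user], digest):
                token = secrets.token_urlsafe(32)
                SESSIONS[token] = user
                return self._json(200, {"token": token})
            return self._json(401, {"error": "invalid credentials"})
        user = SESSIONS.get(body.get("token", ""))
        if user is None:  # every other service requires a valid token
            return self._json(401, {"error": "invalid token"})
        if self.path == "/authorise":
            allowed = body.get("app") in APP_ACCESS.get(user, set())
            return self._json(200, {"allowed": allowed})
        if self.path == "/attributes":
            return self._json(200, ATTRIBUTES.get(user, {}))
        self._json(404, {"error": "unknown service"})

    def log_message(self, *args):  # keep the example quiet
        pass


def start_server():
    """Bind the server module to an ephemeral localhost port in a daemon thread."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), SecurityHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


class ClientSecurityModule:
    """The common client-side module an application would bundle (constructed)."""

    def __init__(self, base_url, app_name):
        self.base_url, self.app_name, self.token = base_url, app_name, None

    def _call(self, service, **payload):
        req = request.Request(self.base_url + service, data=json.dumps(payload).encode(),
                              headers={"Content-Type": "application/json"})
        try:
            with request.urlopen(req) as resp:
                return resp.status, json.loads(resp.read())
        except error.HTTPError as e:
            return e.code, json.loads(e.read() or b"{}")

    def authenticate(self, user, password):
        code, body = self._call("/authenticate", user=user, password=password)
        self.token = body.get("token") if code == 200 else None
        return self.token is not None

    def authorised(self):
        code, body = self._call("/authorise", token=self.token or "", app=self.app_name)
        return code == 200 and bool(body.get("allowed", False))

    def attributes(self):
        code, body = self._call("/attributes", token=self.token or "")
        return body if code == 200 else {}


def demo(user, password, app_name):
    """Run one application start-up sequence against a fresh server module."""
    server = start_server()
    try:
        client = ClientSecurityModule(f"http://127.0.0.1:{server.server_address[1]}", app_name)
        ok = client.authenticate(user, password)
        return {"authenticated": ok,
                "authorised": client.authorised() if ok else False,
                "attributes": client.attributes() if ok else {}}
    finally:
        server.shutdown()
        server.server_close()
```

The point of the split is that the password never leaves the server module's trust boundary beyond the initial check: the client holds only an opaque token, and the coarse-grained decision and attribute lookup happen server-side against the IAM database, so the same jar can front every application without each one embedding directory or database credentials.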
The pure client systems can't do this and you will have to explore other
mechanisms, some of which may have to be manual. It's a bit of work and
unlikely to be 100% satisfactory, but then, it's a different technology and will
require effort to harmonise with the rest of the ecosystem. There are