Apply Web Services Security to EJB Applications

At JavaOne 2007 earlier this year, Aravindan Ranganathan and Malla Simhachalam presented a hands-on lab titled Securing Identity Web Services. The lab showed how to provide different levels of stock quote service according to the identity of an end-user – authenticated users see real-time stock data while ‘guests’ see delayed quotes.

Since then, Malla, Mrudul Uchil and Marina Sum have written up the lab tutorial as a three-part series of articles showing how identity can be carried from an incoming web services request right through to an EJB. The sample application shows the request and response messages graphically, and provides links to the XML message data – a particularly nice feature that shows exactly what is going on.

Highly recommended for anyone putting together the pieces of web services, identity and EJB apps.

SSO from Sun Java System Access Manager to SharePoint Portal Server 2003

Back in December of last year, Marina Sum and I co-wrote the article Sun and Microsoft Interoperate for Web Authentication, Part 1. In that article we examined how Sun Java System Access Manager’s policy agents work with Microsoft Internet Information Server (IIS) to provide single sign-on and authorization in a heterogeneous environment. At the end of the piece, we promised further articles on integration with SharePoint Portal Server 2003 and Outlook Web Access in Microsoft Exchange 2003.

Well, it’s been a while, but the planets finally aligned for Robertis Tongbram, Access Manager policy agent engineer, and Marina to create the second article (deep breath): Sun and Microsoft Interoperate for Web Authentication, Part 2 – Sun Java System Access Manager and SharePoint Portal Server 2003. The article works from the basics of authentication and authorization in SharePoint to configuring single sign-on between Access Manager and SharePoint via the policy agent. If you’re wrestling with SharePoint, I recommend you go take a look.

Basic Authorization with Sun Java System Access Manager

As I reported yesterday at The Aquarium, Robert Skoczylas of Indigo Consulting and Sun tech author Marina Sum just published Developing Secure Applications with Sun Java System Access Manager, Part 1: Basic Authorization at Sun Developer Network. This article, part 1 of a series, presents a case study of implementing authentication, single sign-on, and authorization at a fictional health-care insurance company.

There’s some really good stuff in there – Robert and Marina work from a high-level description of the problem right down to specific Access Manager customizations. In particular, the detailed description of customizing Access Manager’s policy framework is well worth the read for anyone working with, or evaluating, Sun Java System Access Manager.

Lost my Wikipedia Virginity

I was nosing about on Wikipedia the other day when I noticed a link to a page for Sun Java System Access Manager. The link went to the standard ‘editing’ page, so I decided to register at Wikipedia and create my first entry. Quite painless. The entry is a stub, and I’m not sure how much I can add without falling foul of Wikipedia’s policy on spam. As it stands, I think the stub is useful context, particularly as the link was already present in a couple of pages. I guess I’ll sit back and see if anyone posts a request for expansion.

Sun Java System Access Manager 7.1 is here!

You might have seen the news today that Sun just released Java Enterprise System 5. While it’s not called out in the press release, Sun Java System Access Manager 7.1 is part of Java ES 5. Although it’s been widely previewed in beta in the NetBeans Enterprise Pack and Java EE SDK, it’s still worth calling out the new features:

So, go to the download page, grab Access Manager 7.1 and give it a whirl. It’s in all of the system/suite downloads except the availability suite.

Turkcell Deploying Mobile Strong Authentication

From Orhan Alkan comes this report of Turkcell deploying mobile strong authentication with Sun Java System Access Manager. Orhan and his colleagues in the Sun Turkey Professional Services team developed a custom authentication module to handle the signature validation in Access Manager.

Orhan was kind enough to give me some more detail by email: the subscriber’s private key is in the SIM, so it is portable across phones. Authenticated subscribers can access all of Turkcell’s web-based customer applications including billing, enabling services such as international calls and roaming and changing rate plans, and even access their accounts at banks such as Garanti, Akbank and Isbankasi.

Recalling an earlier entry on Turkcell’s ID-WSF pilot – they certainly seem to be in the vanguard of mobile operators when it comes to identity.

Sun and Microsoft Interoperate for Web Authentication, Part 1

In between all the talk of federation, PHP and web services, we sometimes lose sight of the fact that bread-and-butter single sign-on and access control still has huge value in improving both security and the user experience. Over at the Sun Developer Network, Marina Sum and I just published an article – Sun and Microsoft Interoperate for Web Authentication, Part 1 – focusing on how Sun Java System Access Manager and its policy agents integrate with Microsoft IIS to provide both single sign-on and access control – right down to Windows ACLs on files on disk.

As the article mentions, some functionality (specifically, the basic authentication plugin – from the ‘Configuration of the Policy Agent for HTTP Basic Authentication’ heading to the end – sorry, there is no handy name anchor in there to link to) will be released in AM Policy Agent for IIS 2.2-Hotpatch6 sometime in the next few weeks. I’ll post here as soon as this is available; at that point you will be able to work through the entire article. In the meantime, much of it works with the current policy agent, so you can get started straight away.