US Department of Energy signs on to J2EE
Create a secure single sign-on Web service for multiple n-tier Web applications
By Jian Zhong and Mike Lehr, JavaWorld.com, 05/24/02
As part of the Energy Information Administration's (EIA) ongoing commitment to provide better products and services with increasing
efficiency, the EIA's Office of Information Technology (OIT) promised to deliver Web-based data-collection services in limited
time and with minimal expense. Therefore, the OIT's technical team developed applications serially, with little opportunity
to deploy highly generalized, reusable components. Meanwhile, as development progressed, the IT industry made significant
technology advances, and EIA acquired many new technologies at the infrastructure level. In the industry, Java 2 Platform,
Enterprise Edition (J2EE) standards and specifications evolved, and many vendors started to support them at different levels.
At EIA, we purchased new hardware; acquired licenses for a J2EE server that could support Enterprise JavaBeans (EJB), including
session beans and entity beans; and deployed many other new key infrastructure components, such as Virtual Private Network
(VPN) and Oracle's Virtual Private Database (VPD). We also researched LDAP (Lightweight Directory Access Protocol) and
Kerberos authentication in our intranet and Internet environments. We both played key roles in architecting the EIA's Web applications
and setting up their security. Jian Zhong is the technical lead on most OIT Internet data-collection projects, while Mike
Lehr acts as OIT's senior application security architect on those same projects.
Based on Zhong's simple methodology, first introduced in "Step into the J2EE Architecture and Process" (JavaWorld, September 2001), we built the first Java Web application using J2EE technologies at EIA. This project won the US Department
of Energy's 2001 Technical Excellence Award and helped us gain approval for a second project—a similar Web application with
a legacy database containing about 85 tables. The second project involved Web-enabling the data-collection process for one
EIA survey. This project, which is going live as we write this article, took only about four months to complete. It went more
smoothly than the first project, and we again satisfied the customer's requirements and delivered on time with minimal cost.
As each success within the organization improved our position and enlarged our codebase, we thought more seriously about productive,
reusable technologies that would require a small degree of up-front investment.
The circumstances and the challenge before us were both commonplace: we needed to find a practical way of gradually implementing
more efficient technology and, if possible, retrofitting it to existing applications. After consulting with management, we
decided to implement a reusable single sign-on (SSO) component. Two familiar business requirements drove this decision:
- The need to accommodate large projected increases in e-business partners. The EIA has two main classes of e-business partners:
respondents, who submit survey data electronically, and employees (both federal and contractor).
- Heightened security concerns in response to terrorist activity. Respondents no longer send paper forms because of recent terrorist
events, and thus we have an urgent need to deploy electronic submissions for many surveys. Many respondents will submit for
more than one survey as well.
In this scenario, SSO has several advantages. Developing one relatively high-quality SSO component allows better safeguards
than developing individual SSO modules. SSO enables more consistent, centralized, and efficient user administration. It allows
security personnel some standard and centralized resources—for monitoring failed and successful logons, for example. Equally
important, users can conduct their business more quickly and conveniently, partly because they avoid the nuisance of repeated
logins, and partly because they can easily change their profiles in one place. The Open Group's "Introduction to Single Sign-On" discusses SSO's advantages in more detail.
Resources
- Also in this week's Spotlight on J2EE: "A J2EE Presentation Pattern: Applets with Servlets and XML," Jeremy Dickson (JavaWorld, May 2002)
http://www.javaworld.com/javaworld/jw-05-2002/jw-0524-j2ee.html
- The Open Group's Single Sign-On page
http://www.opengroup.org/security/sso/
- The Open Group's "Introduction to Single Sign-On"
http://www.opengroup.org/security/sso/sso_intro.htm
- J2EE BluePrints, including a design patterns catalog and the Pet Store demo architecture overview
http://java.sun.com/j2ee/blueprints/
- Designing Enterprise Applications with the Java 2 Platform, Enterprise Edition, Nicholas Kassem et al. (Addison-Wesley, June 2000; ISBN 0201702070)
http://www.amazon.com/exec/obidos/ASIN/0201702770/javaworld
- Java 2 Platform, Enterprise Edition: Platform and Component Specifications, Bill Shannon et al. (Addison-Wesley, May 2000; ISBN 0201704560)
http://www.amazon.com/exec/obidos/ASIN/0201704560/javaworld
- "Step into the J2EE Architecture and Process," Jian Zhong (JavaWorld, September 2001)
http://www.javaworld.com/javaworld/jw-09-2001/jw-0928-rup.html
- "A Java Case Study: The Power of J2EE," Jian Zhong and Betty Barlow (JavaWorld, January 2002) describes how the EIA secured a complete J2EE solution in less than five months
http://www.javaworld.com/javaworld/jw-01-2002/jw-0118-j2ee.html
- Also check out the 23 "Gang of Four" design patterns in Design Patterns: Elements of Reusable Object-Oriented Software, Erich Gamma et al. (Addison-Wesley, January 1995; ISBN 0201633612)
http://www.amazon.com/exec/obidos/ASIN/0201633612/javaworld/
- Check out SingleSignOn.Net
http://www.singlesignon.Net/single_sign-on.htm
- Netscape's Cookie spec
http://home.Netscape.com/newsref/std/cookie_spec.html
- Check out Netegrity's SiteMinder
http://www.netegrity.com/
- Microsoft's .Net Passport
http://www.passport.com/Consumer/default.asp?lc=1033
- The Liberty Alliance Project
http://www.projectliberty.org
- "With Liberty and Single Sign-on for All," Todd Sundsted (JavaWorld, February 2002)
http://www.javaworld.com/javaworld/jw-02-2002/jw-0215-liberty.html
- Oracle 9iAS Portal Server
http://www.oracle.com/ip/deploy/ias/portal/index.html
- Sun ONE Portal Server (formerly iPlanet Portal Server)
http://wwws.sun.com/software/products/portal_srvr/home_portal.html
- "Single Sign-On Support in WebSphere Portal Server 1.2," Mark Gilmore and Don Jones (IBM, October 2001)
http://www7b.boulder.ibm.com/wsdd/library/techarticles/0110_gilmore/gilmore.html
- "Single Sign-On Using Kerberos in Java," Mayank Upadhyay and Ram Marti (Sun Microsystems)
http://java.sun.com/j2se/1.4/docs/guide/security/jgss/single-signon.html
- "Chapter 4: Single Sign-On" in Directory Server Access Management Edition Programmer's Reference Guide (iPlanet)
http://docs.iplanet.com/docs/manuals/dsame/50/html/prog/sso.htm#22747
- "Single Sign On—A Contrarian View," Keys Botzum (IBM, August 2001)
http://www7b.software.ibm.com/wsdd/library/techarticles/0108_botzum/botzum.html
- Browse the Java 2 Platform, Enterprise Edition (J2EE) section of JavaWorld's Topical Index
http://www.javaworld.com/channel_content/jw-j2ee-index.shtml
- Browse the Security section of JavaWorld's Topical Index
http://www.javaworld.com/channel_content/jw-security-index.shtml
- Browse our complete list of David Geary's Java Design Patterns columns
http://www.javaworld.com/columns/jw-java-design-patterns-index.shtml
- For more design pattern stories, visit the Design Patterns section of JavaWorld's Topical Index
http://www.javaworld.com/channel_content/jw-patterns-index.shtml
- Browse the complete listing of Frank Sommers's Web Services columns
http://www.javaworld.com/columns/jw-web-services-index.shtml
- Browse the Java and Web Services section in JavaWorld's Topical Index
http://www.javaworld.com/channel_content/jw-webserv-index.shtml
- Subscribe to JavaWorld's free weekly email newsletters
http://www.javaworld.com/subscribe
- Get under the hood of the technologies shaping our future in JavaWorld's Enterprise Java discussion
http://forums.idg.net/webx?50@@.ee6b80a
- Security sleuths talk shop and trade cautionary tales in JavaWorld's Java Security discussion
http://forums.idg.net/webx?50@@.ee6b80e
- You'll find a wealth of IT-related articles from our sister publications at IDG.net