Security as a Service

Oracle Fusion Middleware is highly predicated on service-oriented architecture (SOA) environments. SOA provides many benefits including the ability to build composite applications based on service (or component) reuse, as well as flexible and dynamic connectivity among services.

Oracle Identity Management, as part of Oracle Fusion Middleware, provides many services that can be shared and reused across the enterprise. For example, Oracle Directory Services are the basic building blocks for user and resource information. Likewise, Oracle Identity Management is designed to provide identity management and access control services deployed outside applications, thus clearly separating security from business logic, the most efficient weapon against application “silos.”

With Oracle Identity Management 11gR1, Oracle extends its identity-as-a-service approach to the developer community. From now on, in-house developers, third-party application providers, and integrators can benefit from the same security services that Oracle Fusion Middleware components rely on. For example, in a typical scenario, a developer at Company XYZ designs an application from the ground up using Oracle JDeveloper and Oracle’s Application Development Framework (ADF). After deployment, Company XYZ realizes that in order to support a very large number of users, the application needs to communicate with enterprise-strength identity services such as those provided by Oracle Identity Management. In this case, the application can easily “switch” from the original ADF-based security to full-fledged Oracle Identity Management services such as Oracle Access Manager or Oracle Entitlements Manager without any change to either the application itself or the security services originally used by the developer.

Oracle Identity Management 11gR1 provides security services in the form of an enterprise-wide framework known as Oracle Platform Security Services or OPSS for short.

OPSS is a self-contained, portable set of security services that run on Oracle WebLogic Server. OPSS provides an abstraction layer that insulates developers from security and identity management implementation details. At development time, OPSS services can be directly invoked from the development environment (Oracle JDeveloper) through wizards. When the application is deployed to the runtime environment, systems and security administrators can access OPSS services for configuration purposes through Oracle Enterprise Manager Fusion Middleware Control or command line tools.

OPSS security services comply with the following industry standards: role-based access control (RBAC); Java Platform, Enterprise Edition (Java EE); Java Authentication and Authorization Service (JAAS); and Java Authorization Contract for Containers (JACC). With OPSS, developers don’t need to know the nitty-gritty of cryptographic key management or of the interfaces to user repositories and other identity management infrastructure.

The OPSS framework includes services that are consumed by Oracle WebLogic Server’s Security Services Provider Interface (SSPI). In addition, OPSS includes Java Platform Security (JPS), Oracle Fusion Middleware’s security framework.

SSPI provides Java EE container security in permission-based (JACC) mode and in resource-based (non-JACC) mode. It also provides resource-based authorization for the environment, thus allowing customers to choose their security model. SSPI is a set of APIs designed to implement pluggable security providers in order to support multiple types of security services, such as custom authentication or a particular role mapping.

JPS, on the other hand, was first released with Oracle Application Server 9.0.4 as a JAAS-compatible authentication and authorization service working with XML-based and Oracle Internet Directory providers. In Oracle Identity Management 11gR1, JPS has been expanded to include the following services: Credential Store Framework (a set of APIs that applications can use to create, read, update, and manage credentials securely), User and Role API (designed to access identity information in a uniform and portable manner), Oracle Fusion Middleware Audit Framework (used by all the components part of Oracle Fusion Middleware), and JDeveloper/ADF integration (application security life cycle support, from development to staging to full-fledged production).
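As an added example (not code from this article or from Oracle's own samples), the following helper shows what consuming the Credential Store Framework named above looks like from application code: a database credential is written to and read back from the OPSS credential store through the CSF API, so the password never sits in application source or configuration files. The map name, key name and credential values are constructed placeholders, and the code assumes it runs in a WebLogic domain whose jazn-data.xml grants this application CredentialAccessPermission on that map (the grant is shown in the comment).

```java
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;
import oracle.security.jps.JpsContext;
import oracle.security.jps.JpsContextFactory;
import oracle.security.jps.JpsException;
import oracle.security.jps.service.credstore.Credential;
import oracle.security.jps.service.credstore.CredentialAlreadyExistsException;
import oracle.security.jps.service.credstore.CredentialFactory;
import oracle.security.jps.service.credstore.CredentialStore;
import oracle.security.jps.service.credstore.PasswordCredential;

/** Constructed example: one application-owned map in the OPSS credential store. */
public final class DbCredentials {
    // Placeholder names; the jazn-data.xml grant for this application must name the same map:
    //   <permission>
    //     <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
    //     <name>context=SYSTEM,mapName=xyz.app.db,keyName=*</name>
    //     <actions>read,write,update,delete</actions>
    //   </permission>
    private static final String MAP = "xyz.app.db";
    private static final String KEY = "reporting-db";

    /** Look up the credential store service from the current JPS context. */
    private static CredentialStore store() throws JpsException {
        JpsContext ctx = JpsContextFactory.getContextFactory().getContext();
        return ctx.getServiceInstance(CredentialStore.class);
    }

    /** Create the credential, or replace it if it already exists; doPrivileged limits the grant to this class. */
    public static void save(final String user, final char[] password) throws Exception {
        AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() {
            public Void run() throws JpsException {
                CredentialStore cs = store();
                PasswordCredential pc = CredentialFactory.newPasswordCredential(user, password);
                try {
                    cs.setCredential(MAP, KEY, pc);
                } catch (CredentialAlreadyExistsException e) {
                    cs.resetCredential(MAP, KEY, pc); // update the stored value in place
                }
                return null;
            }
        });
    }

    /** Read the credential back at runtime; the caller never learns where or how it is persisted. */
    public static PasswordCredential load() throws Exception {
        return AccessController.doPrivileged(new PrivilegedExceptionAction<PasswordCredential>() {
            public PasswordCredential run() throws JpsException {
                Credential c = store().getCredential(MAP, KEY); // null when the key is absent
                if (!(c instanceof PasswordCredential)) {
                    throw new IllegalStateException("no password credential at " + MAP + "/" + KEY);
                }
                return (PasswordCredential) c;
            }
        });
    }
}
```

Because the store is administered through Fusion Middleware Control or WLST, rotating the reporting database password becomes an administrator action on the map entry rather than a rebuild of the application.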
