Where have all the PEP's gone?

I've been having a lot of conversations which customers lately around integrating security services - mostly authentication and authorization - into their enterprise. They've been asking basically the same question - "Where are the Policy Enforcement Points (PEP)?"

First of all, I think this is more than a simple product road map question. For the record - Oracle Access Manager (OAM) supports a large number of Web Server/Operating System platforms. Oracle Entitlement Server (OES) has a Security Module (SM) for a number of Web Servers, WLS + layered products, IBM WebSphere, Oracle VPD support and even Microsoft SharePoint.

Product Management can correct me, but this seems like a pretty good list. So what is the issue?

I think the issue is that many of the customers that I talk to are using a number of application frameworks to build their applications (Struts, JSF, Spring, Hibernate, ADF etc). This means that they want an application framework specific PEP and not a generic Java, JACC, JEE or even Application Server specific PEP. Even though these frameworks are built on these standards, implementing a policy enforcement point at those levels means that the access control policies are going to be based on resources like Java Permissions, Java Servlets or Enterprise JavaBeans. If the goal is to author access control policies which are closely aligned to the business, then securing these lower level resources, especially in the context of an application framework, is practically a non-starter.

So, why not just create PEPs for these application frameworks?

Easier said than done! Not every application framework has a tidy way of wedging an external PEP into the request flow, or reusing the application framework's PEP to call out to a 3rd party PDP. In most cases, externalizing authentication is pretty straight forward, but if you want 3rd party authorization, especially around framework specific objects (Struts Action, JSF UIComponent etc), it will get messy!

Oracle's Application Developer Framework (ADF) and Spring with SpringSecurity (ACEGI) both have the ability to externalize authorization built in, though ADF is based on standard Java security and ACEGI isn't.

In other cases, where there's a will, there's a way. I've pulled together a catalog of some approaches for integrating into various containers. Take a look. I've used these types approaches in the field to integrate various PDPs.

So, what do you think?

- Is dependency injection (aspect oriented) a reasonable way to add this type of fine grained authorization?
- For Struts, is creating a custom RequestProcessor a workable solution? It would allow for authorization at the Struts Action level.
-Is there something short of a custom Render Kit which would meet the requirements for JSF?
-Is a generic approach like JSP tag libraries best?