SAS® Business Intelligence Web Application Security Configuration Primer

Author

  • Heesun Park

Abstract

Securing Web-based resources is one of the biggest challenges for IT today. Almost all IT organizations use security measures through authentication and authorization to protect their Web resources. Thus, it is vital for SAS Business Intelligence Web applications to integrate within a secure Web environment. This paper explores just that. SAS Business Intelligence Web applications are implemented based on the SAS Metadata Server, which typically is tied to the local OS for host authentication, but it can be integrated with an external authentication mechanism already in place for an organization’s Web space. The latter is called Web (or trusted) authentication. Web-based authentication can occur in various Web components such as Web (HTTP) server, reverse proxy security server, or application server. We will examine the pros and cons of various Web security configurations, Single Sign-On (SSO) capability through third-party security packages, and how SAS Business Intelligence Web applications operate within each one.

INTRODUCTION

Security implementation of J2EE Web applications consists of two parts: authentication to control access to the Web application and authorization to control what operation is allowed on resources, such as servers and data, by the authenticated user. This paper mainly focuses on the authentication process for Web applications, which requires coordinating with existing Web infrastructure. J2EE-based SAS Business Intelligence Web applications use two authentication mechanisms: local OS user-registry-based host authentication, also called SAS authentication, and Web authentication, also called trusted authentication. The most popular user registry for Web authentication is an LDAP directory server, but a flat password file or DBMS is also permitted. To support Web authentication, SAS Business Intelligence Web applications must integrate with an organization’s authentication mechanism for the Web space.
The choice of authentication for a Web application is configurable through a pluggable Java Authentication and Authorization Service (JAAS) login module[1]. Web authentication can occur in various Web components such as a Web (HTTP) server, a reverse proxy server, or an application server. The factors in Web security configuration of J2EE Web applications include the authentication mechanism, the location of the authentication challenges, the type of user registry, and possibly Single Sign-On (SSO) capability with a third-party security package or other Web applications.

The first thing that you need to understand is the difference between the traditional Web HTTP server security mechanism and the J2EE Web application security arrangement. HTTP server security was originally designed to protect static documents. On the other hand, J2EE Web applications are fully independent Java programs that run in an application server or servlet container and include a security mechanism or standard called JAAS. Technically, an application server is more than just a servlet container, but the terms are used interchangeably in this paper. J2EE Web applications can function without the involvement of HTTP servers, but, in most cases, HTTP servers and application servers are considered an integral part of Web infrastructure.

The proxy server is another important component in the Web security configuration. Its original purpose was to protect Web users from the Web by restricting access to Web domains and to enhance Web traffic performance by caching resources. A proxy server that protects Web applications and application servers from outside access is called a reverse proxy server. A reverse proxy server that provides security screening through a user registry is called a reverse proxy security server (RPSS). The RPSS might be a separate process or a plug-in to the Web server, such as IBM’s WebSEAL[2,5] and CA’s eTrust SiteMinder Web Server Agent[3].
J2EE Web applications can use different authentication mechanisms and still maintain portability of the code through the configurable JAAS login module. The next section provides an example of JAAS login module usage for a Web application.

SAS Presents SAS Global Forum 2009

Similar resources

Security Hardening for SAS® 9.3 Enterprise BI Web Applications

Web configuration for SAS 9.3 Enterprise BI Web applications needs to be secured according to an organization's security policy. This paper examines the Web configuration security enhancement options and the protection of Web applications from security vulnerability attacks. Security enhancements for the configuration include single sign-on, integration with a reverse proxy security server, sett...

"Ins" and "Outs" of Installing and Configuring the SAS® Enterprise BI Server at Blue Cross & Blue Shield of Minnesota

This paper discusses the implementation of SAS Enterprise BI Server at BlueCross BlueShield of Minnesota (BCBSM). It provides an overview of the hardware and software architecture and the deployment of SAS Enterprise BI Server within a mature enterprise-wide and external web-facing infrastructure in a multi-tier UNIX environment. This paper also provides highlights of the installation and confi...

Managing Content in Your SAS Business Intelligence Environment

With the release of the SAS BI Server in 2003, SAS provided a suite of tools that made the power of SAS available to everyone in an organization. As more organizations deploy these tools, questions are being asked about managing the content that’s generated with these tools in a dynamic environment. How can we move a report from the test environment to the production environment? How can we tur...

SAS®: The Ultimate Dashboard Machine

Leaders want to align their organizations around strategic goals and metrics. Knowledge workers need ready access to data about what is happening right now. IT seeks to make information available and useful to the business, and yet observe appropriate security policies. For many organizations, all of these goals are coming together in a single focal point: Dashboards. SAS is known for its advan...

Publication date: 2009