AssureAccess simplifies application security integration for
applications and portals running on the BEA WebLogic Platform™
by both supporting proprietary BEA WebLogic Server interfaces
and providing market-leading application security integration
solutions like:
- BEA WebLogic Server 7.0 Security Service Provider Interface (SSPI)
- Universal Java Plug-In
- Servlet Filter

AssureAccess and BEA WebLogic Platform Security Interfaces

As security in the BEA WebLogic Platform becomes more sophisticated,
the interfaces available to third-party application security
providers change. In BEA WebLogic Server 7.0, BEA offers an
SSPI that gives application security providers full control
of authorization, while previous versions offer a Custom Security
Realm that is limited to providing input for standard Java
Security.

BEA WebLogic Server 7.0 SSPI

In BEA WebLogic Server 7.0, BEA implements the new SSPI, providing
both greater security functionality and an alternative to
Java Security. The SSPI allows application security products
like AssureAccess to apply dynamic, fine-grained, policy-based
access management to deployed application resources without
modifying the application.
AssureAccess was the first application security product to
support the SSPI, and implements SSPI interfaces that enable
the following functions:
- Authentication: manages logins through standard AssureAccess
  mechanisms, including the JAAS LoginModule, certifies perimeter
  authentications, validates prior authentications for authorization,
  and enables single sign-on.
- Authorization: enables dynamic, policy-based authorization
  using the AssureAccess policy model by overriding Java Security.
- Auditing: collects and centrally stores WebLogic audits
  using the AssureAccess Audit service, simplifying administration.
- Role Mapper: extends Java Security by enabling dynamic,
  policy-based role protection and assignments using the AssureAccess
  policy model.

BEA WebLogic Server Security Realm

For applications running on versions prior to BEA WebLogic
Server 7.0, AssureAccess provides full support for the BEA
WebLogic Server Security Realm. The Security Realm works with
the Java Security model, enabling authentication, single sign-on,
and supporting fine-grained access control when combined with
other AssureAccess security integration solutions.

AssureAccess Extends BEA WebLogic Platform Security

In addition to the security interfaces provided by BEA WebLogic
Platform, AssureAccess also offers four other application
security integration solutions designed to provide maximum
security granularity with minimum integration effort.

Universal Java Plug-In

AssureAccess takes a wholly new approach to securing resources
served by EJB containers with its Universal Java Plug-In.
Rather than modifying beans to call the API directly, or using
a pre-compiler, AssureAccess allows application developers
to incorporate policy-based access control into J2EE applications
without either step. This functionality secures both new and
existing applications with a single click, and is only available
in AssureAccess.
Protecting deployed applications requires three steps:
1. Browsing for the application through the AssureAccess Management
Console
2. Protecting application resources (Servlets, JSPs, EJBs)
using policies
3. Restarting the application server

Servlet Filter

AssureAccess provides a servlet filter compliant with the
Servlet 2.3 specification, enabling Bolt-On security for resources
in the JSP/Servlet container. The functionality allows application
developers to protect web-based resources in the J2EE application
server without modifying the application. JSPs, servlets,
and all static content (HTML, gif, jpg) can be protected using
complex security policies. The servlet filter also brings
web-like features such as forms-based login and authentication
strength to the application server environment.

JSP Tag Library

Internet applications typically have presentation logic coded
as a set of JSPs, while business logic is normally contained
in a set of application EJBs. AssureAccess provides fine-grained
access control through APIs embedded in the JSP code. This
allows the developer to control which page elements (text,
links, and menu items) are available to individual users.
AssureAccess simplifies building security into applications
by providing a JSP tag library. The tag library makes it easy
to create JSP pages that authenticate, authorize, audit, and check
attribute values, while abstracting the security logic.
The tags also allow the developer to redirect to another page,
or omit HTML code on conditional failures.

Java API

The AssureAccess Java API can be called from within any Java
application component (Servlet, JSP, EJB). Part of the API
is designed specifically for the J2EE application environment,
simplifying username/password authentication, authorization
and audit. Since AssureAccess is 100% pure Java, every aspect
of the product functionality is available through the complete
API.
The API can leverage authentications done through other AssureAccess
security options, enabling Single Sign-On. Alternatively, it
can authenticate users directly by backing an HTML login form
and setting the user session.
API integration is typically used to implement fine-grained
access control from within a Servlet, JSP, or EJB. The application
developer can conditionally display user interface elements
from within a JSP by managing access to user-defined resources.
Similarly, in a Servlet or EJB, access controls can be used
to protect blocks of code or individual methods.