Wednesday, May 25, 2011

Design Patterns in Declarative Security


Reusability and abstraction have enabled organizations to create complex software at lower cost. Unfortunately, application authorization is the proverbial wheel that keeps getting re-invented. Each application developer becomes a security architect and decides how to abstract security policy within the application. This becomes very challenging as authorization decisions demand more variables and rules. To learn about declarative security, register for a free webcast here.

Historically, fine-grained authorization has been hard-coded into applications. While URL-based coarse-grained authorization can be enforced using conventional web access management solutions, application-centric security decisions are enforced dynamically at run-time. For instance, if access to confidential data is granted to a user only when he meets certain conditions, those checks are typically performed at run-time. This made building security into applications complex. It also coupled the evolution of security policies to the evolution of application logic, which negatively impacted developer productivity.

Declarative security solutions solve this problem by externalizing authorization logic from applications, removing the complexity of building security from application developers. Just as SQL simplified database queries for developers, declarative security simplifies the art of describing security. This makes it easy to specify complex, granular authorization policies not only for applications but also for web services and databases.

Implementing web services security is an area where this design pattern can greatly improve development. Instead of securing the web service internally, the service can be secured externally without changing code when security policy needs to be altered.

Oracle Entitlements Server (OES) implements declarative security in an enterprise-grade solution that can be used to make mission-critical, real-time authorization decisions. OES extends declarative security to protect applications, middleware and databases: user interface elements, server-side transactions, database columns and rows, even "business" objects like reports and accounts can be protected. Plus, it allows you to model extremely rich authorization policies based on a combination of identity attributes, business conditions and application context. For example, financial services companies can centrally enforce policies that restrict traders to customer accounts by region, trading exchange, time of day, and/or a customer's net worth. Previously, such policies would be embedded deep inside application code, making policy changes expensive and challenging to implement and resulting in fragmented policies.
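To make the design pattern concrete, here is an added example of the shift the post describes: the same trader/account rules first hard-coded into an application function, then expressed as declarative policy evaluated by a small policy decision point. This is illustration code written for this post, not Oracle Entitlements Server or its API; the rule format, the attribute names (role, region, max_net_worth, hour), the combining algorithm and the sample users and accounts are all constructed assumptions.

```python
"""Externalized (declarative) authorization as a design pattern.

Added illustration, not Oracle Entitlements Server code or its API. The rule
format, the attribute names (role, region, max_net_worth, hour) and the sample
users and accounts are all constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass
class Request:
    """What a policy decision point evaluates: who, on what, which action, in what context."""
    subject: dict
    resource: dict
    action: str
    context: dict


@dataclass
class Rule:
    """One declarative rule: a resource type, a set of actions, and a condition on the request."""
    name: str
    effect: str            # "permit" or "deny"
    resource_type: str
    actions: frozenset
    condition: Callable[[Request], bool]


# --- The "historical" pattern: authorization checks hard-coded in the application ---
def view_account_hardcoded(user: dict, account: dict, hour: int) -> bool:
    """Every policy change (a new role, a new condition) means editing and redeploying this code."""
    if user["role"] != "trader":
        return False
    if user["region"] != account["region"]:
        return False
    if not 8 <= hour < 18:
        return False
    if account["net_worth"] > user["max_net_worth"]:
        return False
    return True


# --- The declarative pattern: policy is data, evaluated by a policy decision point (PDP) ---
POLICY = [
    Rule("deny-outside-trading-hours", "deny", "account", frozenset({"view", "trade"}),
         lambda r: not 8 <= r.context["hour"] < 18),
    Rule("trader-own-region-within-limit", "permit", "account", frozenset({"view", "trade"}),
         lambda r: r.subject["role"] == "trader"
         and r.subject["region"] == r.resource["region"]
         and r.resource["net_worth"] <= r.subject["max_net_worth"]),
    # Granting a new role is a policy edit, not an application code change.
    Rule("auditor-read-only", "permit", "account", frozenset({"view"}),
         lambda r: r.subject["role"] == "auditor"),
]


def decide(request: Request, policy=POLICY) -> str:
    """PDP with deny-overrides combining and default deny when no rule applies."""
    matched = [
        rule for rule in policy
        if rule.resource_type == request.resource["type"]
        and request.action in rule.actions
        and rule.condition(request)
    ]
    if any(rule.effect == "deny" for rule in matched):
        return "deny"
    if any(rule.effect == "permit" for rule in matched):
        return "permit"
    return "deny"


def view_account(user: dict, account: dict, hour: int) -> bool:
    """Policy enforcement point: the application only asks; it no longer decides."""
    return decide(Request(user, account, "view", {"hour": hour})) == "permit"


# Constructed sample data (not real users or accounts).
TRADER = {"id": "alice", "role": "trader", "region": "EMEA", "max_net_worth": 5_000_000}
AUDITOR = {"id": "bob", "role": "auditor", "region": "APAC", "max_net_worth": 0}
ACCOUNT = {"type": "account", "id": "acct-1", "region": "EMEA", "net_worth": 1_000_000}
BIG_ACCOUNT = {"type": "account", "id": "acct-2", "region": "EMEA", "net_worth": 50_000_000}

if __name__ == "__main__":
    print(view_account(TRADER, ACCOUNT, 10))             # True
    print(view_account(TRADER, ACCOUNT, 20))             # False: outside trading hours
    print(view_account(TRADER, BIG_ACCOUNT, 10))         # False: above net-worth limit
    print(view_account(AUDITOR, ACCOUNT, 10))            # True: policy grants auditors read access
    print(view_account_hardcoded(AUDITOR, ACCOUNT, 10))  # False: the hard-coded check never learned about auditors
```

Two design choices matter here. The decision point defaults to deny when no rule applies and lets an applicable deny override any permit, so a policy that is merely incomplete fails closed rather than open. And the application function `view_account` carries no policy at all: the auditor rule was added by appending one entry to `POLICY`, while the hard-coded version still refuses the auditor until someone edits and redeploys the code.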

Join us for a live webcast to learn more about Oracle Entitlements Server. Register here.


There is also more information on OES here.