DocumentCode
2917431
Title
Automated deployment and Aggregated access control for SOA composite applications
Author
Poddar, Indrajit ; Goldszmidt, G.
Author_Institution
IBM, Pittsburgh, PA
fYear
2007
fDate
May 21 2007-May 25 2007
Firstpage
833
Lastpage
847
Abstract
Modeling, assembling, deploying and managing composite applications built using service oriented architectures (SOA) present many interesting challenges. Among these challenges, we consider two: service deployment and security management for access control. In this application session, these challenges are explored in the context of a prototype banking application: "Jivaro". The Jivaro prototype has features such as automated and configurable business processes using BPEL and manual tasks, multitenancy using virtual portals, and security using LDAP. We focus on two specific management pain points: 1. the difficulty in deploying multiple SOA components into multiple target middleware containers, and 2. inconsistency in access control policies for multi-tier applications. For addressing the deployment issues, we present a real-world deployment scenario involving the use of ANT tasks and scripting interfaces. For addressing inconsistencies in access control policies, we present a solution using the XACML standard, a common authorization model developed as an extension of the Java authorization contract for containers and a common policy store and policy administration point. We compare and contrast current access control policies for J2EE containers and databases with the proposed new common authorization model. We also compare separate access control policy stores versus the proposed solution for a common store. Our aggregated role based authorization model provides consistent access control policies that complement single sign-on and identity propagation schemes. This model also touches upon issues surrounding role and policy based management, specifically regarding the potential of combining security policy administrator roles for different tiers.
Keywords
Java; authorisation; middleware; software architecture; BPEL; J2EE containers; Java authorization contract; Jivaro prototype; SOA composite applications; XACML standard; aggregated access control; multiple target middleware containers; security management; service deployment; service oriented architectures; virtual portals; Access control; Assembly; Authorization; Banking; Containers; Prototypes; Security; Semiconductor optical amplifiers; Service oriented architecture; Virtual prototyping; Integration and middleware technologies for management; Security management Policy and role based management; Service Oriented Architecture and management; service deployment;
fLanguage
English
Publisher
ieee
Conference_Titel
Integrated Network Management, 2007. IM '07. 10th IFIP/IEEE International Symposium on
Conference_Location
Munich
Print_ISBN
1-4244-0798-2
Electronic_ISBN
1-4244-0799-0
Type
conf
DOI
10.1109/INM.2007.374725
Filename
4258616