Security Services for integrating other products and web services to project.net
If we use the existing project.net security engine to provide access security for external products via web services, then we need a strategy for making the project.net authentication and access security available to the other products. Alternatively, we need to identify a central access security service that can be shared by project.net and all other products being integrated with project.net.
The Current Plan
- Continue to use the project.net internal security engine for now. Refactoring the security engine is not critical at this time and would require over three developer months to move to a new engine.
- All third-party functionality that is integrated with the project.net application at the interface level shall use the project.net internal security engine.
- The Project.net authentication and access security will be exposed via a web services layer.
- When refactoring the security engine, the use of Spring and Acegi is recommended.
- The biggest limitation of the current security engine is its use of the Space-Module context. This can make it difficult to define access rules for groups of Spaces.
sachin mittal wrote: I feel we should use the existing Project.net security engine to access security for external products. Basically, the user would have permissions for which external products they can access via Project.net.
Third Party Security Engines
sachin mittal wrote: I did some research on open source products that can serve as a central authentication and security engine. Here is the list:
Acegi Security - is a powerful, flexible security solution for enterprise software (particularly with Spring). It provides comprehensive authentication, authorization, instance-based access control, channel security and human user detection capabilities. http://sourceforge.net/projects/acegisecurity
jGuard - written in Java. Its goal is to provide a security framework based on JAAS (Java authentication and authorization security). This framework is written for web and standalone applications, to resolve access control problems simply. http://sourceforge.net/projects/jguard
JOSSO - Java Open Single Sign-On - is an open source J2EE-based SSO infrastructure aimed to provide a solution for centralized platform neutral user authentication and authorization. http://sourceforge.net/projects/josso
Kasai - is a 100% Java based authentication and authorization framework. It allows you to integrate into your application a granular, complete and manageable permission scheme. http://sourceforge.net/projects/kasai
