One of the main issue with distributed application portal security is that
preventing or limiting access to functionality alone may not be the best approach.
The complementary alternative is to also control and protect data: content,
application resources, and virtual profiles. Once a user is authenticated,
if data is entitlement protected and granularity is adequate, users can be
provided with more functionality, while still increasing security.
Application logic independence
Next, security checking should be designed to be off-loaded to
a dedicated process freeing the business logic from dependency on security
configuration, and security configuration made available at run time, with
Data access control
Controlling data access, alternately to function access, in a heterogeneous
distributed environment is an issue by itself.
It is really a more sophisticated task than simply preventing access to functions
but it also offers advantages that can not efficiently be achieved differently.
Data access control is not a new issue as it was traditionally handled by the database
management system in autonomous and client-server environments.
But today, data is usually not limited to a single well structured database as
it resides in multiple, varied, and distributed sources, some structured, some less.
Some data is also available from multiple sources with varying priorities.
Once data and application resources are properly protected,
portals and applications can offer extended functionality access to users,
yet each user is only provided data that he is entitled to. Additionally, with
managed application resource security, security checking can be assigned to
dedicated processes, typically on dedicated servers or advanced appliances,
freeing application servers from the associated load while also removing
dependencies between the application business logic and the security
configuration(s), so that, for example, adding or changing defined profiles
(types or levels of users) does not imply modifying the applications
using the corresponding security configuration.
With proper design, environment, setup, and configuration, unlimited
granularity security configuration can be achieved and modified, at run-time
as required, even with advanced graphic tools, all, while operating in full