Deployment of an External Application

When deploying an application to an application server, the security configuration for the application server is applicable to all IBM Cúram Social Program Management applications deployed to that application server instance. Therefore, care must be taken when considering the deployment architecture for more than one application. This is important when deciding if an internal and external application will be deployed to the same application server instance.

An example of some considerations to think about are:

• Is identity only being used for internal users?
• Is an alternative authentication mechanism used , e.g., LDAP;
• Will both internal and external users be authenticated by LDAP?

The answers to the considerations above will affect the setting of the application server properties (i.e. properties specified in the AppServer.properties file), that affect the behavior of the Cúram JAAS login module. These considerations will also drive the implementation of the curam.util.security.PublicAccessUser class and curam.util.security.ExternalAccessSecurity interface for external users.

The application server properties in the Cúram JAAS login module allow for finer grained control over the authentication of user types. External users and internal users can be authenticated differently, as can different types of external users, in a situation where the internal and external applications are deployed to the same application server. These properties include the following:

• curam.security.user.registry.disabled.types ;

  Set this property to a comma separated list of user types for which the application server user registry will not be queried, i.e. the implementation within the PublicAccessUser.authenticate() method is responsible for authenticating the external user of this type. For example, LDAP could be configured to be the user registry.

• curam.security.user.registry.enabled.types.

  Set this property to a comma separated list of user types for which the user registry will be queried, i.e., the implementation within the PublicAccessUser.authenticate() method does not have to fully authenticate the user. The user registry will be responsible for authenticating this type of external user. For example, LDAP could be configured as the user registry, and in this case, LDAP could be responsible for the authentication of these external user types.

These properties are dependent on the implementation of the curam.util.security.PublicAccessUser class and ExternalAccessSecurity interface.

Consider the following example project requirements:

• An internal user must authenticate with LDAP.
• An external user of type 'EXT_PUBLIC' must authenticate with IBM Cúram Social Program Management and not LDAP;
• An external user of type, 'EXTERNAL' must authenticate with LDAP only and not IBM Cúram Social Program Management.
• Both the internal and external applications are deployed to the same application server instance.

The following settings could cater for the example above:

• curam.security.check.identity.only set to true ;
• curam.security.user.registry.disabled.types=EXT_PUBLIC.

As well as the properties being set, the PublicAccessUser extension (and curam.util.security.ExternalAccessSecurity implementation) must have the logic to cater for the different types of external users and how they will be authenticated.