Chapter 16. Application integration 369
Allow only authorized users to access any given Web application, regardless of the source (entry point).

Segregating external and internal users creates a baseline infrastructure with a separate access control enforcement point for each entry channel. This matters because there may be cases where users must be restricted to one specific channel (for example, internal users may access the internal application server only).

Control access to the application pages based on the user's group membership.

This can be accomplished either in application code (that is, programmatically) or with WebSEAL (that is, independently of the application). The ideal approach is to use WebSEAL, which keeps the access control functions transparent to, and independent from, the application.

Allow transaction execution only for particular group members or individual users.

This requirement depends on how the application handles transactions and on how many internal back-end systems it must consult before executing one. It is a more programmatic approach: the application has to combine different pieces of business logic to decide whether a given user is authorized for a particular operation, and the answer can differ from user to user. At the limit, an operation may be allowed for a user only under a very specific condition, such as permitting money transfers only to predefined accounts.
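The two enforcement layers described above, as an added example that is not part of the original book or of any IBM product code: a WebSEAL-style, application-independent check that grants or denies a page by URL prefix, group membership and entry channel, followed by an in-application (programmatic) transaction check that permits a money transfer only to the user's predefined target accounts. The paths, group names, channel names and account identifiers are constructed for illustration; real WebSEAL ACLs live in the Access Manager protected object space rather than in a Python list.

```python
"""Two-layer authorization model (constructed example, not product code).

Layer 1 models the WebSEAL decision: closest attached ACL on a URL prefix,
evaluated by group membership and by which channel (external DMZ WebSEAL or
internal WebSEAL) the request arrived on.
Layer 2 models the application's own business-logic decision for a transaction.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset      # group memberships, e.g. {"customers"}
    channel: str           # "external" or "internal" (assumed channel names)


@dataclass(frozen=True)
class PageAcl:
    path_prefix: str       # protected object, here a URL prefix
    allowed_groups: frozenset
    allowed_channels: frozenset


# Constructed sample ACLs: the admin area is reachable only from the
# intranet path, customer pages from both channels.
PAGE_ACLS = [
    PageAcl("/app/admin/", frozenset({"admins"}), frozenset({"internal"})),
    PageAcl("/app/accounts/", frozenset({"customers", "tellers"}),
            frozenset({"external", "internal"})),
    PageAcl("/app/", frozenset({"customers", "tellers", "admins"}),
            frozenset({"external", "internal"})),
]

# Constructed sample data for the programmatic check: each customer may only
# transfer money to accounts registered in advance for that customer.
PREDEFINED_TRANSFER_TARGETS = {
    "alice": {"ACC-1001", "ACC-1002"},
    "bob": {"ACC-2001"},
}


def page_allowed(user: User, path: str) -> bool:
    """Layer 1: application-independent page access control.

    The ACL attached closest to the requested object (longest matching
    prefix) wins; a path with no ACL at all is denied.
    """
    matches = [acl for acl in PAGE_ACLS if path.startswith(acl.path_prefix)]
    if not matches:
        return False
    acl = max(matches, key=lambda a: len(a.path_prefix))
    return (user.channel in acl.allowed_channels
            and bool(user.groups & acl.allowed_groups))


def transfer_allowed(user: User, source_owner: str, target_account: str) -> bool:
    """Layer 2: programmatic transaction authorization.

    Requires the customer role, ownership of the source account, and a
    target account that was predefined for this user.
    """
    if "customers" not in user.groups:
        return False
    if source_owner != user.name:
        return False
    return target_account in PREDEFINED_TRANSFER_TARGETS.get(user.name, set())


def handle_request(user: User, path: str, transfer=None) -> str:
    """Evaluate both layers in order; the page check runs before any
    transaction logic, as it would when WebSEAL fronts the application."""
    if not page_allowed(user, path):
        return "403 page denied"
    if transfer is not None and not transfer_allowed(user, *transfer):
        return "403 transaction denied"
    return "200 ok"


if __name__ == "__main__":
    alice = User("alice", frozenset({"customers"}), "external")
    print(handle_request(alice, "/app/accounts/transfer", ("alice", "ACC-1001")))
    print(handle_request(alice, "/app/accounts/transfer", ("alice", "ACC-9999")))
```

The point of separating the layers is the one the chapter makes: the group and channel decision is coarse and uniform, so it belongs in the reverse proxy, while the transfer decision needs business data the proxy does not have, so it stays in the application.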
16.5 Implementation architecture
We start from a working environment in which Access Manager is already configured. The Access Manager Policy Server is installed in the production network, the WebSEAL machines are part of the external infrastructure, and all incoming HTTP/HTTPS Web requests are directed to the WebSEAL servers in the DMZ.

The new system architecture also requires installing some additional components, in particular new WebSEAL servers for internal access control. The application may need some restructuring for some of the controls, especially to transfer some of the WebLogic controls (such as roles) to Access Manager. Although this is done without affecting the application code, it is worth mentioning that any further control should now rely on Access Manager. Figure 16-2 on page 370 shows the new system architecture that we use, with additional WebSEAL servers in the internal network, making the intranet path controlled by