Security in your Software-as-a-Service (SaaS) Application
‘Credit Crunch’ might be the favourite buzzword of the moment, but ‘Security’ and ‘Software as a Service’ are not very far behind. Ok, they’re a long way behind ‘will I lose my house’ or ‘will I have a job tomorrow’, but you get the idea. So I’m proud to be associated with this article by Max and Chicco, even in a very minor way (as a reviewer).
Here’s the 2 minute overview of Securing a multi-tenant SaaS Application, just published on IBM developerWorks.
- Software as a Service (SaaS) has a great pitch: let us host your software for you, cheaper and with less hassle than managing it yourself.
- Most SaaS companies host multiple clients (tenants) on one server, which brings new security concerns: one tenant’s users must never be able to see or act on another tenant’s data.
- LDAP (similar to Windows Directory) is a standard already in wide use for Authentication (making sure people are who they say they are).
- Spring Security (aka Acegi) is a widely used Authorisation toolkit, i.e. making sure those people only do the things they are allowed to do.
- The article shows you how to bring SaaS, LDAP and Spring Security together to get secure, scalable, hosted applications using the very best in widely understood technologies.
Of course, I’m not going to spill the beans on how exactly they do it; for that you’re going to have to hotfoot it over to the IBM Developerworks website.
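To make the multi-tenant concern above concrete, here is an added illustration (my own, not code from the developerWorks article) of why an authorisation check in a shared-server SaaS application must look at the tenant as well as the role. It assumes a directory layout with one organisational unit per tenant and uses a small constructed in-memory stand-in for the LDAP lookup.

```python
# Added example: tenant-aware authorisation over an LDAP-style tree.
# Not the article's code; the per-tenant OU layout and the in-memory
# "directory" are constructed assumptions for illustration only.
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory: each tenant is an ou=, and each entry
# carries the roles an LDAP group lookup would normally return.
DIRECTORY = {
    "uid=alice,ou=acme,dc=saas,dc=example":   {"tenant": "acme",   "roles": {"ROLE_ADMIN"}},
    "uid=bob,ou=acme,dc=saas,dc=example":     {"tenant": "acme",   "roles": {"ROLE_USER"}},
    "uid=carol,ou=globex,dc=saas,dc=example": {"tenant": "globex", "roles": {"ROLE_ADMIN"}},
}


@dataclass(frozen=True)
class Resource:
    tenant: str   # which hosted client owns this object
    name: str


def tenant_of(dn: str) -> Optional[str]:
    """Derive the tenant from the DN's ou= component (assumed layout)."""
    for rdn in dn.split(","):
        key, _, value = rdn.partition("=")
        if key.strip().lower() == "ou":
            return value.strip()
    return None


def authorise_role_only(dn: str, required_role: str) -> bool:
    """The weak check: a role is treated as global across all tenants."""
    entry = DIRECTORY.get(dn)
    return entry is not None and required_role in entry["roles"]


def authorise(dn: str, resource: Resource, required_role: str) -> bool:
    """The hardened check: the caller must hold the role AND belong to the
    tenant that owns the resource. An admin of one tenant is nobody in another."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        return False
    if required_role not in entry["roles"]:
        return False
    # Cross-check the DN's ou= against the stored tenant and the resource owner.
    return tenant_of(dn) == entry["tenant"] == resource.tenant
```

With the role-only check, carol (an admin at globex) would pass for acme’s resources; the tenant-aware check denies her while still admitting alice.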

“LDAP (Similar to Windows Directory)” Are you serious?
Comment by honk — October 12, 2008 @ 11:23 pm
@Honk
At a superficial level (in the same way a Ferrari is similar to a Ford) yes.
Both provide tree like structures for the retrieval of (user) information. Windows Directory (what you are usually checked against when you login to your PC in a corporate environment) implements the LDAP standard, so can be a provider of this information should you choose. The article uses Apache Directory, so feel free to comment on which you think is best, and why!
Paul
Comment by Paul Browne — October 12, 2008 @ 11:33 pm
Nice! Chicco and Max did a great job. I’m also interested in using OpenID for authentication in SaaS offerings. LDAP could still be involved in some way, I suppose, say for grouping or roles or something similar.
Comment by Adam Monsen — October 14, 2008 @ 3:31 am
Adam - I’ve just realized that the new theme on this blog is exactly the same as yours. Sorry about that.
Had the pleasure of working with Max and Chicco in a previous life. They had to put up with 3 months of ‘why don’t you write an article about that’ and instead of ignoring me (as most people do when I say that) they actually spent the time to put the article together.
Paul
Comment by Paul Browne — October 14, 2008 @ 8:22 am
“LDAP (Similar to Windows Directory)”
“in the same way a Ferrari is similar to a Ford”
I believe here we are comparing a brand new top of the range Ferrari with an older, entry level Ford model which requires some tinkering under the hood to gain MOT status!
http://www.backupanytime.com/whitepaper.htm
Comment by John O'Neill — November 3, 2008 @ 6:34 pm