Chapter 14. Building End-to-End Security ArchitectureA Case Study

Topics in This Chapter

• Overview

• Use Case Scenarios

• Application Architecture

• Security Architecture

• Design

• Development

• Testing

• Deployment

• Summary

• Lessons Learned

• Pitfalls

• Conclusion

The objective of this case study is to use a simplified real-world example of a Web portal to illustrate how to define and implement an end-to-end security solution using the security design methodology, design patterns, and best practices introduced in this book. Real-life business scenarios are usually complex and may be full of many constraints that are difficult to generalize for a case study. This case study is intended to encapsulate the complexity of a typical multi-tier application environment that includes J2EE applications, Web services, identity management, and external integration with partner business services. It will articulate a software design process that proactively captures all security requirements and defines an end-to-end security design and implementation model addressing all required security considerations. It will also illustrate how to identify risks; balance trade-offs; identify and apply security patterns; and perform factor analysis, tier analysis, threat profiling, and reality checks. You will learn how to adopt a patterns-driven security design process, the best practices and pitfalls and how to align the security of the different logical tiers together to deliver end-to-end security of the entire Web portal solution.

This security architecture and its design patterns apply to generic J2EE-based and Web services applications and does not require any specific vendor implementations. Sample artifacts and Java program code excerpts for the security patterns relevant to the case study are available for download at http://www.coresecuritypatterns.com.