How to characterize IBM FileNet P8 content Query and storage with the Java Security API

This paper is divided into two parts, the first part expounds the security mechanism of FileNet content Engine; The second part illustrates how to use the security-related Java API to set security, which guarantees the security of the stored content.

FileNet Content Engine Security mechanism Introduction

FileNet content Engine is one of the core modules in FileNet P8 system, which is mainly responsible for contents storage and content management. Content Engine provides a range of services in an object-oriented container to support enterprise content management and customer customization objects. Content Engine creates relationships between these numeric objects and then manages their respective builds and lifecycles. Content Engine can manage access to business objects in different distributed environments, and can maintain information about the behavior, attributes, and attributes of these objects.

Because different users can have different permissions on different objects, the FileNet content Engine uses a series of security models to secure the storage content, which is mainly divided into the following sections:

FileNet Content Engine Authenticatio (authentication): Includes JAAS and ws-security two ways.

FileNet Content Engine Authorization (authorized): FileNet content Engine Domain security.

Mainly includes User and Group in FileNet Content Engine, ACE (Access control Entries), ACLs (Access control List), safety evaluation order, security Policie S,markings and marking Sets.

Here are some of the following:

FileNet Content Engine Authentication

Authentication is the act of authenticating a user's identity based on a user's credentials. Certification to do is to answer: Who is the user? Is the current user really the role he represents? Authorization is the act of continuing after authentication, and the authorization to do is to determine whether a user is authorized to access a resource or perform an operation.

In the authentication process for FileNet P8, there are two criteria that are at the core, namely, the Java authentication and Authorization Service (JAAS) Standard and Web Services secur ity standard.

JAAS Overview

JAAS provides a policy-based, reliable, and secure framework; With this pluggable framework, applications, such as Content Engine, can be independent of the underlying authentication technology.

The client program needs to obtain the JAAS Subject before invoking the content Engine Java API, and invokes the content Engine EJB by interacting with the content Engine Java API. The client's JAAS Subject is transparently passed through each EJB invocation to the Java EE Application Server side, the server-side validates the JAAS Subject, and then approves the caller's identity before the caller can execute the code in the Content Engine EJB. When Content Engine Authenticated users, JAAS interacts with the Directory service providers to verify that the user is legitimate.

Ws-security Overview

The core of Web service is XML, through Web service, different types of systems can communicate. FileNet provides a WEB service interface in the Content Engine service, which supports various types of connections.

One of the core standards of Web Service is the ws-security standard. The Ws-security Web service defines three main security mechanisms: Secure token propagation, message integration, and message confidentiality. Ws-security provides configuration files that define how different types of security credentials are formatted and inserted into a Web service message.

Certification Framework for Content Engine

Content Engine is deployed in the Java EE application and can be published in one or more Java EE application Server instances. The core components of this application are:

Content Engine Web Service listener: This listener is stored in the Web container of the application server with a servlet-based application package; The request from the Web service is ws-security hea The ders process is passed to the Content Engine EJB layer, as shown in the following illustration: