High Level Arthitecture

Architecture of Preallowed® Distributed Authorization Service

Root Locus, Inc. Preallowed® is built on a single, Web 2.0 standards-based, high-performance architecture that scales to support the largest global enterprises and the Internet. A common set of compliance services that include workflow, risks repository, business process modeling, and analysis engines, enable efficient cross-enterprise compliance management from a single solution, independently of any underlying application. J2EE standards-based architecture allows Root Locus, Inc. Preallowed® applications to run on the J2EE-based platforms. The best way to describe the Preallowed® architecture is through analyzing how applications address authorization traditionally as well as what our competitors offer for a solution and finally describing what we are proposing and what will be the benefits of using our service.

Existing (Traditional) Authorization Architecture

Most of the existing applications sooner or later will have to face a challenge of implementing a way of providing an authorized access to a set of resources. The resources might include but not limited to specific file types (JSP, images, PDF documents, multimedia content), data storage, and variety of different input/output devices.

The easiest way is to implement some authorization module that will encapsulate the authorization rules. The business logic module will consult the authorization module that will grant or deny the access to any specific resource or a group of resources for a specific user or a user that belongs to a specific role. This approach is very straight forward and usually does not require a lot of investment. It starts to break down when the company has to implement the same authorization module for every new application. The reusability quickly becomes a factor which results in higher maintenance costs.

What's even more important is that the desired level of protection for corporate assets is more difficult to maintain when the number of applications is increasing. It is more likely that some user with limited permissions will get unauthorized access to some resource that might result in height legal settlement cost.

Existing Competitors’ Architecture.

A good way to address the problems that traditional systems face is to separate the authorization logic into a globally accessible remote service. Some companies choose to build the solution of this kind in house; the others purchase a 3rd party vendor's system. In this case the authorization logic is totally decoupled from the application logic and is encapsulated in a module that acts as a black box.

The authorization subsystem has internal credential store that defines roles, permissions, subjects and the relationships between them. The maintenance of this system is better comparing to a traditional authorization solution bundled into the application. Still the solution presents some challenges that can not be ignored. The subsystem has a well defined interface that the applications requiring the authorization will have to use. Usually the interface to the authorization subsystem is proprietary which restricts the applications flexibility. The authorization system of this kind requires a full time staff trained to support a it and manage the credentials store database either directly or through some administrative interface either built in-house or provided by the vendor as a part of the solution. Since the authorization subsystem has to be installed in-house on the customer’s infrastructure, the infrastructure has to meet the vendor’s requirements which might be difficult and will introduce additional costs. Also, since this solution is running on the customers infrastructure, it will put additional load requirement, for instance it will require more hard disk space, more memory, more space allocated in the database for a storing credentials which also has cost implications.

Proposed Preallowed® Architecture

Preallowed®, the authorization solution proposed by the Root Locus, Inc., tries to address the areas of concern described in the previous architecture types.

Preallowed® is implemented as a global distributed Web 2.0 service hosted at the preallowed.com domain. Preallowed® will expose its services via a variety of different interfaces. Initially we will offer the most commonly used interfaces implemented as Servlet Adapter, Web Services Adapter, and RMI Adapter. In the future, more adapters implementing specific interfaces will be added depending on customers’ needs and software evolution. Our service will be made available to any programming platform (Java/J2EE, .NET, etc...) and will support any type of application (either classical web application or a standalone desktop application).

Like competitors’ solutions, the Preallowed® service totally decouples the customers’ application logic from the authorization procedures. It also decouples the customers’ infrastructure from the authorization service infrastructure optimizing the load requirements for the clients’ applications, leaving more room for growing clients’ business processes. Authorization requests to the service happen over the Internet. To address privacy issues introduced by WWW communication layer, the requests will be encrypted using the strongest encryption protocol available. To prevent the “man in the middle” intrusion, all the messages will be digitally signed as well. Subscribing customers will have to alter their application code to delegate authorization request Preallowed® service. In case of a web application, for instance, all the clients’ application requests are intercepted with a servlet filter that will delegate authorization calls to Preallowed® service and will either grant or deny a page for viewing.

Preallowed® service will assure high availability to address customers’ needs for 24/7 operation mode. Credentials data store is maintained in Preallowed® facilities. Clients will be able to manage their credentials through a web application offered as a part of the solution. The web site will be hosted at http://www.preallowed.com URL and will be implemented as a Web 2.0 application using latest available technologies. Each client will maintain a set of accounts to manage their applications’ credentials. Every individual client data will be protected from other clients. The clients will be able to obtain detailed access log and other types of statistical reports offered for viewing at http://www.preallowed.com.