Open Source at ICW: SAF in SourceForge
The Security Annotation Framework - An open source instance-level access control framework
Abstract
This article provides an overview of how open source software is incorporated into the development process at InterComponentWare AG (ICW). It includes an example of a project that is hosted on SourceForge.net called the Security Annotation Framework (SAF), which is an instance-level access control framework developed by ICW. You can learn how an annotation-driven approach to instance-level access control promotes the separation of an application's security logic from its business logic.
There are a number of aspects to open source at ICW, including the use of third-party open source software components, the use of open source development approaches, and contributions to external open source projects. ICW also contributes internally developed software back to the open source community.
Using open source, ICW has built an adaptable, customizable, and modular ICW eHealth Framework (eHF). SAF was created within the context of the eHF security modules to address specific security requirements.
This article is aimed at experienced Java developers who are familiar with the Spring Framework, Java annotations, the Java Authentication and Authorization Service (JAAS) and Aspect Oriented Programming (AOP). See the Additional Resources section if you want to read more on these topics.
ICW's Open Source Approach to Software Development
One of ICW's product lines is currently implementing an internal open source approach to software development. This approach will be used to allow developers at ICW working across different product lines and in various locations to share responsibility for elements of ICW's technology platform.
Using an open source development approach lets ICW build an adaptable, customizable and standards-based framework on top of which healthcare solutions can easily be developed and deployed. This approach helps to increase transparency and collaboration in the development process.
Open Source Software used internally at ICW
Many open source software components are used in the development of ICW's software such as application development frameworks, lightweight containers, persistence frameworks, build management tools and version control tools.
Some of these open source software components are:
- Apache Axis - web services
- Apache HTTP Server - web server
- Apache Tomcat - servlet container
- Maven - build environment
- The Spring Framework - web application framework
How does ICW contribute to the Open Source Community?
Recently ICW started an open source project called the Security Annotation Framework (SAF), which is an instance-level access control framework driven by Java 5.0 annotations. It can be easily integrated into Spring Framework applications and is primarily used to control access to domain object instances. SAF security annotations define locations in the source code where the SAF shall perform permission checks at runtime. The SAF project, which is hosted on SourceForge, is the first of its kind for ICW. It is available under the Apache 2.0 license.
The Security Annotation Framework
The Security Annotation Framework (SAF) is a generic framework for processing security annotations on Spring beans and domain objects, and it can be used to enforce access decisions for individual domain object instances. An annotation-driven approach to instance-level access control provides security functionality beyond the standard security services available in Java EE.
Take, for example, a Personal Health Record (PHR) that runs on top of the eHF. A record owner has authorized a professional user to access one specific document, but not the other documents in the record owner's PHR. Whether the professional user opens the authorized document or one of the others, the same Java method is called, yet the required outcome of the access decision differs. The SAF addresses this requirement by allowing instance-based authorization decisions: in this example the decision is based on the specific document being accessed, so the expected outcome is achieved.
The SAF complements Java EE security with instance-level access control concepts and has been implemented to leverage the underlying JAAS services. Because the checks are declared through annotations rather than coded into the business methods, SAF significantly increases the testability and reusability of application components. It also allows instance-level access control features to be added to applications without modifying the existing business logic, and it can be used with any authorization provider.
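The PHR scenario above, as an added illustration that is not SAF's own code: a hypothetical @CheckInstance parameter annotation marks the document argument, a JDK dynamic proxy stands in for the AOP interceptor, and an AccessManager decides per Document instance, so the same read() method yields different outcomes for different documents. The annotation name, the Document record and the reader lists are constructed for this example.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.*;

public class InstanceLevelAccessDemo {
    // Hypothetical annotation marking a parameter whose instance must be authorized; not SAF's own API.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.PARAMETER)
    @interface CheckInstance { String action(); }

    // A PHR document carrying its own list of authorized readers (constructed sample data).
    record Document(String id, Set<String> readers) {}
    // Business interface: one read() method serves every document and contains no security logic.
    interface DocumentService { String read(@CheckInstance(action = "read") Document doc); }
    static class DocumentServiceImpl implements DocumentService {
        public String read(Document doc) { return "content of " + doc.id(); }
    }

    // The access decision depends on the concrete Document instance, not only on the method called.
    interface AccessManager { boolean permits(String user, String action, Object instance); }

    static class ReaderListAccessManager implements AccessManager {
        public boolean permits(String user, String action, Object instance) {
            return instance instanceof Document d && "read".equals(action) && d.readers().contains(user);
        }
    }

    // Interceptor (a JDK dynamic proxy standing in for AOP advice): inspects the parameter
    // annotations and consults the AccessManager before the business method runs.
    @SuppressWarnings("unchecked")
    static <T> T secure(Class<T> iface, T target, AccessManager am, String user) {
        return (T) Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[] {iface}, (p, m, args) -> {
            Annotation[][] pa = m.getParameterAnnotations();
            for (int i = 0; i < pa.length; i++)
                for (Annotation a : pa[i])
                    if (a instanceof CheckInstance ci && !am.permits(user, ci.action(), args[i]))
                        throw new SecurityException(user + " may not " + ci.action() + " " + args[i]);
            return m.invoke(target, args);
        });
    }

    public static void main(String[] argv) {
        Document authorized = new Document("doc-1", Set.of("dr.smith"));
        Document other = new Document("doc-2", Set.of("dr.jones"));
        DocumentService svc = secure(DocumentService.class, new DocumentServiceImpl(), new ReaderListAccessManager(), "dr.smith");
        System.out.println(svc.read(authorized));   // permitted: dr.smith is a reader of doc-1
        try { svc.read(other); } catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```

Requires Java 16 or later (records and pattern matching for instanceof); run with `java InstanceLevelAccessDemo.java`.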
SAF Article
Martin Krasser (ICW ProfessionalGate) has also published an article on enterprise security based on the SAF in Java Magazin issue 7.2007 (available since June 6th). This article gives an introduction to security architectures and explains how to implement instance-level access control features in applications using the SAF and Java Authentication and Authorization Service (JAAS) extensions.
Next Steps
You can find more documentation on the SAF project in SourceForge. The following topics are covered:
- Architectural Context
- Annotations
- Access manager
- Configuration
There is also a documented sample application included in the material called Hello SAF, which demonstrates usage of the framework. The next version of SAF, version 0.8.1, will be released in July 2007.
Additional Resources
- SAF SourceForge Project: This is the homepage of the Security Annotation Framework project on SourceForge.net.
- JDK 5.0 Documentation: Java annotations are a way to add metadata to source files. This link is part of the online documentation provided by Sun Microsystems.
- The Spring Framework: This site provides an overview of the Spring framework and related technologies like Aspect Oriented Programming (AOP).
- Aspect Oriented Programming: You can find out more information about AOP here.
- Java Magazin: M. Krasser, Instanzbasierte Zugriffskontrolle, JavaMagazin 7.2007.
- Apache 2.0 License