Security is one of the biggest problems facing Web-application development. Among other worries, the diversity of Web clients means that Web development must account for the differing capabilities and limitations of the various clients (browsers) accessing an application. When management learns the word "extranet,"the problems multiply as outside stakeholders gain access to previously internal systems. IBM Corp. attempts to address security-and configuration-management obstacles with its SecureWay On-Demand Server (ODS).
ODS is one of a suite of electronic-business applications from IBM. Last week, the InfoWorldTest Center's Maggie Biggs reviewed IBM's SecureWay Host-On-Demand 4.0, a Web-to-host connectivity product. (See "IBM HOD 4.0 gets security boost," September 20.)ODS consists of two pieces. The first part is a Java API that allows developers to integrate ODS functionality into a Java application. The second part is an environment for deploying and managing the completed application and providing user access to it. This environment is a complete framework for managing user profiles and for providing client access control and profile-based application customization. The framework includes users, groups, servers, and applications managed by ODS.
ODS provides two layers of management. First, administrators control which users have access to what pieces of an application. An administrator can even control which data fields users can access. Second, users can customize their environments further to accommodate their needs or the limitations of the browsers they employ. These two layers of management make for a complete framework, but the framework comes at a price: significant complexity and some product immaturity. ODS suffered from some annoying glitches during my testing.
In its basic configuration, ODS requires a Lightweight Directory Access Protocol (LDAP) server as well as a DB2 database, simply for its own use. After installing the product, I discovered that I needed to set up the user account db2admin, something that isn't clearly explained in the documentation. This virtually ensures that ODS won't successfully start up after the requisite NT reboot.
If you're developing on the cutting edge, using Java to produce applets, servlets, or application server-based applications, the framework that ODS provides can help you manage a critical aspect of application deployment and management. However, you will find that you need to carefully manage the browsers deployed by ODS to avoid compatibility problems. If your Web development is in a more traditional HTML-CGI or ASP mode, you might find that ODS isn't worth the effort for the limited use you'll get from it.
Eric Hammond (firstname.lastname@example.org) is a free-lance writer and a developer at Viewmark, a new-media design firm in Englewood, Colorado.
THE BOTTOM LINE: FAIR
IBM SecureWay On-Demand Server 2.0
Summary: Putting together and managing user access to Web applications is a complex process. With SecureWay On-Demand Server (ODS), IBM attempts to give Web-application developers (especially those working with Java) and administrators an environment for managing user access. It allows you put access control in front of an application, providing security as well as application elements customized for a particular user's environment. Though the product provides a good security framework, it is complex, and my testing uncovered some glitches that soured my experience.
Business Case: ODS attempts to solve a problem that otherwise might require writing a lot of custom software or compromise business needs in fitting the solution into traditional Web-authentication models. On the flip side, however, these traditional models may solve a significant percentage of access issues without the added complexity and cost of ODS.
+ Java-based product provides broad platform support+ Standards-based approach allows easier integration with existing applicationsCons:
- Assumes cutting-edge development and deployment environment- Many pieces add to development and administration complexity- Some documentation and software glitchesCost: US$89 per server; $79 per seat. "Soft" costs: learning period and time spent developing applications for the ODS API.
Platform(s): Web servers: IBM HTTP Server, Apache server, Lotus Domino Go, Microsoft IIS, Netscape Enterprise and FastTrack Servers. Operating systems: Windows NT 4.0, AIX 4.3, OS/390 R5, Solaris