Where to store the user credentials in an enterprise application(EAI)

 
Ranch Hand
Posts: 37
We are developing an Event Notification Service. The application at a high level looks like below:



Our development scope involves the widget and the ENS.

"ENS" acts as a central point of collection for certain types of events that are of interest to users. Any user who wants to know when these types of events occur registers with ENS, which identifies events in order and matches notifications with subscriptions.

The user who wants to subscribe should be a valid user of the integrated application (DB, SAP system, etc.).

The sequence of events:



ENS are the web-services.

ENS polls the SAP (and other applications), and this is where the problem is becoming more complex. In SAP there is data-level authorization, so not all users are allowed to see all the events/data.

If the SAP has PUSHed the data, along with the info of the users who are authorized to see it, then there are no issues at all.

Case 1: Scheduler is initiated by the ENS

1. The user subscribes to a subscription. At the time of subscription, the user is checked for his authorization in the SAP system. If OK, then he will be allowed to subscribe.
2. The scheduler runs at the scheduled time.
3. The scheduler identifies the users who are subscribed.
4. The scheduler uses the stored credentials of the users (stored in ENS) to POLL whether the event occurred.
5. Notify users if there are changes.

Disadvantages here:

* User credentials are stored somewhere external - the security team might not accept it
* Redundant hits if more than one user is subscribed to the same piece of information

Case 2: Scheduler is initiated by the WIDGET. User creds will be stored on the user's local machine only. Disadvantages:

* If the subscription is daily and the user's system/widget is not up, the user might miss the notifications that happened on, say, weekends.
* Redundant hits to the server if more than one user is subscribed to the same piece of information.

My questions/doubts:

What are the best practices for storing the users' DB, SAP, etc. credentials?

How often should the user be authenticated? Should it be every time the messages are delivered? (If I use this strategy, it will affect the source system.)


 
Bartender
Posts: 2661
I have moved this question to our Security forum.
Although it fits in several of our forums, this is the one where you can get the safest and most secure advice.
 