SAP Mobile Platform Security Framework

SAP Mobile Platform delegates the functions of storing and maintaining users and access control rules to the enterprise’s existing security solutions. It uses a plug-in model to delegate the security checks to the configured providers that use the CSI component.

CSI has a service provider plug-in model that integrates with the customer’s existing security infrastructure. If none of the default providers shipped with SAP Mobile Platform meets your security needs, you can implement a custom login module, authorizer, and attributer that interface with the security back-end of your choice, and plug them into SAP Mobile Platform, as long as they implement the interfaces described in this section.

Administrative access to the SAP Mobile Platform server and the domains is controlled by the providers in the “admin” security configuration. Access to the packages deployed in the various SAP Mobile Platform domains is controlled by the security configuration associated with each package. Different message-based synchronization (MBS) subscriptions and mobile business object (MBO) operations in a package may require different roles to access them. At runtime, user authentication and the role requirements are enforced by the security configuration associated with the package. The security configuration includes authentication, authorization, attribution, and audit providers.

A CSI SecContextFactory instance is associated with a single security configuration in SAP Mobile Platform and is cached to avoid the overhead of creating and initializing the factory for each authentication. A separate SecContext instance is created for each client authentication request, and is saved for the duration of the client connection. For example, a replication-based synchronization (RBS) session involves authenticating the user, the begin sync event, and the end sync event. For MBS, each message sent by the client results in a separate session in SAP Mobile Platform that triggers user authentication, and an authorization check to verify the user’s authority to execute the operation and method invocation requested in the message.
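The lifecycle described above, modeled as an added example that is not SAP Mobile Platform or CSI code: one cached factory per security configuration, one context per authentication request, with RBS reusing its context for the whole session and MBS authenticating and authorizing every message. The class and function names only mirror the terms in the text; the "sales" configuration, user, roles and operations are constructed, and the in-memory user table stands in for the enterprise back end.

```python
import hmac
import threading

# Constructed data: one security configuration with its users and the role each
# MBO operation requires. Every name and value here is hypothetical.
CONFIGS = {"sales": {
    "users": {"alice": ("s3cret", {"SalesRep"})},
    "required_role": {"Order.create": "SalesRep", "Order.approve": "Manager"},
}}

class SecContext:
    """Per-request context: holds the outcome of one authentication."""
    def __init__(self, config):
        self.config, self.roles, self.authenticated = config, set(), False

    def authenticate(self, user, password):
        stored, roles = self.config["users"].get(user, ("", set()))
        self.authenticated = bool(stored) and hmac.compare_digest(
            stored.encode(), password.encode())
        self.roles = set(roles) if self.authenticated else set()
        return self.authenticated

    def authorize(self, operation):
        # Deny by default: unknown operations and missing roles both fail.
        role = self.config["required_role"].get(operation)
        return self.authenticated and role is not None and role in self.roles

class SecContextFactory:
    def __init__(self, config):
        self.config, self.contexts_created = config, 0

    def new_context(self):
        self.contexts_created += 1
        return SecContext(self.config)

_factories, _lock = {}, threading.Lock()

def factory_for(name):
    """One factory per security configuration, built once and then reused."""
    with _lock:
        if name not in _factories:
            _factories[name] = SecContextFactory(CONFIGS[name])
        return _factories[name]

def rbs_session(name, user, password):
    """RBS: a single context covers authentication, begin sync and end sync."""
    ctx = factory_for(name).new_context()
    return ["authenticate", "begin sync", "end sync"] if ctx.authenticate(user, password) else []

def mbs_messages(name, user, password, operations):
    """MBS: every message gets its own context, authentication and role check."""
    return [(ctx := factory_for(name).new_context()).authenticate(user, password)
            and ctx.authorize(op) for op in operations]
```

In this model the factory's `contexts_created` counter rises by one for an RBS session and by one per message for MBS, which is the per-message authentication cost the factory cache is meant to keep small.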