Authorize Architecture
Authorize is built upon a proven architecture
that can scale from complete deployment on a single
server to a multi-tier deployment with different components
deployed on many federated servers. It contains the
following components, which can be deployed in a configuration
to suit your needs.
Broker
The Policy Enforcement Point (or PEP). This is a client
convenience component that submits Authorisation Requests
specific to the client's application. If Authorize is
being integrated directly with an application, then
this component, written in the language of choice, is
used to interact with Authorize. Authorize comes with
some pre-built brokers. In the case where Authorize
is being plugged into an application server, for example
as a JAAS plug-in, the broker is not required.
In this case Authorize can provide a superset of JAAS
functionality without any source code changes.
Agent
The Policy Decision Point (or PDP). This is mainly
a rules-based engine that processes each Authorisation
Request against the Actor's Authorisation Attribute
Certificate (AAC). That certificate is either included
in the Authorisation Request (PUSH model) or issued
by the Issuer subsequent to a request submitted by the
Agent. Certificates are cached on the agent to enable
very fast response times.
Attribute Certificate Server (ACS)
This is an AAC cache. It is optional, and if present,
is aimed at reducing the workload on the Repository
(and its Issuers). Even though each Agent has its own
cache, this component ensures multiple Agent requests
for the same certificate are honoured quickly.
Repository (and its Issuer(s))
This is where the authorisation-related information
is stored. Requests to issue AACs are received by the
Issuer(s), while data manipulation of the authorisation-related
information is done through Console(s).
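The Agent, ACS and Repository sections above describe one decision flow: the PDP evaluates each Authorisation Request against the actor's AAC, which either arrives with the request (PUSH) or is fetched from the Issuer by way of the ACS and Agent caches. The following Python model is an added example, not code from Authorize, and everything in it is constructed: the class names, the policy table keyed by (resource, action), the actors, and an HMAC standing in for the Issuer's signature on the certificate. It also makes explicit the check a PDP needs in the PUSH case: a certificate supplied by the client is only honoured after its integrity and validity period have been verified against the Issuer's key, so a client cannot assert roles the Repository never granted.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed key standing in for the Issuer's signing key (hypothetical;
# a real AAC would carry an issuer signature rather than an HMAC).
ISSUER_KEY = b"constructed-issuer-key"


@dataclass(frozen=True)
class AAC:
    """Authorisation Attribute Certificate: actor, roles, expiry, issuer MAC."""
    actor: str
    roles: Tuple[str, ...]
    not_after: float
    signature: str


@dataclass
class AuthorisationRequest:
    actor: str
    resource: str
    action: str
    certificate: Optional[AAC] = None  # present => PUSH model


def _mac(actor: str, roles: Tuple[str, ...], not_after: float) -> str:
    payload = json.dumps([actor, list(roles), not_after]).encode()
    return hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()


def certificate_is_valid(cert: AAC, now: float) -> bool:
    """Integrity check plus validity period; applied to pushed and pulled AACs alike."""
    expected = _mac(cert.actor, cert.roles, cert.not_after)
    return hmac.compare_digest(expected, cert.signature) and cert.not_after > now


class Issuer:
    """Issues AACs from the Repository's role data; counts issues so the
    effect of the ACS and Agent caches is observable."""
    def __init__(self, repository: dict, ttl: float = 300.0):
        self.repository, self.ttl, self.issued = repository, ttl, 0

    def issue(self, actor: str, now: float) -> Optional[AAC]:
        roles = self.repository.get(actor)
        if roles is None:
            return None
        self.issued += 1
        roles = tuple(sorted(roles))
        not_after = now + self.ttl
        return AAC(actor, roles, not_after, _mac(actor, roles, not_after))


class ACS:
    """Attribute Certificate Server: shared AAC cache in front of the Issuer."""
    def __init__(self, issuer: Issuer):
        self.issuer, self.cache = issuer, {}

    def fetch(self, actor: str, now: float) -> Optional[AAC]:
        cert = self.cache.get(actor)
        if cert is None or not certificate_is_valid(cert, now):
            cert = self.issuer.issue(actor, now)
            if cert is not None:
                self.cache[actor] = cert
        return cert


class Agent:
    """Policy Decision Point with its own per-Agent AAC cache."""
    def __init__(self, policy: dict, acs: ACS):
        self.policy, self.acs, self.cache = policy, acs, {}

    def decide(self, req: AuthorisationRequest, now: float) -> bool:
        cert = req.certificate
        if cert is not None:
            # PUSH: the client's certificate is checked before it is trusted.
            if cert.actor != req.actor or not certificate_is_valid(cert, now):
                return False
        else:
            # PULL: local cache first, then the ACS (which asks the Issuer on a miss).
            cert = self.cache.get(req.actor)
            if cert is None or not certificate_is_valid(cert, now):
                cert = self.acs.fetch(req.actor, now)
                if cert is None:
                    return False
                self.cache[req.actor] = cert
        allowed = self.policy.get((req.resource, req.action), set())
        return any(role in allowed for role in cert.roles)


def demo() -> dict:
    """Constructed scenario: pull, caching, a forged push, a genuine and an expired push."""
    repository = {"alice": {"clerk"}, "bob": {"auditor"}}
    policy = {("/accounts", "read"): {"clerk", "auditor"},
              ("/accounts", "write"): {"clerk"}}
    issuer = Issuer(repository)
    acs = ACS(issuer)
    agent = Agent(policy, acs)
    now = 1_000_000.0
    out = {}
    out["pull_alice_write"] = agent.decide(AuthorisationRequest("alice", "/accounts", "write"), now)
    out["pull_bob_write"] = agent.decide(AuthorisationRequest("bob", "/accounts", "write"), now)
    out["agent_cache_hit"] = agent.decide(AuthorisationRequest("alice", "/accounts", "read"), now + 10)
    forged = AAC("bob", ("clerk",), now + 1000, "00" * 32)  # client-asserted roles, bad MAC
    out["forged_push"] = agent.decide(AuthorisationRequest("bob", "/accounts", "write", forged), now)
    pushed = issuer.issue("bob", now)
    out["genuine_push"] = agent.decide(AuthorisationRequest("bob", "/accounts", "read", pushed), now)
    out["expired_push"] = agent.decide(AuthorisationRequest("bob", "/accounts", "read", pushed), now + 301)
    second_agent = Agent(policy, acs)  # different Agent, same ACS: served from the ACS cache
    out["acs_cache_hit"] = second_agent.decide(AuthorisationRequest("alice", "/accounts", "read"), now + 20)
    out["issued"] = issuer.issued
    return out
```

Running `demo()` shows the Issuer being asked only three times across eight decisions: the two pull misses and the one certificate issued for the push case. The repeat request on the first Agent is served from its own cache, and the second Agent's request is served from the ACS, which is the workload reduction the ACS section describes. The forged and expired pushed certificates are both refused before any policy lookup.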
Administration Console
One or many Consoles are used to create and manage
authorisation policies. In addition to the Console,
existing policy information, such as that stored in a
JAAS policy file, can be imported, resulting in automatic
creation of users, roles, permissions, etc.