Web Access Management - Architectures

Architectures

There are two different types of architectures when it comes to web access management architectures: plug-in (or web agent) and proxy.

Plugins are programs that are installed on every web/application server, register with those servers, and are called at every request for a web page. They intercept the request and communicate with an external policy server to make policy decisions. One of the benefits of a plugin (or agent) based architecture is that they can be highly customized for unique needs of a particular web server. One of the drawbacks is that a different plugin is required for every web server on every platform (and potentially for every version of every server). Further, as technology evolves, upgrades to agents must be distributed and compatible with evolving host software.

Proxy-based architectures differ in that all web requests are routed through the proxy server to the back-end web/application servers. This can provide a more universal integration with web servers since the common standard protocol, HTTP, is used instead of vendor-specific application programming interfaces (APIs). One of the drawbacks is that additional hardware is usually required to run the proxy servers.

Solutions like CA SiteMinder typify the agent-based approach - although CA SiteMinder offers a proxy option; Novell Access Manager and maXecurity from P2 Security employ a proxy approach.