Entegrity has taken a different approach to building a Web authentication and authorization product by targeting developers of new application Web sites. The company offers versatile, prepackaged servlets, and the AssureAccess management console seems geared toward developers rather than administrators. Its performance, however, was disappointing: our environment was able to handle 2,400 simultaneous connections, but the average response time was a staggering 44 seconds per page.
After installing Sun Microsystems' latest JDK and Allaire's JRun application server, we modified the schema on our Netscape LDAP server to reflect the AssureAccess integration. We transferred the AssureAccess variables manually into the schema file on our LDAP server. The process was simple, but we were surprised that AssureAccess lacks a tool to automate the schema update. The rest of the server product installation was smooth.
Rather than defining Web resources first (as we did with the other products), we defined a set of access rules based on the authentication provider and user. We then tied these rules together into policies that were assigned when we defined the new Web resource. With AssureAccess, Web resources can be URLs or J2EE (Java 2 Platform, Enterprise Edition) components (such as Enterprise JavaBeans).
AssureAccess integrates tightly with new and existing Web applications; we had little difficulty tying it to our ASP environment. We compiled the prepackaged COM (Component Object Model) source code with the Microsoft JDK and found it easy to request AssureAccess session information, such as the current user name for our ASPs. Requesting this information was useful for retrieving existing user preferences stored in our Microsoft SQL database. The other products we tested use similar methods for API calls or use HTTP header variables to perform the same function. We configured the system for forms-based login, but pitfalls, such as complex Web page redirections and problematic communication between the COM API and our LDAP server, slowed the process.
AssureAccess has forgone the traditional client-management tool and ships with a Web-based management tool only. Not surprisingly, the management tool was nearly as disorganized as the installation procedure. Even with its handful of useful configuration options and policy builders, the tool has a patchwork feel. For example, page navigation disappears from page to page, which makes administration confusing. Other options are good but somewhat obscure. For example, we saw several instances where LDAP syntax could have been replaced with a more user-friendly interface. Program developers would find these features more helpful than administrators would.
We found a number of useful prepackaged access rules, such as time-date validation, client IP validation and authentication-method validation. For example, we could set up a rule that restricted access to our Web administration pages to normal business hours. AssureAccess also lets administrators add customized Java classes for rule validation. We looked for a user-administration tool in the Web GUI and found a poor one buried in the LDAP configuration pages. Entegrity says AssureAccess was not designed for user administration, since most LDAP servers bundle sophisticated user-management GUIs. This is surprising for a product in the user-authentication and -authorization market.
AssureAccess uses an architecture that distributes some of the traffic from the directory/policy server to the Web server. When the AssureAccess Web server component starts, it requests a list of policies for resources on the server from the central AssureAccess management server (which in turn retrieves the list from the LDAP repository). During authentication, a session identifier is generated on the AssureAccess authentication server and sent back to the client as a 256-bit encoded cookie. We liked this technique because the encoded cookie acts only as a lookup key and does not contain any user information, so it's useless if intercepted.
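The lookup-key design described above, as an added Python example that is not AssureAccess code: the cookie is 256 random bits and every user attribute stays in a server-side table. The cookie discloses no user data, but the server resolves whoever presents it to the session until expiry or revocation, so the example enforces both. `SessionStore`, `SESSION_TTL`, the 15-minute lifetime and the hashed table key are assumptions made for illustration.

```python
import base64
import hashlib
import secrets
import time

SESSION_TTL = 900  # seconds; assumed value, the review does not give a lifetime


class SessionStore:
    """Server-side session table keyed by a hash of the opaque cookie value."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock

    @staticmethod
    def _key(cookie):
        # Store only a digest so a dump of the table does not yield usable cookies.
        return hashlib.sha256(cookie.encode("ascii")).hexdigest()

    def create(self, user, auth_method):
        # 32 bytes from the OS CSPRNG = 256 bits; the cookie holds nothing else.
        cookie = base64.urlsafe_b64encode(secrets.token_bytes(32)).decode("ascii")
        self._sessions[self._key(cookie)] = {
            "user": user,
            "auth_method": auth_method,
            "expires": self._clock() + SESSION_TTL,
        }
        return cookie

    def lookup(self, cookie):
        """Return the session record, or None if unknown, malformed or expired."""
        try:
            key = self._key(cookie)
        except (UnicodeEncodeError, AttributeError):
            return None
        record = self._sessions.get(key)
        if record is None:
            return None
        if self._clock() >= record["expires"]:
            del self._sessions[key]  # expired ids are purged on first use
            return None
        return record

    def revoke(self, cookie):
        """Logout: drop the server-side record so the cookie stops resolving."""
        return self._sessions.pop(self._key(cookie), None) is not None
```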
Opening performance numbers were promising, but the transactions per second steadily dropped while average response time climbed past 40 seconds. An Entegrity Systems engineer recommended and assisted us with a configuration using a COM API to process logins. When we pushed the test to 2,400 users, we saw about 20 percent of the connections fail across all three Web servers. We found it interesting that CPU usage on all servers never exceeded 50 percent, though CPU usage for all the other products consistently exceeded 50 percent for the duration of the tests. AssureAccess caches user profiles on individual Web servers to improve performance during each session, but the caching didn't seem to help.
AssureAccess 1.2, $15,000 (up to 1,000 users) to $45,000 (unlimited users on a server). Entegrity Solutions, (408) 487-8600; fax (408) 487-8610.
www.entegrity.com