Security in your Software-as-a-Service (SAAS) Application

‘Credit Crunch’ might be the favourite buzzword of the moment, but ‘Security’ and ‘Software as a Service’ are not very far behind. Ok, they’re a long way behind ‘will I lose my house’ or ‘will I have a job tomorrow’, but you get the idea. So I’m proud to be associated with this article by Max and Chicco, even in a very minor way (as a reviewer).


Here’s the 2-minute overview of Securing a multi-tenant SAAS Application, just published on IBM Developerworks.

  1. Software as a Service (SAAS) has a great pitch: let us host your software for you, cheaper and with less hassle than managing it yourself.
  2. Most SAAS companies host multiple clients on one server, which brings new security concerns.
  3. LDAP (Similar to Windows Directory) is a standard already in wide use for Authentication (making sure people are who they say they are).
  4. Spring Security (aka Acegi) is a widely used Authorisation toolkit, i.e. it makes sure those people only do things they are allowed to do.
  5. The article shows you how to bring SAAS, LDAP and Spring Security together to get secure, scalable, hosted applications using the very best in widely understood technologies.
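
To make points 2 to 4 concrete, here is an added illustration (my own sketch for this post, not the code from Max and Chicco’s article, which does things its own way) of what LDAP authentication plus Spring Security authorisation looks like when more than one client shares a server. It uses the Spring Security 5.x Java configuration style rather than the Acegi-era XML. Everything about the directory layout is assumed: users under `uid={0},ou=people`, one group per tenant named `cn=tenant_<name>,ou=groups`, a hypothetical directory host, and tenant pages served under `/tenant/{tenant}/**`.

```java
// Added illustrative example, not from the DeveloperWorks article.
// Assumed (hypothetical) directory layout:
//   users:  uid=<login>,ou=people,dc=example,dc=org
//   groups: cn=tenant_<name>,ou=groups,dc=example,dc=org   (member=<user DN>)
//   admins: cn=platform_admin,ou=groups,dc=example,dc=org
package example.saas.security;

import java.util.Locale;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

@Configuration
@EnableWebSecurity
public class MultiTenantSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Authentication (point 3): Spring binds to the directory as the user, so the
        // application never stores or compares passwords itself. The default authorities
        // populator turns each group the user is a member of into ROLE_<CN in upper case>,
        // so membership of cn=tenant_acme yields the authority ROLE_TENANT_ACME.
        auth.ldapAuthentication()
            .userDnPatterns("uid={0},ou=people")
            .groupSearchBase("ou=groups")
            .groupSearchFilter("(member={0})")
            .contextSource()
                .url("ldap://directory.internal:389/dc=example,dc=org"); // hypothetical host
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Authorisation (point 4): a successful login is not enough on a shared server
        // (point 2). Every tenant URL is additionally gated by tenantGuard, so a user of
        // tenant "acme" who requests /tenant/globex/... is refused even though they are
        // a perfectly valid directory user.
        http.authorizeRequests()
            .antMatchers("/admin/**").hasRole("PLATFORM_ADMIN")
            .antMatchers("/tenant/{tenant}/**")
                .access("@tenantGuard.allowed(authentication, #tenant)")
            .anyRequest().authenticated()
            .and()
            .formLogin();
    }

    @Bean("tenantGuard")
    public TenantGuard tenantGuard() {
        return new TenantGuard();
    }

    /** Decides tenant access purely from group-derived authorities, never from request input. */
    public static class TenantGuard {
        public boolean allowed(Authentication authentication, String tenant) {
            if (authentication == null || tenant == null || tenant.isEmpty()) {
                return false;
            }
            String required = "ROLE_TENANT_" + tenant.toUpperCase(Locale.ROOT);
            for (GrantedAuthority authority : authentication.getAuthorities()) {
                if (required.equals(authority.getAuthority())) {
                    return true;
                }
            }
            return false;
        }
    }
}
```

The design point worth noticing is where the tenant comes from: it is taken from the directory group the administrator placed the user in, not from anything the browser sends. Moving a user between tenants, or revoking their access, is then a directory change that takes effect on the next login, with no application deployment.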

Of course, I’m not going to spill the beans on how exactly they do it; for that you’re going to have to hotfoot it over to the IBM Developerworks website.


  1. honk · October 12, 2008

    “LDAP (Similar to Windows Directory)” Are you serious?

  2. Paul Browne · October 12, 2008


    At a superficial level (in the same way a Ferrari is similar to a Ford) yes.

    Both provide tree-like structures for the retrieval of (user) information. Windows Directory (what you are usually checked against when you log in to your PC in a corporate environment) implements the LDAP standard, so can be a provider of this information should you choose. The article uses Apache Directory, so feel free to comment on which you think is best, and why!


  3. Adam Monsen · October 14, 2008

    Nice! Chico and Max did a great job. I’m also interested in using OpenID for authentication in SaaS offerings. LDAP could still be involved in some way, I suppose, say for grouping or roles or something similar.

  4. Paul Browne · October 14, 2008

    Adam – I’ve just realized that the new theme on this blog is exactly the same as yours. Sorry about that.

    Had the pleasure of working with Max and Chicco in a previous life. They had to put up with 3 months of ‘why don’t you write an article about that’ and instead of ignoring me (as most people do when I say that) they actually spent the time to put the article together.


  5. John O'Neill · November 3, 2008

    “LDAP (Similar to Windows Directory)”
    “in the same way a Ferrari is similar to a Ford”
    I believe here we are comparing a brand new top of the range Ferrari with an older, entry level Ford model which requires some tinkering under the hood to gain MOT status!
