5.1.1: Security features

This section briefly describes some of the features of WebSphere Application Server that you can use to secure your applications.

The security system has two facets. First, administrators define security policies that control access to resources; these policies tell WebSphere Application Server how security is to be handled. Second, the security system provides built-in security services that enforce those policies at run time.

The IBM WebSphere Application Server security system provides a number of features, including the following:

Authentication policies and services
Authentication is the process of verifying that users are who they say they are. You can indicate how you want WebSphere Application Server to verify the identity of users who try to access your resources. You can choose a supported directory service, the operating system registry, or a custom registry to verify the identity of users and groups.
Authorization policies and services
Authorization is the process of determining what a user is allowed to do with a resource. You can specify policies that give different users differing levels of access to your resources. If you define authorization policies, WebSphere Application Server will enforce them for you.
Delegation policies
Delegation allows an intermediary to do work initiated by a client under an identity chosen according to the associated delegation policy. Enforcement of a delegation policy therefore affects the identity under which the intermediary performs downstream invocations, that is, the calls it makes to complete the current request. By default the intermediary makes downstream requests with the client's credentials; other choices are also possible. In every case the downstream resources do not know the identity of the intermediary itself; they see only the identity under which the intermediary is operating, and they make their own authorization decisions against that identity. There are three possibilities for the identity under which the intermediary operates when making downstream requests:
  • The client's identity (default)
  • Its own identity
  • An identity specified by configuration
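The following added example (not code from the InfoCenter page or from WebSphere itself) models the three delegation choices as a small simulation, so that the consequence for downstream authorization is visible. The resource names, identities and access lists are constructed for the example. The security point it shows is the one a practitioner should weigh: when the intermediary runs downstream as its own identity or as a configured identity, the downstream resource can no longer tell whether the originating client was authorized, so the intermediary must perform that check itself before delegating.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample access lists (not real WebSphere configuration).
# The downstream resource only knows the identity carried on the request.
DOWNSTREAM_ACL = {"payroll-db": {"hr_manager", "PayrollService", "payroll_batch"}}
# What the intermediary itself is willing to do on behalf of a given client.
INTERMEDIARY_ACL = {"payroll-db": {"hr_manager"}}


@dataclass
class DelegationPolicy:
    mode: str                      # "client" (default), "self", or "specified"
    specified: Optional[str] = None  # only used when mode == "specified"


def identity_for_downstream(client: str, intermediary: str, policy: DelegationPolicy) -> str:
    """Return the identity the intermediary presents on its downstream call."""
    if policy.mode == "client":
        return client
    if policy.mode == "self":
        return intermediary
    if policy.mode == "specified":
        if not policy.specified:
            raise ValueError("'specified' mode requires an identity")
        return policy.specified
    raise ValueError(f"unknown delegation mode {policy.mode!r}")


def downstream_call(resource: str, caller_identity: str) -> bool:
    """Downstream authorization: decided purely on the identity it sees."""
    return caller_identity in DOWNSTREAM_ACL.get(resource, set())


def intermediary_invoke(client: str, resource: str, policy: DelegationPolicy,
                        intermediary: str = "PayrollService",
                        check_client_locally: bool = False) -> bool:
    """Intermediary handles a client request and completes it with a downstream call.

    With check_client_locally=False the intermediary relies entirely on the
    downstream resource to authorize; with "self"/"specified" delegation that
    check is made against the delegated identity, not the client, so an
    unauthorized client is waved through. check_client_locally=True closes that gap.
    """
    if check_client_locally and client not in INTERMEDIARY_ACL.get(resource, set()):
        return False
    downstream_identity = identity_for_downstream(client, intermediary, policy)
    return downstream_call(resource, downstream_identity)


if __name__ == "__main__":
    for mode in ("client", "self", "specified"):
        policy = DelegationPolicy(mode, "payroll_batch" if mode == "specified" else None)
        print(mode, "intern allowed:", intermediary_invoke("intern", "payroll-db", policy),
              "| with local check:", intermediary_invoke("intern", "payroll-db", policy,
                                                        check_client_locally=True))
```

Run stand-alone it prints one line per mode; "intern" is refused only under the default client-identity policy unless the intermediary adds its own check.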
A unified security administration model
The different components of WebSphere Application Server use the same model for security, so after you learn how to set up security for one type of resource, you can apply that knowledge to other resources. Enterprise beans, servlets, JSP files, and Web pages are all administered similarly in terms of security. You can combine all of these resources into an application for which you also establish security.
Single sign-on support
Application Server supports third-party authentication, a mechanism for achieving single sign-on across the Internet domain that contains your resources. You can use single sign-on to allow users to log on once per session rather than requiring them to log on to each resource or application separately.
Password encoding in configuration files
Several of the WebSphere configuration files contain user IDs and passwords. These are needed at run time to access external secure resources such as databases. Passwords are encoded, not encrypted, to deter casual observation of sensitive information. Password encoding combined with proper operating system file system security is intended to protect the passwords stored in these files.
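The page does not spell out the encoding, so the following is an added example, not code from the InfoCenter page or from WebSphere. It assumes the scheme used by WebSphere's PropFilePasswordEncoder tool: each byte of the password is XORed with the character "_" (0x5F), the result is base64-encoded and prefixed with "{xor}". The point it demonstrates is the caveat in the paragraph above: an encoded value is reversible by anyone who can read the file, so the real control is the file permission, which the last function checks. The properties fragment in the block is constructed for the example.

```python
import base64
import os
import stat

XOR_KEY = ord("_")   # 0x5F: the fixed key the {xor} scheme is assumed to use
PREFIX = "{xor}"


def encode_password(plain: str) -> str:
    """Produce a {xor}-style encoded value. This is obfuscation, not encryption."""
    xored = bytes(b ^ XOR_KEY for b in plain.encode("utf-8"))
    return PREFIX + base64.b64encode(xored).decode("ascii")


def decode_password(encoded: str) -> str:
    """Reverse the encoding; needs no secret, which is the whole caveat."""
    if not encoded.startswith(PREFIX):
        raise ValueError("not a {xor}-encoded value")
    xored = base64.b64decode(encoded[len(PREFIX):])
    return bytes(b ^ XOR_KEY for b in xored).decode("utf-8")


# Constructed sample of a properties-style configuration fragment (not a real WebSphere file).
SAMPLE_PROPERTIES = """\
# constructed sample
db.user=dbadmin
db.password={xor}Lz4sLCgwLTs=
ldap.bindPassword={xor}PjsyNjE=
"""


def find_recoverable_passwords(text: str) -> dict:
    """Return {key: plaintext} for every {xor}-encoded value in a properties text.

    Running this over a readable configuration file is exactly what an attacker
    with file access would do, so it doubles as an audit of what that file exposes.
    """
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if value.startswith(PREFIX):
            found[key.strip()] = decode_password(value)
    return found


def mode_is_adequately_protected(mode: int) -> bool:
    """POSIX check: no group or other read permission on a file holding encoded passwords."""
    return stat.S_IMODE(mode) & (stat.S_IRGRP | stat.S_IROTH) == 0


def file_is_adequately_protected(path: str) -> bool:
    """Apply the permission check to an actual file on disk."""
    return mode_is_adequately_protected(os.stat(path).st_mode)


if __name__ == "__main__":
    for key, plain in find_recoverable_passwords(SAMPLE_PROPERTIES).items():
        print(f"{key}: recovered {plain!r}")
    print("0600 ok:", mode_is_adequately_protected(0o600), "| 0644 ok:", mode_is_adequately_protected(0o644))
```

Decoding needs nothing beyond the file contents, so treat every configuration file that carries an encoded password with the same file-system permissions you would apply to a plaintext one.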

Go to previous article: Security components Go to next article: Authentication model

 

 
Go to previous article: Security components Go to next article: Authentication model