4.4.1.1.3: Securing sessions

HTTP sessions and security are integrated in IBM WebSphere Application Server. When WebSphere security is enabled, all resources from which a given session is created or accessed must be either all secured or all unsecured; you cannot mix secured and unsecured resources for the same session. In practice this means that a session created by an unprotected resource must not later be used from a protected one, and vice versa.

Security integration rules for HTTP sessions
Programmatic details and scenarios

IBM WebSphere Application Server maintains the security of individual sessions. An identity (user name) is associated with each session and can be read through the com.ibm.websphere.servlet.session.IBMSession interface. An unauthenticated identity is denoted by the user name "anonymous". IBM WebSphere Application Server also provides the com.ibm.websphere.servlet.session.UnauthorizedSessionRequestException exception, which is raised when a session is requested without credentials that match the identity associated with it.

The Session Manager uses the WebSphere security infrastructure to determine the authenticated identity associated with a client HTTP request that retrieves or creates a session. WebSphere security determines that identity using certificates, LTPA tokens, and other methods. Having obtained the identity of the current request, the Session Manager decides whether the session requested by a getSession() call may be returned to that request.

To turn off the association of user identity with a session, set the following Java system property on the application server JVM (for example, -DHttpSessionSecurity=false in the server's JVM arguments):

HttpSessionSecurity=false

With this property set, the identity checks described below are not performed and any client that presents a valid session ID receives that session regardless of who is authenticated, so leave the default in place unless you have a specific reason not to.

The following table lists possible scenarios whose outcome depends on whether the HTTP request was authenticated and whether a valid session ID and user name were passed to the Session Manager.
* UnauthorizedSessionRequestException is written to the application server error log. If getSession(true) was specified in the servlet, a new session is created using the current authenticated name instead of the requested one.
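The following servlet is an added example and is not code from the InfoCenter page or from IBM. It shows the programmatic side of the rules above: reading the identity the Session Manager associated with a session through IBMSession.getUserName(), handling UnauthorizedSessionRequestException, and adding a fail-closed check that the session's owner and the request's authentication state agree. It assumes the WebSphere API classes (com.ibm.websphere.servlet.session.*) and the Servlet API are on the classpath, and that for getSession(false) the exception propagates to the servlet (the footnote above describes only the getSession(true) case, where a new session is created). The class and method names are the example's own.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import com.ibm.websphere.servlet.session.IBMSession;
import com.ibm.websphere.servlet.session.UnauthorizedSessionRequestException;

/**
 * Added example, not code from the InfoCenter page: reads the identity the
 * Session Manager recorded for a session and handles the exception raised
 * when a session is requested with the wrong credentials.
 */
public class SessionOwnerCheckServlet extends HttpServlet {

    /** User name the Session Manager records for sessions created by unauthenticated requests. */
    static final String ANONYMOUS = "anonymous";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session;
        try {
            // getSession(false) only retrieves the session whose ID the client presented
            // and never creates one. With security integration on, the Session Manager
            // compares the request's authenticated identity with the session's owner
            // before handing it back. Assumption: for getSession(false) the exception
            // reaches the servlet rather than being swallowed.
            session = req.getSession(false);
        } catch (UnauthorizedSessionRequestException e) {
            // The presented session ID belongs to another identity. The server already
            // writes this to its error log; refuse the request rather than continuing.
            log("session request rejected for " + requesterName(req), e);
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        if (session == null) {
            // No valid session was presented: create one. Its owner becomes the current
            // identity (the authenticated user name, or "anonymous").
            session = req.getSession(true);
        }

        String owner = sessionOwner(session);
        boolean ownerAuthenticated = !ANONYMOUS.equals(owner);
        boolean requestAuthenticated = req.getRemoteUser() != null;

        // Defence in depth. A mismatch here means the session is being shared between a
        // secured and an unsecured resource (which the page says must not be mixed) or
        // security integration has been switched off with HttpSessionSecurity=false.
        // A mismatch between two different authenticated users is the Session Manager's
        // job and surfaces as the exception handled above.
        if (ownerAuthenticated != requestAuthenticated) {
            log("session owner '" + owner + "' does not match request identity '"
                    + requesterName(req) + "'; invalidating session");
            session.invalidate();
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        resp.setContentType("text/plain");
        resp.getWriter().println("session owned by " + owner);
    }

    /** Identity the Session Manager recorded for the session, via IBMSession.getUserName(). */
    static String sessionOwner(HttpSession session) throws ServletException {
        if (!(session instanceof IBMSession)) {
            // Not a WebSphere session object (for example, a wrapper inserted by a filter),
            // so the owner cannot be verified: fail closed.
            throw new ServletException("session does not implement IBMSession; cannot verify owner");
        }
        return ((IBMSession) session).getUserName();
    }

    /** Authenticated user name of the request, or "anonymous" when it has none. */
    static String requesterName(HttpServletRequest req) {
        String user = req.getRemoteUser();
        return user == null ? ANONYMOUS : user;
    }
}
```

The check deliberately compares only authenticated versus anonymous rather than comparing getRemoteUser() with getUserName() for equality, because the two strings need not use the same form of the user name; the Session Manager, not the servlet, is the component that enforces that two different authenticated users cannot share a session. Session IDs are kept out of the log lines so the log itself does not become a source of valid session identifiers.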