6.6.18.7: Protecting individual application components and methods

Protecting enterprise beans after redeployment

Security is not automatically updated when changes are made to a bean. You must redeploy the resource security in order for the method groups to pick up the changes to the bean.

Adding a method to a bean

If you add a method to a bean, you must go back into resource security and associate the new method with a method group.

Modifying a method on a bean

If you modify a method on a bean, you must resecure the bean as follows:

  1. Delete the method group for the bean.
  2. Click Finish.
  3. Re-associate the method group with the modified method.

Unprotecting resources

Resources protected under WebSphere can be unprotected, if necessary. Depending on the resources and how they are configured into applications, the techniques for removing security differ. This file describes how to remove security in the following situations:

  • All resources associated with an enterprise application
  • A particular bean associated with an enterprise application
  • All URIs associated with a web application
  • A particular URI associated with a web application

Unprotecting all resources associated with an enterprise application

If you want to remove protection from all the resources associated with an enterprise application, the most efficient approach is to unprotect the application itself. For example, if you have granted the permissions associated with the application ("application-methodgroup" pairs) to a specific user, to a group, or to all authenticated users, the resources are considered protected. To unprotect these resources, grant those permissions to "Everyone". By granting the permissions to Everyone, a user need not be authenticated to access the resources under that application.

Unprotecting an enterprise bean associated with an enterprise application

If you want to remove protection from a specific bean (or set of beans) associated with an application while maintaining the security on the other resources in the application, remove the bean (or beans) from the application and create a new application that is explicitly unprotected.

When you remove beans from the application, the security configuration associated with the application no longer applies to them. However, enterprise beans are protected unless security policies to the contrary are specified. To completely unsecure them, you need to create a new application consisting of the beans to be unsecured. After performing security configuration steps, grant the permissions associated with the new application to "Everyone." This is equivalent to unprotecting all the resources associated with the new application.

To remove resources from a secured enterprise application, use the "Edit Enterprise Application" task. On the last panel, you can remove resources associated with the application. Use it to remove the desired beans.

Unprotecting all URIs associated with a web application

If you want to remove protection from a web application (including all associated URIs) while maintaining the security on the other resources in the enterprise application, remove the web application (or applications) from the enterprise application.

To remove resources from a secured enterprise application, use the "Edit Enterprise Application" task. On the last panel, you can remove resources associated with the application. Use it to remove the desired web applications.

Unprotecting specific URIs

If you want to remove protection from specific URIs in a web application, remove the method-group configuration for the URIs. Use the "Configure Security Method Groups" task and select the URI you want to unprotect. After the URI is selected, proceed to the next screen, where you view the classification of methods into method groups. For example, the HTTP_GET method may belong to the ReadMethods method group. Select the method groups associated with the methods you want to unprotect and remove them. This eliminates the association between a method group and a URI, leaving the URI unprotected. Because web resources are unprotected by default, no authentication is required to access them.

Protecting individual JSP files

This file describes the steps necessary for selectively protecting JSP files, that is, how to protect individual JSP files based on their Web paths (URIs) when you do not want to apply the same protection to all the JSP files in the system.

Note that the instructions for adding a JSP Web path to a web application advise you to use the "Add a JSP or a web resource" task wizard in the administrative console. This action adds the JSP Web path, not the actual JSP file, to the Web application. But when you follow the configuration steps to protect a JSP Web path, the Web path is not treated as part of the Web application; instead, it is treated as a Web server resource. Therefore, security does not work as intended.

The following procedure will be needed until product defect number 88065 is addressed. Check the "fixed defects" list accompanying IBM WebSphere Application Server fix packs to ascertain whether a given fix pack has addressed the defect.

To protect individual JSP files using WebSphere security, follow these steps:

  1. If you used the "Add a JSP or web resource" task to introduce a new JSP Web path and associate it with Web applications, remove all of those Web paths.
  2. Start the WebSphere administrative console.
  3. Select the Topology view.
  4. Expand the Topology tree to show the node, application server, and servlet engine containing the Web application to which you want to add the JSP.
  5. Select the JSP processor servlet in that Web application.
  6. In the list of Web paths, locate:
    /default_host/<webapp-path>/*.jsp
    where default_host is the default virtual host or one that you have created, and <webapp-path> is the path to the Web application.
  7. Click "Add" to add to the Web path list.
  8. Enter the JSP Web path (URI) that you want to protect, such as:
    /default_host/<webapp-path>/toBeProtected.jsp
    If you have multiple files to protect, enter the URI for each one.
  9. Apply your changes.
  10. Follow the resource security configuration steps to protect these newly added JSP files.
  11. Restart the application server hosting the Web application and JSP files.
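The protection rules stated above (web resources unprotected by default, enterprise beans protected unless their permissions are granted to "Everyone", new bean methods needing a method-group association, and JSP Web paths of the form /default_host/<webapp-path>/name.jsp) can be checked mechanically. The following audit is an added example, not IBM code or console output; every application, bean, URI, method group and principal name in it is constructed, and the JSP path check assumes the `*.jsp` entry covers direct children of the Web application path only.

```python
# Added example, not IBM code: audit which methods are reachable without
# authentication under the method-group model described above. All
# application, bean, URI and principal names are constructed.
from collections import namedtuple

EVERYONE = "Everyone"  # granting a permission to Everyone unprotects it
# methods: {method name: method group, or None when no group is associated}
Resource = namedtuple("Resource", "name kind app methods")  # kind: "ejb" | "uri"

def anonymous_access(res, grants):
    """Return {method: True} for methods that need no authentication.
    grants maps (application, method_group) -> set of principals.
    A web URI with no method-group association is unprotected by default;
    an enterprise bean stays protected unless the permission goes to Everyone."""
    verdict = {}
    for method, group in res.methods.items():
        if group is None:
            verdict[method] = res.kind == "uri"
        else:
            verdict[method] = EVERYONE in grants.get((res.app, group), set())
    return verdict

def unassociated_methods(res):
    """Methods still lacking a method group, e.g. ones added after deployment."""
    return sorted(m for m, g in res.methods.items() if g is None)

def jsp_path_under_webapp(path, virtual_host, webapp_path):
    """True if path has the form /<virtual_host>/<webapp_path>/<name>.jsp, the shape
    covered by the JSP processor's /<host>/<webapp>/*.jsp entry (assumes direct children)."""
    prefix = f"/{virtual_host}/{webapp_path.strip('/')}/"
    rest = path[len(prefix):] if path.startswith(prefix) else ""
    return rest.endswith(".jsp") and len(rest) > 4 and "/" not in rest

# Constructed sample configuration: (application, method group) -> principals
GRANTS = {
    ("PayrollApp", "ReadMethods"): {"AllAuthenticatedUsers"},
    ("PayrollApp", "WriteMethods"): {"payroll-admins"},
    ("PublicApp", "ReadMethods"): {EVERYONE},  # the explicitly unprotected application
}
RESOURCES = [
    Resource("PayrollBean", "ejb", "PayrollApp",
             {"getSalary": "ReadMethods", "setSalary": "WriteMethods", "newMethod": None}),
    Resource("/default_host/payroll/report.jsp", "uri", "PayrollApp", {"HTTP_GET": "ReadMethods"}),
    Resource("/default_host/payroll/help.jsp", "uri", "PayrollApp", {"HTTP_GET": None}),
    Resource("CatalogBean", "ejb", "PublicApp", {"list": "ReadMethods"}),
]

def audit(resources=RESOURCES, grants=GRANTS):
    """Map each resource name to its per-method anonymous-access verdict."""
    return {r.name: anonymous_access(r, grants) for r in resources}
```

Running `audit()` flags help.jsp as reachable anonymously (no method group) while PayrollBean's unassociated `newMethod` stays protected but is reported by `unassociated_methods` as needing a method group after redeployment.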
