Session security support

You can integrate HTTP sessions and security in IBM WebSphere Application Server. When security integration is enabled in the session management facility and a session is accessed in a protected resource, you can access that session only in protected resources from then on. You cannot mix secured and unsecured resources accessing sessions when security integration is turned on. Security integration in the session management facility is not supported in form-based login with SWAM.

Security integration rules for HTTP sessions

Only authenticated users can access sessions created in secured pages and are created under the identity of the authenticated user. Only this authenticated user can access these sessions in other secured pages. To protect these sessions from unauthorized users, you cannot access them from an unsecure page.

Programmatic details and scenarios

IBM WebSphere Application Server maintains the security of individual sessions.

An identity or user name, readable by the com.ibm.websphere.servlet.session.IBMSession interface, is associated with a session. An unauthenticated identity is denoted by the user name anonymous. IBM WebSphere Application Server includes the com.ibm.websphere.servlet.session.UnauthorizedSessionRequestException class, which is used when a session is requested without the necessary credentials.

The session management facility uses the WebSphere Application Server security infrastructure to determine the authenticated identity associated with a client HTTP request that either retrieves or creates a session. WebSphere Application Server security determines identity using certificates, LPTA, and other methods.

After obtaining the identity of the current request, the session management facility determines whether to return the session requested using a getSession method call or not.

The following table lists possible scenarios in which security integration is enabled with outcomes dependent on whether the HTTP request is authenticated and whether a valid session ID and user name was passed to the session management facility.

  Unauthenticated HTTP request is used to retrieve a session HTTP request is authenticated, with an identity of "FRED" used to retrieve a session
No session ID was passed in for this request, or the ID is for a session that is no longer valid A new session is created. The user name is anonymous A new session is created. The user name is FRED
A session ID for a valid session is passed in. The current session user name is "anonymous" The session is returned. The session is returned. Session Management changes the user name to FRED
A session ID for a valid session is passed in. The current session user name is FRED The session is not returned. An UnauthorizedSessionRequest Exception error is thrown* The session is returned.
A session ID for a valid session is passed in. The current session user name is BOB The session is not returned. An UnauthorizedSessionRequestException error is thrown* The session is not returned. An UnauthorizedSessionRequestException error is thrown*


* A com.ibm.websphere.servlet.session.UnauthorizedSessionRequestException error is thrown to the servlet.


Related concepts
Session management support
Related tasks
Managing HTTP sessions



Searchable topic ID:   rpersecg
Last updated: Jun 21, 2007 9:56:50 PM CDT    WebSphere Application Server for z/OS, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.websphere.zseries.doc/info/zseries/ae/rprs_secg.html

Library | Support | Terms of Use | Feedback