Introduction: Security

Explore the key concepts pertaining to securing applications and their environment. WebSphere Application Server is an integral part of the multiple-tier enterprise computing framework. Based on open architecture, WebSphere Application Server provides many plug-in points to integrate with enterprise software components to provide end-to-end security. Security infrastructure and mechanisms protect Java 2 Platform, Enterprise Edition (J2EE) resources and administrative resources, addressing your enterprise security requirements.

Global security
Administrative security determines whether security is used at all, the type of registry against which authentication takes place, and other values, many of which act as defaults. Proper planning is required because incorrectly enabling administrative security can lock you out of the administrative console or cause the server to abend.
Java 2 security
Java 2 security provides a policy-based, fine-grain access control mechanism that increases overall system integrity by checking for permissions before allowing access to certain protected system resources. Java 2 security guards access to system resources such as file I/O, sockets, and properties. Java 2 Platform, Enterprise Edition (J2EE) security guards access to Web resources such as servlets, JavaServer Pages (JSP) files and Enterprise JavaBeans (EJB) methods.
User registries
WebSphere Application Server provides implementations that support multiple types of registries and repositories, including the local operating system registry, a standalone Lightweight Directory Access Protocol (LDAP) registry, and a standalone custom registry.
Local operating system user registries
With the registry implementation for the local operating system, the WebSphere Application Server authentication mechanism can use the user accounts database of the local operating system.
Authentication mechanisms
An authentication mechanism defines rules about security information, for example, whether a credential is forwardable to another Java process, and the format of how security information is stored in both credentials and tokens.
Lightweight Directory Access Protocol user registries
WebSphere Application Server security provides and supports the implementation of most major LDAP directory servers, which can act as the repository for user and group information.
Authentication protocol for EJB security
You can choose from two authentication protocols: z/OS Secure Authentication Service (z/SAS) and Common Secure Interoperability Version 2 (CSIv2).
Authorization technology
Authorization information determines whether a user or group has the necessary privileges to access resources.
Java Authentication and Authorization Service
The Java Authentication and Authorization Service (JAAS) is a standard Java API that extends Java 2 security authorization so that access decisions are based on the principal (the user) as well as the code base.
Secure Sockets Layer
The Secure Sockets Layer (SSL) protocol provides transport layer security with authenticity, integrity, and confidentiality, for a secure connection between a client and server in WebSphere Application Server. The protocol runs above TCP/IP and below application protocols such as Hypertext Transfer Protocol (HTTP), Lightweight Directory Access Protocol (LDAP), and Internet Inter-ORB Protocol (IIOP), and provides trust and privacy for the transport data.
WebSphere Application Server Version 6.0.x servers support the CSIv2 and SAS authentication protocols.
Identity mapping
Identity mapping is a one-to-one mapping of a user identity between two servers so that the proper authorization decisions are made by downstream servers. Identity mapping is necessary when the integration of servers is needed, but the user registries are different and not shared between the systems.
Plug point for custom password encryption
A plug point for custom password encryption can be created to encrypt and decrypt all passwords in WebSphere Application Server that are currently encoded or decoded using Base64-encoding.
Secure transports with JSSE and JCE programming interfaces
This topic provides detailed information about transport security using Java Secure Socket Extension (JSSE) and Java Cryptography Extension (JCE) programming interfaces. Within this topic, there is a description of the IBM version of the Java Cryptography Extension Federal Information Processing Standard (IBMJCEFIPS).
Web component security
You can develop a Web module and enforce security at the method level of each Web resource.
Security role references
Web application developers or EJB providers that use the available programmatic security J2EE APIs, isUserInRole(String roleName) or isCallerInRole(String roleName), use a role-name in the code.
UDDI registry security and UDDI registry settings
In addition to the configuration of UDDI registry security, there are a number of other UDDI registry settings that can affect the behavior of the UDDI registry. Some of these settings are security specific; others are points to bear in mind when configuring security.
J2EE connector security
The J2EE connector architecture defines a standard architecture for connecting the Java 2 Platform, Enterprise Edition (J2EE) to heterogeneous enterprise information systems (EIS).
Asynchronous messaging - security considerations
This topic describes considerations that you should be aware of if you want to use security for asynchronous messaging with WebSphere Application Server.



Related information
Overview and new features for securing applications and their environment

Last updated: Aug 29, 2010 5:25:00 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=vela&product=was-base-dist&topic=welc6tech_sec_intro
File name: welc6tech_sec_intro.html