WebSphere Application Server - Express, Version 6.0.x Operating Systems: AIX, HP-UX, Linux, Solaris, Windows

Securing applications and their environment


This section discusses all aspects of security.

Part of your security framework
WebSphere Application Server plays an integral part in the multiple-tier enterprise computing framework. Based on an open architecture, WebSphere Application Server provides many plug-in points for integrating with enterprise software components to provide end-to-end security.

Product security
Security infrastructure and mechanisms protect Java 2 Platform, Enterprise Edition (J2EE) resources and administrative resources, addressing your enterprise security requirements.

Securing applications and their environments
WebSphere Application Server supports the J2EE model for creating, assembling, securing, and deploying applications. This article provides a high-level description of what is involved in securing resources in a J2EE environment. Applications are often created, assembled and deployed in different phases and by different teams.
Integrating IBM WebSphere Application Server security with existing security systems
WebSphere Application Server plays an integral part in the multiple-tier enterprise computing framework. WebSphere Application Server adopts the open architecture paradigm and provides many plug-in points to integrate with enterprise software components to provide end-to-end security. WebSphere Application Server plug-in points are based on standard J2EE specifications wherever applicable. The WebSphere Application Server development team is actively involved in various standards bodies to externalize and to standardize plug-in interfaces.
Planning to secure your environment
There are several communication links from a browser on the Internet, through Web servers and product servers, to the enterprise data at the back end. This section examines some typical configurations and common security practices. WebSphere Application Server security is built on a layered security architecture, as shown in the figure in that section. The section also examines the protection that each security layer offers and the common security practices that provide good quality of protection end to end.
Implementing security considerations at installation time
Complete these tasks to implement security before, during, and after installing WebSphere Application Server.
Migrating security configurations from previous releases
This article describes how to migrate your security configurations from a previous release of IBM WebSphere Application Server to WebSphere Application Server, Version 6.
Developing secured applications
IBM WebSphere Application Server provides security components that provide or collaborate with other services to provide authentication, authorization, delegation, and data protection. WebSphere Application Server also supports the security features described in the Java 2 Platform, Enterprise Edition (J2EE) specification.
Assembling secured applications
There are several assembly tools that are graphical user interfaces for assembling enterprise (J2EE) applications. You can use these tools to assemble an application and secure the EJB and Web modules in that application. An EJB module consists of one or more beans; you can enforce security at the EJB method level. A Web module consists of one or more Web resources (an HTML page, a JSP file, or a servlet); you can enforce security for each Web resource. You can use an assembly tool to secure an EJB module (Java archive (JAR) file), a Web module (Web archive (WAR) file), or an application (enterprise archive (EAR) file). You can create an application, an EJB module, or a Web module and secure them using an assembly tool or development tools such as IBM Rational Application Developer.
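What the assembly tools write for a Web module is the standard J2EE deployment descriptor. The following web.xml is an added example, not a file from the original page or from the product: the servlet classes, URL patterns, page names and the roles "customer" and "auditor" are assumptions chosen for illustration. It shows the three things an assembler sets for a Web module: which URLs require which role and must arrive over SSL, how users log in, and which roles the module declares (the EJB-side equivalent is a method-permission element in ejb-jar.xml, which uses the same role names).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example web.xml for a Web module (WAR) deployed on WebSphere Application
     Server 6.0, which supports Servlet 2.4. All names below are assumed. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <display-name>SecuredBankingWeb</display-name>

  <servlet>
    <servlet-name>AccountServlet</servlet-name>
    <servlet-class>com.example.banking.AccountServlet</servlet-class>
  </servlet>

  <servlet>
    <servlet-name>ReportServlet</servlet-name>
    <servlet-class>com.example.banking.ReportServlet</servlet-class>
    <!-- Delegation: calls this servlet makes to EJBs run under the identity
         mapped to the "auditor" RunAs role rather than the caller's identity.
         The RunAs role is bound to a real registry user at deployment time. -->
    <run-as>
      <role-name>auditor</role-name>
    </run-as>
  </servlet>

  <servlet-mapping>
    <servlet-name>AccountServlet</servlet-name>
    <url-pattern>/account/*</url-pattern>
  </servlet-mapping>

  <servlet-mapping>
    <servlet-name>ReportServlet</servlet-name>
    <url-pattern>/reports/*</url-pattern>
  </servlet-mapping>

  <!-- Everything under /account/ requires the "customer" role and SSL.
       No http-method elements are listed on purpose: in Servlet 2.4, naming
       methods (for example only GET and POST) leaves every other method
       (HEAD, PUT, DELETE, ...) outside the constraint and therefore open. -->
  <security-constraint>
    <display-name>Customer account pages</display-name>
    <web-resource-collection>
      <web-resource-name>Account</web-resource-name>
      <url-pattern>/account/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>customer</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- /reports/ is restricted to the "auditor" role, also over SSL. -->
  <security-constraint>
    <display-name>Audit reports</display-name>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>auditor</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Form login: login.jsp must POST the fields j_username and j_password
       to the action j_security_check. The login and error pages are left
       outside every constraint so that unauthenticated users can reach them. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Banking</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role referenced above must be declared here. The mapping of each
       role to users or groups in the active registry is done at deployment. -->
  <security-role>
    <role-name>customer</role-name>
  </security-role>
  <security-role>
    <role-name>auditor</role-name>
  </security-role>

</web-app>
```

To switch the module to HTTP basic authentication, replace the FORM login-config with `<auth-method>BASIC</auth-method>` and keep the realm-name; the constraints and role declarations stay the same. Whichever method is used, the descriptor only names roles; the users and groups that hold them are assigned when the application is deployed.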
Deploying secured applications
Deploying applications that have security constraints (secured applications) is not much different from deploying applications without security constraints. The only difference is that you might need to assign users and groups to roles for a secured application, which requires that the correct user registry is active. To deploy a newly secured application, click Applications > Install New Application in the navigation panel on the left and follow the prompts. If you are installing a secured application, the roles have already been defined in the application during assembly. If delegation is required in the application, RunAs roles are also defined and must likewise be mapped to a user in the active registry.
Testing security
After enabling global security and restarting all of your servers with security in effect, validate that security is properly enabled. There are a few techniques that you can use to test the various security login types. For example, you can test the Web-based BasicAuth login, the Web-based form login, and the Java client BasicAuth login. Include a negative check as well (a wrong password, or a user who is not in the required role, must be rejected) so that a misconfiguration that lets everyone in is not mistaken for success. These basic tests show that the fundamental security components are working properly.
Administering security
This section describes how to configure and administer security features with the administrative console, including:
  • Global security
  • Authentication mechanisms (directories and user registries)
  • Authorization policies and providers, including Java Authentication and Authorization Service (JAAS)
  • Trust association interceptors
  • Single signon
  • Common Secure Interoperability Version 2 (CSIv2)
  • Secure Sockets Layer (SSL)
  • Java 2 Security manager
  • Security attribute propagation
Configuring security with scripting
This section describes how to configure security using administrative scripting (the wsadmin tool), an alternative to using the administrative console.
Securing WebSphere applications
This section provides security instructions that are specific to the various types of applications, such as Web applications or Web services.
Tuning security configurations
Performance issues typically involve trade-offs between function and speed. Usually, the more function and the more processing involved, the slower the performance. Consider what type of security is necessary and what you can disable in your environment. For example, if your application servers are running in a Virtual Private Network (VPN), consider whether you must disable Secure Sockets Layer (SSL) on that hop; do so only if the VPN actually carries that hop end to end, because traffic on a link without SSL is otherwise sent in clear text. If you have a lot of users, can they be mapped to groups and then associated with your J2EE roles, rather than binding users to roles one by one? These questions are things to consider when designing your security infrastructure.
Troubleshooting security configurations
This section describes how to troubleshoot errors related to security.