5.1: The WebSphere security components

Security for WebSphere Application Server is managed as a collaborative effort by several components:
The security collaborators

The security collaborators reside in the application server process and are the key run-time components for enforcing the security constraints and attributes specified in the deployment descriptors. There is a collaborator for Web resources in the Web container and another collaborator in the enterprise-bean container. The Web collaborator performs authentication and authorization. The enterprise-bean collaborator performs authorization, but not authentication, and sets the run-as identity for delegated requests. The enterprise-bean collaborator relies on the Secure Association Service (SAS) to authenticate Java client requests to enterprise beans. Both collaborators do the following when a client request is made for a Web or enterprise-bean resource:
The Web collaborator can perform an additional authentication operation before the two operations above: if the client has not already authenticated, the Web collaborator can challenge the user to collect a user ID and password. The challenge mechanism is specified as the login-config element in the Web archive's web.xml deployment descriptor. The enterprise-bean collaborator performs an additional operation after the two operations above: it sets the run-as identity according to the delegation policy. The delegation policy determines the identity to use if the enterprise bean invokes methods on other enterprise beans. The delegation policy, or run-as mode, is specified in the ejb-jar.xml deployment descriptor.

For example, when a client makes an HTTP request to a protected Web resource such as a JSP file, the request is dispatched to the Web collaborator for the security check. The collaborator determines whether the client must be authenticated and, if so, challenges the client to collect a user ID and password. The Web collaborator authenticates the user ID and password supplied by the client against a user registry, for example, the local operating-system registry. If the client is successfully authenticated, the collaborator consults an internal authorization table to determine whether the user is in one of the roles protecting the resource and, if so, permits access.

Security policies

Security attributes for enterprise and Web applications are specified in XML deployment descriptors, typically using a tool such as the application assembly tool (AAT). The deployment descriptors contain much more than security attributes, but only those related to security are discussed here. The security attributes include roles, method permissions, the run-as mode or delegation policy, the login-config or challenge type, and data-protection (confidentiality and integrity) settings. When an application is deployed, the roles are mapped to users or groups. This mapping of users and groups to roles, combined with the mapping of roles to the enterprise-bean and Web methods they protect, forms the authorization table. There is one authorization table for each enterprise application, and the collaborators consult it during the authorization check. For more information on security-related attributes for deployment, see:
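The Web collaborator's check described above, carried end to end as an added example (this is not WebSphere code; the web.xml, the user registry and the role-to-user mapping in it are constructed for illustration): a web.xml with two security constraints and a FORM login-config is parsed, the deployment-time role mapping stands in for the authorization table, and check_access reports what the collaborator would do for each request. The example also shows a caveat the descriptor format invites: a security-constraint that lists http-method elements covers only those methods, so a HEAD request to the same URL falls outside the constraint and is served without any challenge.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml (not from any real application): two constraints,
# a FORM challenge, and the roles the application declares.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Account pages</web-resource-name>
      <url-pattern>/account/*</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>customer</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>administrator</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config><form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page></form-login-config>
  </login-config>
  <security-role><role-name>customer</role-name></security-role>
  <security-role><role-name>administrator</role-name></security-role>
</web-app>"""

# Constructed user registry: user -> (password, groups). A real deployment
# would consult the operating-system registry or LDAP, not a dict.
REGISTRY = {"alice": ("alice-pw", {"customers"}),
            "bob": ("bob-pw", {"customers", "admins"})}

# Constructed deploy-time role mapping: role -> (users, groups).
ROLE_MAPPING = {"customer": ({"alice"}, {"customers"}),
                "administrator": (set(), {"admins"})}


def parse_descriptor(web_xml):
    """Return (security constraints, login-config auth-method) from a web.xml string."""
    root = ET.fromstring(web_xml)
    constraints = []
    for sc in root.findall("security-constraint"):
        patterns, methods = [], set()
        for wrc in sc.findall("web-resource-collection"):
            patterns += [p.text.strip() for p in wrc.findall("url-pattern")]
            methods |= {m.text.strip().upper() for m in wrc.findall("http-method")}
        ac = sc.find("auth-constraint")
        # None: no auth-constraint (unrestricted); empty set: nobody may access.
        roles = None if ac is None else {r.text.strip() for r in ac.findall("role-name")}
        tg = sc.find("user-data-constraint/transport-guarantee")
        constraints.append({"patterns": patterns, "methods": methods, "roles": roles,
                            "confidential": tg is not None and tg.text.strip() != "NONE"})
    auth_method = root.findtext("login-config/auth-method", default="BASIC").strip()
    return constraints, auth_method


def url_matches(pattern, path):
    """Servlet-style matching: exact, path prefix (/x/*), extension (*.jsp), default (/)."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/"


def authenticate(user, password):
    """Result of the challenge: the caller's identity and groups, or None on failure."""
    entry = REGISTRY.get(user)
    if entry is None or entry[0] != password:
        return None
    return {"user": user, "groups": entry[1]}


def in_role(caller, role):
    """Authorization-table lookup: is the caller mapped to the role directly or via a group?"""
    users, groups = ROLE_MAPPING.get(role, (set(), set()))
    return caller["user"] in users or bool(caller["groups"] & groups)


def check_access(constraints, method, path, caller, secure=True):
    """Decide as the Web collaborator would: permit, redirect-ssl, challenge or deny."""
    applicable = [c for c in constraints
                  if any(url_matches(p, path) for p in c["patterns"])
                  and (not c["methods"] or method.upper() in c["methods"])]
    if not applicable:
        return "permit"          # no constraint covers this method+path: unprotected
    if not secure and any(c["confidential"] for c in applicable):
        return "redirect-ssl"    # transport guarantee is enforced before authentication
    if any(c["roles"] is None for c in applicable):
        return "permit"          # a matching constraint without auth-constraint is unrestricted
    if any(not c["roles"] for c in applicable):
        return "deny"            # empty <auth-constraint/> denies everyone
    if caller is None:
        return "challenge"       # login-config (FORM here) decides how credentials are collected
    needed = set().union(*(c["roles"] for c in applicable))
    return "permit" if any(in_role(caller, r) for r in needed) else "deny"


def demo():
    cs, auth_method = parse_descriptor(WEB_XML)
    alice = authenticate("alice", "alice-pw")
    bob = authenticate("bob", "bob-pw")
    return {
        "auth_method": auth_method,
        "anon_get_account": check_access(cs, "GET", "/account/summary.jsp", None),
        "anon_get_account_http": check_access(cs, "GET", "/account/summary.jsp", None, secure=False),
        "alice_get_account": check_access(cs, "GET", "/account/summary.jsp", alice),
        "alice_get_admin": check_access(cs, "GET", "/admin/users.jsp", alice),
        "bob_get_admin": check_access(cs, "GET", "/admin/users.jsp", bob),
        # HEAD is not listed in the account constraint, so the request is unprotected:
        "anon_head_account": check_access(cs, "HEAD", "/account/summary.jsp", None),
        "bad_password": authenticate("alice", "wrong"),
    }
```

Calling demo() returns the decision for each constructed request. The HEAD case is the one to watch in a real descriptor: omit the http-method elements altogether (so the constraint covers every method) unless you deliberately want some methods left open.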
The Secure Association Service (SAS)

SAS performs authentication for Java clients of enterprise beans and helps to provide message protection (encryption and integrity) between such clients and WebSphere application servers, which communicate using RMI/IIOP over SSL.

User Registry

In environments that enforce security restrictions on applications, one of the first steps toward meeting those restrictions is to require users to authenticate, that is, to prove their identities, in order to access applications. To prove an identity, a user submits a piece of information, for example, a password or a certificate, to the security system, and the system checks the information against a database of known users. If the submitted information matches the information in the database, the user has successfully authenticated. The database of known users is a registry. WebSphere Application Server supports the following types of registries:
SSL

Secure Sockets Layer (SSL) is a network-security protocol that uses public-key cryptography to authenticate the communicating parties and to establish the keys that encrypt and integrity-protect message data. SSL is used between Web browsers, Web servers, and WebSphere application servers to protect message data in transit. For instructions on how to configure SSL in WebSphere Application Server, see article 6.6.18, Securing Applications.