InfoCenter Home >
5: Securing applications -- special topics >
5.1: The WebSphere security components >
5.1.1: Security features
This section briefly describes some of the features of WebSphere
Application Server that you can use to secure your applications.
The security system has two facets. First, it enables administrators
to define security policies to establish control of resources.
Administrators use security policies to tell WebSphere Application
Server how security is to be handled. The security system also provides
built-in security services to enforce the policies.
Note: WebSphere Application Server
only supports HP-UX platfroms with non-trusted
mode.
HP-UX platforms with trusted mode are not
supported.
The IBM WebSphere Application Server security system provides a number
of features, including the following:
- Authentication policies and services
- Authentication is the process of verifying that users are who they
say they are. You can indicate how you want WebSphere Application
Server to verify the identity of users who try to access your resources.
You can choose a supported directory service, the operating system
registry, or a custom registry to verify the identity of users and groups.
- Authorization policies and services
- Authorization is the process of determining what a user is allowed
to do with a resource. You can specify policies that give different
users differing levels of access to your resources. If you define
authorization policies, WebSphere Application Server will enforce
them for you.
- Delegation policies
- Delegation allows an intermediary to do work initiated by
a client under an identity based on the associated delegation
policy. Therefore, enforcement of delegation policies affect the
identity under which the intermediary performs downstream invocations,
that is, the calls made to complete the current request. When making
downstream requests, the intermediary uses the client's credentials
by default; other choices are also possible. The result is that the
downstream resources do not know the identity of the intermediary;
they see the identity under which the intermediary is operating. There
are three possibilities for the identity under which the intermediary
operates are when making the downstream requests:
- The client's identity (default)
- Its own identity
- An identity specified by configuration
- A unified security administration model
- The different components of WebSphere Application Server use the
same model for security, so after you learn how to set up security for
one type of resource, you can apply that knowledge to other resources.
Enterprise beans, servlets, JSP files, and Web pages are all administered
similarly in terms of security.
You can combine all of these resources into an application for which
you also establish security.
- Single sign-on support
- Application Server supports third-party authentication, a
mechanism for achieving single sign-on across the Internet domain
that contains your resources. You can use single sign-on to allow users
to log on once per session rather than requiring them to log on
to each resource or application separately.
- Password encoding in configuration files
- Several of the WebSphere configuration files
contain user IDs and passwords. These are
needed at run time to access external secure
resources such as databases. Passwords are
encoded, not encrypted, to deter casual observation
of sensitive information. Password encoding
combined with proper operating system file
system security is intended to protect the
passwords stored in these files. The following
is a list of files that contain encoded,
but unencrypted passwords:
- sas.server.props
- sas.client.props
- admin.config
- ear/META-INF/ibm_application_bnd.xml
|
|