
5.1.1: Security features

This section briefly describes some of the features of WebSphere Application Server that you can use to secure your applications.

The security system has two facets. First, it enables administrators to define security policies that establish control over resources; administrators use these policies to tell WebSphere Application Server how security is to be handled. Second, it provides built-in security services that enforce those policies.

Note: WebSphere Application Server supports HP-UX platforms only in non-trusted mode. HP-UX platforms running in trusted mode are not supported.

The IBM WebSphere Application Server security system provides a number of features, including the following:

Authentication policies and services
Authentication is the process of verifying that users are who they say they are. You can indicate how you want WebSphere Application Server to verify the identity of users who try to access your resources.
Authorization policies and services
Authorization is the process of determining what a user is allowed to do with a resource. You can specify policies that give different users differing levels of access to your resources. If you define authorization policies, WebSphere Application Server will enforce them for you.
A unified security administration model
The different components of WebSphere Application Server use the same model for security, so after you learn how to set up security for one type of resource, you can apply that knowledge to other resources. Servlets, JSP files, and Web pages are all administered similarly in terms of security. You can combine all of these resources into an application for which you also establish security.
Password encoding in configuration files
Several of the WebSphere configuration files contain user IDs and passwords. These are needed at run time to access external secure resources such as databases. The passwords are encoded, not encrypted: the encoding deters casual observation but uses no key, so anyone who can read the file can recover the original password. Password encoding combined with proper operating system file system security (restricting read access to the user ID under which the server runs) is what is intended to protect the passwords stored in these files. The following files contain encoded, but unencrypted, passwords:
  • sas.server.props
  • sas.client.props
  • admin.config
  • ear/META-INF/ibm_application_bnd.xml
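The following script is an added example, not code from the original page or from IBM; it shows concretely what "encoded, not encrypted" means for the files listed above and performs the file-permission check the page says must compensate. It assumes the {xor} scheme that WebSphere's PasswordUtil uses in later releases (each byte XORed with the character "_", then base64, prefixed with "{xor}"); this page does not name the scheme, so that is an assumption. The property names in the sample are constructed in the style of sas.server.props and are not taken from a real file.

```python
"""Recover {xor}-encoded WebSphere passwords from a properties file and check
whether the file's permissions expose them. Added example; the {xor} scheme is
ASSUMED to be what the page calls "encoding"."""
import base64
import os
import stat

XOR_KEY = 0x5F      # the byte value of '_'; every password byte is XORed with it
PREFIX = "{xor}"


def xor_encode(plaintext: str) -> str:
    """Reproduce the assumed scheme: XOR each byte with '_' and base64 the result."""
    raw = bytes(b ^ XOR_KEY for b in plaintext.encode("utf-8"))
    return PREFIX + base64.b64encode(raw).decode("ascii")


def xor_decode(encoded: str) -> str:
    """Reverse the scheme. No secret is required, which is the whole point."""
    if not encoded.startswith(PREFIX):
        raise ValueError("value is not {xor}-encoded")
    raw = base64.b64decode(encoded[len(PREFIX):])
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8")


def find_encoded_passwords(properties_text: str) -> dict:
    """Return {property: decoded password} for every {xor} value in a .props file."""
    found = {}
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if value.startswith(PREFIX):
            found[key.strip()] = xor_decode(value)
    return found


def readable_by_others(mode: int) -> bool:
    """True if group or world may read a file with this st_mode; if so, the
    operating-system control the page relies on is not in place."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_file(path: str) -> dict:
    """Decode every password in a real file and report whether its mode leaks them."""
    with open(path, encoding="utf-8") as fh:
        passwords = find_encoded_passwords(fh.read())
    mode = os.stat(path).st_mode
    return {"passwords": passwords, "readable_by_others": readable_by_others(mode)}


# Constructed sample (property names assumed); the value is "secret" under the
# scheme above, i.e. xor_encode("secret").
SAMPLE_PROPS = """\
# constructed sample, not a real WebSphere file
com.ibm.CORBA.loginUserid=wasadmin
com.ibm.CORBA.loginPassword={xor}LDo8LTor
"""

if __name__ == "__main__":
    for key, password in find_encoded_passwords(SAMPLE_PROPS).items():
        print(f"{key} -> {password}")
    print("mode 0644 readable by other users:", readable_by_others(0o644))
```

Run `audit_file("/path/to/sas.server.props")` on a real installation to see both findings at once: the recovered passwords, and whether the file mode lets any other local user do the same. Treat any file in the list above that is group- or world-readable as a password disclosure, not merely a hardening gap.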
Go to previous article: Security components Go to next article: Authentication model