The product is an integral part of the multiple-tier
enterprise computing framework. Based on an open architecture, this product provides
many plug-in points to integrate with enterprise software components to provide end-to-end
security. Security
infrastructure and mechanisms protect application and administrative resources to provide enterprise security.
- Securing applications and their environments
- WebSphere Application Server supports the Java Platform, Enterprise Edition (Java EE) model for
creating, assembling, securing, and deploying applications. This article provides a high-level
description of what is involved in securing resources in a Java EE environment. Applications are
often created, assembled, and deployed in different phases, by people in different roles.
- Setting up and enabling security
- You must address several issues prior to authenticating users,
authorizing access to resources, securing applications, and securing communications.
These security issues include migration, interoperability, and installation.
After installing WebSphere Application Server, you must determine the proper
level of security that is needed for your environment.
- Configuring multiple security domains
- By default, all administrative and user applications in WebSphere Application Server use the global security configuration.
For example, a user registry defined in global security is used to authenticate users for every application in the cell.
You can create additional WebSphere security domains if you want to specify different security attributes for some or all
of your user applications.
- Authenticating users
- The process of authenticating users involves a user registry and
an authentication mechanism. Optionally, you can define trust
between WebSphere Application Server and a proxy server, configure single
sign-on capability, and specify how to propagate security attributes between
application servers.
- Authorizing access to resources
- WebSphere Application Server provides many different methods for
authorizing access to resources. For example, you can assign roles to users
and configure a built-in or external authorization provider.
- Securing communications
- WebSphere Application Server provides several methods to secure
communication between a server and a client.
- Developing extensions to the WebSphere security infrastructure
- WebSphere Application Server provides various plug points so that
you can extend the security infrastructure.
- Auditing the security infrastructure
- The security auditing subsystem has been introduced as part of the security infrastructure. The primary responsibility of
the security infrastructure is to prevent unauthorized access and usage of resources. Security auditing enables
you to implement your code to capture and store supported auditable security events. During runtime, all code other than
the Java EE application code is considered to be trusted. Each time a Java EE application accesses a secured resource, any
internal application server process with an audit point included can be recorded as an auditable event.
- Configuring security with scripting
- This section describes security using administrative scripting, an alternative
to using the administrative console.
- Securing WebSphere applications
- This section provides security instructions that are specific to the various
types of applications, such as Web applications or Web services.
In the navigation tree, expand Securing applications and their environment > Securing WebSphere applications to view the contents of this section.
- Tuning, hardening, and maintaining
- After you have installed WebSphere Application Server, there are
several considerations for tuning, strengthening, and maintaining your security
configuration.
- Troubleshooting security configurations
- Troubleshoot specific problems that are related to configuring and enabling security configurations.