Use this page to specify the Web authentication settings that are associated with a Web client.
Property name | Value | Explanation |
---|---|---|
com.ibm.wsspi.security.web.webAuthReq | lazy | This value is equivalent to the "Authenticate only when the URI is protected" option. |
com.ibm.wsspi.security.web.webAuthReq | persisting | This value is equivalent to the "Use available authentication data when an unprotected URI is accessed" option. |
com.ibm.wsspi.security.web.webAuthReq | always | This value is equivalent to the "Authenticate when any URI is accessed" option. |
com.ibm.wsspi.security.web.failOverToBasicAuth | true | This value is equivalent to the "Default to basic authentication when certificate authentication for the HTTPS client fails" option. |
Authenticate only when the URI is protected
The application server challenges the Web client to provide authentication data when the Web client accesses a Uniform Resource Identifier (URI) that is protected by a Java 2 Platform, Enterprise Edition (J2EE) role. The authenticated identity is available only when the Web client accesses a protected URI.
This option is the default J2EE Web authentication behavior that is also available in previous releases of WebSphere® Application Server.
The missing images and the error message are a side-effect of this option. The images do not display because the URIs for the images now need authentication, which requires you to log in. You can ignore this error message.
Default: Enabled
Use available authentication data when an unprotected URI is accessed
The Web client can access validated authenticated data that it previously could not access. This option enables the Web client to call the getRemoteUser, isUserInRole, and getUserPrincipal methods to retrieve an authenticated identity from an unprotected URI.
When you select this option with the "Authenticate only when the URI is protected" option, the Web client can use authenticated data when the URI is protected or not protected.
When this option is selected and form-based authentication is used, a WASPostParam cookie is generated during the authentication procedure of the HTTP POST request even if the target URL is unprotected. A WASPostParam cookie is a temporary cookie used to store HTTP POST parameters. As a result, the Web client is sent the unnecessary cookie with an HTTP response, which might cause unexpected behavior when the size of the cookie is larger than the browser limit. To avoid this behavior, set the custom property com.ibm.websphere.security.util.postParamMaxCookieSize, which causes the security code to stop generating the cookie if the maximum size is reached.
Default: Disabled
Authenticate when any URI is accessed
The Web client must provide authentication data regardless of whether the URI is protected.
Default: Disabled
Default to basic authentication when certificate authentication for the HTTPS client fails
When the required HTTPS client certificate authentication fails, the application server uses the basic authentication method to challenge the Web client to provide a user ID and password.
Default: Disabled
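
The following is an added example, not IBM code: a small audit that maps the custom properties from the table above to their console options and reports the two settings discussed on this page that deserve review (basic authentication failover, and the WASPostParam cookie with no size limit). The `key=value` input format, the `form_login` flag, and the rule that an absent property means the stated default are assumptions; the sample data is constructed.

```python
# Added example: audit of the Web authentication custom properties on this page.
# Assumptions: key=value input format; absent property = default stated on the page.
PREFIX = "com.ibm.wsspi.security.web."
WEB_AUTH_REQ = PREFIX + "webAuthReq"
FAILOVER = PREFIX + "failOverToBasicAuth"
POST_COOKIE_MAX = "com.ibm.websphere.security.util.postParamMaxCookieSize"

# Property value -> console option, as listed in the table on this page.
OPTIONS = {
    "lazy": "Authenticate only when the URI is protected",
    "persisting": "Use available authentication data when an unprotected URI is accessed",
    "always": "Authenticate when any URI is accessed",
}

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def audit(text, form_login=False):
    """Return (effective console option or None, list of findings)."""
    props = parse_properties(text)
    findings = []
    mode = props.get(WEB_AUTH_REQ, "lazy")  # page default: lazy option enabled
    option = OPTIONS.get(mode)
    if option is None:
        findings.append(f"unknown webAuthReq value {mode!r}")
    if props.get(FAILOVER, "false").lower() == "true":
        findings.append("failed HTTPS client certificate authentication "
                        "falls back to a basic authentication challenge")
    if mode == "persisting" and form_login and POST_COOKIE_MAX not in props:
        findings.append("WASPostParam cookie is generated for POSTs to "
                        "unprotected URLs and postParamMaxCookieSize is not set")
    return option, findings

SAMPLE = """\
# constructed sample export
com.ibm.wsspi.security.web.webAuthReq=persisting
com.ibm.wsspi.security.web.failOverToBasicAuth=true
"""

if __name__ == "__main__":
    option, findings = audit(SAMPLE, form_login=True)
    print(option, *("- " + f for f in findings), sep="\n")
```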