10 security in websphere application server 8
DESCRIPTION
websphere 8 securityTRANSCRIPT
-
By Joseph Amrith Raj
WebSphere Application Server v8
Primer
Chapter
10
-
Security 2
Josephs WebSphere Library
J O S E P H S W E B S P H E R E L I B R A R Y
WebSphere Application Server v8
Primer, part-10: Security
WebSphere Library
http://twitter.com/WebSphere_Lib http://facebook.com/webspherelibrary
-
Security 3
Josephs WebSphere Library
Table of Contents Introduction .................................................................................................................................................. 4
Overview of Security in WAS ........................................................................................................................ 4
Web Security ............................................................................................................................................. 5
Web and EJB Container security for J2EE resources. ................................................................................ 6
EJB Security ............................................................................................................................................... 6
Java 2 Security ........................................................................................................................................... 6
Web Services Security ............................................................................................................................... 7
Whats new in WebSphere Application Server v8 Security .......................................................................... 8
Out of the box security enhancements .................................................................................................... 11
CSI v2 communications ........................................................................................................................... 11
HTTPOnly for web security Single Sign-on ............................................................................................. 11
HTTPOnly for session security ................................................................................................................. 12
Session Management security integration ............................................................................................. 12
Web authentication behavior ................................................................................................................. 13
Security Configuration Report .................................................................................................................... 14
Audit Log Handling Options ........................................................................................................................ 15
References .................................................................................................................................................. 16
About Author .............................................................................................................................................. 17
Connect With US ......................................................................................................................................... 18
-
Security 4
Josephs WebSphere Library
Introduction This section gives you an overview of the security in the websphere application server. WebSphere
Application Server [from here on referred as WAS] is a J2EE based application server. Security in WAS is
based on the standard and open architecture. It provides security infrastructure to protect the J2EE
resources. Also, provides the security requirements of
Authentication
Resources Access control
Data Integrity
Confidentiality
Privacy
Secure Interoperability
Overview of Security in WAS
Security in WAS is built on top of the security from the Operating System, Security from Java Technology
followed by WebSphere Application Server security. [as shown in the above diagram]
-
Security 5
Josephs WebSphere Library
Image taken from IBM Infocenter
The above diagram shows the open architecture paradigm of the WAS. WAS supports Simple
WebSphere Authentication Mechanism [SWAM], Lightweight Third Party Authentication [LTPA] and
Kerberos as the authentication mechanisms. WAS Supports unix, windows and IBM I local OS, LDAP, file
based and JDBC based user registry implementations. Also you can use the combination of these
Authentication mechanisms and user registries.
The security technologies implemented includes: Java 2 security model, Common Security
Interoperability v2 (CSIv2), Java Authentication and Authorization Service (JASS) and Java 2
Connector architecture (JCA).
Trust association enables you to integrate third-party security servers with IBM WebSphere
Application Server security like Access Managers, WebSEAL, and Caching proxy.
Security attribute propagation enables WebSphere Application Server to transport security
attributes from one server to another in your configuration.
The interoperability mode option enables Single Sign-on (SSO) connections between WebSphere
Application Server v6.1.x or later to interoperate with previous versions of the application
server.
Web Security When a security policy is specified for a web resource and IBM WebSphere Application Server security is
enforced, the web container performs access control when the resource is requested by a web client.
WebSphere Application Server supports the following login methods:
HTTP basic authentication HTTPS client authentication Form-based Login
-
Security 6
Josephs WebSphere Library
Simple and Protected GSS-API Negotiation (SPNEGO) token
Web and EJB Container security for J2EE resources. Web & EJB container provides two kinds of security
declarative security for which security policies can be conveyed using XML entries in
Deployment Descriptor/using annotations.
Programmatic security way in which EJB code will have calls to the security API.
EJB Security WebSphere supports EJB 3.0 API [from v7 onwards], which enables the use of the concept of
annotations for conveying security configuration information. When security is enabled, EJB container
enforces access control on EJB method invocation.
A Java application client can provide the authentication data in several ways. Using the
sas.client.props file, a Java client can specify whether to use a user ID and password to
authenticate or to use an SSL client certificate to authenticate.
At run time, the Java client can either perform a programmatic login or perform a lazy authentication. In lazy authentication when the Java client is accessing a protected enterprise bean for the first time, the security run time tries to obtain the required authentication data. Depending on the configuration setting in sas.client.props file the security runtime either looks up the authentication data from this file or prompts the user.
A Java client can also use programmatic login. WebSphere Application Server supports the JAAS programming model and the JAAS login (LoginContext) is the recommended way of programmatic login.
Java 2 Security WebSphere Application Server supports the Java 2 security model.
System codes such as the administrative subsystem, the web container, and the EJB container,
are running in the WebSphere Application Server security domain, which in the present
implementation are granted with AllPermission and can access all system resources.
Application code running in the application security domain, which by default is granted with
permissions according to J2EE specifications, can access only a restricted set of system
resources.
WAS run-time classes are protected by the WebSphere Application Server class loader and are
kept invisible to application code.
-
Security 7
Josephs WebSphere Library
Web Services Security WebSphere Application Server enables you to secure web services based upon the Organization
for the Advancement of Structured Information Standards (OASIS) Web Services Security
Version 1.1 specification.
-
Security 8
Josephs WebSphere Library
Whats new in WebSphere Application Server v8 Security There are new customizable options available when specifying the default audit log wrapping
behavior.
WAS v8 supports the JSR 196: Java Authentication SPI for Containers (JASPI, or sometimes called JASPIC) specification, which enables third-party security providers to handle the Java Platform, Enterprise Edition (Java EE) authentication of HTTP request and response messages destined for web applications
WAS v8 supports all security updates as defined in the Java Servlet 3.0 specification (JSR-315), including the new servlet security annotations, use of new programmatic security APIs and the dynamic updating of the servlet security configuration.
In WAS v8, you can configure a unique instance of a federated repository at the domain level in a multiple security domain environment.
The security configuration report now includes information about session security, web Attributes, and the HttpOnly setting to enable you to get a more complete view of your server security settings.
When you install WAS, it comes with some default security settings which are known as out of
box security. There were some enhancements/changes made to these out of the box settings
Common Security Interoperability Version 2 [CSIv2] connections now require SSL. inbound and outbound connections to WebSphere Application Server are set to
require SSL to provide stronger transport level security New HttpOnly settings on LTPA and session cookies guard against cross-site scripting
attacks. When HttpOnly settings are enabled, cross-site scripting attacks are mitigated
by permitting only HTTP elements in cookies. Session security is enabled to restrict access to the user who created the session.
When a session is created for a user, only that user can access the session. Web authentication is set to make login information available to unprotected resources.
This enables those resources to access information in a secure session without failing and can also be used to determine the login under which unprotected resources were accessed.
Ive highlighted the changes in the next two screenshots
In Global security panel
-
Security 9
Josephs WebSphere Library
In Server container settings
Security auditing service provider
-
Security 10
Josephs WebSphere Library
-
Security 11
Josephs WebSphere Library
Out of the box security enhancements
CSI v2 communications Go to Security Gloabal security RMI/IIOP security CSIv2 inbound/outbound
HTTPOnly for web security Single Sign-on
-
Security 12
Josephs WebSphere Library
HTTPOnly for session security Servers WebSphere Application Security Server_name Session Management Enable Cookies
Session Management security integration Servers WebSphere Application Servers server_name session management
-
Security 13
Josephs WebSphere Library
Web authentication behavior
-
Security 14
Josephs WebSphere Library
Security Configuration Report Security global security -> security configuration report
-
Security 15
Josephs WebSphere Library
Audit Log Handling Options Security Security auditing Audit Service provider name
Audit log wrapping: Specifies the wrapping behavior of the binary audit log when the maximum number
of binary audit log files is reached.
WRAP [overwrite oldest] o If you select this option, when the maximum audit logs are reached, the oldest audit log
is rewritten; notification is not sent to the auditor. This is the default option.
NOWRAP [stop server] o This option does not rewrite over the oldest audit log. It stops the audit service, sends a
notification to the SystemOut.log, and quiesces the application server.
SILENT_FAIL [stop logging] This option does not rewrite over the oldest audit log. It also stops the audit service, but does allow the
WebSphere process to continue. Notifications are not posted in the SystemOut.log.
-
Security 16
Josephs WebSphere Library
References IBM WebSphere Application Server 8.0 Network Deployment [beta installed]
IBM websphere Infocenter
-
Security 17
Josephs WebSphere Library
About Author
Joseph Amrith Raj is a technical consultant for multiple WebSphere products. He worked on various
product consulting and support teams including WebSphere Application Server, WebSphere MQ,
WebSphere Message Broker, Enterprise Service Bus and WebSphere Process Server. He has 7 years of
experience in administration, troubleshooting, consulting and he has significant experience in
architecture, strategy and leadership positions. He is IBM certified for WAS, WMQ, WPS , SOA and Cloud
Computing.
-
Security 18
Josephs WebSphere Library
Connect With US
Get notified on upcoming tutorials
Subscribe, to get this WebSphere blog posts directly to your inbox : here
Tell us your feedback and what you want
Please leave your comments in the comments section below the post
Send us suggestions for future topics and improvements about the content at
Be Connected!
Connect with us on Facebook
Connect with us on Twitter
More about us : profile