WebSphere Application Server v8 Primer, part-10: Security
By Joseph Amrith Raj
Joseph's WebSphere Library

WebSphere Library
http://twitter.com/WebSphere_Lib
http://facebook.com/webspherelibrary


Table of Contents
Introduction
Overview of Security in WAS
    Web Security
    Web and EJB Container security for J2EE resources
    EJB Security
    Java 2 Security
    Web Services Security
What's new in WebSphere Application Server v8 Security
    Out of the box security enhancements
    CSIv2 communications
    HttpOnly for web security Single Sign-on
    HttpOnly for session security
    Session Management security integration
    Web authentication behavior
Security Configuration Report
Audit Log Handling Options
References
About Author
Connect With Us


Introduction
This section gives you an overview of security in WebSphere Application Server. WebSphere
Application Server [from here on referred to as WAS] is a J2EE-based application server. Security in WAS is
built on a standard, open architecture. It provides the security infrastructure to protect J2EE
resources and addresses the following security requirements:
Authentication
Resource access control
Data integrity
Confidentiality
Privacy
Secure interoperability
Overview of Security in WAS

Security in WAS is layered: operating system security at the bottom, the security of the Java
platform on top of that, and WebSphere Application Server security on top of both [as shown in the above diagram].
Image taken from IBM Infocenter
The above diagram shows the open architecture paradigm of WAS. WAS supports Simple
WebSphere Authentication Mechanism [SWAM, deprecated since v6.1], Lightweight Third Party Authentication [LTPA] and
Kerberos as authentication mechanisms. For the user registry, WAS supports the local operating
system registry (UNIX, Windows and IBM i), LDAP, a file-based registry and a JDBC (database) based
registry, and an authentication mechanism can be combined with any of these registries.
The security technologies implemented include the Java 2 security model, Common Secure
Interoperability Version 2 (CSIv2), Java Authentication and Authorization Service (JAAS) and the J2EE
Connector Architecture (JCA).
Trust association enables you to integrate third-party security servers such as Tivoli Access
Manager, WebSEAL and Caching Proxy with WebSphere Application Server security: the proxy
authenticates the user and WAS trusts the identity the proxy forwards.
Security attribute propagation enables WebSphere Application Server to transport security
attributes from one server to another in your configuration.
The interoperability mode option enables Single Sign-on (SSO) between WebSphere
Application Server v6.1.x or later and previous versions of the application server.
Web Security
When a security policy is specified for a web resource and IBM WebSphere Application Server security is
enabled, the web container performs access control when the resource is requested by a web client.
WebSphere Application Server supports the following login methods:
HTTP basic authentication
HTTPS client authentication
Form-based login
Simple and Protected GSS-API Negotiation (SPNEGO) token
Web and EJB Container security for J2EE resources
The web and EJB containers provide two kinds of security:
Declarative security, in which security policies are conveyed through XML entries in the
deployment descriptor or through annotations and are enforced by the container.
Programmatic security, in which the servlet or EJB code itself calls the security API (for
example isUserInRole or isCallerInRole) to make finer-grained decisions.
EJB Security
WebSphere supports the EJB 3.0 API [from v7 onwards], which allows security configuration to be
conveyed with annotations. When security is enabled, the EJB container enforces access control on
every EJB method invocation.
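As an added example (not code from this primer or from IBM), the following EJB 3.0 session bean combines declarative security, which the EJB container enforces before the method runs, with a programmatic check through SessionContext. The role names "clerk" and "manager" and the transfer limit are assumptions; roles still have to be mapped to users or groups when the application is deployed.

```java
// Added example: declarative (annotation) and programmatic EJB 3.0 security.
// Role names "manager" and "clerk" are assumptions for illustration.
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles({"manager", "clerk"})   // roles this bean refers to
@RolesAllowed("clerk")                // class-level default: every business method needs "clerk"
public class AccountBean {

    @Resource
    private SessionContext ctx;

    // Inherits the class-level constraint: the caller must be in role "clerk".
    public String lookupBalance(String accountId) {
        return "balance for " + accountId;
    }

    @RolesAllowed("manager")          // a method-level annotation overrides the class-level one
    public void approveOverdraft(String accountId) {
        // approval logic
    }

    @PermitAll                        // callable by anyone, authenticated or not
    public String ping() {
        return "ok";
    }

    @DenyAll                          // never callable through the container
    public void internalReset() {
    }

    // Programmatic security: declaratively any "clerk" or "manager" may call this,
    // but the amount limit depends on the caller's role, which the annotation
    // cannot express, so the code asks the container at run time.
    @RolesAllowed({"clerk", "manager"})
    public void transfer(String from, String to, long amountCents) {
        String caller = ctx.getCallerPrincipal().getName();
        boolean isManager = ctx.isCallerInRole("manager");
        if (amountCents > 1000000L && !isManager) {      // assumed limit: 10,000.00
            // EJBAccessException is what the container itself throws on a
            // declarative failure, so clients see one consistent error.
            throw new EJBAccessException(caller + " may not transfer more than 10,000.00");
        }
        // perform the transfer
    }
}
```

The container evaluates the annotations on every invocation that comes through the EJB proxy; a direct call from one method of the bean to another in the same instance bypasses them, which is another reason to keep the programmatic check inside the business method.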
A Java application client can provide its authentication data in several ways. Using the
sas.client.props file, a Java client can specify whether to authenticate with a user ID and
password or with an SSL client certificate.
At run time, the Java client can either perform a programmatic login or rely on lazy
authentication. With lazy authentication, when the Java client accesses a protected
enterprise bean for the first time, the security runtime tries to obtain the required
authentication data. Depending on the configuration settings in the sas.client.props file, the
security runtime either looks up the authentication data in this file or prompts the
user.
A Java client can also use programmatic login. WebSphere Application Server supports
the JAAS programming model, and the JAAS login (LoginContext) is the recommended
way to log in programmatically.
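The programmatic login described above, as an added example that is not part of this primer: a thin Java client that authenticates through JAAS before it touches a protected bean, with the equivalent sas.client.props entries for lazy authentication shown in the comments. It assumes the client runs under WebSphere's client runtime (launchClient or the thin client jars) with -Dcom.ibm.CORBA.ConfigURL pointing at a sas.client.props file; the "WSLogin" JAAS configuration and WSCallbackHandlerImpl are shipped by WebSphere, while the user id, realm and password are placeholders.

```java
// Added example: programmatic JAAS login from a WebSphere Java client.
// Lazy-authentication equivalents in sas.client.props (placeholders):
//   com.ibm.CORBA.loginSource=properties      # read user/password from this file ...
//   com.ibm.CORBA.loginUserid=clerk1
//   com.ibm.CORBA.loginPassword=secret        # encode with PropFilePasswordEncoder
//   com.ibm.CORBA.loginSource=prompt          # ... or pop up a login dialog instead
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl;

public class ProgrammaticLoginClient {

    // Authenticates against the server's configured user registry and returns
    // a Subject carrying the WebSphere credential (LTPA token).
    public static Subject login(String user, String realm, String password)
            throws LoginException {
        // "WSLogin" is the WebSphere-supplied JAAS configuration for application logins.
        LoginContext lc = new LoginContext("WSLogin",
                new WSCallbackHandlerImpl(user, realm, password));
        lc.login();
        return lc.getSubject();
    }

    public static void main(String[] args) throws Exception {
        // Placeholders; defaultWIMFileBasedRealm is the realm name of the default
        // federated repository, replace it with the target server's realm.
        Subject subject = login("clerk1", "defaultWIMFileBasedRealm", "secret");

        // Run the EJB call under the authenticated subject: the security runtime
        // attaches the subject's credential to the outbound CSIv2 (RMI/IIOP) request,
        // so the server never prompts and never needs sas.client.props credentials.
        WSSubject.doAs(subject, new PrivilegedAction<Void>() {
            public Void run() {
                // look up and invoke the protected enterprise bean here
                return null;
            }
        });
    }
}
```

Reading the password from a properties file, as lazy authentication does, leaves a credential on disk; the programmatic path lets the client obtain it from a prompt, a vault or a certificate-backed login instead, and WSSubject.doAs scopes the identity to the calls that need it.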
Java 2 Security
WebSphere Application Server supports the Java 2 security model.
System code such as the administrative subsystem, the web container and the EJB container
runs in the WebSphere Application Server security domain, which in the present
implementation is granted AllPermission and can access all system resources.
Application code runs in the application security domain, which by default is granted only
the permissions the J2EE specification requires, so it can access a restricted set of system
resources; anything beyond that must be granted explicitly in the application's was.policy file.
WAS run-time classes are protected by the WebSphere Application Server class loader and are
kept invisible to application code.
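What that restriction looks like from application code, as an added example that is not part of this primer: the first method fails under Java 2 security until the permission is granted in the EAR's META-INF/was.policy; the second shows the privileged-block pattern a library can use so that its callers do not need the grant. The file path and the policy excerpt are assumptions for illustration.

```java
// Added example: application code under WebSphere Java 2 security.
import java.io.FileInputStream;
import java.io.IOException;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Properties;

public class SettingsLoader {

    // Assumed location under the profile; ${user.install.root} in was.policy
    // resolves to the same directory as this system property.
    private static final String SETTINGS =
            System.getProperty("user.install.root") + "/config/app.properties";

    // 1) Plain read. With Java 2 security enabled this throws
    //    java.security.AccessControlException unless every frame on the call
    //    stack, the application's own code included, holds the FilePermission.
    //    The grant goes in META-INF/was.policy inside the EAR, for example:
    //
    //      grant codeBase "file:${application}" {
    //          permission java.io.FilePermission
    //              "${user.install.root}${/}config${/}app.properties", "read";
    //      };
    public static Properties loadDirect() throws IOException {
        Properties p = new Properties();
        FileInputStream in = new FileInputStream(SETTINGS);
        try {
            p.load(in);
        } finally {
            in.close();
        }
        return p;
    }

    // 2) Privileged read. If this class ships in a utility library that holds
    //    the FilePermission, doPrivileged stops the permission stack walk here,
    //    so callers in the restricted application domain need no grant of their
    //    own. The path is deliberately fixed: a privileged block that opened a
    //    caller-supplied path would lend every caller the library's permissions.
    public static Properties loadPrivileged() throws IOException {
        try {
            return AccessController.doPrivileged(new PrivilegedExceptionAction<Properties>() {
                public Properties run() throws IOException {
                    return loadDirect();
                }
            });
        } catch (PrivilegedActionException e) {
            throw (IOException) e.getException();
        }
    }

    // True when the server runs with Java 2 security switched on.
    public static boolean java2SecurityEnabled() {
        return System.getSecurityManager() != null;
    }
}
```

When an AccessControlException shows up after enabling Java 2 security, the stack trace names the permission and the code source that lacked it; grant exactly that permission to that code base rather than AllPermission to the application.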
Web Services Security
WebSphere Application Server enables you to secure web services based upon the Organization
for the Advancement of Structured Information Standards (OASIS) Web Services Security
Version 1.1 specification.

What's new in WebSphere Application Server v8 Security
There are new customizable options for the default audit log wrapping behavior.
WAS v8 supports the JSR 196: Java Authentication SPI for Containers (JASPI, sometimes called
JASPIC) specification, which enables third-party security providers to handle the Java Platform,
Enterprise Edition (Java EE) authentication of HTTP request and response messages destined for
web applications.
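To show what such a provider actually does, here is an added example that is not part of this primer or of WebSphere: a minimal JSR 196 ServerAuthModule that authenticates web requests from a bearer token in an HTTP header and hands the caller and group names to the container through the standard callbacks. The header name, the token table and the group names are constructed for illustration; a real module would validate a signed token or call an authentication service. The AuthConfigProvider and ServerAuthContext classes that hand this module to the container, and the registration of that provider under Security > Global security > JASPI providers, are not shown.

```java
// Added example: a ServerAuthModule (JSR 196 / JASPI) for web requests.
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class HeaderTokenAuthModule implements ServerAuthModule {

    private static final String HEADER = "X-Auth-Token";   // assumed header name

    // Constructed lookup table, token -> {user, group...}. Illustration only:
    // never ship static tokens in code.
    private static final Map<String, String[]> TOKENS = new HashMap<String, String[]>();
    static {
        TOKENS.put("d3adb33f", new String[] {"clerk1", "clerk"});
        TOKENS.put("c0ffee42", new String[] {"mgr1", "manager", "clerk"});
    }

    private CallbackHandler handler;
    private MessagePolicy requestPolicy;

    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        this.handler = handler;            // container-supplied; builds the Subject for us
        this.requestPolicy = requestPolicy;
    }

    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest req = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse resp = (HttpServletResponse) messageInfo.getResponseMessage();

        String token = req.getHeader(HEADER);
        String[] identity = (token == null) ? null : TOKENS.get(token);

        if (identity == null) {
            // Unprotected resource: the policy is not mandatory, so let the
            // request through anonymously instead of failing it.
            if (requestPolicy == null || !requestPolicy.isMandatory()) {
                return AuthStatus.SUCCESS;
            }
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            resp.setHeader("WWW-Authenticate", "Token realm=\"app\"");
            return AuthStatus.SEND_FAILURE;     // response already carries the failure
        }

        String user = identity[0];
        String[] groups = new String[identity.length - 1];
        System.arraycopy(identity, 1, groups, 0, groups.length);

        // Hand the caller and groups to the container; it populates clientSubject.
        Callback[] callbacks = new Callback[] {
            new CallerPrincipalCallback(clientSubject, user),
            new GroupPrincipalCallback(clientSubject, groups)
        };
        try {
            handler.handle(callbacks);
        } catch (IOException e) {
            throw (AuthException) new AuthException("callback failed").initCause(e);
        } catch (UnsupportedCallbackException e) {
            throw (AuthException) new AuthException("callback not supported").initCause(e);
        }
        return AuthStatus.SUCCESS;
    }

    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS;         // nothing to add to the response
    }

    public void cleanSubject(MessageInfo messageInfo, Subject subject) {
        if (subject != null) {
            subject.getPrincipals().clear();    // called on logout
        }
    }
}
```

The mandatory check is the part most often got wrong: a module that returns SEND_FAILURE for every request without a token also blocks the application's public pages, because the container consults the module for unprotected URIs too (with a non-mandatory policy).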
WAS v8 supports all security updates defined in the Java Servlet 3.0 specification (JSR-315),
including the new servlet security annotations, the new programmatic security APIs and the
dynamic updating of the servlet security configuration.
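The Servlet 3.0 features just listed, and the declarative-versus-programmatic split described under "Web and EJB Container security", in one added example that is not part of this primer: the @ServletSecurity annotation is declarative and is enforced by the web container before the servlet runs, while the login(), logout(), getUserPrincipal() and isUserInRole() calls inside the methods are programmatic. The URL pattern, role names and form parameter names are assumptions.

```java
// Added example: Servlet 3.0 declarative and programmatic security in one servlet.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/account/*")
@ServletSecurity(
    // Default for every HTTP method not listed below: the caller must be in
    // role "clerk" and the request must arrive over SSL (CONFIDENTIAL).
    value = @HttpConstraint(rolesAllowed = "clerk",
                            transportGuarantee = TransportGuarantee.CONFIDENTIAL),
    httpMethodConstraints = {
        // DELETE is narrower: managers only.
        @HttpMethodConstraint(value = "DELETE", rolesAllowed = "manager",
                              transportGuarantee = TransportGuarantee.CONFIDENTIAL),
        // POST carries the login form, so it must be reachable before the caller
        // is authenticated: no roles, PERMIT, but still SSL because it carries a password.
        @HttpMethodConstraint(value = "POST", emptyRoleSemantic = EmptyRoleSemantic.PERMIT,
                              transportGuarantee = TransportGuarantee.CONFIDENTIAL)
    })
public class AccountServlet extends HttpServlet {

    // Programmatic login and logout with the Servlet 3.0 request APIs.
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if ("logout".equals(req.getParameter("action"))) {
            req.logout();                                   // drops the caller identity
            resp.sendRedirect(req.getContextPath() + "/");
            return;
        }
        try {
            // Authenticates against the server's configured user registry.
            req.login(req.getParameter("j_username"), req.getParameter("j_password"));
        } catch (ServletException e) {
            // Bad credentials or already logged in: say no without echoing why.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        resp.sendRedirect(req.getContextPath() + "/account/summary");
    }

    // Only an authenticated "clerk" reaches this method (declarative);
    // the body adds programmatic checks for finer-grained decisions.
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getUserPrincipal().getName();
        boolean manager = req.isUserInRole("manager");
        resp.setContentType("text/plain");
        resp.getWriter().println("user=" + user + " manager=" + manager);
    }

    // Only "manager" reaches this method.
    protected void doDelete(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

A security-constraint element in web.xml for the same URL pattern takes precedence over the annotation, which is the usual way to tighten a deployed application without rebuilding it; the annotation is the default, not the last word.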
In WAS v8, you can configure a unique instance of a federated repository at the domain level in
a multiple security domain environment.
The security configuration report now includes information about session security, web
attributes and the HttpOnly setting, giving you a more complete view of your server
security settings.
When you install WAS, it comes with default security settings known as out-of-the-box security.
The following enhancements/changes were made to these out-of-the-box settings:
Common Secure Interoperability Version 2 [CSIv2] connections now require SSL.
CSIv2 inbound and outbound transports to WebSphere Application Server are set to
SSL-required to provide stronger transport-level security.
New HttpOnly settings on the LTPA and session cookies guard against cross-site scripting
attacks.
When HttpOnly is set, the browser sends the cookie only with HTTP(S) requests and does
not expose it to client-side script (document.cookie), so a cross-site scripting payload
cannot read and exfiltrate the LTPA token or session ID. The script can still cause the
browser to send requests that carry the cookie, so this mitigates the attack rather than
eliminating it.
Session security is enabled to restrict access to the user who created the session.
When a session is created for a user, only that user can access the session.
Web authentication is set to make login information available to unprotected resources.
This enables those resources to access information in a secure session without
failing and can also be used to determine the login under which unprotected
resources were accessed.
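The new HttpOnly defaults cover the cookies WebSphere itself issues (the LTPA single sign-on cookie and the session cookie); cookies created by application code get no flag unless the code sets one, which Servlet 3.0 makes possible with Cookie.setHttpOnly. As an added example that is not part of this primer or of WebSphere, the filter below forces HttpOnly, and Secure on SSL connections, onto every cookie the application adds. The URL pattern is an assumption.

```java
// Added example: a filter that hardens application-set cookies.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

@WebFilter("/*")
public class CookieHardeningFilter implements Filter {

    public void init(FilterConfig cfg) throws ServletException {
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        final boolean overSsl = req.isSecure();
        HttpServletResponse wrapped = new HttpServletResponseWrapper((HttpServletResponse) resp) {
            @Override
            public void addCookie(Cookie cookie) {
                // Script cannot read the value through document.cookie; an XSS
                // payload can still make the browser send it, so this is a mitigation.
                cookie.setHttpOnly(true);
                // Secure keeps the cookie off plain HTTP. It is set only when the
                // request itself came over SSL, because a Secure cookie issued on an
                // http:// test deployment would simply never be stored.
                if (overSsl) {
                    cookie.setSecure(true);
                }
                super.addCookie(cookie);
            }
        };
        chain.doFilter(req, wrapped);
    }

    public void destroy() {
    }
}
```

Cookies written through Response.addHeader("Set-Cookie", ...) bypass addCookie and therefore this wrapper; grep the application for that pattern before relying on the filter.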

I've highlighted the changes in the next screenshots:
In the Global security panel
In the server container settings
In the security auditing service provider settings
Out of the box security enhancements
CSIv2 communications
Go to Security > Global security > RMI/IIOP security > CSIv2 inbound communications and
CSIv2 outbound communications. The Transport setting on both panels defaults to SSL-required.


HttpOnly for web security Single Sign-on
Security > Global security > Web and SIP security > Single sign-on (SSO)

HttpOnly for session security
Servers > Server Types > WebSphere application servers > server_name > Session management > Enable cookies


Session Management security integration
Servers > Server Types > WebSphere application servers > server_name > Session management (Security integration)
Web authentication behavior
Security > Global security > Web and SIP security > General settings > Web authentication behavior
The v8 default is "Authenticate only when the URI is protected" with "Use available authentication
data when an unprotected URI is accessed" selected, which gives the behavior described above.

Security Configuration Report
Security > Global security > Security Configuration Report (button in the Global security panel)


Audit Log Handling Options
Security > Security auditing > Audit service provider > provider_name


Audit log wrapping: specifies the wrapping behavior of the binary audit log when the maximum number
of binary audit log files is reached.
WRAP [overwrite oldest]
    If you select this option, when the maximum number of audit logs is reached, the oldest audit log
    is overwritten; no notification is sent to the auditor. This is the default option.
NOWRAP [stop server]
    This option does not overwrite the oldest audit log. It stops the audit service, writes a
    notification to SystemOut.log, and quiesces the application server.
SILENT_FAIL [stop logging]
    This option does not overwrite the oldest audit log. It also stops the audit service, but allows the
    WebSphere process to continue. Notifications are not posted to SystemOut.log.
Choose according to which is the worse outcome for you, losing audit records or losing availability:
WRAP and SILENT_FAIL both drop audit evidence without alerting anyone, whereas NOWRAP fails closed
but lets a full audit log take the server down.
References
IBM WebSphere Application Server 8.0 Network Deployment [beta installed]
IBM WebSphere Infocenter

About Author

Joseph Amrith Raj is a technical consultant for multiple WebSphere products. He has worked on various
product consulting and support teams including WebSphere Application Server, WebSphere MQ,
WebSphere Message Broker, Enterprise Service Bus and WebSphere Process Server. He has 7 years of
experience in administration, troubleshooting and consulting, and he has significant experience in
architecture, strategy and leadership positions. He is IBM certified for WAS, WMQ, WPS, SOA and Cloud
Computing.

Connect With Us

Get notified on upcoming tutorials
Subscribe to get WebSphere blog posts directly in your inbox: here

Tell us your feedback and what you want
Please leave your comments in the comments section below the post
Send us suggestions for future topics and improvements to the content at
webspherelibrary@live.com

Be Connected!
Connect with us on Facebook
Connect with us on Twitter
More about us: profile