The document provides an overview of security in WebSphere Application Server v8. It discusses the security architecture including web security, EJB security, Java 2 security, and web services security. It also outlines some new security features in WAS v8 such as support for the JASPI specification, servlet 3.0 security updates, and enhancements to out-of-the-box security settings including HTTPOnly session security and security configuration reporting.
The document provides an overview of security in WebSphere Application Server v8. It discusses the security architecture including web security, EJB security, Java 2 security, and web services security. It also outlines some new security features in WAS v8 such as support for the JASPI specification, servlet 3.0 security updates, and enhancements to out-of-the-box security settings including HTTPOnly session security and security configuration reporting.
The document provides an overview of security in WebSphere Application Server v8. It discusses the security architecture including web security, EJB security, Java 2 security, and web services security. It also outlines some new security features in WAS v8 such as support for the JASPI specification, servlet 3.0 security updates, and enhancements to out-of-the-box security settings including HTTPOnly session security and security configuration reporting.
Table of Contents Introduction .................................................................................................................................................. 4 Overview of Security in WAS ........................................................................................................................ 4 Web Security ............................................................................................................................................. 5 Web and EJB Container security for J2EE resources. ................................................................................ 6 EJB Security ............................................................................................................................................... 6 Java 2 Security ........................................................................................................................................... 6 Web Services Security ............................................................................................................................... 7 Whats new in WebSphere Application Server v8 Security .......................................................................... 8 Out of the box security enhancements .................................................................................................... 11 CSI v2 communications ........................................................................................................................... 11 HTTPOnly for web security Single Sign-on ............................................................................................. 11 HTTPOnly for session security ................................................................................................................. 12 Session Management security integration ............................................................................................. 12 Web authentication behavior ................................................................................................................. 13 Security Configuration Report .................................................................................................................... 14 Audit Log Handling Options ........................................................................................................................ 15 References .................................................................................................................................................. 16 About Author .............................................................................................................................................. 17 Connect With US ......................................................................................................................................... 18
Security 4
Josephs WebSphere Library
Introduction This section gives you an overview of the security in the websphere application server. WebSphere Application Server [from here on referred as WAS] is a J2EE based application server. Security in WAS is based on the standard and open architecture. It provides security infrastructure to protect the J2EE resources. Also, provides the security requirements of Authentication Resources Access control Data Integrity Confidentiality Privacy Secure Interoperability Overview of Security in WAS
Security in WAS is built on top of the security from the Operating System, Security from Java Technology followed by WebSphere Application Server security. [as shown in the above diagram] Security 5
Josephs WebSphere Library
Image taken from IBM Infocenter The above diagram shows the open architecture paradigm of the WAS. WAS supports Simple WebSphere Authentication Mechanism [SWAM], Lightweight Third Party Authentication [LTPA] and Kerberos as the authentication mechanisms. WAS Supports unix, windows and IBM I local OS, LDAP, file based and JDBC based user registry implementations. Also you can use the combination of these Authentication mechanisms and user registries. The security technologies implemented includes: Java 2 security model, Common Security Interoperability v2 (CSIv2), Java Authentication and Authorization Service (JASS) and Java 2 Connector architecture (JCA). Trust association enables you to integrate third-party security servers with IBM WebSphere Application Server security like Access Managers, WebSEAL, and Caching proxy. Security attribute propagation enables WebSphere Application Server to transport security attributes from one server to another in your configuration. The interoperability mode option enables Single Sign-on (SSO) connections between WebSphere Application Server v6.1.x or later to interoperate with previous versions of the application server. Web Security When a security policy is specified for a web resource and IBM WebSphere Application Server security is enforced, the web container performs access control when the resource is requested by a web client. WebSphere Application Server supports the following login methods: HTTP basic authentication HTTPS client authentication Form-based Login Security 6
Josephs WebSphere Library
Simple and Protected GSS-API Negotiation (SPNEGO) token Web and EJB Container security for J2EE resources. Web & EJB container provides two kinds of security declarative security for which security policies can be conveyed using XML entries in Deployment Descriptor/using annotations. Programmatic security way in which EJB code will have calls to the security API. EJB Security WebSphere supports EJB 3.0 API [from v7 onwards], which enables the use of the concept of annotations for conveying security configuration information. When security is enabled, EJB container enforces access control on EJB method invocation. A Java application client can provide the authentication data in several ways. Using the sas.client.props file, a Java client can specify whether to use a user ID and password to authenticate or to use an SSL client certificate to authenticate. At run time, the Java client can either perform a programmatic login or perform a lazy authentication. In lazy authentication when the Java client is accessing a protected enterprise bean for the first time, the security run time tries to obtain the required authentication data. Depending on the configuration setting in sas.client.props file the security runtime either looks up the authentication data from this file or prompts the user. A Java client can also use programmatic login. WebSphere Application Server supports the JAAS programming model and the JAAS login (LoginContext) is the recommended way of programmatic login. Java 2 Security WebSphere Application Server supports the Java 2 security model. System codes such as the administrative subsystem, the web container, and the EJB container, are running in the WebSphere Application Server security domain, which in the present implementation are granted with AllPermission and can access all system resources. Application code running in the application security domain, which by default is granted with permissions according to J2EE specifications, can access only a restricted set of system resources. WAS run-time classes are protected by the WebSphere Application Server class loader and are kept invisible to application code. Security 7
Josephs WebSphere Library
Web Services Security WebSphere Application Server enables you to secure web services based upon the Organization for the Advancement of Structured Information Standards (OASIS) Web Services Security Version 1.1 specification.
Security 8
Josephs WebSphere Library
Whats new in WebSphere Application Server v8 Security There are new customizable options available when specifying the default audit log wrapping behavior. WAS v8 supports the JSR 196: Java Authentication SPI for Containers (JASPI, or sometimes called JASPIC) specification, which enables third-party security providers to handle the Java Platform, Enterprise Edition (Java EE) authentication of HTTP request and response messages destined for web applications WAS v8 supports all security updates as defined in the Java Servlet 3.0 specification (JSR-315), including the new servlet security annotations, use of new programmatic security APIs and the dynamic updating of the servlet security configuration. In WAS v8, you can configure a unique instance of a federated repository at the domain level in a multiple security domain environment. The security configuration report now includes information about session security, web Attributes, and the HttpOnly setting to enable you to get a more complete view of your server security settings. When you install WAS, it comes with some default security settings which are known as out of box security. There were some enhancements/changes made to these out of the box settings Common Security Interoperability Version 2 [CSIv2] connections now require SSL. inbound and outbound connections to WebSphere Application Server are set to require SSL to provide stronger transport level security New HttpOnly settings on LTPA and session cookies guard against cross-site scripting attacks. When HttpOnly settings are enabled, cross-site scripting attacks are mitigated by permitting only HTTP elements in cookies. Session security is enabled to restrict access to the user who created the session. When a session is created for a user, only that user can access the session. Web authentication is set to make login information available to unprotected resources. This enables those resources to access information in a secure session without failing and can also be used to determine the login under which unprotected resources were accessed.
Ive highlighted the changes in the next two screenshots In Global security panel Security 9
Josephs WebSphere Library
In Server container settings
Security auditing service provider Security 10
Josephs WebSphere Library
Security 11
Josephs WebSphere Library
Out of the box security enhancements CSI v2 communications Go to Security Gloabal security RMI/IIOP security CSIv2 inbound/outbound
HTTPOnly for web security Single Sign-on
Security 12
Josephs WebSphere Library
HTTPOnly for session security Servers WebSphere Application Security Server_name Session Management Enable Cookies
Security Configuration Report Security global security -> security configuration report
Security 15
Josephs WebSphere Library
Audit Log Handling Options Security Security auditing Audit Service provider name
Audit log wrapping: Specifies the wrapping behavior of the binary audit log when the maximum number of binary audit log files is reached. WRAP [overwrite oldest] o If you select this option, when the maximum audit logs are reached, the oldest audit log is rewritten; notification is not sent to the auditor. This is the default option. NOWRAP [stop server] o This option does not rewrite over the oldest audit log. It stops the audit service, sends a notification to the SystemOut.log, and quiesces the application server. SILENT_FAIL [stop logging] This option does not rewrite over the oldest audit log. It also stops the audit service, but does allow the WebSphere process to continue. Notifications are not posted in the SystemOut.log. Security 16
Josephs WebSphere Library
References IBM WebSphere Application Server 8.0 Network Deployment [beta installed] IBM websphere Infocenter
Security 17
Josephs WebSphere Library
About Author
Joseph Amrith Raj is a technical consultant for multiple WebSphere products. He worked on various product consulting and support teams including WebSphere Application Server, WebSphere MQ, WebSphere Message Broker, Enterprise Service Bus and WebSphere Process Server. He has 7 years of experience in administration, troubleshooting, consulting and he has significant experience in architecture, strategy and leadership positions. He is IBM certified for WAS, WMQ, WPS , SOA and Cloud Computing.
Security 18
Josephs WebSphere Library
Connect With US
Get notified on upcoming tutorials Subscribe, to get this WebSphere blog posts directly to your inbox : here
Tell us your feedback and what you want Please leave your comments in the comments section below the post Send us suggestions for future topics and improvements about the content at webspherelibrary@live.com
Be Connected! Connect with us on Facebook Connect with us on Twitter More about us : profile