WebSphere Security Overview

Internet and Web Applications

7 Aug 2012



Jonathan Yip


WebSphere Application Developer (WSAD)

It is built on Eclipse, an open source development tool.

J2EE 1.2

A platform that enables developers to create the different parts of their applications as reusable components.

Application Assembly Tool (AAT)

A utility that assists the J2EE application provider or deployer with generating J2EE-compliant deployment descriptors and binding attributes.

Security Architecture

J2EE 1.2-compliant Java application


Security Server

Security Collaborator

Security Policy

Security Information

Security Architecture (2)

Security server

Authentication, authorization and delegation policies

Security Collaborator

Web Collaborator

Performs authentication when the request has not yet been authenticated

Performs the authorization check

Logs security tracing information

EJB (Enterprise JavaBeans) Collaborator

Checks authorization

Supports user registries

Logs security tracing information

Security Architecture (3)

Security Policies

Attributes recorded:

Role and method permissions

Run-as mode or delegation policy (the identity under which downstream calls are made)

Login configuration or challenge type

Data protection (confidentiality and integrity) settings

Security Information

Global security (applies to all applications)

Application security (can be specified per application)

Security Architecture (4)


Overview of the Security Architecture:

WebSphere Security

How to Secure an Application

The WebSphere Authentication Model

User Registry

Security Center

Securing Application

Application Assembly Tool (AAT)

Create an Application

Create an EJB Module

Create a Web Module

Create an Application Client

Securing Application (2)

1.) Define Business Roles

2.) Create Security Constraints for Web Resources

3.) Define the Web Component Authentication for the Web Module

4.) Define Security Constraints and Assign them to Roles

5.) Configure Delegation Role Policy

6.) Relate Roles to Users

Table showing some roles and their descriptions
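The six steps above, carried through as one pair of J2EE 1.2 deployment descriptors (web.xml at Servlet 2.2, ejb-jar.xml at EJB 1.1). This is an added example, not from the deck and not IBM's code: the application name, the roles "manager" and "employee", the URL patterns, the bean, method and page names are all assumptions. Steps 5 and 6 (the delegation policy and the mapping of roles to users or groups from the registry) are not expressed in these standard descriptors; in this release they are set in the AAT and stored in WebSphere-specific binding and extension files, which are not shown.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- file: WEB-INF/web.xml (Servlet 2.2, as used by J2EE 1.2); added example -->
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
  "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>
  <display-name>payroll</display-name>

  <!-- Steps 2 and 4: constrain web resources and assign the constraints to roles.
       No http-method is listed, so the constraint covers every method. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Payroll administration</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
    <!-- data protection setting: the container moves the client to SSL before serving -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Employee self-service</web-resource-name>
      <url-pattern>/self/*</url-pattern>
      <url-pattern>/account</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>employee</role-name>
      <role-name>manager</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Step 3: the web module's authentication (challenge type). A FORM login page
       posts j_username and j_password to j_security_check; the form itself is plain
       HTML, so the CONFIDENTIAL constraints above are what keep the password
       from crossing the wire in clear text. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Payroll</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Step 1: the business roles this module uses -->
  <security-role>
    <description>May view and change any employee's payroll data</description>
    <role-name>manager</role-name>
  </security-role>
  <security-role>
    <description>May view own payroll data only</description>
    <role-name>employee</role-name>
  </security-role>
</web-app>

<?xml version="1.0" encoding="UTF-8"?>
<!-- file: META-INF/ejb-jar.xml (EJB 1.1) for the same application; added example -->
<!DOCTYPE ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 1.1//EN"
  "http://java.sun.com/j2ee/dtds/ejb-jar_1_1.dtd">
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>Payroll</ejb-name>
      <home>com.example.payroll.PayrollHome</home>
      <remote>com.example.payroll.Payroll</remote>
      <ejb-class>com.example.payroll.PayrollBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>manager</role-name></security-role>
    <security-role><role-name>employee</role-name></security-role>
    <!-- Step 4 for the EJB module: method permissions per role. A method that appears
         in no method-permission is not protected by this descriptor, so list every
         exposed method (the "*" entry below covers the rest for managers). -->
    <method-permission>
      <role-name>employee</role-name>
      <role-name>manager</role-name>
      <method>
        <ejb-name>Payroll</ejb-name>
        <method-name>getOwnPayslip</method-name>
      </method>
    </method-permission>
    <method-permission>
      <role-name>manager</role-name>
      <method>
        <ejb-name>Payroll</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
```

Both descriptors are what the AAT generates from the dialogs behind steps 1 to 4; reviewing them directly is the quickest way to confirm that every sensitive URL pattern has an auth-constraint and a CONFIDENTIAL transport guarantee, and that no EJB method has been left without a method-permission.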


Authentication Model

HTTP Basic authentication

Acquires the password from the user and validates it; not secure on its own, since the credentials travel base64-encoded rather than encrypted.

HTTPS Client Certificate authentication

Requires a public key certificate; HTTPS is used to transmit it.

Form-based authentication

Permits a site-specific login through an HTML page or a JSP form.

The password is not encrypted and the target server is not authenticated, so SSL should be added.

User Registry

A repository that contains users and groups.

The administrator can have users or groups authenticated against the local operating system user registry.

Security Center

The part of the Administrator's Console (AC) that focuses on security configuration.

WebSphere Security

WebSphere security relies on and enhances all of the above security levels.

Other Security Features of WebSphere

Encoded Passwords

WebSphere stores encoded passwords for:

Accessing the administration repository

The administrative ID used to access the Administrator's Console

Accessing key stores and trust stores

Encoding is reversible: it keeps a password from being read at a glance, but anyone with read access to the configuration files can recover it, so file permissions on those files still matter.

Security interoperability with z/OS

Allows application servers on the UNIX or NT side to authenticate to the application server on the z/OS side and communicate securely.

Programmatic Security

Used to secure artifacts and resources beyond checking the role of an authenticated user.

Implemented by creating a generic login page; once the user logs in, FormLoginServlet authenticates the user and places an SSO (single sign-on) token in a cookie.

Typical uses:

Limiting the number of invalid password attempts

Checking that the user's subscription has not expired

Logging information about a user's visit
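The three uses listed above, together with the programmatic side of the authentication model (getAuthType, getRemoteUser, isUserInRole), as an added Java example. It is not code from the deck, from IBM or from WebSphere: LoginAttemptTracker, UserRegistry, SubscriptionRegistry, the servlet names, the role name "subscriber" and the sample user are assumptions; only the javax.servlet 2.2 API is real.

```java
// --- LoginServlet.java (added example; helper classes are hypothetical stand-ins) ---
import java.io.IOException;
import java.util.Date;
import java.util.Hashtable;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Counts failed logins per user and locks the account for a window after too many. */
class LoginAttemptTracker {
    static final int MAX_FAILURES = 5;
    static final long LOCKOUT_MILLIS = 15L * 60 * 1000;     // 15 minutes
    private final Hashtable failures = new Hashtable();     // user -> Integer count
    private final Hashtable lockedUntil = new Hashtable();  // user -> Long (epoch millis)

    synchronized boolean isLocked(String user) {
        Long until = (Long) lockedUntil.get(user);
        if (until == null) return false;
        if (System.currentTimeMillis() < until.longValue()) return true;
        lockedUntil.remove(user); failures.remove(user);    // window expired: start afresh
        return false;
    }

    synchronized void recordFailure(String user) {
        Integer n = (Integer) failures.get(user);
        int count = (n == null) ? 1 : n.intValue() + 1;
        failures.put(user, new Integer(count));
        if (count >= MAX_FAILURES)
            lockedUntil.put(user, new Long(System.currentTimeMillis() + LOCKOUT_MILLIS));
    }

    synchronized void recordSuccess(String user) { failures.remove(user); lockedUntil.remove(user); }
}

/** Hypothetical registry with one constructed user; a real one consults the configured registry. */
class UserRegistry {
    boolean validate(String user, String password) {
        return "alice".equals(user) && "s3cret".equals(password);
    }
}

/** Hypothetical subscription store; the constructed user's subscription runs one more day. */
class SubscriptionRegistry {
    Date expiryFor(String user) {
        return "alice".equals(user) ? new Date(System.currentTimeMillis() + 86400000L) : null;
    }
}

/** Handles the generic login page: the lockout is applied before any password is checked. */
public class LoginServlet extends HttpServlet {
    private static final LoginAttemptTracker tracker = new LoginAttemptTracker();
    private final UserRegistry registry = new UserRegistry();

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String password = req.getParameter("password");
        if (user == null || password == null) { resp.sendError(HttpServletResponse.SC_BAD_REQUEST); return; }
        boolean locked = tracker.isLocked(user);
        // Short-circuit: a locked account never reaches the registry, so guessing stops working.
        if (locked || !registry.validate(user, password)) {
            if (!locked) tracker.recordFailure(user);
            getServletContext().log("login failure user=" + user + " ip=" + req.getRemoteAddr());
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED); // same answer for locked and wrong
            return;
        }
        tracker.recordSuccess(user);
        getServletContext().log("login success user=" + user + " ip=" + req.getRemoteAddr());
        // In the deck's design the request is now handed to FormLoginServlet, which
        // authenticates and sets the SSO token cookie; that WebSphere hand-off is not shown.
        resp.sendRedirect(req.getContextPath() + "/account");
    }
}

// --- AccountServlet.java (same package) ---
/** Protected resource: the container has already enforced the role; these checks go further. */
public class AccountServlet extends HttpServlet {
    private final SubscriptionRegistry subscriptions = new SubscriptionRegistry();

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getRemoteUser();                  // set by basic, certificate or form login
        if (user == null || !req.isUserInRole("subscriber")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN); // fail closed
            return;
        }
        Date expiry = subscriptions.expiryFor(user);
        if (expiry == null || expiry.before(new Date())) {
            getServletContext().log("expired subscription user=" + user + " ip=" + req.getRemoteAddr());
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        getServletContext().log("visit user=" + user + " auth=" + req.getAuthType()
                + " ip=" + req.getRemoteAddr() + " uri=" + req.getRequestURI());
        resp.setContentType("text/plain");
        resp.getWriter().println("Welcome, " + user);
    }
}
```

Map /account behind a security-constraint so the container performs the role check before doGet runs; the servlet then adds only the checks the container cannot make. Locking on the user name alone lets an attacker lock a legitimate user out by guessing badly on purpose, so a deployment should also rate-limit by source address or use a growing delay instead of a hard lock, and the in-memory Hashtable state is per server, so a clustered deployment needs a shared store.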

