
Application Security 2.0

This feature enables support for securing the server runtime environment and applications; it includes a basic user registry. This feature supersedes appSecurity-1.0 and does not include servlet-3.0 or support for the LDAP user registry. To secure web applications, add the servlet-3.0 feature. To secure EJB applications, add the ejbLite-3.1 feature. To use LDAP, add the ldapRegistry-3.0 feature. When we add the appSecurity-2.0 feature to the server, we need to configure a user registry, such as the basic user registry or the LDAP user registry.


Enable this feature

To enable the Application Security 2.0 feature, add the following element declaration inside the featureManager element in the server.xml file:


Developing a feature that depends on this feature

If we are developing a feature that depends on the Application Security 2.0 feature, include the following item in the Subsystem-Content header in the feature manifest file for the new feature:


Features that this feature enables


Features that enable this feature


Feature configuration elements

We can use the following elements in the server.xml file to configure the Application Security 2.0 feature:

administrator-role

A collection of users and/or groups assigned the server administrator role.

administrator-role > group

Description: Group assigned a role.

Required: false

Data type: string

administrator-role > user

Description: User assigned a role.

Required: false

Data type: string

authCache

Controls the operation of the authentication cache.

Attribute name | Data type | Default value | Description
allowBasicAuthLookup | boolean | true | Allow lookup by user ID and hashed password.
initialSize | int (minimum: 1) | 50 | Initial number of entries supported by the authentication cache.
maxSize | int (minimum: 1) | 25000 | Maximum number of entries supported by the authentication cache.
timeout | A period of time with millisecond precision | 600s | Amount of time after which an entry in the cache will be removed. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

authentication

Controls the built-in authentication service configuration.

Attribute name | Data type | Default value | Description
allowHashtableLoginWithIdOnly | boolean | false | Allow an application to log in with just an identity in the hashtable properties. Use this option only when we have applications that require this and have other means to validate the identity.
cacheEnabled | boolean | true | Enables the authentication cache.

basicRegistry

A simple XML-based user registry.

Attribute name | Data type | Default value | Description
id | string | | A unique configuration ID.
ignoreCaseForAuthentication | boolean | false | Allow case-insensitive user name authentication.
realm | string | BasicRegistry | The realm name represents the user registry.

basicRegistry > group

Description: A group in a Basic User Registry.

Required: false

Data type:

Attribute name | Data type | Default value | Description
name | string | | Name of a group in a Basic User Registry.

basicRegistry > group > member

Description: A member of a Basic User Registry group.

Required: false

Data type:

Attribute name | Data type | Default value | Description
name | string | | Name of a user in a Basic User Registry group.

basicRegistry > user

Description: A user in a Basic User Registry.

Required: false

Data type:

Attribute name | Data type | Default value | Description
name | string | | Name of a user in a Basic User Registry.
password | One-way hashable or reversibly encoded password (string) | | Password of a user in a Basic User Registry. Stored in clear text or encoded form. It is recommended that you encode the password. To do so, use the securityUtility tool with the encode option.

classloading

Global classloading

Attribute name | Data type | Default value | Description
useJarUrls | boolean | false | Whether to use jar: or wsjar: URLs for referencing files in archives.

jaasLoginContextEntry

The JAAS login context entry configuration.

Attribute name | Data type | Default value | Description
id | string | | A unique configuration ID.
loginModuleRef | List of references to top level jaasLoginModule elements (comma-separated string). | hashtable,userNameAndPassword,certificate,token | A reference to the ID of a JAAS login module.
name | string | | Name of a JAAS configuration entry.

jaasLoginModule

A login module in the JAAS configuration.

Attribute name | Data type | Default value | Description
className | string | | Fully-qualified package name of the JAAS login module class.
controlFlag | SUFFICIENT, REQUISITE, REQUIRED, or OPTIONAL | REQUIRED | The login module's control flag. Valid values are REQUIRED, REQUISITE, SUFFICIENT, and OPTIONAL (see below).
id | string | | A unique configuration ID.
libraryRef | A reference to a top level library element (string). | | A reference to the ID of the shared library configuration.

controlFlag values:

  • SUFFICIENT: This LoginModule is SUFFICIENT as per the JAAS specification. The LoginModule is not required to succeed. If authentication is successful, no other LoginModules will be called and control is returned to the caller.

  • REQUISITE: This LoginModule is REQUISITE as per the JAAS specification. The LoginModule is required to succeed. If authentication fails, no other LoginModules will be called and control is returned to the caller.

  • REQUIRED: This LoginModule is REQUIRED as per the JAAS specification. The LoginModule is required to succeed.

  • OPTIONAL: This LoginModule is OPTIONAL as per the JAAS specification. The LoginModule is not required to succeed.

jaasLoginModule > library

Description: A reference to the ID of the shared library configuration.

Required: false

Data type:

Attribute name | Data type | Default value | Description
apiTypeVisibility | string | spec,ibm-api,api | The types of API package this library's class loader will be able to see, as a comma-separated list of any combination of the following: spec, ibm-api, api, third-party.
description | string | | Description of shared library for administrators.
filesetRef | List of references to top level fileset elements (comma-separated string). | | Id of referenced Fileset.
name | string | | Name of shared library for administrators.

jaasLoginModule > library > file

Description: Id of referenced File

Required: false

Data type:

Attribute name | Data type | Default value | Description
name | Path to a file | | Fully qualified filename.

jaasLoginModule > library > fileset

Description: Id of referenced Fileset

Required: false

Data type:

Attribute name | Data type | Default value | Description
caseSensitive | boolean | true | Boolean to indicate whether or not the search should be case sensitive (default: true).
dir | Path to a directory | ${server.config.dir} | The base directory to search for files.
excludes | string | | The comma or space separated list of file name patterns to exclude from the search results; by default no files are excluded.
includes | string | * | The comma or space separated list of file name patterns to include in the search results (default: *).
scanInterval | A period of time with millisecond precision | 0 | Scanning interval to check the fileset for changes, as a long with a time unit suffix h-hour, m-minute, s-second, ms-millisecond (e.g. 2ms or 5s). Disabled (scanInterval=0) by default. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

jaasLoginModule > library > folder

Description: Id of referenced folder

Required: false

Data type:

Attribute name | Data type | Default value | Description
dir | Path to a directory | | Directory or folder to be included in the library classpath for locating resource files.

jaasLoginModule > options

Description: A collection of JAAS Login module options

Required: false

Data type:

library

Shared Library

Attribute name | Data type | Default value | Description
apiTypeVisibility | string | spec,ibm-api,api | The types of API package this library's class loader will be able to see, as a comma-separated list of any combination of the following: spec, ibm-api, api, third-party.
description | string | | Description of shared library for administrators.
filesetRef | List of references to top level fileset elements (comma-separated string). | | Id of referenced Fileset.
id | string | | A unique configuration ID.
name | string | | Name of shared library for administrators.

library > file

Description: Id of referenced File

Required: false

Data type:

Attribute name | Data type | Default value | Description
name | Path to a file | | Fully qualified filename.

library > fileset

Description: Id of referenced Fileset

Required: false

Data type:

Attribute name | Data type | Default value | Description
caseSensitive | boolean | true | Boolean to indicate whether or not the search should be case sensitive (default: true).
dir | Path to a directory | ${server.config.dir} | The base directory to search for files.
excludes | string | | The comma or space separated list of file name patterns to exclude from the search results; by default no files are excluded.
includes | string | * | The comma or space separated list of file name patterns to include in the search results (default: *).
scanInterval | A period of time with millisecond precision | 0 | Scanning interval to check the fileset for changes, as a long with a time unit suffix h-hour, m-minute, s-second, ms-millisecond (e.g. 2ms or 5s). Disabled (scanInterval=0) by default. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

library > folder

Description: Id of referenced folder

Required: false

Data type:

Attribute name | Data type | Default value | Description
dir | Path to a directory | | Directory or folder to be included in the library classpath for locating resource files.

ltpa

Lightweight Third Party Authentication (LTPA) token configuration.

Attribute name | Data type | Default value | Description
expiration | A period of time with minute precision | 120m | Amount of time after which a token expires, in minutes. Specify a positive integer followed by a unit of time, which can be hours (h) or minutes (m). For example, specify 30 minutes as 30m. We can include multiple values in a single entry. For example, 1h30m is equivalent to 90 minutes.
keysFileName | Path to a file | ${server.output.dir}/resources/security/ltpa.keys | Path of the file containing the token keys.
keysPassword | Reversibly encoded password (string) | {xor}CDo9Hgw= | Password for the token keys. Stored in clear text or encoded form. It is recommended that you encode the password. To do so, use the securityUtility tool with the encode option.
monitorInterval | A period of time with millisecond precision | 0ms | Rate at which the server checks for updates to the LTPA token keys file. Specify a positive integer followed by a unit of time, which can be hours (h), minutes (m), seconds (s), or milliseconds (ms). For example, specify 500 milliseconds as 500ms. We can include multiple values in a single entry. For example, 1s500ms is equivalent to 1.5 seconds.

quickStartSecurity

Simple administrative security configuration.

Attribute name | Data type | Default value | Description
userName | string | | Single user defined as part of the quick start security configuration. This user is granted the Administrator role.
userPassword | Reversibly encoded password (string) | | Password for the single user defined as part of the quick start security configuration. It is recommended that you encode this password. To do so, use the securityUtility tool with the encode option.
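The following is an added example, not code from this page or from IBM: it embeds a constructed server.xml that uses the elements documented above (featureManager, basicRegistry, administrator-role, ltpa, authCache) and audits it for the weak settings this page warns about: appSecurity-2.0 without servlet-3.0, cleartext basicRegistry or quickStartSecurity passwords, and an ltpa keysPassword left at its documented default. The set of encoding prefixes written by securityUtility encode is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml (not from the page) using the elements documented above.
# The admin password uses a placeholder in place of real securityUtility output.
SERVER_XML = """<server>
  <featureManager>
    <feature>appSecurity-2.0</feature>
    <feature>servlet-3.0</feature>
  </featureManager>
  <basicRegistry id="basic" realm="BasicRegistry" ignoreCaseForAuthentication="false">
    <user name="admin" password="{xor}PLACEHOLDER_ENCODED_VALUE"/>
    <user name="bob" password="bobpass"/>
    <group name="admins"><member name="admin"/></group>
  </basicRegistry>
  <administrator-role><group>admins</group></administrator-role>
  <ltpa expiration="120m" keysPassword="{xor}CDo9Hgw="/>
  <authCache timeout="600s" maxSize="25000"/>
</server>"""

DEFAULT_LTPA_KEYS_PASSWORD = "{xor}CDo9Hgw="  # default documented for ltpa keysPassword
# Prefixes that securityUtility encode writes (assumption: xor, aes and hash encodings).
ENCODED_PREFIXES = ("{xor}", "{aes}", "{hash}")


def is_encoded(value):
    """True if the password value carries an encoding prefix rather than being cleartext."""
    return value.startswith(ENCODED_PREFIXES)


def audit_security_config(xml_text):
    """Return a list of findings for weak appSecurity-2.0 settings in a server.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    features = {(f.text or "").strip() for f in root.iter("feature")}
    if "appSecurity-2.0" not in features:
        findings.append("appSecurity-2.0 is not enabled in featureManager")
    elif "servlet-3.0" not in features:
        findings.append("servlet-3.0 is missing, so web applications are not secured")
    for registry in root.iter("basicRegistry"):
        for user in registry.findall("user"):  # basicRegistry > user entries
            if not is_encoded(user.get("password", "")):
                findings.append(f"basicRegistry user '{user.get('name')}' has a cleartext password")
    for qs in root.iter("quickStartSecurity"):
        if not is_encoded(qs.get("userPassword", "")):
            findings.append("quickStartSecurity userPassword is stored in cleartext")
    for ltpa in root.iter("ltpa"):
        if ltpa.get("keysPassword", DEFAULT_LTPA_KEYS_PASSWORD) == DEFAULT_LTPA_KEYS_PASSWORD:
            findings.append("ltpa keysPassword is the documented default; set your own encoded value")
    return findings


if __name__ == "__main__":
    for finding in audit_security_config(SERVER_XML):
        print("WARN:", finding)
```

Run against the constructed configuration it reports the cleartext password for user bob and the default keysPassword; an ltpa element with no keysPassword attribute is treated as using the default.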