Global security and server security
The term global security refers to the security configuration that is effective for the entire security domain, where a security domain consists of all servers configured with the same user registry realm name.
The realm can be the machine name of an LDAP user registry, which, because it is a distributed user registry, allows for a multiple node configuration in a Network Deployment environment.
The basic requirement for a security domain is that the access ID returned by the registry from one server within the security domain is the same access ID that is returned from the registry on any other server within the same security domain. The access ID is the unique identitification of a user and is used during authorization to determine if access is permitted to the resource.
Configuration of global security for a security domain consists of configuring the common user registry, the authentication mechanism, and other security information that defines the behavior of a security domain. Other configurable security attributes include:
- Java 2 Security Manager
- Java Authentication and Authorization Service
- Java 2 Connector authentication data entries
- CSIv2 and (SAS) authentication protocol (RMI/IIOP security)
The global security configuration generally applies to every server within the security domain. One can override some portions of the configuration at the server level.
In a Network Deployment environment, where multiple nodes and multiple servers within a node are possible, you can configure certain attributes at a server level. The attributes that are configurable at a server level include:
- Security enablement for the server
- Java 2 Security Manager enablement
- CSIv2/SAS authentication protocol (RMI/IIOP security).
One can disable security on individual appservers while global security is enabled, however, you cannot enable security on an individual application server while global security is disabled.
While appserver security is disabled for user requests, administrative and naming security is still enabled for that application server so that the administrative and naming infrastructure remains secure. If cell security is enabled, but security for individual server (or servers) is disabled, J2EE applications are not authenticated or authorized. However, naming and administrative security is still enforced. Consequently, because Naming Services can be called from user applications you will need to grant "Everyone" access to the Naming functions required so they will accept unauthenticated requests. User code does not directly access administrative security except through the supported scripting tools.