WebSphere Application Server Security
Overview
There are many security topologies. A typical corporate enterprise topology would include LDAP for the user registry, JAAS for authentication and authorization, with role-based access control, using security policies found in a deployment descriptor.
Behind the scenes, after a successful authentication and authorization, LTPA generates a security token for authenticated users, which propagates to other servers in a distributed environment. LTPA supports setting up a trust association relationship with reverse secure proxy servers such as SiteMinder.
It is possible to use SWAM instead of LTPA in a distributed environment if identity assertion (part of the CSIv2 security protocol) is enabled.
For mapping authenticated user credentials to third-party EIS password credentials, WAS supports J2EE Connector architecture resource adapters and provides a default J2C principal and credential mapping module.
Web security
Web containers challenge Web clients for authentication data based on the specified authentication method.
WAS supports the following login methods:
Mapping a client certificate to a product security credential uses the UserRegistry implementation to perform the mapping. The LDAP UserRegistry supports the mapping function while LocalOS UserRegistry does not.
When the LTPA authentication mechanism is configured and single signon is enabled, an authenticated client is issued a security cookie, which can represent the user within the specified security domain. It is recommended that you use SSL to protect the security cookie from being intercepted and replayed. When a trust association is configured, the product can map an authenticated user identity to security credentials based on the trust relationship established with the secure reverse proxy server.
An access manager makes authorization decisions based on the security policy derived from the deployment descriptor. An authenticated user principal can access the requested Servlet or JSP file if it has one of the required security roles.
Servlets and JSP files can use the HttpServletRequest methods: isUserInRole and getUserPrincipal.
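The following servlet is an added example (not code from the IBM documentation) of the two HttpServletRequest methods just named. It assumes that web.xml places a security-constraint on the servlet's URL and declares a security-role-ref binding the coded role name "manager" to a deployed security role; both names are assumptions.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumed deployment: web.xml has a security-constraint covering this servlet's URL and a
// security-role-ref that maps the coded name "manager" to a deployed security role.
public class ReportServlet extends HttpServlet {

    // True only when the container authenticated the caller AND the caller holds the role.
    static boolean mayViewReport(HttpServletRequest req) {
        Principal p = req.getUserPrincipal();
        // null means no security-constraint forced authentication for this URL;
        // treat that as a deployment error, never as an anonymous grant.
        if (p == null) {
            return false;
        }
        // "manager" is the name as coded; the deployment descriptor binds it to the real
        // role, and the role to users or groups in the user registry at deployment time.
        return req.isUserInRole("manager");
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!mayViewReport(req)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Report for " + req.getUserPrincipal().getName());
    }
}
```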
EJB security
EJB security uses role-based access control, using security policies found in a deployment descriptor. Users and groups can be assigned to roles during application deployment.
A Java client can use a programmatic login such as the JAAS login (LoginContext).
For coding, use the EJBContext methods isCallerInRole and getCallerPrincipal, and WSSubject methods doAs and doAsPrivileged.
The code in the doAs and doAsPrivileged PrivilegedAction block executes under the Subject identity. Otherwise, the EJB method executes under either the RunAs identity or the caller identity, depending on the RunAs configuration.
When security is enabled, the EJB container enforces access control on EJB method invocation. The authentication takes place regardless of whether a method permission is defined for the specific EJB method.
Java application clients can provide authentication data using the sas.client.props file, user ID and passwords, or SSL client certificates.
The client certificate is stored in the key file or in the hardware cryptographic card.
The user ID and password can optionally be defined in the sas.client.props file. At run time, the Java client can either perform a programmatic login or perform a lazy authentication. Depending on the configuration setting in the sas.client.props file, the security runtime either looks up the authentication data from this file or prompts the user.
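The following is an added example (not code from the IBM documentation) tying together the client-side programmatic login, the WSSubject.doAs block, and the EJBContext checks described above. It assumes the WebSphere-supplied JAAS alias "WSLogin" and callback handler WSCallbackHandlerImpl, an assumed business interface Payroll, and an assumed role name "payroll-admin".

```java
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl;

// Assumed business interface shared by the remote interface and the bean.
interface Payroll { String salaryOf(String employeeId); }

public class PayrollClient {

    // Programmatic JAAS login. "WSLogin" is the login configuration alias WebSphere supplies
    // for clients; the callback handler hands the user ID and password to the login module,
    // so nothing is read from (or prompted for via) sas.client.props.
    static Subject login(String userId, String password) throws LoginException {
        LoginContext lc = new LoginContext("WSLogin", new WSCallbackHandlerImpl(userId, password));
        lc.login();              // throws LoginException if the registry rejects the credentials
        return lc.getSubject();  // authenticated Subject carrying the LTPA credential
    }

    // Everything inside run() executes under the authenticated Subject. Outside the doAs
    // block the EJB would see the caller identity or the configured RunAs identity instead.
    static String salaryAs(Subject subject, final Payroll payroll, final String employeeId) {
        return (String) WSSubject.doAs(subject, new PrivilegedAction<String>() {
            public String run() { return payroll.salaryOf(employeeId); }
        });
    }
}

// Bean side. The container has already enforced the method permissions declared in the
// deployment descriptor; this check adds an instance-level rule the descriptor cannot express.
class PayrollBean implements javax.ejb.SessionBean, Payroll {
    private javax.ejb.SessionContext ctx;

    public String salaryOf(String employeeId) {
        String caller = ctx.getCallerPrincipal().getName();
        if (!ctx.isCallerInRole("payroll-admin") && !caller.equals(employeeId)) {
            throw new javax.ejb.EJBException(caller + " may not view " + employeeId);
        }
        return lookupSalary(employeeId);   // assumed data-access helper
    }

    private String lookupSalary(String id) { return "<salary for " + id + ">"; }
    public void setSessionContext(javax.ejb.SessionContext c) { ctx = c; }
    public void ejbCreate() {}
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}
}
```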
Federal Information Processing Standards-approved
Federal Information Processing Standards (FIPS) are standards and guidelines issued by the National Institute of Standards and Technology (NIST) for federal computer systems.
WAS integrates custom cryptographic modules for Java Secure Socket Extension and Java Cryptography Extension, named IBMJSSEFIPS and IBMJCEFIPS respectively.
The IBMJSSEFIPS module supports the FIPS-approved TLS cipher suites including...
The IBMJSSEFIPS module supports the following algorithms...
- RSA public key algorithm
- ANSI X9.31
- IBM Random Number Generator
The IBMJCEFIPS module supports the following symmetric cipher suites...
- AES (FIPS 197)
- DES and TripleDES (FIPS 46-3)
- SHA1 Message Digest algorithm (FIPS 180-1)
The IBMJCEFIPS module supports the following algorithms...
- Digital Signature DSA and RSA algorithms (FIPS 186-2)
- ANSI X9.31 (FIPS 186-2)
- IBM Random Number Generator
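The following is an added check (not code from the IBM documentation) that confirms the algorithms listed above are actually served by the IBMJCEFIPS module rather than silently falling back to the default JCE provider. It assumes the IBMJCEFIPS provider has been registered in java.security (or via Security.addProvider) on the JVM running it.

```java
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import javax.crypto.Cipher;

// Verifies that the FIPS module is installed and that each algorithm the application
// relies on resolves to it when requested from that provider explicitly.
public class FipsProviderCheck {

    static final String FIPS_PROVIDER = "IBMJCEFIPS";

    // Name of the provider that serves this cipher transformation from the FIPS module;
    // throws if the module is absent or does not implement the transformation.
    static String cipherProvider(String transformation) throws GeneralSecurityException {
        return Cipher.getInstance(transformation, FIPS_PROVIDER).getProvider().getName();
    }

    static String signatureProvider(String algorithm) throws GeneralSecurityException {
        return Signature.getInstance(algorithm, FIPS_PROVIDER).getProvider().getName();
    }

    // Overall check: the provider is registered, and every required service resolves to it.
    static boolean fipsReady() {
        Provider p = Security.getProvider(FIPS_PROVIDER);
        if (p == null) {
            System.err.println(FIPS_PROVIDER + " is not registered in java.security");
            return false;
        }
        try {
            // AES (FIPS 197), TripleDES (FIPS 46-3) and RSA/DSA signatures over SHA-1
            // (FIPS 186-2): the algorithms the IBMJCEFIPS module is documented to provide.
            return FIPS_PROVIDER.equals(cipherProvider("AES/CBC/PKCS5Padding"))
                && FIPS_PROVIDER.equals(cipherProvider("DESede/CBC/PKCS5Padding"))
                && FIPS_PROVIDER.equals(signatureProvider("SHA1withRSA"))
                && FIPS_PROVIDER.equals(signatureProvider("SHA1withDSA"));
        } catch (GeneralSecurityException e) {
            System.err.println("FIPS module cannot serve a required algorithm: " + e);
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("FIPS ready: " + fipsReady());
    }
}
```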
See Also
J2EE specification Version 1.3.1
Java Authentication and Authorization Service (JAAS)
Java 2 security
Java Secure Socket Extension (JSSE)
Java Cryptographic Extension (JCE)
Common Secure Interoperability Version 2 (CSIv2)
J2EE Connector architecture (JCA)
AccessControlException
Authentication mechanisms
Authentication protocol for EJB security
CSIv2 features
Delegations
Enterprise bean component security
Global security
Java Authentication and Authorization Service
Java 2 Connector security
LDAP
Local operating system user registries
SWAM and LTPA authentication mechanisms
Programmatic login
User registries
Java 2 security policy files
Trust Associations
Configuring Federal Information Processing Standard Java Secure Socket Extension files
Single signon
Java 2 security
Cryptographic Module Validation Program FIPS 140-1 and FIPS 140-2 Pre-validation List