What is new for security specialists

What is new for security specialists

This topic highlights what is new or changed in v6.x, and is aimed at those who are responsible for securing applications and the application serving environment.
The biggest improvement in security involves the set of supported specifications.

External JACC provider support
The Java Authorization Contract for Containers specification (JACC) version 1.0, introduced in WAS v6.x and defined by J2EE V1.4, defines a contract between J2EE containers and external authorization providers. Based on this specification, WAS enables you to plug in an external provider to make authorization decisions when you are accessing J2EE resources. When you use this feature, WAS supports Tivoli Access Manager as the default JACC provider.
For more information, see JACC providers.

Java 2 security manager
WebSphere Application Server v6.x provides you with greater control over the permissions granted to applications for manipulating non-system threads. We can permit applications to manipulate non-system threads using the was.policy file. However, these thread control permissions are disabled, by default.
For more information, see Configuring the was.policy file.

JCA 1.5 support
WebSphere Application Server v6.x supports the J2EE Connector Architecture (JCA) V1.5 specification, which provides new features such as the inbound resource adapter. For more information, see J2EE Connector Architecture resource adapters.
From a security perspective, WebSphere Application Server v6.x provides an enhanced custom principal and credential mapping programming interface and custom mapping properties at the resource reference level. The custom JAAS LoginModule, which was developed for JCA principal and credential mapping for WAS Version 5.x, continues to be supported.

SSL channel framework
The Secure Sockets Layer channel framework incorporates the new IBMJSSE2 implementation and separates the security function of Java Secure Sockets Extension (JSSE) from the network communication function.

Web authentication using the Java Authentication and Authorization Service programming model
WebSphere Application Server v6.x enables you to use the JAAS programming model to perform Web authentication in your application code. To use this function, create your own JAAS login configuration by cloning the WEB_INBOUND login configuration and define a cookie=true login option. After a successful login using your login configuration, the Web login session is tracked by single signon (SSO) token cookies. This option replaces the SSOAuthenticator interface, which was deprecated in WAS V4.
For more information, see Java Authentication and Authorization Service authorization.

Web services security
WebSphere Application Server v6.x increases the extensibility of Web services security by providing a pluggable architecture. The implementation in WAS includes many of the features described in the Organization for the Advancement of Structured Information Standards (OASIS) Web Services Security V1 standard. As part of this standard, WAS supports custom, pluggable tokens that are used for signing and encryption; pluggable signing and encryption algorithms; pluggable key locators for locating a key that is used for digital signature or encryption; signing or encrypting elements in a SOAP message; and specifying the order of the signing or encryption processes.

External JACC provider support	The Java Authorization Contract for Containers specification (JACC) version 1.0, introduced in WAS v6.x and defined by J2EE V1.4, defines a contract between J2EE containers and external authorization providers. Based on this specification, WAS enables you to plug in an external provider to make authorization decisions when you are accessing J2EE resources. When you use this feature, WAS supports Tivoli Access Manager as the default JACC provider. For more information, see JACC providers.

Java 2 security manager	WebSphere Application Server v6.x provides you with greater control over the permissions granted to applications for manipulating non-system threads. We can permit applications to manipulate non-system threads using the was.policy file. However, these thread control permissions are disabled, by default. For more information, see Configuring the was.policy file.

JCA 1.5 support	WebSphere Application Server v6.x supports the J2EE Connector Architecture (JCA) V1.5 specification, which provides new features such as the inbound resource adapter. For more information, see J2EE Connector Architecture resource adapters. From a security perspective, WebSphere Application Server v6.x provides an enhanced custom principal and credential mapping programming interface and custom mapping properties at the resource reference level. The custom JAAS LoginModule, which was developed for JCA principal and credential mapping for WAS Version 5.x, continues to be supported.

SSL channel framework	The Secure Sockets Layer channel framework incorporates the new IBMJSSE2 implementation and separates the security function of Java Secure Sockets Extension (JSSE) from the network communication function.

Web authentication using the Java Authentication and Authorization Service programming model	WebSphere Application Server v6.x enables you to use the JAAS programming model to perform Web authentication in your application code. To use this function, create your own JAAS login configuration by cloning the WEB_INBOUND login configuration and define a cookie=true login option. After a successful login using your login configuration, the Web login session is tracked by single signon (SSO) token cookies. This option replaces the SSOAuthenticator interface, which was deprecated in WAS V4. For more information, see Java Authentication and Authorization Service authorization.

Web services security	WebSphere Application Server v6.x increases the extensibility of Web services security by providing a pluggable architecture. The implementation in WAS includes many of the features described in the Organization for the Advancement of Structured Information Standards (OASIS) Web Services Security V1 standard. As part of this standard, WAS supports custom, pluggable tokens that are used for signing and encryption; pluggable signing and encryption algorithms; pluggable key locators for locating a key that is used for digital signature or encryption; signing or encrypting elements in a SOAP message; and specifying the order of the signing or encryption processes.