Task overview: Securing resources
WAS supports the Java EE model for creating, assembling, securing, and deploying applications. Applications are often created, assembled, and deployed in different phases and by different teams.
We can secure resources in a Java EE environment by following the required high-level steps. Consult the Java EE specifications for complete details.
- Set up and enable security.
You must address several issues prior to authenticating users, authorizing access to resources, securing applications, and securing communications. These security issues include migration, interoperability, and installation. After installing WAS, determine the proper level of security that is needed for the environment.
- Set multiple domains.
Security domains enable you to define multiple security configurations for use in the environment. For example, we can define different security (such as a different user registry) for user applications than for admin applications. We can also define separate security configurations for user applications deployed to different servers and clusters.
- Authenticate users.
The process of authenticating users involves a user registry and an authentication mechanism. Optionally, we can define trust between WAS and a proxy server, configure single sign-on capability, and specify how to propagate security attributes between appservers.
- Authorize access to resources.
WAS provides many different methods for authorizing accessing resources. For example, we can assign roles to users and configure a built-in or external authorization provider.
- Secure communications.
WAS provides several methods to secure communication between a server and a client.
- Develop extensions to the WebSphere security infrastructure.
WAS provides various plug points so that we can extend the security infrastructure.
- Use the Auditing Facility to track and archive auditable events.
- Secure various types of WebSphere applications.
- Tune, harden, and maintain security configurations.
After we have installed WAS, there are several considerations for tuning, strengthening, and maintaining the security configuration.
- Troubleshoot security configurations.
Set up, enabling and migrating security
Set multiple security domains
Authorizing access to resources
Develop extensions to the WebSphere security infrastructure
Tuning, hardening, and maintaining security configurations
Troubleshooting security configurations
Audit the security infrastructure