Web authentication settings
To specify the Web authentication settings associated with a Web client...
Security | Global security | Authentication | Web and SIP security | General settings.
To override the global Web authentication setting by specifying a system property on the server level...
Servers | Server Types | WebSphere application servers | myserver | Server infrastructure | Java and Process Management | Process definition | Additional properties | Java Virtual Machine | Custom properties | New
We can specify the following system properties on the server level for Web authentication.
Property name | Value | Explanation
com.ibm.wsspi.security.web.webAuthReq | lazy | Equivalent to the Authenticate only when the URI is protected option.
com.ibm.wsspi.security.web.webAuthReq | persisting | Equivalent to the Use available authentication data when an unprotected URI is accessed option.
com.ibm.wsspi.security.web.webAuthReq | always | Equivalent to the Authenticate when any URI is accessed option.
com.ibm.wsspi.security.web.failOverToBasicAuth | true | Equivalent to the Default to basic authentication when certificate authentication for the HTTPS client fails option.
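As an added example (not from this page or from IBM), the following wsadmin Jython script applies the server-level override in the table above through the AdminConfig API instead of the console path. The cell, node and server names are placeholders you must replace.

```jython
# Added example: set com.ibm.wsspi.security.web.webAuthReq as a JVM custom
# property on one application server via wsadmin (Jython). Cell/node/server
# names below are placeholders, not values from the documentation.
cellName   = 'myCell'      # placeholder
nodeName   = 'myNode'      # placeholder
serverName = 'myserver'    # placeholder

PROP_NAME  = 'com.ibm.wsspi.security.web.webAuthReq'
PROP_VALUE = 'persisting'  # one of: lazy | persisting | always

def jvmForServer(cell, node, server):
    # Resolve the server's configuration id, then its single JavaVirtualMachine
    serverId = AdminConfig.getid('/Cell:%s/Node:%s/Server:%s/' % (cell, node, server))
    if not serverId:
        raise Exception('server not found: %s/%s/%s' % (cell, node, server))
    return AdminConfig.list('JavaVirtualMachine', serverId).splitlines()[0]

def setSystemProperty(jvm, name, value):
    # Modify an existing custom property with the same name instead of
    # creating a duplicate entry; create it only when absent.
    for prop in AdminConfig.list('Property', jvm).splitlines():
        if AdminConfig.showAttribute(prop, 'name') == name:
            AdminConfig.modify(prop, [['value', value]])
            return 'modified'
    AdminConfig.create('Property', jvm,
                       [['name', name], ['value', value]], 'systemProperties')
    return 'created'

jvm = jvmForServer(cellName, nodeName, serverName)
print '%s: %s=%s' % (setSystemProperty(jvm, PROP_NAME, PROP_VALUE), PROP_NAME, PROP_VALUE)
AdminConfig.save()
# The new JVM system property takes effect only after the server is restarted.
```

Run it with `wsadmin -lang jython -f <script>`; in a Network Deployment cell, synchronize the node before restarting the server.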
- Authenticate only when the URI is protected
The appserver challenges the Web client to provide authentication data when the Web client accesses a URI that is protected by a J2EE role. The authenticated identity is available only when the Web client accesses a protected URI.
This option is the default J2EE Web authentication behavior that is also available in previous releases of WAS.
When you select this option, the admin console login page is missing images. We might encounter the following error in the admin console: "CWLAA6003: Could not display the portlet, the portlet may not be started. Check the error logs".
The missing images and the error message are a side-effect of this option. The images do not display because the URIs for the images now need authentication, which requires you to log in. You can ignore this error message.
- Use available authentication data when an unprotected URI is accessed
This option makes validated authentication data available to the Web client on URIs where it previously was not. It enables a servlet to call the getRemoteUser, isUserInRole, and getUserPrincipal methods to retrieve the authenticated identity from an unprotected URI.
When you select this option with the Authenticate only when the URI is protected option, the Web client can use authenticated data when the URI is protected or not protected.
This option does not challenge the Web client to provide authenticated data if the Web client accesses an unprotected URI without authenticated data.
- Authenticate when any URI is accessed
The Web client must provide authentication data regardless of whether the URI is protected.
- Default to basic authentication when certificate authentication for the HTTPS client fails
When the required HTTPS client certificate authentication fails, the appserver uses the basic authentication method to challenge the Web client to provide a user ID and password.
The HTTPS client certificate authentication that is performed by application server security is different from the client authentication that is performed by the Web server plug-in. If we configure the Web server plug-in for mutual authentication and client authentication fails, the following situations will occur:
- The Web server produces an error and the Web request is not processed by application server security.
- The appserver cannot fail over to basic authentication.
Develop with programmatic security APIs for Web apps
getRemoteUser and getAuthType methods
Global security settings