Session security (security integration)

Session security (security integration)

We can integrate HTTP sessions and security in WebSphere Application Server. When security integration is enabled in the session management facility, and a session is accessed in a protected resource, we can access that session only in protected resources from then on. Session security (security integration) is enabled by default.
We cannot mix secured and unsecured resources accessing sessions when security integration is turned on.
Only authenticated users can access sessions created in secured pages and created under the identity of the authenticated user. Only this authenticated user can access these sessions in other secured pages. To protect these sessions from unauthorized users, we cannot access them from an unsecured page.

Programmatic details and scenarios

WebSphere Application Server maintains the security of individual sessions.
An identity or user name, readable by the interface...
com.ibm.websphere.servlet.session.IBMSession

...is associated with a session. An unauthenticated identity is denoted by the user name anonymous. WebSphere Application Server includes the class...
com.ibm.websphere.servlet.session.UnauthorizedSessionRequestException

...which is used when a session is requested without the necessary credentials.
The session management facility uses the WAS security infrastructure to determine the authenticated identity associated with a client HTTP request that either retrieves or creates a session. WAS security determines identity using certificates, LTPA, and other methods.
After obtaining the identity of the current request, the session management facility determines whether to return the session by comparing the identity of the request with the identity of the session.

Type of session ID Unauthenticated HTTP request is used to retrieve a session HTTP request is authenticated, with an identity of "FRED"used to retrieve a session

No session ID was passed in for this request
The ID is for a session that is no longer valid A new session is created. User name is anonymous A new session is created. User name is FRED
A session ID for a valid session is passed in.
The current session user name is "anonymous" The session is returned. The session is returned. Session management changes the user name to FRED
A session ID for a valid session is passed in.
The current session user name is FRED The session is not returned.
An UnauthorizedSessionRequestException error is created The session is returned.
A session ID for a valid session is passed in.
The current session user name is BOB The session is not returned.
An UnauthorizedSessionRequestException error is created The session is not returned.
An UnauthorizedSessionRequestException error is created

Related concepts
Session management support
Task overview: Managing HTTP sessions

Type of session ID	Unauthenticated HTTP request is used to retrieve a session	HTTP request is authenticated, with an identity of "FRED"used to retrieve a session
No session ID was passed in for this request The ID is for a session that is no longer valid	A new session is created. User name is anonymous	A new session is created. User name is FRED
A session ID for a valid session is passed in. The current session user name is "anonymous"	The session is returned.	The session is returned. Session management changes the user name to FRED
A session ID for a valid session is passed in. The current session user name is FRED	The session is not returned. An UnauthorizedSessionRequestException error is created	The session is returned.
A session ID for a valid session is passed in. The current session user name is BOB	The session is not returned. An UnauthorizedSessionRequestException error is created	The session is not returned. An UnauthorizedSessionRequestException error is created