HTTP session security support
If security integration is enabled, then once a session has been created by an authenticated user, secured and unsecured resources can no longer be mixed from that point on. A session created on a secured page can only be accessed by an authenticated user acting under the identity of the user who created it; such a session cannot be accessed from an unsecured page. WebSphere Application Server (WAS) maintains the security of each individual session.
Application Server > appserver > Session management
- An identity or user name, readable through the interface com.ibm.websphere.servlet.session.IBMSession, is associated with each session. Unauthenticated identities are denoted by the user name anonymous.
- The class com.ibm.websphere.servlet.session.UnauthorizedSessionRequestException is used when a session is requested without the necessary credentials.
- The session management facility determines the authenticated identity associated with a client HTTP request. Identity can be asserted using certificates, LTPA, and other methods.
- The facility compares the identity of the request with the identity of the session.
Scenarios

The following table shows what session management does for each combination of the session ID presented and the identity of the request. In the examples, staff01 is the authenticated user making the request and staff02 is a different authenticated user.

| Session ID type | Unauthenticated user retrieves session | Authenticated user (staff01) retrieves session |
|---|---|---|
| No session ID is passed in | New session is created. User name is anonymous. | New session is created. User name is staff01. |
| Session ID is passed in. User name is "anonymous" | Session is returned. | Session is returned. Session management changes user name to staff01. |
| Session ID is passed in. User name is staff01 | UnauthorizedSessionRequestException error is thrown (1) | The session is returned. |
| Session ID is passed in. User name is staff02 | UnauthorizedSessionRequestException error is thrown (1) | UnauthorizedSessionRequestException error is thrown (1) |

(1) A com.ibm.websphere.servlet.session.UnauthorizedSessionRequestException error is thrown to the servlet.
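The following servlet is an added example, not code from the WebSphere documentation or from IBM. It shows how an application retrieves a session under security integration and handles the identity check described in the table: the container throws UnauthorizedSessionRequestException when the request identity does not match the session owner, and IBMSession.getUser() exposes the owner name (anonymous for unauthenticated sessions). The servlet class name, the log wording and the additional application-level owner comparison are this example's own; it assumes the standard javax.servlet API plus the two WebSphere classes named on this page.

```java
import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import com.ibm.websphere.servlet.session.IBMSession;
import com.ibm.websphere.servlet.session.UnauthorizedSessionRequestException;

// Hypothetical servlet name; deploy under any secured URL pattern.
public class SessionOwnerCheckServlet extends HttpServlet {
    private static final Logger LOG =
            Logger.getLogger(SessionOwnerCheckServlet.class.getName());

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session;
        try {
            // With security integration on, session management compares the
            // request's authenticated identity with the session's owner here.
            // The exception is unchecked, so it surfaces from getSession().
            session = req.getSession(true);
        } catch (UnauthorizedSessionRequestException e) {
            // Mismatch cases from the table: an unauthenticated request presenting
            // staff01's session id, or staff01 presenting staff02's session id.
            // Record it for detection and refuse; never fall back to an
            // unsecured code path with the presented id.
            LOG.warning("Session identity mismatch: remote user "
                    + req.getRemoteUser() + " from " + req.getRemoteAddr());
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Caller identity as the container sees it; null means unauthenticated.
        String caller = req.getRemoteUser() == null ? "anonymous" : req.getRemoteUser();

        String owner = "unknown";
        if (session instanceof IBMSession) {
            // IBMSession.getUser() returns the user name the session is bound to.
            // By the time we get here an "anonymous" session retrieved by an
            // authenticated user has already been relabelled to that user.
            owner = ((IBMSession) session).getUser();
        }

        // Application-level re-check (this example's own addition): the container
        // has already enforced the rule, but comparing again costs nothing and
        // gives the application its own audit trail if the two ever disagree.
        if (!"anonymous".equals(owner) && !owner.equals(caller)) {
            LOG.severe("Session owner " + owner + " does not match caller " + caller);
            session.invalidate();
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        resp.setContentType("text/plain");
        resp.getWriter().println("session owner: " + owner + ", caller: " + caller);
    }
}
```

The catch block is the part that matters operationally: the exception is the only signal the application receives that someone presented a session ID belonging to a different identity, so it should be logged with the request's identity and source address and the request refused, rather than silently creating a fresh session for the caller.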
The corresponding message written to the log looks like this:

SESN0008E: A user authenticated as anonymous has attempted to access a session owned by user foo
Related:
- Session management support
- Task overview: Managing HTTP sessions