Secure Web applications during assembly

There are three types Web login (authentication) mechanisms that can be configured on a Web application: basic authentication, form-based authentication, and client certificate-based authentication. Web resources in a Web application can be protected by assigning security roles to those resources. So, you need to know in advance which Web resources need protecting and how to protect them.

Perform these steps to secure your Web application with the Application Assembly Tool:

1. Open the Web application file.
   The application file can be a WAR file or an application EAR file that contains one or more Web modules. To open the Web application file, click File --> Open. Click Browse, and select the Web application file.

2. Create security roles.
   You can create security roles at the application level or at Web module level. If a security role is created at Web module level, the role also displays in the application level. If a security role is created at the application level, the role does not display in all the Web modules. You can copy and paste a security role at the application level to one or more Web module security roles.

   Perform these steps to create security roles:

   1. To create a role at the application level, right-click Security Roles under the application. Click New.
   2. Type the role name.
   3. If the role that is created for the application is required for a Web module, select that role from the application. Right click the role and select Copy. Open the tree for the Web module to which you want to add this role. Right-click the Web module security role, and click Paste.
   4. Create a role at Web module level by opening the corresponding Web module folder. Right-click Security Roles under the Web module and click New. Type the role name.

3. Create security constraints.
   Security constraints are a mapping of one or more Web resources to a set of roles.

   1. Create new security constraints by opening the Web module folder and right-click Security Constraints. Click New. A new panel displays.
   2. Type the security constraints name and description.
   3. Add the required roles by clicking Add under Roles. Browse and click the required roles. The asterisk (*) indicates all roles. An empty role list indicates that no user can have access to the Web resources that are specified under these security constraints.
   4. Set user data constraints by selecting Transport Guarantee from the drop-down list. A transport guarantee of NONE indicates that the communication between the Web client (browser) and the server (Web server) is transported over HTTP. A transport guarantee of CONFIDENTIAL or INTEGRAL guarantees that the communication between the Web client and the Web server is secured and is transported over HTTPS.
   5. Click OK when you are done. This creates a new Security Constraints folder for the Web module.
   6. Open the security constraints that were created in previous steps and right-click Web Resources Collection. Click New. A new panel displays.
   7. Type a Web resource collection name and description.
   8. Next to HTTP Methods, click Add and select the HTTP method to add. Click OK. Repeat this step until you have added all necessary HTTP methods.
   9. Next to URLs, click Add. Type the URL pattern (for example: /*, *.jsp, /hello). Consult the Servlet 2.3 Specification for more information about mapping URL patterns to servlets. The security run time uses the first exact match to map the incoming URL with URL patterns. If the exact match is not present, the security run time uses the longest match. The wild card URL pattern (such as *.* or *.jsp is used last. Click OK.
   10. Click OK when you are done.
   11. Repeat the previous steps to create multiple security constraints.

4. Map security-role-ref and role-name to the role-link.
   During development of the Web application, you can create the security-role-ref element using development tools such as WebSphere Studio Application Developer. The security-role-ref element contains only the role-name field at this stage. The role-name field contains the name of the role that is referenced in the servlet or JSP code to determine if the caller is in a specified role (if the isUserInRole() method returns true). Because security roles are created during the assembly stage, the developer uses a logical role name in the role-name field and provides enough description in the description field for the assembler to map the role actual (role-link). The Security-role-ref element is at the servlet level. A servlet or JSP file can have zero or more security-role-ref elements.

   To map the elements to role-link, perform these steps:

   1. Map the role-name to the role-link for a security-role-ref element by opening the required servlet folder. Click Security Role References.
   2. Select each role-name on the right navigation panel and click the actual role to be mapped to that role-name. Select a role from the drop-down list for the link.
   3. If the security-role-ref is not created already during development, right-click Security Role References. Click New. A new panel displays.
   4. Enter the role-name in the Name field and role-link in the Link field by selecting a proper role from the drop-down list. Add a description in the Description field.
   5. Repeat the previous steps to map every role-name to the actual role (role-link).

5. Specify RunAs identity for servlets and JSP files.
   The RunAs identity of a servlet is used to invoke enterprise beans from within the servlet code. When enterprise beans are invoked, the RunAs identity is passed to the enterprise beans for performing an authorization check on the enterprise beans. If the RunAs identity is not specified, the client identity is propagated to the enterprise beans. The RunAs identity is assigned at the servlet level.

   To specify the RunAs identities for a servlet, click the servlet folder. Select the Security tab on the right navigation panel.

6. Configure the login mechanism.
   Configure the login mechanism only at the Web module level. This configured login mechanism applies to all the servlets, JSP files, and HTML resources in the Web module.

   Perform these steps:

   1. Configure the login mechanism for the Web module by clicking the Web Module folder.
   2. Click the Advanced tab on the right navigation panel.
   3. Select Login Configuration.
   4. Select the required authentication method from the drop-down list.
   5. If you select form-based authentication, enter the Login page and Error page URLs (for example: /login.jsp and /error.jsp). The specified login and error pages must be included in the WAR file.
   6. If you select client certificate authentication, install the client certificate on the browser (Web client) and place the client certificate in the server trust keyring file.