Securing Web resources with IBM HTTP Server for iSeries

Use the protection directives of IBM HTTP Server for iSeries to secure Web resources. Performance may be better when using this mechanism, but you lose the ability to administer all of your security information in the WebSphere administration repository.

If there are static resources such as images that need no security check to be applied, they may be served up directly by the HTTP server without the performance impact of checking the WebSphere security.

For example, if WebSphere has resources within the URI /webapp/SecureWebApplication/servlet/*, a directive could be specified to allow the serving of images without a WebSphere security check. With the IBM HTTP Server (powered by Apache), for instance, you can add this directive to your Web server instance configuration:

  Alias /images/ /nonsecure/images/

Because the HTTP server serves these resources directly, WebSphere security does not apply to them: WebSphere Application Server neither authenticates nor denies the request, so only content that genuinely needs no protection should be aliased this way.

There is another way you may choose to secure your Web resources: the protection directives of IBM HTTP Server for iSeries. Performance may be better when using this mechanism, but you lose the ability to administer all of your security information with WebSphere Application Server.

Note: You may wish to enable WebSphere security just for the purpose of securing the administrative console. However, if you are using a Web server to protect your servlets, remove that protection from the Web server configuration and configure WebSphere protection for the servlets before enabling WebSphere security. Servlets that are protected by a Web server obtain null when they call the getRemoteUser() or getAuthType() method of the request object if WebSphere security is enabled for the application server and WebSphere protection is not configured for the servlets. However, security can be disabled at the server level (Network Deployment product only). For more information, see Use getRemoteUser() and getAuthType() methods.

To configure an IBM HTTP Server instance (powered by Apache), use the Location directive. The following example shows how to use the Location directive to protect the servlet /webapp/SecureServerWebApp/BasicServlet:

<Location /webapp/SecureServerWebApp/BasicServlet>
   AllowOverride None
   # Realm name shown in the browser's credential prompt
   AuthName happywas
   # IBM i directive: do not create a profile token for the authenticated user
   ProfileToken off
   AuthType Basic
   # With "order deny,allow" the Allow directive is evaluated last, so every host
   # passes the host check and "require valid-user" is the effective control
   order deny,allow
   require valid-user
   allow from all
   deny from all
   # Validate credentials against IBM i system user profiles
   PasswdFile %%SYSTEM%%
   # Run the request under the server's user profile, not the authenticated user's
   UserID %%SERVER%%
</Location>
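The two mechanisms above (an Alias that serves static files without any WebSphere check, and a Location block that enforces Basic authentication) are easy to misconfigure so that a path is left open. The following added example, which is not part of the original documentation, is a small audit script that parses an httpd.conf fragment and reports Location blocks that never require a user and Alias directives that carve a static path out of a WebSphere application URI; the sample configuration and the list of WebSphere application roots are constructed inputs.

```python
import re

# Constructed sample httpd.conf fragment, modelled on the directives the page shows
SAMPLE_CONF = """\
Alias /images/ /nonsecure/images/
Alias /webapp/SecureWebApplication/servlet/img/ /nonsecure/img/
<Location /webapp/SecureServerWebApp/BasicServlet>
   AuthName happywas
   AuthType Basic
   require valid-user
   PasswdFile %%SYSTEM%%
</Location>
<Location /webapp/SecureServerWebApp/ReportServlet>
   AuthName happywas
   AuthType Basic
</Location>
"""

# Assumed input: URI roots owned by WebSphere applications. Anything aliased
# underneath them is served by the HTTP server and never reaches WebSphere security.
WAS_ROOTS = ["/webapp/SecureWebApplication/servlet/", "/webapp/SecureServerWebApp/"]

LOCATION_RE = re.compile(r"<Location\s+(\S+)\s*>(.*?)</Location>", re.S | re.I)
ALIAS_RE = re.compile(r"^\s*Alias\s+(\S+)\s+(\S+)", re.M | re.I)


def parse_locations(conf):
    """Map each <Location> URI to the lower-cased directive names inside it."""
    blocks = {}
    for uri, body in LOCATION_RE.findall(conf):
        lines = [ln.strip() for ln in body.splitlines()]
        blocks[uri] = [ln.split()[0].lower() for ln in lines if ln and not ln.startswith("#")]
    return blocks


def audit(conf, was_roots=WAS_ROOTS):
    """Return findings: Location blocks with no 'require' (Apache then performs no
    authentication at all) and Alias prefixes that sit under a WebSphere root."""
    findings = []
    for uri, names in parse_locations(conf).items():
        if "require" not in names:
            findings.append(f"{uri}: no 'require' directive, so no authentication is enforced")
        if "authtype" not in names or "authname" not in names:
            findings.append(f"{uri}: missing AuthType/AuthName, browser cannot be challenged")
    for url_prefix, _fs_path in ALIAS_RE.findall(conf):
        for root in was_roots:
            if url_prefix.startswith(root):
                findings.append(f"Alias {url_prefix}: served directly, bypasses WebSphere security under {root}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```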

For more information about configuring an IBM HTTP Server instance, see the IBM HTTP Server for iSeries documentation in the iSeries Information Center.

Note: The WebSphere Application Server product contains an internal HTTP server that is used for testing applications and to serve the administration application without the use of an external HTTP server. If you decide to protect your WebSphere resources with IBM HTTP Server (powered by Apache), which is the external HTTP server, disable access to the internal HTTP server.

To disable access to the internal HTTP server, perform these steps in the WebSphere administrative console:

  1. In the navigation menu, click Environment --> Virtual Hosts.
  2. In the Virtual Hosts page, click the name of the virtual host (for example, default_host).
  3. Under Additional Properties, click Host Aliases.
  4. Select the entry with a Port number that does not correspond to the external HTTP server port. (By default, the external port number is 80. In this case, select the host name with a port other than 80.)
  5. Click Delete.
  6. Click Save to save your configuration.