
Web authentication settings

Use this page to specify the Web authentication settings that are associated with a Web client. To view this console page...

  1. Click Security > Secure administration and applications.

  2. Under Authentication, expand Web security and click General settings.

You can override the global Web authentication setting that you select on this panel by specifying a system property on the server level. To specify the system property...

  1. Click Servers > Application servers > server.

  2. Under Server infrastructure, click Java and Process Management > Process definition.

  3. Under Additional properties, click Java Virtual Machine > Custom properties > New.

You can specify the following system properties on the server level for Web authentication.

Table 1. Web authentication system property values

  Property name                                  | Value      | Explanation
  -----------------------------------------------|------------|------------------------------------------------------------------------------------------------------------------
  com.ibm.wsspi.security.web.webAuthReq          | lazy       | This value is equivalent to the Authenticate only when the URI is protected option.
  com.ibm.wsspi.security.web.webAuthReq          | persisting | This value is equivalent to the Use available authentication data when an unprotected URI is accessed option.
  com.ibm.wsspi.security.web.webAuthReq          | always     | This value is equivalent to the Authenticate when any URI is accessed option.
  com.ibm.wsspi.security.web.failOverToBasicAuth | true       | This value is equivalent to the Default to basic authentication when certificate authentication for the HTTPS client fails option.


Configuration tab

Authenticate only when the URI is protected

The application server challenges the Web client to provide authentication data when the Web client accesses a URI that is protected by a J2EE role. The authenticated identity is available only when the Web client accesses a protected URI.

This option is the default J2EE Web authentication behavior that is also available in previous releases of WAS.

Default: Enabled

Use available authentication data when an unprotected URI is accessed

The Web client can use authentication data that was already validated (for example, on an earlier request to a protected URI) and that it otherwise could not use on an unprotected URI. This option enables the Web client to call the getRemoteUser, isUserInRole, and getUserPrincipal methods to retrieve an authenticated identity from an unprotected URI.

When you select this option with the Authenticate only when the URI is protected option, the Web client can use authenticated data when the URI is protected or not protected.

This option does not challenge the Web client to provide authenticated data if the Web client accesses an unprotected URI without authenticated data.

Default: Disabled
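As an added example (not code from the WebSphere documentation), the following servlet shows what the setting above means for application code: on an unprotected URI, getRemoteUser and getUserPrincipal return null under the default Authenticate only when the URI is protected behavior, and return the previously validated identity only when Use available authentication data when an unprotected URI is accessed (or the persisting property value) is enabled. The servlet name, the /public/whoami URL pattern and the administrator role name are assumptions; it assumes a Servlet 3.0 container (on older releases, declare the same mapping in web.xml without a security constraint).

```java
// Added example, not part of the original page. Assumptions: the URL pattern
// below is not covered by any security-constraint, and a role named
// "administrator" is declared in the application.
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/public/whoami")   // unprotected URI: no J2EE role guards it
public class WhoAmIServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        Principal principal = req.getUserPrincipal();
        String user = req.getRemoteUser();

        if (principal == null || user == null) {
            // No authenticated identity was propagated to this unprotected URI.
            // This is the normal outcome under webAuthReq=lazy even for a client
            // that already logged in on a protected URI. Treat the caller as
            // anonymous; isUserInRole would only ever return false here.
            out.println("anonymous (no authentication data available for this URI)");
            return;
        }

        // Under webAuthReq=persisting (or always) the validated identity is
        // available, so the programmatic security APIs are meaningful.
        out.println("user: " + user);
        out.println("authType: " + req.getAuthType());
        out.println("administrator role: " + req.isUserInRole("administrator"));
    }
}
```

The null check is the point of the example: code on unprotected URIs must not assume an identity is present, because whether one is depends on this server-level setting rather than on the application's deployment descriptor.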

Authenticate when any URI is accessed

The Web client must provide authentication data regardless of whether the URI is protected.

Default: Disabled

Default to basic authentication when certificate authentication for the HTTPS client fails

When the required HTTPS client certificate authentication fails, the application server uses the basic authentication method to challenge the Web client to provide a user ID and password. The HTTPS client certificate authentication that is performed by the application server security is different from the client authentication that is performed by the Web server plug-in. If you configure the Web server plug-in for mutual authentication and client authentication fails, the following situations occur:

  • The Web server produces an error and the Web request is not processed by application server security.

  • The application server cannot fail over to basic authentication.

Default: Disabled


Related tasks

Developing with programmatic security APIs for Web applications

Related Reference

getRemoteUser and getAuthType methods
Secure administration, applications, and infrastructure settings

Reference topic