Global security and security domains
WebSphere Application Server provides configuration facilities that allow you to secure the administrative applications and services that are used to manage and configure a WebSphere environment, and to secure the applications running in that environment. These two configuration activities are done separately, although they can share common settings.
Global security settings are the security configuration settings that apply to all administrative functions and provide the default settings for user applications.
WebSphere Application Server V7 introduces the ability to create additional security domains to secure user applications and their resources. A security domain is specific to the application servers, clusters, and service integration buses that are assigned to it. A security domain can have attributes that differ from the global security settings. For example, one user registry can be used for administrative functions and a separate user registry for applications.
Global security compared to security domains
The global security domain in WebSphere Application Server V7 defines the administrative security configuration and the default configuration for applications. If no other security domains are configured, and application security is enabled at the global security domain, all of the user applications and administrative applications use the same security configuration.
Although extremely convenient and straightforward, a single-domain configuration might not be ideal for clients that need security settings customized per application. WebSphere Application Server V7 therefore offers the flexibility to override the global security domain configuration with additional security domains that are configured at a different scope. Security domains allow security settings to differ from those specified in the global security configuration.
Administrative security must be enabled before you can enable application security. However, application security can be disabled at the global security level and enabled at the security domain level.
You define attributes at the security domain level that need to be different from those at the global level. If the information is common, the security domain does not need to have the information duplicated in it. Any attributes that are missing in the domain are obtained from the global configuration.
The table below compares the security features that can be specified in the global security settings with those that a security domain can override.
Table 4.1. Comparison of global and domain security settings
Global security configuration | Security domain overrides
Security domain scope
A security domain can be scoped to an entire cell, or to a specific set of servers, clusters, or service integration buses. Therefore, multiple security domains can be used to allow security settings to vary from one application to another application.
The security settings that apply to an application are determined by the following scope rules, evaluated in order:
1. If the application is running on a server or cluster that is within the scope of a security domain, that domain's settings are used. Security settings that are not defined in this domain are taken from the global security settings (not from a cell-level domain).
2. If the application is running on a server or cluster that is not within the scope of a security domain, but a security domain has been defined at the cell scope, that cell-level domain is used. Security settings that are not defined in this domain are taken from the global security settings.
3. If neither of the previous conditions applies, the global security settings are used.
Note that you can enable or disable application security at both the domain and the global level, so an application that falls within the scope of a domain does not necessarily have application security enabled. Also note that naming operations always use the global security configuration.
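The scope rules above, together with the attribute fallback from the previous section and the two notes on application security and naming, can be hard to reason about when several domains exist. The following Python script is an added example that models that resolution order on a constructed configuration; it is not WebSphere code and does not call the WebSphere administrative API. The domain names, resource names, and attribute names (such as `userRegistry` and `trustAssociation`) are illustrative assumptions chosen for the example. It deliberately shows the subtle case: a server-scoped domain that omits an attribute inherits it from the global configuration, never from a cell-level domain.

```python
# Added example: a model of how WebSphere Application Server V7 resolves the
# security settings that apply to an application. Not WebSphere code or its API.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass
class SecurityDomain:
    name: str
    # Attributes explicitly set in this domain. Anything absent is taken from
    # the global security configuration, never from another domain.
    attributes: Dict[str, str] = field(default_factory=dict)
    # Servers, clusters or service integration buses mapped to this domain.
    members: FrozenSet[str] = frozenset()
    # True when the domain is scoped to the whole cell rather than to resources.
    cell_scoped: bool = False


class SecurityConfig:
    def __init__(self, global_attributes: Dict[str, str], domains: List[SecurityDomain]):
        self.global_attributes = dict(global_attributes)
        self.domains = list(domains)
        self._validate()

    def _validate(self) -> None:
        # Application security can only be enabled (globally or in a domain)
        # once administrative security, a global-only setting, is enabled.
        admin_on = self.global_attributes.get("adminSecurityEnabled") == "true"
        scopes = [("global", self.global_attributes)]
        scopes += [(d.name, d.attributes) for d in self.domains]
        for scope, attrs in scopes:
            if attrs.get("appSecurityEnabled") == "true" and not admin_on:
                raise ValueError(
                    f"{scope}: application security requires administrative security")

    def domain_for(self, resource: str) -> Optional[SecurityDomain]:
        # Rule 1: a domain whose scope explicitly includes the server or cluster.
        for domain in self.domains:
            if resource in domain.members:
                return domain
        # Rule 2: otherwise a cell-scoped domain, if one is defined.
        for domain in self.domains:
            if domain.cell_scoped:
                return domain
        # Rule 3: otherwise the global security configuration.
        return None

    def effective_settings(self, resource: str) -> Dict[str, str]:
        # Start from global settings and overlay only the selected domain's
        # attributes; missing attributes therefore come from global.
        settings = dict(self.global_attributes)
        domain = self.domain_for(resource)
        if domain is not None:
            settings.update(domain.attributes)
        settings["resolvedFrom"] = domain.name if domain else "global"
        return settings

    def app_security_enabled(self, resource: str) -> bool:
        # Falling within a domain does not by itself enable application security.
        return self.effective_settings(resource).get("appSecurityEnabled") == "true"

    def naming_settings(self) -> Dict[str, str]:
        # Naming operations always use the global security configuration.
        return dict(self.global_attributes)


# Constructed sample configuration (illustrative values, not from a real cell).
GLOBAL_SETTINGS = {
    "adminSecurityEnabled": "true",
    "appSecurityEnabled": "false",
    "userRegistry": "federatedRepositories",
    "ltpaTimeoutMinutes": "120",
}
HR_DOMAIN = SecurityDomain(
    "hrDomain",
    {"userRegistry": "ldapRegistry", "appSecurityEnabled": "true"},
    members=frozenset({"hrCluster"}),
)
CELL_DOMAIN = SecurityDomain(
    "cellDomain",
    {"userRegistry": "customRegistry", "appSecurityEnabled": "true",
     "trustAssociation": "enabled"},
    cell_scoped=True,
)
CONFIG = SecurityConfig(GLOBAL_SETTINGS, [HR_DOMAIN, CELL_DOMAIN])

if __name__ == "__main__":
    for res in ("hrCluster", "server1"):
        print(res, CONFIG.effective_settings(res), CONFIG.app_security_enabled(res))
    print("naming", CONFIG.naming_settings()["userRegistry"])
```

Running the script shows that `hrCluster` gets the LDAP registry from `hrDomain` and the LTPA timeout from the global settings, but not the `trustAssociation` attribute set in `cellDomain`, while `server1`, which is mapped to no domain, picks up everything from the cell-level domain. Constructing a configuration whose global `adminSecurityEnabled` is `false` while a domain enables application security raises `ValueError`, mirroring the rule that administrative security must be enabled first.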