Chapter 4. WebSphere Application Server Security

4.1.  Implement security policies (e.g., authentication and authorization (using different security registries), global security, etc.) Protect WebSphere Application Server Network Deployment V7.0 resources (e.g., Java 2 security, Java EE security roles).

[Note]

Global security and security domains

WebSphere Application Server provides configuration facilities that allow you to secure the administrative applications and services that are used to manage and configure a WebSphere environment and to secure applications running in that environment. These configuration activities are done separately, although, they can share common settings.

Global security settings are the security configuration settings that apply to all administrative functions and provide the default settings for user applications.

New in V7, WebSphere Application Server V7 introduces the ability to create additional security domains to secure user applications and their resources. A security domain is specific to the application servers, clusters, and service integration buses that are assigned to it. A security domain can have attributes that differ from the global security settings. For example, a separate user registry can be used to secure administrative functions and applications.

Global security compared to security domains

The global security domain in WebSphere Application Server V7 defines the administrative security configuration and the default configuration for applications. If no other security domains are configured, and application security is enabled at the global security domain, all of the user applications and administrative applications use the same security configuration.

Although extremely convenient and straightforward, a single-domain configuration might not be the ideal configuration for certain clients that need settings customized for applications. Fortunately, WebSphere Application Server V7 offers the flexibility to override the global security domain configuration with additional security domains that are configured at a different scope. Security domains provide the flexibility to use configuration security settings that differ from those settings that are specified in the global security settings.

Administrative security must be enabled before you can enable application security. However, application security can be disabled at the global security level and enabled at the security domain level.

You define attributes at the security domain level that need to be different from those at the global level. If the information is common, the security domain does not need to have the information duplicated in it. Any attributes that are missing in the domain are obtained from the global configuration.

Table below shows a comparison of the security features that can be specified in the global security settings and those that a security domain can override.

Table 4.1.  Comparison of global and domain security settings

Global security configurationSecurity domain overrides

  • Enablement of application security

  • Java 2 security

  • User realm (registry)

  • Trust Association Interceptor (TAI)

  • SPNEGO Web authentication

  • RMI/IIOP Security (CSIv2 protocol)

  • JAAS

  • Authentication mechanism attributes

  • Authorization provider

  • Custom properties

  • Web attributes (single sign-on)

  • SSL

  • Audit

  • LTPA authentication mechanism

  • Kerberos authentication mechanism

  • Enablement of application security

  • Java 2 security

  • User realm (registry)

  • Trust Association Interceptor (TAI)

  • SPNEGO Web authentication

  • RMI/IIOP Security (CSIv2 protocol)

  • JAAS

  • Authentication mechanism attributes

  • Authorization provider

  • Custom properties


Security domain scope

A security domain can be scoped to an entire cell, or to a specific set of servers, clusters, or service integration buses. Therefore, multiple security domains can be used to allow security settings to vary from one application to another application.

Figure 4.1. Configure a new Security Domain

Configure a new Security Domain


Security settings that apply to an application will be defined by the following scope:

  1. If the application is running on a server or cluster that is within the scope of a security domain, those settings will be used. Security settings that are not defined in this domain will be taken from the global security settings (not a cell-level domain).

  2. If the application is running on a server or cluster that is not within the scope of a security domain, but a security domain has been defined at the cell scope, that domain will be used. Security settings that are not defined in this domain will be taken from the global security settings.

  3. If the previous conditions do not apply, the global domain settings will be used.

Note that you can enable or disable application security at the domain and global level, so just falling within a domain does not necessarily mean that application security is enabled. Also, note that naming operations always use the global security configuration.

Professional hosting         Free 'Oracle Certified Expert Web Services Developer 6' Guide     Free SCDJWS 5.0 Guide