Websphere - Security Overview - PowerPoint PPT Presentation

Slides: 18
Provided by: paull91
Learn more at: http://gkmc.utah.edu
Transcript and Presenter's Notes

Title: Websphere - Security Overview


1
Websphere - Security Overview
  • Jonathan Yip

2
Terms
  • Websphere Application Developer (WSAD) -- It is a By-product of Eclipse
    -- Eclipse is an Open Source Development Tool
  • J2EE 1.2 -- It is a Platform that Enables Developers to Create Different
    Parts of their Applications as Reusable Components.
  • Application Assembly Tool (AAT) -- A Utility to Assist the J2EE Provider or
    J2EE Deployer with the Generation of J2EE-compliant Deployment Descriptors
    and Binding Attributes.
3
Security Architecture
  • J2EE 1.2 compliant Java application server
  • Security Server
  • Security Collaborator
  • Security Policy
  • Security Information

4
Security Architecture (2)
  • Security server
    -- Authentication, Authorization, Delegation Policies
  • Security Collaborator
    -- Web Collaborator
       - Checks the authentication if not provided
       - Performs the authorization check
       - Logs security tracing information
    -- EJB (Enterprise JavaBeans) Collaborator
       - Check authorization.
       - Support user registries.
       - Log security tracing information.

5
Security Architecture (3)
  • Security Policies
    -- Attributes to Record
       - Role and method permission
       - Run-as mode or delegation policy
       - Login configuration or challenge type
       - Data protection (confidentiality and integrity) settings
  • Security Information
    -- Global security (All applications)
    -- Application security (Can specify on each application)

6
Security Architecture (4)
[Figure: Overview of the Security Architecture (diagram not preserved; surviving label: PlugIn)]
7
Websphere Security Implementation
  • How to Secure an Application
  • The WebSphere Authentication Model
  • User Registry
  • Security Center

8
Securing Application
  • Application Assembly Tool (AAT)
  • Create an Application
  • Create an EJB Module
  • Create a Web Module
  • Create an Application Client

9
Securing Application (2)
  • 1.) Define Business Role
  • 2.) Create Security Constraints for Web Resources
  • 3.) Define the Web Component Authentication for
    the Web Module
  • 4.) Define Security Constraints and Assign them
    to Roles.
  • 5.) Configure Delegation Role Policy
  • 6.) Relate Roles to Users
  • Table Showing some Role and the Description

10
Websphere Authentication Model
  • HTTP Basic authentication
    -- Acquires a Password from the User and Validates it. Not secure.
  • HTTPS Client Certificate authentication
    -- Requires a Public Key Certificate; HTTPS is Used to Transmit it
  • Form-Based authentication
    -- Permits a Site-specific Login Through an HTML Page or a JSP form.
    -- The password is not encrypted and the target server is not
       authenticated (SSL should be added)
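
Steps 1 to 4 of "Securing Application (2)" and the form-based login from this slide, written out as a J2EE 1.2 (Servlet 2.2) web.xml deployment descriptor of the kind the AAT generates. This is an added example, not part of the original slides; the role name, URL pattern and page paths are assumptions. Steps 5 and 6 (delegation policy and relating roles to users) are not part of this file and are not shown.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
  "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<!-- Constructed example: "manager", "/accounts/*" and the JSP paths are assumptions. -->
<web-app>
  <display-name>AccountsWeb</display-name>

  <!-- Steps 2 and 4: constrain a set of web resources and assign the constraint to a role. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Account pages</web-resource-name>
      <url-pattern>/accounts/*</url-pattern>
      <!-- No http-method elements: the constraint then covers every HTTP method,
           not only the ones someone remembered to list. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
    <!-- Data protection setting: CONFIDENTIAL makes the container require SSL for
         these URLs, which is the "SSL should be added" point for form login. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Step 3: web component authentication (challenge type) for the whole module. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <!-- The login form posts j_username and j_password to j_security_check. -->
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Step 1: declare the business role referenced by the constraint above. -->
  <security-role>
    <description>Staff allowed to view and change accounts</description>
    <role-name>manager</role-name>
  </security-role>
</web-app>
```

Switching `auth-method` to `BASIC` or `CLIENT-CERT` selects the other two challenge types on this slide without touching the constraint or the role.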

11
User Registry
  • It is a Repository that Contains Users and Groups.
  • The Administrator can have Users or Groups Authenticated against the
    Local Operating System User Registry

12
Security Center
  • It is Part of the Administrator's Console (AC), Focusing on Configuration
    in Security Matters

13
Websphere Security and the Operating Environment
WebSphere security relies on and enhances all of
the above security levels.
14
Other Security Features of Websphere
  • Encoded Passwords
    -- WebSphere Stores Passwords for
       - Accessing the Administration Repository
       - The Administration ID to Access the Administrator's Console
       - Accessing Key Stores and Trust Stores
  • Security interoperability with z/OS
    -- Allows Application Servers on the UNIX or NT Side to Authenticate
       to the Application Server on the z/OS Side and Communicate securely.

15
Programmatic Security
  • Used to Secure Artifacts and Resources Beyond Checking the Role of an
    Authenticated User
  • Implemented by Creating a Generic Login Page. Once the User logs in,
    FormLoginServlet Authenticates and Places an SSO (Single Sign On) Token
    in a Cookie.
  • Advantages
    -- Limiting the Number of Invalid Password Attempts
    -- Checking that the User's Subscription has not Expired
    -- Logging Information about a User's Visit

16
  • References
  • IBM Redbook
  • Websphere Application Server Bible

17
  • End