IBM WebSphere V5.0 Security - CGISecurity

More documents

Recommendations

Info

If the user in role 'A' accesses /helloworld/helloEurope.html he will get an authorization error saying that the user is not in the role of 'B', but we defined that role ‘A’ should be able to access everything under /helloworld. The user in role ‘A’ can still access the /helloworld/helloAfrica.html resource, and the user in role ‘B’ can access /helloworld/helloEurope.html As you see, Constraint ‘Y’ overrules Constraint ‘X’ in this situation. The other approach would be to map roles to resources, and define the authorized roles for each resource. Obviously, this is not a possible solution since an application probably has more resources than we want to set up one by one. A solution, the same that we applied to the ITSOBank sample application, could be to reuse the use cases for the application and follow them to define security constraints. In this approach, each constraint covers a use case, the roles are the identified actors for the use case and the resources are the resources involved in the use case. For example, the ITSOBank sample application has a use case: customer transfer. The actors that can use this use case are manager and clerk. The resources are: transfer/customertransfer.html, servlet/Transfer, transfer/transferresults.jsp. The listed elements can define the appropriate resource collection for the right group of roles. Of course, this is only one approach and it might not be the best in every case. The purpose of this section is to point out the problem with the first two approaches and make you think about this issue. You can also protect your resources based on URL patterns using a security reverse proxy in your infrastructure, for example via Tivoli Access Manager’s WebSEAL. Struts security Struts is a very powerful framework to implement the Model-View-Controller design pattern for a Web application. The framework at this stage does not provide security functions, it leaves the issue to the J2EE Web module to handle security. Struts does not carry any security problems, but there are certain considerations you have to keep in mind. The reason why the security issue arises is because Struts is a single access point under the cover, for multiple application functions. One single servlet handles all actions implementing the command pattern. 70 IBM WebSphere V5.0 Security Handbook
Struts supports multiple mechanisms to map URIs for different actions; there are two common approaches to define the URIs that will be processed by the controller servlet - prefix matching and extension matching. ► ► Prefix matching means that you want all URIs that start with a particular value to be passed to this servlet, for example: http://www.xyz.com/myapp/execute/myaction. Extension mapping, on the other hand, matches request URIs to the action servlet based on the fact that the URI ends with a period followed by a defined set of characters. For example, the JSP processing servlet is mapped to the *.jsp pattern so that it is called to process every JSP page that is requested. In the case of Struts, we can map actions to the .do extension, that implies, “to do something”; the URL looks like the following: http://www.xyz.com/myapp/myaction.do In any case, the actions are differentiated based on URIs, although only one servlet performs the action. You have to make sure that you protect all the required URIs for your application for all the actions with Struts. Just because you will only have only one servlet mapping, this does not mean you only have to set up one constraint. The only difficulty with Struts and with these approaches is that you have to design and administer your security constraints for your Web application very carefully, just as in any other case of security design. It is easy not to secure or to set wrong access control to a sensitive resource and leave a security hole in your application. You can also protect your resources based on URL patterns using a security reverse proxy in your infrastructure, for example via Tivoli Access Manager’s WebSEAL. Page expiration This is a useful tip that you might want to keep in mind. The pages that are served from application servers are cached at least on the client side, regardless of whether the resource was secured or not. It will be a problem in a live system, where sensitive information can be found in the cache. It is definitely a problem during development, when security settings were changed for the Web module but the Web browser is still showing the pages from the cache without going out to the server and getting the latest content, so that no authentication or authorization check is performed. In this case, you can simply set your browser to not cache pages and always send a request. Chapter 4. Securing Web components 71
Page 1:
Front cover IBM WebSphere V5.0 Secu
Page 4 and 5:
Take Note! Before using this inform
Page 6 and 7:
4.2.1 Configuring Web module securi
Page 8 and 9:
10.6 LTPA . . . . . . . . . . . . .
Page 10 and 11:
Lotus Domino . . . . . . . . . . .
Page 12 and 13:
Trademarks The following terms are
Page 14 and 15:
The team that wrote this redbook Th
Page 16 and 17:
Stephen Pipes is a WebSphere consul
Page 18 and 19:
xvi IBM WebSphere V5.0 Security Han
Page 20 and 21:
1.1 How to read this book There are
Page 22 and 23:
4 IBM WebSphere V5.0 Security Handb
Page 24 and 25:
2.1 Security As new business practi
Page 26 and 27:
2.2 Security fundamentals 2.2.1 Aut
Page 28 and 29:
For example, in a distributed objec
Page 30 and 31:
► ► ► Users are mapped direct
Page 32 and 33:
If Bob wants to answer, he should u
Page 34 and 35:
identifies the client before issuin
Page 36 and 37:
2.3 Security in use Since security
Page 38 and 39: 20 IBM WebSphere V5.0 Security Hand
Page 40 and 41: 3.1 J2EE application The Java 2 Ent
Page 42 and 43: Principals and Groups Security Role
Page 44 and 45: 3.4 Application deployment descript
Page 46 and 47: 3.5 J2EE application security
Page 48 and 49: Figure 3-4 Application-level Securi
Page 50 and 51: Security role mapping in the Admini
Page 52 and 53: Figure 3-7 Searching for the manage
Page 56 and 57: 4.1 Static components WebSphere App
Page 58 and 59: 1. ldap.prop is an LDAP configurati
Page 60 and 61: Figure 4-2 Defining authentication
Page 62 and 63: A .htaccess file placed in one dire
Page 64 and 65: 4.2 Web module security In a J2EE a
Page 66 and 67: Figure 4-4 Login Method Configurati
Page 68 and 69: higher level of protection. User Da
Page 70 and 71: 8. Next to HTTP Methods click Add.
Page 72 and 73: 8. Add the GET and POST HTTP method
Page 74 and 75: 4.4 Security role reference During
Page 76 and 77: 7. Save and close the web.xml file.
Page 78 and 79: Form login configuration The follow
Page 80 and 81: 4.5.2 Custom login There are situat
Page 82 and 83: employeeType will be stored as a se
Page 84 and 85: 3. From the Filter Type Selection w
Page 86 and 87: As a next step, you have to make su
Page 90 and 91: As a universal solution for the pro
Page 92 and 93: 5.1 Securing EJBs EJBs, or Enterpri
Page 94 and 95: 5.3 Assigning EJB method permission
Page 96 and 97: defined in the EJB module. For info
Page 98 and 99: These unprotected methods can have
Page 100 and 101: Figure 5-6 New Security Role Refere
Page 102 and 103: Important: Although this feature is
Page 104 and 105: 4. The Role Name option menu will c
Page 106 and 107: 5.5.2 Method level delegation In ad
Page 108 and 109: Figure 5-11 Method-level Run-as rol
Page 110 and 111: Figure 5-13 Selecting methods for t
Page 112 and 113: If one or more method-level delegat
Page 116 and 117: 6.1 Java clients A client is a gene
Page 118 and 119: Available functions ActiveX client
Page 120 and 121: Upon receiving the message, the ser
Page 122 and 123: The sas.client.props file The CORBA
Page 124 and 125: The CSIv2 configuration properties
Page 126 and 127: server. For example, if the client
Page 128 and 129: Client01 Java client J Server01 EJB
Page 130 and 131: 2. Configure Server01 for outgoing
Page 132 and 133: Configuring Client02 Client02 requi
Page 134 and 135: 3. Enable SSL for the connection, i
Page 136 and 137: Configuring Client01 Client01 requi
Page 138 and 139:
WebSphere V4 SAS only WebSphere V5
Page 140 and 141:
The ITSOBank application provided w
Page 142 and 143:
► ► ► sas.jar ecutils.jar dir
Page 144 and 145:
7.1 Web Services security Web Servi
Page 146 and 147:
Figure 7-2 Creating a new Web Servi
Page 148 and 149:
Figure 7-4 Web Service Deployment S
Page 150 and 151:
Figure 7-7 Web Service Java Bean Me
Page 152 and 153:
12.As shown in Figure 7-10 on page
Page 154 and 155:
Follow the steps below to use the g
Page 156 and 157:
Using the ITSOBank Web Service clie
Page 158 and 159:
Example 7-1 SOAP request with certi
Page 160 and 161:
oVD/QxRYXFg02v6rK53DZKntq
Page 162 and 163:
3. In that window, under Security -
Page 164 and 165:
Example 7-4 Secured and non-secured
Page 166 and 167:
WS-Policy will be fully extensible
Page 168 and 169:
Policy Requester Security Token Ser
Page 170 and 171:
Direct Trust using Security Tokens
Page 172 and 173:
6. The service fetches the certific
Page 174 and 175:
Security can be applied at two leve
Page 176 and 177:
ii. Browse to select the file /scri
Page 178 and 179:
► Messages sent and received can
Page 180 and 181:
Important: Message Driven Bean is a
Page 182 and 183:
quser01 read write
Page 184 and 185:
- Container-managed Authentication
Page 186 and 187:
The authority service component pro
Page 188 and 189:
J2EE Connector architecture establi
Page 190 and 191:
As a next step, the following list
Page 192 and 193:
CMP EJB 2.0 Persistence Manager Dat
Page 194 and 195:
J2EE 1.3 Application EJB Container
Page 196 and 197:
2. Configure each resource adapter
Page 198 and 199:
8.1 Programmatic security J2EE secu
Page 200 and 201:
8.2.2 Servlet security methods The
Page 202 and 203:
There is one point worth noting in
Page 204 and 205:
Figure 8-3 Custom Registry properti
Page 206 and 207:
Method signature String getUserSecu
Page 208 and 209:
also ask for a X.509 certificate fi
Page 210 and 211:
Required libraries from WebSphere f
Page 212 and 213:
Testing the custom Trust Associatio
Page 214 and 215:
local or remote code (signed or not
Page 216 and 217:
To call a piece of trusted code to
Page 218 and 219:
► ► ► ► ► java.net.NetPer
Page 220 and 221:
► It is also possible to specify
Page 222 and 223:
Java 2 security can be enabled on t
Page 224 and 225:
► The following callbacks are pro
Page 226 and 227:
application LoginContext LoginModul
Page 228 and 229:
lc=new LoginContext("ClientContaine
Page 230 and 231:
Note: Without initializing the ORB,
Page 232 and 233:
8.8 Where to find more information
Page 234 and 235:
9.1 WebSphere security model The IB
Page 236 and 237:
Deployment Manager Cell-wide config
Page 238 and 239:
From a security point of view, each
Page 240 and 241:
► Application Security determines
Page 242 and 243:
9.2.2 WebSphere Application Server
Page 244 and 245:
LTPA requires that the configured U
Page 246 and 247:
HTTP / HTTPS HTTP Server WebSphere
Page 248 and 249:
9.3 Performance considerations From
Page 250 and 251:
232 IBM WebSphere V5.0 Security Han
Page 252 and 253:
10.1 Administration tools WebSphere
Page 254 and 255:
A Web browser, for instance, must b
Page 256 and 257:
the two types of registry provided
Page 258 and 259:
Role configurator operator administ
Page 260 and 261:
Figure 10-4 Mapping a group to an A
Page 262 and 263:
Mapping a group to a CosNaming role
Page 264 and 265:
1. In the Admin Console, select Sec
Page 266 and 267:
6. In the Configuration tab provide
Page 268 and 269:
8. The changes will need to be save
Page 270 and 271:
In a scenario presented in this cha
Page 272 and 273:
2. Save the configuration for WebSp
Page 274 and 275:
Figure 10-16 Application Login Conf
Page 276 and 277:
Figure 10-18 J2C Authentication ent
Page 278 and 279:
Figure 10-19 An SSL configuration w
Page 280 and 281:
WebSphere supports the concept of t
Page 282 and 283:
The file used by a Java client to r
Page 284 and 285:
Figure 10-22 Saving the new key sto
Page 286 and 287:
Figure 10-25 Provide details for th
Page 288 and 289:
24.From the menu bar, select Key Da
Page 290 and 291:
10.Enter a Key Label which will ide
Page 292 and 293:
Figure 10-30 A personal certificate
Page 294 and 295:
10.9.3 Using the Java keytool Anoth
Page 296 and 297:
SSL connection #1 SSL connection #2
Page 298 and 299:
Figure 10-33 The IBM HTTP Server ik
Page 300 and 301:
The IBM HTTP Server Administration
Page 302 and 303:
15.Select Basic Settings -> Module
Page 304 and 305:
In the case of a self-signed certif
Page 306 and 307:
Note: If the Cipher Specification l
Page 308 and 309:
Make sure that the certificate is i
Page 310 and 311:
Figure 10-41 Certificate details Th
Page 312 and 313:
Configuring WebSphere to use certif
Page 314 and 315:
3. If you decide the use the IBM HT
Page 316 and 317:
Example 10-5 trace.log ... [10/14/0
Page 318 and 319:
Configuring WebSphere to use exact
Page 320 and 321:
[10/14/02 19:39:38:358 EDT] 7a37602
Page 322 and 323:
publicly circulating root certifica
Page 324 and 325:
Exchanging public certificates The
Page 326 and 327:
Modifying the Web Container to supp
Page 328 and 329:
The new certificate should appear u
Page 330 and 331:
3. Client Certificate Authenticatio
Page 332 and 333:
Figure 10-47 CSIv2 transport config
Page 334 and 335:
Table 10-5 sas.client.props configu
Page 336 and 337:
10.13.1 IBM SecureWay Directory Ser
Page 338 and 339:
2. Click the Add Server button. The
Page 340 and 341:
8. Click OK; a new window appears f
Page 342 and 343:
Figure 10-56 LDAP directory with us
Page 344 and 345:
Figure 10-57 WebSphere LDAP Configu
Page 346 and 347:
Configuring the secure LDAP (LDAPS)
Page 348 and 349:
Figure 10-59 Configuring SSL for Se
Page 350 and 351:
Figure 10-60 SSL encryption setting
Page 352 and 353:
choose not to differentiate between
Page 354 and 355:
- Port: specify 636 which correspon
Page 356 and 357:
A sample scenario is depicted next.
Page 358 and 359:
Item Cell Node Server Appl. CosNami
Page 360 and 361:
JAAS configuration The JAAS configu
Page 362 and 363:
Individual CSI and SAS settings The
Page 364 and 365:
The server security settings availa
Page 366 and 367:
Page 368 and 369:
11.1 Patterns for e-business Patter
Page 370 and 371:
► ► ► Buy-Side Hub Sell-Side
Page 372 and 373:
Client Tier Synchronous Application
Page 374 and 375:
► Application tier: may represent
Page 376 and 377:
► certificates, access groups, et
Page 378 and 379:
Figure 11-6 presents the Runtime pa
Page 380 and 381:
11.4 Product mappings This section
Page 382 and 383:
- Authorization Server The Authoriz
Page 384 and 385:
The following secure communications
Page 386 and 387:
Page 388 and 389:
This chapter covers four different
Page 390 and 391:
andwidth to and from the server unt
Page 392 and 393:
All of these benefits contribute to
Page 394 and 395:
The Policy Server replicates this d
Page 396 and 397:
Server Tivoli Access Manager WebSEA
Page 398 and 399:
Server Name appsrv01, appsrv02 Appl
Page 400 and 401:
1. First, log in with your favorite
Page 402 and 403:
1. In the Administrative Console, n
Page 404 and 405:
12.4.1 Single Sign-On with WebSEAL
Page 406 and 407:
correct. Then it trusts that the id
Page 408 and 409:
8. In the Single Sign-On (SSO) pane
Page 410 and 411:
User Registry Client 1. Request 2.
Page 412 and 413:
Property key com.ibm.Websphere.secu
Page 414 and 415:
Figure 12-8 Trust Association Panel
Page 416 and 417:
2. We will first configure LTPA aut
Page 418 and 419:
e prompted for the keyfile password
Page 420 and 421:
Example 12-2 WebSphere Security ini
Page 422 and 423:
[8/22/02 7:42:44:163 CDT] 277a2e5c
Page 424 and 425:
[8/22/02 7:42:47:449 CDT] 277a2e5c
Page 426 and 427:
[8/22/02 7:42:51:655 CDT] 277a2e5c
Page 428 and 429:
In this example, we have configured
Page 430 and 431:
► ► ► WebSEAL can forward mod
Page 432 and 433:
LDAP Server Policy/Authorization Se
Page 434 and 435:
of inetOrg.Person as each junction
Page 436 and 437:
Figure 12-13 Web Portal Manager Men
Page 438 and 439:
Select the boxes Is Account Valid,
Page 440 and 441:
Creating Access Manager Junctions A
Page 442 and 443:
Figure 12-18 Protected Object Prope
Page 444 and 445:
Figure 12-20 Create an ACL Entry 4.
Page 446 and 447:
Testing the junctions The following
Page 448 and 449:
Figure 12-22 Successful access to i
Page 450 and 451:
WebSEAL Authenticated Users before
Page 452 and 453:
At the same time, the tool creates
Page 454 and 455:
- pdacld_port: the port number of t
Page 456 and 457:
8. The next application migrated wa
Page 458 and 459:
Do not make changes to the deployme
Page 460 and 461:
Page 462 and 463:
Page 464 and 465:
Sample application The purpose of t
Page 466 and 467:
5. The Transfer EJB uses two entity
Page 468 and 469:
The process flows as described belo
Page 470 and 471:
You can download the clients from h
Page 472 and 473:
Configuring WebSphere Application S
Page 474 and 475:
Use this DataSource in container ma
Page 476 and 477:
e. On the Map RunAs roles to users
Page 478 and 479:
Page 480 and 481:
SecureWay Directory Server The conf
Page 482 and 483:
Ensure that Domino is using the LDA
Page 484 and 485:
Figure B-3 Domino LDAP settings in
Page 486 and 487:
Figure B-4 Domino CA application 2.
Page 488 and 489:
Enable SSL on Domino Server Enable
Page 490 and 491:
1. Open the ikeyman tool that comes
Page 492 and 493:
3. WebSphere will validate your ent
Page 494 and 495:
Figure B-9 iPlanet Directory Server
Page 496 and 497:
Figure B-13 iPlanet Certificate Req
Page 498 and 499:
Figure B-16 Certificate Install Wiz
Page 500 and 501:
Figure B-19 iPlanet Encryption sett
Page 502 and 503:
Tip from a battle scarred veteran p
Page 504 and 505:
Figure B-21 Active Directory Users
Page 506 and 507:
Figure B-24 New User password panel
Page 508 and 509:
group membership, and other group a
Page 510 and 511:
WebSphere-Domino SSO scenarios In t
Page 512 and 513:
7. Once the user is authenticated a
Page 514 and 515:
6. Click OK to create a database. 7
Page 516 and 517:
- On the Rules tab, specify the fol
Page 518 and 519:
3. A new Document will be displayed
Page 520 and 521:
Figure C-7 TCP/IP port status setti
Page 522 and 523:
1. To add new user names or groups
Page 524 and 525:
Figure C-10 Default Domino server l
Page 526 and 527:
Figure C-13 Successful submission o
Page 528 and 529:
Using Domino LDAP for user registry
Page 530 and 531:
Enabling Single Sign-On for WebSphe
Page 532 and 533:
wsadmin scripting WebSphere Applica
Page 534 and 535:
3. In the line com.ibm.SOAP.loginUs
Page 536 and 537:
You can also set the user registry
Page 538 and 539:
Page 540 and 541:
Using the Web material The addition
Page 542 and 543:
SPI SSL SSO SWAM UDDI URI URL VPN W
Page 544 and 545:
Referenced Web sites These Web site
Page 546 and 547:
Page 548 and 549:
Application pattern Directly Integr
Page 550 and 551:
EJB permissions Exclude 80 Role 80
Page 552 and 553:
L launchclient 122 LDAP Advanced se
Page 554 and 555:
ORB 102 System 366 Unprotected meth
Page 556 and 557:
Gateway Security 155 Gateway-level
Page 558 and 559:
Page 562:
Back cover IBM WebSphere V5.0 Secur
show all

IBM WebSphere V5.0 Security - CGISecurity

Create successful ePaper yourself

Delete template?

Save as template?