文档详细内容(约15页)
IBM Software Group I WebSphere Software IBM WebSphere Application Server v6 WebSphere V6 Security DE: 1-=v. Agenda Web Sphere Security model Java Authorization Contract for Containers(JACC) specification Tivoli Access Manager(TAM) Client integration in Web Sphere
1 ® IBM Software Group | WebSphere Software Product Introduction + Exploration IBM WebSphere Application Server v6 WebSphere V6 Security IBM Software Group 2 WebSphere Security © 2004 IBM Corporation Agenda WebSphere Security model Java Authorization Contract for Containers (JACC) specification Tivoli Access Manager (TAM) Client integration in WebSphere
Section Security Basics Authentication Authentication involves validating a client's identity Client can be either an end user, a machine, or an application An authentication mechanism defines b Rules about security information b How security information is stored in both credentials and b Whether a credential can be forwarded to another process May use an Authentication Registry Registry stores userid, password and other user informatio Certificate provides alternative way to establish identity
2 IBM Software Group 3 WebSphere Security © 2004 IBM Corporation Security Basics Security Basics Section IBM Software Group 4 WebSphere Security © 2004 IBM Corporation Authentication Authentication involves validating a client’s identity �Client can be either an end user, a machine, or an application An authentication mechanism defines �Rules about security information �How security information is stored in both credentials and tokens �Whether a credential can be forwarded to another process May use an Authentication Registry �Registry stores userid, password and other user information �Certificate provides alternative way to establish identity
Authorization Authorization is the process that verifies a client has the ppropriate privileges to perform an operation b Information can be stored many ways J2EE uses role based authorization During assembly, permissions to call methods are given to b Roles define a set of permissions within an application During deployment users and groups are assigned to these Access Decision Example Calling Methodo J2EE Server 2. Check the credentials-if successful, create a Subject with the user information including the groups that the user belongs to 3. Get the required roles for the method from the deployment descriptor 4. Get the assigned roles for the user from the binding file 5. If the required roles match any assigned roles, access is permitted Otherwise denied
3 IBM Software Group 5 WebSphere Security © 2004 IBM Corporation Authorization Authorization is the process that verifies a client has the appropriate privileges to perform an operation �Information can be stored many ways Access-control list, capability lists J2EE uses role based authorization �During assembly, permissions to call methods are given to various roles �Roles define a set of permissions within an application �During deployment users and groups are assigned to these roles IBM Software Group 6 WebSphere Security © 2004 IBM Corporation Access Decision Example 1. Challenge the requester to provide credentials (name/password) 2. Check the credentials - if successful, create a Subject with the user information including the groups that the user belongs to 3. Get the required roles for the method from the deployment descriptor 4. Get the assigned roles for the user from the binding file 5. If the required roles match any assigned roles, access is permitted � Otherwise denied Request Calling Method() J2EE Server
Section WebSphere Security Model Security Layers WebSphere/Application Naming, HTML, Admin rvlet/JSP ↓ Access Contro WebSphere Security WebSphere Security J2EE Security API CORBA Security /CSIv2 Java Securit Java 2 Security JVM 1.4 Security atform Security Operating System Security
4 IBM Software Group 7 WebSphere Security © 2004 IBM Corporation WebSphere Security Model WebSphere Security Model Section IBM Software Group 8 WebSphere Security © 2004 IBM Corporation Security Layers Platform Security Java Security WebSphere Security WebSphere/Application Resources Operating System Security JVM 1.4 Security Java 2 Security CORBA Security / CSIv2 J2EE Security API WebSphere Security HTML, Servlet/JSPs, EJBs Naming, Admin Access Control
Security Feature Comparison Java2 Security-Access to System Resources Enforce access control, based on the location of the code and who signed it Not based on the prind Defined in Policy files Enforced at runtime Java Authentication and Authorization Service(JAAS) b Enforce access control based on the current Principal/Subject b Defined in Application Code Enforced programmatically J2EE Security-Authorization b Role based security b Defined in configuration settings or within Application Code b Enforced by runtime and/or programmatically Java Authorization Contract for Containers(JACC) Java 2 Security JVM Provides an access control mechanism class to manage the applications access to 2 Security system level resources > File I/o. Network Connections (Sockets), Property files, etc Policies define a set of permissions available from various signers and/or certain System Resources code locations b Stored in Policy files Java code will need to get the ermission from java 2 Access All Java code runs under a security Control Access Control looks at the java b Grants access to certain resources 2 Policy file(s )to determine if the requesting Java code has the appropriate permission 5
5 IBM Software Group 9 WebSphere Security © 2004 IBM Corporation Security Feature Comparison Java2 Security – Access to System Resources � Enforce access control, based on the location of the code and who signed it – Not based on the principal � Defined in Policy files � Enforced at runtime Java Authentication and Authorization Service (JAAS) � Enforce access control based on the current Principal/Subject � Defined in Application Code � Enforced programmatically J2EE Security - Authorization � Role based security � Defined in configuration settings or within Application Code � Enforced by runtime and/or programmatically Java Authorization Contract for Containers (JACC) IBM Software Group 10 WebSphere Security © 2004 IBM Corporation Java 2 Security Provides an access control mechanism to manage the application’s access to system level resources �File I/O, Network Connections (Sockets), Property files, etc… �Policy-based Policies define a set of permissions available from various signers and/or code locations �Stored in Policy files All Java code runs under a security policy �Grants access to certain resources Java code needs access to certain System Resources Java code will need to get the permission from Java 2 Access Control Access Control looks at the Java 2 Policy file(s) to determine if the requesting Java code has the appropriate permission Java Class System Resource Protection Domain Java 2 Security Permissions Security Manager Access Controller Java 2 Policy Files JVM
