Best practices for authentication/authorization using WAS 6 - Websphere



Thread: Best practices for authentication/authorization using WAS 6

  1. Best practices for authentication/authorization using WAS 6

    I want to secure my J2EE apps using the standard J2EE security infrastructure, using security roles and principals, however doing this in WAS is not easy....

    All applications I have been involved with have user information (userid, password) stored in a database, so you want to make the authentication/authorization process use this information.

    If I look into the WAS documentation regarding these issues I see the following alternatives: Local OS, LDAP, Custom Registry, Federated registries.

    Since "Federated registries" using a database implies using special tables etc the only option left is implementing a "Custom Registry".

    Implementing a "Custom Registry" is not a simple task; from other postings I can see that many users have trouble with this. Many restrictions apply, e.g. you can not use datasources etc.

    Why has IBM implemented the security framework in Websphere so that the most common use case (authenticating a user against a custom database table) is not directly supported??

    My experience is that due to the complexity of the security model and the fact that all J2EE containers have different ways of assigning users to roles etc, most apps do not use the security framework at all. Instead each application uses custom authentication/authorization mechanisms.

    Does anyone have any input on these issues?? What's the best way to integrate an existing database with user information into the J2EE security framework??

    /Mikael

  2. Re: Best practices for authentication/authorization using WAS 6

    mikael.lindkvist@infodata.se wrote:
    > I want to secure my J2EE apps using the standard J2EE security
    > infrastructure, using security roles and principals, however doing
    > this in WAS is not easy....
    >
    > All applications I have been involved with have user information
    > (userid, password) stored in a database so you want to make the
    > authentication/authorization process use this information.


    That's typical when a company has no security strategy and every project
    does their own thing. It's a very immature approach, from an IT
    governance perspective.

    >
    > If I look into the WAS documentation regarding these issues I see the
    > following alternatives: Local OS, LDAP, Custom Registry, Federated
    > registries.
    >
    > Since "Federated registries" using a database implies using special
    > tables etc the only option left is implementing a "Custom Registry".


    Yes, a CUR is the right approach if you intend to keep your users in a
    database. However, a better approach is to get your user information out
    of the database and into a directory. You're going to have a hard time
    getting single sign-on across applications if every project manages
    their own users.

    > Implementing a "Custom Registry" is not a simple task; from other
    > postings I can see that many users have trouble with this. Many
    > restrictions apply, e.g. you can not use datasources etc.


    If you need assistance, we have people who have done this for other
    customers and can help you.
    http://www-128.ibm.com/developerwork...here/services/
    >
    > Why has IBM implemented the security framework in Websphere so that
    > the most common use case (authenticating a user against a custom
    > database table) is not directly supported??


    Actually, the most common use case, and the recommended approach, is to
    authenticate against an LDAP directory.

    >
    > My experience is that due to the complexity of the security model and
    > the fact that all J2EE containers have different ways of assigning
    > users to roles etc, most apps do not use the security framework at
    > all. Instead each application uses custom
    > authentication/authorization mechanisms.


    >
    > Does anyone have any input on these issues?? What's the best way to
    > integrate an existing database with user information into the J2EE
    > security framework??


    See my paper on this topic. The recommended approach is to use the
    container capabilities where they are useful, and extend where they are
    not.

    http://www-128.ibm.com/developerwork...7_ilechko.html
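As an added example (not from this thread and not IBM's WebSphere code): the two lookups a custom user registry has to perform against a user table, the password check and the user-to-group mapping discussed in the first post and in the reply above, done with plain JDBC through DriverManager because the registry cannot use container datasources. The table and column names, the JDBC URL handling and the hashing scheme are assumptions; a real registry must implement the full com.ibm.websphere.security.UserRegistry interface, which has further methods not shown here, and a production system should store passwords with a purpose-built password hash rather than a single SHA-256 round.

```java
import java.security.MessageDigest;
import java.sql.*;
import java.util.*;

/** Password and group lookups that a WAS custom user registry could delegate to.
 *  Assumed (constructed) schema: app_user(userid, pw_salt, pw_hash) and
 *  user_group(userid, groupname), with pw_hash = hex(SHA-256(pw_salt + password)). */
public class DbUserStore {
    private final String url, dbUser, dbPass; // plain JDBC: the registry cannot use a container datasource
    public DbUserStore(String url, String dbUser, String dbPass) {
        this.url = url; this.dbUser = dbUser; this.dbPass = dbPass;
    }

    /** True only if the user exists and the stored hash matches the supplied password. */
    public boolean checkPassword(String userid, String password) throws Exception {
        Connection c = DriverManager.getConnection(url, dbUser, dbPass);
        try {
            PreparedStatement ps = c.prepareStatement(
                "SELECT pw_salt, pw_hash FROM app_user WHERE userid = ?"); // bound parameter, not concatenation
            ps.setString(1, userid);
            ResultSet rs = ps.executeQuery();
            if (!rs.next()) return false; // unknown user and wrong password look the same to the caller
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] actual = md.digest((rs.getString("pw_salt") + password).getBytes("UTF-8"));
            byte[] expected = hexToBytes(rs.getString("pw_hash"));
            return MessageDigest.isEqual(expected, actual); // non-short-circuit compare on current JREs
        } finally {
            c.close(); // also closes the statement and result set
        }
    }

    /** Group names for a user; WAS maps groups to the J2EE security roles the application declares. */
    public List<String> getGroupsForUser(String userid) throws SQLException {
        List<String> groups = new ArrayList<String>();
        Connection c = DriverManager.getConnection(url, dbUser, dbPass);
        try {
            PreparedStatement ps = c.prepareStatement("SELECT groupname FROM user_group WHERE userid = ?");
            ps.setString(1, userid);
            ResultSet rs = ps.executeQuery();
            while (rs.next()) groups.add(rs.getString(1));
        } finally {
            c.close();
        }
        return groups;
    }
    private static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        return out;
    }
}
```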

