ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzatz_5.4.0.1/51/program/sessec.htm

78 lines
4.9 KiB
HTML
Raw Permalink Normal View History

2024-04-02 14:02:31 +00:00
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Sessions security</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h4><a name="sessec"></a>Sessions security</h4>
<p>HTTP sessions and security can be integrated in WebSphere Application Server - Express for iSeries. When security integration is enabled in Session Manager and a session is accessed in a protected resource, every resource from then on must be secured. You cannot mix secured and unsecured resources, otherwise you may incur an UnauthorizedSessionRequest exception when the unsecured resource attempts to access an authenticated session (see chart below). Security integration in Session Manager is supported only through the Lightweight Third-Party Authentication (LTPA) authentication mechanism. If you are using Simple WebSphere Authentication Mechanism (SWAM) as your authentication mechanism, you cannot integrate security with the Session Manager.</p>
<p><strong>Security integration rules for HTTP sessions</strong></p>
<ul>
<li>Sessions in unsecured pages are treated as accesses by anonymous users.</li>
<li>Sessions created in unsecured pages are created under the identity of that anonymous user.</li>
<li>Sessions in secured pages are treated as accesses by the authenticated user.</li>
<li>Sessions created in secured pages are created under the identity of the authenticated user. They can only be accessed in other secured pages by the same user. To protect these sessions from use by unauthorized users, they cannot be accessed from an insecure page.</li>
</ul>
<p><strong>Programmatic details and scenarios</strong></p>
<p>WebSphere Application Server - Express maintains the security of individual sessions.</p>
<p> An identity or user name, readable by the com.ibm.websphere.servlet.session.IBMSession interface, is associated with a session. An unauthenticated identity is denoted by the user name <tt>anonymous</tt>. WebSphere Application Server - Express includes the com.ibm.webSphere.servlet.session.UnauthorizedSessionRequestException interface, which is used when a session is requested without the necessary credentials. For more information on these interfaces, see <a href="apidocs/ae/com/ibm/websphere/servlet/session/package-summary.html">Package com.ibm.websphere.servlet.session</a>. <img src="api.gif" width="18" height="15" align="bottom" alt="Go to API documentation"></p>
<p>The Session Manager uses the WebSphere Application Server - Express security infrastructure to determine the authenticated identity associated with a client HTTP request that either retrieves or creates a session. WebSphere Application Server - Express security determines identity using certificates, LTPA, and other methods.</p>
<p>After obtaining the identity of the current request, the Session Manager determines whether the session requested using a getSession() call should be returned.</p>
<p>The table lists possible scenarios in which security integration is enabled. The security integration outcomes depend on whether the HTTP request was authenticated and whether a valid session ID and user name was passed to the Session Manager. </p>
<table border="1" cellpadding="3" width="680">
<!-- cols="25 40 35" width="page" -->
<tr>
<th width="100">Scenario</th>
<th width="280">Unauthenticated HTTP request is used to retrieve a session</th>
<th width="300">HTTP request is authenticated, with an identity of <tt>FRED</tt> used to retrieve a session</th>
</tr>
<tr valign="top">
<td width="100">No session ID was passed in for this request, or the ID is for a session that is no longer valid</td>
<td width="280">A new session is created. The user name is <tt>anonymous</tt></td>
<td>A new session is created and the user name is marked as <tt>FRED</tt></td>
</tr>
<tr valign="top">
<td width="100">A session ID for a valid session is passed in. The current session user name is <tt>anonymous</tt></td>
<td width="280">The session is returned</td>
<td width="300">The session is returned. The Session Manager changes the user name to <tt>FRED</tt></td>
</tr>
<tr valign="top">
<td width="100">A session ID for a valid session is passed in. The current session user name is <tt>FRED</tt></td>
<td width="280">The session is not returned. UnauthorizedSessionRequestException is thrown</td>
<td width="300">The session is returned.</td>
</tr>
<tr valign="top">
<td width="100">A session ID for a valid session is passed in. The current session user name is <tt>BOB</tt></td>
<td width="280">The session is not returned.
<br>UnauthorizedSessionRequestException is thrown.</td>
<td width="300">The session is not returned.
<br>UnauthorizedSessionRequestException is thrown.</td>
</tr>
</table>
</body>
</html>