WebSphere(R) Application Server - Express is an Internet technology, and it is very crucial that you have a good Internet security policy in place before implementing WebSphere Application Server - Express. Even if your application runs only on your company's intranet, dangers still exist and your system needs to be protected.
While no system can ever be completely secured, you can implement certain security measures to discourage attacks. Before you deploy your WebSphere Application Server - Express solution, make sure you have studied and understand how your implementation affects your system security policy, and adjust your plan accordingly. See iSeries security resources for links to information about creating a system-wide security plan.
This topic covers two areas of security concerns for WebSphere Application Server - Express: protecting your WebSphere resources (such as servlets, JSP files, and HTML files) and protecting the WebSphere product itself (its files, directories, and user profiles).
Protect your WebSphere resources
To secure WebSphere Application Server - Express and your WebSphere resources, you have these options:
Securing Web resources with IBM HTTP Server for i5/OS
You can use Web server directives to limit access to your servlets and JSP files. Web server directive-based security is typically easier to configure than WebSphere security and may provide better performance.Securing Web resources with WebSphere security
WebSphere Application Server - Express provides a layered, role-based security architecture. WebSphere security supports Java(TM) 2 security, J2EE, and CORBA security. See this topic for information about developing, assembling, and deploying secured applications, as well as how to configure WebSphere security with the administrative console.
Protect the WebSphere product
See these topics for additional security information:
Run application servers under specific user profiles
By default, application servers run under the QEJBSVR user profile. If you want to use a different user profile, see this topic for instructions.Securing iSeries objects and files
This topic describes iSeries objects and files that need to be secured with i5/OS(R) security.Password encoding
This topic provides information about encoding passwords that are in configuration and properties files.