Securing Web resources with IBM HTTP Server for i5/OS

You can use the protection directives of IBM HTTP Server for i5/OS to secure Web resources. Performance may be better when using this mechanism, but you lose the ability to administer all of your security information in the WebSphere administrative application.

If there are static resources such as images that need no security check to be applied, they may be served up directly by the HTTP server without the performance impact of checking the WebSphere security.

For example, if WebSphere protects resources within the URI /webapp/SecureWebApplication/servlet/*, you can specify a directive that lets the HTTP server serve images without a WebSphere security check. With the IBM HTTP Server (powered by Apache), add this directive to your Web server instance configuration:

  Alias /images/ /nonsecure/images/

Because WebSphere security does not apply to these resources, WebSphere Application Server - Express neither authenticates nor denies the request.

Note: The WebSphere administrative console can only be protected using WebSphere security, not Web server protection. However, when WebSphere security is enabled, Web server protection of servlets is not supported. If you are currently using Web server protection and want to enable WebSphere security, first remove the protection directives from the Web server configuration and then configure WebSphere security to protect your Web resources.

Additionally, servlets that are protected by a Web server obtain null when they call the getRemoteUser() or getAuthType() method of the request object if WebSphere security is enabled for the application server and WebSphere protection is not configured for the servlets. For more information, see Using getRemoteUser() and getAuthType() methods.

The WebSphere Application Server - Express product includes an internal HTTP server. The internal HTTP server cannot be configured to protect Web resources. In a production-level environment, you should ensure that the internal HTTP port number is not configured on the virtual host that is associated with the Web module.

To configure an IBM HTTP Server instance (powered by Apache), use the Location directive. The following example shows how to use the Location directive to protect the servlet /webapp/SecureServerWebApp/BasicServlet:

<Location /webapp/SecureServerWebApp/BasicServlet>
   AuthName happywas
   # Do not generate an i5/OS profile token for the authenticated user
   ProfileToken off
   AuthType Basic
   order deny,allow
   require valid-user
   allow from all
   deny from all
   # Validate the user ID and password against i5/OS user profiles
   PasswdFile %%SYSTEM%%
   # Run the request under the server's own user profile
   UserID %%SERVER%%
</Location>
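Before enabling WebSphere security you must locate every <Location> block that still carries Web server protection directives, and it helps to see which Alias paths are served with no WebSphere security check at all. The following Python script is an added example, not part of the IBM documentation or product; it scans an instance configuration in the format shown above, and the configuration text embedded in it is constructed from the directives on this page.

```python
# Added example (not IBM's code): audit an IBM HTTP Server (powered by Apache)
# instance configuration for the Web server protection directives this page
# describes, so they can be located before WebSphere security is enabled.
import re

PROTECTION_DIRECTIVES = {"authtype", "authname", "require", "passwdfile",
                         "userid", "profiletoken"}
LOCATION_RE = re.compile(r"<Location\s+(?P<uri>\S+)\s*>(?P<body>.*?)</Location>",
                         re.IGNORECASE | re.DOTALL)
ALIAS_RE = re.compile(r"^\s*Alias\s+(\S+)\s+(\S+)", re.IGNORECASE | re.MULTILINE)

def find_protected_locations(conf):
    """Map each <Location> URI to its sorted protection directives; blocks with none are omitted."""
    found = {}
    for m in LOCATION_RE.finditer(conf):
        names = set()
        for line in m.group("body").splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                name = line.split(None, 1)[0].lower()
                if name in PROTECTION_DIRECTIVES:
                    names.add(name)
        if names:
            found[m.group("uri")] = sorted(names)
    return found

def unsecured_aliases(conf):
    """(url_path, fs_path) pairs for Alias directives: served with no WebSphere security check."""
    return [(m.group(1), m.group(2)) for m in ALIAS_RE.finditer(conf)]

SAMPLE_CONF = """\
# constructed sample instance configuration, mirroring this page's directives
Alias /images/ /nonsecure/images/
<Location /webapp/SecureServerWebApp/BasicServlet>
   AuthName happywas
   ProfileToken off
   AuthType Basic
   order deny,allow
   require valid-user
   allow from all
   deny from all
   PasswdFile %%SYSTEM%%
   UserID %%SERVER%%
</Location>
"""

if __name__ == "__main__":
    for uri, names in find_protected_locations(SAMPLE_CONF).items():
        print(uri, "-> remove before enabling WebSphere security:", ", ".join(names))
    for url, path in unsecured_aliases(SAMPLE_CONF):
        print("Alias", url, "served from", path, "with no WebSphere security check")
```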

For more information about configuring an IBM HTTP Server instance, see the IBM HTTP Server for i5/OS documentation in the iSeries Information Center.

Note: The WebSphere Application Server - Express product contains an internal HTTP server that is used for testing applications and to serve the administration application without the use of an external HTTP server. If you decide to protect your WebSphere resources with IBM HTTP Server (powered by Apache), which is the external HTTP server, you must disable access to the internal HTTP server.

To disable access to the internal HTTP server, perform these steps in the WebSphere administrative console:

  1. In the navigation menu, click Environment --> Virtual Hosts.
  2. In the Virtual Hosts page, click the name of the virtual host (for example, default_host).
  3. Under Additional Properties, click Host Aliases.
  4. Select the entry with a Port number that does not correspond to the external HTTP server port. (By default, the external port number is 80. In this case, select the host name with a port other than 80.)
  5. Click Delete.
  6. Click Save to save your configuration.