<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Securing Web resources with IBM HTTP Server for i5/OS</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h2><a name="sechttp"></a>Securing Web resources with IBM HTTP Server for i5/OS</h2>
<p>You can use the protection directives of IBM HTTP Server for i5/OS to secure Web resources. Performance may be better when using this mechanism, but you lose the ability to administer all of your security information in the WebSphere administrative application.</p>
<p>If there are static resources such as images that need no security check to be applied, they may be served up directly by the HTTP server without the performance impact of checking the WebSphere security.</p>
<p>For example, if WebSphere has resources within the URI <tt>/webapp/SecureWebApplication/servlet/*</tt>, a directive could be specified to allow the serving of images without a WebSphere security check. With the IBM HTTP Server (powered by Apache), you can add this directive to your Web server instance configuration:</p>
<pre> Alias /images/ /nonsecure/images/</pre>
<p>Because WebSphere security does not apply to these resources, WebSphere Application Server - Express neither authenticates nor denies the request.</p>
<p><strong>Note:</strong> The WebSphere administrative console can only be protected using WebSphere security, not Web server protection. However, when WebSphere security is enabled, Web server protection of servlets is not supported. If you are currently using Web server protection and want to enable WebSphere security, first remove the protection directives from the Web server configuration and then configure WebSphere security to protect your Web resources.</p>
<p>Additionally, servlets that are protected by a Web server obtain null when they call the getRemoteUser() or getAuthType() method of the request object if WebSphere security is enabled for the application server and WebSphere protection is not configured for the servlets. For more information, see <a href="secgetru.htm">Using getRemoteUser() and getAuthType() methods</a>.</p>
<p>The WebSphere Application Server - Express product includes an internal HTTP server. The internal HTTP server cannot be configured to protect Web resources. In a production-level environment, you should ensure that the internal HTTP port number is <strong>not</strong> configured on the virtual host that is associated with the Web module.</p>
<p>To configure an IBM HTTP Server instance (powered by Apache), use the Location directive. The following example shows how to use the Location directive to protect the servlet /webapp/SecureServerWebApp/BasicServlet:</p>
<pre>&lt;Location /webapp/SecureServerWebApp/BasicServlet&gt;
AuthName happywas
ProfileToken off
AuthType Basic
order deny,allow
require valid-user
allow from all
deny from all
PasswdFile %%SYSTEM%%
UserID %%SERVER%%
&lt;/Location&gt;</pre>
<p>For more information about configuring an IBM HTTP Server instance, see the IBM HTTP Server for i5/OS documentation in the iSeries Information Center:</p>
<ul>
<li><a href="../../../icbase/rzaie/v5r2rzaiemain.htm" target="_blank">For V5R2</a></li>
<li><a href="../../../icbase/rzaie/v5r3rzaiemain.htm" target="_blank">For V5R3</a></li>
<li><a href="../../../rzaie/rzaiemain.htm">For V5R4</a></li>
</ul>
<p><strong>Note:</strong> The WebSphere Application Server - Express product contains an internal HTTP server that is used for testing applications and to serve the administration application without the use of an external HTTP server. If you decide to protect your WebSphere resources with IBM HTTP Server (powered by Apache), which is the external HTTP server, you must disable access to the internal HTTP server.</p>
<p>To disable access to the internal HTTP server, perform these steps in the WebSphere administrative console:</p>
<ol>
<li>In the navigation menu, click <strong>Environment --&gt; Virtual Hosts</strong>.</li>
<li>In the Virtual Hosts page, click the name of the virtual host (for example, default_host).</li>
<li>Under <strong>Additional Properties</strong>, click <strong>Host Aliases</strong>.</li>
<li>Select the entry with a Port number that does not correspond to the external HTTP server port. (By default, the external port number is 80. In this case, select the host name with a port other than 80.)</li>
<li>Click <strong>Delete</strong>.</li>
<li>Click <strong>Save</strong> to save your configuration.</li>
</ol>
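<p>The following audit sketch is an added example, not part of the IBM documentation. It checks a Web server configuration for Location blocks that lack the authentication directives shown above, and lists host aliases that would still let requests bypass the external HTTP server. The function names, the OtherServlet block, port 9080, and the choice of AuthType, require and PasswdFile as the required set are assumptions made for illustration.</p>

```python
import re

# Directives that make the page's <Location> example demand a login (assumed minimum set).
REQUIRED = ("authtype", "require", "passwdfile")

# Constructed sample: the page's block plus a hypothetical, incomplete OtherServlet block.
SAMPLE_CONF = """
Alias /images/ /nonsecure/images/
<Location /webapp/SecureServerWebApp/BasicServlet>
AuthName happywas
ProfileToken off
AuthType Basic
order deny,allow
require valid-user
allow from all
deny from all
PasswdFile %%SYSTEM%%
UserID %%SERVER%%
</Location>
<Location /webapp/SecureServerWebApp/OtherServlet>
AuthName happywas
require valid-user
</Location>
"""
# Constructed sample of default_host host aliases; port 9080 stands in for the internal HTTP port.
SAMPLE_ALIASES = [("*", 80), ("*", 9080)]

def audit_locations(conf_text):
    """Map each <Location> path to the required directives it lacks."""
    findings = {}
    for m in re.finditer(r"<Location\s+(\S+?)>(.*?)</Location>", conf_text, re.S | re.I):
        present = {ln.split()[0].lower() for ln in m.group(2).splitlines()
                   if ln.strip() and not ln.strip().startswith("#")}
        missing = [d for d in REQUIRED if d not in present]
        if missing:
            findings[m.group(1)] = missing
    return findings

def bypass_aliases(host_aliases, external_port=80):
    """Host aliases on any port other than the external HTTP server's port.
    Requests to these ports reach the Web module without passing the Location checks."""
    return [(h, p) for h, p in host_aliases if int(p) != external_port]

if __name__ == "__main__":
    print("incomplete Location blocks:", audit_locations(SAMPLE_CONF))
    print("host aliases to delete:", bypass_aliases(SAMPLE_ALIASES))
```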
</body>
</html>