Web authentication settings

Use this page to specify the web authentication settings that are associated with a web client.

To view this administrative console page, complete the following steps:
  1. Click Security > Global security.
  2. Under Authentication, expand Web and SIP security and click General settings.
[AIX Solaris HP-UX Linux Windows][IBM i]You can override the global Web authentication settings that you select on this panel by specifying one or more of the following system properties on the server level. Complete the following steps to specify one of these system properties:
  1. Click Servers > Server Types > WebSphere application servers > server_name.
  2. Under Server infrastructure, click Java and Process Management > Process definition.
  3. Under Additional properties, click Java Virtual Machine > Custom Properties > New.
[z/OS]You can override the global Web authentication settings that you select on this panel by specifying one or more of the following system properties for the controller and the servant. Complete the following steps to specify one of these system properties for the controller:
  1. Click Servers > Server Types > WebSphere application servers > server_name.
  2. Under Server infrastructure, click Java and Process Management > Process definition.
  3. Under Additional properties, click Java Virtual Machine > Custom properties > New.
[z/OS]Complete the following steps to specify one of these system properties for the servant:
  1. Click Servers > Server Types > WebSphere application servers > server_name.
  2. Under Server infrastructure, click Java and Process Management > Process definition.
  3. Under Additional properties, click Java Virtual Machine > Custom properties > New.
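The server-level procedure above can also be scripted. The following wsadmin Jython script is an added example, not part of the IBM documentation; it creates or updates the JVM custom properties from Table 1 on one server, and the cell, node and server names are placeholders you must replace.

```jython
# Added example (not from the IBM documentation): wsadmin Jython script that sets
# the server-level web authentication JVM custom properties.  CELL, NODE and
# SERVER are placeholders.  Run with:  wsadmin.sh -lang jython -f setWebAuthReq.py
CELL = 'myCell'       # placeholder
NODE = 'myNode'       # placeholder
SERVER = 'server1'    # placeholder

# Values taken from Table 1: webAuthReq is one of lazy | persisting | always.
PROPS = {
    'com.ibm.wsspi.security.web.webAuthReq': 'persisting',
    'com.ibm.wsspi.security.web.failOverToBasicAuth': 'true',
}

def getJvm(cell, node, server):
    # Resolve the server, then its single JavaVirtualMachine configuration object
    # (the object behind Java Virtual Machine > Custom properties in the console).
    serverId = AdminConfig.getid('/Cell:%s/Node:%s/Server:%s/' % (cell, node, server))
    if not serverId:
        raise Exception('server %s on node %s not found' % (server, node))
    return AdminConfig.list('JavaVirtualMachine', serverId).splitlines()[0]

def setCustomProperty(jvm, name, value):
    # Modify an existing property of the same name instead of creating a duplicate,
    # so the script is safe to re-run.
    for prop in AdminConfig.list('Property', jvm).splitlines():
        if AdminConfig.showAttribute(prop, 'name') == name:
            AdminConfig.modify(prop, [['value', value]])
            return 'updated'
    AdminConfig.create('Property', jvm, [['name', name], ['value', value]])
    return 'created'

jvm = getJvm(CELL, NODE, SERVER)
for name, value in PROPS.items():
    print '%s %s=%s' % (setCustomProperty(jvm, name, value), name, value)
AdminConfig.save()   # persist to the master configuration; synchronize nodes and restart the server afterwards
```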
Table 1. Web authentication system property values

| Property name | Value | Explanation |
| --- | --- | --- |
| com.ibm.wsspi.security.web.webAuthReq | lazy | Equivalent to the Authenticate only when the URI is protected option. |
| com.ibm.wsspi.security.web.webAuthReq | persisting | Equivalent to the Use available authentication data when an unprotected URI is accessed option. |
| com.ibm.wsspi.security.web.webAuthReq | always | Equivalent to the Authenticate when any URI is accessed option. |
| com.ibm.wsspi.security.web.failOverToBasicAuth | true | Equivalent to the Default to basic authentication when certificate authentication for the HTTPS client fails option. |

Note: You can set webAuthReq differently through the administrative console or scripting when using a global or a security domain, but the global level always takes precedence.

Authenticate only when the URI is protected

The application server challenges the web client to provide authentication data when the web client accesses a Uniform Resource Identifier (URI) that is protected by a Java™ Platform, Enterprise Edition (Java EE) role. The authenticated identity is available only when the web client accesses a protected URI.

This option is the default Java EE web authentication behavior that is also available in previous releases of WebSphere® Application Server.

Note: When you select this option, the administrative console login page is missing images. You might encounter the following error in the administrative console: CWLAA6003: Could not display the portlet, the portlet may not be started. Check the error logs.

The missing images and the error message are a side effect of this option. The images do not display because the URIs for the images now require authentication, which means you must log in first. You can ignore this error message.

Default: Enabled

Use available authentication data when an unprotected URI is accessed

The web client can use previously validated authentication data that it otherwise could not access. This option enables a servlet that is reached through an unprotected URI to call the getRemoteUser, isUserInRole, and getUserPrincipal methods and retrieve the authenticated identity.

When you select this option with the Authenticate only when the URI is protected option, the web client can use authenticated data when the URI is protected or not protected.

Note: When this option is NOT selected and the Authenticate only when the URI is protected option is selected, the administrative console user interface can display several non-functional items that can be made functional by setting the enableSecurityIntegration flag to false. Follow these steps to correct this condition:
  1. Save the following commands to a Jython file (for example, updateDeployment.py) under the profile bin directory. The commands set the enableSecurityIntegration flag to false on the session management settings of the administrative console (isclite) application:
    # Locate the deployment object of the administrative console application
    isclite = AdminConfig.getid("/Deployment:isclite/")
    iscliteDepObject = AdminConfig.showAttribute(isclite, "deployedObject")
    # Attribute list to apply: disable security integration for the session manager
    attr1 = ['enableSecurityIntegration', 'false']
    attrs = [attr1]
    # showAttribute returns the config list as "[id]"; strip the surrounding brackets
    configs = AdminConfig.showAttribute(iscliteDepObject, "configs")
    appConfig = configs[1:len(configs)-1]
    # Modify the application's sessionManagement object and save to the master configuration
    SM = AdminConfig.showAttribute(appConfig, 'sessionManagement')
    AdminConfig.modify(SM, attrs)
    AdminConfig.save()
  2. Run wsadmin.bat -f your_script_name.py from the same profile bin directory.
  3. Restart the server and verify that the administrative console displays correctly.

When this option is selected and form-based authentication is used, a WASPostParam cookie is generated during the authentication procedure of the HTTP POST request even if the target URL is unprotected. WASPostParam is a temporary cookie that stores the HTTP POST parameters so they can be replayed after login. As a result, the web client receives this unnecessary cookie in the HTTP response, which can cause unexpected behavior when the cookie exceeds the browser's size limit. To avoid this behavior, set the custom property com.ibm.websphere.security.util.postParamMaxCookieSize so that the security code stops generating the cookie once the maximum size is reached.

Important: This option does not challenge the web client to provide authenticated data if the web client accesses an unprotected URI without authenticated data.
Default: Enabled

Authenticate when any URI is accessed

The web client must provide authentication data regardless of whether the URI is protected.

Default: Disabled

Default to basic authentication when certificate authentication for the HTTPS client fails

When the required HTTPS client certificate authentication fails, the application server uses the basic authentication method to challenge the web client to provide a user ID and password.

The HTTPS client certificate authentication that is performed by application server security is different from the client authentication that is performed by the web server plug-in. If you configure the web server plug-in for mutual authentication and client authentication fails, the following situations occur:
  • The web server produces an error, and the web request is not processed by application server security.
  • The application server cannot fail over to basic authentication.
Default: Disabled