How do I secure applications and their environments?

Follow these shortcuts to get started quickly with popular tasks.

Most of the security for an application is configured during the assembly stage. The security you configure during the assembly stage is called declarative security because the security is declared or defined in the deployment descriptors.
Secure HTTP sessions

Most of the security for an application is configured during the assembly stage. The security you configure during the assembly stage is called declarative security because the security is declared or defined in the deployment descriptors. The declarative security is enforced by the security run time.
Develop applications that use programmatic security

Most of the security for an application is configured during the assembly stage. The security you configure during the assembly stage is called declarative security because the security is declared or defined in the deployment descriptors. The declarative security is enforced by the security run time.
Configure declarative security for EJB applications that use J2EE authorization

Most of the security for an application is configured during the assembly stage. The security you configure during the assembly stage is called declarative security because the security is declared or defined in the deployment descriptors. The declarative security is enforced by the security run time.
Develop programmatic security for EJB applications that use J2EE authorization

Use any of the available methods to integrate message-level security into an application serving environment. Web Services Security for WebSphere Application Server is based on a set of standards that are included in the Web Services Security (WS-Security) specification. These standards address how to provide protection for messages that are exchanged in a web services environment. The set of specifications defines the core facilities for protecting the integrity and confidentiality of a message and provides mechanisms for associating security-related claims with the message.
Apply Web Services Security (WS-Security) to applications

Use any of the available methods to integrate message-level security into an application serving environment. Web Services Security for WebSphere Application Server is based on a set of standards that are included in the Web Services Security (WS-Security) specification. These standards address how to provide protection for messages that are exchanged in a web services environment. The set of specifications defines the core facilities for protecting the integrity and confidentiality of a message and provides mechanisms for associating security-related claims with the message.
Enable Java™ 2 security with the console

Use any of the available methods to integrate message-level security into an application serving environment. Web Services Security for WebSphere Application Server is based on a set of standards that are included in the Web Services Security (WS-Security) specification. These standards address how to provide protection for messages that are exchanged in a web services environment. The set of specifications defines the core facilities for protecting the integrity and confidentiality of a message and provides mechanisms for associating security-related claims with the message.
Enable Java 2 security with scripting

If you plan to write a login module that adds information to the Subject of a system login, refer to this topic for the main Java Authentication and Authorization Service (JAAS) plug-in points for configuring system logins.
Developing custom login modules

Secure the Java DataBase Connectivity (JDBC) data sources and Java 2 Connector (J2C) resources that are used by applications to access data.
Enable resource security for J2C and JDBC data sources

Secure the Java DataBase Connectivity (JDBC) data sources and Java 2 Connector (J2C) resources that are used by applications to access data.
Enable resource security for JavaMail

Implement a custom authentication provider using JASPI

Secure the application hosting environment. The counterpart of securing your applications before and after deployment is to secure the server hosting environment into which the applications are deployed.

[AIX Solaris HP-UX Linux Windows] Use the administrative console to assign users to administrative roles.
Secure the administrative environment before installation

[AIX Solaris HP-UX Linux Windows] Use the administrative console to assign users to administrative roles.
Secure the administrative environment after installation

Use the administrative console to assign users to administrative roles.
Assign users to roles

Scripting is a non-graphical alternative that you can use to configure and manage WebSphere Application Server. Use the WebSphere Application Server wsadmin tool to run scripts. The wsadmin tool supports a full range of product administrative activities.
Configure security with wsadmin scripting

By default, security is enabled out of box. You have an opportunity to modify the default whenever you create a profile, at installation time or any other time. If you do not deselect it, administrative security will be enabled for a profile. Out of box security authenticates users against the file-based federated repository powered by virtual member manager.

Enable security to protect your server from unauthorized users. You are then able to provide application isolation and requirements for authenticating application users.
Enable and configure administrative security with the console

Use scripting to enable or disable application security, global security, administrative security based on the LocalOS registry, and authentication mechanisms.
Enable and configure administrative security with scripting

Configure the product to authenticate users against the local operating system user registry. The respective operating system APIs are called by the product processes or servers for authenticating a user and other security-related tasks.
Authenticate users with the local operating system user registry

Configure the product to authenticate users against a Lightweight Directory Access Protocol (LDAP) user registry. The product provides and supports implementation of most major LDAP directory servers, which can act as the repository for user and group information. These LDAP servers are called by the product processes or servers for authenticating a user and other security-related tasks, for example, getting user or group information. This support is provided by using different user and group filters to obtain the user and group information. These filters have default values that you can modify to fit your needs. The custom LDAP feature enables you to use any other LDAP server, which is not in the product-supported list of LDAP servers, for its user registry by using the appropriate filters.
Authenticate users with an LDAP user registry

After you implement the UserRegistry interface, you can configure the product to use your custom user registry to authenticate users. Your custom user registry can be supplied by an external security provider to enable the provider's solution, or you can write your own custom user registry.
Authenticate with a custom user registry

The realm can consist of identities in the file-based repository that is built into the system, in one or more external repositories, or in both the built-in, file-based repository and in one or more external repositories.
Authenticate with the file-based federated repository

With single sign-on (SSO) support, web users can authenticate once when accessing web resources across multiple WebSphere Application Servers. Form login mechanisms for web applications require that SSO is enabled.
Set up single sign-on (SSO)

Secure Sockets Layer (SSL) is used by multiple components within WebSphere Application Server to provide trust and privacy. Users of SSL include the built-in HTTP transport, the Object Request Broker (ORB), and the secure LDAP client.
Access secure resources using SSL and applet clients

This task shows you how to define SSL configurations, including quality of protection and trust and key manager settings.
Set up Secure Sockets Layer (SSL) between remote servers or clients and servers

Configure Common Secure Interoperability Version 2 (CSIv2) features including SSL client certificate authentication, message layer authentication, identity assertion, and security attribute propagation.
Set up CSIv2

Configure the product to use an external security provider that you have set up to work with WebSphere Application Server and that can support J2EE authorization based on the Java Authorization Contract for Containers (JACC) specification.
Configure an authorization provider

Troubleshoot several types of problems that are related to enabling or configuring security.
Troubleshoot security