About this task
WebSphere Application Server Session Manager integration with Security (or just session security) is a feature of the WebSphere Application Server Session Manager within WebSphere Portal. When active, this feature marks a session as owned by the first user that accesses a session that is not already marked as owned. If a session is already marked as owned, it checks that the owner is the same as the current user. If not, access to the session is not granted and, at minimum, a message with identifier SESN0008E is logged. In some cases an UnauthorizedSessionRequestException is thrown, with message SESN0008E as the cause. The message indicates the owner of the session and the identity that tried to access it; the identity is shown as anonymous if no identity exists. In this way, session security protects a session owned by user A against access by either user B or an anonymous user.

Note: There is a related feature, known in WebSphere Application Server as Use available authentication. When active, it causes WebSphere Application Server to set up a security context for a request even if the URL targeted by that request has no security constraint configured on it. Without it, an authenticated user who requests an unprotected URL runs as anonymous, so the session security check sees an identity different from the session owner and reports a mismatch. The setting therefore prevents spurious instances of these messages and exceptions in applications that mix authenticated access to protected URLs (such as the /myportal URL of WebSphere Portal) and unprotected URLs (such as /portal).
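As an added illustration (not WebSphere code), the following Python model shows the ownership check described above and why Use available authentication matters. The names PROTECTED_PREFIXES, Request and run_scenarios, and the rule that only an authenticated identity claims an unowned session, are assumptions of this model; the SESN0008E wording is modelled on the description in the text rather than quoted from WebSphere.

```python
"""Model of session ownership and "Use available authentication" (added illustration)."""
from dataclasses import dataclass
from typing import Optional

ANONYMOUS = "anonymous"
# Assumption of this model: URLs under these prefixes carry a security
# constraint, so the container always builds a security context for them.
PROTECTED_PREFIXES = ("/myportal",)


class UnauthorizedSessionRequestException(Exception):
    """Thrown (when so configured) instead of only logging a failed owner check."""


@dataclass
class Session:
    session_id: str
    owner: Optional[str] = None      # None until a user claims the session


@dataclass
class Request:
    url: str
    session_id: str
    # Identity asserted by a valid credential sent with the request (for
    # example an SSO cookie); None when no usable credential is present.
    credential: Optional[str] = None


def security_context_identity(req: Request, use_available_authentication: bool) -> str:
    """Identity the container establishes for the request.
    Without "Use available authentication" a security context is only set up for
    URLs with a security constraint; elsewhere the credential is ignored."""
    if req.credential is None:
        return ANONYMOUS
    if req.url.startswith(PROTECTED_PREFIXES) or use_available_authentication:
        return req.credential
    return ANONYMOUS


class SessionManager:
    def __init__(self, session_security=True, use_available_authentication=False,
                 raise_on_denial=False):
        self.session_security = session_security
        self.use_available_authentication = use_available_authentication
        self.raise_on_denial = raise_on_denial
        self.sessions = {}
        self.log = []                 # SESN0008E-style messages

    def access_session(self, req: Request) -> Optional[Session]:
        """Return the request's session, or None when session security denies it."""
        identity = security_context_identity(req, self.use_available_authentication)
        session = self.sessions.setdefault(req.session_id, Session(req.session_id))
        if not self.session_security:
            return session            # feature inactive: no ownership check at all
        if session.owner is None:
            # Assumption of this model: only an authenticated identity claims an
            # unowned session; anonymous access leaves it unowned.
            if identity != ANONYMOUS:
                session.owner = identity
            return session
        if session.owner == identity:
            return session
        # Owner mismatch: log SESN0008E (wording modelled on the text, not quoted
        # from WebSphere), refuse access and optionally throw as well.
        msg = (f"SESN0008E: A user authenticated as {identity} has attempted "
               f"to access a session owned by {session.owner}.")
        self.log.append(msg)
        if self.raise_on_denial:
            raise UnauthorizedSessionRequestException(msg)
        return None


def run_scenarios() -> dict:
    """Replay the cases discussed in the text; True means access was granted."""
    r = {}
    mgr = SessionManager(session_security=True, use_available_authentication=False)
    r["alice_myportal"] = mgr.access_session(Request("/myportal", "s1", "alice")) is not None
    r["alice_again"] = mgr.access_session(Request("/myportal", "s1", "alice")) is not None
    r["bob_same_session"] = mgr.access_session(Request("/myportal", "s1", "bob")) is not None
    r["anonymous_same_session"] = mgr.access_session(Request("/myportal", "s1")) is not None
    # alice hits an unprotected URL with her cookie: with "Use available
    # authentication" off she runs as anonymous and trips a spurious SESN0008E
    r["alice_portal_no_uaa"] = mgr.access_session(Request("/portal", "s1", "alice")) is not None
    uaa = SessionManager(session_security=True, use_available_authentication=True)
    uaa.access_session(Request("/myportal", "s2", "alice"))
    r["alice_portal_with_uaa"] = uaa.access_session(Request("/portal", "s2", "alice")) is not None
    r["denials_logged"] = len(mgr.log)
    return r


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Running the module replays the scenarios: the owner keeps access, a second user and an anonymous request are refused with a logged SESN0008E, and the owner's own request to the unprotected /portal URL is refused too until Use available authentication is switched on.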
In the base WebSphere Application Server version 8, this session security feature is active by default. In prior releases of WebSphere Application Server it was inactive by default. However, WebSphere Portal 8.0.0.0 explicitly deactivated this feature because it conflicted with a WebSphere Portal function. The conflict is resolved in WebSphere Portal 8.0.0.1 and later. If you are running WebSphere Portal 8.0.0.1 or later, including 8.0.0.1 CF07 on WebSphere Application Server 8.5.5, you can reactivate the WebSphere Application Server session security feature. Doing so is generally recommended by the WebSphere Application Server security hardening documentation.
If you are running WebSphere Portal 8.0.0.0, we strongly recommend that you upgrade to 8.0.0.1 and the most recent CF level. The newer service levels include important fixes, among them fixes for security vulnerabilities.
If you cannot upgrade from WebSphere Portal 8.0.0.0, you can still reactivate the WebSphere Application Server session security feature under most circumstances. The exception is the preview of Managed Pages as an anonymous user: if you use that function, do not activate session security on your authoring environment. If authoring and rendering are done on separate servers, you can activate session security on the rendering server, because no preview is done there.
To use session security and Use available authentication, enable both in the WebSphere Application Server administrative console.