Web component security

A web module consists of servlets, JavaServer Pages (JSP) files, server-side utility classes, static web content (HTML, images, sound files, and cascading style sheets (CSS)), and client-side classes or applets. You can use development tools such as Rational® Application Developer to develop a web module and enforce security at the method level of each web resource.

You can identify a web resource by its URI pattern. A web resource method can be any HTTP method (GET, POST, DELETE, or PUT, for example). You can group a set of URI patterns and a set of HTTP methods together and assign this grouping a set of roles. When a web resource method is secured by associating a set of roles with it, a user must be granted at least one role in that set to access that method. You can exclude everyone from accessing a set of web resources by assigning it an empty set of roles. A servlet or a JSP file can run as a different identity before it invokes an enterprise bean component. All secured web resources require the user to log in through a configured login mechanism. Three types of web login authentication mechanism are available: basic authentication, form-based authentication, and client certificate-based authentication.

In WebSphere® Application Server Version 6.1, a portlet resource that is part of a web module can also be protected when it is accessed directly through a URL. The protection is similar to that of other web-based resources.

For more detailed information on web security, see the product architectural overview topic.