Date: 2005-08-01
Author: gauss
Category: safety certificate

Safety mode design of electronic platform
1. Foreword

Because the office information handled by the electronic platform is sensitive, and because the network is virtual and open, the electronic platform system needs strong security at every layer: user access security, network security, system security, application security, and database and transaction manager security. The system adopts the J2EE framework to meet these needs: part of the security task is handed to the container, and the application itself provides the code that completes the rest of the security task.
2. Overall design of the program

In the security system of the electronic platform we mainly apply centralized certification, system password encryption, Web module role configuration, and EJB module role configuration. The design schematic of the whole security system is shown below:

(Figure: Electronic platform security system diagram)
2.1 Centralized certification

Centralized certification uses the CA institution's authentication server together with a Web application. The verification process for the client's digital certificate is the same as in ordinary authentication, and information is transmitted over HTTPS. After verification completes, the CA institution's Web application forwards to the location specified in its configuration file (here we set it to the top page of the electronic platform system), and at the same time places some information about the authentication into a client cookie. In this way, when a user logs in to our electronic platform system, we only need to call the authentication interface provided by the CA agency to verify the user. Because this call is made over HTTP, it brings large improvements: security is ensured while the impact on the electronic platform system is small, which helps the development, integration and updating of the system. To better illustrate the difference between centralized certification and ordinary certification, I did the following comparison:

(Figure: Centralized certification vs. ordinary certification)

Below we focus on the application of centralized certification in the electronic platform system. The following are the network flow diagram of the electronic platform's centralized certification process and the flow chart of the centralized certification program:

(Figure: Flowchart for electronic platform application centralized certification)

(Figure: System application centralized certification login and registration procedure)
Some of the concepts on centralized certification mentioned above can be found in "Some basic concepts of CA" and "Public key infrastructure (PKI) technology". How to deploy the specific service certificate and the CA certification body's Auth.war, and how to apply them in the electronic platform, is described in the "Centralized Certification Application" document. The authentication interface provided by the CA agency is called at the end of LoginAction / regacion. How to implement it is discussed in detail in "Matters to notice during the system development process" below.
2.2 J2EE safety system

The electronic platform adopts the advanced and popular MVC three-layer (or multi-layer) technical architecture, whose layers are View, Controller and Model, as shown below:

(Figure: MVC architecture)

Separating the business logic layer from the view not only facilitates development but also helps ensure the security of the data.

J2EE application security

J2EE applications use a role-based security mechanism. During development, we determine the application's security policy by assigning secured resources and methods to specific security roles. During application assembly, the security roles are mapped to real users and groups. This two-stage security management gives the application great flexibility and portability; at run time, the J2EE container is responsible for enforcing access control on the resources and methods.

J2EE containers support two types of security:
· Declarative security
· Programmatic security

Declarative security, as the name says, is defined mainly in the deployment descriptor: no code is required, and the J2EE container enforces the security policy that is defined there. Programmatic security requires the programmer to guarantee J2EE security in code. We use declarative security in this system. Their advantages and disadvantages are:

Name | Advantage | Disadvantage
Declarative security | No code is required, which reduces programmers' coding workload; changing roles is convenient. | Poor flexibility; more troublesome when deploying.
Programmatic security | Good flexibility; security can be customized according to the needs of the business. | Requires coding, adding to programmers' workload; changing roles is inconvenient because the code must be modified.

In the electronic platform project we try to use declarative security, and use programmatic security only where declarative security cannot meet the business demand. Below we discuss the Web module and the EJB module separately:
2.21 Web module

The roles used in the Web module are as follows:

Public user: EVERYONE
Business user: Enterprise
Quality inspection user: Organ
Municipal Supervision Bureau: City_SURVEILLANCE
Provincial Supervision Bureau: Province_surveillance
State Supervision Bureau: Country_Surveillance
Platform administrator: Plat_Manager

During development and deployment these can be changed and added to according to need.
(A) Define the verification method

The verification mechanism defines how clients are verified by the Web application. Before any validation constraint is applied, the user must pass the verification process using the configured mechanism. The Servlet specification defines four mechanisms for verifying users: basic verification, digest verification, client certificate verification, and form-based verification. The electronic platform system mainly adopts client certificate verification and form-based verification; the certificate is used in the centralized certification mode.
(B) Define security roles

In the Web deployment descriptor web.xml, every security role used in the Web module must be named, with an optional description text. A role is a placeholder that is mapped to real users and user groups when the application is deployed.
(C) Define security constraints

Multiple security constraints can be defined in the Web module. Security constraints declare how the application is protected. For a given security constraint we define two features:

· Web resource collection: a Web resource collection is a group of URL patterns and the HTTP methods on the resources represented by those patterns. A security constraint can have multiple Web resource collections.
· Authorization constraint: an authorization constraint defines which roles are authorized to access the Web resource collections under the security constraint.
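To make the two features concrete, here is an added example (not code from the design document) that models how a container evaluates such constraints: a resource collection is a set of URL patterns plus HTTP methods, and an authorization constraint is the set of roles allowed. The roles are the ones defined for the Web module above; the URL paths and folder names are constructed.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/*
 * Added example: a simplified model of Web security-constraint evaluation.
 * Role names are those of the electronic platform's Web module; paths are constructed.
 */
public class ConstraintCheck {

    /** One security-constraint: a Web resource collection plus an authorization constraint. */
    static final class SecurityConstraint {
        final List<String> urlPatterns;  // url-pattern entries of the resource collection
        final Set<String> httpMethods;   // http-method entries; empty means every method
        final Set<String> authRoles;     // auth-constraint role names; null means no auth-constraint
                                         // (unrestricted), empty set means nobody may access

        SecurityConstraint(List<String> urlPatterns, Set<String> httpMethods, Set<String> authRoles) {
            this.urlPatterns = urlPatterns;
            this.httpMethods = httpMethods;
            this.authRoles = authRoles;
        }
    }

    /** Servlet-style url-pattern matching: "/*", path prefix "/dir/*", extension "*.jsp", or exact. */
    static boolean matches(String pattern, String path) {
        if (pattern.equals("/*")) return true;
        if (pattern.endsWith("/*")) {
            String prefix = pattern.substring(0, pattern.length() - 2);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        if (pattern.startsWith("*.")) return path.endsWith(pattern.substring(1));
        return pattern.equals(path);
    }

    /**
     * Decides whether a caller holding callerRoles may send method to path.
     * Simplification: every constraint whose resource collection covers the request is
     * combined (roles are unioned); real containers also apply pattern precedence rules.
     * A request covered by no constraint is unprotected, so listing only GET and POST in a
     * resource collection leaves other methods on the same URL unconstrained.
     */
    static boolean isAllowed(List<SecurityConstraint> constraints, String method, String path, Set<String> callerRoles) {
        boolean covered = false;
        Set<String> permitted = new HashSet<>();
        for (SecurityConstraint c : constraints) {
            boolean urlHit = false;
            for (String p : c.urlPatterns) {
                if (matches(p, path)) { urlHit = true; break; }
            }
            boolean methodHit = c.httpMethods.isEmpty() || c.httpMethods.contains(method);
            if (!urlHit || !methodHit) continue;
            covered = true;
            if (c.authRoles == null) return true;       // a constraint without auth-constraint lifts protection
            permitted.addAll(c.authRoles);
        }
        if (!covered) return true;                      // unprotected resource
        return !Collections.disjoint(permitted, callerRoles);
    }

    static Set<String> roles(String... names) { return new HashSet<>(Arrays.asList(names)); }

    public static void main(String[] args) {
        // Constructed constraints in the style of the platform's web.xml.
        List<SecurityConstraint> constraints = Arrays.asList(
            new SecurityConstraint(Arrays.asList("/admin/*"), roles("GET", "POST"), roles("Plat_Manager")),
            new SecurityConstraint(Arrays.asList("/surveillance/*"), roles(),
                roles("City_SURVEILLANCE", "Province_surveillance", "Country_Surveillance")));

        System.out.println(isAllowed(constraints, "GET", "/admin/users.jsp", roles("Plat_Manager")));
        System.out.println(isAllowed(constraints, "GET", "/admin/users.jsp", roles("Enterprise")));
        // Same page, a method the collection did not list: not covered, therefore allowed.
        System.out.println(isAllowed(constraints, "DELETE", "/admin/users.jsp", roles("Enterprise")));
        System.out.println(isAllowed(constraints, "GET", "/surveillance/report.jsp", roles("Organ")));
        System.out.println(isAllowed(constraints, "POST", "/index.jsp", roles("EVERYONE")));
    }
}
```

The DELETE case is the check worth running against your own web.xml: a collection that names GET and POST only protects those two methods.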
(D) Define security role references for Servlet / JSP (optional)

This part can define security role references for pages with relatively high security levels, as needed.
(E) Password encryption

The most commonly used password encryption is MD5. The full name of MD5 is Message-Digest Algorithm 5; it was developed in the early 1990s by the MIT Laboratory for Computer Science and RSA Data Security Inc., evolving from MD2, MD3 and MD4. A message digest is a hash transformation of an arbitrary byte string (the message): it converts a byte string of arbitrary length into a large integer. Please note that I am using the term "byte string" instead of "string", because this transformation depends only on the values of the bytes and is independent of the character set or encoding. MD5 transforms an arbitrary "byte string" into a large 128-bit integer, and it is an irreversible transformation: in other words, even if you see the source program and the algorithm description, you cannot turn an MD5 value back into the original string. In mathematical terms this is because there are infinitely many possible original strings; it is a bit like a mathematical function that has no inverse.

A typical application of MD5 is to produce a fingerprint of a message (byte string) to prevent it from being "tampered" with. For example, you write a passage in a file called Readme.txt, record the MD5 value of this Readme.txt, and then distribute the file to others. If someone modifies anything in the file, you will find out when you recalculate the file's MD5. If there is also a third-party certification body, MD5 can be used to prevent the file author from "denying" authorship; this is the so-called digital signature application.
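The Readme.txt fingerprint described above, as an added example that is not code from the design document: it uses the JDK's MessageDigest, and also shows why the text insists on "byte string" rather than "string". The Readme content is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/*
 * Added example: MD5 fingerprint of a file's bytes and the tamper check that recomputes it.
 * The Readme content below is constructed sample data.
 */
public class Md5Fingerprint {

    /** MD5 over raw bytes, rendered as 32 lowercase hex digits (the 128-bit value). */
    static String md5Hex(byte[] data) {
        try {
            byte[] digest = MessageDigest.getInstance("MD5").digest(data);
            StringBuilder hex = new StringBuilder(32);
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 is not available in this JRE", e);
        }
    }

    /** Tamper check: recompute the fingerprint of the current bytes and compare with the recorded one. */
    static boolean unchanged(String recordedHex, byte[] current) {
        byte[] expected = recordedHex.getBytes(StandardCharsets.US_ASCII);
        byte[] actual = md5Hex(current).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    public static void main(String[] args) {
        String text = "Electronic platform release notes";        // constructed Readme.txt content
        byte[] readme = text.getBytes(StandardCharsets.UTF_8);
        String recorded = md5Hex(readme);                          // the value distributed with the file
        System.out.println("fingerprint: " + recorded);

        byte[] edited = "Electronic platform release notes!".getBytes(StandardCharsets.UTF_8);
        System.out.println("original unchanged: " + unchanged(recorded, readme));
        System.out.println("edited unchanged:   " + unchanged(recorded, edited));

        // The digest sees bytes, not characters: the same text in another encoding
        // yields a different fingerprint, which is the "byte string" point made above.
        byte[] utf16 = text.getBytes(StandardCharsets.UTF_16);
        System.out.println("same text as UTF-16 matches: " + unchanged(recorded, utf16));
    }
}
```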
2.22 Web service module

This part is still to be improved.
2.23 EJB module

EJBs are the J2EE components that implement the business logic of the application. They are generally used to access sensitive data, so assigning an appropriate security strategy to EJBs is very important. Access control is applied to individual session and entity bean methods, so that these methods are accessible only to particular security roles. Session, entity and message-driven bean methods run either under the identity of the caller (or of the EJB server) or under a specific security role; the former is called a delegation policy, the latter a run-as mode mapping. The following mainly describes the process of setting security for the EJB module of our electronic platform in WSAD.
(1) Declarative security: the J2EE deployment descriptor ejb-jar.xml contains the EJB security view, as well as structural and reference information about the bean classes. A security view contains a collection of logical security roles. Declarative authorization is generally done in two steps: first state the bean's security strategy, that is, declare the permissions on the bean methods; then declare the security roles for the deployer.
(2) Programmatic security: because not all security policies can be expressed declaratively, the EJB architecture allows the isCallerInRole(String roleName) and getCallerPrincipal() methods of the javax.ejb.EntityContext interface to be used, which provide programmatic access to the caller's security context. The security context is used for all security checks; it encapsulates the current caller's security status. The security context is not visible in application code: the EJB container uses it directly in the background, and it is transmitted implicitly by the stub and skeleton, so that the security information is propagated.
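An added example (not code from the design document) of the case the paragraph has in mind, a policy that declarative method permissions cannot express: an enterprise user may edit only its own record, while the platform administrator may edit any. The bean name, record store and role-reference names are constructed; the home and remote interfaces that EJB 2.0 also requires are omitted.

```java
import java.util.HashMap;
import java.util.Map;
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

/*
 * Added example: a session bean that adds a programmatic check on top of the
 * declarative method permission. Names and the in-memory record store are constructed.
 */
public class EnterpriseRecordBean implements SessionBean {

    /** Constructed stand-in for the entity beans that hold the records. */
    private static final Map<String, String> RECORDS = new HashMap<>();

    private SessionContext ctx;

    public void setSessionContext(SessionContext ctx) { this.ctx = ctx; }
    public void ejbCreate() {}
    public void ejbRemove() {}
    public void ejbActivate() {}
    public void ejbPassivate() {}

    /**
     * A method-permission in ejb-jar.xml can restrict this method to the Enterprise and
     * Plat_Manager roles, but it cannot express "an enterprise may edit only its own
     * record". That rule is checked here against the caller's principal.
     */
    public void updateRecord(String recordOwner, String newContent) {
        // "plat_manager" is a security-role-ref name; ejb-jar.xml links it to the real role
        // (role-link), so this code does not change if the role is renamed at assembly time.
        String caller = ctx.getCallerPrincipal().getName();
        boolean isOwner = caller.equals(recordOwner);
        boolean isManager = ctx.isCallerInRole("plat_manager");
        if (!isOwner && !isManager) {
            throw new EJBException("caller " + caller + " may not modify the record of " + recordOwner);
        }
        RECORDS.put(recordOwner, newContent);
    }

    /** Read side: the same ownership rule applies, so a record is never returned to a stranger. */
    public String readRecord(String recordOwner) {
        String caller = ctx.getCallerPrincipal().getName();
        if (!caller.equals(recordOwner) && !ctx.isCallerInRole("plat_manager")) {
            throw new EJBException("caller " + caller + " may not read the record of " + recordOwner);
        }
        return RECORDS.get(recordOwner);
    }
}
```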
(A) Define security roles: the security roles used in the EJBs must be named in the EJB module deployment descriptor ejb-jar.xml. Each name can have an optional description text. A role is a placeholder that is mapped to real users and user groups when the application is deployed.
(B) Assign method permissions: session and entity bean methods can be protected by assigning appropriate permissions to particular roles. Method permissions are defined in the EJB deployment descriptor ejb-jar.xml.
(C) Assign roles for unprotected methods: during application installation, for session and entity EJB methods that are not explicitly protected in the deployment descriptor, the IBM WebSphere Application Server administrative console can be used to specify their method permission. These unprotected methods can use one of the following permissions:

· Uncheck: this is the default option; it means anyone can call these methods.
· Exclude: no one can call these unprotected methods.
· Role: these unprotected methods can only be called by members of the specified security role.
(D) Managing the delegation policy: when one EJB calls a method of another EJB, by default the identity of the first EJB's caller is propagated to the second EJB. In this way, all EJB methods in the calling chain see the same basic credentials. However, in some cases an EJB needs to run under a predefined identity, for example as a member of a given role, when it calls another EJB method. An example is the onMessage() method of a message-driven bean that calls a protected method of a session bean. The message-driven bean's onMessage() method is called by the container without a caller role, so it cannot call the session bean's protected method. If onMessage() is delegated to run as a specific role, and that role is added to the protected session bean's method, then onMessage() can access the protected methods.
(E) Bean-level delegation: the element defined in the EJB 2.0 specification enables EJB bean-level delegation, which allows the application assembler to delegate all methods of a given bean to run as a member of a specified security role. At deployment time, a real user must be mapped to the specified security role through a run-as role mapping process. The delegated bean then calls other EJBs under the identity of the mapped user.
(F) Method-level delegation: apart from the bean-level delegation strategy defined in the EJB 2.0 specification, IBM WebSphere Application Server also provides the ability to delegate at the EJB method level. This works the same as bean-level delegation, but it can be applied to specific EJB methods rather than to the bean as a whole. This finer delegation granularity allows the application assembler (or integrator) to delegate different methods of the same EJB to different security roles.

In addition, the client's delegation provides an extra delegate option: run as server. This option indicates that the method uses the identity of the application server to call other EJBs.
(G) Define security role references (optional): a security role reference is an indirection layer between the security role named in the EJB's Java code and the security role defined during application assembly. This indirection layer allows you to change the name of the security role without changing any application code.
3. Matters to notice during system development

3.1 How to invoke the verification interface provided by Xinhe

Since there are still some problems in the configuration of the authentication server, we use the Xinhe Web application in a variety of ways, but with a modification: instead of having the authentication server verify the legality of the certificate, code is used to verify whether the certificate is signed by Xin Cheng Tong and whether its validity period has expired. This method is used only in our testing phase; when the project is delivered and formally released, their certification server is used to verify the certificate. There are two places where the electronic platform system applies the interface provided by Xinchengtong:

3.11 In the login Action. For the specific implementation code, refer to QiyeloginAction and JigouloginAction.

3.12 In the registration Action. For the specific implementation code, refer to QiyegegAction.
3.2 How to develop Web module declarative security and security role mapping

3.21 Development method based on form verification

This part uses the Struts front-end Validator and the back-end Action to verify the legality of the user. The Validator checks whether the username and password are completely entered, whether their lengths are legal, and so on. After the Validator check, the data is submitted to the Action for back-end processing. This not only prevents malicious submissions by the client but also guarantees the legality of the data, which helps improve server performance. The development method for this part is the same as the usual login verification method, but note that in the Action, besides username and password verification, the client's Tokenid is verified, that is, the CA agency's centralized certification interface is called. We use the following verification logic during development: first obtain the cookie array object from the request, get the Tokenid value by looping through it, then call Authzprn.authzprnprivilege(Tokenid, "", request.getRemoteAddr()) to get the PRNPROPERTY object. Check whether cookie, Tokenid and PRNPROPERTY are null; only when PRNPROPERTY is not null, that is, when the authentication has passed, is the username and password verified. For this part of the code, refer to the two tags QiyeloginAction() and JigouloginAction(). I was responsible for the login and registration part during development; this interface is not called elsewhere.
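The verification order just described, as an added example that is not the project's own LoginAction code. The CA agency's Authzprn call is modelled as an interface so the class does not depend on the agency's library, and PasswordStore is a constructed stand-in for the platform's user table; the cookie name Tokenid and the empty second argument are taken from the description above.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

/*
 * Added example: the login check order of section 3.21 (CA token first, then
 * username/password). AuthzprnApi and PasswordStore are constructed stand-ins.
 */
public final class CentralizedLoginCheck {

    /** Stand-in for Authzprn.authzprnprivilege(tokenId, "", clientIp); null means not authenticated. */
    public interface AuthzprnApi {
        Object authzprnprivilege(String tokenId, String privilege, String clientIp);
    }

    /** Stand-in for the platform's own username/password check. */
    public interface PasswordStore {
        boolean matches(String username, String password);
    }

    /** Loops over the request's cookies for the Tokenid set by the CA Web application. */
    static String findTokenId(Cookie[] cookies) {
        if (cookies == null) {
            return null;                         // no cookies at all: the CA step never happened
        }
        for (Cookie c : cookies) {
            if ("Tokenid".equals(c.getName()) && c.getValue() != null && !c.getValue().isEmpty()) {
                return c.getValue();
            }
        }
        return null;
    }

    /** Calls the centralized interface; a null PRNPROPERTY means the token was rejected. */
    static boolean centrallyAuthenticated(HttpServletRequest request, AuthzprnApi ca) {
        String tokenId = findTokenId(request.getCookies());
        if (tokenId == null) {
            return false;
        }
        Object prnProperty = ca.authzprnprivilege(tokenId, "", request.getRemoteAddr());
        return prnProperty != null;
    }

    /**
     * Login decision in the order the section prescribes: the CA token is checked first,
     * and the username/password are compared only after that check passes.
     */
    public static boolean login(HttpServletRequest request, AuthzprnApi ca, PasswordStore store,
                                String username, String password) {
        if (username == null || password == null) {
            return false;                        // the Validator normally rejects these before the Action
        }
        if (!centrallyAuthenticated(request, ca)) {
            return false;
        }
        return store.matches(username, password);
    }
}
```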
3.32 Developing the security role definitions for Web components

In section 2.21 we initially defined several roles for the Web components, which requires us to place the corresponding Web components in the corresponding folders. Whether a user holding a given role can access a page is decided by the folder the page is in. So during front-end development each page must be placed in the folder matching the object it serves, and cannot be placed arbitrarily. At the same time the Web components are modular, and unless specially needed there is no cross-module access.

Here we mainly introduce how to set up Web security roles in WSAD and WAS:
(A) Security role definition

Open the Web deployment descriptor, as shown. Click "Security", then click Add to add a security role. Name the role; we name it "Manager", and add some descriptive text in the description box. Other roles can be added in the same way according to the needs of the business.

(B) Set security constraints

After the security roles are defined, save. Enter the "Security Constraint" settings: click the "Security Constraint" option to enter the "Security Constraint" interface, as shown in the figure. Click "Add" and enter a name. In the "Web Resource Collection" section click Add to open the add window, enter the corresponding text, and choose the HTTP methods; you can choose GET and POST. Click Add; the URL pattern can use wildcards such as "/*", "/*.jsp", "/" and so on. Confirm. A security constraint can have multiple Web resource collections. Click the "Authorization Role" editor and check the roles to authorize; the roles that appear are the roles we just defined. Confirm. Additional constraints can be added in the same way. After completing, save!

The definition and configuration of the Web security roles is now complete; the remaining work is to map these roles to the actual users of the system when we deploy.
Export the project in XX.EAR form. We now discuss how to deploy the project on WAS and map the Web security roles to actual users:

1. Start the WAS server
2. Log in to the management console
3. Install the enterprise application

The last step is not described further; it can be carried out according to the relevant prompts. Several places need attention: the security roles defined in the Web deployment descriptor are mapped to actual users, as shown:

(Figure: role-to-user mapping during installation)

You can add and modify the mapping by looking up a user or user group, as shown below:

(Figure: user and group lookup)

Below we mainly discuss the Web security settings.
4. Enable global security

Before configuring global security, let's first understand a few terms and their meanings:

(1) User registry

· Local OS: the WebSphere authentication mechanism can use the user account database of the local operating system. WebSphere Application Server provides implementations of the local account registry and domain registry for Windows NT and Windows 2000, and implementations of the user account registry for Linux, Solaris and AIX. Requirements:

· For stand-alone machines, the user should:
  o Be a member of the Administrators group.
  o Have the "Act as part of the operating system" privilege.
  o Have the "Log on as a service" privilege (if the server runs as a service).
· For machines that are domain members, only this user can start the server process, and the user must:
  o Be a member of the domain controller.
  o Have the "Act as part of the operating system" privilege granted in the domain security policy on the domain controller.
  o Have the "Act as part of the operating system" privilege granted in the local security policy on the local machine.
  o Have the "Log on as a service" privilege on the local machine (if the server runs as a service).
  Note: this user is a domain user rather than a local user, which means that when the machine is part of a domain, only this user can start the server.
· For domain controller machines, the user should:
  o Be a member of the domain controller.
  o Have the "Act as part of the operating system" privilege granted in the domain security policy on the domain controller.
  o Have the "Log on as a service" privilege on the domain controller (if the server runs as a service).

Since our development machines are not domain members, we use the stand-alone Local OS registry during development.

· LDAP: Lightweight Directory Access Protocol (LDAP) is a user registry that performs authentication using an LDAP bind. WebSphere Application Server security provides and supports implementations of most major LDAP directory servers, which can be used as the repository of user and group information. The product processes (servers) call the LDAP server to authenticate users and for other related tasks (for example, obtaining user or group information). This support is provided by using different user and group filters to obtain user and group information. These filters have default values, which you can modify to suit your needs. In addition, the custom LDAP feature allows you to use any other LDAP server as the user registry by using the appropriate filters (even one not on the product's list of supported LDAP servers).

To use LDAP as the user registry, you need to know a valid username (ID), the user's password, the server host and port, the base distinguished name (DN) and, if necessary, the bind DN and bind password. You can select any valid user in the registry. In some LDAP servers the administrative user is not searchable and cannot be used (for example, CN=root in SecureWay). This user is referred to in the documentation as the WebSphere Application Server security server identity, server identity, or server user ID. Being the server identity means having special privileges when calling some protected internal methods. Usually, once security is turned on, this identity and password are used to log in to the administrative console; other users can be used if they are part of the administrative role.

When security is enabled in the product, this server identity and password are authenticated against the registry. If the authentication fails, the server cannot start. It is important to choose an identity and password that do not expire or change frequently. If you need to change the product server user ID or password in the registry, make sure the change is performed while all product servers are started and running. Once the change is completed in the registry, follow the steps described in "Configure LDAP user registry": change the identity, password and other configuration information, save, then stop and restart all servers so that the product uses the new identity or password. If you encounter any problem when starting the product, you can disable security so that the server can start (to avoid this situation, make sure any change made in this panel is confirmed in the "Global security" panel). Once the server starts, you can change the identity, password and other configuration information and enable security again.

· Custom: this system does not use this option.
(2) Authentication mechanism

· SWAM: the Simple WebSphere Authentication Mechanism (SWAM) is intended for simple, non-distributed, single application server runtime environments. The single application server restriction exists because SWAM does not support forwardable credentials. If a servlet or enterprise bean in application server process 1 calls a remote method of an enterprise bean in another application server process 2, the caller identity in process 1 is not sent to server process 2. Unauthenticated credentials are sent instead, which, depending on the security permissions configured on the EJB method, may cause authorization to fail. Because SWAM is for single application server processes, it does not support single sign-on (SSO). The SWAM authentication mechanism is suitable for simple environments, software development environments, or other environments that do not require a distributed security solution. We use this option during development.
· LTPA: Lightweight Third Party Authentication (LTPA) is intended for distributed, multiple application server and multiple machine environments. It supports forwardable credentials and single sign-on (SSO). LTPA supports security in a distributed environment through cryptography: it allows LTPA to encrypt, digitally sign and securely transmit authentication-related data, and to decrypt and verify the signature later.

The Lightweight Third Party Authentication (LTPA) protocol allows WebSphere Application Server to provide security in a distributed environment using cryptography. Application servers distributed over multiple nodes and cells can communicate securely with this protocol. It also provides the single sign-on (SSO) feature: a user who has authenticated once within a domain name system (DNS) domain can access resources in other WebSphere cells without being prompted again. This protocol uses cryptographic keys (LTPA keys) to encrypt and decrypt the user data passed between servers. These keys need to be shared between different cells so that resources in one cell can access resources in other cells (this assumes that all the cells involved share the same LDAP or custom registry).

With LTPA, a token is created containing the user information and its expiration time, and is signed with the key. LTPA tokens are time-sensitive: all product servers participating in the protected domain must have their time, date and time zone synchronized. If not, LTPA tokens expire too early and cause authentication or validation failures. The token is then passed to other servers (in the same cell or in different cells), through a cookie (for Web resources when SSO is enabled) or through the authentication layer (the Security Authentication Service (SAS) or Common Secure Interoperability v2 (CSIv2) for enterprise beans). If the receiving server or servers share the same key as the originating server, they can decrypt the token to obtain the user information, then validate it to ensure that it has not expired and that the user information in the token is valid in their registry. After successful validation, the resources in the receiving server can be accessed once the authorization check passes.

All WebSphere Application Server processes in a cell (cell, nodes, application servers) share the same key set. If keys need to be shared between different cells, export them from one cell and import them into the other. For security, the exported keys are encrypted with a user-defined password, which is required when the keys are imported into another cell.

LTPA is the only supported mechanism in the WebSphere Application Server Network Deployment edition. In the WebSphere Application Server Base edition, both LTPA and the Simple WebSphere Authentication Mechanism (SWAM) are supported. When security is first enabled in WebSphere Application Server Network Deployment or Base with LTPA, the LTPA initialization steps are usually performed. LTPA requires the user registry to be a centrally shared repository, such as LDAP or a Windows domain registry, so that users and groups are the same regardless of the mechanism.

The following table summarizes the capabilities of the authentication mechanisms and the user registries that can be used with them:

Mechanism | Forwardable credentials | SSO | Local OS user registry | LDAP user registry | Custom user registry
SWAM | No | No | Yes | Yes | Yes
LTPA | Yes | Yes | Yes | Yes | Yes

LTPA is used in the actual deployment.
Here is how the user registry and authentication mechanism discussed above are set up in WebSphere:

(1) User registry

· Local OS:

Steps for this task
1. In the administrative console, click Security > User Registries > Local OS in the left navigation panel.
2. Enter a valid user name in the Server User ID field.
3. Enter the user's password in the Server User Password field.
4. Click OK. Restart the server.

Validation of the user and password does not occur in this panel; it happens only when you click OK or Apply in the "Global security" panel. If you are in the process of enabling security, complete the other steps and go to the "Global security" panel to ensure that Local OS is the "Active user registry". If security is already enabled and you have changed the user or password information in this panel, make sure to go to the "Global security" panel and click OK or Apply to validate the changes. If your changes are not validated, the server may not be able to start.
·
LDAP
:
Steps for this task
1.
In the management console, click Security on the left navigation panel
>
User registry
> LDAP
.
2.
Enter a valid user name in the Server User Identification field. According to advanced
LDAP
Set the user filter definition in the panel, you can enter your user's full proprietary name (
DN
) Or user's abbreviation name. For example, for
Netscape
Enter the user ID.
3.
Enter the user's password in the Server User Password field.
4.
Select in the type list
LDAP
Server type.
LDAP
Server type determination
WebSphere Application Server
The default filter used. When these default filters change, the type field changes to customization, which indicates the use of custom filters. Once you click Advanced
LDAP
This action occurs after you click OK or Apply in the panel. Choose Custom from the list and modify the user and group filters if you need to use another LDAP server. If you choose IBM Directory Server or iPlanet Directory Server, also select the Ignore case field.
5. In the Host field, enter the fully qualified host name of the LDAP server.
6. In the Port field, enter the port number of the LDAP server. The host name and port number represent the realm of this LDAP server in the WebSphere Application Server cell. Therefore, if servers in different cells communicate with each other using Lightweight Third Party Authentication (LTPA) tokens, these realms must match exactly in all cells.
7. In the Base distinguished name field, enter the base distinguished name (DN). The base DN indicates the starting point for searches in this LDAP directory server. For example, for a user whose DN is cn=John Doe, ou=Rochester, o=IBM, c=US, specify the base DN as any of the following (assuming the suffix c=US): ou=Rochester, o=IBM, c=US, or o=IBM, c=US, or c=US. This field can be case sensitive, and it is recommended that it match the case used in the directory server. This field is required for all LDAP directories except the Domino Directory; the Base DN field is optional for a Domino server.
8. If needed, enter the bind DN in the Bind distinguished name field. If anonymous binding is not possible on the LDAP server, a bind DN is needed to obtain user and group information. If the LDAP server is set up to use anonymous binding, leave this field blank.
9. If needed, enter the password for the bind DN in the Bind password field.
10. Modify the search timeout value if needed. This timeout value is the maximum time the LDAP server waits to send a response to the product client before giving up the request. The default is 120 seconds.
11. Disable this field only if you use a router to send requests to multiple LDAP servers and the router does not support it. In all other situations, leave this field enabled.
12. Enable the Ignore case flag if needed. When it is enabled, the authorization check is not case sensitive. Normally, an authorization check involves comparing the complete DN of the user (which is unique in the LDAP server) and is case sensitive. However, when IBM Directory Server or iPlanet Directory Server is used, this flag must be enabled, because the group information obtained from these LDAP servers is inconsistent in case. This inconsistency only affects the authorization check.
13. If communication with the LDAP server goes through SSL, enable Secure Sockets Layer (SSL). For more information on setting up LDAP for SSL, see Configuring SSL for LDAP clients.
14. If SSL is enabled, select the SSL configuration alias from the list in the SSL configuration field.
15. Click OK.
The user, password and settings are not validated in this panel. Validation takes place only when you click OK or Apply in the Global Security panel. If you are enabling security for the first time, complete the remaining steps, then go to the Global Security panel and select LDAP as the active user registry. If security is already enabled and the information in this panel has been changed, go to the Global Security panel and click OK or Apply to validate your changes. If your changes are not validated, the server may not be able to start.
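Two points in the procedure above are easy to get wrong in practice: how the base DN of step 7 bounds what a search can reach, and how the Ignore case flag of step 12 changes the DN comparison made during authorization. The following example is added here and is not code from the page or from IBM; it uses the page's DN cn=John Doe, ou=Rochester, o=IBM, c=US plus constructed variants, and ignores multi-valued RDNs and escaped commas.

```python
# Added example (not from the original page or from IBM): how the Base DN from
# step 7 scopes which entries a search can reach, and how the "Ignore case"
# flag from step 12 changes the DN comparison used in authorization checks.
# The DNs are the page's "cn=John Doe, ou=Rochester, o=IBM, c=US" plus
# constructed variants; multi-valued RDNs and escaped commas are out of scope.

def parse_dn(dn):
    """Split a DN string into a list of (attribute, value) RDN pairs,
    tolerating whitespace around ',' and '=' as in the page's examples."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((attr.strip(), value.strip()))
    return rdns


def normalise(rdns, ignore_case):
    """Attribute types are case-insensitive in LDAP, so they are always
    folded; values are folded only when the ignore-case option is on."""
    return [(a.lower(), v.lower() if ignore_case else v) for a, v in rdns]


def in_search_scope(user_dn, base_dn, ignore_case=False):
    """True when user_dn lies under base_dn, i.e. the base DN's RDNs are a
    suffix of the user DN's RDNs (the page's user is in scope of c=US but
    not of a constructed ou=Austin, o=IBM, c=US)."""
    u = normalise(parse_dn(user_dn), ignore_case)
    b = normalise(parse_dn(base_dn), ignore_case)
    return len(b) <= len(u) and u[len(u) - len(b):] == b


def dn_matches(dn_a, dn_b, ignore_case=False):
    """Authorization-style comparison of a user's DN with a DN taken from
    group membership data; with ignore_case=False any case difference
    (as returned by some directory servers) makes the check fail."""
    return normalise(parse_dn(dn_a), ignore_case) == normalise(parse_dn(dn_b), ignore_case)


if __name__ == "__main__":
    user = "cn=John Doe, ou=Rochester, o=IBM, c=US"
    for base in ("ou=Rochester, o=IBM, c=US", "o=IBM, c=US", "c=US", "ou=Austin, o=IBM, c=US"):
        print(f"{base!r:32} in scope: {in_search_scope(user, base)}")
    member = "CN=JOHN DOE,OU=ROCHESTER,O=IBM,C=US"  # constructed upper-cased group entry
    print("strict match:", dn_matches(user, member))        # False
    print("ignore case :", dn_matches(user, member, True))  # True
```

The strict comparison failing on the upper-cased group entry is exactly the case step 12 describes for IBM Directory Server and iPlanet Directory Server; enabling the flag widens only the comparison, not the search scope.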
(2) Authentication mechanisms
· SWAM: As mentioned earlier, SWAM is designed for simple, non-distributed, single application servers. The main reason it is limited to a single application server is that SWAM cannot forward credentials. Using SWAM on IBM WebSphere Application Server needs no special configuration; just select SWAM as the authentication mechanism on the Global Security page.
· LTPA: When security is set up for the first time, the initial configuration for this task requires the following steps.
Steps for this task
1. In the navigation panel on the left, click Security > Authentication Mechanisms > LTPA.
2. Enter the password in the password field and confirm it. This password is used to encrypt and decrypt the LTPA keys when they are exported and imported. Remember this password, because you will need to enter it again when you export the keys from this cell to another cell.
3. Enter a positive integer value in the Timeout field. This timeout value is the time (in minutes) for which an LTPA token is valid. The token contains this expiration time so that any server receiving the token can verify that it is still valid before processing it further. When the token expires, the user is prompted to log in again. The ideal value for this field depends on your configuration. The default is 30 minutes.
4. Click Apply or OK. The LTPA configuration is now set. Do not generate the LTPA keys in this step, because they are generated automatically later. Continue with the remaining steps required to enable security, starting with SSO (if SSO is needed).
This system does not need it!
5. Complete the information in the "Global Security" panel and click "OK". When you click OK or Apply in the "Global Security" panel, the LTPA keys are generated automatically, so you should not generate the keys manually.
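To make the timeout in step 3 and the realm rule from the LDAP settings (host name and port must match across cells) concrete, here is a simplified, constructed model of a signed token that any server holding the same key can check on its own. It is added here and is not the page's or IBM's code: real LTPA tokens use a different format and key handling, and the key, realm and times are made up.

```python
# Added example (not from the page or from IBM): a simplified, constructed model
# of the token behaviour described in the LTPA steps. A signed token carries the
# realm (host name and port, step 6 of the LDAP settings), the user DN and an
# expiry derived from the Timeout value (step 3); any server holding the same
# key can check it without contacting the issuing server. Real LTPA tokens use
# a different format and key handling; key, realm and times here are made up.
import hashlib
import hmac

DEFAULT_TIMEOUT_MINUTES = 30  # the page's default LTPA timeout


def issue_token(key, user_dn, realm, now, timeout_minutes=DEFAULT_TIMEOUT_MINUTES):
    """Create 'realm|user_dn|expiry|mac'; 'now' and expiry are Unix seconds."""
    expiry = int(now) + timeout_minutes * 60
    payload = f"{realm}|{user_dn}|{expiry}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_token(key, token, realm, now):
    """Return the user DN if the token is authentic, issued for our realm and
    not yet expired; otherwise return None (the caller would prompt a login)."""
    try:
        tok_realm, user_dn, expiry_text, mac = token.rsplit("|", 3)
        expiry = int(expiry_text)
    except ValueError:
        return None  # malformed token
    payload = f"{tok_realm}|{user_dn}|{expiry}"
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # wrong key (keys not imported into this cell) or tampering
    if tok_realm != realm:
        return None  # realms must match exactly across cells for LTPA tokens
    if now >= expiry:
        return None  # timeout elapsed: the user must log in again
    return user_dn


if __name__ == "__main__":
    key = b"constructed-shared-cell-key"
    realm = "ldap.example.com:389"  # constructed host:port realm
    t0 = 1_000_000
    tok = issue_token(key, "cn=John Doe,ou=Rochester,o=IBM,c=US", realm, t0)
    print("10 min later:", verify_token(key, tok, realm, t0 + 10 * 60))
    print("31 min later:", verify_token(key, tok, realm, t0 + 31 * 60))
    print("other cell  :", verify_token(b"other-key", tok, realm, t0 + 60))
```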
3.3 How to develop Web module programmatic security
This part is only needed if the declarative security model cannot meet the requirements; set it aside for now!
3.4 How to develop EJB module declarative security
This part is still to be added!
3.5 How to develop EJB module programmatic security
This part is only needed if the declarative security model cannot meet the requirements; set it aside for now!
4. Summary
The above is my preliminary design, and some content is still to be supplemented. Since I have not previously taken part in the design of a J2EE security system, and the security requirements of the electronic platform are relatively high, there are certainly many shortcomings and mistakes in this design. I ask colleagues to criticize and correct them, so that we can build a more complete system security architecture and pave the way for our later development work.
5. References
The main references are as follows:
"IBM WebSphere Studio J2EE Application Development", Howard Kushner (editor)
"WebSphere V5.0 Security Handbook" (IBM Redbook)
"WebSphere Application Server V5.0 System Management and Configuration" (IBM Redbook)
"WebSphere V6.0 Security Handbook" (IBM Redbook)
IBM WebSphere Information Center
IBM China Technical Forum