
WebSphere and J2EE security

 
JeanLouis Marechaux
Ranch Hand
Posts: 906
Hi all.
I plan to recommend WebSphere Security mechanisms for a J2EE application.
It means I would like to check the "EnableSecurity" box in my WAS 4.
One of my colleagues told me:
1) this will decrease performance (10 to 20%). I know this is true, it is written in the WAS documentation
2) most of the time, companies prefer to use third party products to handle security, because the IBM one is too slow...

Is that second point correct?
What about you, WebSphere users?
 
Simon Song
Ranch Hand
Posts: 217
The 2nd point is questionable... I only see IBM WebSphere supporting Tivoli Policy Director (WebSeal) for enterprise security infrastructure.
In an enterprise, you'd want to have Single Sign On capability across your AppServer and other applications. That's probably what your colleague is pointing out.
WAS supports Tivoli/Domino for SSO options; no idea about other products (for example CA's product).
IBM security was implemented a long, long time ago based on CORBA; specifically, WAS 5.0 is CSIv2 level 0 compliant ready (which is required by the EJB 2.0 spec). I wonder how BEA's performance will drop in their WLS 7.0 product if it is enabled with CSIv2.
 
Kyle Brown
author
Ranch Hand
Posts: 3892
Yes, you will see a decrease in performance. However 5-10% is more the range than 15-20%. WebSphere 4.0 is much faster in this regard than was WebSphere 3.5.
Horsehockey on the second point. No one goes with another security system like Entrust or Netegrity because WebSphere is too slow -- the person who made that up is blowing smoke out of his ***. People use external security systems like Tivoli PD or Netegrity because either:
(a) They want to secure content outside the app server (like static HTML) or
(b) They want features like single-signon that cross multiple products (multiple app servers like WebSphere and WebLogic, or WebSphere and IIS).
Kyle
 
JeanLouis Marechaux
Ranch Hand
Posts: 906
Thanks guys. That's also my point of view.
Can I add just one more question?
It's about security settings in WAS 4.
If the box "Enable Security" is unchecked, can I use J2EE authentication and authorization?
My understanding is that these settings are global to the AppServer. So I cannot have an EAR using Security and another not using it deployed in the same WAS instance.
It seems also I can't have one using an LTPA (let's say a DB Sybase) and the other another LTPA (DB Oracle) in the same instance.
Is that correct?
 
Simon Song
Ranch Hand
Posts: 217
If the box "Enable Security" is unchecked, can I use J2EE authentication and authorization?
--I don't think so, unless you can wait until WAS supports JAAS in 5.0; you will have finer control.
My understanding is that these settings are global to the AppServer. So I cannot have an EAR using Security and another not using it deployed in the same WAS instance.
--Yeah, my understanding is it is global to the whole domain. So SSO is available in this case.
It seems also I can't have one using an LTPA (let's say a DB Sybase) and the other another LTPA (DB Oracle) in the same instance.
--You should consider installing them with different AdminServers on the same box or a different box then. Kind of two separate WAS instances.
Is that correct?
 