WebSphere and J2EE security

JeanLouis Marechaux
Ranch Hand

Joined: Nov 12, 2001
Posts: 906
Hi all.
I plan to recommend WebSphere Security mechanisms for a J2EE application.
It means I would like to check the "EnableSecurity" box in my WAS 4.
One of my colleagues told me:
1) this will decrease performance (10 to 20 %). I know this is true, it is written in the WAS documentation
2) most of the time, companies prefer to use third party products to handle security, because the IBM one is too slow...

Is that second point correct?
What about you, WebSphere users?


/ JeanLouis
"software development has been, is, and will remain fundamentally hard" (Grady Booch)
Take a look at Agile OpenUP (http://www.epfwiki.net/wikis/openup/) in the Eclipse community
Simon Song
Ranch Hand

Joined: Feb 01, 2002
Posts: 217
The 2nd point is questionable... I only see IBM WebSphere supporting Tivoli Policy Director (WebSeal) for enterprise security infrastructure.
In an enterprise, you'd want to have Single Sign On capability across your AppServer and other applications. That's probably what your colleague is pointing out.
WAS supports Tivoli/Domino for SSO options; no idea about other products (for example CA's product).
IBM security was implemented a long, long time ago based on CORBA; specifically, WAS 5.0 is CSIv2 level 0 compliant ready (which is required by the EJB 2.0 spec). I wonder how BEA's performance will drop in their WLS 7.0 product if it is enabled with CSIv2.


Simon Song
Certified Enterprise Developer of WebSphere
Kyle Brown
author
Ranch Hand

Joined: Aug 10, 2001
Posts: 3892
    
Yes, you will see a decrease in performance. However, 5-10% is more the range than 15-20%. WebSphere 4.0 is much faster in this regard than was WebSphere 3.5.
Horsehockey on the second point. No one goes with another security system like Entrust or Netegrity because WebSphere is too slow -- the person who made that up is blowing smoke out of his ***. People use external security systems like Tivoli PD or Netegrity because either:
(a) They want to secure content outside the app server (like static HTML) or
(b) They want features like single sign-on that cross multiple products (multiple app servers like WebSphere and WebLogic, or WebSphere and IIS).
Kyle


Kyle Brown, Author of Persistence in the Enterprise and Enterprise Java Programming with IBM Websphere, 2nd Edition
See my homepage at http://www.kyle-brown.com/ for other WebSphere information.
JeanLouis Marechaux
Ranch Hand

Joined: Nov 12, 2001
Posts: 906
Thanks guys. That's also my point of view.
Can I add just one more question?
It's about security settings in WAS 4.
If the box "Enable Security" is unchecked, can I use J2EE authentication and authorization?
My understanding is that these settings are global to the AppServer. So I cannot have an EAR using Security and another not using it deployed in the same WAS instance.
It also seems I can't have one using an LTPA (let's say a DB Sybase) and the other another LTPA (DB Oracle) in the same instance.
Is that correct?
Simon Song
Ranch Hand

Joined: Feb 01, 2002
Posts: 217
If the box "Enable Security" is unchecked, can I use J2EE authentication and authorization?
--I don't think so, unless you can wait until WAS supports JAAS in 5.0; you will have finer control then.
My understanding is that these settings are global to the AppServer. So I cannot have an EAR using Security and another not using it deployed in the same WAS instance.
--Yeah, my understanding is it is global to the whole domain. So SSO is available in this case.
It also seems I can't have one using an LTPA (let's say a DB Sybase) and the other another LTPA (DB Oracle) in the same instance.
--You should consider installing them with different AdminServers on the same box or on different boxes then. Kind of two separate WAS instances.
Is that correct?
 