Date Created: Wed 15-Dec-2010


Get my WebSphere Application Server course here >>

WebSphere 8 Overview and new features for securing applications and their environment

Below is a summary of the information I found located at:

Audit service provider settings. In this release of WebSphere® Application Server, there are new customizable options available when specifying the default audit log wrapping behavior.

Generic security token login modules. For JAX-WS web services that use Web Services Security, the generic security token login modules generate and consume tokens using WS-Trust Issue and WS-Trust Validate requests.

Implementing a custom authentication provider using JASPI. This release of WebSphere Application Server supports the JSR 196: Java™ Authentication SPI for Containers (JASPI) specification, which enables third-party security providers to handle the Java Platform, Enterprise Edition (Java EE) authentication of HTTP request and response messages destined for web applications.
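The container-side contract that JASPI gives a third-party provider is easiest to see in code. The following ServerAuthModule is an added example, not code from this page, from IBM, or from the JSR 196 reference implementation: it validates an HTTP Basic Authorization header against a constructed in-memory user table (the class name, the users and the realm are all invented for illustration; a real module would consult a registry) and then tells the container who the caller is through the CallbackHandler it was given. It uses only the javax.security.auth.message API and, for base64, javax.xml.bind.DatatypeConverter, which ships with Java 6 and 7.

```java
package example.jaspi;

import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.bind.DatatypeConverter;

/** Hypothetical JSR 196 module: checks an HTTP Basic header against a constructed in-memory user table. */
public class BasicHeaderAuthModule implements ServerAuthModule {
    // Constructed sample data, not a real registry: user -> { password, group }.
    private static final Map<String, String[]> USERS = new HashMap<String, String[]>();
    static { USERS.put("alice", new String[] { "s3cret", "admin" }); USERS.put("bob", new String[] { "hunter2", "user" }); }
    private static final Charset UTF8 = Charset.forName("UTF-8");

    private CallbackHandler handler;   // supplied by the container; the only way to report the caller back to it
    private MessagePolicy requestPolicy;

    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        this.requestPolicy = requestPolicy;
        this.handler = handler;
    }

    public Class[] getSupportedMessageTypes() { return new Class[] { HttpServletRequest.class, HttpServletResponse.class }; }

    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest req = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse resp = (HttpServletResponse) messageInfo.getResponseMessage();
        String[] creds = parseBasic(req.getHeader("Authorization"));
        String user = (creds == null) ? null : checkPassword(creds[0], creds[1]);

        if (user == null) {
            boolean mandatory = requestPolicy != null && requestPolicy.isMandatory();
            if (!mandatory && creds == null) {
                // Unprotected resource and nothing offered: let it through as an unauthenticated caller.
                report(clientSubject, null, null);
                return AuthStatus.SUCCESS;
            }
            // Protected resource, or credentials that did not verify: challenge and stop the request here.
            resp.setHeader("WWW-Authenticate", "Basic realm=\"example\"");
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return AuthStatus.SEND_FAILURE;
        }
        report(clientSubject, user, new String[] { USERS.get(user)[1] });
        messageInfo.getMap().put("javax.servlet.http.authType", "BASIC");   // what getAuthType() will return
        return AuthStatus.SUCCESS;
    }

    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) { return AuthStatus.SEND_SUCCESS; }

    public void cleanSubject(MessageInfo messageInfo, Subject subject) { if (subject != null) subject.getPrincipals().clear(); }

    /** Decodes "Basic base64(user:password)"; returns null for anything malformed. */
    static String[] parseBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        String decoded;
        try { decoded = new String(DatatypeConverter.parseBase64Binary(header.substring(6).trim()), UTF8); }
        catch (IllegalArgumentException e) { return null; }
        int colon = decoded.indexOf(':');
        return colon < 1 ? null : new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }

    /** Constant-time password compare; returns the user name on success, otherwise null. */
    static String checkPassword(String user, String password) {
        String[] entry = USERS.get(user);
        if (entry == null) return null;
        return MessageDigest.isEqual(entry[0].getBytes(UTF8), password.getBytes(UTF8)) ? user : null;
    }

    /** Hands the caller (or the absence of one) and its groups to the container. */
    private void report(Subject subject, String user, String[] groups) throws AuthException {
        Callback[] cb = (user == null)
            ? new Callback[] { new CallerPrincipalCallback(subject, (Principal) null) }
            : new Callback[] { new CallerPrincipalCallback(subject, user), new GroupPrincipalCallback(subject, groups) };
        try { handler.handle(cb); }
        catch (Exception e) { throw (AuthException) new AuthException(e.getMessage()).initCause(e); }
    }
}
```

A module is not deployed on its own: it sits behind the standard JSR 196 AuthConfigProvider / ServerAuthConfig / ServerAuthContext classes, and that provider is what you register with the server and bind to an application; those wrapper classes and the WebSphere-side registration are not shown here. Two things to check in any module you write: it must still answer when the request policy is not mandatory (the unauthenticated branch above), and it must always call CallerPrincipalCallback before returning SUCCESS, because the specification makes the callback the only defined way to establish the caller.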

Java Servlet 3.0 support for security. This release of WebSphere Application Server supports all security updates as defined in the Java Servlet 3.0 specification (JSR-315), including the new servlet security annotations, use of new programmatic security APIs and the dynamic updating of the servlet security configuration.
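The three Servlet 3.0 security additions named above, as one added example that is not code from this page or from IBM. All class names, paths and role names (admin, auditor) are invented for illustration, and the roles are assumed to be mapped to users in the application's deployment:

```java
// File: AdminUsersServlet.java  (declarative constraints via the Servlet 3.0 annotations)
package example.web;

import java.io.IOException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/admin/users")
@ServletSecurity(
    // Default for every method not named in httpMethodConstraints: role "admin", TLS required.
    value = @HttpConstraint(rolesAllowed = "admin", transportGuarantee = TransportGuarantee.CONFIDENTIAL),
    // Per-method override: TRACE is denied to everyone, whatever roles they hold.
    httpMethodConstraints = @HttpMethodConstraint(value = "TRACE", emptyRoleSemantic = EmptyRoleSemantic.DENY))
public class AdminUsersServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // The container enforced the constraint before dispatch, so the principal is never null here.
        resp.getWriter().println("admin user: " + req.getUserPrincipal().getName());
    }
}

// File: LoginServlet.java  (programmatic login/logout, new in Servlet 3.0)
package example.web;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet({ "/login", "/logout" })
public class LoginServlet extends HttpServlet {
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if ("/logout".equals(req.getServletPath())) {
            req.logout();                                  // removes the caller identity from the request
            if (req.getSession(false) != null) req.getSession(false).invalidate();
            resp.sendRedirect(req.getContextPath() + "/");
            return;
        }
        // Drop any pre-login session so a session id fixed by an attacker does not survive authentication.
        if (req.getSession(false) != null) req.getSession(false).invalidate();
        try {
            req.login(req.getParameter("username"), req.getParameter("password")); // checked against the configured registry
        } catch (ServletException e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "login failed");  // same message for unknown user and bad password
            return;
        }
        req.getSession(true);                              // fresh session, created after the identity is established
        resp.sendRedirect(req.getContextPath() + "/admin/users");
    }
}

// File: SecurityBootstrap.java  (dynamic registration with a programmatic constraint)
package example.web;

import java.io.IOException;
import java.util.Set;
import javax.servlet.HttpConstraintElement;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletRegistration;
import javax.servlet.ServletSecurityElement;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebListener
public class SecurityBootstrap implements ServletContextListener {
    /** Servlet added at runtime: no annotation and no web.xml entry, so its constraint must be set here. */
    public static class AuditServlet extends HttpServlet {
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            resp.getWriter().println("audit view for " + req.getUserPrincipal().getName());
        }
    }
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        ServletRegistration.Dynamic reg = ctx.addServlet("audit", AuditServlet.class);
        reg.addMapping("/audit/users");
        Set<String> alreadySecured = reg.setServletSecurity(new ServletSecurityElement(
                new HttpConstraintElement(TransportGuarantee.CONFIDENTIAL, "auditor")));
        // Patterns that web.xml already constrains are returned untouched; fail loudly rather than run unprotected.
        if (!alreadySecured.isEmpty())
            throw new IllegalStateException("constraint not applied to " + alreadySecured);
    }
    public void contextDestroyed(ServletContextEvent sce) { }
}
```

Two caveats from the annotation's definition are worth remembering. The value element of @ServletSecurity defaults to a bare @HttpConstraint, which permits everyone, so a declaration that lists only httpMethodConstraints leaves every method it does not name open; always state the default constraint, as above. And setServletSecurity() will not override a security-constraint that web.xml already attaches to the same URL pattern; it returns those patterns instead, which is why the listener checks the returned set rather than assuming the call took effect.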

Multiple security domains. In WebSphere Application Server Version 7.0, the federated repositories user registry can only be configured at the global level, but any domain can use it by configuring it as the active registry. In WebSphere Application Server Version 8.0, you can configure federated repositories at the domain level in a multiple security domain environment.

Security configuration report. The report now also covers session security, web attributes and the HttpOnly setting, giving a more complete view of the server's security settings.

Security hardening features enablement and migration. Security hardening features added in this release and enabled by default include:
- SSL required on the Common Secure Interoperability version 2 (CSIv2) transport, so RMI/IIOP clients and servers that talk CSIv2 to this release must be configured for SSL
- The HttpOnly attribute on LTPA cookies
- Session security integration

Single sign-on settings. A "Set security cookies as HTTPOnly to resist cross-site scripting attacks" check box has been added to the Single sign-on settings page for this release. HttpOnly is a cookie attribute, honoured by the browser, that stops client-side script (such as JavaScript) from reading the cookie. It does not prevent cross-site scripting itself, but it denies injected script access to the session token, which closes the most common route from an XSS bug to session hijacking. With the option enabled, the LTPA and WASReqURL cookies are issued with the HttpOnly attribute; you can confirm this by checking for HttpOnly on the Set-Cookie header of a login response.

Using a WebSphere Application Server API to achieve downstream web single sign-on with an LtpaToken2 cookie. Web applications running on mid-tier WebSphere servers may need to propagate the LtpaToken2 cookie on downstream web invocations. This release provides a new Application Programming Interface (API) that lets application developers perform downstream SSO programmatically, without the application having to store and forward user credentials. Note that the cookie is only meaningful to servers that share the same LTPA keys and SSO domain, and forwarding it hands the user's full identity to the target, so restrict it to trusted downstream WebSphere endpoints.


Steve Robinson - IBM Champion 2013

About Me

Steve Robinson has been working in IT for over 20 years and has provided solutions for many large-enterprise corporate companies across the world. Steve specialises in Java and Middleware.

In January 2013, I was awarded the prestigious 'IBM Champion' accolade.


Read my books?

IBM WebSphere Application Server 8.0 Administration Guide

WebSphere Application Server 7.0 Administration Guide
