Security best practices
Review these security-related tips, tricks, and best practices for WebSphere Portlet Factory WebApp model-based publishing and exporting.
Security trick: encourage closing the browser
Closing the browser window would not be acceptable behavior for most public web sites, as users typically browse from one site to another.
Custom login pages
When using J2EE/Servlet-based Declarative Security with security constraints in the web.xml deployment descriptor, there are certain limitations in the current version of the J2EE/Servlet specs that you need to work within.
Security trick: dummy JSP page
There is no standard way for a J2EE application to decide itself when to forward the user to a login page.
Using dynamic cookies
All of your session and security related cookies should be dynamic cookies associated with a single browser session, not persistent cookies (with a lifetime greater than zero) that are stored on disk.
Gathering user information
WebSphere Portlet Factory lets you use whatever custom user information you need (for example, the full power of the user registry in use for each deployment scenario), rather than forcing a least-common-denominator approach that tries to map every possible third-party user security/registration system into a common user profile.
Logout – session cleanup
It is always a good idea to put a Logout button in an obvious place in your application to encourage users to log out when they are done, rather than just closing their browser and allowing their session data to persist until their session times out.
Example application server security scenario
This is an application server security scenario.
Security example – J2EE
The following example illustrates security implemented for an IBM WebSphere Portlet Factory web application composed of several WebApp models.
Configuration Example – Login/Role
For requests to models under the protected models above, where the user is not already authenticated, the application server's servlet container itself forces the request through a login before forwarding it to the original URL destination (provided the user is authenticated and authorized based on the specified role(s)).
Example WEB.XML security components
The following configuration information represents the security portions of the WEB-INF/web.xml J2EE Web Application Deployment Descriptor that ships with IBM WebSphere Portlet Factory.