This topic applies to WebSphere Application Server Liberty V8.5.5.9 and earlier. For the latest Liberty topics, see the WebSphere Application Server Liberty documentation.
Web Container Application Security (webAppSecurity)
Configures web container application security.
Attribute name | Data type | Default value | Description |
---|---|---|---|
allowAuthenticationFailOverToAuthMethod |
|
Specifies the authentication fail over method that will be used when the certificate authentication fails. Valid values are BASIC and FORM.
|
|
allowFailOverToBasicAuth | boolean | false | Specifies whether to fail over to basic authentication when certificate authentication fails. The equivalent custom property in the full application server profile is com.ibm.wsspi.security.web.failOverToBasicAuth. |
allowLogoutPageRedirectToAnyHost | boolean | false | Warning, security risk: Setting this property to true may open your systems to potential URL redirect attacks. If set to true, any host can be specified for the logout page redirect. If set to false, and the logout page points to a different host, or one not listed in the logout page redirect domain list, then a generic logout page is displayed. The equivalent custom property in the full application server profile is com.ibm.websphere.security.allowAnyLogoutExitPageHost. |
displayAuthenticationRealm | boolean | false | Warning, security risk: if this property is set to true, and the user registry's realm name contains sensitive information, it is displayed to the user. For example, if an LDAP configuration is used, the LDAP server hostname and port are displayed. This configuration controls what the HTTP basic authentication login window displays when the realm name is not defined in the application web.xml. If the realm name is defined in the application web.xml file, this property is ignored. If set to true, the realm name displayed will be the user registry realm name for the LTPA authentication mechanism. If set to false, the realm name displayed will be "Default Realm". The equivalent custom property in the full application server profile is com.ibm.websphere.security.displayRealm. |
httpOnlyCookies | boolean | true | Specifies whether the HTTP only (HttpOnly) cookies option is enabled. |
includePathInWASReqURL | boolean | false | Setting the Path parameter can allow the client/browser to manage multiple WASReqURL cookies during multiple concurrent logins on the same user agent. The equivalent custom property in the full application server profile is com.ibm.websphere.security.setContextRootForFormLogin. |
loginFormURL | string | Specifies the global URL of a form login page including the root context. The form login page must be part of the WAR file. If a form login application does not specify the form login page in the web.xml file, it uses the global form login URL. | |
logoutOnHttpSessionExpire | boolean | false | Specifies whether users will be logged out after the HTTP session timer expires. If set to false, the user credential will stay active until the Single Sign-On token timeout occurs. The equivalent custom property in the full application server profile is com.ibm.ws.security.web.logoutOnHTTPSessionExpire. |
logoutPageRedirectDomainNames | string | A pipe (|) separated list of domain names that are allowed for the logout page redirect (localhost is implied). The equivalent custom property in the full application server profile is com.ibm.websphere.security.logoutExitPageDomainList. | |
postParamCookieSize | int | 16384 | Size of the POST parameter cookie. If the size of the cookie is larger than the browser limit, unexpected behavior may occur. The value of this property must be a positive integer and represents the maximum size of the cookie in bytes. The equivalent custom property in the full application server profile is com.ibm.websphere.security.util.postParamMaxCookieSize. |
postParamSaveMethod |
|
Cookie | Specifies where POST parameters are stored upon redirect. Valid values are cookie (POST parameters are stored in a cookie), session (POST parameters are stored in the HTTP Session) and none (POST parameters are not preserved). The equivalent custom property in the full application server profile is com.ibm.websphere.security.util.postParamSaveMethod.
|
preserveFullyQualifiedReferrerUrl | boolean | false | Warning, security risk: Setting this to true may open your systems to potential URL redirect attacks. This property specifies whether the fully qualified referrer URL for form login redirects is preserved. If false, the host for the referrer URL is removed and the redirect is to localhost. The equivalent custom property in the full application server profile is com.ibm.websphere.security.util.fullyQualifiedURL |
singleSignonEnabled | boolean | true | Specifies whether single sign-on is enabled. |
ssoCookieName | string | LtpaToken2 | Customizes the SSO cookie name. A custom cookie name allows you to logically separate authentication between SSO domains and to enable customized authentication to a particular environment. Before setting this value, consider that setting a custom cookie name can cause an authentication failure. For example, a connection to a server that has a custom cookie property set sends this custom cookie to the browser. A subsequent connection to a server that uses either the default cookie name or a different cookie name, is not able to authenticate the request via a validation of the in-bound cookie. The equivalent custom property in the full application server profile is com.ibm.websphere.security.customSSOCookieName. |
ssoDomainNames | string | A pipe (|) separated list of domain names that SSO Cookies should be presented. The equivalent custom property in the full application server profile is com.ibm.ws.security.config.SingleSignonConfig | |
ssoRequiresSSL | boolean | false | Specifies whether a SSO cookie is sent over SSL. The equivalent property in the full application server profile is requiresSSL. |
ssoUseDomainFromURL | boolean | false | Specifies whether to use the domain name from the request URL for the cookie domain. |
trackLoggedOutSSOCookies | boolean | false | Specifies whether to track LTPA single signon tokens that are logged out on a server so that it can not be reused on the same server. |
useAuthenticationDataForUnprotectedResource | boolean | true | Specifies whether authentication data can be used when accessing an unprotected resource. The unprotected resource can access validated authenticated data that it previously could not access. This option enables the unprotected resource to call the getRemoteUser, isUserInRole, and getUserPrincipal methods to retrieve an authenticated identity. The equivalent custom property in the full application server profile is com.ibm.wsspi.security.web.webAuthReq=persisting. |
useOnlyCustomCookieName | boolean | false | Specifies whether to use only the custom cookie name. |
wasReqURLRedirectDomainNames | string | A pipe (|) separated list of domain names that are allowed for the WASReqURL page redirect. The hostname found on the form login request is implied. | |
webAlwaysLogin | boolean | false | Specifies whether the login() method will throw an exception when an identity has already been authenticated. |