Chapter 4. Configuration and customization 113
4.2 WebSEAL customization
Different approaches are needed to provide different types of user access (for
example, unrestricted access or restricted access with passwords, SecurID
tokens, or PKI certificates) to a variety of back-end applications. This flexibility
should be provided within one security solution, and the management of this
security solution must support both centralized and distributed security
administration groups, while maintenance of the Web applications can be done
by other individual groups.
WebSEAL can enforce a high degree of security in a secure domain by requiring
users to provide proof of their identity. The following conditions apply to the
WebSEAL authentication process:
- WebSEAL supports several authentication methods by default, and can be customized to use other methods.
When both server and client require authentication, the exchange is known as
- The WebSEAL server process is independent of the authentication method.
- The result of successful authentication to WebSEAL is a Tivoli Access Manager user identity.
- WebSEAL uses this identity to build a credential for that user.
- The authorization service uses this credential to permit or deny access to protected objects after evaluating the ACL permissions, POP conditions, and authorization rules governing the policy for each requested resource.
This flexible approach to authentication allows the security policy to be based on
business requirements and not physical network topology.
Here are some of the technical requirements for authentication that WebSEAL
has to address:
- Enforce authentication of users, where the type of authentication depends on the resources they want to access. Sometimes all users need to be authenticated; sometimes only users that want to access certain protected URLs or applications need to identify themselves.
- Perform an initial user-based authorization check (for example, decide whether a user should be allowed to contact any of the Web applications at all). This step prevents certain users from accessing the system at all.
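The decision flow described in this section (authentication yields a user identity, the identity becomes a credential, and the authorization service evaluates ACL permissions, POP conditions and authorization rules per resource, including the initial "may this user touch the system at all" check and a resource-dependent authentication strength) can be modelled in a few dozen lines. The following is an added illustration written for this page, not IBM Tivoli Access Manager or WebSEAL code: the user registry, the object space, the permission letters ("t" traverse, "r" read), the pseudo-principals "unauthenticated" and "any-authenticated", the ordering of authentication levels, and the nearest-ancestor ACL inheritance are all constructed assumptions chosen to resemble the concepts in the text.

```python
"""Toy model of the WebSEAL-style decision flow: authenticate -> identity ->
credential -> ACL / POP / rule evaluation over a protected object space.
Constructed illustration only; it is not Tivoli Access Manager code."""
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional

# Relative strength of authentication methods (constructed ordering; the real
# product assigns configurable numeric authentication levels per method).
AUTH_LEVEL = {"none": 0, "password": 1, "token": 2, "certificate": 3}

# Constructed user registry standing in for the Access Manager registry.
USERS = {
    "alice": {"password": "pw-alice", "token": "123456", "groups": {"staff", "payroll"}},
    "bob":   {"password": "pw-bob",   "token": "654321", "groups": {"contractor"}},
}

# How each method verifies its proof of identity (constant-time comparison).
VERIFIERS: Dict[str, Callable[[dict, str], bool]] = {
    "password": lambda entry, secret: hmac.compare_digest(secret, entry["password"]),
    "token":    lambda entry, secret: hmac.compare_digest(secret, entry["token"]),
}


@dataclass(frozen=True)
class Credential:
    """Result of successful authentication: the identity plus the attributes
    the authorization service evaluates."""
    user: str
    groups: FrozenSet[str]
    auth_method: str


Rule = Callable[[Credential, str], bool]


@dataclass
class ProtectedObject:
    acl: Dict[str, str]      # principal -> permission letters, e.g. "tr"
    pop: Dict[str, str]      # protected object policy, e.g. minimum auth level
    rules: List[Rule]        # authorization rules: (credential, path) -> bool


# Constructed protected object space. An object without its own entry takes
# the ACL/POP/rules of its nearest ancestor (modelling inheritance).
OBJECT_SPACE = {
    "/": ProtectedObject(
        acl={"unauthenticated": "t", "group:staff": "t", "group:payroll": "t"},
        pop={}, rules=[]),
    "/public": ProtectedObject(
        acl={"unauthenticated": "tr", "any-authenticated": "tr"},
        pop={}, rules=[]),
    "/payroll": ProtectedObject(
        acl={"group:payroll": "tr"},
        pop={"min_auth_level": "token"},   # step-up: password is not enough here
        rules=[lambda cred, path: not path.endswith("/admin") or "admin" in cred.groups]),
}


def authenticate(username: str, secret: str, method: str) -> Optional[Credential]:
    """Verify the proof of identity for the chosen method and build a credential."""
    entry = USERS.get(username)
    verify = VERIFIERS.get(method)
    if entry is None or verify is None or not verify(entry, secret):
        return None
    return Credential(username, frozenset(entry["groups"]), method)


def unauthenticated() -> Credential:
    """Credential WebSEAL-style servers use before any authentication."""
    return Credential("unauthenticated", frozenset(), "none")


def _principals(cred: Credential) -> set:
    if cred.user == "unauthenticated":
        return {"unauthenticated"}
    return {"any-authenticated", "user:" + cred.user} | {"group:" + g for g in cred.groups}


def _effective_object(path: str) -> ProtectedObject:
    """Nearest ancestor in the object space that carries policy."""
    best = "/"
    for p in OBJECT_SPACE:
        if p != "/" and (path == p or path.startswith(p + "/")) and len(p) > len(best):
            best = p
    return OBJECT_SPACE[best]


def _granted(cred: Credential, obj: ProtectedObject) -> set:
    perms: set = set()
    for principal in _principals(cred):
        perms |= set(obj.acl.get(principal, ""))
    return perms


def authorize(cred: Credential, path: str, permission: str = "r") -> str:
    """Return "permit", "step-up: <method>" or "deny: <reason>"."""
    # 1. Initial user-based check: no traverse on the root means no access at all.
    if "t" not in _granted(cred, OBJECT_SPACE["/"]):
        return "deny: no traverse on root"
    obj = _effective_object(path)
    # 2. ACL permissions for the requested operation.
    if permission not in _granted(cred, obj):
        return "deny: acl"
    # 3. POP condition: the resource may demand a stronger authentication method.
    needed = obj.pop.get("min_auth_level", "none")
    if AUTH_LEVEL[cred.auth_method] < AUTH_LEVEL[needed]:
        return "step-up: " + needed
    # 4. Authorization rules attached to the object.
    if not all(rule(cred, path) for rule in obj.rules):
        return "deny: rule"
    return "permit"
```

The model keeps the order the text implies: the root-level traverse check decides whether a user may contact any application, the ACL decides the operation, the POP turns a weak-but-valid session into a step-up request rather than a flat denial, and rules run last. Running `authorize(authenticate("alice", "pw-alice", "password"), "/payroll/run")` yields `"step-up: token"`, while the same user authenticated with her token is permitted.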