The -w option on a junction provides the following measures of protection:
• Prevents the use of the 8.3 file name format. When the junction is configured
  with the -w option, a user cannot avoid an explicit ACL on a long file name by
  using the short (8.3) form of the file name. The server returns a 403
  Forbidden error on any short form file name entered.
• Disallows trailing dots in directory and file names. If a file or directory contains
  trailing dots, a 403 Forbidden error is returned.
• The -w option automatically invokes the -i option (meaning it enforces
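
The first two checks in the list above, sketched as a request-path filter. This is an added example, not WebSEAL's code or part of the original text. The function names and the pattern used to recognise an 8.3 alias are assumptions, since the text does not say how WebSEAL detects short names.

```python
import re
from urllib.parse import unquote

# Assumed heuristic for a Windows-generated 8.3 alias: a base of at most
# 8 characters ending in ~<digits>, optionally followed by a 1-3 character
# extension (for example ANNUAL~1.HTM).
SHORT_NAME = re.compile(r"^(?P<base>[^.~]+~\d+)(?:\.[^.]{1,3})?$")


def rejection_reason(url_path):
    """Return why a path would be refused with 403, or None if it passes."""
    # Inspect the percent-decoded form so %7E and %2E cannot hide "~" and ".".
    decoded = unquote(url_path)
    for segment in re.split(r"[/\\]", decoded):
        if segment in ("", ".", ".."):
            continue  # dot segments belong to path normalisation, not this check
        if segment.endswith("."):
            return "trailing dot"
        match = SHORT_NAME.match(segment)
        if match and len(match.group("base")) <= 8:
            return "8.3 short name"
    return None


def status_for(url_path):
    """HTTP status the filter would produce for the path."""
    return 403 if rejection_reason(url_path) else 200


# Constructed sample paths, not taken from any real deployment.
SAMPLES = [
    "/docs/annual-report-2004.html",   # long name, the form the ACL is attached to
    "/docs/ANNUAL~1.HTM",              # short alias of the same file
    "/docs/ANNUAL%7E1.HTM",            # same alias with the tilde encoded
    "/private./index.html",            # directory name with a trailing dot
    "/home/~alice/notes.txt",          # leading tilde is not an 8.3 alias
]

if __name__ == "__main__":
    for path in SAMPLES:
        print(status_for(path), path, rejection_reason(path) or "")
```

The pattern is a heuristic: a long file name that is itself eight characters or fewer and ends in `~1` would also be refused.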

4.9 WebSEAL single sign-on mechanisms
After a user has been authenticated by WebSEAL and an authorization decision
has been made, WebSEAL has to forward the user’s request to a back-end Web
application server. If needed, WebSEAL can include information about the user,
such as X.509 distinguished name, group memberships, or any other value.
The mechanisms to forward that information can vary. You can use standard
protocols such as the HTTP basic authentication header, or proprietary
mechanisms, when talking to specific server products. WebSEAL supports
several mechanisms for forwarding requests to Web application servers.
This section presents alternatives on how to pass information about the user and
the user’s request to the back-end application.
When a protected resource is located on a junctioned Web application server, a
client requesting that resource can be required to perform multiple logins: one for
the WebSEAL server and one for the back-end server. Each login may require a
different login identity. Often, the problem of administering and maintaining
multiple login identities can be solved with a single sign-on mechanism.
The Open Group defines single sign-on as a mechanism whereby a single action
of user authentication and authorization can permit a user to access all
computers and systems where that user has access permission, without the
need to enter multiple passwords. WebSEAL's realm is to provide this single
sign-on functionality for Web infrastructures. Acting as a Web reverse proxy to
the company’s Web environment, WebSEAL communicates with the junctioned
servers on behalf of the users. It enables the user to access a resource,
regardless of the resource’s location, using only one initial login. Any more login
requirements from back-end application servers are handled so that they are
transparent to the user.
