WebSphere Portal - Security Concepts and Considerations

Thanks to Rainier Varilla for alerting me to a rather useful article on the WebSphere Portal Wiki: -

Web security concepts and considerations for IBM WebSphere Portal administrators

BM WebSphere Portal can be leveraged to enforce security, an important requirement for many Web applications. It relies on underlying technologies in delivering certain security functionality and provides integration points for other security-related technologies.

This article is intended to inform WebSphere Portal administrators on how to leverage these capabilities to deliver secure Web applications. It provides examples, including configuration excerpts, but is not intended to replace product documentation as the primary reference for enablement.

This document focuses on WebSphere Portal versions 7.0 and 6.1. Most of these concepts also apply to earlier versions, although WebSphere Portal employed a different member manager in versions prior to 6.1.

The ToC is impressive: -

    * 1 Introduction
    * 2 WebSphere Portal and authentication
          o 2.1 Authentication against a user registry
          o 2.2 External security manager (ESM)
          o 2.3 Single sign-on (SSO)
    * 3 WebSphere Portal and authorization
          o 3.1 Authorization and the user repository
          o 3.2 Portal access control & external identifiers
    * 4 Virtual portals and realms
    * 5 Sessions
    * 6 Other LDAP considerations
    * 7 Users' passwords
    * 8 Remember Me and Step-up Authentication
    * 9 Impersonation
    * 10 SSL
    * 11 Cross-site scripting
    * 12 Securing the operating system
    * 13 Conclusion
    * 14 Resources and Glossary
    * 15 About the author

so the article covers a lot of very useful ground.

Worth a read ...