Reputation: 2566
Does WebSphere offer an HTTP input filter / firewall like mod_security?
I know that it's possible to have Apache be the HTTP server front-end to WebSphere, but that type of configuration is beyond my influence. We're stuck using just what WebSphere itself can do.
EDIT - To clarify, I am not looking for authentication, authorization, or non-repudiation aspects of security here. I want a rule-based HTTP firewall like mod_security that works on WebSphere.
Also, I know that in version 1.x, there was a partial implementation of mod_security in Java. We currently have a custom, in-house solution that is a work-alike, but less arbitrarily configurable. Thanks!
Upvotes: 2
Views: 1362
Reputation: 798
Have a look at WebCastellum: http://sourceforge.net/projects/webcastellum/ It is a Java open-source WAF. Sadly, the website of the maintainers is in German only, but they seem to have some English documentation.
They say in their documentation that WebCastellum is compatible with all common J2EE servers: "WebCastellum is compatible with all common JavaEE servers. In implementing WebCastellum, importance was placed on compatibility with all common JavaEE servers, such as Tomcat, BEA Weblogic, JBoss or WebSphere."
Upvotes: 0
Reputation: 1
There are many attacks that target the web server in front of your application server, so you should get control of the configuration of that web server too.
Upvotes: 0
Reputation: 3593
J2EE has a standard way of securing its apps. I recommend using this. If what you are trying to do is oddball, you could look at Custom User Registries (IBM specific), or implement a custom system altogether with Servlet Filters.
Upvotes: 1
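A sketch of the servlet-filter route mentioned in the last answer, applied to the rule-based input filtering the question asks about. This is an added example, not code from any poster or from WebCastellum; the class name RuleFilter, the rule ids and the patterns are hypothetical, and it assumes the Servlet 3.0+ javax.servlet API.

```java
import java.io.IOException;
import java.util.*;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical rule-based input filter (added example). Map it to /* in web.xml
// so it runs before any servlet. Assumes the Servlet 3.0+ javax.servlet API.
public class RuleFilter implements Filter {
    // Constructed sample rules (id -> pattern); load real ones from a reviewed file.
    private final Map<String, Pattern> rules = new LinkedHashMap<>();
    @Override
    public void init(FilterConfig cfg) {
        rules.put("path-traversal", Pattern.compile("\\.\\.[/\\\\]"));
        rules.put("script-tag", Pattern.compile("<\\s*script", Pattern.CASE_INSENSITIVE));
        rules.put("control-chars", Pattern.compile("[\\x00-\\x08\\x0B\\x0C\\x0E-\\x1F]"));
    }

    // Returns the id of the first matching rule, or null when the value is clean.
    String firstMatch(String value) {
        if (value == null) return null;
        for (Map.Entry<String, Pattern> r : rules.entrySet())
            if (r.getValue().matcher(value).find()) return r.getKey();
        return null;
    }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        List<String> inputs = new ArrayList<>();
        inputs.add(req.getRequestURI());
        inputs.add(req.getQueryString());
        // Parameter values arrive container-decoded, i.e. as the application sees them.
        for (String[] vals : req.getParameterMap().values()) inputs.addAll(Arrays.asList(vals));
        for (String name : Collections.list(req.getHeaderNames())) inputs.add(req.getHeader(name));
        for (String in : inputs) {
            String hit = firstMatch(in);
            if (hit != null) {
                req.getServletContext().log("RuleFilter deny rule=" + hit + " src=" + req.getRemoteAddr());
                ((HttpServletResponse) rs).sendError(HttpServletResponse.SC_FORBIDDEN);
                return; // request never reaches the application
            }
        }
        chain.doFilter(rq, rs);
    }
    @Override
    public void destroy() { }
}
```

Calling getParameterMap() parses a form-encoded body, so an application that reads the raw input stream itself needs the request wrapped so the body can be replayed. The request URI and query string are checked undecoded here, so rules meant for them must account for percent-encoding.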