Connection filters are one of the additional security features provided by WebLogic. WebLogic provides security at the domain level, application level and application component level using security roles and users.
A connection filter is another feature provided by WebLogic, and it works at the network layer. Connection filters allow you to block unwanted access to resources; for example, they can be used to block an IP address from accessing the WebLogic admin console.
WebLogic has a default connection filter implementation, weblogic.security.net.ConnectionFilterImpl, which reads the connection filter rules that we configured and, based on them, allows or blocks access to resources.
To add a connection filter to a WebLogic domain, go to Domain Name -> Security -> Filter and set:
Connection Filter: weblogic.security.net.ConnectionFilterImpl
Connection Filter Rules: one rule per line, in the form
IP address * * allow# comment
for example something like
173.222.34.54 * * allow#Apache
0.0.0.0/0 * * deny#Deny all
0.0.0.0/0 * 7001 deny
When we check the config.xml file we can see:
<connection-filter-rule>173.222.34.54 * * allow# Apache</connection-filter-rule>
<connection-filter-rule>0.0.0.0/0 * * deny#Deny All</connection-filter-rule>
<connection-filter-rule>0.0.0.0/0 * 7001 deny</connection-filter-rule>
The first line allows access to everything for the IP address 173.222.34.54. The last line denies all traffic (0.0.0.0/0) to all local addresses (*) on the admin port (7001). The rules are evaluated from top to bottom, and the first rule that matches a connection is the one applied.
There are some syntax rules to follow when configuring the filters:
- Each rule must be written on a single line.
- Tokens in a rule are separated by whitespace.
- A pound sign (#) is the comment character. Everything after a pound sign on a line is ignored.
- Whitespace before or after a rule is ignored.
- Lines consisting only of whitespace or comments are skipped.
- Filters are applied to all servers in your domain, so remember that you can lock out yourself (admin console) or even internal WebLogic communication between managed servers and the admin server.
- Filters are stored in the config.xml file, so if you really locked yourself out -> look there.
The connection filter syntax is
targetAddress localAddress localPort action protocols
targetAddress specifies one or more systems to filter.
localAddress defines the host address of the WebLogic Server instance. (If you specify an asterisk (*), the match returns all local IP addresses.)
localPort defines the port on which the WebLogic Server instance is listening. (If you specify an asterisk (*), the match returns all available ports on the server.)
action specifies the action to perform. This value must be allow or deny.
protocols is the list of protocol names to match. The following protocols may be specified: http, https, t3, t3s, ldap, ldaps, iiop, iiops, and com. If no protocol is defined, all protocols will match a rule.
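As an added example (not code from this post or from WebLogic itself), here is a small Python re-implementation of the rule syntax above: it parses a rule set the way the syntax rules describe (comments, blank lines, whitespace) and evaluates a connection top to bottom, returning the action and the number of the rule that matched, so a rule file can be checked for lockouts before it goes into config.xml. It handles only IP addresses and CIDR blocks as targets (WebLogic also accepts host names), and it assumes that a connection matching no rule is allowed, which is ConnectionFilterImpl's default behaviour as I understand it.

```python
import ipaddress

# Protocol names the post lists; anything else is a typo in the rule file.
PROTOCOLS = {"http", "https", "t3", "t3s", "ldap", "ldaps", "iiop", "iiops", "com"}

def parse_rules(text):
    """Parse 'targetAddress localAddress localPort action [protocols]' lines.
    '#' starts a comment; blank lines and surrounding whitespace are ignored.
    Returns (rule_no, target, local, port, action, protocols) tuples in order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        if len(tokens) < 4 or tokens[3] not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: need 'target local port action [protocols]'")
        target, local, port, action, *protocols = tokens
        if port != "*" and not port.isdigit():
            raise ValueError(f"line {lineno}: localPort must be a number or *")
        if set(protocols) - PROTOCOLS:
            raise ValueError(f"line {lineno}: unknown protocol in {protocols}")
        rules.append((len(rules) + 1, target, local, port, action, protocols))
    return rules

def _addr_match(pattern, addr):
    # '*' matches anything, 'a.b.c.d/n' is a CIDR block, otherwise an exact IP.
    if pattern == "*":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return ipaddress.ip_address(addr) == ipaddress.ip_address(pattern)

def evaluate(rules, remote, local, port, protocol):
    """Walk the rules top to bottom; the first match decides and its number is
    returned with the action. Assumption: a connection that matches no rule is
    allowed, as with ConnectionFilterImpl's default (rule_no is None then)."""
    for rule_no, target, loc, prt, action, protocols in rules:
        if (_addr_match(target, remote) and _addr_match(loc, local)
                and (prt == "*" or int(prt) == port)
                and (not protocols or protocol in protocols)):
            return action, rule_no
    return "allow", None

# Constructed sample: the three rules shown in the post.
SAMPLE_RULES = """173.222.34.54 * * allow#Apache
0.0.0.0/0 * * deny#Deny all
0.0.0.0/0 * 7001 deny
"""
```

Running the post's three rules through evaluate shows that the second rule already denies every other address on every port, so the third rule (port 7001) is never reached.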
There are cases where you will see notices like:
####<Nov 27, 2012 4:31:22 AM CST> <Notice> <Socket> <omhq19ea> < admin> <ExecuteThread: '5' for queue: 'weblogic.socket.Muxer'> <<WLS Kernel>> <> <> <1354012282145> <BEA-000445> <Connection rejected, filter blocked Socket[addr=x.x.x.x.x,port=62719,localport=29902], weblogic.security.net.FilterException: [Security:090220]rule 81>
####<Nov 27, 2012 4:49:25 AM CST> <Notice> <Socket> <omhq19eb> < admin> <ExecuteThread: '4' for queue: 'weblogic.socket.Muxer'> <<WLS Kernel>> <> <> <1354013365338> <BEA-000445> <Connection rejected, filter blocked Socket[addr=x.x.x.x,port=62941,localport=29802], weblogic.security.net.FilterException: [Security:090220]rule 107>
In that case, just check that the connection filter rules follow the syntax described above.
Happy Learning.