WebLogic Server 6.1 Code Examples, BEA Systems, Inc.

Package examples.security.acl

This package demonstrates how to restrict access to a WebLogic Server resource (in this case, an RMI object) with an access control list (ACL).


Interface Summary
Frobable Remote interface used to illustrate access control on an RMI object.

Class Summary
AltClient This simple client connects as a specific user and attempts an RMI invocation.
Client This simple client connects as a specific user and attempts an RMI invocation.
FrobImpl Class FrobImpl illustrates how to use an ACL to protect an RMI object's method.

Package examples.security.acl Description

This package demonstrates how to restrict access to a WebLogic Server resource (in this case, an RMI object) with an access control list (ACL). The ACL is added to the File realm in WebLogic Server. The File realm checks the permissions for the RMI object before allowing a client to execute it.
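The check described above, modelled in code as an added illustration for this page (it is not WebLogic's own code): a File-realm-style store of users, groups and ACLs, an ACL named aclexample that grants the frob permission, and a guard that runs before the protected method body. The Realm, PermissionDenied and invoke_as names are assumptions of the model; the user, group, ACL and permission names are the ones the configuration steps on this page use.

```python
"""Model of the ACL check that protects the RMI method in this example.

Added illustration for this page, not WebLogic's own code: the Realm,
PermissionDenied and invoke_as names are assumptions of the model. The
user, group, ACL and permission names come from the configuration steps
on the page (joeuser/joepass, the everyone group, the aclexample ACL
granting frob, and the guest identity that JNDI falls back to).
"""
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised when the ACL does not grant the permission to the caller."""


@dataclass
class Realm:
    """Minimal model of the File realm: users, groups and ACLs."""
    users: dict = field(default_factory=dict)   # username -> password
    groups: dict = field(default_factory=dict)  # group name -> set of usernames
    acls: dict = field(default_factory=dict)    # ACL name -> {permission: set of grantees}

    def authenticate(self, username, password):
        """Return the principal name on success, None on a bad password."""
        if username in self.users and self.users[username] == password:
            return username
        return None

    def check_permission(self, principal, acl_name, permission):
        """True if the ACL grants the permission to the principal directly
        or to a group the principal belongs to; absent ACLs grant nothing."""
        grantees = self.acls.get(acl_name, {}).get(permission, set())
        if principal in grantees:
            return True
        return any(principal in self.groups.get(g, set()) for g in grantees)


def build_example_realm():
    """Constructed data mirroring the Configure the Server steps."""
    realm = Realm()
    realm.users["joeuser"] = "joepass"                # step 3
    realm.users["guest"] = "guest"                    # JNDI default identity
    realm.groups["everyone"] = {"joeuser"}            # step 4
    realm.acls["aclexample"] = {"frob": {"joeuser"}}  # step 5
    return realm


class FrobImpl:
    """Model of the protected RMI object: the ACL check runs before the body."""

    def __init__(self, realm):
        self.realm = realm

    def frob(self, caller):
        if not self.realm.check_permission(caller, "aclexample", "frob"):
            raise PermissionDenied(f"{caller} is not granted frob on aclexample")
        return f"frobbed by {caller}"


def invoke_as(realm, username, password):
    """Connect as a user and attempt the remote call, as Client does.
    Returns the method result, or a message describing the failure."""
    principal = realm.authenticate(username, password)
    if principal is None:
        return "authentication failed"
    try:
        return FrobImpl(realm).frob(principal)
    except PermissionDenied as exc:
        return f"denied: {exc}"


if __name__ == "__main__":
    realm = build_example_realm()
    for user, pw in (("joeuser", "joepass"), ("guest", "guest"), ("joeuser", "wrong")):
        print(user, "->", invoke_as(realm, user, pw))
```

Run as a script it shows the three outcomes the page describes: joeuser succeeds, the guest identity is denied because aclexample grants nothing to guest, and a wrong password never reaches the ACL check at all. Granting frob to the everyone group instead of to joeuser also lets joeuser through, because the check resolves group membership.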

Two clients are provided: Client, which connects as a specific user and attempts an RMI invocation, and AltClient, which does the same but can also present a client digital certificate and private key for mutual (two-way) SSL authentication.

Perform the following steps in order to build, compile, and run the examples:

  1. Build the example
  2. Configure the server
  3. Run the example

Build the Example

  1. Set up your development shell as described in Setting up your environment.

  2. Compile the example by executing an ant build script or by executing a set of commands.

  3. Copy the demonstration digital certificate and private key for WebLogic Server and the digital certificate for the certificate authority from the \wlserver6.1\config\examples directory to the directory in which you are running the ACL code example.

    When using mutual authentication with the AltClient client, you can use the demonstration digital certificate and private key for both the client and the server.

    You can also use a digital certificate and private key that you obtain yourself with the ACL code example. Copy the digital certificates and the private key file into the directory in which you are running the ACL code example.

Configure the Server

  1. Bring up the Administration Console in a browser.

  2. Register the FrobImpl instance as an RMI startup class:
    1. Click to expand the Deployments node in the left pane.
    2. Click to expand the Startup & Shutdown node in the left pane.
    3. Select the frob node.
    4. Deploy the frob startup class on the examplesServer.

  3. If not already defined, define joeuser as a User in the File realm:
    1. Click to expand the Security node in the left pane.
    2. Select the Users node.
    3. Click the Create a New User link.
    4. Add a User named joeuser with the password joepass.

    Note: The Examples WebLogic Server comes pre-configured with users and groups; the preceding procedure is provided mostly for informational purposes.

  4. If not already there, add joeuser to the Everyone Group.
    1. Click to expand the Group node in the left pane.
    2. Enter everyone in the Name attribute.
    3. Click on the Users attribute and select joeuser.
    4. Click on the Apply button.

  5. Verify that an ACL called aclexample that grants the permission frob for User joeuser exists:
    1. Select the Access Control Lists node in the left pane.
    2. Select the aclexample ACL in the right pane.
    3. Verify that frob is listed in the Permission column and joeuser is listed in the Grantees column.

  6. Verify the SSL protocol is enabled.
    1. On the SSL tab in the Server Configuration window for the examplesServer, verify that the Enabled checkbox is checked.
    2. Enter 7002 in the Listen Port field.

  7. Define the following information about the digital certificate and private key for examplesServer on the SSL tab in the Server Configuration window:
    1. In the Server Key File Name field, enter the full directory location and name of the private key file for examplesServer (for example, ./config/examples/demokey.pem).
    2. In the Server Certificate File Name field, enter the full directory location and name of the digital certificate for examplesServer (for example, ./config/examples/democert.pem).
    3. If you are using two-way SSL with the AltClient client, check the Client Certificate Enforced checkbox to enable two-way SSL.
    4. In the Trusted CA File Name field, enter the full directory location and name of the digital certificate for the certificate authority trusted by examplesServer (for example, ./config/examples/ca.pem).
    5. If you are using a PKCS-8 password protected private key, check the Key Encrypted checkbox. The demonstration private key is not password protected.

Run the Example

  1. Restart the Server.

    If you are using a PKCS-8 password protected private key, add the following command line option when starting WebLogic Server:

     -Dweblogic.management.pkpassword=password

    where password specifies the password used to protect the private key.

  2. Run the Client client as follows:
     java -Dweblogic.security.SSL.ignoreHostnameVerification=true examples.security.acl.Client url user password

    where url specifies the T3S or HTTPS protocol and the default port (7002) on which WebLogic Server listens for SSL communications.

    user and password are the username and password for joeuser.

    If you are using the demonstration digital certificates supplied with WebLogic Server, you must specify the ignoreHostnameVerification argument (as in the command above) to override the default HostNameVerifier.

    For example:

      java -Dweblogic.security.SSL.ignoreHostnameVerification=true examples.security.acl.Client t3s://localhost:7002 joeuser joepass

  3. Run the AltClient client as follows:

       java -Dweblogic.security.SSL.ignoreHostnameVerification=true examples.security.acl.AltClient url -user user -pass password 
              -sslCert private_key:public_key[:cert_chain] [-password] [-servername]

    If you are using the demonstration digital certificates supplied with WebLogic Server, you must specify the ignoreHostnameVerification argument (as in the command above) to override the default HostNameVerifier.

    url specifies the T3S or HTTPS protocol and the default port (7002) on which WebLogic Server listens for SSL communications.

    user and password are the username and password for joeuser. If the -user and -pass command line options are not specified, the JNDI InitialContext defaults to the User guest with the password guest. In this case, the AltClient client will fail because the aclexample ACL does not assign permissions to the guest User.

    -sslCert specifies the name of the private key file and digital certificate separated by the default path separator on your platform.

    If you are using a PKCS-8 password encrypted private key, -password is the password used to encrypt the private key. If you are using the demonstration digital certificate and private key, you do not have to specify this command line option.

    -servername is the name of the WebLogic Server to which you expect to connect.

    For example:

     $  java -Dweblogic.security.SSL.ignoreHostnameVerification=true examples.security.acl.AltClient t3s://localhost:7002 -user joeuser
             -pass joepass -sslCert demokey.pem;democert.pem -servername weblogic.bea.com
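The ignoreHostnameVerification setting used in the commands above turns off the client's check that the name in the server's certificate matches the host it connected to, for every certificate, not only the demonstration one. The following added illustration (written for this page, not WebLogic's HostNameVerifier) shows what that check does, why the demonstration certificate fails it when the URL names localhost, and that supplying the name the certificate was issued for keeps the check on. DEMO_CERT_NAMES is constructed on the assumption that the demonstration certificate names weblogic.bea.com, the value the AltClient example above passes as -servername; treating an expected server name as the name the certificate is checked against is likewise an assumption of this model.

```python
"""Hostname verification as an SSL client performs it after the handshake.

Added illustration for this page, not WebLogic's HostNameVerifier: the
functions are my own. DEMO_CERT_NAMES is constructed on the assumption that
the demonstration certificate was issued to weblogic.bea.com, the name the
page's AltClient example passes as -servername. Treating an expected server
name as the name the certificate is checked against is also an assumption of
this model.
"""
import ipaddress
from urllib.parse import urlparse

DEMO_CERT_NAMES = ["weblogic.bea.com"]  # constructed, see module docstring


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def hostname_matches(cert_names, host):
    """True if host matches a name in the certificate.

    Rules (a subset of RFC 6125): case-insensitive exact match, or a
    wildcard that is the whole leftmost label (*.bea.com), which matches
    exactly one label and never matches an IP address literal.
    """
    host = host.rstrip(".").lower()
    ip_literal = _is_ip(host)
    for name in cert_names:
        name = name.rstrip(".").lower()
        if name == host:
            return True
        if ip_literal or not name.startswith("*."):
            continue
        suffix = name[1:]                    # "*.bea.com" -> ".bea.com"
        if host.endswith(suffix):
            leftmost = host[: -len(suffix)]
            if leftmost and "." not in leftmost:
                return True
    return False


def verify_peer(cert_names, url, expected_server_name=None,
                ignore_hostname_verification=False):
    """Decide whether the client accepts the server's certificate name.

    ignore_hostname_verification models
    -Dweblogic.security.SSL.ignoreHostnameVerification=true: the check is
    skipped, so any certificate the trusted CA signed is accepted no matter
    which host it was issued to. expected_server_name, when given, is checked
    instead of the host in the URL (a model of a -servername style option).
    """
    if ignore_hostname_verification:
        return True
    host = expected_server_name or urlparse(url).hostname
    if host is None:
        return False
    return hostname_matches(cert_names, host)


if __name__ == "__main__":
    url = "t3s://localhost:7002"
    print("URL host only:      ", verify_peer(DEMO_CERT_NAMES, url))
    print("verification off:   ", verify_peer(DEMO_CERT_NAMES, url, ignore_hostname_verification=True))
    print("expected name given:", verify_peer(DEMO_CERT_NAMES, url, "weblogic.bea.com"))
```

Run as a script it prints False for the plain localhost URL (the mismatch the page works around), True with verification disabled, and True when the expected name is supplied and matches. The wildcard handling is included because production certificates often carry such names; a wildcard is accepted only as the entire leftmost label and only for one label, so a certificate for *.bea.com does not vouch for a.b.bea.com or for bea.com itself.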

There's More...

Read more about ACLs and security in Programming WebLogic Security and Managing Security.


Documentation is available at
http://e-docs.bea.com/wls/docs61

Copyright © 2001 BEA Systems, Inc. All Rights Reserved.