Package examples.security.net

The weblogic.security.net package provides a way to restrict client connections to WebLogic Server based on the client's origin and protocol.

See:
Description

Class Summary

FastFilterEntry	Fast filter rule.
FilterEntry	Abstract filter rule.
SimpleConnectionFilter	Simple rules-based connection filter example.
SimpleConnectionFilter2	Simple rules-based connection filter example.
SlowFilterEntry	Slow filter rule.

Package examples.security.net Description

The weblogic.security.net package provides a way to restrict client connections to WebLogic Server based on the client's origin and protocol. The net code example provides an implementation of two weblogic.security.net interfaces:

• ConnectionFilter
  This interface defines the accept() method which is used to implement connection filtering. Implementing this interface alone does not permit the use of the Administration Console to enter filtering rules to restrict client connections, rather some other form (such as a flat file, which is defined in the console) must be used for that purpose.

• ConnectionFilterRulesListener
  This interface defines two methods which are used to implement connection filtering: setRules() and checkRules(). Implementing this interface allows the use of the Administration Console to enter filtering rules to restrict client connections.

  Note: To be able to enter and edit connection filtering rules on the Administration Console, you must implement the ConnectionFilterRulesListener interface; otherwise some other form must be used. For example, a flat file could be used.

The SimpleConnectionFilter class implements the ConnectionFilter interface. The SimpleConnectionFilter2 class implements the ConnectionFilter interface and the ConnectionFilterRulesListener interface. Both classes call the accept() method after gathering information about the client connection. The SimpleConnectionFilter includes the remote IP address and the connection protocol (HTTP, HTTPS, T3, T3S, IIOP, or IIOPS). The SimpleConnectionFilter2 includes the remote IP address, remote port number, local IP address, local port number and the connection protocol. This information is passed to the ConnectionFilter.accept() method in a ConnectionEvent. Based on the information, the ConnectionFilter.accept() method either allows or denies the client connection. If the client connection is denied, a FilterException is thrown.

Perform the following steps in order to build and run the example:

1. Build the example
2. Configure the server
3. Run the example

Build the Example

1. Set up your development shell as described in Setting up your environment.

2. Compile the example by executing an ant build script or a command.
   • An ant build script is available in the %SAMPLES_HOME%\server\src\examples\security\net directory. Enter the following command to execute the build script:

     ant

   • Enter the following command to compile the example:

     javac -d %SERVER_CLASSES% *.java

3. Copy the filter file from the SAMPLES_HOME\server\src\examples\security\net directory to the SAMPLES_HOME\server\stage\examples\serverclasses\examples\security\net directory.

4. Edit the filter file in the %SAMPLES_HOME%\server\stage\examples\serverclasses\examples\security\net directory to set up the filters for the net example. For more information about the filter file format, see examples.security.net.SimpleConnectionFilter.

Configure the Server

1. Bring up the Administration Console in a browser.

2. Configure the desired connection filter class (configure only one class at a time).
   • To configure the SimpleConnectionFilter class, install SimpleConnectionFilter.
     1. Select the examples node or the 6.x Security node in the left pane.
     2. Click on the Security Tab.
     3. Click on the Filter tab.
     4. Enter examples.security.net.SimpleConnectionFilter in the Connection Filter field.
     5. Click Apply.

   • To configure the SimpleConnectionFilter2 class, install SimpleConnectionFilter2 and enter the connection filter rules.
     1. Select the examples node or the 6.x Security node in the left pane.
     2. Click on the Security Tab.
     3. Click on the Filter tab.
     4. Enter examples.security.net.SimpleConnectionFilter2 in the Connection Filter field.
     5. Enter the filtering rules in the Connection Filter Rules field. For an example of filtering rules, see the filter file.
     6. Click Apply.

Run the Example

Restart the server.

Note: Restarting the server is only necessary when switching filter classes. If the SimpleConnectionFilter2 class is used, rules can be dynamically changed in the Administration Console as needed.

Check the WebLogic Server log file located at %SAMPLES_HOME%\server\config\examples\logs\wl-domain.log for messages about denied connections.

Additional Information About Using Connection Filters on Microsoft Windows Systems

Question: On Microsoft Windows systems, how does WebLogic Server respond when you set up connection filters that deny requests made from your local machine, that is, your local machine is the client?

Answer: On Windows machines, after failing with localhost (that is, IP address 127.0.0.1), it automatically tries IP address 127.127.127.127. As a result, you will see some type of message in your myserver.log for one of the first rules being blocked, but then the request is allowed because of the 127.127.127.127 not matching.

For example, if you try this client on your machine with WebLogic Server running on your machine:

java weblogic.Admin -url t3://spoz:7001 -username system -password password PING 1 1

And you have these filtering rules only:

localhost 127.0.0.1 7001 deny t3
spoz spoz 7001 deny t3

Then the above client will pass because you did not include the filtering rule:

spoz 127.127.127.127 7001 deny t3

However if you specify the following client on your machine with WebLogic Server running on your machine (specifying localhost:7001 instead of spoz:7001):

java weblogic.Admin -url t3://localhost:7001 -username system -password password PING 1 1

And you specified the following filtering rules:

localhost 127.0.0.1 7001 deny t3
spoz spoz 7001 deny t3

Then the client will fail to connect because it matches the first rule.

NOTE: Normally you would not deny HTTP requests from your own machine to your own machine if that machine was the admin server. Why? Because this would prevent you from accessing the Administration Console and making changes to the connection filter rules or anything else.

There's More...

Read more about connection filters and security in Programming WebLogic Security.