
Using Weblogic Network Connection Filters

12 Jul

A while back I spoke with Jacco Landlust, who told me about the Network Connection Filter feature of Oracle Weblogic. The feature interested me, so I decided to look into it.

Network Connection Filters (filters from now on) are a firewall/ACL-like feature that allows or denies access to the servers in your Weblogic domain based on protocol and network address.

The example Oracle gives in its own documentation is restricting access to the Administration Server to prevent unauthorized access. Another example would be allowing access to your applications/services only from a specific range of addresses in your company network.

You can find the filter configuration in the left menu of the Weblogic Console under your domain.
Then go to Security -> Filter.

Connection Filter: weblogic.security.net.ConnectionFilterImpl
Connection Filter Rules:

127.0.0.1 * 7001 allow #local ipv4
server01 * 7001 allow #local hostname
0:0:0:0:0:0:0:1 * 7001 allow #local ipv6
0.0.0.0/0 * 7001 deny # all other traffic

(Screenshot: Weblogic Console, Security -> Filter page)

Rules are evaluated top -> down and the first matching rule wins, so the 4th line denies all traffic (0.0.0.0/0) to all local addresses (*) on the admin port (7001). Access is granted only if one of the first 3 rules matches, which in this example means only connections from the local machine.

The following Notice appears in the server log when a connection is rejected by the filter:

<datetime> <Notice> <Socket> <BEA-000445> <Connection rejected, filter blocked Socket[addr=10.50.30.203,port=54144,localport=7001], weblogic.security.net.FilterException: [Security:090220]rule 4>

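Rejections like the one above are the obvious thing to watch for in the server log: a single rejection is usually a misconfigured client, a burst from one source is worth a look. The following parser and summary is an added example (not code from the post or from Oracle); it matches the BEA-000445 line format shown above and runs over a constructed sample log. The timestamp values, the second and the extra rejected addresses in SAMPLE_LOG are made up, and the group names in the regex are mine.

```python
import re
from collections import Counter

# Pattern for the BEA-000445 Notice as printed in the post; group names are my own.
REJECT_RE = re.compile(
    r"<(?P<timestamp>[^>]*)> <Notice> <Socket> <BEA-000445> "
    r"<Connection rejected, filter blocked "
    r"Socket\[addr=(?P<remote>[^,\]]+),port=(?P<remote_port>\d+),localport=(?P<local_port>\d+)\], "
    r"weblogic\.security\.net\.FilterException: \[Security:090220\]rule (?P<rule>\d+)>"
)


def parse_rejection(line):
    """Return a dict for a BEA-000445 rejection line, or None for any other line."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["remote_port"] = int(rec["remote_port"])
    rec["local_port"] = int(rec["local_port"])
    rec["rule"] = int(rec["rule"])  # the rule number that blocked the connection
    return rec


def summarize_rejections(lines, threshold=3):
    """Count rejections per remote address and per rule; flag sources at or above threshold."""
    per_source = Counter()
    per_rule = Counter()
    for line in lines:
        rec = parse_rejection(line)
        if rec is None:
            continue  # not a filter rejection, ignore
        per_source[rec["remote"]] += 1
        per_rule[rec["rule"]] += 1
    noisy = sorted(addr for addr, n in per_source.items() if n >= threshold)
    return {"per_source": dict(per_source), "per_rule": dict(per_rule), "noisy_sources": noisy}


# Constructed sample log: the rejection from the post plus made-up neighbouring lines.
SAMPLE_LOG = [
    "<Jul 12, 2011 10:15:01 AM CEST> <Notice> <Socket> <BEA-000445> <Connection rejected, filter blocked "
    "Socket[addr=10.50.30.203,port=54144,localport=7001], weblogic.security.net.FilterException: [Security:090220]rule 4>",
    "<Jul 12, 2011 10:15:02 AM CEST> <Info> <Socket> <constructed unrelated log line, ignored by the parser>",
    "<Jul 12, 2011 10:15:07 AM CEST> <Notice> <Socket> <BEA-000445> <Connection rejected, filter blocked "
    "Socket[addr=10.50.30.203,port=54150,localport=7001], weblogic.security.net.FilterException: [Security:090220]rule 4>",
    "<Jul 12, 2011 10:15:09 AM CEST> <Notice> <Socket> <BEA-000445> <Connection rejected, filter blocked "
    "Socket[addr=10.50.30.203,port=54151,localport=7001], weblogic.security.net.FilterException: [Security:090220]rule 4>",
    "<Jul 12, 2011 10:16:30 AM CEST> <Notice> <Socket> <BEA-000445> <Connection rejected, filter blocked "
    "Socket[addr=192.168.7.20,port=40022,localport=8011], weblogic.security.net.FilterException: [Security:090220]rule 3>",
]

if __name__ == "__main__":
    for addr, n in summarize_rejections(SAMPLE_LOG)["per_source"].items():
        print(f"{addr}: {n} rejected connection(s)")
```

The per-rule count is useful right after a rule change: if a rule that is meant to catch stray traffic suddenly blocks your own managed servers, it shows up here before anyone opens a ticket.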
  • Changing the connection filter type requires a restart of all servers in the domain
  • Changes to the filter rules are activated instantly
  • You can filter only on remoteAddress, localAddress, localPort and protocol
  • Supported protocols are: http, https, t3, t3s, ldap, ldaps, iiop, iiops & com
  • Protocols are the last parameter of a rule; if none is mentioned (as in the example) the rule applies to all protocols
  • Filters apply to all servers in your Weblogic domain, so remember that you can lock out yourself (admin console) or even the internal Weblogic communication between the managed servers and the admin server
  • Filters are stored in the config.xml file, so if you really locked yourself out -> look there

Conclusion:
Testing with filters I came to the conclusion that it is actually a very nice feature to easily and quickly upgrade the security of your Weblogic domain. If you have a hardware firewall in place to keep unwanted users in your network away from the servers, that would of course be even better. Otherwise I would probably want to implement this feature in every production environment I am responsible for.

Quick Example 2:
Locking out all traffic to the OSB services hosted on machines 10.0.0.11 and 10.0.0.12 on port 8011 (line 3), except for http traffic from servers in the 10.0.0.0/24 subnet (lines 1 and 2):

10.0.0.0/24 10.0.0.11 8011 allow http #osb services
10.0.0.0/24 10.0.0.12 8011 allow http #osb services
0.0.0.0/0 * 8011 deny #osb services
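Because the rules apply to every server in the domain and the last rule in both examples is a catch-all deny, it pays to dry-run a rule set before pasting it into the console. The simulator below is an added example, not Weblogic's own ConnectionFilterImpl or anything from the post; it reproduces the rule syntax and the top-down, first-match semantics described above for both rule sets on this page (the admin-port rules and the OSB rules) and adds a lockout check for the situation warned about in the notes. Two assumptions are mine: a connection that matches no rule is treated as allowed, and the hostname in a rule (server01) is resolved through the constructed HOST_LOOKUP table rather than DNS.

```python
import ipaddress

# Constructed stand-in for the hostname resolution Weblogic does when a rule names a host.
HOST_LOOKUP = {"server01": ["10.0.0.10"]}

# The two rule sets from the post, verbatim.
ADMIN_RULES = """
127.0.0.1 * 7001 allow #local ipv4
server01 * 7001 allow #local hostname
0:0:0:0:0:0:0:1 * 7001 allow #local ipv6
0.0.0.0/0 * 7001 deny # all other traffic
"""

OSB_RULES = """
10.0.0.0/24 10.0.0.11 8011 allow http #osb services
10.0.0.0/24 10.0.0.12 8011 allow http #osb services
0.0.0.0/0 * 8011 deny #osb services
"""


def parse_rules(text):
    """Parse lines of the form: target localAddress localPort action [protocol ...] [#comment]."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop the trailing comment
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"rule needs at least 4 fields: {raw!r}")
        target, local_addr, local_port, action = fields[:4]
        if action.lower() not in ("allow", "deny"):
            raise ValueError(f"action must be allow or deny: {raw!r}")
        rules.append({
            "target": target,
            "local_addr": local_addr,            # '*' means any local address
            "local_port": int(local_port),
            "action": action.lower(),
            "protocols": {p.lower() for p in fields[4:]},  # empty set = all protocols
        })
    return rules


def _target_matches(target, remote_ip):
    """True if remote_ip falls in the target address, CIDR/netmask range, or resolved hostname."""
    ip = ipaddress.ip_address(remote_ip)
    try:
        # 'in' is False across IPv4/IPv6, so an IPv6 client never matches an IPv4 rule.
        return ip in ipaddress.ip_network(target, strict=False)
    except ValueError:
        return remote_ip in HOST_LOOKUP.get(target, [])  # not an address: treat as hostname


def evaluate(rules, remote_ip, local_ip, local_port, protocol):
    """Walk the rules top-down; the first matching rule decides.

    Returns (action, rule_number). ASSUMPTION: a connection matching no rule is
    allowed and reported as ("allow", None).
    """
    for number, rule in enumerate(rules, start=1):
        if not _target_matches(rule["target"], remote_ip):
            continue
        if rule["local_addr"] != "*" and rule["local_addr"] != local_ip:
            continue
        if rule["local_port"] != local_port:
            continue
        if rule["protocols"] and protocol.lower() not in rule["protocols"]:
            continue
        return rule["action"], number
    return "allow", None


def lockout_check(rules, required):
    """Return the connections in `required` (evaluate() argument tuples) that the rules would deny."""
    return [conn for conn in required if evaluate(rules, *conn)[0] == "deny"]


if __name__ == "__main__":
    admin = parse_rules(ADMIN_RULES)
    # A managed server on a second machine (constructed address) talking to the admin server.
    must_work = [("10.0.0.20", "10.0.0.10", 7001, "t3")]
    for conn in lockout_check(admin, must_work):
        print("would be locked out:", conn, "->", evaluate(admin, *conn))
```

Running the block shows the point of the lockout check: with the admin-port rules as written, a managed server on another machine is denied by rule 4, exactly the "rule 4" the log Notice above reports for a foreign address. Adding that machine's address (or subnet) as an allow rule above the deny keeps the domain talking to itself.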

Reference: http://download.oracle.com/docs/cd/E12840_01/wls/docs103/security/con_filtr.html


Posted by on 12-07-2011 in Oracle, Weblogic


3 responses to “Using Weblogic Network Connection Filters”

  1. karthi premakumari

    28-07-2011 at 22:24

    You said “Filters are stored in the config.xml file, so if you really locked yourself out -> Look there”

    I got locked out and WLS won’t even start… where is this config file where the connection filter information is stored?

    Thank you!

    • jvzoggel

      28-07-2011 at 22:34

      Hello Karthi,

      The weblogic config.xml is located in your domain folder.
      There should be a folder: ../../domains/%domainname%/config/config.xml

      p.s. By default this folder is located in your /%WLHOME%/user_projects/ folder but you can alter this during install.

      regards,

      Jan

