A while back I spoke with Jacco Landlust and he told me about the Network Connection Filter feature of Oracle Weblogic. I was interested in this feature and decided to look into it.
Network Connection Filters (filters from now on) are a firewall/ACL-like feature that can be used to allow or deny access to the servers in your Weblogic domain for certain protocols and network addresses.
The example Oracle itself gives in its documentation is restricting access to the Administration Server to prevent unauthorized access. Another example could be allowing access to your applications/services only from a specific range of addresses in your company network.
You can find the configuration of filters in the left menu of the Weblogic Console under the domain.
Then go to Security -> Filter.
Connection Filter: weblogic.security.net.ConnectionFilterImpl
Connection Filter Rules:
127.0.0.1 * 7001 allow #local ipv4
server01 * 7001 allow #local hostname
0:0:0:0:0:0:0:1 * 7001 allow #local ipv6
0.0.0.0/0 * 7001 deny # all other traffic
Each rule is written on its own line as remoteAddress, localAddress, localPort, action and (optionally) protocols; everything after a # is a comment. Rules are evaluated top -> down and the first matching rule wins, so the 4th line denies all remaining traffic (0.0.0.0/0) to every local address (*) on the admin port (7001). Access is only granted if one of the first 3 rules matches first, which in this example is only the case for connections from the local machine. The explicit deny as the last rule is what actually closes the port: a connection that matches none of the earlier rules would otherwise not be blocked.
The following Notice appears in the server log when a connection is rejected by the filter (the rule number at the end tells you which rule blocked it):
<datetime> <Notice> <Socket> <BEA-000445> <Connection rejected, filter blocked Socket[addr=10.50.30.203,port=54144,localport=7001], weblogic.security.net.FilterException: [Security:090220]rule 4>
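Because every rejection is logged as BEA-000445 with the source address, the target port and the rule that fired, the server log can be used as a cheap detection source. The snippet below is an added example (not code from the original post) that parses such lines, counts rejections per source address and separates two cases a practitioner wants to tell apart: an external address hammering the admin port, and an internal host (a managed server, for instance) being rejected, which usually means the filter rules locked out legitimate traffic rather than an attacker. The sample log lines, the timestamps, the 10.0.0.x/10.50.30.203 addresses and the set of "known internal hosts" are constructed for the example; the regex accepts an optional leading slash in the address field because Java's Socket.toString() may print one.

```python
import re
from collections import Counter

# Matches the BEA-000445 "Connection rejected" Notice quoted above.
# The address may or may not be printed with a leading "/" (Java Socket.toString()).
LOG_RE = re.compile(
    r'<BEA-000445>\s*<Connection rejected, filter blocked '
    r'Socket\[addr=(?P<addr>/?[^,\]]+),port=(?P<port>\d+),localport=(?P<localport>\d+)\]'
    r'.*?\[Security:090220\]rule (?P<rule>\d+)>'
)

# Constructed sample log (timestamps and addresses made up for the example).
SAMPLE_LOG = """\
<Jan 5, 2014 10:12:01 AM CET> <Notice> <Socket> <BEA-000445> <Connection rejected, filter blocked Socket[addr=10.50.30.203,port=54144,localport=7001], weblogic.security.net.FilterException: [Security:090220]rule 4>
<Jan 5, 2014 10:12:02 AM CET> <Notice> <Socket> <BEA-000445> <Connection rejected, filter blocked Socket[addr=10.50.30.203,port=54145,localport=7001], weblogic.security.net.FilterException: [Security:090220]rule 4>
<Jan 5, 2014 10:12:03 AM CET> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to RUNNING>
<Jan 5, 2014 10:12:05 AM CET> <Notice> <Socket> <BEA-000445> <Connection rejected, filter blocked Socket[addr=10.50.30.203,port=54146,localport=7001], weblogic.security.net.FilterException: [Security:090220]rule 4>
<Jan 5, 2014 10:13:40 AM CET> <Notice> <Socket> <BEA-000445> <Connection rejected, filter blocked Socket[addr=/10.0.0.12,port=40211,localport=7001], weblogic.security.net.FilterException: [Security:090220]rule 4>
"""

# Hosts that legitimately talk to the admin server (constructed for the example).
INTERNAL_HOSTS = {"10.0.0.11", "10.0.0.12"}


def parse_rejections(log_text):
    """Return one dict per BEA-000445 line: source addr/port, local port, rule number."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            hits.append({
                "addr": m["addr"].lstrip("/"),
                "port": int(m["port"]),
                "localport": int(m["localport"]),
                "rule": int(m["rule"]),
            })
    return hits


def rejections_by_source(log_text):
    """Count rejected connections per remote address."""
    return Counter(h["addr"] for h in parse_rejections(log_text))


def flag_sources(log_text, threshold=3):
    """Remote addresses rejected at least `threshold` times (probing / misconfigured clients)."""
    return sorted(a for a, n in rejections_by_source(log_text).items() if n >= threshold)


def lockout_suspects(log_text, internal_hosts):
    """Internal hosts that got rejected: a sign the rules block legitimate traffic, not an attack."""
    return sorted(set(h["addr"] for h in parse_rejections(log_text)) & set(internal_hosts))


if __name__ == "__main__":
    for addr, n in rejections_by_source(SAMPLE_LOG).most_common():
        print(f"{addr}: {n} rejected connection(s)")
    print("noisy sources:", flag_sources(SAMPLE_LOG))
    print("possible lockout of internal hosts:", lockout_suspects(SAMPLE_LOG, INTERNAL_HOSTS))
```

Run it against a real server log (or feed the lines to your SIEM with the same regex): a burst of rule-4 rejections from one external address on localport 7001 is exactly what the filter is there to stop, while a rejection from a host in your own managed-server list is the lockout case described in the notes below and should be treated as a configuration problem.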
- Changing the connection filter type (the class) requires a restart of all servers in the domain
- Changes to the filter rules are activated instantly
- You can only filter on remoteAddress, localAddress, localPort and protocol
- Supported protocols are: http, https, t3, t3s, ldap, ldaps, iiop, iiops & com
- Protocols are the last parameter in a rule; if none are mentioned (as in the example above) the rule applies to all protocols
- Filters apply to all servers in your Weblogic domain, so remember that you can lock yourself out (admin console) or even block internal Weblogic communication between the managed servers and the admin server
- Filters are stored in the config.xml file, so if you really locked yourself out -> look there
Testing with filters I came to the conclusion that it's actually a very nice feature to easily and quickly upgrade the security of your Weblogic domain. If you have a hardware firewall in place to prevent access from unwanted users in your network that would of course be even better. Otherwise I would probably want to implement such a feature in every production environment I would be responsible for.
Locking out all traffic to OSB services which are hosted on machines 10.0.0.11 and 10.0.0.12 on port 8011 (line 3), except for http traffic from servers in the 10.0.0.0/24 subnet (lines 1+2):
10.0.0.0/24 10.0.0.11 8011 allow http #osb services
10.0.0.0/24 10.0.0.12 8011 allow http #osb services
0.0.0.0/0 * 8011 deny #osb services
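Before putting a rule set like this (or the admin-port rule set earlier on the page) into a domain, it pays to dry-run it against the connections you expect to see, precisely because the filter applies to every server and can lock you or your managed servers out. The following is an added example, not code from the original post or from Oracle: a small Python model of the rule syntax as described above (one rule per line, remoteAddress localAddress localPort action [protocols...], # starts a comment, top-down evaluation, first match wins, protocol list empty means all protocols). It applies both rule sets from this page to a handful of constructed connection attempts. Assumptions, labelled in the code: hostnames in a rule (like server01) are compared as plain strings because the model does no DNS, whereas the real filter resolves them; a connection matching no rule is treated as allowed, which is the reason both examples end with an explicit deny; and an IPv4 catch-all like 0.0.0.0/0 is not matched against IPv6 peers in this model.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# The admin-port rule set from the page.
ADMIN_RULES = """
127.0.0.1 * 7001 allow #local ipv4
server01 * 7001 allow #local hostname
0:0:0:0:0:0:0:1 * 7001 allow #local ipv6
0.0.0.0/0 * 7001 deny # all other traffic
"""

# The OSB rule set from the page.
OSB_RULES = """
10.0.0.0/24 10.0.0.11 8011 allow http #osb services
10.0.0.0/24 10.0.0.12 8011 allow http #osb services
0.0.0.0/0 * 8011 deny #osb services
"""


@dataclass(frozen=True)
class Rule:
    remote: str              # IP, CIDR, hostname or '*'
    local: str               # local (listen) address or '*'
    local_port: str          # port number or '*'
    action: str              # 'allow' or 'deny'
    protocols: FrozenSet[str]  # empty == all protocols
    number: int              # 1-based position, the number reported in BEA-000445


def parse_rules(text: str) -> List[Rule]:
    """Parse rule text: one rule per line, '#' starts a comment, blank lines ignored."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[3] not in ("allow", "deny"):
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append(Rule(parts[0], parts[1], parts[2], parts[3],
                          frozenset(p.lower() for p in parts[4:]), len(rules) + 1))
    return rules


def _match_addr(token: str, ip: str, host: Optional[str]) -> bool:
    """'*' matches anything; IPs/CIDRs are matched numerically; anything else is a hostname."""
    if token == "*":
        return True
    try:
        net = ipaddress.ip_network(token, strict=False)   # '10.0.0.11' becomes /32
    except ValueError:
        # Assumption of this model: plain string compare of the peer's name.
        # The real filter resolves hostnames; this model does no DNS lookups.
        return host is not None and host.lower() == token.lower()
    addr = ipaddress.ip_address(ip)
    # Assumption: an IPv4 network (e.g. 0.0.0.0/0) does not match an IPv6 peer here.
    return addr.version == net.version and addr in net


def evaluate(rules: List[Rule], remote_ip: str, local_ip: str, local_port: int,
             protocol: str, remote_host: Optional[str] = None) -> Tuple[str, Optional[int]]:
    """Top-down, first match wins. Returns (action, rule number); (allow, None) if nothing matched."""
    for r in rules:
        if (_match_addr(r.remote, remote_ip, remote_host)
                and _match_addr(r.local, local_ip, None)
                and r.local_port in ("*", str(local_port))
                and (not r.protocols or protocol.lower() in r.protocols)):
            return r.action, r.number
    # Assumption: no matching rule means the connection is accepted,
    # which is why both rule sets on the page end with an explicit deny.
    return "allow", None


if __name__ == "__main__":
    admin, osb = parse_rules(ADMIN_RULES), parse_rules(OSB_RULES)
    # Constructed connection attempts: (rules, remote ip, local ip, port, protocol, remote hostname)
    attempts = [
        (admin, "127.0.0.1", "10.0.0.10", 7001, "t3", None),         # local admin access
        (admin, "10.50.30.203", "10.0.0.10", 7001, "t3", None),      # the rejected peer from the log
        (admin, "10.0.0.12", "10.0.0.10", 7001, "t3", None),         # managed server: locked out!
        (admin, "10.0.0.12", "10.0.0.10", 7001, "t3", "server01"),   # unless it is server01
        (admin, "10.50.30.203", "10.0.0.10", 8001, "http", None),    # other ports untouched
        (osb, "10.0.0.50", "10.0.0.11", 8011, "http", None),         # intended OSB client
        (osb, "10.0.0.50", "10.0.0.11", 8011, "t3", None),           # same subnet, wrong protocol
        (osb, "192.168.1.5", "10.0.0.12", 8011, "http", None),       # outside the subnet
    ]
    for rules, rip, lip, port, proto, host in attempts:
        print(f"{rip:>13} -> {lip}:{port} {proto:<5} => {evaluate(rules, rip, lip, port, proto, host)}")
```

The third attempt is the caveat from the notes above made concrete: with the admin rule set in place, a managed server on 10.0.0.12 that is not named server01 hits rule 4 and can no longer reach the admin server on 7001, so add an allow rule for each managed server (or its subnet) before the final deny. The OSB case shows that naming a protocol makes the allow rule protocol-specific: t3 from inside 10.0.0.0/24 still falls through to the deny.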