Managing WebLogic Security
Note: Enabling trust between WebLogic Server domains opens the servers up to man-in-the-middle attacks. Great care should be taken when enabling trust in a production environment. BEA recommends having strong network security such as a dedicated communication channel or protection by a strong firewall.
Trust between domains is established so that principals in a Subject from one WebLogic Server domain are accepted as principals in another domain. When this feature is enabled, identity is passed between WebLogic Server domains over an RMI connection without requiring authentication in the second domain (for example: login to Domain 1 as Joe, make an RMI call to Domain 2 and Joe is still authenticated). When inter-domain trust is enabled, transactions can commit across domains. A trust relationship is established when the Domain Credential attribute for one domain matches the Domain Credential attribute for another domain.
The domain credential is randomly created the first time a WebLogic Server domain is started. This process ensures that by default no two WebLogic Server domains have the same credential. To enable trust between two WebLogic Server domains, you must explicitly specify the same value for the credential in both WebLogic Server domains.
By default, when you boot an Administration Server for the first time, the Domain Credential attribute is not defined. As the Administration Server boots, it notices that the Domain Credential attribute is not defined and generates a random credential.
WebLogic Server signs Principals with the Domain Credential as Principals are created. When a Subject is received from a remote source, its Principals are validated (the signature is recreated and if it matches, the remote domain has the same Domain Credential attribute). If validation fails, an error is generated. If validation succeeds, the Principals are trusted as if they were created locally.
If you want a WebLogic Server 6.x domain to interoperate with a WebLogic Server domain, change the Domain Credential attribute in the WebLogic Server domain to the password of the
system user in the WebLogic Server 6.x domain.
If you are enabling this feature in a managed server environment, you must stop the Administration server and all the Managed Servers in both domains and then restart them. If this step is not performed, servers that were not rebooted will not trust the servers that were rebooted.
Connection filters allow you to deny access at the network level. They can be used to protect server resources on individual servers, server clusters, or an entire internal network or Intranet. For example, you can deny any non-SSL connections originating outside of your corporate network. Network connection filters are a type of firewall in that they can be configured to filter on protocols, IP addresses, and DNS node names.
Connection filters are particularly useful when using the Administration port. Depending on your network firewall configuration, you may be able to use a connection filter to further restrict administration access. A typical use might be to restrict access to the Administration port to only the servers and machines in the domain. An attacker who gets access to a machine inside the firewall, still cannot perform administration operations unless the attacker is on one of the permitted machines.
WebLogic Server provides a default connection filter called
weblogic.security.net.ConnectionFilterImpl. This connection filter accepts all incoming connections and also provides static factory methods that allow the server to obtain the current connection filter. To configure this connection filter to deny access, simply enter the connection filters rules in the WebLogic Server Administration Console.
You can also use a custom connection filter by implementing the classes in the
weblogic.security.net package. For information about writing a connection filter, see Using Network Connection Filters in Programming WebLogic Security. Like the default connection filter, custom connection filters are configured in the WebLogic Server Administration Console.
weblogic.security.net.ConnectionFilterImplin the Connection Filter attribute field.
The Anonymous Admin Lookup Enabled attribute specifies whether anonymous, read-only access to WebLogic Server MBeans should be allowed from the
MBeanHome API. With this anonymous access, you can see the value of any MBean attribute that is not explicitly marked as protected by the Weblogic Server MBean authorization process. This attribute is checked by default to sure backward compatibility.