
package examples.security.snoopproof

Interface Index

  • Syncer

Class Index

  • Client
  • SnoopProofProxy
  • SnoopProofRealm
  • SnoopProofUserInfo
  • SyncerImpl

    about this package

    This example demonstrates how the classes in weblogic.security.acl can be used to implement a snoop-proof authentication scheme. When you compile and run this example, you'll see a time-trace output indicating successful authentication. If you run the example again within a minute, you'll get a message indicating that authentication was denied.

    Even though the client enters its username and password in clear text in this example, the authentication is snoop-proof. The UserInfo implementation serializes the password as the MD5 of the password and the current time. On the server, the corresponding realm checks the user info by comparing MD5 digests for the current and previous time period. As protection against replay, there can be only one successful authentication per time period.
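
    The digest-per-time-period check and the one-success-per-period replay rule described above, as an added stand-alone example (it is not the source of SnoopProofUserInfo or SnoopProofRealm). The class name, the 60-second period, the UTF-8 encoding, the way the period number is mixed into the digest, and the exact replay bookkeeping are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added illustration of the scheme; names and encoding choices are assumptions.
public class TimeWindowDigestDemo {
    static final long PERIOD_MS = 60_000L;  // assumed period length (one minute)
    private long lastAcceptedPeriod = -1;   // replay guard; a real realm would keep one per user

    // Client side: send MD5(password + period number) instead of the password.
    static byte[] token(String password, long period) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5"); // algorithm named on the page
            md.update(password.getBytes(StandardCharsets.UTF_8));
            md.update(Long.toString(period).getBytes(StandardCharsets.UTF_8));
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Server side: recompute the digest for the current and the previous period,
    // and allow at most one success per period so a captured digest cannot be reused.
    synchronized boolean authenticate(String storedPassword, byte[] presented, long nowMs) {
        long current = nowMs / PERIOD_MS;
        for (long p = current; p >= current - 1; p--) {
            if (MessageDigest.isEqual(token(storedPassword, p), presented)) {
                if (p <= lastAcceptedPeriod) return false; // digest period already used up
                lastAcceptedPeriod = current;
                return true;
            }
        }
        return false; // wrong password, or digest older than the previous period
    }

    public static void main(String[] args) {
        TimeWindowDigestDemo realm = new TimeWindowDigestDemo();
        long t0 = 1_000_000 * PERIOD_MS + 5_000;               // constructed clock value
        byte[] captured = token("abracadabra", t0 / PERIOD_MS); // what a snooper would see
        System.out.println("first login:         " + realm.authenticate("abracadabra", captured, t0));
        System.out.println("replay after 10 s:   " + realm.authenticate("abracadabra", captured, t0 + 10_000));
        System.out.println("replay after 70 s:   " + realm.authenticate("abracadabra", captured, t0 + 70_000));
        byte[] fresh = token("abracadabra", (t0 + 70_000) / PERIOD_MS);
        System.out.println("fresh login at 70 s: " + realm.authenticate("abracadabra", fresh, t0 + 70_000));
    }
}
```

    Accepting the previous period tolerates a request that crosses a period boundary or a small clock difference between client and server; the replay guard is what keeps that tolerance from widening the window in which a captured digest is useful.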

    Also included in this directory are build scripts for Windows NT or UNIX.

    how to use this package

    1. Set up your development environment as described in Setting your development environment.

    2. Edit Client.java and SnoopProofProxy.java in this directory, and set the correct URL for your WebLogic Server. As distributed, the URL is set to t3://localhost:7001.

      Then compile the example with build.bat (Windows NT) or build.sh (UNIX) in this directory.

    3. Register the SnoopProofRealm as an RMI startup class in the weblogic.properties file with this entry:
        weblogic.rmi.startupClass.snoopProof=examples.security.snoopproof.SnoopProofRealm
        weblogic.rmi.startupArgs.snoopProof=weblogic xxxxxx

      where xxxxxx is the password for the WebLogic administrative user, "system." The startup argument "weblogic" designates the default WebLogic Realm as the realm for snoop proofing.

    4. Register a user in the weblogic.properties file to work with the example, with this entry:
        weblogic.password.doe=abracadabra

    5. Start the WebLogic Server in your server shell.

    6. Call the Client class in your development shell, with a command like this:
        $ java examples.security.snoopproof.Client user password

      For example,

       $ java examples.security.snoopproof.Client doe abracadabra

      Both arguments are optional. They default to "system" and "gumby999."

      You should see a message ending with "Successfully pinged server."

      Execute the Client class again within 60 seconds. You should see a message like "Authentication for user doe denied in realm weblogic.snoopProof."

    there's more . . .

    Read more about WebLogic Security in the Developers Guides, Using WebLogic SSL, and Using WebLogic ACLs.