
WebLogic Server Configuration Reference


Security

Description

Specifies the security properties of a WebLogic domain.

Syntax

<!ELEMENT Security EMPTY >
<!ATTLIST Security
   AuditProviderClassName     CDATA                    #IMPLIED
   CompatibilityMode          (true | false)           "false"
   ConnectionFilter           CDATA                    #IMPLIED
   ConnectionFilterRules      CDATA                    #IMPLIED
   ConnectionLoggerEnabled    (true | false)           "false"
   GuestDisabled              (true | false)           "true"
   Name                       CDATA                    #REQUIRED
   Notes                      CDATA                    #IMPLIED
   PasswordPolicy             CDATA                    #IMPLIED
   Realm                      CDATA                    #IMPLIED
   SystemUser                 CDATA                    "system"
>

Parent Elements

The Security element is a child of the Domain element.

Attributes

Table 60-1 SecurityMBean Element Attributes

Attribute

Description

Range of Values and Default

Console Label

Audit-Provider-Class-Name


Audit Provider Class

Compatibility-Mode

Specifies whether migration from a WebLogic Server 6.x security configuration is enabled.

Default: false

Compatibility Mode

Connection-Filter

The name of the Java class that implements a connection filter. The connection filter must be an implementation of the weblogic.security.net.ConnectionFilter interface. WebLogic Server provides a default implementation.

Default: null

Connection Filter

Connection-Filter-Rules

The list of rules for the system connection filter. If none are specified, all connections are accepted.

The syntax of the rules is as follows:

  • Each rule must be written on a single line of the rules text.

  • Tokens in a rule are separated by white space.

  • A pound sign (#) is the comment character. Everything after a pound sign on a line is ignored.

  • Whitespace before or after a rule is ignored.

  • Lines consisting only of whitespace or comments are skipped.

All rules have the following format:

  target localAddress localPort action protocols

where

  • target specifies the remote host, network, or domain-name pattern whose connections the rule applies to.

  • localAddress defines the host address of the server. (If you specify an asterisk (*), the rule matches all local IP addresses.)

  • localPort defines the port on which the server is listening. (If you specify an asterisk, the rule matches all ports on the server.)

  • action specifies the action to perform. The value must be allow or deny.

  • protocols is the list of protocol names to match. If protocols are listed, each must be one of http, https, t3, t3s, giop, giops, dcom, or ftp. If no protocol is listed, the rule matches all protocols.

Two kinds of rules are recognized:

  • A fast rule applies to a hostname or IP address with an optional netmask. If a hostname corresponds to multiple IP addresses, multiple rules are generated (in no particular order). Netmasks can be specified either in numeric or dotted-quad form. For example:

    dialup-555-1212.pa.example.net 127.0.0.1 7001 deny t3 t3s   # http(s) OK
    192.168.81.0/255.255.254.0     127.0.0.1 8001 allow         # 23-bit netmask
    192.168.0.0/16                 127.0.0.1 8002 deny          # like /255.255.0.0

    Hostnames for fast rules are looked up once at server startup. While this design greatly reduces overhead at connect time, it can result in the filter using out-of-date information about which addresses correspond to a hostname. BEA Systems recommends using numeric IP addresses instead.

  • A slow rule applies to part of a domain name. Because matching such a rule requires a DNS lookup of the client's address at connect time, a slow rule may be much slower than a fast rule. Slow rules are also subject to DNS spoofing. Slow rules are specified as follows:

    *.script-kiddiez.org 127.0.0.1 7001 deny

    An asterisk only matches at the head of a pattern. If you specify an asterisk anywhere else in a rule, it is treated as a literal part of the pattern; such a pattern can never match a domain name, since an asterisk is not a legal character in a domain name.

When a client connects to WebLogic Server, these rules are evaluated in the order in which they were written. The first rule to match determines how the connection is treated. If no rules match, the connection is permitted.

If you want to further protect your server and only allow connections from certain addresses, you can specify 0.0.0.0/0 * * deny as your last rule, so that any connection not explicitly allowed by an earlier rule is rejected.
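The rule grammar above, worked through as a small evaluator. This is an added example written for this page in Python; it is not BEA's ConnectionFilter implementation and the names Rule, parse_rules, load_rules, validate, decide and STATIC_DNS are its own. It parses rule text using the documented comment, whitespace and token rules, loads the page's own example rules, expands a hostname into one fast rule per address (a constructed static table stands in for DNS so the example runs offline), matches slow rules against a caller-supplied client name, and applies first-match-wins with the documented default of allowing unmatched connections. A final 0.0.0.0/0 * * deny rule is appended to show the effect of the catch-all.

```python
"""Evaluator for WebLogic-style connection filter rules.

Added example for this page, not BEA's ConnectionFilter code.  It implements
the documented grammar: '#' comments, whitespace-separated tokens,
"target localAddress localPort action [protocols...]", fast rules (address
with an optional numeric or dotted-quad netmask; hostnames resolved once at
load time), slow rules ("*.domain" patterns), first match wins, and
allow-by-default.  Assumption: STATIC_DNS stands in for DNS so this runs offline.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Union

KNOWN_PROTOCOLS = {"http", "https", "t3", "t3s", "giop", "giops", "dcom", "ftp"}

# Constructed stand-in for DNS (RFC 5737 documentation addresses).
STATIC_DNS = {"dialup-555-1212.pa.example.net": ["203.0.113.7", "203.0.113.8"]}

# The rules quoted on this page, as one constructed rule file.
RULES = """\
# target localAddress localPort action [protocols]
dialup-555-1212.pa.example.net 127.0.0.1 7001 deny t3 t3s   # http(s) OK
192.168.81.0/255.255.254.0     127.0.0.1 8001 allow         # 23-bit netmask
192.168.0.0/16                 127.0.0.1 8002 deny          # like /255.255.0.0
*.script-kiddiez.org           127.0.0.1 7001 deny          # slow rule
"""
CATCH_ALL = "0.0.0.0/0 * * deny   # last rule: deny whatever was not allowed above\n"


@dataclass(frozen=True)
class Rule:
    network: Optional[Union[ipaddress.IPv4Network, ipaddress.IPv6Network]]  # fast rule
    domain_suffix: Optional[str]   # slow rule: ".script-kiddiez.org"
    local_addr: Optional[str]      # None means "*"
    local_port: Optional[int]      # None means "*"
    action: str                    # "allow" or "deny"
    protocols: FrozenSet[str]      # empty set matches every protocol


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_rules(text: str, resolve: Callable[[str], List[str]]) -> List[Rule]:
    """Parse rule text; hostnames in fast rules are resolved here, once."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comment and surrounding space
        if not line:
            continue                           # blank or comment-only line
        tokens = line.split()
        if len(tokens) < 4:
            raise ValueError(f"line {lineno}: need target localAddress localPort action")
        target, laddr, lport, action, *protos = tokens
        if action not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: action must be allow or deny")
        unknown = set(protos) - KNOWN_PROTOCOLS
        if unknown:
            raise ValueError(f"line {lineno}: unknown protocol(s) {sorted(unknown)}")
        common = (None if laddr == "*" else laddr,
                  None if lport == "*" else int(lport),
                  action, frozenset(protos))
        if target.startswith("*."):
            # Slow rule: the asterisk is a wildcard only at the head of the pattern.
            rules.append(Rule(None, target[1:].lower(), *common))
            continue
        host, _, mask = target.partition("/")
        # A hostname produces one fast rule per address it resolves to.
        addrs = [host] if _is_ip(host) else resolve(host)
        if not addrs:
            raise ValueError(f"line {lineno}: {host!r} does not resolve")
        for addr in addrs:
            spec = f"{addr}/{mask}" if mask else addr   # /23 or /255.255.254.0 both work
            rules.append(Rule(ipaddress.ip_network(spec, strict=False), None, *common))
    return rules


def load_rules(text: str = RULES) -> List[Rule]:
    return parse_rules(text, lambda host: STATIC_DNS.get(host, []))


def validate(text: str) -> Optional[str]:
    """Return None if the rule text loads cleanly, else the parse error."""
    try:
        load_rules(text)
        return None
    except ValueError as exc:
        return str(exc)


def decide(rules: List[Rule], remote_ip: str, local_addr: str, local_port: int,
           protocol: str, remote_host: Optional[str] = None) -> str:
    """'allow' or 'deny' for one connection; rules apply in order, first match wins.
    remote_host is the client's reverse-DNS name and is consulted only by slow rules."""
    ip = ipaddress.ip_address(remote_ip)
    for r in rules:
        if r.local_addr is not None and r.local_addr != local_addr:
            continue
        if r.local_port is not None and r.local_port != local_port:
            continue
        if r.protocols and protocol not in r.protocols:
            continue
        if r.network is not None:
            if ip not in r.network:
                continue
        elif remote_host is None or not remote_host.lower().endswith(r.domain_suffix):
            continue
        return r.action
    return "allow"   # documented default: unmatched connections are permitted
```

With the page's four rules loaded, a t3 connection from one of the dial-up host's addresses to 127.0.0.1:7001 is denied while an https connection from the same address is allowed; 192.168.81.5 is allowed on port 8001 (the /23 rule comes first) but denied on port 8002 (caught by the /16 rule); and a client that is not covered by any rule is allowed until the catch-all is appended, after which it is denied. Slow rules only fire when the client name is available, which is the connect-time lookup the text warns about.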

Default: null

Connection Filter Rules

Connection-Logger-Enabled

Enables the logging of accepted connections. A system administrator can use this to review incoming connections in the log file and decide whether connection filtering needs to be configured.

Default: false

Connection Logger Enabled

Guest-Disabled

Specifies whether guest logins can be used to access WebLogic Server resources.

Default: true

Guest Disabled

Name

The name of the MBean.


Name

Notes

Optional information that you can include to describe this configuration.


Notes

Password-Policy

The password policy.


Password Policy

Realm

The realm policies.


Realm

System-User

The name of the system user. This attribute must be specified.

Default: "system"

System User
