Domain: Security: Filter
This page allows you to define connection filter settings for this WebLogic Server domain.
Connection filters add an additional layer of security by filtering unwanted network connections. For example, you can deny any non-SSL connections originating outside of your corporate network.
Configuration Options
Name: Connection Logger Enabled
Description: Specifies whether this WebLogic Server domain should log accepted connections.
MBean Attribute: SecurityMBean.ConnectionLoggerEnabled

Name: Connection Filter
Description: The name of the Java class that implements a connection filter (that is, the weblogic.security.net.ConnectionFilter interface). If no class name is specified, no connection filter will be used.
MBean Attribute: SecurityMBean.ConnectionFilter
Changes take effect after you redeploy the module or restart the server.

Name: Connection Filter Rules
Description: The rules used by any connection filter that implements the ConnectionFilterRulesListener interface. When using the default implementation and when no rules are specified, all connections are accepted. The default implementation rules are in the format:
target localAddress localPort action protocols
The syntax of the rules is as follows:
- Each rule must be written on a single line in the source code.
- Tokens in a rule are separated by white space.
- A pound sign (#) is the comment character. Everything after a pound sign on a line is ignored.
- Whitespace before or after a rule is ignored.
- Lines consisting only of whitespace or comments are skipped.
All rules have the following format:
target localAddress localPort action protocols
where
- target specifies one or more servers to filter.
- localAddress defines the host address of the server. (If you specify an asterisk (*), the match returns all local IP addresses.)
- localPort defines the port on which the server is listening. (If you specify an asterisk, the match returns all available ports on the server.)
- action specifies the action to perform. (The value must be allow or deny.)
- protocols is the list of protocol names to match. (One of the following protocols must be specified: http, https, t3, t3s, giop, giops, dcom, or ftp.) If no protocol is defined, all protocols will match a rule.
Two kinds of rules are recognized:
- A fast rule applies to a host name or IP address with optional netmask. If a host name corresponds to multiple IP addresses, multiple rules are generated.
- A slow rule applies to part of a domain name. Since a rule requires a connect-time DNS lookup to perform a match, slow rules impact performance.
MBean Attribute: SecurityMBean.ConnectionFilterRules
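
A rule set can be checked against the syntax above before it is entered in the console. The linter below is an added example, not Oracle code or part of the original page. The sample rules, addresses and host names are constructed, and two points are assumptions the page does not state: a target beginning with an asterisk is treated as a slow (partial domain name) rule, and the netmask is written in /bits notation.

```python
PROTOCOLS = {"http", "https", "t3", "t3s", "giop", "giops", "dcom", "ftp"}
ACTIONS = {"allow", "deny"}

def parse_rule(line):
    """Return a dict for one rule line, or None for a blank/comment-only line."""
    text = line.split("#", 1)[0].strip()  # '#' starts a comment; trim whitespace
    if not text:
        return None
    tokens = text.split()  # tokens are separated by white space
    if len(tokens) < 4:
        raise ValueError(f"expected at least 4 tokens, got {len(tokens)}")
    target, local_address, local_port, action, *protocols = tokens
    if local_port != "*" and not local_port.isdigit():
        raise ValueError(f"localPort must be '*' or a number: {local_port!r}")
    if action not in ACTIONS:
        raise ValueError(f"action must be allow or deny: {action!r}")
    unknown = [p for p in protocols if p not in PROTOCOLS]
    if unknown:
        raise ValueError(f"unknown protocol(s): {', '.join(unknown)}")
    # Assumption: a target starting with '*' is a partial domain name (slow rule).
    slow = target.startswith("*")
    return {"target": target, "local_address": local_address, "local_port": local_port,
            "action": action, "protocols": protocols, "slow": slow}  # [] = all protocols

def lint(text):
    """Parse every line; return (rules, errors) with errors as (line_no, message)."""
    rules, errors = [], []
    for line_no, line in enumerate(text.splitlines(), 1):
        try:
            rule = parse_rule(line)
            if rule is not None:
                rules.append(rule)
        except ValueError as exc:
            errors.append((line_no, str(exc)))
    return rules, errors

# Constructed sample input; addresses and host names are placeholders.
SAMPLE = """\
# rules for the admin channel
10.0.0.0/8     * *    allow              # fast rule, all protocols
*.example.com  * 7001 allow https t3s    # slow rule (DNS lookup at connect time)
0.0.0.0/0      * *    deny http t3
0.0.0.0/0      * *    permit https       # invalid action
192.0.2.10     * 7001 deny smtp          # protocol not in the list
"""

if __name__ == "__main__":
    for line_no, message in lint(SAMPLE)[1]:
        print(f"line {line_no}: {message}")
```

Counting the entries with "slow" set shows how many rules will incur a connect-time DNS lookup.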