Connection Filters allow you to deny access to UNWANTED Connections at the network level. Connection Filters can be used to protect server resources on individual servers, server clusters, or an entire internal network or Intranet. Connection filters are particularly useful when using the Administration port. Depending on your network firewall configuration, you may be able to use a connection filter to further restrict administration access. A typical use might be to restrict access to the Administration port to only the servers and machines in the domain.
WebLogic Server provides a default connection filter called
weblogic.security.net.ConnectionFilterImpl.
This default connection filter accepts all incoming connections except
the ones defined in your Administration Console as a Connection filter
rule. You can write your own custom connection filter by implementing
the classes in the weblogic.security.net package. This post will
demonstrate the steps to configure Weblogic Connection Filters.- If you have not already done so, in the Change Center of the Administration Console, click
Lock & Edit.
- In the left pane, click on the domain name.
- In the right pane, select the Security -> Filter tab.
- Click the Connection Logger Enabled attribute to enable the logging of accepted connections.
- Specify the Connection Filter to be used with the domain. This example uses the default connection filter
weblogic.security.net.ConnectionFilterImpl - Specify the Connection Filter Rules. Make sure that you use the syntax below while writing the rules.
Syntax:target localAddress localPort action protocols
wheretargetspecifies the client hosts that can connect to the Weblogic Server instancelocalAddressdefines the host address of the Weblogic Server instance to which any client can connect. If you specify an asterisk (*), the match returns all local IP addresses.localPortdefines the port on which the WebLogic Server instance is listening to which any client can connect. If you specify an asterisk (*), the match returns all available ports on the server.actionspecifies the action to perform. This value must be onlyallowordeny.protocols specifies the list of protocol names to match. The following protocols may be specified: http, https, t3, t3s, giop, giops, dcom, ftp, ldap. If no protocol is defined, all protocols will match a rule.
- Click Save and in the Change Center of the Administration Console, click Activate Changes.
Once saved an entry is made in the config.xml file for these settings as below:<connection-filter>weblogic.security.net.ConnectionFilterImpl</connection-filter>
<connection-filter-rule>10.1.xx.xx 10.1.xx.xx 7001 deny http</connection-filter-rule>
<connection-logger-enabled>true</connection-logger-enabled>
- Restart all the WebLogic Server instances for changes to take effect.
- Test the Connection Filter rules: Try to access
the WebLogic Server instance with the port from the target server
mentioned in the rule. This connection will be rejected because the rule
says to deny the connection.
####<May 24, 2011 1:34:50 PM MDT> <Notice> <Socket> <NAND-S77> <AdminServer> <ExecuteThread: '2' for queue: 'weblogic.socket.Muxer'> <<WLS Kernel>> <> <> <1306265690809> <BEA-000445> <Connection rejected, filter blocked Socket[addr=10.1.xx.xx,port=48316,localport=7001], weblogic.security.net.FilterException: [Security:090220]rule 1>
Try to access the WebLogic Server instance with the port from the target server which is not mentioned in the rule. This connection will be accepted because it is not denied by the rule:####<May 24, 2011 1:34:23 PM MDT> <Info> <Socket> <NAND-S77> <AdminServer> <ExecuteThread: '2' for queue: 'weblogic.socket.Muxer'> <<WLS Kernel>> <> <> <1306265663662> <BEA-000431> <Accepted Connection: Filtering is set to: "true" Remote Address: "/0:0:0:0:0:0:0:1" Remote Port: "51655" Local Address: "0.0.0.0/0.0.0.0" Local Port: "7001" Protocol: "http">
http://download.oracle.com/docs/cd/E13222_01/wls/docs81/security/con_filtr.html#1029299
No comments:
Post a Comment