
Administration Console Online Help

Domain --> Security --> Filter


Overview

Use this tab to enable the use of a connection filter and to define rules for the connection filter.

Tasks

Configuring Connection Filtering

Additional Documentation

(Requires an Internet connection.)

Introduction to WebLogic Security

Managing WebLogic Security

Programming WebLogic Security

Developing Security Providers for WebLogic Server

Securing a WebLogic Server Deployment

Upgrading Security in WebLogic Server Version 6.x to WebLogic Server Version 7.0

Security FAQ

The Security page in the WebLogic Server documentation

Attributes

Attribute Label

Description

Value Constraints

Connection Filter

The name of the Java class that implements a connection filter. The connection filter must be an implementation of the weblogic.security.net.ConnectionFilter interface. WebLogic Server provides a default implementation.

MBean: weblogic.management.configuration.SecurityMBean

Attribute: ConnectionFilter

Default: null

Configurable: yes

Readable: yes

Writable: yes

Connection Filter Rules

The list of rules for the system connection filter. If none are specified, all connections are accepted.

The syntax of the rules is as follows:

  • Each rule must be written on a single line in the source code.

  • Tokens in a rule are separated by white space.

  • A pound sign (#) is the comment character. Everything after a pound sign on a line is ignored.

  • Whitespace before or after a rule is ignored.

  • Lines consisting only of whitespace or comments are skipped.

All rules have the following format:

    target localAddress localPort action protocols

where

  • target specifies one or more servers to filter.

  • localAddress defines the host address of the server. (If you specify an asterisk (*), the match returns all local IP addresses.)

  • localPort defines the port on which the server is listening. (If you specify an asterisk, the match returns all available ports on the server.)

  • action specifies the action to perform. The value must be allow or deny.

  • protocols is the list of protocol names to match. (One or more of the following protocols must be specified: http, https, t3, t3s, giop, giops, dcom, or ftp.) If no protocol is defined, all protocols will match a rule.

Two kinds of rules are recognized:

  • A fast rule applies to a hostname or IP address with an optional netmask. If a hostname corresponds to multiple IP addresses, multiple rules are generated (in no particular order). Netmasks can be specified either in numeric or dotted-quad form. For example:

        dialup-555-1212.pa.example.net 127.0.0.1 7001 deny t3 t3s # http(s) OK
        192.168.81.0/255.255.254.0 127.0.0.1 8001 allow # 23-bit netmask
        192.168.0.0/16 127.0.0.1 8002 deny # like /255.255.0.0

    Hostnames for fast rules are looked up once at server startup. While this design greatly reduces overhead at connect time, it can result in the filter obtaining out-of-date information about what addresses correspond to a host name. BEA Systems recommends using numeric IP addresses instead.

  • A slow rule applies to part of a domain name. Since a rule requires a connect-time DNS lookup on the client side in order to perform a match, a slow rule may be much slower than a fast rule. Slow rules are also subject to DNS spoofing. Slow rules are specified as follows:

        *.script-kiddiez.org 127.0.0.1 7001 deny

    An asterisk only matches at the head of a pattern. If you specify an asterisk anywhere else in a rule, it is treated as part of the pattern. Note that such a pattern will never match a domain name, since an asterisk is not a legal part of a domain name.

When a client connects to WebLogic Server, these rules are evaluated in the order in which they were written. The first rule to match determines how the connection is treated. If no rules match, the connection is permitted.

If you want to further protect your server and only allow connections from certain addresses, you can specify 0.0.0.0/0 deny as your last rule.
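A worked parser and evaluator for the rule format described above, added here as an example; it is not BEA's implementation and not the weblogic.security.net.ConnectionFilter API. It applies the line, comment and token rules, expands a hostname target into one fast rule per resolved address, treats a *.domain target as a slow rule that does its reverse lookup only when reached, evaluates rules in order with first match winning, and returns allow when nothing matches. DNS is replaced by constructed lookup tables so it runs offline; the 203.0.113.x and 198.51.100.x addresses, the bot.script-kiddiez.org name, and the spelling of the final catch-all rule as 0.0.0.0/0 * * deny are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Protocol names the page allows in the protocols field.
KNOWN_PROTOCOLS = {"http", "https", "t3", "t3s", "giop", "giops", "dcom", "ftp"}

# Constructed stand-ins for DNS so the example runs offline (all names/addresses are made up).
# Forward lookups feed fast rules, resolved once when the rules are loaded; the reverse table
# is what a slow rule consults at connect time.
FAKE_DNS = {"dialup-555-1212.pa.example.net": ["203.0.113.7", "203.0.113.8"]}
FAKE_REVERSE_DNS = {"198.51.100.23": "bot.script-kiddiez.org",
                    "203.0.113.7": "dialup-555-1212.pa.example.net"}


@dataclass
class Rule:
    kind: str                                  # "fast" (address/netmask) or "slow" (domain suffix)
    network: Optional[ipaddress.IPv4Network]   # set for fast rules
    suffix: Optional[str]                      # set for slow rules, e.g. ".script-kiddiez.org"
    local_addr: str                            # "*" or a server address
    local_port: str                            # "*" or a port number
    action: str                                # "allow" or "deny"
    protocols: frozenset                       # empty means any protocol matches


def _fast_networks(target, resolve):
    """Expand a fast-rule target into networks. Numeric targets take an optional netmask in
    CIDR (/16) or dotted-quad (/255.255.254.0) form; a hostname is resolved now, one rule per
    address. An asterisk anywhere but the head is literal and can never match a real name."""
    if "*" in target:
        return []
    try:
        return [ipaddress.ip_network(target, strict=False)]
    except ValueError:
        return [ipaddress.ip_network(a) for a in (resolve(target) or [])]


def parse_rules(text, resolve=FAKE_DNS.get):
    """One rule per line, '#' starts a comment, blank/comment-only lines are skipped, tokens
    are whitespace-separated in the order: target localAddress localPort action protocols."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if len(tokens) < 4:
            raise ValueError(f"line {lineno}: expected 'target localAddress localPort action [protocols]'")
        target, local_addr, local_port, action, *protocols = tokens
        if action not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: action must be allow or deny, not {action!r}")
        unknown = set(protocols) - KNOWN_PROTOCOLS
        if unknown:
            raise ValueError(f"line {lineno}: unknown protocol(s) {sorted(unknown)}")
        tail = dict(local_addr=local_addr, local_port=local_port, action=action,
                    protocols=frozenset(protocols))
        if target.startswith("*."):            # slow rule: suffix match on the client's name
            rules.append(Rule("slow", None, target[1:], **tail))
        else:                                  # fast rule: one Rule per resolved network
            for net in _fast_networks(target, resolve):
                rules.append(Rule("fast", net, None, **tail))
    return rules


def decide(rules, client_ip, local_addr, local_port, protocol, reverse=FAKE_REVERSE_DNS.get):
    """Evaluate rules in order; the first match decides, and no match means allow."""
    addr = ipaddress.ip_address(client_ip)
    client_host = None                         # looked up lazily, only if a slow rule is reached
    for rule in rules:
        if rule.local_addr != "*" and rule.local_addr != local_addr:
            continue
        if rule.local_port != "*" and rule.local_port != str(local_port):
            continue
        if rule.protocols and protocol not in rule.protocols:
            continue
        if rule.kind == "fast":
            if addr not in rule.network:
                continue
        else:
            if client_host is None:
                client_host = reverse(client_ip) or ""
            if not client_host.endswith(rule.suffix):
                continue
        return rule.action
    return "allow"


# Constructed rule set built from the page's own examples; LOCKDOWN_RULE is the page's
# "deny everything else" suggestion written out in full rule format (an assumption).
RULES_TEXT = """
dialup-555-1212.pa.example.net 127.0.0.1 7001 deny t3 t3s   # http(s) OK
192.168.81.0/255.255.254.0 127.0.0.1 8001 allow            # 23-bit netmask
192.168.0.0/16 127.0.0.1 8002 deny                         # like /255.255.0.0
*.script-kiddiez.org 127.0.0.1 7001 deny
"""
LOCKDOWN_RULE = "0.0.0.0/0 * * deny"

if __name__ == "__main__":
    for text in (RULES_TEXT, RULES_TEXT + LOCKDOWN_RULE):
        rules = parse_rules(text)
        print(len(rules), "rules:", decide(rules, "203.0.113.7", "127.0.0.1", 7001, "http"),
              decide(rules, "198.51.100.23", "127.0.0.1", 7002, "t3"))
```

Running the module shows the effect of the final catch-all: without it, an HTTP connection from the dial-up host on port 7001 and a t3 connection from the script-kiddiez host on an unlisted port both fall through to allow; with it, both are denied, while the earlier explicit allow for 192.168.80.0/23 on port 8001 still wins because it is evaluated first.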

MBean: weblogic.management.configuration.SecurityMBean

Attribute: ConnectionFilterRules

Default: null

Configurable: yes

Dynamic: yes

Readable: yes

Writable: yes
