Securing the JNDI with Admin Role in 11g

We need to go to the server and access the link for the jndi. The jndi tree will show up in a new window.

Check the default roles and policies
By default, everyone has access to the JNDI

Remove the role

And then add the admin role. This will enable only the Admin user to have access to the JNDI

If we try to access the JNDI now without the Admin credentails, we get the following exceptions

javax.naming.NoPermissionException: User <anonymous> does not have permission on
StringJndiName to perform modify operation. [Root exception is javax.naming.NoP
ermissionException: User <anonymous> does not have permission on StringJndiName
to perform modify operation.]
at weblogic.rjvm.ResponseImpl.unmarshalReturn(ResponseImpl.java:234)
at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef
.java:348)

4 comments

  1. Thanks for this post. We are trying something similar and we have some issues that we would appreciate whatever help you can provide.

    The problem is that even the admin credentials are provided, we are still unable to do the jndi lookup and gives the same error that you get for an anonymous user. We invoke JNDI from a standalone POJO class (which in turn is invoked by a Servlet) to lookup a JMS Queue. We have not propogated the Subject to weblogic i.e no call to weblogic.security.Security.runAs() has been made since we do not use the weblogic Security framework.

    Under these constraints is it still possible to protect the jndi tree?

    Thanks,
    Ram.

    1. Hi Ram,

      If you dont use the Weblogic Security Framework, then securing the JNDI from the weblogic console is not going to help.
      You will have to secure from the application code itself.

      Thanks,
      -Faisal

Leave a Reply