This post depicts a sample usage of Connection Filters in webLogic Server.
A connection filter allows the server to reject unwanted connections based on some filter criteria. For example, a connection filter would allow you to configure WebLogic to permit T3 or IIOP connections only from within your intranet, and reject any T3 or IIOP connection request from outside the intranet. So, connection filtering provides network-level access control.
WebLogic comes equipped with a default connection filter called
weblogic.security.net.ConnectionFilterImpl
that examines one or more connection filter rules defined in the Administration Console. Alternatively, you can create your own custom connection filter that evaluates the basis that incoming connections are accepted by the server.
Please follow the steps to configure the Connection Filter.
1. Login into to the console. Click on the Domain Name –> Security –> Filter .
2. Define the ConnectionFilter class.
You can use the default class : weblogic.security.net.ConnectionFilterImpl
3. Specify “Connection Filter Rules”.
You can specify any number of rules; each rule should be on a single line. The syntax for a connection filter rule is shown here:
target localAddress localPort action protocolList
Here are the definitions for the parameters of a connection filter rule:
- The target parameter specifies the client hosts that the rule must examine. We discuss its syntax later.
- The localAddress parameter refers to the server’s host address to which the client connects. If you specify an asterisk (*), this matches all local IP addresses.
- The localPort parameter indicates the server port to which the client connects. If you specify an asterisk (*), this matches all available ports.
- The action parameter indicates whether the rule should allow or reject the incoming connection request. It can take two possible values: allow or deny.
- Use the protocolList parameter to define a space-separated list of protocol names that should be matched. The protocol names can be: http, https, t3, t3s etc. If no protocols are listed, the rule checks for all protocols.
For Example:
www.abc.com 127.0.0.1 7001 deny t3 t3s http https
If you want to deny t3 t3s http https protocol access from www.abc.com to the local server.
Note: Restart the servers.
4. Testing the connection.
Open a command prompt, set the environment by running the setDomainEnv script.
Try to connect to the server from the machine that is denied the access to.
You would see the below exception on the client side.
javax.naming.CommunicationException [Root exception is java.net.ConnectException: t3://localhost:7001: Destination unreachable; nested exception is:
java.io.IOException: Login failed: Failed: [Socket:000445]Connection rejected, filter blocked Socket, weblogic.security.net.FilterException: [Security:090220]rule 1; No available router to destination]
The Connection Filter is properly configured now.
An entry in the config.xml file would like below.
<connection-filter>weblogic.security.net.ConnectionFilterImpl</connection-filter> <connection-filter-rule>localhost 127.0.0.1 7001 deny t3 t3s http https</connection-filter-rule>
For further reading:
http://download.oracle.com/docs/cd/E13222_01/wls/docs103/secmanage/domain.html#wp1174122
Cheers,
Wonders Team. 🙂
All this is related at domain level i.e. ip address get filtered at domain level and applicabel to all application hosted at this domain.
BUT how we can do ip address at application level so that all application will be accessible and ip filtering will be applicable for single application hosted at the same domain.
Let me know your thought. How we can do that. Is there any setting required at the server side.
we don’t have such a setting on WLS….
Thanks a lot!
I want to collaborate with some rules example.
========================================================
10.204.199.174 10.167.10.75 8001 deny t3 t3s http https
10.204.199.0/24 10.167.10.75 8001 allow t3 t3s http https
10.167.10.75 * * allow t3 t3s http https # Admin and Managed server 01
10.167.10.76 * * allow t3 t3s http https # Managed server 02
10.0.21.146 10.167.10.75 8001 allow t3 t3s http https # Allow request form Terminal server
0.0.0.0/0 * * deny # Deny all
========================================================
thanks for sharing alexis