WebLogic Connection Filters

This post shows a sample usage of Connection Filters in WebLogic Server.

A connection filter allows the server to reject unwanted connections based on some filter criteria. For example, a connection filter would allow you to configure WebLogic to permit T3 or IIOP connections only from within your intranet, and reject any T3 or IIOP connection request from outside the intranet. So, connection filtering provides network-level access control.

WebLogic comes equipped with a default connection filter called weblogic.security.net.ConnectionFilterImpl that examines one or more connection filter rules defined in the Administration Console. Alternatively, you can create your own custom connection filter that evaluates the basis on which incoming connections are accepted by the server.

Follow these steps to configure the connection filter.

1. Log in to the console. Click on the Domain Name -> Security -> Filter.


2. Define the ConnectionFilter class.

You can use the default class: weblogic.security.net.ConnectionFilterImpl

3. Specify “Connection Filter Rules”.


You can specify any number of rules; each rule should be on a single line. The syntax for a connection filter rule is shown here:

target localAddress localPort action protocolList

Here are the definitions for the parameters of a connection filter rule:

  • The target parameter specifies the client hosts that the rule must examine. We discuss its syntax later.
  • The localAddress parameter refers to the server’s host address to which the client connects. If you specify an asterisk (*), this matches all local IP addresses.
  • The localPort parameter indicates the server port to which the client connects. If you specify an asterisk (*), this matches all available ports.
  • The action parameter indicates whether the rule should allow or reject the incoming connection request. It can take two possible values: allow or deny.
  • Use the protocolList parameter to define a space-separated list of protocol names that should be matched. The protocol names can be: http, https, t3, t3s etc. If no protocols are listed, the rule checks for all protocols.

For example:

www.abc.com 127.0.0.1 7001 deny t3 t3s http https

This rule denies t3, t3s, http and https access from www.abc.com to the local server.

Note: Restart the servers.

4. Testing the connection.

Open a command prompt and set the environment by running the setDomainEnv script.

Try to connect to the server from the machine that is denied access.

You will see the following exception on the client side.

javax.naming.CommunicationException [Root exception is java.net.ConnectException: t3://localhost:7001: Destination unreachable; nested exception is:

java.io.IOException: Login failed: Failed: [Socket:000445]Connection rejected, filter blocked Socket, weblogic.security.net.FilterException: [Security:090220]rule 1; No available router to destination]

The Connection Filter is properly configured now.

The entry in the config.xml file would look like the following.

 

<connection-filter>weblogic.security.net.ConnectionFilterImpl</connection-filter>

<connection-filter-rule>localhost 127.0.0.1 7001 deny t3 t3s http https</connection-filter-rule>
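
A rule list can be checked offline before it is pasted into the console. The Python model below is an added example, not code from this post or from WebLogic: it parses the rule syntax described in step 3 and reports which rule decides a given connection. It assumes numeric targets only (an IP address or address/mask, no hostnames), rules evaluated top to bottom with the first match deciding, and a connection being permitted when no rule matches; the rule set and the names parse_rule and evaluate are constructed for illustration.

```python
import ipaddress

def parse_rule(line):
    """Parse 'target localAddress localPort action protocolList' ('#' starts a comment)."""
    fields = line.split("#", 1)[0].split()
    if len(fields) < 4 or fields[3] not in ("allow", "deny"):
        raise ValueError(f"malformed rule: {line!r}")
    return {
        # Assumption: numeric targets only; hostnames would need DNS and are not handled.
        "target": ipaddress.ip_network(fields[0], strict=False),
        "local_addr": fields[1],
        "local_port": fields[2],
        "action": fields[3],
        "protocols": set(fields[4:]),  # empty set: rule applies to all protocols
    }

def evaluate(rules_text, client_ip, local_addr, local_port, protocol):
    """Return (action, rule_number) for the first matching rule, else ("allow", None)."""
    client = ipaddress.ip_address(client_ip)
    lines = [l for l in rules_text.splitlines() if l.split("#", 1)[0].strip()]
    for number, line in enumerate(lines, start=1):
        rule = parse_rule(line)
        if (client in rule["target"]
                and rule["local_addr"] in ("*", local_addr)
                and rule["local_port"] in ("*", str(local_port))
                and (not rule["protocols"] or protocol in rule["protocols"])):
            return rule["action"], number
    return "allow", None  # assumption: unmatched connections are permitted

# Constructed sample rule set (documentation address ranges, not from the post).
RULES = """\
192.0.2.15   * 7001 deny  t3 t3s             # one blocked workstation
192.0.2.0/24 * 7001 allow t3 t3s http https  # intranet clients
0.0.0.0/0    * *    deny  t3 t3s             # no T3 from anywhere else
"""

if __name__ == "__main__":
    for ip, proto in [("192.0.2.15", "t3"), ("192.0.2.15", "http"),
                      ("192.0.2.20", "t3"), ("203.0.113.9", "t3s"),
                      ("203.0.113.9", "https")]:
        print(ip, proto, evaluate(RULES, ip, "10.0.0.5", 7001, proto))
```

In this constructed set, 192.0.2.15 is blocked only for t3 and t3s: its http request falls through to rule 2 and is allowed, which is the kind of gap a dry run makes visible.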

 

 

For further reading:

http://download.oracle.com/docs/cd/E13222_01/wls/docs103/secmanage/domain.html#wp1174122

 

Cheers,

Wonders Team. 🙂

 

4 comments

  1. All this is related to the domain level, i.e. IP addresses get filtered at the domain level and this is applicable to all applications hosted in this domain.

    But how can we do IP address filtering at the application level, so that all applications will be accessible and IP filtering will be applicable to a single application hosted in the same domain?

    Let me know your thoughts. How can we do that? Is there any setting required on the server side?

  2. Thanks a lot!
    I want to collaborate with some example rules.
    ========================================================
    10.204.199.174 10.167.10.75 8001 deny t3 t3s http https
    10.204.199.0/24 10.167.10.75 8001 allow t3 t3s http https
    10.167.10.75 * * allow t3 t3s http https # Admin and Managed server 01
    10.167.10.76 * * allow t3 t3s http https # Managed server 02
    10.0.21.146 10.167.10.75 8001 allow t3 t3s http https # Allow request from Terminal server
    0.0.0.0/0 * * deny # Deny all
    ========================================================
