This content has been marked as final. Show 4 replies
Security doesnt mean authentication only. There is authorization/rolemapping and adjudication involved as well.
You can secure your application by defining policies and role mapping either in the deployment descriptors or through console
But yes like other application servers Weblogic doesnt provide a way to target your application to a specific provider.
But you have the option to reorder your providers....
Thanks for your reply,
I know that security doesn't mean just a authentication, but what I'm trying to say is that after a while throw each application on web server I can be authenticated by same provider like the admin is.
I'm pretty sure our app will be secured enough but what about the admin console?
You said I had the option reorder ours providers, you are right.
For simplicity: Our customer have server with two apps. One is in our hand and second belong to another compeny. Both apps are secured by custom security provider (for example two indipendent e-shops, so we can't use same database for users, neither ldap)
On the server are three providers in this order:
MyCustomProvider, SecondsCompenyProvider, DefaultAuthenticator (for admin).
None of them can be REQUIRED => OPTIONAL / SUFFICIENT.
Now three scenarios can occure (we are trying to login to our app):
1) user fills in correct values for corresponding app => he is authenticated and pass role check. Everything is fine
2) user fills in incorrect values, he jumps back to login screen. Everything is fine again.
3) user fills in correct values but not for corresponding app.
what will happen in this case?
a) MyCustomProvider will fail => jump to next provider
b) SecondsCompenyProvider will fail => jump to next provider
c) DefaultAuthenticator - success but wrong roles => Error 403--Forbidden. Now user now, that somewhere on this server exist app with this values. In this case is just a question of time when the user will figure out which app belongs this user/pass, right?
Console isn't accesible from internet, but hacker still has almost unlimited time to figure out admin login and password (or just realy few possibilities) using previous scenario.
Am I right or Am I missing something?
I think your concerns are valid, please create an Oracle support request for this and share with us what Oracle has to say in this regards.
I've met with guys from oracle and they told me that only chance was to had another server before this one who would care about security ...