2 Replies Latest reply: Sep 9, 2013 9:23 PM by 947696

    Prevent direct access to WSDL

    947696

      Our ERP Application allows for us to create and expose webservices on weblogic.

       

      This webservice is now deployed on Weblogic Server 12c as a url http://servername01:7009/webservices/ournameWS?WSDL

      Our ERP Application allows the user to bring up https://ourapplication or if wanting to use a webservice type in http://servername01:7009/webservices/ournameWS?WSDL or go to one of the other servers http://servername02:7009/webservices/ournameWS?WSDL or even use the DNS name of http://ourapplication/webservices/ournameWS?WSDL

      Prevention: I am trying to prevent any user going directly to a cluster node for both the application and the webservice.  They must come through the F5 first.

      We don't wish to use firewall on our windows 2008 R2 servers but see if we can disable this through weblogic.

       

      I researched Connection Filters, and I am wondering if this is the option I should take.

       

      If anyone of you know of the way to prevent any access to Weblogic from clients and only allow connections through F5 server please advise.

       

      Our SSL Certificates are installed at the F5 so between the client and the weblogic this is secured and the traffic is routed from https to http.  I don't think adding SSL on weblogic will prevent the above either the user could still use https://servername01:7009/webservices/ournameWS?WSDL.   Do you guys agree here too?

       

      Any direction would be appreciated, if anyone has used connection filters or another way please provide any direction.

        • 1. Re: Prevent direct access to WSDL
          Faisal Khan

          If the clients are coming from outside the network then obviously the firewall rules will stop it accessing any other ports.

          Now, for internal clients who know the port number and hostname, connection filters are the best option.

           

          You can find step by step instructions here:

          http://weblogic-wonders.com/weblogic/2011/03/03/weblogic-connection-filters/


          Thanks,

          Faisal

          • 2. Re: Prevent direct access to WSDL
            947696

            I tried this and my weblogic decided not to like it and not actually come up so I couldn't log into my console.  I had to remove the lines in config.xml and then I could log into weblogic console.

             

            Any ideas what I configured incorrectly?  I access my weblogic admin http://16.XXX:7009/console    (The IP is longer just put XXX) for an example here.

             

              In the config.xml I see everything saved correctly, the 10.XXXX are my F5 servers and 16. is my Weblogic Server Admin

            <credential-encrypted>{AES}X61nMYXwJkSSSSSSSvqB9ceqh7ZOU5pdNesoY=</credential-encrypted>
            <web-app-files-case-insensitive>true</web-app-files-case-insensitive>
            <connection-filter>weblogic.security.net.connectionfilterimpl</connection-filter>
            <connection-filter-rule>10.XXXX.01 16.XXXX 7009 allow</connection-filter-rule>
            <connection-filter-rule>10.XXXX.02 16.XXXX 7009 allow</connection-filter-rule>
            <connection-filter-rule>10.XX.XX03 16.XXXX 7009 allow</connection-filter-rule>
            <connection-filter-rule>* 16.XXXX 7009 deny</connection-filter-rule>
            <connection-logger-enabled>true</connection-logger-enabled>
            <node-manager-password-encrypted>{AES}1h6QMgZ5z4VBCx9B0TwhIdSSSSSSSSSSSSSEyI=</node-manager-password-encrypted>
            </security-configuration>

             

            >

             

            ####<Sep 9, 2013 10:48:20 AM PDT> <Critical> <WebLogicServer> <XXXXXXXXE> <DEServer> <main> <<WLS Kernel>> <> <> <1378748900270> <BEA-000386> <Server subsystem failed. Reason: weblogic.utils.NestedRuntimeException: [Security:090467]problem with connection filter
            weblogic.utils.NestedRuntimeException: [Security:090467]problem with connection filter
                at weblogic.security.SecurityService.initializeConnectionFilter(SecurityService.java:356)
                at weblogic.security.SecurityService.start(SecurityService.java:137)
                at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
                at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
                at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
            Caused By: java.lang.ClassNotFoundException: weblogic.security.net.connectionfilterimpl
                at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
                at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
                at java.security.AccessController.doPrivileged(Native Method)
                at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
                at java.lang.ClassLoader.loadClass(ClassLoader.java:423)
                at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
                at java.lang.ClassLoader.loadClass(ClassLoader.java:356)
                at java.lang.Class.forName0(Native Method)
                at java.lang.Class.forName(Class.java:186)
                at weblogic.security.SecurityService.initializeConnectionFilter(SecurityService.java:351)
                at weblogic.security.SecurityService.start(SecurityService.java:137)
                at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
                at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
                at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
            >
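
An editorial example added after the thread, not code from either poster or from Oracle: a small Python model of the connection-filter settings discussed above. It checks the filter class name, which Java resolves case-sensitively (the trace reports `ClassNotFoundException` for the all-lowercase name), and evaluates `target localAddress localPort action [protocols]` rules in order with first-match semantics. All addresses are constructed placeholders, and `check_filter_class`, `parse_rule` and `decide` are hypothetical helper names that handle IP and CIDR targets only.

```python
import ipaddress

# Case-sensitive class name of WebLogic's default connection filter.
DEFAULT_FILTER = "weblogic.security.net.ConnectionFilterImpl"

def check_filter_class(name):
    """Return a problem description, or None if the name is the default filter."""
    if name == DEFAULT_FILTER:
        return None
    if name.lower() == DEFAULT_FILTER.lower():
        return "case mismatch: use " + DEFAULT_FILTER
    return "not the default filter; the class must be on the server classpath"

def parse_rule(rule):
    """Split 'target localAddress localPort action [protocols...]' into a dict."""
    parts = rule.split()
    if len(parts) < 4 or parts[3] not in ("allow", "deny"):
        raise ValueError("malformed rule: " + rule)
    return {
        # Simplification: hostname and *.domain targets are not modelled here.
        "target": ipaddress.ip_network(parts[0], strict=False),
        "local_addr": parts[1],
        "local_port": parts[2],
        "action": parts[3],
        "protocols": set(parts[4:]),  # empty set means every protocol
    }

def decide(rules, src_ip, local_addr, local_port, protocol="http"):
    """First matching rule wins; a connection that matches no rule is allowed."""
    src = ipaddress.ip_address(src_ip)
    for r in map(parse_rule, rules):
        if (src in r["target"]
                and r["local_addr"] in ("*", local_addr)
                and r["local_port"] in ("*", str(local_port))
                and (not r["protocols"] or protocol in r["protocols"])):
            return r["action"]
    return "allow"

# Constructed rules: 192.0.2.11-12 stand in for the F5 addresses,
# 198.51.100.20 for the WebLogic listen address.
RULES = [
    "192.0.2.11 198.51.100.20 7009 allow",
    "192.0.2.12 198.51.100.20 7009 allow",
    "0.0.0.0/0 198.51.100.20 7009 deny",
]

if __name__ == "__main__":
    print(check_filter_class("weblogic.security.net.connectionfilterimpl"))
    for src in ("192.0.2.11", "203.0.113.50"):  # F5 vs. a constructed workstation
        print(src, decide(RULES, src, "198.51.100.20", 7009))
```

Because the console is served on the same port the catch-all deny covers, a workstation that is not listed above that rule is refused as well, so an administrator's address needs its own allow rule placed before the deny.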