2 Replies Latest reply: Sep 9, 2013 7:23 PM by 947696

Prevent direct access to WSDL

947696 Newbie

Our ERP application allows us to create and expose web services on WebLogic.

This web service is now deployed on WebLogic Server 12c at the URL http://servername01:7009/webservices/ournameWS?WSDL

Our ERP application allows the user to bring up https://ourapplication or, if wanting to use a web service, type in http://servername01:7009/webservices/ournameWS?WSDL, go to one of the other servers at http://servername02:7009/webservices/ournameWS?WSDL, or even use the DNS name, http://ourapplication/webservices/ournameWS?WSDL

Prevention: I am trying to prevent any user from going directly to a cluster node for either the application or the web service. They must come through the F5 first.

We don't wish to use a firewall on our Windows 2008 R2 servers, but want to see if we can disable this through WebLogic.

I researched Connection Filters, and I am wondering if this is the option I should take.

If any of you know of a way to prevent any access to WebLogic from clients and only allow connections through the F5 server, please advise.

Our SSL certificates are installed at the F5, so between the client and the WebLogic this is secured and the traffic is routed from https to http. I don't think adding SSL on WebLogic will prevent the above either; the user could still use https://servername01:7009/webservices/ournameWS?WSDL. Do you guys agree here too?

Any direction would be appreciated; if anyone has used connection filters or another way, please provide any direction.

  • 1. Re: Prevent direct access to WSDL
    Faisal Khan Expert

    If the clients are coming from outside the network, then obviously the firewall rules will stop them accessing any other ports.

    Now, for internal clients who know the port number and hostname, connection filters are the best option.

    You can find step-by-step instructions here:

    http://weblogic-wonders.com/weblogic/2011/03/03/weblogic-connection-filters/

    Thanks,

    Faisal

  • 2. Re: Prevent direct access to WSDL
    947696 Newbie

    I tried this and my WebLogic decided not to like it and did not actually come up, so I couldn't log into my console. I had to remove the lines in config.xml and then I could log into the WebLogic console.

    Any ideas what I configured incorrectly? I access my WebLogic admin at http://16.XXX:7009/console (the IP is longer; I just put XXX as an example here).

    In the config.xml I see everything saved correctly; the 10.XXXX are my F5 servers and 16. is my WebLogic Server Admin:

    <credential-encrypted>{AES}X61nMYXwJkSSSSSSSvqB9ceqh7ZOU5pdNesoY=</credential-encrypted>
    <web-app-files-case-insensitive>true</web-app-files-case-insensitive>
    <connection-filter>weblogic.security.net.connectionfilterimpl</connection-filter>
    <connection-filter-rule>10.XXXX.01 16.XXXX 7009 allow</connection-filter-rule>
    <connection-filter-rule>10.XXXX.02 16.XXXX 7009 allow</connection-filter-rule>
    <connection-filter-rule>10.XX.XX03 16.XXXX 7009 allow</connection-filter-rule>
    <connection-filter-rule>* 16.XXXX 7009 deny</connection-filter-rule>
    <connection-logger-enabled>true</connection-logger-enabled>
    <node-manager-password-encrypted>{AES}1h6QMgZ5z4VBCx9B0TwhIdSSSSSSSSSSSSSEyI=</node-manager-password-encrypted>
    </security-configuration>

     

    >

     

    ####<Sep 9, 2013 10:48:20 AM PDT> <Critical> <WebLogicServer> <XXXXXXXXE> <DEServer> <main> <<WLS Kernel>> <> <> <1378748900270> <BEA-000386> <Server subsystem failed. Reason: weblogic.utils.NestedRuntimeException: [Security:090467]problem with connection filter
    weblogic.utils.NestedRuntimeException: [Security:090467]problem with connection filter
        at weblogic.security.SecurityService.initializeConnectionFilter(SecurityService.java:356)
        at weblogic.security.SecurityService.start(SecurityService.java:137)
        at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
        at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
        at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
    Caused By: java.lang.ClassNotFoundException: weblogic.security.net.connectionfilterimpl
        at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
        at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:423)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:356)
        at java.lang.Class.forName0(Native Method)
        at java.lang.Class.forName(Class.java:186)
        at weblogic.security.SecurityService.initializeConnectionFilter(SecurityService.java:351)
        at weblogic.security.SecurityService.start(SecurityService.java:137)
        at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
        at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
        at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)

    >
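
A pre-restart check for the failure in the log above, as an added example that is not part of the original thread or of WebLogic itself: the `ClassNotFoundException` names `weblogic.security.net.connectionfilterimpl`, while WebLogic's default filter class is `weblogic.security.net.ConnectionFilterImpl` and Java class names are case-sensitive. The sketch flags that mismatch and then applies the documented rule semantics (rules evaluated in order, first match wins, a connection matching no rule is permitted) to show which clients a rule set leaves open. Assumptions: all function names are hypothetical, the sample addresses are constructed placeholders, targets are numeric IPs or CIDR only, and the optional protocol list is ignored.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Class name of WebLogic's default filter; Java class names are case-sensitive.
DEFAULT_FILTER = "weblogic.security.net.ConnectionFilterImpl"

# Constructed sample; every address is a placeholder, not a value from the thread.
SAMPLE = """<security-configuration>
  <connection-filter>weblogic.security.net.connectionfilterimpl</connection-filter>
  <connection-filter-rule>10.0.0.1 192.0.2.10 7009 allow</connection-filter-rule>
  <connection-filter-rule>10.0.0.2 192.0.2.10 7009 allow</connection-filter-rule>
  <connection-filter-rule>0.0.0.0/0 192.0.2.10 7009 deny</connection-filter-rule>
</security-configuration>"""

def load(xml_text):
    """Return (filter class, [rule strings]); element namespaces are ignored."""
    cls, rules = None, []
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]
        if tag == "connection-filter":
            cls = (el.text or "").strip()
        elif tag == "connection-filter-rule":
            rules.append((el.text or "").strip())
    return cls, rules

def check_filter_class(cls):
    """Flag a class name that differs from the default only by letter case."""
    if cls != DEFAULT_FILTER and cls.lower() == DEFAULT_FILTER.lower():
        return f"case mismatch: {cls!r} will not load, use {DEFAULT_FILTER!r}"
    return None

def parse_rule(text):
    """Split 'target localAddress localPort action [protocols...]'."""
    target, local, port, action = text.split()[:4]
    return ipaddress.ip_network(target, strict=False), local, port, action.lower()

def decide(rules, client, local, port):
    """First matching rule wins; a connection that matches no rule is allowed."""
    for net, r_local, r_port, action in map(parse_rule, rules):
        if (ipaddress.ip_address(client) in net
                and r_local in ("*", local) and r_port in ("*", str(port))):
            return action
    return "allow"

if __name__ == "__main__":
    cls, rules = load(SAMPLE)
    print(check_filter_class(cls))
    for client, port in [("10.0.0.1", 7009), ("172.16.5.9", 7009), ("172.16.5.9", 7010)]:
        print(client, port, decide(rules, client, "192.0.2.10", port))
```

The last case is allowed because the sample deny rule names only port 7009, so any other listen port on the same server is still reachable directly.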

     
