4 Replies Latest reply on Nov 1, 2012 10:20 AM by 523238

    WebLogic 10.3.x security problem

      I'm fascinated by possible security problem in WLS 10.3 in one realm with more then one provider.
      In my realm exists DefaultAuthenticator provider and own custom provider (based on database, but it doesn't matter).

      Now, I have one secured application with is supposed to be authenticated by custom provider. Both providers are set as OPTIONAL / SUFFICIENT.
      So, user / hacker can try some combination till he found user/password which can authenticate him, but the application don't let him go inside. So he can find user and password from another application or worst, even from weblogic console, because he knows that this user exists somewhere on the server.

      I know, I can (or must) set locking user after few bad tries, but here still exist chance to find out password to another application and for me, it looks like "security by obscurity" instead of real securing.
      My question is: Is there any chance to avoid compromise password by this way or not? At least separate weblogic console login from the others or better somehow assign one provider to one app (as was possible on OC4J)

      Thanks for your answers.
        • 1. Re: WebLogic 10.3.x security problem
          Faisal WebLogic Wonders
          Security doesnt mean authentication only. There is authorization/rolemapping and adjudication involved as well.
          You can secure your application by defining policies and role mapping either in the deployment descriptors or through console

          One example


          But yes like other application servers Weblogic doesnt provide a way to target your application to a specific provider.
          But you have the option to reorder your providers....
          • 2. Re: WebLogic 10.3.x security problem
            Thanks for your reply,
            I know that security doesn't mean just a authentication, but what I'm trying to say is that after a while throw each application on web server I can be authenticated by same provider like the admin is.
            I'm pretty sure our app will be secured enough but what about the admin console?

            You said I had the option reorder ours providers, you are right.

            For simplicity: Our customer have server with two apps. One is in our hand and second belong to another compeny. Both apps are secured by custom security provider (for example two indipendent e-shops, so we can't use same database for users, neither ldap)
            On the server are three providers in this order:
            MyCustomProvider, SecondsCompenyProvider, DefaultAuthenticator (for admin).

            None of them can be REQUIRED => OPTIONAL / SUFFICIENT.

            Now three scenarios can occure (we are trying to login to our app):
            1) user fills in correct values for corresponding app => he is authenticated and pass role check. Everything is fine

            2) user fills in incorrect values, he jumps back to login screen. Everything is fine again.

            3) user fills in correct values but not for corresponding app.
            what will happen in this case?
            a) MyCustomProvider will fail => jump to next provider
            b) SecondsCompenyProvider will fail => jump to next provider
            c) DefaultAuthenticator - success but wrong roles => Error 403--Forbidden. Now user now, that somewhere on this server exist app with this values. In this case is just a question of time when the user will figure out which app belongs this user/pass, right?

            Console isn't accesible from internet, but hacker still has almost unlimited time to figure out admin login and password (or just realy few possibilities) using previous scenario.

            Am I right or Am I missing something?
            • 3. Re: WebLogic 10.3.x security problem
              Faisal WebLogic Wonders
              I think your concerns are valid, please create an Oracle support request for this and share with us what Oracle has to say in this regards.

              • 4. Re: WebLogic 10.3.x security problem
                I've met with guys from oracle and they told me that only chance was to had another server before this one who would care about security ...