Thursday, August 2, 2012

WebLogic X509 Certificate Authentication

Securing Web Applications http://docs.oracle.com/cd/E14571_01/web.1111/e13711/thin_client.htm#i1044688

How to Set Up X509 Certificate Authentication for Oracle WebLogic Server http://www.oracle.com/technetwork/articles/damo-howto-091164.html

Installing and Configuring the Apache HTTP Server Plug-In
http://docs.oracle.com/cd/E14571_01/web.1111/e14395/apache.htm

The client certificate is sent by the WebLogic Apache plug-in to the backend server in the WL-Proxy-Client-Cert HTTP header.

in weblogic.xml

client-cert-proxy-enabled: the element's default value is true. When set to true, WebLogic Server passes identity certificates from the clients to the backend servers. Also, WebLogic Server is notified whether to honor or discard the incoming WL-Proxy-Client-Cert header. A proxy-server plug-in encodes each identity certificate in the WL-Proxy-Client-Cert header and passes it to the backend WebLogic Server instances. Each WebLogic Server instance takes the certificate information from the header, ensures it came from a secure source, and uses that information to authenticate the user. For the backend WebLogic Server instances, this parameter must be set to true (either at the cluster/server level or at the Web application level). If you set this element to true, use a weblogic.security.net.ConnectionFilter to ensure that each WebLogic Server instance accepts connections only from the machine on which the proxy-server plug-in is running. If you specify true without using a connection filter, a potential security vulnerability is created, because the WL-Proxy-Client-Cert header can be spoofed.
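An example of the connection filter the paragraph above calls for, added here and not taken from the Oracle documentation or from the original post: it implements weblogic.security.net.ConnectionFilter and rejects HTTP/HTTPS connections that do not originate from the plug-in host, so that a client talking to WebLogic directly cannot supply its own WL-Proxy-Client-Cert header. The class name and the proxy address 10.0.0.5 are placeholders to replace; the interface and the ConnectionEvent accessors used are WebLogic's own.

```java
package example.security; // placeholder package name

import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import weblogic.security.net.ConnectionEvent;
import weblogic.security.net.ConnectionFilter;
import weblogic.security.net.FilterException;

/**
 * Lets HTTP/HTTPS connections through only when they come from the host
 * running the Apache plug-in. Because the backend trusts the
 * WL-Proxy-Client-Cert header when client-cert-proxy-enabled is true, any
 * other host that can open an HTTP connection could otherwise assert an
 * arbitrary certificate identity.
 */
public class ProxyOnlyConnectionFilter implements ConnectionFilter {

    // Placeholder: the real address(es) of the plug-in host(s).
    private static final String[] PROXY_HOSTS = { "10.0.0.5" };

    private final Set<InetAddress> allowedProxies = new HashSet<InetAddress>();

    public ProxyOnlyConnectionFilter() {
        for (String host : PROXY_HOSTS) {
            try {
                allowedProxies.addAll(Arrays.asList(InetAddress.getAllByName(host)));
            } catch (UnknownHostException e) {
                // Fail closed: a filter that cannot resolve its allow-list must
                // not silently accept everything.
                throw new IllegalStateException("cannot resolve proxy host " + host, e);
            }
        }
    }

    /**
     * Called by the server for every new connection; throwing FilterException
     * closes the connection before any HTTP request is read.
     */
    public void accept(ConnectionEvent evt) throws FilterException {
        String protocol = evt.getProtocol();
        // Only the HTTP listeners carry the proxied certificate header. Other
        // protocols (t3, iiop, ...) are not restricted by this filter.
        if (!"http".equalsIgnoreCase(protocol) && !"https".equalsIgnoreCase(protocol)) {
            return;
        }
        InetAddress remote = evt.getRemoteAddress();
        if (!allowedProxies.contains(remote)) {
            throw new FilterException("HTTP connection from " + remote.getHostAddress()
                    + " rejected: only the plug-in host may reach this listener");
        }
    }
}
```

The compiled class goes on the server classpath and is registered in the Administration Console on the domain's Security > Filter page (Connection Filter). The same restriction can be expressed without custom code using the built-in weblogic.security.net.ConnectionFilterImpl with rules of the form `target localAddress localPort action protocols`, for example `10.0.0.5 * * allow http https` followed by `0.0.0.0/0 * * deny http https`. The weblogic.xml element itself is `<wls:client-cert-proxy-enabled>true</wls:client-cert-proxy-enabled>` inside `<wls:container-descriptor>`.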

web.xml http://docs.oracle.com/cd/E23943_01/web.1111/e13712/web_xml.htm

<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Faces Servlet</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <!-- only principals holding the AppUser role may reach the application -->
      <role-name>AppUser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <!-- CLIENT-CERT: the user is identified by the X.509 certificate, either
         presented on a WebLogic SSL listener or forwarded by the plug-in in
         the WL-Proxy-Client-Cert header -->
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>NoSuchRealm</realm-name>
  </login-config>
  <security-role>
    <role-name>AppUser</role-name>
  </security-role>
</web-app>
weblogic.xml http://docs.oracle.com/cd/E14571_01/web.1111/e13712/weblogic_xml.htm

    <!-- grants the AppUser role declared in web.xml to the user or group named AppUsers -->
    <wls:security-role-assignment>
        <wls:role-name>AppUser</wls:role-name>
        <wls:principal-name>AppUsers</wls:principal-name>
    </wls:security-role-assignment>

5 comments:

  1. Hi,
    Great information. As a person starting out, I find this information very useful, glad I stumbled upon your site. Great stuff, would love it if you created a whole course on this subject.

    Certificate Authentication

  2. Hi,
    This post is really nice and informative. The explanation given is really comprehensive and informative. I am feeling happy to comment on this post.
    Authentication Certificate

  3. Excellent blog you’ve got here. It’s difficult to find high-quality writing like yours nowadays. I really appreciate individuals like you! Take care!! Please check out my site.
    unblock web proxy
