Several WebLogic components, such as EJBs, Datasources and Queues, are accessed through JNDI lookups. In default WebLogic configurations, the JNDI tree can be accessed without any kind of authentication. This is far from ideal, because any process, inside or outside the WebLogic container, is capable of invoking these components. Only Datasources have an extra layer of security: they can be used remotely only after activating the property “weblogic.jdbc.remoteEnabled”.
In this blog entry I will show not only how to secure the JNDI tree but also what this means for the development of components such as Session EJBs, Message Driven Beans and external frameworks.
1. Securing the JNDI tree lookups
In WebLogic it is possible to secure a single JNDI address, a group of addresses or the whole JNDI tree. There are two ways to do this: with the administration console and with WLST.
1.1 Administration Console
- In Environment -> Servers -> admin_server -> View JNDI Tree
- Security -> Policies -> Add Conditions
- User -> Next
- Add User -> Add -> Finish
- Select everyone -> Remove
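To confirm the policy took effect, the following check (an added example, not code from the original article) attempts the same lookup anonymously and as the permitted user. The server URL, the JNDI name and the WLS_USER / WLS_PASSWORD environment variables are assumptions, and a WebLogic client library must be on the classpath.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.naming.NoPermissionException;

/** Checks that a JNDI policy blocks anonymous lookups and still admits the permitted user. */
public class JndiPolicyCheck {
    // Assumed values: replace with your own server URL and a JNDI name covered by the policy.
    static final String URL = "t3://localhost:7001";
    static final String JNDI_NAME = "jms/ExampleQueue";

    /** Builds the JNDI environment; a null user means an anonymous connection. */
    static Hashtable<String, String> env(String user, String password) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
        env.put(Context.PROVIDER_URL, URL);
        if (user != null) {
            env.put(Context.SECURITY_PRINCIPAL, user);
            env.put(Context.SECURITY_CREDENTIALS, password);
        }
        return env;
    }

    /** Returns true if the lookup is allowed, false if the policy rejects it. */
    static boolean canLookup(String user, String password) throws NamingException {
        Context ctx = new InitialContext(env(user, password));
        try {
            ctx.lookup(JNDI_NAME);
            return true;
        } catch (NoPermissionException denied) {
            return false; // the security policy refused this principal
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // Credentials are read from the environment, never hard-coded.
        String user = System.getenv("WLS_USER");
        String password = System.getenv("WLS_PASSWORD");
        boolean anonymous = canLookup(null, null);
        boolean authenticated = canLookup(user, password);
        System.out.println("anonymous lookup allowed:     " + anonymous);
        System.out.println("authenticated lookup allowed: " + authenticated);
        // Exit non-zero when the policy is not enforced as intended.
        System.exit(!anonymous && authenticated ? 0 : 1);
    }
}
```

The same environment properties (principal and credentials) are what any remote client of a secured EJB or Queue has to supply once the anonymous policy is removed.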