I have discovered an issue in my security configuration in WebLogic 12c. Developers can get resources from production by doing:

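    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.InitialContext;
    import javax.sql.DataSource;

    InitialContext ic = new InitialContext();
    Hashtable<String, String> h = new Hashtable<String, String>(7);
    h.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
    h.put(Context.PROVIDER_URL, "t3://ip_server:7003");

    // Remote lookup over t3; no credentials are supplied in the environment
    InitialContext context = new InitialContext(h);
    DataSource dataSource = (javax.sql.DataSource) context.lookup("jdbc/name");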

I would like to set a password for these kinds of remote lookups. At the same time, I don't want to impact the local applications running in the server and injecting JNDI resources from the server just by doing:

    InitialContext ic = new InitialContext();
    Resource r = (Resource) ic.lookup("jndi/name");

Daniel Hernández

1 Answer

Since all requests run through the Security Providers of WebLogic, you could implement your own Authorization Provider to restrict this kind of access.

Article from Oracle about developing your own security providers: http://docs.oracle.com/middleware/1213/wls/DEVSP/atz.htm#DEVSP301

Slettal