
Weblogic security: coping URL into other tab

November 30
Hi,
We have two Weblogic servers at two physically different locations.
The first of them, WLS A, has perfect security. When you log in to any application that is deployed on it, and try to:
- copy the URL into another tab or browser window, you get returned to the login page
- close the browser (without logout) and start the application from history, you get the login page again
So the URL that you have when you enter the application is absolutely useless. Closing the browser, or the tab with the application, has practically the same meaning as logout.
The second of them, WLS B, does not have that security. When you log in to any application that is deployed on it, and:
- copy the URL into another tab or browser window, you get the application without needing to log in! So that URL can be very dangerous, because it is possible to misuse it if the user doesn't log out
- close the browser without logout: it is possible to find the URL in history and go back into the application without login!
It is obvious that the problem is some setting on the Weblogic server. We tried to compare the settings on WLS A and WLS B but have not found the setting that we are searching for. The programmer who found and set that property on WLS A no longer works at our company.
Can anybody help? We will be very grateful!
Thanks,
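The two symptoms described in the question (the URL works when pasted into another tab, and the application can be re-entered from history after the browser is closed) show up in two observable properties of an application's session handling: whether the session id travels in the URL (WebLogic's URL rewriting appends a ;jsessionid= path parameter) and whether the session cookie is persistent (carries Max-Age or Expires) rather than living only until the browser closes. The checker below is an added example, not part of this thread and not a WebLogic setting; it only reports those properties from captured response headers and URLs. It assumes WebLogic's default JSESSIONID cookie name, and the headers and URLs it runs on are constructed, not taken from the poster's servers.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# WebLogic's default session cookie name (assumed; it is configurable per application)
SESSION_COOKIE = "JSESSIONID"


def session_cookie_attrs(set_cookie_headers):
    """Return the session cookie's attributes from a list of Set-Cookie values,
    or None when no session cookie was issued."""
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        if SESSION_COOKIE in jar:
            morsel = jar[SESSION_COOKIE]
            # Flags such as HttpOnly/Secure parse as True; absent attributes are ''
            return {k: v for k, v in morsel.items() if v}
    return None


def session_in_url(url):
    """True when the session id rides along as a ;jsessionid= path parameter,
    i.e. the URL itself acts as a credential that can be copied or read from history."""
    return ";jsessionid=" in urlsplit(url).path.lower()


def assess(set_cookie_headers, url):
    """Summarise how a session could be resumed outside the original tab."""
    findings = {"session_in_url": session_in_url(url)}
    attrs = session_cookie_attrs(set_cookie_headers)
    if attrs is None:
        findings["cookie_present"] = False
        return findings
    findings["cookie_present"] = True
    # A cookie with Max-Age/Expires is written to disk and survives closing the
    # browser; without them the browser discards it when the browser session ends.
    findings["persistent"] = bool(attrs.get("max-age") or attrs.get("expires"))
    findings["httponly"] = bool(attrs.get("httponly"))
    findings["secure"] = bool(attrs.get("secure"))
    return findings


# Constructed sample responses, not captured from the poster's servers
WLS_A_HEADERS = ["JSESSIONID=constructedA; Path=/app; HttpOnly; Secure"]
WLS_A_URL = "https://wls-a.example/app/home.do"
WLS_B_HEADERS = ["JSESSIONID=constructedB; Path=/app; Max-Age=86400"]
WLS_B_URL = "https://wls-b.example/app/home.do;jsessionid=constructedB"

if __name__ == "__main__":
    print("WLS A:", assess(WLS_A_HEADERS, WLS_A_URL))
    print("WLS B:", assess(WLS_B_HEADERS, WLS_B_URL))
```

A persistent cookie or a session id in the URL does not by itself explain WLS A's behaviour, so treat the output as the starting point for comparing the two servers, not as the missing setting.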

Answers

Hi,
The authenticate method would take the user and the password details from the environment
(env) that is passed and after successful authentication would populate the subject with
the principals (i.e. the user, the groups the user belongs to, ...).
It should work with any user that is defined in the WLS not just weblogic/weblogic.
Do you have any other users defined and which group do they belong to?
Vimala
Khalid Rizvi wrote:
I am playing (learning) with weblogic.security.auth.login.UsernamePasswordLoginModule
as a LoginModule using JAAS based authentication. Surprisingly, the only userid
and password combination acceptable is uid=weblogic, pw=weblogic combination.
I went through and looked at the example code under
http://e-docs.bea.com/wls/docs70/security/cli_apps.html#1042212. I found that
the UsernamePasswordLoginModule.login calls into
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import weblogic.jndi.Environment;
import weblogic.security.auth.Authenticate;

if (url != null) {
    Environment env = new Environment();
    env.setProviderUrl(url);
    env.setSecurityPrincipal(username);
    env.setSecurityCredentials(password);
    try {
        Authenticate.authenticate(env, subject);
    } catch (LoginException e) {
        // authentication failed; subject stays unpopulated
    }
}
Seems like UsernamePasswordLoginModule is only a router, as it instantiates an
instance of Environment using the userid and password and passes this Environment
instance (env) to Authenticate.authenticate along with the empty Subject instance.
I read about that the Subject instance will be filled in with Principals by the
WL Server.
My questions are:
1. As Authenticate.authenticate is not passed the uid and pw, will it pick
those up from the env?
2. Why does it only accept uid=weblogic & pw=weblogic?
I would appreciate it if someone could point me in the right direction.
Khalid R. Rizvi
508-641-1192

Copyright (C) 2019 wisumpire.com, All Rights Reserved.