How do I protect WebLogic Server from security attacks from bogus clients using the WL-Proxy-Client-Cert header?

BEA WebLogic Questions and Answers

(Continued from previous question...)

How do I protect WebLogic Server from security attacks from bogus clients using the WL-Proxy-Client-Cert header?

The WL-Proxy-Client-Cert header can be spoofed (used) by any client which has direct access to WebLogic Server. WebLogic Server takes the certificate information from that header, trusting that is came from a secure source (the plug-in) and use that information to authenticate the user. In previous releases of WebLogic Server, the default behavior was to always trust that header. Now you need to explicitly define trust of the WL-Proxy-Client-Cert header. A new parameter clientCertProxy allows WebLogic Server to on the implicit trust of the certificate header. If you need an additional level of security, use a connection filter to limit all connections into WebLogic Server (therefore allowing WebLogic Server to only accept connections from the machine on which the plug-in is running).
The clientCertProxy parameter has been added to the HTTPClusterServlet and Web applications.
For the HTTPClusterServlet, add the parameter to the web.xml file as follows:
<context-param>
<param-name>clientCertProxy</param-name>
<param-value>true</param-value>
</context-param>

For Web applications, add the parameter to the web.xml file as follows:

ServletRequestImpl context-param
<context-param>
<param-name>weblogic.http.clientCertProxy</param-name>
<param-value>true</param-value>
</context-param>

You can also use this parameter in a cluster as follows:
<Cluster ClusterAddress="127.0.0.1" Name="MyCluster"
ClientCertProxyHeader="true"/>

(Continued on next question...)

Other Interview Questions

• What is BEA Weblogic?
• Which of the following statements are true regarding MDBs (Message Driven Beans) on version 6.0 of WebLogic App Server?
• Can I use a "native" two-tier driver for a browser applet?
• I'm using a WebLogic multitier driver in an applet as an interface to a DBMS ...
• I tried to run two of the applets in the examples directory of the distribution ...
• The two primary cluster services provided by WebLogic Server are?
• How do stubs work in a WebLogic Server cluster?
• What happens when a failure occurs and the stub cannot connect to a WebLogic Server instance?
• Why did my JDBC code throw a rollback SQLException?
• Must my bean-managed persistence mechanism use the WebLogic JTS driver?
• Why is there no polymorphic-type response from a create() or find() method?
• Must EJBs be homogeneously deployed across a cluster? Why?
• Which of the following are recommended practices to be performed in the ejbPassivate() method of a stateful session bean?
• While packaging the Web Application DefaultWebApp for deployment into the WebLogic server ...
• How do I set up my CLASSPATH?
• Why do I get the following exception when viewing the JNDI tree?
• When deploying a resource adapter (.rar) to WebLogic Server, are its classes placed in the WebLogic classpath?
• How is security handled in the WebLogic J2EE Connector Architecture?
• Can I enable requests to a JDBC connection pool for a database connection to wait until a connection is available?
• How do I use multibyte character sets with WebLogic jDriver for Informix?
• How do I connect to an SQL Server instance that is running on a machine with multiple instances of SQL Server 2000?
• Why does FOR UPDATE in Oracle 8 cause an ORA-01002 error?
• What causes an OCIW32.dll error?
• How do I use OS Authentication with WebLogic jDriver for Oracle and Connection Pools?
• What type of object is returned by ResultSet.getObject()?
• How do I limit the number of Oracle database connections generated by WebLogic Server?
• How do I call Oracle stored procedures that take no parameters?
• Why do I get unexpected characters from 8-bit character sets in WebLogic jDriver for Oracle?
• How do I learn what codesets are available in Oracle?
• How many deployment descriptor files does a CMP entity bean deployed on the WebLogic Server have?
• Why do I get an error while trying to retrieve the text for ORA-12705?
• Why do I run out of resources during updates with Oracle's database link?
• How do I prevent errors when running t3dbping?
• Why does executing the PreparedStatement class cause a "TRUNC fails: ORA-00932: inconsistent datatypes" error?
• Why am I getting an "ORA-01000: maximum open cursors exceeded" error, even though I closed all ResultSet, Statement, and Connection objects?
• An instance of stateful session EJB when accessed simultaneously from more than one clients on same VM results in RemoteException ...
• Are there C/C++ interfaces to WLS JMS?
• How do I start WLS and configure JMS?
• How do I configure JMS security?
• Can I still use the default connection factories supported in WebLogic Release 5.1?
• Why does JMSSession.createTopic or JMSSession.createQueue fail to create a destination in WLS JMS 6.1 (it worked in 5.1)?
• How do I programmatically get a list of Queues or Topics?
• How do I use a temporary destination?
• Can two JMS servers share the same persistent store?
• Which types of JDBC databases does WebLogic JMS support?
• How do I use a third-party JDBC driver with JMS?
• The Multicast TTL setting for a cluster in the WebLogic Admin console sets which of the following values?
• Which of the following algorithms is used by the WebLogic Server as the default load balancing strategy for ...
• How do I use persistence?
• How does a file store compare with a JDBC store?
• How do the WLS JMS 6.1 server/destination message maximum and threshold values work?
• How do I configure JDBC so that the JMS JDBC Store recovers automatically?
• Does WebLogic JMS support clustering?
• How do I do HTTP tunneling?
• Which of the following statements are true regarding the identity of two EJBs
• Why is my JMS work not part of a user transaction ....
• In the WebLogic server, if stateless session bean instances are getting frequently created and removed ...
• How can an application do a JMS operation and have it succeed, independent of the result of the transaction?
• What happens if acknowledge() is called within a transaction?
• Is it possible to set aside a message and acknowledge it later?
• How should I use sorted queues?
• Which of the following attributes in the Monitoring tab for a JDBC connection pool in the Administrative console ...
• The MaxPostTimeSecs attribute set in the Administration console under Servers or virtual hosts section corresponds ...
• How does sorting on message priority work?
• How do I get a thread dump to help track down a problem?
• How do I manage a queue to view and delete specific messages?
• Why do I get an exception when trying to find a connection factory?
• What precautions should I take when I use blocking receive() calls?
• What is the NO_ACKNOWLEDGE acknowledge mode used for?
• When should I use multicast subscribers?
• When should I use server session pools and connection consumers?
• How do I issue the close() method within an onMessage() method call and what are the semantics of the close() method?
• How do I publish an XML message?
• A client wants to preserve the reference to the EJBHome object of an enterprise bean instance ...
• Is it possible to send or receive a message from within a message listener?
• How do I create a producer pool?
• What are pending messages in the console?
• How do I use a less than or greater than on a message selector in ejb-jar.xml?
• Is it better to have more or fewer sessions for a given number of subscribers?
• Match the EJB functions given below with the functionality equivalent in SQL ...
• A client invokes a method on a stateful session bean instance deployed in the WebLogic Server ...
• Are foreign destinations handled within foreign JMS messages?
• What is the standard way to create threads, do initialization, etc. within the application server?
• How many messages are sent across the network for processing topic messages?
• What should an XPATH selector look like?
• How do I handle request/response using JMS?
• How do I put a message back on the queue for processing?
• Is it OK to add new sessions and subscribers to a Queue or Topic Connection once it has been started?
• What can I do when I get java.lang.OutOfMemoryError because producers are faster than consumers?
• Which of the following is NOT true about deploying EJBs in the WebLogic Server?
• How do I debug WebLogic Server using Visual Cafe 4.1?
• How can I avoid asynchronous message deadlocks?
• How does concurrency work for message-driven beans?
• Which of the following are valid relationships between JMS objects in the WebLogic Server?
• Can an MDB be a message producer or both a producer and consumer?
• Can you use a foreign JMS provider to drive an MDB transactionally?
• How do I use JTA transactions within an MDB?
• Why did the messaging bridge fail to connect to the source bridge destination?
• Can the messaging bridge handle two-phase or global transactions between separate WebLogic Server domains or between different releases?
• I configured the messaging bridge to use the Exactly-once quality of service for two-phase transactions. So why am I getting a "quality of service is unreachable" error?
• Can I configure the messaging bridge to automatically downgrade the quality of service ...
• When configuring a source or target messaging bridge destination, do I need to set the Adapter Classpath field?
• Can the messaging bridge forward durable subscription messages between separate WebLogic Server 6.1 and release 7.0 or later domains?
• How do I enable debugging for the messaging bridge?
• Which of the following is NOT true about the security implementation in the WebLogic Server?
• For EJB applications with bean-managed transaction demarcations ...
• Which of the following are true about the transaction support in the WebLogic server
• Which of the following programs can be created using the ZAC Publish Wizard tool?
• What do the messaging bridge monitoring states indicate on the Server -> Services ->Monitor -> Messaging Bridge Administration Console page?
• How do I configure WebLogic to use a SOCKS proxy?
• How does WebLogic support CORBA and client communication via IIOP?
• Can WebLogic Server start with a UNIX boot?
• Why do I get "NoClassDefFound"/"Too Many Open files"messages on Solaris? ...
• A stateful session bean implementing the SessionSynchronization interface is deployed on the WebLogic server ...
• The home of a Product CMP entity bean has a finder method, which returns an Enumeration of all the products ...
• Which is the only method defined in the javax.ejb.Handle interface?
• In CORBA, which of the following files generated by the "idltojava" compiler must be compiled before running the server application?
• Considering the code below, which of the lines of code...
• How do I increase WebLogic Server memory?
• What causes Java.io exceptions in the log file?
• Java-CORBA integration: RMI-IIOP or Java IDL?
• How do an RMI-IIOP application and an existing CORBA object interoperate?
• What is the function of T3 in WebLogic Server?
• How can I debug the Java code that I have running in WebLogic Server?
• How do I call a servlet with parameters in the URL?
• Which of the following are the benefits of MDB (Message Driven Beans) over standard JMS consumers?
• Which of the statements below is true for a web application using session management?
• How do I identify the document type of an XML document?
• Why can't I boot WebLogic Server when using the LDAP Security Realm?
• How can I run multiple instances of the same servlet class in the same WebLogic Server instance?
• How do I restrict access to servlets and JSPs?
• How do I protect WebLogic Server from security attacks from bogus clients using the WL-Proxy-Client-Cert header?
• Which XML parser comes with WebLogic Server 6.1?
• Can I use the getAttribute() and setAttribute() methods of Version 2.2 of the Java Servlet API to parse XML documents?
• How can I avoid ResourceExceptions when sending more requests for database connections from the pool than are currently available?
• How do I use Unicode codesets with the WebLogic jDriver for Oracle driver?
• How do I bind string values in a PreparedStatement?
• How do I look up an "ORA" SQLException?
• What is error "ORA-6502?"
• How can I control on which WebLogic Server(s) my application will run?
• How do I use a startup class to initialize and later reference JMS objects?