BEA Weblogic Question:
Download Questions PDF

How do I protect WebLogic Server from security attacks from bogus clients using the WL-Proxy-Client-Cert header?

Answer:

The WL-Proxy-Client-Cert header can be spoofed (used) by any client which has direct access to WebLogic Server. WebLogic Server takes the certificate information from that header, trusting that is came from a secure source (the plug-in) and use that information to authenticate the user. In previous releases of WebLogic Server, the default behavior was to always trust that header. Now you need to explicitly define trust of the WL-Proxy-Client-Cert header. A new parameter clientCertProxy allows WebLogic Server to on the implicit trust of the certificate header. If you need an additional level of security, use a connection filter to limit all connections into WebLogic Server (therefore allowing WebLogic Server to only accept connections from the machine on which the plug-in is running).
The clientCertProxy parameter has been added to the HTTPClusterServlet and Web applications.
For the HTTPClusterServlet, add the parameter to the web.xml file as follows:
<context-param>
<param-name>clientCertProxy</param-name>
<param-value>true</param-value>
</context-param>

For Web applications, add the parameter to the web.xml file as follows:

ServletRequestImpl context-param
<context-param>
<param-name>weblogic.http.clientCertProxy</param-name>
<param-value>true</param-value>
</context-param>

You can also use this parameter in a cluster as follows:
<Cluster ClusterAddress="127.0.0.1" Name="MyCluster"
ClientCertProxyHeader="true"/>

Download BEA Weblogic Interview Questions And Answers PDF

Previous QuestionNext Question
How can I run multiple instances of the same servlet class in the same WebLogic Server instance?Can I use the getAttribute() and setAttribute() methods of Version 2.2 of the Java Servlet API to parse XML documents?