Using the HTTP Publish-Subscribe Server 12-19
■ Section 12.5.4.2, Locking Down the Pub-Sub Server
12.5.4.1 Use AuthCookieEnabled to Access Resources
WebLogic Server allows a user to securely access HTTPS resources in a session that was initiated using HTTP, without loss of session data. To enable this feature, add AuthCookieEnabled=true to the WebServer element in config.xml:
<WebServer Name="myserver" AuthCookieEnabled="true"/>
Setting AuthCookieEnabled to true, which is the default setting, causes the WebLogic Server instance to send a new secure cookie, _WL_AUTHCOOKIE_JSESSIONID, to the browser when authenticating via an HTTPS connection. Once the secure cookie is set, the session is allowed to access other security-constrained HTTPS resources only if the cookie is sent from the browser.
Note: This feature will work even when cookies are disabled because WebLogic Server will use URL rewriting over secure connections to rewrite secure URLs in order to encode the authCookieID in the URL along with the JSESSIONID.
12.5.4.2 Locking Down the Pub-Sub Server
This section describes how to lock down the pub-sub server to prevent unauthorized access. The steps described here offer additional security at the cost of reduced access. It is up to you to decide which level of security is appropriate for your environment.
To lock down the pub-sub server, perform the following steps:
1. Configure SSL for pub-sub communication, as described in Section 12.5.3, Configure SSL for Pub-Sub Communication.
2. Require authentication (BASIC, FORM, and so forth). WebLogic Server sets the required authentication method for the Web application in the web.xml file. In the following example, HTTP BASIC authentication is required:
   <login-config>
     <auth-method>BASIC</auth-method>
     <realm-name>default</realm-name>
   </login-config>
3. Ensure auth-cookie is enabled for the Web applications, as described in Section 12.5.4.1, Use AuthCookieEnabled to Access Resources.
4. Ensure that all the channels are constrained in the weblogic-pubsub.xml file.
5. Lock subscribe operations, which are allowed by default.
   <wlps:channel-constraint>
     <wlps:channel-resource-collection>
       <wlps:channel-resource-name>publish</wlps:channel-resource-name>
       <wlps:description>publish channel constraint</wlps:description>
       <wlps:channel-pattern>/stock/**</wlps:channel-pattern>
       <wlps:channel-pattern>/management/publisher/**</wlps:channel-pattern>
       <wlps:channel-operation>publish</wlps:channel-operation>
     </wlps:channel-resource-collection>
     <wlps:auth-constraint>
       <wlps:description>publisher</wlps:description>
       <wlps:role-name>publisher</wlps:role-name>
     </wlps:auth-constraint>
   </wlps:channel-constraint>
   <wlps:channel-constraint>
     <wlps:channel-resource-collection>
       <wlps:channel-resource-name>subscribe</wlps:channel-resource-name>
       <wlps:description>subscribe channel constraint</wlps:description>
       <wlps:channel-pattern>/stock/**</wlps:channel-pattern>
       <wlps:channel-operation>subscribe</wlps:channel-operation>
     </wlps:channel-resource-collection>
     <wlps:auth-constraint>
       <wlps:description>subscriber</wlps:description>
       <wlps:role-name>subscriber</wlps:role-name>
     </wlps:auth-constraint>
   </wlps:channel-constraint>
12-20 Developing Web Applications, Servlets, and JSPs for Oracle WebLogic Server
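Steps 4 and 5 are easy to get wrong because an unconstrained operation is silently allowed. As an added example (not part of the Oracle documentation), the following script parses the wlps:channel-constraint elements of a weblogic-pubsub.xml and reports, for each concrete channel name you give it, which operations are still open because no role-protected constraint matches them. The embedded descriptor is constructed to mirror the listing above; its namespace URI is a placeholder, and the wildcard semantics ('*' matches one segment, '**' one or more) are an assumption, not taken from the page.

```python
import re
import xml.etree.ElementTree as ET

# Constructed descriptor mirroring the listing above; the namespace URI is a placeholder.
SAMPLE_PUBSUB_XML = """<wlps:weblogic-pubsub xmlns:wlps="urn:placeholder:wlps">
  <wlps:channel-constraint>
    <wlps:channel-resource-collection>
      <wlps:channel-pattern>/stock/**</wlps:channel-pattern>
      <wlps:channel-pattern>/management/publisher/**</wlps:channel-pattern>
      <wlps:channel-operation>publish</wlps:channel-operation>
    </wlps:channel-resource-collection>
    <wlps:auth-constraint><wlps:role-name>publisher</wlps:role-name></wlps:auth-constraint>
  </wlps:channel-constraint>
  <wlps:channel-constraint>
    <wlps:channel-resource-collection>
      <wlps:channel-pattern>/stock/**</wlps:channel-pattern>
      <wlps:channel-operation>subscribe</wlps:channel-operation>
    </wlps:channel-resource-collection>
    <wlps:auth-constraint><wlps:role-name>subscriber</wlps:role-name></wlps:auth-constraint>
  </wlps:channel-constraint>
</wlps:weblogic-pubsub>"""

def local_name(tag):
    """Strip the namespace so the check works whatever prefix or URI the descriptor uses."""
    return tag.rsplit("}", 1)[-1]

def child_texts(elem, name):
    """Text of every descendant of `elem` whose local name is `name`."""
    return [(e.text or "").strip() for e in elem.iter() if local_name(e.tag) == name]

def pattern_matches(pattern, channel):
    """Assumed Bayeux-style wildcards: '*' = one segment, '**' = one or more segments."""
    regex = re.escape(pattern).replace(r"/\*\*", "(/[^/]+)+").replace(r"\*", "[^/]+")
    return re.fullmatch(regex, channel) is not None

def open_operations(xml_text, channel):
    """Operations on `channel` that no role-protected channel-constraint covers."""
    covered = set()
    for cc in ET.fromstring(xml_text).iter():
        if local_name(cc.tag) != "channel-constraint":
            continue
        # A constraint with no role-name demands no authentication, so it locks nothing.
        if child_texts(cc, "role-name") and any(
                pattern_matches(p, channel) for p in child_texts(cc, "channel-pattern")):
            covered.update(child_texts(cc, "channel-operation"))
    return sorted({"publish", "subscribe"} - covered)

def audit(xml_text, channels):
    """Map each concrete channel name to the operations still open on it."""
    return {ch: open_operations(xml_text, ch) for ch in channels}
```

Run audit() over the channel names your application actually uses; any channel that reports an open subscribe operation is one that step 5 has not yet locked.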
12.6 Advanced Topic: Using JMS as a Provider to Enable Cluster Support
Pub-sub server applications can run in a WebLogic Server clustered environment so as to provide scalability and server failover. However, pub-sub applications behave differently depending on whether the published messages are handled by the pub-sub server itself or by a JMS provider. In the default non-JMS case, the pub-sub server handles all messages, and each instance of the pub-sub server on each node of the cluster is independent and isolated. This means that event messages cannot be shared between different server instances. For example, if a client subscribes to channel chat on node A of the cluster, it cannot receive messages published to channel chat on node B of the cluster.
If, for a given channel, you want all messages published to all nodes of a cluster to be shareable by all clients subscribed to the channel, then you must configure the channel for JMS. You do this by updating the appropriate wlps:channel element in the weblogic-pubsub.xml deployment descriptor of your application.
When a client publishes a message to a JMS-configured channel, the pub-sub server re-sends the message to a JMS topic. JMS message listeners running on each node of the cluster retrieve the messages from the JMS topics and then deliver them to the subscribed clients on their node.
12.6.1 Configuring JMS as a Handler
You configure JMS as the message handler for an application in the weblogic-pubsub.xml deployment descriptor of the pub-sub server.
First, you declare the configuration of the JMS handler using the wlps:jms-handler-mapping child element of the root wlps:weblogic-pubsub element. This is where you specify the URL of the JMS provider, the connection factory JNDI name, and the JMS topic JNDI name. Then you configure a specific channel to be a JMS channel by adding a wlps:jms-handler-name child element to its wlps:channel element.
The following example shows how to configure a JMS handler and channel in the weblogic-pubsub.xml deployment descriptor; only the relevant elements are shown. See the text after the example for an explanation.