
13-6 Securing Oracle WebLogic Server

deny access, simply enter the connection filter rules in the WebLogic Administration Console. You can also use a custom connection filter by implementing the classes in the weblogic.security.net package. For information about writing a connection filter, see Using Network Connection Filters in Programming Security for Oracle WebLogic Server. Like the default connection filter, custom connection filters are configured in the WebLogic Administration Console.

To configure a connection filter:

1. Enable the logging of accepted connections. The Connection Logger Enabled option logs successful connections and connection data in the server. This information can be used to debug problems relating to server connections.

2. Choose which connection filter is to be used in the domain.
■ To configure the default connection filter, specify weblogic.security.net.ConnectionFilterImpl in Connection Filter.
■ To configure a custom connection filter, specify the class that implements the network connection filter in Connection Filter. This class must also be on the CLASSPATH of WebLogic Server.

3. Enter the connection filter rules.

For more information:
■ See Configure connection filtering in the Oracle WebLogic Server Administration Console Help.
■ For information about connection filter rules and writing a custom connection filter, see Using Network Connection Filters and Developing Custom Connection Filters in Programming Security for Oracle WebLogic Server.
■ You can also use the WebLogic Scripting Tool (WLST) or Java Management Extensions (JMX) APIs to create a new security configuration.
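The three steps above can be scripted with WLST, because all three settings are attributes of SecurityConfigurationMBean. The following WLST (Jython) script is an added example and is not code from the Oracle documentation; the Administration Server URL, the credentials, and the network ranges in the rules are assumed placeholders. It configures the default filter with connection logging enabled and a rule set that ends in an explicit catch-all deny, so anything not listed is refused regardless of the filter's implicit default.

```jython
# Added example (not from the Oracle documentation): configure the default
# connection filter with WLST. URL, credentials and addresses are assumptions.
import jarray
from java.lang import String

ADMIN_URL  = 't3://adminhost.example.com:7001'   # assumed
ADMIN_USER = 'weblogic'                          # assumed
ADMIN_PASS = 'changeit'                          # assumed; prefer a userConfigFile/userKeyFile pair

# Rule syntax: target localAddress localPort action [protocols...]
# Rules are evaluated in order and the first match wins, so the catch-all
# deny goes last. Include the address you administer from (here the local
# loopback), or activating the rules can cut off your own WLST session.
FILTER_RULES = [
    '10.10.0.0/255.255.0.0 * 7001 allow t3 t3s',   # assumed app tier: t3/t3s on the admin port
    '10.20.0.0/255.255.0.0 * * allow http https',  # assumed load balancers: HTTP(S) only
    '127.0.0.1 * * allow',                         # local management
    '* * * deny',                                  # everything else, including t3 from outside
]

connect(ADMIN_USER, ADMIN_PASS, ADMIN_URL)
edit()
startEdit()
cd('/SecurityConfiguration/' + domainName)

cmo.setConnectionLoggerEnabled(true)                                   # step 1: log accepted connections
cmo.setConnectionFilter('weblogic.security.net.ConnectionFilterImpl')  # step 2: the default filter
set('ConnectionFilterRules', jarray.array(FILTER_RULES, String))       # step 3: the rules

save()
activate(block='true')

# Read back what was applied so a mistyped rule is noticed before logging out.
print 'ConnectionFilter       :', get('ConnectionFilter')
print 'ConnectionLoggerEnabled:', get('ConnectionLoggerEnabled')
for rule in get('ConnectionFilterRules'):
    print '  rule:', rule
disconnect()
```

Run it with wlst.sh (or wlst.cmd) and watch the server log for the connection-logger entries of a client in each address range: a client that is expected to be allowed and is instead logged as rejected usually means the address mask or protocol list in its rule is wrong.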

13.4 Using the Java Authorization Contract for Containers

The Java Authorization Contract for Containers (JACC) standard can replace the EJB and servlet container deployment and authorization provided by WebLogic Server. When you configure a WebLogic domain to use JACC, EJB and servlet authorization decisions are made by the classes in the JACC framework. All other authorization decisions within WebLogic Server are still determined by the WebLogic Security Framework. For information about the WebLogic JACC provider, see Using the Java Authorization Contract for Containers in Programming Security for Oracle WebLogic Server.

You configure WebLogic Server to use JACC with a command-line start option. For more information, see the description of the -Djava.security.manager option in the weblogic.Server Command-Line Reference in Command Reference for Oracle WebLogic Server.

Note that an Administration Server and all Managed Servers in a domain need to have the same JACC configuration. If you change the JACC setting on the Administration Server, shut down the Managed Servers and restart them with the same settings as the Administration Server; otherwise you create a security vulnerability. It may appear that EJBs and servlets in your domain are protected by WebLogic Security Framework roles and policies, when in fact the Managed Servers are still operating under JACC, and the roles and policies you see in the Administration Console are not what the Managed Servers enforce.

Configuring Security for a WebLogic Domain 13-7
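Because JACC is selected by JVM start options rather than by a domain attribute, the consistency the note above requires is easy to lose. The following WLST (Jython) script is an added example, not code from the Oracle documentation; the URL and credentials are assumed, and EXPECT_JACC is an assumption that must match how the Administration Server was actually started. It checks every server's Node Manager start arguments for the two system properties the JACC specification defines (javax.security.jacc.policy.provider and javax.security.jacc.PolicyConfigurationFactory.provider) and reports servers that disagree. Servers started from a script rather than by Node Manager do not carry their JVM flags in ServerStart, so for those check the start script or the running JVM's command line instead.

```jython
# Added example (not from the Oracle documentation): flag Managed Servers whose
# Node Manager start arguments do not match the JACC setting you expect.
# URL, credentials and EXPECT_JACC are assumptions.
ADMIN_URL   = 't3://adminhost.example.com:7001'   # assumed
ADMIN_USER  = 'weblogic'                          # assumed
ADMIN_PASS  = 'changeit'                          # assumed
EXPECT_JACC = True   # assumed: the Administration Server was started with JACC enabled

# System properties defined by the JACC specification; both must be present
# for a server to be running under a JACC provider.
JACC_MARKERS = ['javax.security.jacc.policy.provider',
                'javax.security.jacc.PolicyConfigurationFactory.provider']

def usesJacc(arguments):
    # ServerStart.Arguments may be None when nothing has been configured.
    arguments = arguments or ''
    found = [m for m in JACC_MARKERS if m in arguments]
    return len(found) == len(JACC_MARKERS)

connect(ADMIN_USER, ADMIN_PASS, ADMIN_URL)
domainConfig()
cd('/')
adminName = cmo.getAdminServerName()
mismatched = []
for server in cmo.getServers():
    name = server.getName()
    if name == adminName:
        continue   # the Administration Server's own flags are what EXPECT_JACC describes
    jacc = usesJacc(server.getServerStart().getArguments())
    status = jacc and 'JACC' or 'WebLogic Security Framework'
    print name, ':', status
    if jacc != EXPECT_JACC:
        mismatched.append(name)

if mismatched:
    print 'MISMATCH: restart these servers with the same JACC options as', adminName, ':', mismatched
else:
    print 'All Managed Servers agree with the expected JACC setting.'
disconnect()
```

Run the script after every change to the JACC start options, and treat any reported mismatch as a live exposure rather than a cosmetic one: the servers named are the ones enforcing a different policy model from the one the Administration Console shows you.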

13.5 Viewing MBean Attributes

The Anonymous Admin Lookup Enabled option specifies whether anonymous, read-only access to WebLogic Server MBeans is allowed from the MBean API. With this anonymous access, an unauthenticated caller can read the value of any MBean attribute that is not explicitly marked as protected by the WebLogic Server MBean authorization process. This option is enabled by default to ensure backward compatibility. For greater security, disable this anonymous access.

To verify the setting of the Anonymous Admin Lookup Enabled option in the WebLogic Server Administration Console, select Domain > Security > General, or view the SecurityConfigurationMBean.AnonymousAdminLookupEnabled attribute.
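The attribute can be audited and, where required, disabled from WLST. The following WLST (Jython) script is an added example and is not code from the Oracle documentation; the URL and credentials are assumed placeholders. By default it only reports the setting; passed --fix on the command line it disables anonymous lookup and then re-reads the running configuration rather than the edit tree to confirm the change took effect.

```jython
# Added example (not from the Oracle documentation): audit and optionally
# disable anonymous read-only MBean access. URL and credentials are assumptions.
import sys

ADMIN_URL  = 't3://adminhost.example.com:7001'   # assumed
ADMIN_USER = 'weblogic'                          # assumed
ADMIN_PASS = 'changeit'                          # assumed
FIX = len(sys.argv) > 1 and sys.argv[1] == '--fix'   # audit only unless --fix is given

def anonymousLookupEnabled():
    # serverConfig() is the read-only view of the configuration the server is
    # actually running, so this reflects what clients currently get.
    serverConfig()
    cd('/SecurityConfiguration/' + domainName)
    # get() returns a Java Boolean; compare as text so it works across WLST versions.
    return str(get('AnonymousAdminLookupEnabled')).lower() == 'true'

connect(ADMIN_USER, ADMIN_PASS, ADMIN_URL)
if anonymousLookupEnabled():
    print 'AnonymousAdminLookupEnabled is true: unauthenticated clients can read'
    print 'every MBean attribute not marked protected (the WebLogic default).'
    if FIX:
        edit()
        startEdit()
        cd('/SecurityConfiguration/' + domainName)
        cmo.setAnonymousAdminLookupEnabled(false)
        save()
        activate(block='true')
        print 'after fix, AnonymousAdminLookupEnabled =', anonymousLookupEnabled()
else:
    print 'AnonymousAdminLookupEnabled is false: MBean reads require authentication.'
disconnect()
```

Usage: wlst.sh anonymous_lookup.py to audit, wlst.sh anonymous_lookup.py --fix to disable. Before disabling in production, confirm that no monitoring tool still relies on unauthenticated MBean reads; those clients need a user with a read-only role, not the anonymous path.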

13.6 How Passwords Are Protected in WebLogic Server