tags:

views:

237

answers:

1
Q: 

Restrict access to connection pool in Weblogic?

In short, how can I restrict access to connection pool X based on application name or JAR name? A simple use case might help...

A business web-app (call it WEB_APP_A) uses pool Y to do basic look-up SQL. Some users of this web-app have access to also update some sensitive data in the database. This code is provided by a JAR file (call it HR_JAR) that can be dropped in where needed. This JAR uses pool X for all of it's connections.

We don't want developers of WEB_APP_A using pool X. We only want HR_JAR using pool X. This is to keep devs of WEB_APP_A from accidentally or intentionally abusing the access pool X provides.

Some considerations:

  1. This is legacy code so HR_JAR is here to stay
  2. We are running on Weblogic 9.2
  3. We can not keep passwords in any from in the source code
  4. We have researched weblogic user level authn/authz for JDBC resources but then this begs the question; how do we secure the user creds we use to become a user per app/jar?

Ideas? Thoughts? I can elaborate more on what I have tried, but I wanted fresh ideas.

A: 

Haven't ever tried this and don't have access to an instance to play right now, but in your JDBC config you could try adding a <scope> element for the application against pool X, inside the <jdbc-data-source-params> I think... Though that assumes you have a separate application defined for HR.jar, which I'm not sure is the case from your description. I don't know if you can restrict an individual JAR within an application though.

Alex Poole  2010-02-22 22:36:19
HR JAR is shipped with WEB_APP_A. In JBoss the answer seems trivial (see http://www.jboss.org/file-access/default/members/jbossweb/freezone/docs/latest/security-manager-howto.html section "JBoss Web Custom Permissions"). I can't seem to find the equivalent in Weblogic.
Andrew White  2010-02-23 02:59:21
@Andrew I'm not sure to understand how this JBoss stuff would solve your problem.
Pascal Thivent  2010-02-23 08:58:27
Well, in JBoss I could do the following, right?grant codeBase "jar:file:${catalina.home}/webapps/WEB_APP_A/WEB-INF/lib/HR.jar!/-" { org.apache.naming.JndiPermission "jndi://localhost/poolX; };
Andrew White  2010-02-23 15:48:01
@Andrew Ah yes indeed. After a second read, it appears that you're right.
Pascal Thivent  2010-02-23 16:14:04

related questions

Weblogic server: Why response sent prior to post completion
Speed up Weblogic Server startup times
Obtaining an IntialContext from Weblogic without using clear text password
Weblogic wlserver memory setting?
Failure of server APACHE bridge with Weblogic Server
Difference between WebLogic Integration and Oracle Service Bus?
Security of Tomcat versus WebSphere versus WebLogic
How does IIS compare in terms of performance and scalability to weblogic and websphere for enterprise web applications?
Is a process design really declarative programming?
Can NovellAuthenticators (LDAP) be add to Weblogic using WLST Offline?
How to create project in WebLogic Workshop with support for JPA entity beans?
Using maven as build tool for Weblogic 10.3
What hardware changes will affect WebLogic performance the most?
WebLogic plugin within Eclipse
How to Force Thread Dump in Eclipse?
Will Oracle retire 10gAS in favor of WebLogic?
Easiest way to front Weblogic 9.2 with apache 2.x
Multiple instances of a java web application sharing a resource
Deactivating Weblogic Load Balancing Optimization for collocated objects
Weblogic add-on to serialize web service calls
Indirectly referenced from required .class file
Does Weblogic 9.x support the 2.4 Servlet standard?
Can the Weblogic default handler display the list of contexts?
Tomcat vs Weblogic JNDI Lookup
Giant NodeManagerLogs from hibernate in weblogic