Several Weblogic components, such as EJBs, Datasources and Queues, are accessed using JNDI lookups. In a default Weblogic configuration the JNDI tree can be accessed without any kind of authentication. This is far from ideal, because any process, inside or outside the Weblogic container, is capable of invoking these components. Only Datasources have an extra layer of security: they can only be used remotely after activating the property “weblogic.jdbc.remoteEnabled”.

In this blog entry I will not only show how to secure the JNDI tree but also what this means for the development of components such as Session EJBs, Message Driven Beans and external frameworks.

1. Securing the JNDI-Tree lookups

In Weblogic it is possible to secure a single JNDI address, a group of addresses or the whole JNDI tree. There are two ways to do this: through the administration console or with WLST.

1.1 Administration Console

  • In Environment -> Servers -> admin_server -> View JNDI Tree
  • Security -> Policies -> Add Conditions
  • User -> Next
  • Add User -> Add -> Finish
  • Select everyone -> Remove
  • Save
*Always add the weblogic user to the condition; otherwise the Weblogic console won’t work.

1.2 WLST

WLST follows the same principle: first the default rule has to be deleted, then the new rule with the user has to be added.

2. Developing with JNDI Security

As mentioned above, this kind of security has to be taken into account when Session EJBs and Message Driven Beans are implemented. External frameworks and deployments can also be affected.

2.1 Session EJBs

Securing the JNDI tree only affects the external consumer of the Session EJB, who has to provide credentials (normally a username and password) when invoking the EJB. Any subsequent calls that the EJB makes run inside a JAAS context, and Weblogic propagates the authenticated Subject automatically. In other words, Session EJBs don’t have to be modified to provide credentials for JNDI invocations; only the external clients do.

2.2 Message Driven Beans (MDB)

Message driven EJBs don’t have a Subject that can be propagated automatically, because no authenticated client invoked them. Instead, Message Driven Beans create their Subject from the information provided in the weblogic-ejb-jar.xml and ejb-jar.xml deployment descriptors. Annotations can be used instead of the ejb-jar.xml deployment descriptor.

weblogic-ejb-jar.xml

ejb-jar.xml

Annotations
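The three variants listed above, as an added example that is not the post’s own code: an MDB declared with annotations, with the equivalent ejb-jar.xml and weblogic-ejb-jar.xml fragments in the trailing comment. The queue name jms/OrderQueue, the role MdbRole and the user mdbuser are assumptions; mdbuser must be a user that the JNDI policy from section 1 grants access to.

```java
// Added example, not the post's own code. Assumed names: queue jms/OrderQueue,
// role MdbRole and Weblogic user mdbuser (a user the JNDI policy allows).
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RunAs;
import javax.ejb.MessageDriven;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageListener;
import javax.jms.TextMessage;

// mappedName is the destination JNDI name; the container looks it up on the
// bean's behalf, so that lookup has to pass the secured JNDI policy too.
@MessageDriven(mappedName = "jms/OrderQueue")
@DeclareRoles("MdbRole")
@RunAs("MdbRole")   // annotation form of ejb-jar.xml <security-identity><run-as>
public class OrderMdb implements MessageListener {

    @Override
    public void onMessage(Message message) {
        try {
            // Everything here, including further JNDI lookups, runs with the
            // Subject of the principal mapped to MdbRole, not as anonymous.
            String body = ((TextMessage) message).getText();
            System.out.println("Received: " + body);
        } catch (JMSException e) {
            throw new IllegalStateException(e);
        }
    }
}

/* Descriptor equivalents of the annotations (assumed file contents).

   ejb-jar.xml, inside the <message-driven> element for OrderMdb:
     <security-identity>
       <run-as><role-name>MdbRole</role-name></run-as>
     </security-identity>

   weblogic-ejb-jar.xml, which maps the role to a real Weblogic user:
     <security-role-assignment>
       <role-name>MdbRole</role-name>
       <principal-name>mdbuser</principal-name>
     </security-role-assignment>
*/
```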

2.3 External Frameworks (MDB)

Several external frameworks and applications also make JNDI invocations. For these cases it is possible to generate a weblogic-ejb-jar.xml with the Weblogic Plan Generator and to adapt it in the same way as for the Message Driven Beans.

Conclusion

JNDI tree security is an important feature that shouldn’t be overlooked in production environments. It is easy to configure and provides great flexibility, since single or multiple entries can be secured by a given expression. Nevertheless, implementing it has repercussions on the components that are going to be deployed to the container. Fortunately, JEE provides several mechanisms for this case, such as deployment descriptors and annotations.