Covering J2EE Security and WebLogic Topics

check-auth-on-forward

What happens when a servlet (or JSP) forwards the user to a protected resource for which the user does not have authorization? According to the servlet specification, the user will see the protected resource. Surprise!

I checked the servlet specifications on this subject. Servlet 2.2 has no explicit mention of what happens during forwards or includes from a security perspective. Starting with Servlet 2.3, however, section SRV.12.2 explicitly states that declarative security does not apply to forwards and includes.

I’d prefer it to default the other way such that the container checks security for forwards and includes. Too bad for me, I guess. Fortunately, WebLogic meets the specification’s requirement by default but provides a way to check security if you want to enable it. To use it, add the following stanza to weblogic.xml:

<container-descriptor>
   <check-auth-on-forward/>
</container-descriptor>

Now, authorization will be checked for the target forward or include.
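As an added illustration (not code from the original post), here is a minimal layout showing the behaviour described above and both ways of handling it: web.xml protects /admin/*, a servlet forwards there, and weblogic.xml enables check-auth-on-forward; the servlet also performs a programmatic role check, which goes beyond the post as a portable fallback for containers that have no equivalent setting. The servlet, role and paths are assumed.

```java
// web.xml (fragment, constructed): /admin/* requires the "admin" role.
// <security-constraint>
//   <web-resource-collection>
//     <web-resource-name>Admin area</web-resource-name>
//     <url-pattern>/admin/*</url-pattern>
//   </web-resource-collection>
//   <auth-constraint><role-name>admin</role-name></auth-constraint>
// </security-constraint>
//
// weblogic.xml (fragment): make WebLogic apply the constraint to forwards/includes.
// <container-descriptor>
//    <check-auth-on-forward/>
// </container-descriptor>

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet mapped to an unprotected URL (e.g. /report) that
// forwards to a page under the protected /admin/ tree.
public class ReportServlet extends HttpServlet {
    private static final String TARGET = "/admin/report.jsp";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Per SRV.12.2 the container does not re-check the constraint on a
        // forward, so without <check-auth-on-forward/> this forward renders
        // /admin/report.jsp for any caller that can reach this servlet.
        // The programmatic check below keeps the outcome the same on any
        // container; with the weblogic.xml setting enabled, WebLogic also
        // rejects the forward itself.
        if (!req.isUserInRole("admin")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        req.getRequestDispatcher(TARGET).forward(req, resp);
    }
}
```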

3 Comments

  1. Hi Mike,

    Came across your blog and found it very useful. For
    our current project, we need user authentication from one data source (Oracle) and the user profile (UUP) from another data source (MySQL).

    My plan is to develop a custom authenticator and UUP. Is it possible to do in my case as both of the sources are different? Is there any relationship between the custom authenticator and UUP?

    Thanks for the blog.

    Ram

    Comment by Ram — May 26, 2007 @ 1:27 am

  2. Ram,

    I don’t do much work with the portal but I believe that the authenticator and UUP are unrelated. As a result, you should be able to handle two data sources (one for authentication and one for extra data) assuming that the user names are the same in each DB.

    You may not need a custom authenticator, though. If you are using WLS 9.x or greater, RDBMS authenticators are available out-of-the-box. With WLS 8.1, you would need a custom authenticator to go against your Oracle database but there is an example on the BEA site.

    Good luck!

    Comment by Mike Fleming — May 27, 2007 @ 8:38 pm

  3. Thanks for the response.

    Even though we are authenticating against the DB, we can’t access the DB directly; we are doing it through an API.

    I have prepared one Custom authenticator (Data from DB) and UUP from a different data source and it works now. Thanks for the response.

    Comment by Ram — May 28, 2007 @ 3:28 am
