WebLogic Server 6.0 Code Examples, BEA Systems, Inc.

Package examples.security.acl

This package demonstrates how to restrict access to a WebLogic Server resource (in this case, an RMI object) with an access control list (ACL).


Interface Summary
Frobable Remote interface used to illustrate access control on an RMI object.
 

Class Summary
AltClient This simple client connects as a specific user and attempts an RMI invocation.
Client This simple client connects as a specific user and attempts an RMI invocation.
FrobImpl Class FrobImpl illustrates how to use an ACL to protect an RMI object's method.
 

Package examples.security.acl Description

This package demonstrates how to restrict access to a WebLogic Server resource (in this case, an RMI object) with an access control list (ACL). The ACL is added to the fileRealm security realm in WebLogic Server. The fileRealm security realm checks the permissions for the RMI object before allowing a client to execute it.

Two clients are provided:

Perform the following steps in order to build, compile, and run the examples:

  1. Build the example
  2. Configure the server
  3. Run the example

Build the Example

  1. Set up your development shell as described in Setting up your environment.

  2. Compile the example by executing the following commands or by executing the build script provided for this example in the samples/examples/security/acl directory:

    1. Compile the Frobable interface and the FrobImpl implementation class as follows:
         javac -d %SERVER_CLASSES% Frobable.java FrobImpl.java

    2. Run the WebLogic RMI compiler to generate a client stub and skeleton for the FrobImpl class as follows:
         java weblogic.rmic -d %SERVER_CLASSES% examples.security.acl.FrobImpl

    3. Compile the Client and AltClient classes as follows:
         javac -d %CLIENT_CLASSES% Client.java AltClient.java

  3. Copy the demonstration digital certificate and private key for WebLogic Server and the digital certificate for the certificate authority from the \weblogic600\config\examples directory to the directory in which you are running the ACL code example.

    When using mutual authentication with the AltClient client, you can use the demonstration digital certificate and private key for both the client and the server.

    You can also use a digital certificate and private key you obtained yourself with the ACL code example. Copy the digital certificates and the private key file into the directory in which you are running the ACL code example.

Configure the Server

  1. Bring up the Administration Console in a browser.

  2. Register the FrobImpl instance as an RMI startup class:
    1. Click to expand the Deployments node in the left pane.
    2. Click to expand the Startup & Shutdown node in the left pane.
    3. Select the frob node.
    4. Deploy the frob startup class on the examplesServer.

  3. Verify that joeuser is a User in the fileRealm security realm:
    1. Click to expand the Security node in the left pane.
    2. Select the Users node.
    3. Verify that the user joeuser exists. The password for joeuser is joepass.

  4. Verify that an ACL called aclexample that grants the permission frob for User joeuser exists:
    1. Select the Access Control Lists node in the left pane.
    2. Select the aclexample ACL in the right pane.
    3. Verify that frob is listed in the Permission column and joeuser is listed in the Grantees column.

  5. Verify that the SSL protocol is enabled:
    1. On the SSL tab in the Server Configuration window for the examplesServer verify that the Enabled checkbox is checked.
    2. Enter 7002 in the Listen Port field.

  6. Define the following information about the digital certificate and private key for examplesServer on the SSL tab in the Server Configuration window:
    1. In the Server Key File Name field, enter the full directory location and name of the private key file for examplesServer (for example, ./config/examples/demokey.pem).
    2. In the Server Certificate File Name field, enter the full directory location and name of the digital certificate for examplesServer (for example, ./config/examples/democert.pem).
    3. If you are using mutual authentication with the AltClient client, check the Client Certificate Enforced checkbox to enable mutual authentication.
    4. In the Trusted CA File Name field, enter the full directory location and name of the digital certificate for the certificate authority trusted by examplesServer (for example, ./config/examples/ca.pem).
    5. If you are using a PKCS-8 password protected private key, check the Key Encrypted checkbox. The demonstration private key is not password protected.

Run the Example

  1. Restart the Server.

    If you are using a PKCS-8 password protected private key, add the following command line option when starting WebLogic Server:

     -Dweblogic.management.pkpassword=password

    where password specifies the password used to protect the private key.

  2. Run the Client client as follows:
     java examples.security.acl.Client url user password

    where url specifies the T3S or HTTPS protocol and the default port (7002) on which WebLogic Server listens for SSL communications.

    user and password are the username and password for joeuser.

    For example:

      java examples.security.acl.Client t3s://localhost:7002 joeuser joepass

  3. Run the AltClient client as follows:

       java examples.security.acl.AltClient url -user user -pass password
              -sslCert private_key:public_key[:cert_chain] [-password] [-servername]

    where url specifies the T3S or HTTPS protocol and the default port (7002) on which WebLogic Server listens for SSL communications.

    user and password are the username and password for joeuser. If the -user and -pass command line options are not specified, the JNDI InitialContext defaults to the User guest with the password guest. In this case, the AltClient client fails because the aclexample ACL does not assign permissions to the guest User.

    -sslCert specifies the name of the private key file and digital certificate separated by the default path separator on your platform.

    If you are using a PKCS-8 password encrypted private key, -password specifies the password used to encrypt the private key. If you are using the demonstration digital certificate and private key, you do not need to specify this command line option.

    -servername is the name of the WebLogic Server to which you expect to connect.

    For example:

     $  java examples.security.acl.AltClient t3s://localhost:7002 -user joeuser
             -pass joepass -sslCert demokey.pem;democert.pem
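The following program is an added illustration of the authorization check described in the package description (the realm checks the ACL's permission before the RMI method is allowed to run) and of the guest failure case noted for AltClient above. It is not part of the WebLogic example and does not use WebLogic's security API; the Realm, Acl and FrobService classes, and passing the authenticated principal name into the method, are simplifications assumed for illustration. It mirrors the page's configuration: user joeuser with password joepass, an ACL named aclexample that grants the permission frob to joeuser, and a guest user that the ACL does not list.

```java
// Added illustration, not the WebLogic example's own code: a minimal
// realm/ACL model that guards a method the way the page describes.
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

public class AclDemo {

    /** An ACL maps a permission name to the set of grantees holding it. */
    static final class Acl {
        private final Map<String, Set<String>> grants = new HashMap<>();

        void grant(String permission, String grantee) {
            grants.computeIfAbsent(permission, k -> new HashSet<>()).add(grantee);
        }

        /** Default deny: an unknown permission or an unlisted grantee fails. */
        boolean checkPermission(String principal, String permission) {
            Set<String> grantees = grants.get(permission);
            return grantees != null && grantees.contains(principal);
        }
    }

    /** A realm holds users (with passwords) and named ACLs (assumed simplification). */
    static final class Realm {
        private final Map<String, String> users = new HashMap<>();
        private final Map<String, Acl> acls = new HashMap<>();

        void addUser(String name, String password) { users.put(name, password); }
        void addAcl(String name, Acl acl) { acls.put(name, acl); }

        /** Authenticate; returns the principal name, or null on failure. */
        String authenticate(String user, String password) {
            String stored = users.get(user);
            return stored != null && stored.equals(password) ? user : null;
        }

        /** A missing ACL denies as well; nothing is granted implicitly. */
        boolean checkPermission(String principal, String aclName, String permission) {
            Acl acl = acls.get(aclName);
            return principal != null && acl != null && acl.checkPermission(principal, permission);
        }
    }

    /** Stand-in for the remote object: the realm check runs before the method body. */
    static final class FrobService {
        private final Realm realm;
        FrobService(Realm realm) { this.realm = realm; }

        String frob(String principal) {
            if (!realm.checkPermission(principal, "aclexample", "frob")) {
                throw new SecurityException(principal + " lacks permission frob on aclexample");
            }
            return "frobbed by " + principal;
        }
    }

    /** Builds a realm mirroring the configuration described on the page. */
    static Realm exampleRealm() {
        Realm realm = new Realm();
        realm.addUser("joeuser", "joepass");
        realm.addUser("guest", "guest");
        Acl acl = new Acl();
        acl.grant("frob", "joeuser");
        realm.addAcl("aclexample", acl);
        return realm;
    }

    public static void main(String[] args) {
        Realm realm = exampleRealm();
        FrobService frob = new FrobService(realm);

        // Client run with explicit -user/-pass: authenticated and granted.
        String joe = realm.authenticate("joeuser", "joepass");
        System.out.println(frob.frob(joe));

        // AltClient run without -user/-pass: defaults to guest, which the ACL does not list.
        String guest = realm.authenticate("guest", "guest");
        try {
            frob.frob(guest);
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

The point to take from the model is that authorization is decided by the realm from the ACL's grantees, not by the client: a caller that authenticates successfully (guest/guest here) is still refused when the ACL names no permission for it, and an absent ACL or permission denies rather than falling open.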

There's More...

Read more about ACLs and security in Programming WebLogic Security and Managing Security.


Documentation is available at
http://e-docs.bea.com/wls/docs60

Copyright © 2000 BEA Systems, Inc. All Rights Reserved.