I've written earlier about adding basic HTTP authentication to a web service. That example forced the user of the web service to authenticate using basic authentication before a request would be served. However, the username and password in this case are prone to sniffing and can be retrieved with relative ease. This is easily addressed by setting up your deployment so that WebLogic forces the use of HTTPS/SSL URLs when making requests.
Making this change is almost trivial. Simply change the transport-guarantee element of your web.xml file. There are three possible values for this: NONE, INTEGRAL and CONFIDENTIAL. Both of the latter force SSL.
Here's more information from the WebLogic documentation:
Specifies data security requirements for communications between the client and the server.
Range of values:
NONE—The application does not require any transport guarantees.
INTEGRAL—The application requires that the data be sent between the client and server in such a way that it cannot be changed in transit.
CONFIDENTIAL—The application requires that data be transmitted so as to prevent other entities from observing the contents of the transmission.
WebLogic Server establishes a Secure Sockets Layer (SSL) connection when the user is authenticated using the INTEGRAL or CONFIDENTIAL transport guarantee.
In my case, I change the web.xml to something like this:
Now, even when using basic authentication, the username and password will be encrypted because SSL is used. It is still possible, however, to send a request to the non-SSL URL for the web service. In this case, WebLogic will respond with the testing page instead of forwarding the request to the web service.
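As an added example (not the author's listing or WebLogic code), the Python check below parses a web.xml and reports the URL patterns of authenticated security constraints whose transport-guarantee does not force SSL. The embedded web.xml is constructed for illustration; the resource name, role name and URL pattern are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml for a service protected by basic authentication.
# SecureService, ServiceUser and /* are placeholder names, not from the article.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecureService</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ServiceUser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>{guarantee}</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
</web-app>"""

def local(tag):
    """Strip an XML namespace so DTD- and schema-based web.xml files match alike."""
    return tag.rsplit("}", 1)[-1]

def find_all(elem, name):
    return [e for e in elem.iter() if local(e.tag) == name]

def cleartext_constraints(web_xml):
    """Return url-patterns that require login but do not force SSL."""
    root = ET.fromstring(web_xml)
    findings = []
    for sc in find_all(root, "security-constraint"):
        if not find_all(sc, "auth-constraint"):
            continue  # no credentials are requested for this constraint
        tg = find_all(sc, "transport-guarantee")
        # A missing user-data-constraint means no transport guarantee (NONE).
        value = (tg[0].text or "").strip().upper() if tg else "NONE"
        if value not in ("INTEGRAL", "CONFIDENTIAL"):
            findings += [(p.text or "").strip() for p in find_all(sc, "url-pattern")]
    return findings

if __name__ == "__main__":
    for g in ("NONE", "CONFIDENTIAL"):
        print(g, cleartext_constraints(WEB_XML.format(guarantee=g)))
```

An empty result means every constraint that asks for credentials also carries INTEGRAL or CONFIDENTIAL.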