Igor Kromin |   Consultant. Coder. Blogger. Tinkerer. Gamer.

I've written earlier about adding basic HTTP authentication to a web service. That example forced the user of the web service to authenticate using basic authentication before a request would be served, however the username and password in this case are prone to sniffing and can be retrieved with relative ease. This is easily addressed by setting up your deployment so that WebLogic forces the use of HTTPS/SSL URLs web making requests.

Making this change is almost trivial. Simply change the transport-guarantee element of your web.xml file. There are three possible values for this, NONE, INTEGRAL and CONFIDENTIAL. Both of the latter force SSL.

Here's more information from WebLogic documentation:
Specifies data security requirements for communications between the client and the server.

Range of values:

NONE—The application does not require any transport guarantees.

INTEGRAL—The application requires that the data be sent between the client and server in such a way that it cannot be changed in transit.

CONFIDENTIAL—The application requires that data be transmitted so as to prevent other entities from observing the contents of the transmission.

WebLogic Server establishes a Secure Sockets Layer (SSL) connection when the user is authenticated using the INTEGRAL or CONFIDENTIAL transport guarantee.


In my case, I change the web.xml to something like this:
 web.xml
...
<user-data-constraint>
<description>The application requires that the data be sent between the client and server in such a way that it cannot be changed in transit.</description>
<transport-guarantee>INTEGRAL</transport-guarantee>
</user-data-constraint>
...




Now even when using basic authentication, since SSL is used, the username and password will be encrypted. It is still possible to send a request to the non-SSL URL for the web service however. In this case, WebLogic will respond with the testing page instead of forwarding the request to the web service.
wlssectestpage.png


-i

Please leave your comments or feedback below!
comments powered by Disqus
Other posts you may like...
Hi! You can search my blog here ⤵
Or browse the recent top tags...

Recent Blog Posts

Mini review of the Sonoff B1 WiFi light bulb

Coherence cache performance optimistic vs replicated schemes

Coherence and weblogic.xml in different types of J2EE web app deployments

Atari Lynx repair - Part 5 - McWill LED screen mod installation

Atari Lynx repair - Part 4 - screen cover replacement

Atari Lynx repair - Part 3 - broken speaker replacement

Atari Lynx repair - Part 2 - re-capping the motherboard

Atari Lynx repair - Part 1 - introduction and case disassembly

jPhotoFrame updated to version 0.3.1 with an image rotation correction utility

iOS 11 pre-GM mini review before it gets revealed next week

Recent Galleries

Atari Lynx repair - Part 5 - McWill LED screen mod installation

Atari Lynx repair - Part 4 - screen cover replacement

Atari Lynx repair - Part 2 - re-capping the motherboard

Atari Lynx repair - Part 3 - broken speaker replacement

Atari Lynx repair - Part 1 - introduction and case disassembly

Building a custom Atari Lynx game box storage shelf unit in a day

Protecting old Atari Lynx game boxes with snug fit plastic sleeves

Monument Valley 2 is released and does not disappoint

Space Food - Chocolate Ice Cream with Chocolate Chips

Legeod Star Wars AT-DP kit

Blogs and Friends

Matt Moores Blog
Georgi's FlatPress Guide
Perplexing Permutations
The Security Sleuth
Ilia Rogatchevski
Travelling Fairy

Blog Activity

Blog Activity