
package examples.security.acl

Interface Index

  • Frobable

Class Index

    about this package

    This package demonstrates how to restrict access to a WebLogic object -- in this case, an RMI object -- with an access control list (Acl). The user-defined Acl is added to the default WebLogic realm, and the RMI object checks the list for authorization before allowing a user to execute it.
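
    The check-before-execute pattern described above, as an added example that is not part of the original package: it is a plain-Java model and does not use the WebLogic realm API. The class names Realm, Frob and AclCheckDemo and the permission name "frob" are assumptions; "aclexample", "joeuser" and "guest" are the names used on this page.

```java
import java.util.*;

// Added illustration: plain-Java model of the check, not the WebLogic realm API.
public class AclCheckDemo {
    /** Stand-in for a realm: ACL name -> permission name -> users granted it. */
    static final class Realm {
        private final Map<String, Map<String, Set<String>>> acls = new HashMap<>();

        void grant(String aclName, String permission, String user) {
            acls.computeIfAbsent(aclName, k -> new HashMap<>())
                .computeIfAbsent(permission, k -> new HashSet<>())
                .add(user);
        }

        /** Fail closed: a missing ACL, permission or user always denies. */
        boolean checkPermission(String aclName, String permission, String user) {
            if (user == null) return false;
            Map<String, Set<String>> acl = acls.get(aclName);
            if (acl == null) return false;
            Set<String> granted = acl.get(permission);
            return granted != null && granted.contains(user);
        }
    }

    /** Stand-in for the remote object: authorizes the caller before any work. */
    static final class Frob {
        static final String ACL_NAME = "aclexample"; // ACL name used on this page
        static final String PERMISSION = "frob";     // assumed permission name
        private final Realm realm;
        Frob(Realm realm) { this.realm = realm; }

        String frob(String caller) {
            if (!realm.checkPermission(ACL_NAME, PERMISSION, caller)) {
                throw new SecurityException(
                    "user " + caller + " lacks " + PERMISSION + " on " + ACL_NAME);
            }
            return "frobbed by " + caller;
        }
    }

    public static void main(String[] args) {
        Realm realm = new Realm();
        realm.grant("aclexample", "frob", "joeuser"); // constructed sample grant
        Frob frob = new Frob(realm);
        for (String caller : new String[] {"joeuser", "guest"}) {
            try {
                System.out.println(frob.frob(caller));
            } catch (SecurityException e) {
                System.out.println("denied: " + e.getMessage());
            }
        }
    }
}
```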

    Two clients are provided. Client.java connects to WebLogic Server, either on the standard or SSL port, specifying the username and password defined for the user in the weblogic.properties file. AltClient.java shows how to connect to WebLogic Server using two-way authentication, specifying private key and certificate file names on the command line.

    how to use this package

    1. Set up your development shell as described in Setting your development environment.

    2. Edit the weblogic.properties file and make the following changes:

    3. Compile the Frobable interface in this directory with a command like this:
        $ javac -d %SERVER_CLASSES% Frobable.java

    4. Compile the FrobImpl class in this directory with a command like this:
        $ javac -d %SERVER_CLASSES% FrobImpl.java

    5. Compile the Client and AltClient classes with a command like this:
        $ javac -d %CLIENT_CLASSES% Client.java AltClient.java

    6. Run the WebLogic RMI compiler to generate a stub and skeleton for the FrobImpl class with a command like this:
       $ java weblogic.rmic -d %SERVER_CLASSES% examples.security.acl.FrobImpl

      Note to Microsoft SDK for Java users
      If you are running Microsoft SDK for Java, you must specify JVC as the Java compiler on the weblogic.rmic command line. Use this command to execute the WebLogic RMI compiler under JView:
        $ jview weblogic.rmic -d %SERVER_CLASSES% -compiler jvc examples.security.acl.FrobImpl

    7. Start WebLogic Server in your server shell.

    8. Run the standard client with a command like:
       $ java examples.security.acl.Client url user password

      For example,

       $ java examples.security.acl.Client t3://localhost:7001 joeuser joespass

    To try the two-way authentication client, AltClient, you can use the demonstration certificates included with WebLogic Server. Follow these steps:

    1. Copy the demonstration certificate and key from the myserver directory of your WebLogic installation to this directory. The filenames are demokey.pem and democert.pem. For example, use this command for Windows NT:
        $ copy %WL_HOME%\myserver\demo*.pem

    2. Edit the weblogic.properties file and set the server certificate properties as follows:
        weblogic.security.clientRootCA=ca.pem
        weblogic.security.certificate.server=democert.pem
        weblogic.security.key.server=demokey.pem
        weblogic.security.certificate.authority=ca.pem

    3. Restart WebLogic Server.

    4. AltClient has a different command line syntax than Client and can be used in two ways.

      WebLogic user authentication, no SSL

        $  java examples.security.acl.AltClient url [-user user] [-pass password]

      This is the same as using Client. url specifies the T3 protocol and WebLogic Server's standard port, 7701 by default. If the -user and -pass options are not provided, JNDI defaults to user "guest", password "guest" (which should fail for this example, since the "aclexample" Acl does not assign permissions to the "guest" user). For example:

        $  java examples.security.acl.AltClient t3://localhost:7001
                -user joeuser -pass joespass

      Using SSL with two-way authentication

        $  java examples.security.acl.AltClient url [-user user -pass password] 
                -sslCert private_key:public_key[:cert_chain]

      This format uses two-way authentication. url specifies the T3S or HTTPS protocol and the WebLogic Server SSL port, 7702 by default. If the -user and -pass options are not supplied, JNDI defaults to user "guest", password "guest" (which should fail for this example). The -sslCert option supplies file names for the private key, public key, and an optional certificate chain, separated by the default path separator on your platform. For example, on Windows NT:

       $  java examples.security.acl.AltClient t3s://localhost:7002 -user joeuser
               -pass joespass -sslCert demokey.pem;democert.pem

      Using a certificate as a credential (not SSL)

    there's more . . .

    For more information on ACLs and security, read the Developers Guides, Using WebLogic SSL and Using WebLogic ACLs.