access control on jndi lookup

 
Ranch Hand
Posts: 354
While accessing EJBs or DataSources using InitialContext and JNDI names, we have the option of supplying Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS.

I am able to access when I don't provide any principal or credential, or when I provide the right values, but not when I provide wrong values. How do I disable access when no values are provided?
 
Ranch Hand
Posts: 1683
The default values for Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS depend on whether the current thread is already associated with a user defined in the WebLogic security realm. If it is, then the values default to the current user. If not, these properties default to the guest user.

You can set these properties in a jndi.properties file which has been placed where the application classloader can find it. Once the properties have been set, you can simply instantiate InitialContext by using the no-arg constructor.
 
Abhinav Srivastava
Ranch Hand
Posts: 354
Where does the "guest" user come from? What do I have to do in order to disable this user? It's like having all the security and still being able to access the server without passing any credentials!
 
Roger Chung-Wee
Ranch Hand
Posts: 1683
The guest user may not be enabled by default - this depends on the version of WebLogic Server which you are running. In any case, you should never default to guest user if your user is defined in the WebLogic security realm.

To disable the guest user, do the following.

Go to the Change Center of the Administration Console, click Lock & Edit. Select your domain and select Compatibility Security > General. Now select the Guest Disable checkbox. You will need to reboot your server for this change to take effect.
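
A client-side check for the situation discussed in this thread, as an added example that is not part of the original posts: it compares a lookup made with no principal or credentials against an authenticated control lookup, so you can confirm whether the server still accepts anonymous access. The class name `JndiAccessCheck`, the `JNDI_PASSWORD` environment variable and the argument order are assumptions; `weblogic.jndi.WLInitialContextFactory` needs the WebLogic client jar on the classpath.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

public class JndiAccessCheck {
    static final String FACTORY = "weblogic.jndi.WLInitialContextFactory";

    // Environment with no principal or credentials: the server picks the identity.
    static Hashtable<String, Object> anonymousEnv(String url) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, FACTORY);
        env.put(Context.PROVIDER_URL, url);
        return env;
    }

    // Fails closed: refuses to build an environment that would fall back to a default user.
    static Hashtable<String, Object> authenticatedEnv(String url, String user, String password) {
        if (user == null || user.isEmpty() || password == null || password.isEmpty())
            throw new IllegalArgumentException("principal and credentials are required");
        Hashtable<String, Object> env = anonymousEnv(url);
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return env;
    }

    // True if the context can be created and the name looked up with this environment.
    static boolean canLookup(Hashtable<String, Object> env, String jndiName) {
        Context ctx = null;
        try {
            ctx = new InitialContext(env);
            ctx.lookup(jndiName);
            return true;
        } catch (NamingException e) {
            System.out.println("  rejected: " + e.getClass().getName());
            return false;
        } finally {
            if (ctx != null) try { ctx.close(); } catch (NamingException ignored) { }
        }
    }

    // Usage: JNDI_PASSWORD=... java JndiAccessCheck <provider-url> <jndi-name> <user>
    public static void main(String[] args) {
        if (args.length != 3) { System.err.println("expected: <provider-url> <jndi-name> <user>"); System.exit(2); }
        // Anonymous probe runs first, before this thread is associated with any user.
        boolean anon = canLookup(anonymousEnv(args[0]), args[1]);
        boolean auth = canLookup(authenticatedEnv(args[0], args[2], System.getenv("JNDI_PASSWORD")), args[1]);
        if (!auth) System.out.println("INCONCLUSIVE: control lookup failed (classpath, connectivity or credentials)");
        else System.out.println(anon ? "FAIL: lookup succeeds without credentials" : "OK: credentials are required");
        System.exit(auth && !anon ? 0 : 1);
    }
}
```

The authenticated lookup acts as a control: an anonymous rejection only means something when the same lookup succeeds with valid credentials, since a missing client jar or an unreachable server also surfaces as a `NamingException`.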
 