Weblogic Security Constraints Not Working Properly
(Doc ID 1362629.1)
Last updated on AUGUST 12, 2021
Applies to:
Oracle WebLogic Server - Version 10.3 and later
Information in this document applies to any platform.
Symptoms
There is a problem with the security-constraint implementation on WebLogic Server 10.3. A sample application is attached to illustrate the problem.
Essentially the problem is as follows.
Assume the following in the web.xml:
Following this, the resource "NoAccess" above should take precedence and preclude access even though the previous constraint grants access. Unfortunately it does not for the *.pdf pattern, but does for the /doc2/* pattern.
When you access the application you will be offered the following files to access:
readme.pdf
doc1/readme.pdf
doc2/readme.pdf
Based on the above rules, all should present the user with a 403 error. However, only the doc2/readme.pdf does.
When the WLS 8.1 application was written with a similar rule set it worked correctly, but when rewritten for 10.3 and deployed it allows access to files that should be blocked, which is a major security hole.
Reference:
http://download.oracle.com/otndocs/jcp/servlet-2.4-fr-spec-oth-JSpec/
Changes
Cause
Solution
Changing /* to / in the <url-pattern></url-pattern> element of the web.xml solves the problem.
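Why the change from /* to / matters follows from the url-pattern matching rules in the Servlet 2.4 specification linked above (SRV.11.1 "Use of URL Paths" and SRV.12.8 "Security Constraints"): when several constraint patterns match a request, only the constraints on the best-matching pattern apply, and the order of precedence is exact match, then longest path prefix, then extension, then the default pattern /. A grant on /* is a path-prefix pattern, so it beats the extension pattern *.pdf and the grant wins for readme.pdf and doc1/readme.pdf; /doc2/* is a longer path prefix than /*, so NoAccess still wins there. A grant on / is the default pattern, which loses to *.pdf, so every PDF is precluded as intended. The following script is an added illustration of those rules, not the sample application attached to this note and not WebLogic's own code; the constraint set, the role name "user" and the constraint names are constructed from the Symptoms section above.

```python
"""
Added illustration: how a servlet container picks which <security-constraint>
governs a request, applied to the rule set described in this note.

Not WebLogic code and not the attached sample application. It implements the
url-pattern precedence of the Servlet specification (exact match, then longest
path prefix, then extension, then the default pattern "/") and the rules for
combining constraints that share the winning pattern. Constraint names and the
role "user" are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Constraint:
    """One <url-pattern> of a <security-constraint>.

    roles is None when the constraint has no <auth-constraint> (open to all),
    an empty tuple for an empty <auth-constraint/> (nobody may access), or the
    tuple of <role-name> values otherwise ("*" meaning any authenticated user).
    """
    name: str
    pattern: str
    roles: Optional[Tuple[str, ...]]


def match_rank(pattern: str, path: str) -> Optional[Tuple[int, int]]:
    """Rank how a pattern matches a request path; None if it does not match.

    Larger tuples win: (3, _) exact match, (2, prefix length) path prefix,
    (1, _) extension match, (0, _) the default pattern "/".
    """
    if pattern == path:
        return (3, 0)
    if pattern.endswith("/*"):
        prefix = pattern[:-2]  # "/doc2/*" -> "/doc2", "/*" -> ""
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
        return None
    if pattern.startswith("*."):
        last_segment = path.rsplit("/", 1)[-1]  # extension applies to last segment only
        return (1, 0) if last_segment.endswith(pattern[1:]) else None
    if pattern == "/":
        return (0, 0)
    return None


def governing(constraints: Sequence[Constraint], path: str) -> List[Constraint]:
    """Only the constraints on the single best-matching pattern apply."""
    ranked = [(match_rank(c.pattern, path), c) for c in constraints]
    ranked = [(r, c) for r, c in ranked if r is not None]
    if not ranked:
        return []
    best = max(r for r, _ in ranked)
    return [c for r, c in ranked if r == best]


def decide(constraints: Sequence[Constraint], path: str, user_roles: Iterable[str]) -> int:
    """Return 200 if the request is permitted, 403 if access is precluded.

    Combination rules for constraints sharing the winning pattern: an empty
    <auth-constraint/> precludes access whatever else matches; a constraint
    with no <auth-constraint> opens the resource; otherwise roles are unioned.
    """
    applicable = governing(constraints, path)
    if not applicable:
        return 200  # unconstrained resource
    if any(c.roles == () for c in applicable):
        return 403
    if any(c.roles is None for c in applicable):
        return 200
    permitted = set().union(*(c.roles for c in applicable))
    return 200 if "*" in permitted or permitted & set(user_roles) else 403


def build_constraints(grant_pattern: str) -> List[Constraint]:
    """The note's rule set (constructed): a grant on grant_pattern plus a
    NoAccess constraint whose web-resource-collection lists *.pdf and /doc2/*."""
    return [
        Constraint("AllowUsers", grant_pattern, ("user",)),
        Constraint("NoAccess", "*.pdf", ()),
        Constraint("NoAccess", "/doc2/*", ()),
    ]


BROKEN = build_constraints("/*")  # the failing configuration from the Symptoms
FIXED = build_constraints("/")    # the Solution: /* changed to /

REQUESTS = ["/readme.pdf", "/doc1/readme.pdf", "/doc2/readme.pdf", "/index.html"]


def outcomes(constraints: Sequence[Constraint], roles: Tuple[str, ...] = ("user",)) -> Dict[str, int]:
    """HTTP status per request path for a user holding the given roles."""
    return {p: decide(constraints, p, roles) for p in REQUESTS}


if __name__ == "__main__":
    for label, cs in (("/* (broken)", BROKEN), ("/ (fixed)", FIXED)):
        print(f"grant pattern {label}")
        for path, status in outcomes(cs).items():
            winner = ", ".join(f"{c.name}[{c.pattern}]" for c in governing(cs, path))
            print(f"  {path:18} -> {status}  governed by {winner}")
```

Running it reproduces the symptom (with /* only doc2/readme.pdf is refused) and the fix (with / all three PDFs are refused while /index.html stays reachable to a user in the granted role). The practical check before deploying a web.xml is therefore to list every url-pattern that can match a sensitive path and confirm that the deny pattern is the most specific one, or that the permissive pattern is the default /.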