
WebLogic Security Constraints Not Working Properly (Doc ID 1362629.1)

Last updated on OCTOBER 11, 2023

Applies to:

Oracle WebLogic Server - Version 10.3 and later
Information in this document applies to any platform.

Symptoms

Problem with the security-constraint implementation on WebLogic Server 10.3. A sample application is attached to illustrate the problem.

Assume the following in the web.xml:

Under these constraints, the "NoAccess" resource above should take precedence and preclude access even though the preceding constraint grants it. Unfortunately it does not for the *.pdf pattern, although it does for the /doc2/* pattern.

When you access the application you will be offered the following files to access:

Based on the above rules, all of these should present the user with a 403 error. However, only doc2/TestDocument.pdf does.

The WLS 8.1 application with a similar rule set worked correctly, but when it is rewritten for 10.3 and deployed it allows access to files that should be blocked, which is a major security hole.
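The symptom above comes down to two questions a deployer cannot answer by reading web.xml alone: which constraints the container selects for a given request path when several url-patterns match, and how it combines them. The checker below is an added example, not code from this note, from the attached application or from WebLogic. It parses a constructed web.xml (not the note's attachment) and applies an assumed selection order, exact match, then longest path-prefix match, then extension match, before combining the selected constraints with the Servlet-spec combination rules (an empty auth-constraint precludes access for everyone; a missing auth-constraint lifts restrictions; otherwise the caller needs one of the union of roles). Under that assumed order a role-less "NoAccess" rule on an extension pattern such as *.pdf can be shadowed by a role-based grant on a path-prefix pattern, which is exactly the kind of silent gap worth flagging before deployment. Verify the selection order against your container's documentation and by testing; the function and constraint names are the example's own.

```python
import xml.etree.ElementTree as ET

NS = "{http://java.sun.com/xml/ns/j2ee}"

# Constructed sample web.xml (not the attachment from the note): a constraint
# granting role "user" access under /doc/*, and a role-less "NoAccess"
# constraint meant to block every *.pdf and everything under /doc2/*.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Docs</web-resource-name>
      <url-pattern>/doc/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>NoAccess</web-resource-name>
      <url-pattern>*.pdf</url-pattern>
      <url-pattern>/doc2/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>
"""


def parse_constraints(xml_text):
    """Return [{'name', 'patterns', 'roles'}]. roles is None when the
    constraint has no <auth-constraint>, [] when it has an empty one."""
    root = ET.fromstring(xml_text)
    out = []
    for sc in root.iter(NS + "security-constraint"):
        wrc = sc.find(NS + "web-resource-collection")
        name = wrc.findtext(NS + "web-resource-name")
        patterns = [p.text.strip() for p in wrc.findall(NS + "url-pattern")]
        ac = sc.find(NS + "auth-constraint")
        roles = None if ac is None else [r.text.strip() for r in ac.findall(NS + "role-name")]
        out.append({"name": name, "patterns": patterns, "roles": roles})
    return out


def match_key(pattern, path):
    """Sort key if pattern matches path, else None: (precedence, -specificity).
    Assumed order: exact (0) beats longest path prefix (1) beats extension (2)."""
    if pattern == path:
        return (0, -len(pattern))
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (1, -len(prefix))
        return None
    if pattern.startswith("*."):
        return (2, 0) if path.endswith(pattern[1:]) else None
    return None


def applicable(constraints, path):
    """Constraints whose best-matching pattern ties for the best match overall."""
    scored = []
    for c in constraints:
        keys = [k for k in (match_key(p, path) for p in c["patterns"]) if k is not None]
        if keys:
            scored.append((min(keys), c))
    if not scored:
        return []
    best = min(k for k, _ in scored)
    return [c for k, c in scored if k == best]


def decide(constraints, path, user_roles):
    """'allow' or 'deny' for an authenticated caller holding user_roles,
    combining the applicable constraints per the Servlet spec rules."""
    hits = applicable(constraints, path)
    if not hits:
        return "allow"                       # nothing constrains this path
    if any(c["roles"] == [] for c in hits):
        return "deny"                        # empty auth-constraint: nobody gets in
    if any(c["roles"] is None for c in hits):
        return "allow"                       # no auth-constraint: unrestricted
    required = set().union(*(set(c["roles"]) for c in hits))
    return "allow" if "*" in required or required & set(user_roles) else "deny"


def shadowed_deny_paths(constraints, paths):
    """List (path, deny rules that match, rules that actually govern) for
    paths where a role-less rule matches but a higher-ranked rule wins."""
    report = []
    for path in paths:
        deny_names = {c["name"] for c in constraints if c["roles"] == []
                      and any(match_key(p, path) is not None for p in c["patterns"])}
        governing = {c["name"] for c in applicable(constraints, path)}
        if deny_names and not (deny_names & governing):
            report.append((path, sorted(deny_names), sorted(governing)))
    return report


if __name__ == "__main__":
    cs = parse_constraints(SAMPLE_WEB_XML)
    for p in ["/doc/TestDocument.pdf", "/doc2/TestDocument.pdf", "/other/x.pdf"]:
        print(p, "->", decide(cs, p, ["user"]))
    print("shadowed:", shadowed_deny_paths(cs, ["/doc/TestDocument.pdf"]))
```

Run against a real web.xml by replacing SAMPLE_WEB_XML with the file contents and listing the paths you expect to be blocked; any entry in the shadowed report is a deny rule that, under the assumed matching order, never gets a vote for that path and needs either a more specific pattern or a separate test in the container.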

Reference:

https://download.oracle.com/otndocs/jcp/servlet-2.4-fr-spec-oth-JSpec/

Cause
