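Disabling WebLogic's Basic Authentication
Source: Internet · Editor: 程序博客网 · Time: 2024/05/29 14:00
When a web service published on WebLogic needs to validate a username and password through Basic authentication, WebLogic automatically intercepts the Basic authentication and checks it with its own built-in logic, so the credentials are never passed on to the web service. In that case we need to turn off WebLogic's built-in Basic authentication. The method is as follows:
Reposted from: http://hovenko.no/blog/2008/10/28/howto-bypass-weblogic-security-model/
28 October 2008 · 2 comments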
Oracle Weblogic (formerly BEA Weblogic) enforces a security model by default that is unhealthy for developers writing REST web services or other kinds of web applications using HTTP Authentication for security.
By default, when sending an HTTP Authentication header, Weblogic will check its own security realms for users matching the username and password. If there is no match, a 401 UNAUTHORIZED response is sent directly back to the client, without ever hitting your web application code. That takes care of the security, I guess…
This might sound like a good idea, except for those cases when your application is able to handle its own authentication. How can your application handle security when the request never hits your code?
Another problem, as I see it, is that Weblogic enforces this security model even for web applications that are configured with no security at all. You can use your web application as much as you like, as long as you don’t send any HTTP Authentication headers. But when you decide to send an HTTP Authentication header like that, just for fun or when navigating from another website after being authenticated, Weblogic decides on your application's behalf that you are no longer worthy enough to use your application. That sucks…
The solution
The solution? Yes, you can bypass the security model of Weblogic, at least for those applications that do not rely on the web container's security. It took me many weeks of frustration before I found a solution to my problem, but I got there…
Shut down your admin server and open the config/config.xml file for editing. Add the following XML code into the <security-configuration> node:
<enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>
Start the admin server again. Then you need to restart all the application servers to make the change take effect. Restart them one by one to avoid downtime… you are of course running a cluster, right?
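Once this flag is false, the container no longer rejects bad Basic credentials on its own, so it is worth being able to tell which domains carry the change. The check below is an added example, not part of the original post or of WebLogic; the function names and sample documents are assumptions, and an absent flag is treated as the default enforcing behaviour described above.

```python
import xml.etree.ElementTree as ET

FLAG = "enforce-valid-basic-auth-credentials"

def local(tag):
    # Drop the "{namespace}" prefix so the check does not depend on the schema version.
    return tag.rsplit("}", 1)[-1]

def basic_auth_status(config_xml):
    """Classify a domain config.xml (passed as text).

    "disabled"         - flag is false inside <security-configuration>
    "enforced"         - flag is explicitly set there to another value
    "enforced-default" - flag absent, so the default behaviour applies
    "misplaced"        - flag exists, but not as a child of <security-configuration>
    """
    root = ET.fromstring(config_xml)
    in_place = [c for sec in root if local(sec.tag) == "security-configuration"
                for c in sec if local(c.tag) == FLAG]
    if in_place:
        # Whitespace around the value (as in a multi-line edit) is ignored.
        value = (in_place[-1].text or "").strip().lower()
        return "disabled" if value in ("false", "0") else "enforced"
    anywhere = [e for e in root.iter() if local(e.tag) == FLAG]
    return "misplaced" if anywhere else "enforced-default"

# Constructed sample inputs (not taken from a real domain).
NS = 'xmlns="http://xmlns.oracle.com/weblogic/domain"'
SAMPLES = {
    "edited as described": f"""<domain {NS}><name>demo</name>
      <security-configuration><name>demo</name>
        <enforce-valid-basic-auth-credentials>
          false
        </enforce-valid-basic-auth-credentials>
      </security-configuration></domain>""",
    "untouched": f"<domain {NS}><security-configuration><name>demo</name>"
                 "</security-configuration></domain>",
    "wrong parent": f"<domain {NS}><server><{FLAG}>false</{FLAG}></server></domain>",
}

if __name__ == "__main__":
    for label, xml_text in SAMPLES.items():
        print(f"{label:22} -> {basic_auth_status(xml_text)}")
```

A domain reported as "disabled" should only host applications that validate the Authorization header themselves.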