Archive for the ‘Java’ Category

The Datasource Strikes Back

by on Wednesday, August 3rd, 2011

A long time ago, in a galaxy far, far away … the datasources were under attack by the visitors across the 8th dimension. Thanks to our plucky hero, Buckaroo Banzai, we were able to avert total disaster at the hands of Zinglon and his endless level of Beer … I mean what?

In reference to my earlier blog about Weblogic datasources (check it out, it is made of win), I had a short blurb saying that Weblogic’s implementation seems incomplete. Well, it still is (it still does not appear to correctly identify the deployed application or module in that one error message), but as of 10.3.2 there is a server startup flag that quite succinctly solves the problem.

I can’t quite find the documentation at the moment. I imagine it is on Metalink. My system admin found this handy startup flag. Add the argument to the server start arguments for each managed server (adding it to just one seemed to work okay; I didn’t really try to break it but I soooo should).

-Dweblogic.jdbc.remoteEnabled=false

That’s all there is to it. Attempting to access the datasource from a remote client returns a nice error message stating that remote access is disabled, while applications deployed inside the server keep using the pool as before. Because it is a JVM system property, put it in the start arguments of every managed server that hosts the datasource rather than relying on one server’s setting to cover the rest. Seems easy. Almost too easy. So easy that they should make it a freaking setting on the datasource or managed server. But I’m not bitter.

A future topic along these lines: locking down the JNDI tree in general (because it needs it, unless you like someone binding a few thousand values to your tree). By the way, if you can guess all the references in paragraph one, you get a cookie. No foolin’.

Save the datasources, save the world.

by on Tuesday, April 5th, 2011

The Problem


While going about a routine “hey, what’s that do?” at work, we discovered that, by default, Weblogic is configured to allow remote access to all JNDI resources, and those resources include JDBC datasources. A datasource is defined to connect to a database as a specific user (this can be a proxy user, but not necessarily), and that user’s credentials live in the server configuration, not with the caller. What this means is that anyone who can reach the server’s listen port and look up the datasource by its JNDI name gets every privilege the database grants to that user, without needing any database credentials of their own. Doing so takes some knowledge: the right host and port, the JNDI name of the datasource, and enough SQL to perform malicious operations. However difficult it may be, it is still a possibility.

With that in mind, Weblogic does provide a way to lock this down via security policies on the JDBC resource. In fact, you can lock down many resources via these policies, which appear to be pretty open by default. However, enabling a policy can break the very applications that legitimately use the datasource. Stack traces like the following can appear:

Cannot open connection; uncategorized SQLException for SQL [???]; SQL state [null];
error code [0]; weblogic.common.resourcepool.ResourcePermissionsException: User ""
does not have permission to perform operation "reserve" on resource "jdbc/xyz" of
module "null" of application "null" of type "ConnectionPool";

This presents us with the heart of the problem: how do we go about limiting access to these datasources while still allowing the applications we maintain to function? Note the empty user name in the message: the application reserved the connection without an authenticated user, so a policy that grants “reserve” only to named users or groups locks the application out along with everyone else.
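A way to see both exposures for yourself, and to confirm that the fix from the later post (the -Dweblogic.jdbc.remoteEnabled=false start argument) actually took on a given managed server, is a small remote JNDI probe. The class below is an added example, not code from these posts or from Oracle; it assumes a reachable t3 listener (host, port and the jdbc/xyz name are placeholders to replace), a WebLogic client jar such as wlfullclient.jar or wlthint3client.jar on the classpath, and that it is run from a machine other than the server itself so that the t3 call really is remote. It supplies no credentials on purpose: the question is what an anonymous remote caller can do. The first check looks up the datasource and tries to open a connection with it, reporting the database user the pool runs as; the second binds one harmless string into the JNDI tree and removes it again, which is the “someone binding a few thousand values to your tree” problem in miniature.

```java
import java.sql.Connection;
import java.sql.SQLException;
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

/**
 * Remote JNDI exposure probe for a WebLogic managed server (added example,
 * not code from the original posts). Usage, with a WebLogic client jar on
 * the classpath (host, port and JNDI name below are placeholders):
 *
 *   java -cp wlfullclient.jar:. JndiExposureProbe t3://wls-host:7001 jdbc/xyz
 */
public class JndiExposureProbe {

    private final String providerUrl;

    public JndiExposureProbe(String providerUrl) {
        this.providerUrl = providerUrl;
    }

    /** Anonymous InitialContext against the server's t3 listener; no user, no password. */
    private Context connect() throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        return new InitialContext(env);
    }

    /**
     * Check 1: can a remote caller look up the datasource and open a connection
     * through it? With remote JDBC disabled this should fail; with a "reserve"
     * policy in place it fails for any subject the policy does not grant.
     */
    public String probeDataSource(String jndiName) {
        Context ctx = null;
        try {
            ctx = connect();
            Object bound = ctx.lookup(jndiName);
            if (!(bound instanceof DataSource)) {
                return "LOOKUP OK but not a DataSource: " + bound.getClass().getName();
            }
            try (Connection conn = ((DataSource) bound).getConnection()) {
                // Read-only proof of reachability: which DB user the pool runs as.
                // Nothing else is executed; the point is that we got this far.
                return "EXPOSED: remote connection opened as DB user "
                        + conn.getMetaData().getUserName();
            }
        } catch (NamingException e) {
            return "BLOCKED at lookup: " + e.getMessage();
        } catch (SQLException e) {
            return "BLOCKED at getConnection: " + e.getMessage();
        } finally {
            close(ctx);
        }
    }

    /**
     * Check 2: can a remote caller write to the JNDI tree? Binds one harmless
     * string under a name that should not already exist and always unbinds it.
     */
    public String probeBind(String probeName) {
        Context ctx = null;
        boolean bound = false;
        try {
            ctx = connect();
            ctx.bind(probeName, "jndi-audit-probe");
            bound = true;
            return "EXPOSED: anonymous bind succeeded for " + probeName;
        } catch (NamingException e) {
            return "BLOCKED at bind: " + e.getMessage();
        } finally {
            if (bound) {
                try { ctx.unbind(probeName); } catch (NamingException ignored) { }
            }
            close(ctx);
        }
    }

    private static void close(Context ctx) {
        if (ctx != null) {
            try { ctx.close(); } catch (NamingException ignored) { }
        }
    }

    public static void main(String[] args) {
        if (args.length < 2) {
            System.err.println("usage: JndiExposureProbe t3://host:port jndi/name");
            System.exit(2);
        }
        JndiExposureProbe probe = new JndiExposureProbe(args[0]);
        System.out.println(probe.probeDataSource(args[1]));
        // Unique name so a leftover from an interrupted run never collides.
        System.out.println(probe.probeBind("audit/probe-" + System.nanoTime()));
    }
}
```

Run it once against each managed server’s own t3 address rather than only against a load-balanced front end: the start argument is a per-JVM property, so a server that was missed will still answer “EXPOSED” while its neighbours answer “BLOCKED”. The bind check is independent of the JDBC flag; it stays “EXPOSED” until the JNDI tree itself is locked down.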

(more…)