Security 'hole' in weblogic domain trust ? - Weblogic



  1. Security 'hole' in weblogic domain trust ?

    Hi, I sure hope someone can shed some light on this matter for me. To me
    it looks like I've just found a small but present security hole in
    the domain trust model.

    A short summary: it looks like the EJB container accepts incoming
    method invocations from clients in a trusted domain, even if the role
    that gives the client access to the EJB methods is revoked!

    A more detailed description; I hope I can make myself clear enough...

    - I have two WebLogic domains, let's call them Domain A and Domain B.
    - Both domains have the same "domain credential", hence they "trust"
    each other.
    - Domain A has a web application, Domain B hosts an EJB component.
    - The Struts controller servlet in the web application looks up the
    EJB using ejb-references with a t3://server:port/jndi/name/goes/here
    reference declared in weblogic.xml.
    - The Struts controller servlet has a tag that tells the
    container that the web app is running as a role-name called "webapp".
    - This role name "webapp" is mapped to a physical user, which I create,
    in the embedded LDAP for Domain A.
    - The same user, "webapp", is created with the same password in Domain
    B.
    - The user "webapp" is assigned roles in Domain B that let the user
    execute certain methods on certain components deployed in Domain B.

    Hope you still follow .-) My goal here is to never hard-code passwords
    or usernames anywhere, even if I have to do "inter-domain" calls. Now
    the "problem" begins:

    - I test the web application in Domain A; it looks up the EJB in
    Domain B, authenticates and invokes the methods fine.
    - I revoke the roles that grant access to the EJB components for
    the user "webapp" in Domain B.
    - The web application still executes code on the EJB in domain B!
    - I restart domain A
    - I redeploy the Webapp in domain A
    - The web application still executes code on the EJB in domain B!
    - I code a small command line application that looks up the EJB in
    domain B, and authenticates as the user "webapp". This command line
    application fails with a security exception.
    - The web application still executes code on the EJB in domain B!

    Is this a known feature/bug of WLS 8.1? Or have I misunderstood
    something about domains and trust?

  2. Re: Security 'hole' in weblogic domain trust ?

    It looks like I had misunderstood a basic concept of domain trust. In
    case someone encounters the problem, I post the solution here.

    When Domain A is a client to Domain B, and they trust each other, users
    and groups are created in Domain A. The group protecting the bean(s)
    must exist in Domain B, but the user from Domain A should not be
    created in Domain B!

    It looks like Domain A just forwards a Subject to domain B, where
    domain B just trusts that everything is okay with it...

    Stupid mistake .-)
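An added example, not from this thread and not WebLogic's own code, that models the trust behaviour the reply describes: the calling domain authenticates the user and signs the Subject with the shared domain credential, and the EJB domain accepts that signature and authorises from the groups carried in the Subject rather than from its own user store. The domain names, user "webapp", group "ejb-callers", role "Invoker" and the HMAC signing are constructed assumptions.

```python
import hashlib, hmac, json
from collections import namedtuple
# Constructed model of the trust behaviour the reply describes; not WebLogic code.
# Domain A authenticates the user and signs the Subject with the shared domain
# credential; Domain B trusts that signature and authorises from the Subject's groups.
SHARED_CREDENTIAL = b"constructed-domain-credential"  # assumed shared by A and B

Subject = namedtuple("Subject", "user groups sig")    # what A forwards to B

def _digest(user, groups, credential):
    payload = json.dumps({"user": user, "groups": sorted(groups)}).encode()
    return hmac.new(credential, payload, hashlib.sha256).digest()

class Domain:
    def __init__(self, credential, users, role_to_groups=None):
        self.credential = credential
        self.users = dict(users)                          # local store: user -> groups
        self.role_to_groups = dict(role_to_groups or {})  # EJB role -> groups (Domain B)

    def authenticate(self, user):
        # Log in against this domain's own store and issue a signed Subject.
        groups = tuple(sorted(self.users[user]))          # KeyError if unknown here
        return Subject(user, groups, _digest(user, groups, self.credential))

    def invoke_ejb(self, subject, role):
        # EJB side: verify the signature, then match the role against Subject groups only.
        if not hmac.compare_digest(subject.sig, _digest(subject.user, subject.groups, self.credential)):
            raise PermissionError("Subject not signed with the trusted domain credential")
        if not self.role_to_groups.get(role, set()) & set(subject.groups):
            raise PermissionError(f"{subject.user} carries no group granting {role}")
        return True

def allowed(domain, subject, role="Invoker"):
    try:
        return domain.invoke_ejb(subject, role)
    except PermissionError:
        return False

def scenario():
    a = Domain(SHARED_CREDENTIAL, {"webapp": {"ejb-callers"}})
    b = Domain(SHARED_CREDENTIAL, {"webapp": {"ejb-callers"}}, {"Invoker": {"ejb-callers"}})
    forwarded = a.authenticate("webapp")              # web app in A runs as "webapp"
    works = allowed(b, forwarded)
    b.users["webapp"] = set()                         # "revoke" in B: forwarded Subject unaffected
    still_works = allowed(b, forwarded)
    cli_ok = allowed(b, b.authenticate("webapp"))     # CLI logs in directly against B: denied
    a.users["webapp"] = set()                         # the effective control point is Domain A
    revoked = not allowed(b, a.authenticate("webapp"))
    return works, still_works, cli_ok, revoked
```

The four results replay the thread in order: the call works, it still works after the change in Domain B, the command-line client that logs in directly against B is denied, and only removing the group from the user in Domain A (or the group from the role mapping in B) actually revokes access.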
