BEA Weblogic Interview Question:

How do I protect WebLogic Server from security attacks from bogus clients using the WL-Proxy-Client-Cert header?

Submitted by: Administrator

The WL-Proxy-Client-Cert header can be spoofed (used) by any client which has direct access to WebLogic Server. WebLogic Server takes the certificate information from that header, trusting that is came from a secure source (the plug-in) and use that information to authenticate the user. In previous releases of WebLogic Server, the default behavior was to always trust that header. Now you need to explicitly define trust of the WL-Proxy-Client-Cert header. A new parameter clientCertProxy allows WebLogic Server to on the implicit trust of the certificate header. If you need an additional level of security, use a connection filter to limit all connections into WebLogic Server (therefore allowing WebLogic Server to only accept connections from the machine on which the plug-in is running).
The clientCertProxy parameter has been added to the HTTPClusterServlet and Web applications.
For the HTTPClusterServlet, add the parameter to the web.xml file as follows:
<context-param>
<param-name>clientCertProxy</param-name>
<param-value>true</param-value>
</context-param>

For Web applications, add the parameter to the web.xml file as follows:

ServletRequestImpl context-param
<context-param>
<param-name>weblogic.http.clientCertProxy</param-name>
<param-value>true</param-value>
</context-param>

You can also use this parameter in a cluster as follows:
<Cluster ClusterAddress="127.0.0.1" Name="MyCluster"
ClientCertProxyHeader="true"/>
Submitted by: Administrator