Wiley.com
Print this page Share

Professional Oracle WebLogic Server

ISBN: 978-0-470-48430-2
Paperback
816 pages
October 2009
Professional Oracle WebLogic Server (0470484306) cover image
This title is out-of-print and not currently available for purchase from this site.

Do you think you've discovered an error in this book? Please check the list of errata below to see if we've already addressed the error. If not, please submit the error via our Errata Form. We will attempt to verify your error; if you're right, we will post a correction below.

ChapterPageDetailsDatePrint Run
Errata from 1st Printing in PDF Format
Errata from 1st printing is available in PDF format on the downloads page.
2/25/2011 1st
490-491 Error in Text
On pages 490-491, we discuss three features that rely on the SSL transport to work:

<transport-guarantee>
<cookie-secure>
AuthCookie

While the discussion is accurate for WLS 10.3 and 10.3.1, there was a bug (Bug 8254839) that made the product not support these three features when SSL was terminated at the WebLogic Server web server plug-in or a hardware load balancer. WebLogic Server 10.3.2 includes the fix for this bug.

By design, these three features should work because the plug-in adds a WL-Proxy-SSL HTTP header to the request when the web server receives a request over SSL. When a WebLogic Server instance receives a request with WL-Proxy-SSL set to true, it checks to see if its WebLogic Plug-In Enabled attribute is set. If so, it treats the request as coming over SSL even though the request was transmitted over clear text between the plug-in and the WebLogic Server instance. Set this attribute in the Advanced section of the cluster’s General Configuration tab if using a cluster and in the Advanced section of the server’s General Configuration tab if not using a cluster.

Some hardware load balancers also have the ability to add the WL-Proxy-SSL header for requests being sent to WebLogic Server. You should note that enabling the WebLogic Plug-In Enabled attribute makes it possible for rogue clients to set the WL-Proxy-SSL header and gain access to these secure features designed to work over SSL without requiring the clients to actually use SSL. As such, you probably want to make sure that any servers that set the WebLogic Plug-In Enabled attribute are not directly accessible and only allow access through a web server using the WebLogic Server plug-in or a hardware load balancer.

If using a hardware load balancer directly against WebLogic Server instances or clusters, you should configure the load balancer to strip off any WL-Proxy-SSL header it finds on incoming request to block rogue clients from sending this header through the load balancer to the server. You may also want to configure the load balancer to strip off any WebLogic Server-specific headers from the responses so as not to expose internal information the server returns for the plug-in’s benefit to clients. When using the WebLogic Server web server plug-ins, this step is not needed since the plug-in will do that for you.

One additional point to mention is that, by default, WebLogic Server does not allow applications to access the plug-in’s HTTP headers. Since these headers are meant solely to help the plug-in and the server work together, applications usually do not need to concern themselves with these headers. If you find yourself needing access to these headers from within your application, you need to set the Java system property weblogic.http.isWLProxyHeadersAccessible to true on the command line used to start WebLogic Server.
12/15/09
Back to Top