Using Weblogic Network Connection Filters

12 Jul

A while back I spoke with Jacco Landlust, and he told me about the Network Connection Filter feature of Oracle Weblogic. I was interested in this feature and decided to look into it.

Network Connection Filters (filters from now on) are a sort of firewall/ACL feature that can be used to allow or deny access to servers in your Weblogic domain for certain protocols and network addresses.

The example that Oracle themselves mention in their documentation is restricting access to the Administrator Server to prevent unauthorized access. Another example could be to allow access to your applications/services only from a specific range of addresses in your company network.

You can find the configuration of filters in the left menu of the Weblogic Console under domain.
Then go to Security -> Filter.

Connection Filter:
Connection Filter Rules:
* 7001 allow #local ipv4
server01 * 7001 allow #local hostname
0:0:0:0:0:0:0:1 * 7001 allow #local ipv6
* 7001 deny # all other traffic

Weblogic Console

Rules are evaluated top -> down, so the 4th line denies all traffic to all local addresses (*) on the admin port (7001). Access is therefore granted only when one of the first 3 rules matches, which in the example only applies to access from the local machine.

The following Notice example appears in the log when unauthorised access takes place:

<datetime> <Notice> <Socket> <BEA-000445> <Connection rejected, filter blocked Socket[addr=,port=54144,localport=7001], [Security:090220]rule 4>

  • Changing the connection filter type requires a restart of all servers in the domain
  • Changes to the filter rules are activated instantly
  • You can only filter on remoteAddress, localAddress, localPort and protocol
  • Supported protocols are: http, https, t3, t3s, ldap, ldaps, iiop, iiops & com
  • Protocols are the last parameter in a rule; if none are mentioned (as in the example), all protocols apply
  • Filters apply to all servers in your Weblogic domain, so remember that you can lock yourself out (of the admin console) or even block internal Weblogic communication between the managed servers and the admin server.
  • Filters are stored in the config.xml file, so if you really locked yourself out -> Look there
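The top-down, first-match evaluation and the lockout risk from the list above can be checked offline before a rule set goes into the console. This is an added example, not code from the original post or from Oracle: it models only literal IPs, CIDR ranges and `*`, treats a connection that matches no rule as allowed, and the sample addresses and the `lockouts` helper are constructed for illustration.

```python
import ipaddress

# Constructed sample rules: remoteAddress localAddress localPort action [protocols]
# Addresses are made up for this example (loopback plus documentation ranges).
SAMPLE_RULES = """
127.0.0.1 * 7001 allow            # local ipv4
0:0:0:0:0:0:0:1 * 7001 allow      # local ipv6
192.0.2.0/24 * 8011 allow http    # osb services
0.0.0.0/0 * 7001 deny             # all other traffic to the admin port
0.0.0.0/0 * 8011 deny             # all other traffic to osb
"""

def parse_rules(text):
    """Turn rule text into (rule_no, remote, local, port, action, protocols) tuples."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop the trailing comment
        if not fields:
            continue
        if len(fields) < 4 or fields[3] not in ("allow", "deny"):
            raise ValueError(f"malformed rule: {line!r}")
        remote, local, port, action, *protocols = fields
        rules.append((len(rules) + 1, remote, local, port, action, set(protocols)))
    return rules

def addr_matches(pattern, addr):
    """'*' matches anything; otherwise compare as IP or CIDR (hostnames are not resolved)."""
    if pattern == "*":
        return True
    try:
        net = ipaddress.ip_network(pattern, strict=False)
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.version == net.version and ip in net

def evaluate(rules, remote, local, port, protocol):
    """Return (action, rule_no) of the first matching rule; no match means allow."""
    for no, r_remote, r_local, r_port, action, protocols in rules:
        if (addr_matches(r_remote, remote) and addr_matches(r_local, local)
                and r_port in ("*", str(port))
                and (not protocols or protocol in protocols)):
            return action, no
    return "allow", None

def lockouts(rules, required):
    """Connections that must keep working (e.g. managed server -> admin) but are denied."""
    return [c for c in required if evaluate(rules, *c)[0] == "deny"]
```

Feeding `lockouts` the connections a domain depends on, such as each managed server reaching the admin port over t3, shows which of them a new rule set would cut off; the rule number returned by `evaluate` corresponds to the `rule N` suffix in the BEA-000445 notice.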

Testing with filters, I came to the conclusion that it’s actually a very nice feature to easily and quickly upgrade the security of your Weblogic domain. If you have a hardware firewall in place to prevent access from unwanted users in your network, that would of course be even better. Otherwise I would probably want to implement such a feature in every production environment I would be responsible for.

Quick Example 2:
Locking out all traffic to OSB services which are hosted on machine and on port 8011 (line 3), except for http traffic from servers in the subnet (line 1+2):
8011 allow http #osb services
8011 allow http #osb services
* 8011 deny #osb services



Posted by on 12-07-2011 in Oracle, Weblogic



5 responses to “Using Weblogic Network Connection Filters”

  1. karthi premakumari

    28-07-2011 at 22:24

    You said “Filters are stored in the config.xml file, so if you really locked yourself out -> Look there”

    I got locked out and WLS won’t even start…where is this config file where the connection filter information is stored?

    Thank you!

    • jvzoggel

      28-07-2011 at 22:34

      Hello Karthi,

      The weblogic config.xml is located in your domain folder.
      There should be a folder: ../../domains/%domainname%/config/config.xml

      p.s. By default this folder is located in your /%WLHOME%/user_projects/ folder but you can alter this during install.



  2. Jonathan

    06-02-2015 at 16:06

    Does filtering also work for outgoing connections? If not, how could I restrict Weblogic from accessing a certain host or IP?

    Thank you!

    • jvzoggel

      10-02-2015 at 08:22

      Hi Jonathan,

      It’s been a while, but I believe filtering only works for incoming communication to your admin/managed servers.
      Simply working as a sort of ACL. For outgoing connections you might have to look to your (operating system) firewall?



