Channel: DevOps tips & tricks

WebLogic X509 Certificate Authentication

Securing Web Applications http://docs.oracle.com/cd/E14571_01/web.1111/e13711/thin_client.htm#i1044688

How to Set Up X509 Certificate Authentication for Oracle WebLogic Server http://www.oracle.com/technetwork/articles/damo-howto-091164.html

Installing and Configuring the Apache HTTP Server Plug-In
http://docs.oracle.com/cd/E14571_01/web.1111/e14395/apache.htm

The certificate is sent by the WebLogic plug-in in the WL-Proxy-Client-Cert HTTP header.

In weblogic.xml:

client-cert-proxy-enabled

The element default value is true. When set to true, WebLogic Server passes identity certificates from the clients to the backend servers. Also, WebLogic Server is notified whether to honor or discard the incoming WL-Proxy-Client-Cert header.

A proxy-server plugin encodes each identity certification in the WL-Proxy-Client-Cert header and passes it to the backend WebLogic Server instances. Each WebLogic Server instance takes the certificate information from the header, ensures it came from a secure source, and uses that information to authenticate the user. For the background WebLogic Server instances, this parameter must be set to true (either at the cluster/server level or at the Web application level).

If you set this element to true, use a weblogic.security.net.ConnectionFilter to ensure that each WebLogic Server instance accepts connections only from the machine on which the proxy-server plugin is running. If you specify true without using a connection filter, a potential security vulnerability is created because the WL-Proxy-Client-Cert header can be spoofed.
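
One way to write the connection filter recommended above, as an added example (not code from the original post or from Oracle): it rejects HTTP and HTTPS connections that do not come from the proxy plug-in host, so a forged WL-Proxy-Client-Cert header cannot reach the server directly. The class name ProxyOnlyConnectionFilter and the address 192.0.2.10 are assumptions; replace the address with the host that runs your plug-in.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.HashSet;
import java.util.Set;

import weblogic.security.net.ConnectionEvent;
import weblogic.security.net.ConnectionFilter;
import weblogic.security.net.FilterException;

// Added example: accept HTTP(S) only from the host running the proxy plug-in,
// because only that host may be trusted to set WL-Proxy-Client-Cert.
public class ProxyOnlyConnectionFilter implements ConnectionFilter {

    // Assumption: placeholder address from the RFC 5737 documentation range.
    private static final String[] PROXY_HOSTS = { "192.0.2.10" };

    private final Set<InetAddress> proxies = new HashSet<InetAddress>();

    // WebLogic instantiates the filter through its no-argument constructor.
    public ProxyOnlyConnectionFilter() {
        for (String host : PROXY_HOSTS) {
            try {
                // A literal IP address is parsed here without a DNS lookup.
                proxies.add(InetAddress.getByName(host));
            } catch (UnknownHostException e) {
                throw new IllegalStateException("Bad proxy address: " + host, e);
            }
        }
    }

    public void accept(ConnectionEvent evt) throws FilterException {
        String protocol = evt.getProtocol();
        // The header travels only in HTTP requests; other protocols (t3, iiop, ...)
        // are left to whatever other controls the domain already applies.
        if (!"http".equalsIgnoreCase(protocol) && !"https".equalsIgnoreCase(protocol)) {
            return;
        }
        InetAddress remote = evt.getRemoteAddress();
        if (!proxies.contains(remote)) {
            // Throwing FilterException makes the server refuse the connection.
            throw new FilterException("HTTP(S) connection from "
                    + remote.getHostAddress() + " rejected: not the proxy plug-in host");
        }
    }
}
```

The class goes on the server classpath and its name is entered as the domain's connection filter. The filter applies to every server in the domain, so hosts that need direct HTTP access to the Administration Console have to be added to the list as well.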

web.xml http://docs.oracle.com/cd/E23943_01/web.1111/e13712/web_xml.htm

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Faces Servlet</web-resource-name>
    <url-pattern>/*</url-pattern>
    <!-- Listing http-method limits this constraint to GET and POST;
         requests using other methods are not covered by it. -->
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>AppUser</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- NONE does not require TLS on the connection to this server. -->
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<!-- Authenticate callers by their X509 client certificate. -->
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>NoSuchRealm</realm-name>
</login-config>
<security-role>
  <role-name>AppUser</role-name>
</security-role>

</web-app>
weblogic.xml http://docs.oracle.com/cd/E14571_01/web.1111/e13712/weblogic_xml.htm

<!-- Maps the AppUser role declared in web.xml to the AppUsers principal. -->
<wls:security-role-assignment>
  <wls:role-name>AppUser</wls:role-name>
  <wls:principal-name>AppUsers</wls:principal-name>
</wls:security-role-assignment>
