Tuesday, February 24, 2026

WebLogic Admin Console access issue: Connection rejected, filter blocked Socket, weblogic.security.net.FilterException: [Security:090220] rule 2 (Oracle EBS 12.2)

Fixing WebLogic FilterException [Security:090220] rule 2 in Oracle EBS 12.2

Fixing WebLogic Admin Console Access Error in Oracle EBS 12.2

Error Message

The Server is not able to service this request:
[Socket:000445] Connection rejected, filter blocked Socket
weblogic.security.net.FilterException: [Security:090220] rule 2

Root Cause

In Oracle E-Business Suite 12.2, WebLogic connection filtering is enabled as part of security hardening. If your client IP is not allow-listed, WebLogic blocks the request using a deny rule.

Typical deny rule inside config.xml:

<connection-filter-rule>0.0.0.0/0 * * deny</connection-filter-rule>

If your IP does not match an allow rule, WebLogic applies the deny rule (often rule 2), which results in the error:

[Security:090220] rule 2

Quick Verification Steps

  1. Check AdminServer log:
    cd $EBS_DOMAIN_HOME/servers/AdminServer/logs
    tail -200 AdminServer.log
    
  2. Identify the blocked client IP address.
  3. Verify whether your IP exists in the trusted host configuration.
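The check in step 3, as an added example (not part of the original post or of Oracle's tooling): it reads the connection-filter-rule entries from config.xml text and reports the first rule that matches a client IP. It assumes the default filter's first-match-wins ordering, 1-based rule numbering as in the error text, and admin port 7001; the sample config and addresses are constructed.

```python
import ipaddress
import re

# Constructed sample (documentation address ranges), not from a real domain.
SAMPLE_CONFIG = """
<security-configuration>
  <connection-filter-rule>192.0.2.10 * * allow</connection-filter-rule>
  <connection-filter-rule>0.0.0.0/0 * * deny</connection-filter-rule>
</security-configuration>
"""

COMMENT_RE = re.compile(r"<!--.*?-->", re.S)
RULE_RE = re.compile(
    r"<connection-filter-rule>\s*(.*?)\s*</connection-filter-rule>", re.S)


def first_matching_rule(config_text, client_ip, port=7001):
    """Return (rule_number, action, rule_text) for the first rule that
    matches client_ip, or None when no rule matches."""
    ip = ipaddress.ip_address(client_ip)
    # Rules inside XML comments are inactive, so drop comments first.
    active = COMMENT_RE.sub("", config_text)
    for number, rule in enumerate(RULE_RE.findall(active), start=1):
        fields = rule.split()
        if len(fields) < 4:
            continue  # malformed rule, ignore
        target, _local_addr, local_port, action = fields[:4]
        try:
            # Accepts a single IP, CIDR, or address/netmask form.
            network = ipaddress.ip_network(target, strict=False)
        except ValueError:
            continue  # hostname or domain target: not resolved here
        if local_port not in ("*", str(port)):
            continue
        if ip in network:
            return number, action.lower(), rule
    return None


if __name__ == "__main__":
    for addr in ("192.0.2.10", "198.51.100.7"):
        print(addr, first_matching_rule(SAMPLE_CONFIG, addr))
```

A result of None means no active rule matched the address, which is the state the emergency edit below creates when the deny line is commented out.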

Emergency Recovery (If Completely Locked Out)

Important: This should be used only temporarily to regain access.

Step 1 – Stop Application Tier

adstpall.sh apps/APPS_PASSWORD

Step 2 – Backup and Edit config.xml

cd $EBS_DOMAIN_HOME/config
cp -p config.xml config.xml.bak
vi config.xml

Locate this line:

<connection-filter-rule>0.0.0.0/0 * * deny</connection-filter-rule>

Either change deny to allow:

<connection-filter-rule>0.0.0.0/0 * * allow</connection-filter-rule>

Or temporarily comment out or remove the line:

<!-- <connection-filter-rule>0.0.0.0/0 * * deny</connection-filter-rule> -->

Step 3 – Start Application Tier

adstrtal.sh apps/APPS_PASSWORD

Now try accessing the WebLogic Admin Console again.


Permanent Fix (Recommended Solution)

  1. Update the EBS context variable for trusted admin nodes (for example: s_wls_admin_console_access_nodes).
  2. Add only approved IP addresses (such as bastion host or corporate VPN egress IP).
  3. Run AutoConfig:
    adautocfg.sh
    
  4. Restart services:
    adstpall.sh apps/APPS_PASSWORD
    adstrtal.sh apps/APPS_PASSWORD
    

Best Practice

  • Use a Bastion or Jump Host with a fixed IP.
  • Allow only trusted admin IPs.
  • Keep the global deny rule enabled.
  • Avoid permanent manual edits in config.xml.

Conclusion

The error "[Security:090220] rule 2" is not a WebLogic failure. It is a security configuration blocking unauthorized access. Properly maintaining trusted host configuration ensures both security and availability.
