Thursday, May 26, 2016

Hacking users in WebLogic

vi $DOMAIN_HOME/security/DefaultAuthenticatorInit.ldift
insert this:

dn: uid=PIPPO,ou=people,ou=@realm@,dc=@domain@
description: Test generated user
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
cn: S107077
sn: S107077
userpassword: {ssha}blablabla
uid: PIPPO
objectclass: wlsUser
wlsMemberOf: cn=Administrators,ou=groups,ou=@realm@,dc=@domain@

PIPPO should then become an Administrative user: the wlsMemberOf attribute puts it straight into the Administrators group, so whoever can write this file can give themselves full control of the domain. Keep in mind that DefaultAuthenticatorInit.ldift is only read when the embedded LDAP server is initialised (the first boot of the domain); it is not re-read on later restarts unless the embedded LDAP data is re-initialised.

{ssha} password hashes (SSHA being salted SHA-1, not plain SHA-1) can be generated with openssl or with Python/WLST.

Wednesday, May 25, 2016

WebLogic network-access-point

If you need to invoke operations (EJB, WS...) on a specific IP different from the main listen address / port of WLS (for instance an internal interface that the public listen address does not expose), you can create inside config.xml a network-access-point (a network channel) and give it a mnemonic name like "INT-Channel":

and configure your component in your weblogic-ejb-jar.xml with a clause:
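As an added illustration of the two pieces (my own, not the post's original snippets): the server name, addresses and ports are assumed, and the element name used in weblogic-ejb-jar.xml should be checked against the weblogic-ejb-jar.xml schema of your WebLogic release.

```xml
<!-- config.xml, inside the <server> that hosts the EJB.
     Added example: names, addresses and ports are assumed. -->
<server>
  <name>ManagedServer1</name>
  <listen-address>203.0.113.10</listen-address>   <!-- default channel, public side -->
  <listen-port>7001</listen-port>
  <network-access-point>
    <name>INT-Channel</name>
    <protocol>t3</protocol>
    <listen-address>10.0.1.10</listen-address>     <!-- internal interface only -->
    <listen-port>7101</listen-port>
  </network-access-point>
</server>

<!-- weblogic-ejb-jar.xml: bind the bean to the channel by its mnemonic name.
     Added example; verify the element against the schema for your release. -->
<weblogic-ejb-jar xmlns="http://xmlns.oracle.com/weblogic/weblogic-ejb-jar">
  <weblogic-enterprise-bean>
    <ejb-name>OrderService</ejb-name>
    <network-access-point>INT-Channel</network-access-point>
  </weblogic-enterprise-bean>
</weblogic-ejb-jar>
```

The security value is in the listen-address of the channel: bind it to the internal interface so that the EJB/WS endpoint is reachable only from the network that is supposed to call it, and check with netstat or ss on the server that the channel port is listening on that address and not on 0.0.0.0.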


Tuesday, May 24, 2016

Apache http-client, customizing SSLSocketFactory

See the general documentation on Apache HttpClient. The socket factory used for a target is looked up per scheme, which is why registering your own https Scheme is the way to swap in a custom SSLSocketFactory:

    // from HttpClient's DefaultClientConnectionOperator.openConnection():
    // the SchemeRegistry comes from the request context, the Scheme is picked
    // by the target's scheme name ("http"/"https"), and its socket factory
    // (for https, an SSLSocketFactory) opens the connection.
    HttpContext context...
    SchemeRegistry registry = getSchemeRegistry(context);
    Scheme schm = registry.getScheme(target.getSchemeName());
    SchemeSocketFactory sf = schm.getSchemeSocketFactory();

This example shows

Specifically, it's interesting to look at their default implementation of X509HostnameVerifier, which is org.apache.http.conn.ssl.BrowserCompatHostnameVerifier (it extends org.apache.http.conn.ssl.AbstractVerifier, which implements org.apache.http.conn.ssl.X509HostnameVerifier, which in turn extends javax.net.ssl.HostnameVerifier).

The extra methods added by org.apache.http.conn.ssl.X509HostnameVerifier are:

  public abstract void verify(String host, SSLSocket ssl)
    throws IOException;
  public abstract void verify(String host, X509Certificate cert)
    throws SSLException;
  public abstract void verify(String host, String[] cns, String[] subjectAlts)
    throws SSLException;

while the basic javax.net.ssl.HostnameVerifier interface contains only:
  boolean verify(String hostname, SSLSession session)

Remember! AbstractVerifier is an ABSTRACT class: the only method you must implement is verify(String host, String[] cns, String[] subjectAlts), and it already supplies the other two verify() overloads and the certificate parsing. The shipped subclasses are StrictHostnameVerifier, BrowserCompatHostnameVerifier and AllowAllHostnameVerifier; the last one disables hostname checking entirely and must never be used outside a test.
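As an added example (my own, not from the original post), here is a verifier that subclasses AbstractVerifier and a factory that plugs it into SSLSocketFactory and the SchemeRegistry. It assumes the HttpClient 4.2 API (Scheme, SchemeRegistry, PoolingClientConnectionManager, DefaultHttpClient) and a JKS truststore whose path and password, together with the single host the client is allowed to talk to, are passed on the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManagerFactory;

import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.AbstractVerifier;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.conn.ssl.X509HostnameVerifier;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.PoolingClientConnectionManager;
import org.apache.http.util.EntityUtils;

/**
 * Added example (not from the original post): a custom X509HostnameVerifier
 * wired into an Apache HttpClient 4.2 SSLSocketFactory. Assumes the 4.2 API
 * and a JKS truststore given on the command line.
 */
public final class PinnedHttpsClient {

    /** Strict name matching plus an explicit allow-list of peer hosts. */
    public static final class PinnedHostnameVerifier extends AbstractVerifier {
        private final Set<String> allowedHosts = new HashSet<String>();

        public PinnedHostnameVerifier(String... hosts) {
            for (String h : hosts) {
                allowedHosts.add(h.toLowerCase(Locale.ENGLISH));
            }
        }

        /** The one abstract method; cns/subjectAlts are already pulled out of the peer certificate. */
        @Override
        public void verify(String host, String[] cns, String[] subjectAlts) throws SSLException {
            if (!allowedHosts.contains(host.toLowerCase(Locale.ENGLISH))) {
                throw new SSLException("Refusing TLS connection to non-allow-listed host " + host);
            }
            // strictWithSubDomains = true applies the StrictHostnameVerifier rules:
            // a wildcard like *.example.com does not match a.b.example.com.
            verify(host, cns, subjectAlts, true);
        }
    }

    /** Build a client whose https scheme uses our own SSLContext and hostname verifier. */
    public static HttpClient build(String truststorePath, char[] truststorePassword,
                                   X509HostnameVerifier verifier) throws Exception {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(truststorePath);
        try {
            trust.load(in, truststorePassword);
        } finally {
            in.close();
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        // The hook this post is about: the verifier is handed to SSLSocketFactory
        // directly; there is no system property that HttpClient would read instead.
        SSLSocketFactory sf = new SSLSocketFactory(ctx, verifier);
        SchemeRegistry registry = new SchemeRegistry();
        registry.register(new Scheme("https", 443, sf));
        return new DefaultHttpClient(new PoolingClientConnectionManager(registry));
    }

    public static void main(String[] args) throws Exception {
        // Usage: java PinnedHttpsClient /path/to/truststore.jks changeit api.example.internal
        HttpClient client = build(args[0], args[1].toCharArray(),
                new PinnedHostnameVerifier(args[2]));
        try {
            HttpResponse response = client.execute(new HttpGet("https://" + args[2] + "/"));
            System.out.println(response.getStatusLine());
            EntityUtils.consume(response.getEntity());
        } finally {
            client.getConnectionManager().shutdown();
        }
    }
}
```

If the connection fails with a hostname mismatch, fix the certificate or the truststore rather than switching to SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER: that verifier accepts any name in any certificate the truststore signs for, so an on-path attacker holding any valid certificate can impersonate the endpoint.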

For use within WebLogic, see the related documentation, but note that the property HTTPClient.defaultHostnameVerifier doesn't seem to work with Apache HttpClient: Apache HttpClient doesn't read that property at all, so the verifier has to be passed to the SSLSocketFactory explicitly.

Also another interface exists