Sunday, March 28, 2010

WebLogic SAML tutorial

This video is very good to introduce the basic SAML concepts of IDP and SP

One can use this

as a starting point, and then this

A brief summary:

- enable SSL between the 2 domains. For this you need identity keystores with a key alias on both sides, and each side must trust the other's certificate.
- add a SAML source (on the identity provider side) and a SAML destination (on the service provider side) in the Federation Services tab

Work in progress...

Saturday, March 27, 2010

More on Security of Web Applications

You can apply BASIC authentication (the browser prompts for username and password).

In web.xml, declare a security-constraint that defines a web-resource-collection (the URL patterns to protect) and an auth-constraint with a role-name. Declare the role in a security-role element and specify login-config/auth-method=BASIC.
The realm-name inside login-config is only the label the browser shows in its credentials prompt; the actual authentication is done by the domain's active security realm.

In weblogic.xml, you create a security-role-assignment that maps the role-name to a principal-name (a WebLogic user or group).

At the end of the story, that principal is authorized to access the web-resource-collection.

For FORM-based authentication, set login-config/auth-method=FORM and provide a form-login-config naming the JSP pages to use for login and for login errors.

CLIENT-CERT authentication uses two-way SSL: the client presents a certificate and an identity asserter in the realm maps it to a user. (TODO find more about this)
It seems that this is supported only with JNDI login, and not with the JAAS login.

The user-data-constraint/transport-guarantee element determines what the transport must provide: NONE, INTEGRAL (tamper-evident) or CONFIDENTIAL (encrypted). In practice both INTEGRAL and CONFIDENTIAL mean the request must arrive over SSL, and WebLogic redirects plain HTTP requests for such URLs to the SSL port.

SAML is a remote, or perimeter, login method.

Friday, March 26, 2010

Struggling with Hyperic and WebLogic autodiscovery

This is an OLD post... this NEW post reports SUCCESS on the Hyperic-WebLogic front.

I have been fighting for hours to set up WebLogic management with Hyperic.
Following the instructions here

I thought I was a man of average intelligence, so it would take no more than 5 minutes to set up Hyperic to monitor one of the most popular application servers. It turns out to be a great challenge. The HQ Agent simply refuses to discover a running instance of WebLogic 10, and instead discovers everything about itself, showing a certain degree of self-referential behavior.

Now, if I had to design a component that should autodiscover installed software, the LAST thing that would occur to me is asking the user to manually edit a file and enter the installation directory of the product.

Because I should be able to do a "find / -name something" and automatically discover which instances of a given software are installed on the server.

Excuse me, but it's 2010, so we can assume that by now computers should be a bit more self-aware and independent of human intervention.

So, I try this:

java -jar /home/weblogic/hyperic/agent-4.2.0/bundles/agent-4.2.0-1260/pdk/lib/hq-product.jar -Dplugins.include=weblogic -Dadmin.username=weblogic -Dadmin.password=weblogic -m discover

and I get 0 servers discovered - yet the server is up and running.

Of course I have edited the file to include

I have the following values:

 You can now start your HQ agent by running this command:

  /home/weblogic/hyperic/agent-4.2.0/bin/ start

 You can now start your HQ server by running this command:

  /home/weblogic/hyperic/server-4.2.0/bin/ start

 Once the HQ server reports that it has successfully started, you can log in
 to your HQ server at:
  username: hqadmin
  password: hqadmin

IT asset management with VISIO

I have discovered that in VISIO you can link your shapes to a data source (e.g. Excel), linking each shape to a row in the data source.

So you can write things like CPU, RAM and IP address in the data source, link the row to a Server shape, display this info in the diagram and update all diagrams just by changing the Excel file.

Now, it would be great if VISIO had some more specialized templates to model WebLogic domains etc. I will keep searching for CAD tools; I can't believe we are still confined to very generic tools like VISIO to model IT infrastructure...

Tuesday, March 23, 2010

How to switch from Sun JDK to JRockit?

JRockit is a lot better in a development environment, because of the wonderful jrcmd utility and JRA (the JRockit Runtime Analyzer).

If you have installed WebLogic with the Sun JDK, you can switch to JRockit by editing the domain environment script
C:\_yourbeahome_\user_projects\domains\_yourdomain_\bin\setDomainEnv.cmd (setDomainEnv.sh on Unix) and pointing it at the JRockit installation:

set BEA_JAVA_HOME=C:\_yourbeahome_\jrockit_160_05

In the same script check that JAVA_VENDOR is set to BEA, since that is the switch that makes the start scripts pick BEA_JAVA_HOME instead of SUN_JAVA_HOME.

I am not sure this covers all scenarios, but at least it's a good starting point...

Monday, March 22, 2010

Why it makes sense to timestamp SOAP requests

and to reject them if they fall outside a short acceptance window: a captured request that carries a Created/Expires timestamp can only be replayed while that window is open, and a clock-skew allowance of a few minutes keeps legitimate traffic from being rejected. The timestamp must itself be covered by the message signature, otherwise a replayer can simply rewrite it.

WSS4J is the Apache implementation of the OASIS WS-Security standards, and Spring Web Services (Spring-WS) wraps it in its WS-Security interceptor.

work in progress...
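As an added example (not code from the original post), here is the freshness check a receiver should perform on the wsu:Timestamp before trusting a request. Only the Python standard library is used; the namespace URIs are the OASIS WSS 1.0 ones, the 5-minute skew and time-to-live values are assumptions, and the SOAP envelopes are constructed for illustration:

```python
"""Freshness check for a WS-Security <wsu:Timestamp> header.

Added example for this post, not code from the original page. Only the
Python standard library is used; the namespace URIs are the OASIS WSS 1.0
ones and the sample envelopes below are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}

MAX_SKEW = timedelta(minutes=5)  # tolerated clock difference between sender and receiver (assumed)
MAX_TTL = timedelta(minutes=5)   # longest Created -> Expires window we are willing to honour (assumed)


def _parse_utc(text):
    """Parse an xsd:dateTime in UTC ('...Z'), with or without fractional seconds."""
    text = text.strip()
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in text else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def check_timestamp(envelope_xml, now, max_skew=MAX_SKEW, max_ttl=MAX_TTL):
    """Return (accepted, reason) for the wsu:Timestamp in the wsse:Security header.

    The timestamp must be present, well formed, not too long-lived, not from
    the future (beyond skew) and not yet expired (beyond skew). This is only
    meaningful if the Timestamp element is covered by the message signature;
    an unsigned timestamp can be rewritten by whoever replays the message.
    """
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    ts = root.find("soap:Header/wsse:Security/wsu:Timestamp", NS)
    if ts is None:
        return False, "no wsu:Timestamp in the wsse:Security header"
    created_el = ts.find("wsu:Created", NS)
    expires_el = ts.find("wsu:Expires", NS)
    if created_el is None or not created_el.text:
        return False, "Timestamp has no Created element"
    try:
        created = _parse_utc(created_el.text)
        # Expires is optional in the spec; if absent, grant at most max_ttl
        expires = _parse_utc(expires_el.text) if expires_el is not None and expires_el.text else created + max_ttl
    except ValueError as exc:
        return False, f"unparseable timestamp: {exc}"
    if expires <= created:
        return False, "Expires is not after Created"
    if expires - created > max_ttl:
        return False, f"validity window {expires - created} exceeds {max_ttl}"
    if created > now + max_skew:
        return False, "Created lies in the future beyond the allowed clock skew"
    if now > expires + max_skew:
        return False, "message has expired"
    return True, "fresh"


def make_envelope(created, expires):
    """Build a minimal SOAP 1.1 envelope carrying a wsu:Timestamp (constructed sample)."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return (
        f'<soap:Envelope xmlns:soap="{NS["soap"]}">'
        f'<soap:Header><wsse:Security xmlns:wsse="{NS["wsse"]}" xmlns:wsu="{NS["wsu"]}">'
        f'<wsu:Timestamp wsu:Id="TS-1"><wsu:Created>{created.strftime(fmt)}</wsu:Created>'
        f'<wsu:Expires>{expires.strftime(fmt)}</wsu:Expires></wsu:Timestamp>'
        f'</wsse:Security></soap:Header><soap:Body/></soap:Envelope>'
    )


# Fixed "now" (the receiver's clock) so the run is reproducible.
NOW = datetime(2010, 3, 22, 10, 0, 0, tzinfo=timezone.utc)

SAMPLE_FRESH = make_envelope(NOW - timedelta(seconds=30), NOW + timedelta(minutes=4))
SAMPLE_EXPIRED = make_envelope(NOW - timedelta(hours=1), NOW - timedelta(minutes=55))
SAMPLE_FUTURE = make_envelope(NOW + timedelta(minutes=10), NOW + timedelta(minutes=14))
SAMPLE_TOO_LONG = make_envelope(NOW, NOW + timedelta(hours=2))
SAMPLE_NO_TIMESTAMP = f'<soap:Envelope xmlns:soap="{NS["soap"]}"><soap:Header/><soap:Body/></soap:Envelope>'

if __name__ == "__main__":
    for name, env in [("fresh", SAMPLE_FRESH), ("expired", SAMPLE_EXPIRED),
                      ("future", SAMPLE_FUTURE), ("too long", SAMPLE_TOO_LONG),
                      ("no timestamp", SAMPLE_NO_TIMESTAMP)]:
        print(f"{name:13s} -> {check_timestamp(env, NOW)}")
```

The skew is applied on both ends on purpose: a message created slightly "in the future" by a fast sender clock is still accepted, but one created far in the future is rejected because an attacker could otherwise pre-date a replay. Capping the Created/Expires window independently of the skew stops a client from declaring its own message valid for a day.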

Saturday, March 20, 2010

WebLogic Security, a complex world

Just trying to summarize all the options / tabs existing in WebLogic and covering the security topic.

At Domain level, there is a "Security" tab:

"general": features cross-domain security settings, node manager credentials, default realm

"filter" : you can specify a class to prevent connections based on their IP etc (the default implementation is On how to set the Connection Filter, see

"unlock user": just to unlock a user

"embedded LDAP" : various parameters (cache and startup sync) for the Embedded LDAP

"roles" : defines domain security roles (you can map the role with the XACMLRoleMapper)

"policies" : they concern "User Lockout" (based e.g. on roles defined in previous tab - they will be saved in XACMLAuthorizer)  ; "configuration", "file upload", "file download", "view log", "identity assertion"

Still at Domain level, we have "Web Service security":

credential providers
token handler

At Server level, there is only:
roles and policies to be able to restart the server

In the "security realms" page, you can create new security realms.

General tab: choose Security Model (DD only), protects JMX access
RDBMS Security Store tab: allows to use a DB as security store

User Lockout: locks an account after repeated failed logins (brute-force protection; the failure threshold and lockout duration are set here)
Performance: defines cache
Users and Groups: you can define new Users and Groups

Roles and Policies:
Realm Roles: lets you view and edit all roles and policies for Deployments, EJB Modules and EJB, JMS Destinations and Modules, JDBC Datasources, Domain and Server level roles.

Credential Mappings: lets you map WebLogic Server users to users of remote systems

Role Mapping
Credential Mapping
Certification Path

Migration: import and export

Wednesday, March 17, 2010

Vista is the biggest failure in the history of computing

I am just taking a small revenge against the operating system which has made my life miserable for the past 1.5 months.
It's slow, it's ugly, it's unreliable.
It gives you features that you don't need and doesn't give you the features you need.
It still forces you to upgrade to a new 64-bit version if you want to manage 4GB RAM...
It hangs trying to resume from sleep mode, and I had to reboot countless times, crashing my running applications.
Its default security configuration is simply paranoid.
Its default file view settings treat all files as music files even if you have a single MP3 in a directory.
To change an environment variable you have to click through 4 different dialogs.
To reach a reasonable speed on a monster computer I had to disable all visual effects - and still XP was a lot faster with all the visual effects on.
The OS alone hogs 1.2 GB RAM... WTF!!!
It automatically starts a lot of services you will never need - I had to set them to start manually in an attempt to bring startup time below 10 minutes!

If I were its Project Manager I would consider learning agriculture, fishing and hunting and hiding in the Amazon forest for the rest of my life.

I might even join him, because using Vista makes me very pessimistic about the future of computing and willing to quit this job. Instead of getting better, we are getting worse and worse.

If you try to upgrade to Vista 64-bit, you get this error all the time:

1067 - There is a technical issue that we are actively working on. Please try again later. If the problem persists after 24 hours, please contact our support team and reference error code 1067 for assistance.
I have tried so many times... this is obscene...

Running JUnit tests to generate load on the system

JUnitTester1, JUnitTester2 etc. are all our test classes.
This code creates 5 threads, each running all the tests forever, with a 500 ms pause at the end of each test sequence.
With this we can create load on the system.

package com.pierre.testall;

import com.pierre.junittester.JUnitTester1;
import com.pierre.junittester.JUnitTester2;

public class TestCatalog {
    // Every JUnit 3 TestCase class the load generator should cycle through
    public static final Class[] ALL_TESTS = new Class[] {JUnitTester1.class, JUnitTester2.class};
}

package com.pierre.testall;

import junit.textui.TestRunner;

public class AllTests implements Runnable {
    private static final int THREADS = 5;
    private static final int PAUSE_MS = 500;

    public static void main(String[] args) {
        AllTests allTests = new AllTests();
        for (int i = 0; i < THREADS; i++) {
            Thread thread = new Thread(allTests, "load-" + i);
            thread.start();
        }
    }

    public void run() {
        while (true) {
            for (Class clazz : TestCatalog.ALL_TESTS) {
                TestRunner.run(clazz); // runs every testXxx method of the TestCase
            }
            sleep(PAUSE_MS);
        }
    }

    public void sleep(int ms) {
        try {
            Thread.sleep(ms);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
    }
}

is also a good source of inspiration.

Tuesday, March 16, 2010


keytool usage:

-certreq     [-v] [-protected]
             [-alias <alias>] [-sigalg <sigalg>]
             [-file <csr_file>] [-keypass <keypass>]
             [-keystore <keystore>] [-storepass <storepass>]
             [-storetype <storetype>] [-providername <name>]
             [-providerclass <provider_class_name> [-providerarg <arg>]] ...
             [-providerpath <pathlist>]

-changealias [-v] [-protected] -alias <alias> -destalias <destalias>
             [-keypass <keypass>]
             [-keystore <keystore>] [-storepass <storepass>]
             [-storetype <storetype>] [-providername <name>]
             [-providerclass <provider_class_name> [-providerarg <arg>]] ...
             [-providerpath <pathlist>]

-delete      [-v] [-protected] -alias <alias>
             [-keystore <keystore>] [-storepass <storepass>]
             [-storetype <storetype>] [-providername <name>]
             [-providerclass <provider_class_name> [-providerarg <arg>]] ...
             [-providerpath <pathlist>]

-exportcert  [-v] [-rfc] [-protected]
             [-alias <alias>] [-file <cert_file>]
             [-keystore <keystore>] [-storepass <storepass>]
             [-storetype <storetype>] [-providername <name>]
             [-providerclass <provider_class_name> [-providerarg <arg>]] ...
             [-providerpath <pathlist>]

-genkeypair  [-v] [-protected]
             [-alias <alias>]
             [-keyalg <keyalg>] [-keysize <keysize>]
             [-sigalg <sigalg>] [-dname <dname>]
             [-validity <valDays>] [-keypass <keypass>]
             [-keystore <keystore>] [-storepass <storepass>]
             [-storetype <storetype>] [-providername <name>]
             [-providerclass <provider_class_name> [-providerarg <arg>]] ...
             [-providerpath <pathlist>]

-genseckey   [-v] [-protected]
             [-alias <alias>] [-keypass <keypass>]
             [-keyalg <keyalg>] [-keysize <keysize>]
             [-keystore <keystore>] [-storepass <storepass>]
             [-storetype <storetype>] [-providername <name>]
             [-providerclass <provider_class_name> [-providerarg <arg>]] ...
             [-providerpath <pathlist>]

-importcert  [-v] [-noprompt] [-trustcacerts] [-protected]
             [-alias <alias>]
             [-file <cert_file>] [-keypass <keypass>]
             [-keystore <keystore>] [-storepass <storepass>]
             [-storetype <storetype>] [-providername <name>]
             [-providerclass <provider_class_name> [-providerarg <arg>]] ...
             [-providerpath <pathlist>]

-importkeystore [-v]
             [-srckeystore <srckeystore>] [-destkeystore <destkeystore>]
             [-srcstoretype <srcstoretype>] [-deststoretype <deststoretype>]
             [-srcstorepass <srcstorepass>] [-deststorepass <deststorepass>]
             [-srcprotected] [-destprotected]
             [-srcprovidername <srcprovidername>]
             [-destprovidername <destprovidername>]
             [-srcalias <srcalias> [-destalias <destalias>]
               [-srckeypass <srckeypass>] [-destkeypass <destkeypass>]]
             [-providerclass <provider_class_name> [-providerarg <arg>]] ...
             [-providerpath <pathlist>]

-keypasswd   [-v] [-alias <alias>]
             [-keypass <old_keypass>] [-new <new_keypass>]
             [-keystore <keystore>] [-storepass <storepass>]
             [-storetype <storetype>] [-providername <name>]
             [-providerclass <provider_class_name> [-providerarg <arg>]] ...
             [-providerpath <pathlist>]

-list        [-v | -rfc] [-protected]
             [-alias <alias>]
             [-keystore <keystore>] [-storepass <storepass>]
             [-storetype <storetype>] [-providername <name>]
             [-providerclass <provider_class_name> [-providerarg <arg>]] ...
             [-providerpath <pathlist>]

-printcert   [-v] [-file <cert_file>]

-storepasswd [-v] [-new <new_storepass>]
             [-keystore <keystore>] [-storepass <storepass>]
             [-storetype <storetype>] [-providername <name>]
             [-providerclass <provider_class_name> [-providerarg <arg>]] ...
             [-providerpath <pathlist>]

More info here

to create a keystore containing a new key pair:

C:\beawli\jrockit_160_05\bin>keytool -genkeypair -alias acme -keysize 1024 -storetype jks -keystore longkeys.jks -storepass weblogic -keypass weblogic

Three caveats for anything beyond a throwaway test: without -keyalg this JDK defaults to DSA, so add -keyalg RSA for a key you intend to use with SSL or WS-Security; 1024 bits is below the minimum you should deploy today (use -keysize 2048); and passing -storepass/-keypass on the command line leaves the passwords in the shell history, so omit them and let keytool prompt.

Web Service Security: basic concepts

Message-level security: it enhances transport-level security (SSL) by letting you specify which parts of the message should be signed and/or encrypted, so the protection travels with the message rather than with the connection

Transport-level security: HTTP BASIC authentication and SSL

Access control security: it doesn't encrypt the message, it simply checks that the authenticated user is allowed to invoke a service (or one of its operations)

WS-Security is available for both JAX-RPC and JAX-WS.
A message can be signed, encrypted or both. It provides integrity, confidentiality and authentication.

These OASIS standards are supported:

WS-Security 1.0 and 1.1
Username Token Profile 1.0 and 1.1
X.509 Token Profile 1.0 and 1.1
SAML Token Profile 1.0 and 1.1

Other standards covered only for JAX-RPC: WS-Trust and WS-SecureConversation.
WS-Policy  and WS-SecurityPolicy.

For a list of pre-packaged WebLogic policy files, see


You should create a default_wss Web Services Security configuration (domain tab)

 here they explain you what to enter in this page (Oracle is very good at sending you around to 20 different documents before you can get anything done)


class name =
token type = x509
property IntegrityKeyAlias
property IntegrityKeyPassword
property IntegrityKeyStore
property IntegrityKeyStorePassword

this will generate this entry in config.xml


Some built-in JWS policies are Auth.xml, Sign.xml and Encrypt.xml (authenticate the caller, sign the message, encrypt the message).
They can be combined: a message can be subject to any one of the three or to all of them.

Web Services Monitoring

I am investigating on existing open source products to monitor web services, at a minimum to detect if there are changes in their WSDL, being able to navigate in their data type schemas, ping them to check if they are available...

given the high number of Web Services we are going to deal with, it's worth to have some sort of registry.

I am testing this

Hyperic  this seems to be excellent, but it seems not specific to Web Service (still investigating)


and of course more in general NAGIOS for IT infrastructure monitoring:

I know of Amberpoint, which seems to be quite good, but it's not opensource.

Please shout if you have already done some investigation on this topic


Monday, March 15, 2010

WLST easeSyntax

great tip that I have found on another blog (in fact I hate WLST strict syntax, it's such a pain in the neck):

In WLST (WebLogic Scripting Tool), how many times have you wished you didn't have to type the parentheses or quotes when navigating MBeans? For me, I wished for that every time. ;-)
Fortunately, WLST designer Satya Ghattu lets us in on a little secret. Simply enter easeSyntax() while in online mode and you can drop the parentheses and quotes when navigating. Using Satya's examples:
cd('/Servers/testServer')
turns into the friendlier
cd /Servers/testServer
Thanks for the tip, Satya!
Posted in Quick Tips, WebLogic, December 14th, 2008 by Mike Fleming

SOAP UI and WS-Security

in SOAPUI, right click on project, and "show project view"

"security configurations" tab


add your keystore and specify keystore password, default alias and alias password (should match store password)

then go to "Outgoing WS-Security Configurations" and create a profile (e.g. "signed") putting the default alias and password.
Then in the same tab add "WSS entry" for signature (I know, the UI really sucks), select keystore, alias etc

Now CLOSE AND REOPEN SOAPUI (little bug here), then open the Request and look for a tiny "Aut" tab on the bottom (as I said, the UI really sucks). In "outgoing WSS" choose the configuration you have created.

If you get this:

Unable to decode certificate: Unable to initialize, DerInputStream.getLength(): lengthTag=127, too big

then it means you have survived so far to this terrible horrible mess which is WS-Security.

Monitoring SOAP requests

The easiest way is to use TCP-Monitor (either the Eclipse plugin or the standalone application);

this entails pointing your test suite at a different port, and with the WLI test client (web) this doesn't work because they hardcode the port number in the HTTP response (smart!).

Perhaps using this trick of pointing the JVM to use the TCP mon as a proxy (-Dhttp.proxyHost=localhost -Dhttp.proxyPort=8080) you can make it work...

I have tried this PortPeeker port traffic monitoring tool:
but it cannot examine an already opened port.... pretty useless for a sniffer tool...

Let's try Wireshark then
or tcpdump / WinDump
(both Wireshark and WinDump use the WinPcap libraries to capture traffic)

Securing WLI processes using the WLIConsole and Method Authorization Policy

Log into WLIConsole, go to process configuration and search for Method Authorization Policy.

Find your clientRequestwithReturn method (or whatever the public entry method of your process is called) and configure it.
If you add the Anonymous role to the list of Authorized Roles, anybody can call your process.
If you set any other role, the test console stops working, because it invokes the process without authenticating (hence the empty principals=[] in the fault below), and you get this error:


<faultstring>EJB Exception: ; nested exception is: java.lang.SecurityException: Access method: clientRequestwithReturn in application: PVHelloEAR, webapp: PVHelloWebjpd: hello.PVHelloSync1 not allowed for subject: principals=[]</faultstring>


Sunday, March 14, 2010

Securing WLI processes and Web Services

add this annotation to your process:


and the file contains:

<?xml version="1.0" ?>
<wsSecurityPolicy xsi:schemaLocation="WSSecurity-policy.xsd">
    <token tokenType="username" />
</wsSecurityPolicy>

The entire XSD is here:

you will get this exception when invoking your process from SOAP client:

weblogic.webservice.server.ConfigException: Key for alias 'client1' does not exist in server key store (C:\beawli\WLSERV~1.3\server\lib\DemoIdentity.jks)
    at weblogic.webservice.util.ServerKeyStore.getPrivateKeyInternal(
    at weblogic.webservice.util.ServerKeyStore.getPrivateKey(
    at com.bea.wli.knex.runtime.jws.wssecurity.inbound.WLWInboundWSSEImpl.initDecryptionKey(

Let's check which keys are in the DemoIdentity keystore:

cd C:\beawli\jrockit_160_05\bin

C:\beawli\jrockit_160_05\bin>keytool -list -keystore c:\beawli\wlserver_10.3\server\lib\DemoIdentity.jks
Enter keystore password:  (enter DemoIdentityKeyStorePassPhrase)

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

demoidentity, Feb 24, 2010, PrivateKeyEntry,
Certificate fingerprint (MD5): 7B:C7:C0:7C:91:13:6C:CB:8B:EA:AD:C4:4E:1D:A8:0E

I find the password here

At this point I change mypolicy.xml file this way:

<?xml version="1.0" ?>
<wsSecurityPolicy xsi:schemaLocation="WSSecurity-policy.xsd">
    <token tokenType="username" />
</wsSecurityPolicy>

and I  get this new error:

java.rmi.RemoteException: EJB Exception: ; nested exception is:
    com.bea.wli.knex.runtime.jws.wssecurity.exception.WLWWSSEException: weblogic.webservice.server.ConfigException: Failed to load key for alias demoidentity
Caused by: com.bea.wli.knex.runtime.jws.wssecurity.exception.WLWWSSEException: weblogic.webservice.server.ConfigException: Failed to load key for alias demoidentity
    ... 19 more
Caused by: weblogic.webservice.server.ConfigException: Failed to load key for alias demoidentity
    ... 27 more
Caused by: Cannot recover key
    ... 29 more

and we learn that :

The error “ Cannot recover key” occurs when the keystore and keyEntry passwords are different. To resolve this issue, you must remove all traces of the past certificate and request file.
You must generate a new keystore, keyEntry and CSR and specify the same password for the keystore and the keyEntry.

 WTF ?????!!!! I think this is simply insane.

Incidentally, the keystore configuration is located under server/configuration/keystores

At this point, I don't give up and I create a new KeyStore with a custom Identity Key, giving same password for keystore and key:

keytool -genkeypair -alias acme -keystore acmeks.jks -storepass weblogic -keypass weblogic

I set the keystore to "Custom Identity and Command Line Trust" (CustomIdentityAndCommandLineTrust)

and when I restart the server I get:

java.lang.RuntimeException: Trust KeyStore is not configured!

At this point I read this documentation

The default password for the Java default keystore file $JAVA_HOME/lib/security/cacerts is ‘changeit’

 keytool -list -keystore c:\beawli\jrockit_160_05\jre\lib\security\cacerts
Enter keystore password: (enter changeit)

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 51 entries

aolrootca1, Jan 17, 2008, trustedCertEntry,
Certificate fingerprint (MD5): 14:F1:08:AD:9D:FA:64:E2:89:E7:1C:CF:A8:AD:7D:5E
verisignclass3g2ca, Mar 25, 2004, trustedCertEntry,
Certificate fingerprint (MD5): A2:33:9B:4C:74:78:73:D4:6C:E7:C1:F3:8D:CB:5C:E9
entrustclientca, Jan 9, 2003, trustedCertEntry,
Certificate fingerprint (MD5): 0C:41:2F:13:5B:A0:54:F5:96:66:2D:7E:CD:0E:03:F4
thawtepersonalbasicca, Feb 12, 1999, trustedCertEntry,
Certificate fingerprint (MD5): E6:0B:D2:C9:CA:2D:88:DB:1A:71:0E:4B:78:EB:02:41
globalsignca, Aug 1, 2007, trustedCertEntry,
Certificate fingerprint (MD5): AB:BF:EA:E3:6B:29:A6:CC:A6:78:35:99:EF:AD:2B:80
addtrustclass1ca, May 2, 2006, trustedCertEntry,
Certificate fingerprint (MD5): 1E:42:95:02:33:92:6B:B9:5F:C0:7F:DA:D6:B2:4B:FC
digicertassuredidrootca, Jan 7, 2008, trustedCertEntry,
Certificate fingerprint (MD5): 87:CE:0B:7B:2A:0E:49:00:E1:58:71:9B:37:A8:93:72
verisignclass2g3ca, Mar 25, 2004, trustedCertEntry,
Certificate fingerprint (MD5): F8:BE:C4:63:22:C9:A8:46:74:8B:B8:1D:1E:4A:2B:F6

After having configured the Keystore as "custom identity and custom trust"

and AT LAST I get an expected error - since the SOAP message was not encrypted:

java.rmi.RemoteException: EJB Exception: ; nested exception is:
    com.bea.wli.knex.runtime.jws.wssecurity.exception.WLWWSSEException: Policy requires Message to be encrypted, Message was not encrypted.
Caused by: com.bea.wli.knex.runtime.jws.wssecurity.exception.WLWWSSEException: Policy requires Message to be encrypted, Message was not encrypted.
    ... 19 more

Thursday, March 4, 2010

WLI WebLogic Integration

WLI doesn't handle a refactoring process very well.
Thus, if you move a process to a different package or project, you will run into trouble because some configuration files are not automatically updated,
such as wli-config.xml.
So in the WliWebAppListener you will get a ClassNotFoundException.
To recover from this situation, delete wli-config.xml and let WLI rebuild it from scratch.

How to become an expert in Web Service security in 30 seconds

First read this:

you will learn that there are .WSSE files containing security policies for a WS.

You attach it to the WS with
You might need a WSSE file also for callbacks (not needed if Synchronous).

Very interesting also this article:

which goes over security.
In a nutshell we need to:
- identify and authenticate the client (security token)
- ensure the integrity of the message (digital signature)
- prevent unauthorized parties from eavesdropping on our message (encryption)

It turns out that JPD files (WLI) cannot be secured:

WS-Security policy (WSSE) files are not supported for business processes (JPDs). Therefore, the following annotations are not supported for JPD files: com.bea.wli.common.WSSecurityCallback and com.bea.wli.common.WSSecurityService.
If you want to use WS-Security, then you must front-end the JPD with a JWS. The client would invoke a JWS using WS-Security, then the JWS would locally invoke the JPD via a Process Control.

If you use the annotation com.bea.wli.common.WSSecurityService you might get an error:
Exception trying to load wsse policy definition error: The document is not a wsSecurityPolicy@

More info on WS-SecurityPolicy

sample empty policy file:


 (see )

One can secure at web.xml level:

This is a sample security-constraint xml:

Monday, March 1, 2010

EJB 3.0 super fast tutorial

Create an EJB project PVEJB30Test.

Create an interface; this will be the remote interface of your stateless EJB:

package com.pierre;

public interface Messenger {
    String getMessage(String name);
}

Create the implementation. The @Stateless annotation is what makes the container deploy the class as a session bean, and @Remote marks Messenger as its remote business interface:

package com.pierre;

import javax.ejb.Remote;
import javax.ejb.Stateless;

@Stateless
@Remote(Messenger.class)
public class MessengerSB implements Messenger {
    public String getMessage(String name) {
        return "Ciao " + name;
    }
}

Deploy your project to the WebLogic Server:

You will magically get this:

Application Name: PVEJB30Test
EJB Module Name:PVEJB30Test
Bean Name: MessengerSB

Easy. It could be easier (for instance, not having to create the Interface) but it's easy.

In the JNDI tree you will get:

PVEJB30TestPVEJB30TestMessengerSB_Home (=
PVEJB30TestPVEJB30TestMessengerSB_Messenger (=
If you specify
you will get this binding: