Friday, November 13, 2009

Fixed - eZShare app and Infinite loop in the browser

With the latest version of the App, this issue is fixed.





If you run into an infinite loop running the eZShare sample app with JDev 11.1.1.2.0, a workaround is to remove the AdfFacesFilter from your app's web.xml.

i.e. remove the following:

the <filter> element that declares AdfFacesFilter, and the <filter-mapping> element that maps it.

Friday, August 21, 2009

JDev 11gR1 & WebLogic

Did you know JDev 11gR1 embeds WLS 11gR1 (10.3.1)? When you develop an application in JDev and run it, JDev deploys the application automatically to the embedded WLS and launches the application's start page.

A less obvious fact is that this embedded WLS also comes with the WLS Admin Console, which is accessible at http://localhost:7101/console with weblogic/weblogic1 as the administrative account. That is a well-known default credential, so keep the integrated server listening on localhost only, and change the password before anyone else can reach it.

Friday, August 14, 2009

Deleting Application Policies with WLST

OPSS can automatically delete application policies when the application is undeployed. This is controlled by flags I talked about in my previous posts.

Now there are occasions where you might want to delete application policies manually. Here is a WLST command sample.

  1. Launch WLST from /common/bin/wlst.sh
  2. Connect to the Admin Server: connect('weblogic','welcome1','localhost:7001')
    Sample Output
    Connecting to t3://localhost:7001 with userid weblogic ...
    Successfully connected to Admin Server 'AdminServer' that belongs to domain 'domain1'.

    Warning: An insecure protocol was used to connect to the
    server. To ensure on-the-wire security, the SSL port or
    Admin port should be used instead.

    Heed the warning: over plain t3 the administrator's password crosses the wire unencrypted. Connecting to the SSL port instead (t3s://localhost:7002 in a default domain) avoids both the warning and the exposure.

  3. Delete the authorization policies for an application: deleteAppPolicies(appStripe="TB#V1.0#9")
    Sample Output
    wls:/domain1/serverConfig> deleteAppPolicies(appStripe="TB#V1.0#9")
    {appStripe=TB#V1.0#9}
    Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.
    For more help, use help(domainRuntime)

Note that the application stripe is a fully qualified name that includes the application name and the version. Double-check it before running the command: deleteAppPolicies is not reversible, and the stripe is the only thing that selects which application's policies go.

Friday, August 7, 2009

Application policy and App un-deployment

You can deploy an ADF application with EM to a WebLogic Server domain. Let's say the ADF app is secured. When the app is deployed, the security policies are also deployed with the app to the target server. This happens automatically within JDeveloper. But when the app is deployed to a remote WLS, this is exposed as a configuration choice that the application deployer (an administrator by another name) has to make.

This is controlled with the flags I blogged about in my last post.

What about undeploying application security policies when the corresponding application is undeployed? It turns out this does not happen automatically in 11gR1; it requires the application to be packaged (as an EAR file) with a "Weblogic-Application-Version" entry in its manifest file. Without that entry the application's policies stay behind in the policy store after the undeploy and have to be removed by hand, for example with the WLST deleteAppPolicies command.

JDev automatically creates a MANIFEST file for the application when the application is packaged (deployed to an EAR). Here is an example manifest file.


Manifest-Version: 1.0
Created-By: 1.6.0_07 (Sun Microsystems Inc.)
Weblogic-Application-Version: V1.0

When this app is undeployed, its application policies are automatically removed.
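A pre-deployment check for that manifest entry, added here as an example (it is not code from JDev, WebLogic or the original post): it builds a throwaway EAR in memory, reads META-INF/MANIFEST.MF following the JAR manifest rules (a line starting with a space continues the previous value), and reports whether undeploying the EAR will also clean up its application policies. The sample manifests are constructed from the JDev-generated one shown above.

```python
"""Check whether an EAR carries the Weblogic-Application-Version manifest entry.

Added example, not code from JDev, WebLogic or the original post. The EARs
are built in memory with zipfile so the check runs offline; the manifests
are constructed from the JDev-generated one shown above.
"""
import io
import zipfile

MANIFEST_PATH = "META-INF/MANIFEST.MF"
VERSION_HEADER = "Weblogic-Application-Version"


def parse_manifest(text):
    """Parse the main section of a JAR manifest into a dict.

    Per the JAR file specification: 'Name: value' lines, a line beginning with
    a single space continues the previous value (long values are wrapped),
    and a blank line ends the main section (per-entry sections follow it).
    """
    headers = {}
    last = None
    for line in text.splitlines():
        if line == "":
            break                          # end of the main section
        if line.startswith(" ") and last is not None:
            headers[last] += line[1:]      # continuation of the previous value
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed manifest line: %r" % line)
        last = name.strip()
        headers[last] = value.strip()
    return headers


def application_version(ear_bytes):
    """Return the Weblogic-Application-Version of an EAR, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(ear_bytes)) as ear:
        if MANIFEST_PATH not in ear.namelist():
            return None
        text = ear.read(MANIFEST_PATH).decode("utf-8")
    return parse_manifest(text).get(VERSION_HEADER)


def undeploy_removes_policies(ear_bytes):
    """Per the post: policies are removed on undeploy only for versioned EARs."""
    return application_version(ear_bytes) is not None


def build_ear(manifest_text=None):
    """Constructed sample input: a minimal EAR, optionally without a manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as ear:
        ear.writestr("META-INF/application.xml", "<application/>")  # stand-in descriptor
        if manifest_text is not None:
            ear.writestr(MANIFEST_PATH, manifest_text)
    return buf.getvalue()


# The manifest JDev writes (from the post) and one with the version entry missing.
VERSIONED_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Created-By: 1.6.0_07 (Sun Microsystems Inc.)\r\n"
    "Weblogic-Application-Version: V1.0\r\n"
)
UNVERSIONED_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Created-By: 1.6.0_07 (Sun Microsystems Inc.)\r\n"
)

if __name__ == "__main__":
    for label, ear in (("versioned", build_ear(VERSIONED_MANIFEST)),
                       ("unversioned", build_ear(UNVERSIONED_MANIFEST)),
                       ("no manifest", build_ear())):
        print(label, application_version(ear), undeploy_removes_policies(ear))
```

Point application_version at the bytes of a real EAR before handing it to the administrator; an EAR that returns None will leave its stripe in the policy store after undeploy.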

Deploying a Secure application with EM

As a reader of this blog, you probably know that Oracle Platform Security Services (OPSS) supports the application life cycle from design to deployment to monitoring. Now security configuration management is exposed through Enterprise Manager - Fusion Middleware Control (names, names, when will we use shorter names? but let me not get off track). It allows an administrator to control how security-related artifacts (policies, credentials etc.) are deployed to the target server.

The feature is documented in the Oracle Fusion Middleware Security Guide (section 7.2.1), but the doc is somewhat awkward. I recently had an email exchange with a customer about this, and I thought that, while we improve the doc, the clarification might be of interest to others.

"

The following three application security artifacts are of interest during the application deployment process.

  1. Identities - which means users and groups, and the mapping of application roles to groups/users. These are defined by a developer during the application development process within JDev.
    • In most scenarios, the identities should not be migrated when deploying an application to a remote WLS (it is controlled with the check box).
      • Mapping application roles to enterprise groups/users in a remote WLS environment is a post-deployment task to be done by an administrator.
  2. Policies - which include application roles and the permissions granted to application roles.
    • When deploying the app for the first time, the policies should always be migrated to the policy store, which is the option controlled by the "Append" radio button.
    • Upon re-deploying the app, to preserve any application policy modifications made in the policy store, the admin should choose the "Ignore" radio button.
  3. Credentials - which are username/password tuples used by the applications.
    • The radio button "Append" means credentials packaged with the application will be deployed to the remote WLS's credential store. In case a credential with the same map and key names already exists in the domain credential store, the migration process will skip that credential and continue with the others.
    • The radio button "Ignore" means credentials packaged with the application will not be deployed to the remote WLS's credential store. In this case, the administrator is then expected to create a credential valid for the environment before the application works as designed by the developer."
Shout out to my colleague Sam for reviewing this post.

Friday, July 17, 2009

Upgrade to Fusion Middleware 11gR1

So you are on an OAS 10.1.x release and want to upgrade to 11gR1. It is a daunting topic; for starters, here is the upgrade center. For upgrading custom Java EE applications, see this whitepaper, which incidentally I co-wrote.

Let me know if you run into any problems (specifically with respect to security) during the upgrade.

Thursday, July 16, 2009

In case you are wondering what I am up to in October

Come check out the Oracle Open World sessions on OPSS. I hope we get a chance to exchange some ideas after all that's what this Open World is all about.

Wednesday, July 15, 2009

Whats in your wallet?

Ok, behind the clever title (which has been used before on the Oracle internal wiki, and has no relation to Capital One) here is the situation. Often applications access some protected service (web service, database, LDAP etc.). Many applications store the user name/password (credentials) required to authenticate to these services in some configuration file. Often these credentials are stored in clear text, where they are susceptible to prying eyes and raise a few eyebrows at the corporate security groups.

Business developers need a place to store these credentials securely, and a guarantee that only authorized applications/users can access them.
Enter OPSS's Credential Store Framework (CSF). CSF allows only authorized applications to access credentials that are stored outside of the application, securely in an Oracle Wallet (hence the "What's in your wallet" title). Nice, so developers don't need to worry about secure credential storage themselves.

But wait, here is the icing on the cake: since the credentials are stored outside the application, administrators can change/update the credentials without changing any application code, using the management tools Oracle Fusion Middleware provides (Enterprise Manager & WLST commands).

But wait, there is more: OPSS provides built-in auditing, so if your admins want to, they can enable an audit policy on credential store access without any application code changes, again with a few clicks in the aforementioned management tools.

But wait, there is more: OPSS allows these credentials to be stored in an LDAP directory (and protected by the LDAP server's access controls), which is what we recommend in production instead of the Oracle wallet.


Check out the CSF documentation.

Happy coding.

Monday, July 6, 2009

The foundation for security in Oracle Fusion Middleware and Fusion Applications

Now that Oracle has released Fusion Middleware 11gR1, I can talk about the security aspects of it. Starting with this release, Oracle has combined the security framework used in Oracle Application Server with the security framework used in WebLogic Server into "Oracle Platform Security Services", or OPSS.

OPSS is the foundation of security used across the entire Fusion Middleware Suite and Fusion Applications. See details.

Wednesday, February 11, 2009

Going back to dark ages

After coding in Java for over a decade, half of that with IntelliJ, I am now trying to code Objective-C in Xcode. As with learning to use any new IDE, this is not a fun exercise, and I am constantly comparing Xcode to IntelliJ; so far there is only one winner. I can find only a few built-in refactorings in Xcode. Does Xcode have anything like plugins? Is there a better tool for refactoring Objective-C?

Wednesday, February 4, 2009

getting the current Subject in oc4j

This is a copy of an email I sent.

The problem: how do you get the Subject associated with the currently authenticated user?

Solution: there are two ways in OC4J.

* The standard way

http://download.oracle.com/docs/cd/E12524_01/web.1013/e12514/authoriz.htm#CHDDAFBF

1. Configure JAAS mode, and
2. invoke Subject.getSubject(AccessController.getContext());

Step 1 is not optional: without JAAS mode the container does not run the request inside Subject.doAs, so the call in step 2 returns null rather than the authenticated user.

* The OC4J proprietary way

Invoke oracle.oc4j.security.Security.getSubject()

This requires an OC4J patchset on 10.1.3.3 and is available out of the box in 10.1.3.4.

Tuesday, January 27, 2009

iPhone SDK not on Windows :-(

I was quite surprised to find that the iPhone SDK is not available on Windows. Arghh. Lately I am seeing double standards in the EU hunting Mr. Softie. What is the big deal that MS bundles IE with its OS? Folks who need another browser can download any of the freely available browsers. The fact that you can't uninstall IE does not get in the way of my using a browser of my choice.
But that I can't replace the battery on my iPhone/iPod is a blocking issue when the batteries die. I don't want to be held hostage by the battery maker.

Monday, January 26, 2009

N-Tier Security Silos

With an N-tier architecture, the people managing the tiers tend to be separate and to have separate skill sets. This often leads to knowledge silos, and it is especially visible when it comes to security. E.g., you will be hard pressed to find a DBA who is good at securing Apache HTTP Server. I wonder if there is a need for a security platform that helps to bridge this gap. An example could be a mid tier that is more aware of the security configured at the data tier and can take advantage of it.
I wonder if this is an issue for you? How have you dealt with this?

Tuesday, January 6, 2009

SSL between MidTier & DataBase

Essentially, SSL support between an app server (MT) and the data tier (database) depends on two things.
1. Whether the database supports SSL (Oracle DB does).
2. Whether the DB driver supports it (could be the thin or the thick client).

Assuming OC4J is connecting to an Oracle DB that is configured to listen on SSL, here are the steps using the Oracle JDBC thin driver.


1.
For OracleAS, you could configure SSL as connection pool
properties, for example:

<!-- data-sources.xml: the tcps URL and the SSL properties sit on the pool's connection-factory -->
<managed-data-source connection-pool-name="scottConnPoolTCPS"
                     jndi-name="jdbc/sslDS"
                     name="jdbc/sslDS"/>

<connection-pool name="scottConnPoolTCPS">
  <connection-factory factory-class="oracle.jdbc.driver.OracleDriver"
                      user="scott"
                      password="tiger"
                      url="jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=sracanov-au2.au.oracle.com)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=orcl)))"
                      commit-record-table-name="">
    <!-- client wallet (trust store) for the thin driver -->
    <property name="oracle.net.wallet_location"
              value="/somepath/Wallets/client/ewallet.p12"/>
    <property name="oracle.net.ssl_cipher_suites"
              value="SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,SSL_DH_anon_WITH_RC4_128_MD5,SSL_DH_anon_WITH_DES_CBC_SHA"/>
  </connection-factory>
</connection-pool>


WLS to Oracle DB


For WLS, I don't see any doc for this type of configuration. I don't
think it can be configured as a connection pool property.
However, these might work:

1) Specify the properties in the Java program, as in the following example:
// import packages
import java.sql.*;
import oracle.jdbc.*;
import oracle.jdbc.pool.OracleDataSource;

// specify the properties object
java.util.Properties info = new java.util.Properties();
...
// Set the SSL version
info.put("oracle.net.ssl_version", "3.0");

// Set the wallet location (a Java string literal cannot span lines, so concatenate)
info.put("oracle.net.wallet_location",
         "(SOURCE=(METHOD=file)" +
         "(METHOD_DATA=(DIRECTORY=directory)))");

// Set the cipher suite
info.put("oracle.net.ssl_cipher_suites", "SSL_DH_DSS_WITH_DES_CBC_SHA");

// Force the server certificate DN to match the service name.
// The property name must be exact: a misspelled key is ignored without error.
info.put("oracle.net.ssl_server_dn_match", "TRUE");

2) Using the WLS SSL protocol, e.g. submitting Context.SECURITY_PROTOCOL
= "ssl" along with getting the JNDI initial context.
Copying Steve and Dave, they may have more info on this.


Thanks to Frances Zhao for this information; let me know of your experience with it.
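Two things in the settings above deserve a check before they are copied into production. The SSL_DH_anon_* suites in the OC4J pool encrypt the wire but authenticate nobody, so any host on the path can stand in for the database and the wallet is never consulted; single DES, RC4 and MD5 suites and SSLv3 ("3.0") are weak; and the thin driver accepts any oracle.net.* key without complaint, so a misspelled property such as ssl_serevr_dn_match simply leaves DN matching off. The following audit is an editor's added example, not code from the e-mail, from Oracle, or from OC4J/WLS. It runs over three constructed property sets: the two transcribed from the e-mail and a hardened set whose values are illustrative assumptions (TLS_RSA_WITH_AES_128_CBC_SHA, and "1.2", which assumes a driver that speaks TLS 1.2; use "1.0" with an 11g driver).

```python
"""Audit oracle.net.* SSL properties before handing them to the Oracle JDBC thin driver.

Editor's added example, not code from the e-mail, Oracle, OC4J or WLS. It
runs over three constructed property sets: the two from the e-mail above and
a hardened set whose values are illustrative assumptions.
"""

# oracle.net.* SSL properties the thin driver honours (the ones used on this page).
KNOWN_SSL_PROPERTIES = {
    "oracle.net.ssl_version",
    "oracle.net.ssl_cipher_suites",
    "oracle.net.wallet_location",
    "oracle.net.ssl_server_dn_match",
}

# Substrings that mark a suite as anonymous (no server certificate) or weak.
ANON_MARKER = "_anon_"
WEAK_MARKERS = ("_DES_", "_RC4_", "_MD5", "_NULL_")   # "_DES_" does not match 3DES ("_3DES_")


def cipher_suites(props):
    """Split the comma-separated suite list the driver expects."""
    raw = props.get("oracle.net.ssl_cipher_suites", "")
    return [s.strip() for s in raw.split(",") if s.strip()]


def audit(props):
    """Return a list of findings; empty when the property set looks sound."""
    findings = []

    # 1. A misspelled key is accepted and ignored: the setting silently never takes effect.
    for name in props:
        if name.startswith("oracle.net.ssl") or name.startswith("oracle.net.wallet"):
            if name not in KNOWN_SSL_PROPERTIES:
                findings.append("unknown property %s is silently ignored by the driver" % name)

    suites = cipher_suites(props)

    # 2. DH_anon suites encrypt the wire but authenticate nobody: any host on the
    #    path can stand in for the database. Wallet and DN match are moot then.
    anon = [s for s in suites if ANON_MARKER in s]
    if anon:
        findings.append("anonymous cipher suite(s) %s: no server authentication" % ", ".join(anon))

    # 3. Single DES, RC4, MD5 and NULL suites are broken or too weak.
    weak = [s for s in suites if any(m in s for m in WEAK_MARKERS)]
    if weak:
        findings.append("weak cipher suite(s) %s" % ", ".join(weak))

    # 4. "3.0" requests SSLv3 and "2.0" SSLv2; anything older than TLS is out.
    version = props.get("oracle.net.ssl_version")
    if version in ("2.0", "3.0"):
        findings.append("oracle.net.ssl_version %s selects SSL rather than TLS" % version)

    # 5. With a certificate-bearing suite, the client must be told whom to trust
    #    and must check that the certificate names the service it dialled.
    if not anon:
        if props.get("oracle.net.ssl_server_dn_match", "").strip().upper() != "TRUE":
            findings.append("oracle.net.ssl_server_dn_match is not TRUE: server DN is not checked")
        if not props.get("oracle.net.wallet_location"):
            findings.append("no oracle.net.wallet_location: nothing here supplies trusted CA certificates")
    return findings


def is_acceptable(props):
    return not audit(props)


# Constructed inputs: the OC4J data-sources.xml properties and the WLS Java
# snippet from the e-mail, then an illustrative hardened set (assumed values).
OC4J_SAMPLE = {
    "oracle.net.wallet_location": "/somepath/Wallets/client/ewallet.p12",
    "oracle.net.ssl_cipher_suites": "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,"
                                    "SSL_DH_anon_WITH_RC4_128_MD5,SSL_DH_anon_WITH_DES_CBC_SHA",
}
WLS_SAMPLE = {
    "oracle.net.ssl_version": "3.0",
    "oracle.net.wallet_location": "(SOURCE=(METHOD=file)(METHOD_DATA=(DIRECTORY=directory)))",
    "oracle.net.ssl_cipher_suites": "SSL_DH_DSS_WITH_DES_CBC_SHA",
    "oracle.net.ssl_serevr_dn_match": "TRUE",   # the typo as it appears in the e-mail
}
HARDENED = {
    "oracle.net.ssl_version": "1.2",            # assumes a TLS 1.2 capable driver; "1.0" on 11g
    "oracle.net.wallet_location": "(SOURCE=(METHOD=file)(METHOD_DATA=(DIRECTORY=/somepath/Wallets/client)))",
    "oracle.net.ssl_cipher_suites": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "oracle.net.ssl_server_dn_match": "TRUE",
}

if __name__ == "__main__":
    for label, props in (("OC4J sample", OC4J_SAMPLE), ("WLS sample", WLS_SAMPLE), ("hardened", HARDENED)):
        print(label, "->", audit(props) or ["ok"])
```

Feed audit() the property map you actually pass to OracleDataSource.setConnectionProperties (or the <property> pairs from data-sources.xml); an empty list is the condition for letting the pool go live.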