Skip to content

How to secure specific URL’s of an application on Weblogic

01-Mar-12

 

We can do that by using the DD Model as Custom Roles and Polcies and Defining the URL Pattern Scoped Policies.

The screenshots below will give an idea. If you have any queries feel free to let us know.

 

1.Deploy the application using DD Model as Custom Roles and Policies

 

Create a new user testuser


Go to

Deployments > TestApp > Security > URL Patterns > Roles

Click new and provide url pattern as /protected/* and role as testrole

Click on the testrole and add user testuser to the role condition. Remember to save!

Go to

Deployments > TestApp > Security > URL Patterns > Policies

Create a new policy /protected/* and add testrole to that policy.

 

Filed in Uncategorized | Tagged , | Comments (0) »

General Weblogic Server Interview Questions

21-Feb-12

I often get mails from people asking what are the questions generally asked in Weblogic by interviewers.
Generally for an Administrator’s positions, in addition to Weblogic questions, there are a lot of Unix questions and a few questions related to process and case handling.

These are the important questions that I cover while interviewing.

1. How do you differentiate between a server hang and server crash issue?

When a Server crahes, the JAVA process no longer exists. When the Server is hung, it stops responding.
We can use the weblogic.ADMIN utilty to ping the server. In case of a hang situation we can take multiple thread dumps and analyze the cause of hang.

2. What can be the various reasons for a server crash?

a) Native IO
b) SSL Native Libraries
c) JVM
d) Supported Configuration
e) JDBC Driver issue

3. How do you troubleshoot a crash?

JVM crash generates a hs_err_pid file. We need to look into the stack trace of the hs_err_pid file .
If the thread is from a native io, we need to disable native io.
if the stack trace is from the driver, we need to get in touch with the drive team.
Quite possibly its a problem with driver. Changing the type of driver can be a workaround.
If the thread shows it coming from an optimzed code, we can turn of optimization.
If the stack is from native calls of application, its a bug with the application and it has to b modified.

4. Ho do you troubleshoot Server Hang?

We can use java weblogic.Admin PING to check if we get a normal response.
We need to take multiple thread dumps with kill -3 pid on unix and CTLR Break on Windows.
Analyze the thread dump to find the root cause.

5. What can be the reasons of Server hang?

Memory leak, databse query taking a long time to return, Deadlock.

6. What is memory leak?

Memory leak is when objects are not romved from the heap even when they are not required.

7. What are the various causes for OUT OF MEMORY?

a) Insufficient heap size, not able to match the extra load.
b) Objects licing too long, like HTTP Sessions.
c) Memory leak in application code.
d) Full GC not happening due to JVM Bug.

8. How to troubleshoot and overcome such issues?

Gather memory data by enabling GC verbose.
If its due to Http Session, timing out http session after certain interval might help.
Look into the code for jdbc connection handling.
Optimizing the heap size according to the load.

9. When does High CPU Usage occur?

It occurs when one process or one thread utilizes unexpectedly high proportion of CPU.

10. How to troubleshoot it?

In Solaris environment, we need to take pstack and prstack and see what the threads are doing.
In Windows we need to use pslist and process explorer.

11. What is Clustering and what is achieved through it?

Clustering is the grouping together of servers for the purpose of high availability and scalability.
Load balancing and Failover is achieved.

12. How does Cluster Communication Happen?

Members of the Cluster communicate over the Cluster Multicast IP and Port by sending periodic heart beat messages.

13. What is the difference between the Sun JVM and BEA JRockit JVM?

The most well know JVM is the implementation from Sun. The Sun JVM is called HotSpot. The Sun JVM is shipped in the Java Developer’s Kit (JDK) and Java Runtime Environment (JRE) from Sun.

The BEA JRockit JVM from BEA systems is optimized for reliability and performance for server side applications. To achieve this, BEA JRockit JVM uses technologies such as code generation, hot spot detection, code optimization, advanced garbage collection algorithms and tight operating system integration.

14. TUning JVM Parameters.

If you have a single processor, single thread machine then you should use the serial collector (default for some configurations, can be enabled explicitly for with -XX:+UseSerialGC). For multiprocessor machines where your workload is basically CPU bound, use the parallel collector. This is enabled by default if you use the -server flag, or you can enable it explicitly with -XX:+UseParallelGC. If you’d rather keep the GC pauses shorter at the expense of using more total CPU time for GC, and you have more than one CPU, you can use the concurrent collector (-XX:+UseConcMarkSweepGC). Note that the concurrent collector tends to require more RAM allocated to the JVM than the serial or parallel collectors for a given workload because some memory fragmentation can occur.

15. How do you do performance tuning of WLS?

It can be categorized in 4 parts.
a. Application Tuning.
jsp precompilation, ejb pool size cache..

b. OS Tuning

Setting tcp ip parameter.
tcp_time_wait_interval
tcp_conn_req_max_q

c. Core Server Tuning.

tune workmanager, tune chuck size and chunck pool size, using performance packs, conenction backlog buffering.

d. JVM Tuning
tuning gc strategy, monitoring garbage collection..

Filed in Uncategorized | Tagged | Comments (4) »

Webservice Security – WS-Trust and WS-SecureConversation an overview

03-Feb-12

Webservices

“A Web Service is a system designed to support interoperable communication from machine to machine over a network. It includes an interface described in a machine-processable format (WSDL), and is typically conveyed using HTTP with XML serialization.”
Webservices exist in a wide range of architecture, technologies and software design. They provide an interaction mechanism between Business to Business applications. Webservices rely on SOAP Protocol for the interaction between the B2B applications. SOAP is and XML Based protocol that uses HTTP as its base transport protocol. Following is an example of a SOAP Request and SOAP Response

 

REQUEST

 

POST /SecureHelloWorldService/SecureHelloWorldService

HTTP/1.1 User-Agent: BEA WebLogic Server 10.3.0.0

Content-Type: text/xml; charset=utf-8 SOAPAction: “”

Host: 127.0.0.1:7000

Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2

Connection: keep-alive Content-Length: 187

 

<env:Envelope xmlns:env=”http://schemas.xmlsoap.org/soap/envelope/”>

<env:Header />

<env:Body>

<m:sayHello xmlns:m=”http://www.bea.com”>

<m:s>World</m:s>

</m:sayHello>

</env:Body>

</env:Envelope>

 

RESPONSE

 

HTTP/1.1 200 OK Date: Tue, 24 Jan 2012 06:15:42 GMT

Transfer-Encoding: chunked

Content-Type: text/xml; charset=utf-8

SOAPAction: “” X-Powered-By: Servlet/2.5 JSP/2.1

 

<env:Envelope

xmlns:env=”http://schemas.xmlsoap.org/soap/envelope/”>

<env:Header />

<env:Body>

<m:sayHelloResponse xmlns:m=”http://www.bea.com”>

<m:return>Hello World</m:return>

</m:sayHelloResponse>

</env:Body>

</env:Envelope>

 

Webservices Security

For a secure environment data exchange cannot happen in clear text as sensitive information might be exchanged. Also securing the communication channel for all communication is an overhead and might not be acceptable in all scenarios. Hence many specifications exist which allows to secure the data exchanged. One such framework is WS-Policy which defines how secure messages can be exchanged. To demonstrate this I have secured the above Webservice using standard policies and captured the SOAP Request and SOAP Response

 

@Policies({    @Policy(uri=”policy:Auth.xml”, direction=Policy.Direction.inbound),    @Policy(uri=”policy:Sign.xml”),    @Policy(uri=”policy:Encrypt.xml”)})

 

The message body is encrypted

<env:Body wsu:Id=”Body_FE10KgY262Y31ZRm” xmlns:wsu=”http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd”>

<ns1:EncryptedData Id=”3ZpXu9BlqgQNKF4s” Type=”http://www.w3.org/2001/04/xmlenc#Content” MimeType=”text/xml” Encoding=”UTF-8″ xmlns:ns1=”http://www.w3.org/2001/04/xmlenc#”> <ns1:EncryptionMethod Algorithm=”http://www.w3.org/2001/04/xmlenc#tripledes-cbc” /> <ns1:CipherData> <ns1:CipherValue> T7MoCfhyDwXRjLrpRhZ62es3qK2jhTbY2ReS1ZSWhRaBidi8DwW5EbzNQKgudtPa8m7zxkW/ljebMV5dSvIZrJC1o+6peC111iFgPC4jMyA= </ns1:CipherValue>

</ns1:CipherData>

</ns1:EncryptedData>

</env:Body>

 

In addition to this, security tokens need to be passed for authentication and authorization purpose.

Username Password Token

<wsse:UsernameToken wsu:Id=”unt_CQbnapvDgXSDnTtZ” xmlns:wsu=”http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd”> <wsse:Username>weblogic</wsse:Username>

<wsse:Password Type=”http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText”> weblogic </wsse:Password>

</wsse:UsernameToken>

 

Binary Security Token

<wsse:BinarySecurityToken wsu:Id=”bst_MIWyV2RKFBlLh9AT”xmlns:wsu=”http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd”ValueType=”http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3″EncodingType=”http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary”>MIICYTCCAgugAwIBAgIQsAtcv4jhs9Rpsu6m…..

…………………………………………………………………………………xuT69jAN

BgkqhkiG9w0BAQQFADB5MQswCQYDVQQGEwJVUzEQM

/wsse:BinarySecurityToken>

 

Following is the lists of supported tokens that can be used for authentication and authorization purposes

Lists of tokens (Table 1)

Table 1

Token Type Description
User Name Token-Plain Carries basic information (username and a clear text password or shared secret) for purposes of authenticating the user identity to the WSP. Communication is done in plain text so SSL over HTTPS transport must be used to protect the credentials.
Kerberos Token Carries basic information (username and, optionally, a password or shared secret), in a Kerberos token, for purposes of authenticating the user identity to the WSP.
X.509 Token Contains an X.509 formatted certificate for authentication using credentials created with a public key infrastructure (PKI). In this case, the WSC and WSP must trust each other’s public keys or share a common, trusted certificate authority.
SAML-Holder-Of-Key Token Uses the SAML holder-of-key confirmation method whereby the WSC supplies a SAML assertion with public key information as the means for authenticating the requester to the web service provider. A second signature binds the assertion to the SOAP payload. Can use either SAML v1.x or SAML v2.
SAML-Sender Vouches Token Uses the SAML sender-vouches confirmation method whereby the WSC adds a SAML assertion and a digital signature to a SOAP header. A sender certificate or public key is also provided with the signature. Can use either SAML v1.x or SAML v2.

 

Key Exchange using WS-Trust

In the model above it’s the responsibility of the server to validate the tokens, signatures and perform authentication and authorization. This again can be an overhead, especially if the numbers of clients are very high. Also if the client is not known to the Service, it becomes difficult to establish a trust with the client. To address this situation WS-Trust standard has been adopted.  In this model, the responsibility of establishing the trust has been assigned to a third party. Clients request for a Security Token from a Secure Token Server (STS). Once they get the token, they present the token to the Service. The exchange mechanism and standard format of the token has been provided in WS-Trust specification.  In my test, I used opensso (an open source STS Server) and captured the request-response interaction as depicted in Figure below.

 



1)Client requests for a Security token to a Secure Token Server

<soap:Envelope  xmlns:wsa=”http://schemas.xmlsoap.org/ws/2004/08/addressing”  xmlns:wsu=”http://schemas.xmlsoap.org/ws/2002/07/utility”  xmlns:wsse=”http://schemas.xmlsoap.org/ws/2002/12/secext”  xmlns:soap=”http://schemas.xmlsoap.org/soap/envelope/”>

<soap:Header>      <wsa:To>http://demo</wsa:To>

<wsse:Security soap:mustUnderstand=”1″>  ….      </wsse:Security>    </soap:Header>    <soap:Body wsu:Id=”Id-d7fceab4-62ed-45fb-bc09-69310ff1712e”>      <wsse:RequestSecurityToken>        <wsse:TokenType>wsse:SecurityContextToken</wsse:TokenType>        <wsse:RequestType>wsse:ReqIssue</wsse:RequestType>        <wsp:AppliesTo xmlns:wsp=”http://schemas.xmlsoap.org/ws/2002/12/policy”>          <wsa:EndpointReference>            <wsa:Address>http://localhost:7001//SecureHelloWorldService/SecureHelloWorldService</wsa:Address>          </wsa:EndpointReference>

</wsp:AppliesTo>

</wsse:RequestSecurityToken>    </soap:Body>

</soap:Envelope>

2)Secure Token Server provides the token to the Client.

<soap:Envelope xmlns:wsa=”http://schemas.xmlsoap.org/ws/2004/08/addressing”  xmlns:wsu=”http://schemas.xmlsoap.org/ws/2002/07/utility”  xmlns:wsse=”http://schemas.xmlsoap.org/ws/2002/12/secext”  xmlns:soap=”http://schemas.xmlsoap.org/soap/envelope/”>

<soap:Header>      <wsse:Security soap:mustUnderstand=”1″> ….

</wsse:Security>

</soap:Header>    <soap:Body wsu:Id=”Id-aa53632b-2211-46c8-451-4234b12ecf834″>

<xenc:EncryptedData xmlns:xenc=”http://www.w3.org/2001/04/xmlenc#”>        <xenc:EncryptionMethod Algorithm=”http://www.w3.org/2001/04/xmlenc#tripledes-cbc” />        <xenc:CipherData>          <xenc:CipherValue>…

</xenc:CipherValue>

</xenc:CipherData>

</xenc:EncryptedData>

</soap:Body>  </soap:Envelope>

3)Using the token, the service is invoked.

<soap:Envelope xmlns:soap=”http://schemas.xmlsoap.org/soap/envelope/”  xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance”  xmlns:xsd=”http://www.w3.org/2001/XMLSchema”  xmlns:wsa=”http://schemas.xmlsoap.org/ws/2004/08/addressing”  xmlns:wsu=”http://schemas.xmlsoap.org/ws/2002/07/utility”  xmlns:wsse=”http://schemas.xmlsoap.org/ws/2002/12/secext”>

<soap:Header>      <wsa:To>http://quoteservice</wsa:To>

<wsse:Security soap:mustUnderstand=”1″> ….      </wsse:Security>

</soap:Header>    <soap:Body wsu:Id=”Id-aa53632b-2211-46c8-451-4234b12ecf834″>

<xenc:EncryptedData xmlns:xenc=”http://www.w3.org/2001/04/xmlenc#”> …

</xenc:EncryptedData>    </soap:Body>

</soap:Envelope>

 

4)Response from the service

<soap:Envelope xmlns:soap=”http://schemas.xmlsoap.org/soap/envelope/”  xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance”  xmlns:xsd=”http://www.w3.org/2001/XMLSchema”  xmlns:wsa=”http://schemas.xmlsoap.org/ws/2004/08/addressing”  xmlns:wsu=”http://schemas.xmlsoap.org/ws/2002/07/utility”>    <soap:Header>    </soap:Header>    <soap:Body>       <m:sayHelloResponse xmlns:m=”http://www.bea.com”>

<m:return>Hello World</m:return>       </m:sayHelloResponse>

</soap:Body>

</soap:Envelope>

 

References

1) Webservices Vulnerabilities, Security Compass Inc 2007
2) WS Trust Specification

http://specs.xmlsoap.org/ws/2005/02/trust/WS-Trust.pdf

3) WS Security Specification

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf

4) Open SSO STS Solution

http://en.wikipedia.org/wiki/OpenSSO

http://www.oracle.com/technetwork/testcontent/opensso-091890.html

Filed in Uncategorized | Tagged , | Comments (2) »