Thursday, December 23, 2010

Web Security (and Weblogic)

When defining security roles for a web app:

1/ In your web.xml
Declare how and where the authentication should occur (here, FORM-based login against the myrealm realm):

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>myrealm</realm-name>
  <form-login-config>
    <form-login-page>/action/auth/login</form-login-page>
    <form-error-page>/jsp/security/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

2/ In your web.xml
Declare your authorization roles (one security-role element per role):

<security-role>
  <role-name>MessagePoster</role-name>
</security-role>
<security-role>
  <role-name>MessageViewer</role-name>
</security-role>
<security-role>
  <role-name>QueuePauser</role-name>
</security-role>
<security-role>
  <role-name>ServiceEnabler</role-name>
</security-role>
<security-role>
  <role-name>LogLevelManipulator</role-name>
</security-role>
<security-role>
  <role-name>Resequencer</role-name>
</security-role>
<security-role>
  <role-name>MessageRetrier</role-name>
</security-role>
<security-role>
  <role-name>ErrorReportCloser</role-name>
</security-role>
<security-role>
  <role-name>SystemSwitcher</role-name>
</security-role>
<security-role>
  <role-name>OptionsSetter</role-name>
</security-role>
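The security-role entries above only name the roles; on their own they protect nothing. Access is restricted only once a security-constraint ties URL patterns to those roles. The fragment below is an added example, not part of the original post: the role names are the post's, but the URL patterns, resource names and the choice of CONFIDENTIAL transport are assumptions.

```xml
<!-- Added example, not from the original post. URL patterns, resource names
     and the transport guarantee are assumptions; the roles come from the post. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Message posting</web-resource-name>
    <url-pattern>/action/messages/post/*</url-pattern>
    <!-- No http-method elements on purpose: listing methods protects only the
         ones listed, leaving every other method on this pattern unconstrained. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>MessagePoster</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Require HTTPS so the FORM login credentials are not sent in clear. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Message viewing</web-resource-name>
    <url-pattern>/action/messages/view/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Several roles may be allowed on one resource. -->
    <role-name>MessageViewer</role-name>
    <role-name>MessagePoster</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

Two things to check when writing these: the form-login-page and form-error-page from the login-config must not themselves match a constrained url-pattern (otherwise the container loops trying to authenticate the login page), and an auth-constraint with no role-name at all denies everyone, which is the right way to block a path outright rather than leaving it out of every constraint.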


For WebLogic.
In the security realm, different security models are possible. This is set from the realm's "Security Model Default" setting.
The options are DD (Deployment Descriptor), Custom Roles, Custom Roles and Policies, and Advanced.
When deploying you can also set the model under Security, where the console asks "What security model do you want to use with this application?":

· DD Only: Use only roles and policies that are defined in the deployment descriptors.

· Custom Roles: Use roles that are defined in the Administration Console; use policies that are defined in the deployment descriptor.

· Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console.

· Advanced: Use a custom model that you have configured on the realm's configuration page.

In your weblogic.xml you can perform the role/group/user mappings
(one entry per role):

<wls:security-role-assignment>
  <wls:role-name>ErrorReportCloser</wls:role-name>
  <wls:principal-name>WATSupportGroup</wls:principal-name>
</wls:security-role-assignment>



Or you can delegate the mapping back to the WebLogic admin console (better). See my earlier post on defining WebLogic roles.
(one entry per role; note that externally-defined must be in the same wls namespace as the surrounding elements)

<wls:security-role-assignment>
  <wls:role-name>MessageViewer</wls:role-name>
  <wls:externally-defined/>
</wls:security-role-assignment>

Oracle SOA Suite

(work in progress) I will fill this in as I progress


Instructions for SOA Suite

The best place to start is the tutorial:

http://download.oracle.com/docs/cd/E12839_01/integration.1111/e10275/intro.htm

This tells you what you need to download:

· Task 1: Install Oracle JDeveloper Studio

· Task 2: Install the Fusion Order Demo Application

· Task 3: Install Oracle SOA Suite

· Task 4: Create a Connection to an Oracle WebLogic Server

Task 1/

Download JDeveloper from:

http://www.oracle.com/technetwork/developer-tools/jdev/overview/index.html

Then you need to download the extensions (in particular the Oracle SOA Composite Editor) from:

http://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/156082.xml

Pretty print XML

If you want to format your XML there are lots of ways.

This URL uses Xerces:

http://stackoverflow.com/questions/139076/how-to-pretty-print-xml-from-java

(It also uses JTidy, which I could not get to work with pure XML: it kept adding HTML tags.)

Just to note that the top-rated answer there requires the use of Xerces. If you don't want to add this dependency and would rather stick to standard Java, you can simply use the JDK's own javax.xml.transform.Transformer with an identity transform, as below.

(Note: if an error occurs this will return the original text.)

package ie.bge.middleware.tools;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;

import javax.xml.transform.OutputKeys;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.sax.SAXTransformerFactory;
import javax.xml.transform.stream.StreamResult;

import org.xml.sax.InputSource;

public class Test {
    public static void main(String[] args) {
        Test t = new Test();
        // A well-formed document is re-serialised with indentation; input that
        // fails to parse (such as the plain string "text D") is returned unchanged.
        System.out.println(t.formatXml("<a><b>text</b><c/></a>"));
        System.out.println(t.formatXml("text D"));
    }

    public String formatXml(String xml) {
        try {
            // No stylesheet given, so this is an identity transform: the input is
            // copied to the output with the output properties below applied.
            Transformer serializer = SAXTransformerFactory.newInstance().newTransformer();
            serializer.setOutputProperty(OutputKeys.INDENT, "yes");
            // The JDK's built-in serializer indents by zero spaces unless told how many.
            serializer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "2");
            // Be explicit about the charset in both directions; the platform
            // default is not necessarily UTF-8.
            Source xmlSource = new SAXSource(new InputSource(
                    new ByteArrayInputStream(xml.getBytes("UTF-8"))));
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            serializer.transform(xmlSource, new StreamResult(out));
            return new String(out.toByteArray(), "UTF-8");
        } catch (Exception e) {
            // TODO log error
            return xml;
        }
    }
}
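One thing the formatter above does not control is the parser it hands the text to. An identity transform still has to parse the input, and the default SAX parser accepts a DOCTYPE, which is what external entity injection and entity-expansion attacks rely on. If the XML being pretty-printed comes from outside (a message payload displayed in a console, for instance), the parser should be built explicitly with DTDs disabled. The class below is an added example written for this post, not code from the original; the class name, the sample documents and the use of the JDK's built-in parser feature names are assumptions.

```java
import java.io.StringReader;
import java.io.StringWriter;

import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;

import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

/**
 * Added example (hypothetical class, not from the original post): the same
 * identity-transform pretty-printer, but with the SAX reader built by hand so
 * that DOCTYPE declarations are refused before any entity can be resolved.
 */
public class SafeXmlFormatter {

    public static String formatXml(String xml) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        // Refusing every DOCTYPE closes off external entities and entity
        // expansion in one step. This feature name is the one understood by
        // the Xerces-based parser bundled with the JDK.
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        XMLReader reader = spf.newSAXParser().getXMLReader();

        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Transformer t = tf.newTransformer();
        t.setOutputProperty(OutputKeys.INDENT, "yes");
        t.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "2");

        // Passing our own XMLReader in the SAXSource is what makes the
        // transformer use the hardened parser rather than a default one.
        StringWriter out = new StringWriter();
        t.transform(new SAXSource(reader, new InputSource(new StringReader(xml))),
                    new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: an ordinary document is formatted as before.
        System.out.println(formatXml("<msg><id>42</id><body>hello</body></msg>"));

        // Constructed sample input carrying a DOCTYPE with an internal entity.
        // The parser stops at the DOCTYPE; the failure surfaces wrapped in a
        // TransformerException, which is what a caller should catch and log.
        String withDoctype = "<!DOCTYPE x [<!ENTITY e \"boom\">]><x>&e;</x>";
        try {
            formatXml(withDoctype);
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (TransformerException e) {
            System.out.println("rejected as intended: " + e.getMessage());
        }
    }
}
```

Unlike the post's formatXml, this version lets the exception propagate instead of silently returning the input, so a rejected document is visible in the logs rather than being echoed back unformatted.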

WebLogic DB issue

Found on WebLogic 11g.

I have a few DataSources defined, some of which are on the same DB server but with different SIDs (Oracle DBs).

One of the DB instances was removed. Then all the DataSources for DBs on that server failed to start, even though the other DB was still running. When I untargeted the problem DataSource and restarted, the second DB's DataSource started fine.

Debugging Log4j issues

Handy for log4j issues: set the following switch when you start the JVM to see what log4j is up to.

-Dlog4j.debug

Then check the log4j output on the console. This will tell you where it is loading its configuration from.

Note: be careful with multiple webapps each having their own log4j.xml or log4j.properties. These can override your settings.

This next section is not true: it was actually caused by log4j's delayed write to the log file. However, I'm still including it because the detection techniques are useful.

(My actual problem was incredibly simple, and I should have checked this first, but I made an assumption, and as we all know assumption is the mother of all F£$k ups. The tool I was working on was using Simple Logging Facade for Java (SLF4J). The developers had simply included the slf4j-jdk.jar file in the classpath instead of the slf4j-log4j.jar. Fixing my problem was simply a case of replacing the wrong jar. Using the log4j debug switch was useful, however, in pinpointing what configuration files were being picked up.)