Weblogic SAML Attribute Mapper Example

It is useful to send custom attributes or tokens in the attribute carrying the identity information of the authenticated user. This identity information can then be used by the destination site to access services on behalf of the user. To implement a SAML Attribute Mapper on Weblogic Server, you need to


How to check for SSL POODLE / SSLv3 bug on WebLogic? How to fix

Details of the SSL POODLE bug can be found here. We can address it in the following way:

1) Disable SSL 3.0 support in the client.
2) Disable SSL 3.0 support in the server.

We can start WebLogic Server with the following JVM option:

    -Dweblogic.security.SSL.protocolVersion=TLS1

Ref: Use specific SSL


Two way SSL Webservice on Weblogic Server

This article provides a sample Webservice and Webservice Client for two-way SSL. It also demonstrates the use of the WLSSSLAdapter class to send certificates to the server.

1. Create a JWS with the following policy: Wssp1.2-2007-Https-ClientCertReq.xml

    package examples.webservices.security_jws;

    import weblogic.jws.WLHttpTransport;
    import weblogic.jws.Policies;
    import weblogic.jws.Policy;
    import javax.jws.WebService;
    import javax.jws.WebMethod;
    import javax.jws.soap.SOAPBinding;

    @WebService(name="SecureHelloWorldPortType",


Recommended Best Practices for Securing WebLogic Server.

Disable SSL V2, Weak Ciphers, and Null Encryptions

You can use the following JVM options to disable weak ciphers:

    -Dweblogic.security.SSL.allowUnencryptedNullCipher=false
    -Dweblogic.security.disableNullCipher=true

Steps to disable SSL V2 follow later.

Use Secure Cookies to Prevent Session Stealing

Please refer to this article: link

Configure WebLogic Server to use a Specific Cipher


Using RolesAllowed and SecurityRole annotations to secure Webservices on Weblogic

1. Write a JWS that uses the RolesAllowed and SecurityRole annotations

    package examples.webservices.security_jws;

    import weblogic.jws.WLHttpTransport;
    import weblogic.jws.Policies;
    import weblogic.jws.Policy;
    import javax.jws.WebService;
    import javax.jws.WebMethod;
    import javax.jws.soap.SOAPBinding;
    import weblogic.jws.security.RolesAllowed;
    import weblogic.jws.security.SecurityRole;

    @WebService(name="SecureHelloWorldPortType",
                serviceName="SecureHelloWorldService",
                targetNamespace="http://www.bea.com")
    @SOAPBinding(style=SOAPBinding.Style.DOCUMENT,
                 use=SOAPBinding.Use.LITERAL,
                 parameterStyle=SOAPBinding.ParameterStyle.WRAPPED)
    @WLHttpTransport(contextPath="SecureHelloWorldService",
                     serviceUri="SecureHelloWorldService",
                     portName="SecureHelloWorldServicePort")
    @RolesAllowed ( { @SecurityRole (role="testrole") } )
    public class SecureHelloWorldImpl {

        @WebMethod()


How to load webservices security policy from classpath

1) Add the following JAVA OPTION to the classpath

    -Dweblogic.wsee.policy.LoadFromClassPathEnabled=true

2) Write a simple policy.

Encrypt.xml

    <?xml version="1.0"?>
    <wsp:Policy
        xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
        xmlns:wssp="http://www.bea.com/wls90/security/policy"
    >
      <wssp:Confidentiality>
        <wssp:KeyWrappingAlgorithm URI="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <wssp:Target>
          <wssp:EncryptionAlgorithm URI="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
          <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
            wsp:Body()
          </wssp:MessageParts>
        </wssp:Target>
        <wssp:KeyInfo/>
      </wssp:Confidentiality>
    </wsp:Policy>

3) Write a JWS that uses this Policy

SecureHelloWorldImpl.java

    package examples.webservices.security_jws;

    import


Testing secure webservice on Weblogic using SOAP UI

Create the certificates for the client using keytool and store them at a location. You can refer to our articles on SSL for more details on how to create keystores. Once the client keystore is created, you need to do the following configuration on SOAP UI.


High CPU Usage of WebLogic Server on Linux

If you observe CPU being hogged by the Weblogic Server process on a Linux machine, you need to find out the Weblogic Server process ID using

    ps -ef | grep java

After you’ve found out the process ID, find the thread IDs (lightweight process IDs) and their CPU


javax.xml.stream.XMLStreamException while validating xml

    javax.xml.stream.XMLStreamException: ParseError at [row,col]:[2,134]
    Message: Tried all: ‘1’ addresses, but could not connect over HTTP to server: ‘java.sun.com’, port: ’80’
        at com.sun.xml.stream.XMLReaderImpl.next(XMLReaderImpl.java:545)
        at weblogic.servlet.internal.TldCacheHelper$TldIOHelper.parseXML(TldCacheHelper.java:132)
        at weblogic.descriptor.DescriptorCache.parseXML(DescriptorCache.java:380)
        at weblogic.servlet.internal.TldCacheHelper.parseTagLibraries(TldCacheHelper.java:65)
        at weblogic.servlet.internal.War.getTagInfo(War.java:889)
        at weblogic.servlet.internal.WebAppServletContext$ServletContextWebAppHelper.getTldInfo(WebAppServletContext.java:3708)

You might encounter the following exception when the server on which Weblogic is hosted is not able to


Simple Checklist for WebLogic to JBoss Migration

Compare the supported J2EE specs (EJB, JMS, Webservices) of the Weblogic version you are going to migrate from with those of the JBoss Server version. You will get the details from their official websites. Find out the architecture of the Weblogic Application Server (How many servers? Clusters? Machines?) either from
