Covering J2EE Security and WebLogic Topics

WebLogic 11g Released

Oracle Fusion Middleware 11g was released today which includes an updated WebLogic Server. For WebLogic Server there’s not a whole lot of news in the security department. Here’s what’s new:

  • A new Oracle Internet Directory Authentication Provider
  • A new Oracle Virtual Directory Authentication Provider
  • Support for WS-SecureConversation 1.3 on JAX-WS
  • Support for MTOM with WS-Security on JAX-WS

What’s interesting from the greater Fusion Middleware perspective, though, is the new Oracle Platform Security Service (OPSS) which provides common security functionality across the Fusion product line. It seems like Oracle took the WebLogic/AquaLogic Enterprise Security idea and ran with it big time. Looks like a major boon for all-Oracle shops…

Another WebLogic Security Blog

A colleague pointed out another blog that covers WebLogic security that you might find useful. Looks like Josh Bregman is off to a good start on his Oracle Fusion Middleware Security blog. Check it out.

Oracle Acquired BEA

The deed is done. Oracle bought BEA.

Rest in pieces, BEA…

Reflections 2007

Happy New Year!

2007 passed by so quickly — it’s funny how the passage of time can feel so relative. Remember back in grade school it seemed like the school year lasted F-O-R-E-V-E-R and that even the summer did, too? I distinctly remember staring out the window in third grade lamenting that school seemed so endless. That day was a bleak winter one and it apparently matched my mood. I even remember time spent daydreaming in class about how old I’d be in the year 2000. That year seemed so magical in the mid- to late-seventies. I couldn’t even envision myself at 33. I’d be so OLD! 2000 had seemed so far away and now it’s 8 years in the past.

I hope that your 2007 was a good one and that 2008 will be even better. (And maybe a little slower, too.)

On the blog front, it’s fun (for me, at least) to mention that a Google search for “client-cert” has my post The Mysterious CLIENT-CERT as the number one result. W00t! Well, at least on some days, it does. On other days it occupies the second slot but clearly Google’s algorithm is out to lunch when that happens. 😉 It’s the Schrödinger’s cat of search results.

Speaking of “w00t,” the “word” was Merriam-Webster’s Word of the Year for 2007. I find that humorous.

Speaking of Schrödinger’s cat, I had a brilliant idea for a quote on T-shirts:

Curiosity killed Schrödinger’s cat. (maybe)

I find that humorous, too. Only too bad for me because a quick search of the net turns up that quote (minus the “maybe”) a bunch of times. I guess I’m not as clever as I thought.

Back to the blog…

In case you missed them, here’s a list of my Top 10 posts for 2007 as reported by that All-Knowing Oracle of Web Traffic, Google Analytics:

  1. WebLogic Embedded LDAP
  2. Common Problems with Authentication Provider Configuration
  3. The Fifteen Minute Guide to Mutual Authentication
  4. The Mysterious CLIENT-CERT
  5. Verisign’s New Intermediate CA and You
  6. Authentication Methods in Web Applications
  7. WebLogic 9.1 Authorization Gotcha
  8. WebLogic Security Framework Overview
  9. WebLogic Auditing
  10. Mutual Authentication in Action

Yikes! That looks almost identical to the list for 2006. Maybe the passage of time is slower than I thought!

Speaking of Oracle, the database company of the same name (you might have heard of them) didn’t buy BEA in 2007. But who knows what 2008 will bring. Maybe Oracle won’t destroy WebLogic if they buy BEA. I don’t know. I’ve read some opinion pieces that BEA can’t survive the onslaught of IBM and Oracle and that it’s just a matter of time before BEA is acquired. Perhaps WebLogic is the Schrödinger’s cat of application servers. Perhaps Oracle is looking for a quantum leap in their product offering. Perhaps that would make Larry say “W00t!”

Serious Adobe Reader (PDF) Vulnerability

There is a very serious Cross-Site Scripting (XSS) vulnerability in Windows versions of Adobe Reader older than 8.x.

If you have a website that hosts PDF files, your website is vulnerable to session hijacking since a user can have his JSESSIONID cookie stolen. There’s little you can do about it server-side since it’s a browser/plugin problem. Server-side, you can either stop hosting PDF files or (possibly) serve them under a MIME type the browser doesn’t recognize.

Users themselves can have a host of bad things happen to them with this exploit. See MSNBC for more details in general terms. For technical details, start with Jeremiah Grossman’s write-up.

The solution is to upgrade to Adobe Reader 8. Adobe says that they will have patches for older versions if people can’t upgrade for some reason. You could also turn off JavaScript or tell your browser to open Acrobat outside of the browser, but getting the new plugin is more foolproof.

Seriously, don’t go another day without upgrading. This exploit is going to be huge… :-(

Reflections 2006

It’s hard to believe that it’s been a year since I started this blog. From its inception, my intention was to give a little something back to the massive Internet community from which I’ve acquired a wealth of information on subjects ranging from professional to personal. I also knew that I’d get a deeper knowledge of the technical subject matter by simply writing about it.

Blogging also allows me to scratch my writing itch. During the first month or so, I wrote several posts a week. Over time, that was simply not a pace I could maintain. I’m down to one or two posts a month now primarily because each post takes several hours since I usually prototype what I’m discussing and try to be very thorough.

I also thought that Google AdSense income would cover my hosting costs. Let’s just say that part hasn’t panned out. 😉 If you plan on starting a technical blog and want AdSense income, pick a subject that has broad appeal. Also keep in mind that technical websites tend to attract corporate workers who are behind ad-blocking software such as WebSense so many of your viewers won’t even see the ads. Fortunately, hosting is cheap these days.

Top 10 Posts for 2006

In case you missed them, here are my top 10 most popular posts:

  1. WebLogic Embedded LDAP
  2. The Fifteen Minute Guide to Mutual Authentication
  3. Common Problems with Authentication Provider Configuration
  4. The Mysterious CLIENT-CERT
  5. WebLogic Security Framework Overview
  6. Authentication Methods in Web Applications
  7. WebLogic 9.1 Authorization Gotcha
  8. WebLogic Auditing
  9. Security Realm Logging in WebLogic 8.1
  10. Mutual Authentication in Action

Yes, I’m also surprised that a post on WebLogic’s embedded LDAP takes the top slot. While most of its traffic is subject-specific, it also gets a lot of hits for a Firefox error message that I included in the text. Hmm, I wonder if “Britney Spears” is still the top ranking search phrase. I’ll have to start sprinkling such terms around! 😉

Another thing to note from this list is that all of the posts are WebLogic-related. I had intended to cover generic J2EE security but the reality is that there’s only so much J2EE security you can cover before getting into specific implementations of it. With this in mind, I hope to expand somewhat into the security aspects of WebSphere and JBoss in 2007. Hopefully, I’ll be able to provide meaningful content related to these servers while expanding my horizons at the same time.

Thanks for reading and please consider using the RSS feed or the email list for getting the latest posts. This isn’t a high volume blog so getting the posts sent to you sure beats checking the website for them.

Have a great new year!

Free Download: Consolidated Browser

In a recent post I mentioned RSS and the free newsletter as alternatives to manually checking to see if this site has been updated. Today, I’d like to offer you something I’ve been using for a while to monitor sites that don’t have RSS feeds. I call it the Consolidated Browser.

The Consolidated Browser is nothing more than an HTML page that you store on your computer and load in your browser. You configure it to point to your sites of interest. All it does is display those sites in a stack of iframes in your browser window. There are quicklinks to each site’s iframe and the entire collection refreshes at a configurable interval. All you need to do is slide the outer scrollbar to see if anything has changed on the sites.

Configuration is easy. Edit the file and change the following section to point to your favorite sites:

sites[0] = "";
sites[1] = "";
sites[2] = "";

You can have as many sites as you wish. Simply increase the index number by one for each new site.

The entire page of entries is refreshed every ten minutes by default. To change the interval (in seconds), change 600 in the following line:

<meta http-equiv="refresh" content="600">

That’s all there is to it. It’s cheesy but effective. I like to keep my Consolidated Browser in a Firefox tab for easy access. Throw it on a web server and you can quickly check your sites wherever you go.
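As an added example (not the downloadable Consolidated Browser file itself), here is a small Node.js script that generates the page described above from the same sites[] array and refresh value. The site URLs are constructed placeholders, and the http(s)-only check and attribute escaping are my additions, not features of the original tool.

```javascript
// Added example: generate a Consolidated Browser page from a sites[] array.
// Usage: node consolidated.js > consolidated.html, then open the file.

// Constructed sample configuration; replace with your own sites.
const sites = [];
sites[0] = "https://example.com/";
sites[1] = "https://example.org/news";
sites[2] = "https://example.net/status?x=1&y=2";

const REFRESH_SECONDS = 600; // ten minutes, as in the original tool

// Escape a value for use inside an HTML attribute so that a site entry
// containing quotes or angle brackets cannot break out of the markup.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Build the whole page: meta refresh, quicklinks, then one iframe per site.
// Only http(s) entries are embedded; anything else in the list is skipped
// rather than turned into an iframe source.
function buildConsolidatedBrowser(siteList, refreshSeconds) {
  const accepted = siteList.filter((s) => /^https?:\/\//i.test(s));
  const links = accepted
    .map((s, i) => `<a href="#site${i}">${i + 1}</a>`)
    .join(" | ");
  const frames = accepted
    .map((s, i) =>
      `<div id="site${i}"><p>${escapeAttr(s)}</p>` +
      `<iframe src="${escapeAttr(s)}" width="100%" height="600"></iframe></div>`)
    .join("\n");
  return `<!DOCTYPE html>\n<html><head>\n` +
    `<meta http-equiv="refresh" content="${Number(refreshSeconds)}">\n` +
    `<title>Consolidated Browser</title></head>\n<body>\n` +
    `<p>${links}</p>\n${frames}\n</body></html>\n`;
}

console.log(buildConsolidatedBrowser(sites, REFRESH_SECONDS));
```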

You’re free to modify and distribute the file however you’d like. Please let me know if you make any improvements. You don’t have to, of course, but I’d love to hear your ideas.

Right click here and choose Save Link As to download the Consolidated Browser.

Free Bastion Blog Newsletter

If you’d prefer to get this blog’s content delivered directly to your inbox, consider signing up for the Bastion Blog Newsletter. At the end of each week I’ll send you an email containing that week’s content. Your email address will be kept strictly confidential.

Sign up for the Free Bastion Blog Email Newsletter

Besides visiting the website or subscribing to the newsletter, there’s always the RSS feed if you are interested in that approach.


Since this is my first post, it seems like a good time to give you an overview of what you’ll find here.

I intend to focus on J2EE application security topics in general and WebLogic security in particular. I’ll also occasionally cover non-security related aspects of the WebLogic stack. The majority of the posts will be technical but I’ll sometimes throw in Executive Summaries on certain topics to make sure that we’re all on the same page. I hope these posts will be especially helpful for developers who are dealing with security issues for the first time. In fact, my first “real” post, Monty Python Teaches Application Security, will be one of these overviews.

Hopefully, a like-minded community will grow around this blog so that we can learn from each other. Feel free to comment profusely and set me straight when I need it.

About Me

I’ve worked with Java since 1998 and J2EE since 2001. WebLogic has been my primary platform for J2EE development since 2002 and, through a twist of fate, I’ve dealt with application security since then, too.

I can be reached via email at mike at

Thanks for reading,

Mike Fleming
