OWASP Top 10
Today we had a hands-on “Web Application Security Training” session at our client's location. It was a very interesting session. Our coach discussed the top 10 security vulnerabilities seen in current web applications, referred to as the OWASP Top 10.
The workshop introduced two useful tools:
WebGoat – a deliberately insecure application created by OWASP that contains all of these security issues and also explains how to remedy them.
ZAP – an intercepting proxy for capturing web requests and finding security bugs in any web application.
Overriding log4j property file
Sometimes it is handy to override log4j's default behaviour. By default it looks for log4j.xml on the classpath, but I needed to override that XML with a properties file, also loaded from the classpath. Add one of the following as a VM argument to the program, or to the server's runtime arguments.
If the properties file is on the classpath:
-Dlog4j.configuration=log4j.properties
OR
-Dlog4j.configuration=mylog4j.properties
If the properties file is outside the classpath, full URL notation must be used, as in:
-Dlog4j.configuration=file:/c:/work/mylog4j.properties
OR
-Dlog4j.configuration=file:/home/apps/work/mylog4j.properties
Log4j useful patterns
Dev debugging with class, method and line number
To log the class name, method name and line number of the statement that produced each entry, add the following to the conversion pattern (these three conversion characters are derived from a stack trace on every log call, so keep the pattern to development builds):
%C{1}.%M:%L
Weblogic WSRP Keystore
wsrpKeystore.jks is found in the domain root; its password is password. Since that is the out-of-the-box value, change it before the domain leaves development and update the keystore passphrase in the PKICredentialMapper's Provider Specific settings to match.
Go to myrealm –> Providers –> Credential Mapping –> PKICredentialMapper –> Provider Specific; you should see the details for wsrpKeystore.jks.
Now list the keystore entries:
$ keytool -list -v -keystore DOMAIN_HOME/wsrpKeystore.jks
password: password
The output should list an entry with the alias wsrpconsumer.
Go to myrealm –> Credential Mappings –> PKI tab; you should see the PKI Credential Mappings. Click wsrpconsumer__81_COMPAT and you will notice it uses the alias ‘wsrpconsumer’ from the keystore above.
The Endpoint Interface does not have WebService Annotation
The following error appears when webservices-api.jar is missing from the classpath of the servlet container (Tomcat 5 in my case). Tomcat 5 expects this jar in either common/lib or common/endorsed. The log shows WSSERVLET11 (“failed to parse runtime descriptor”) from WSServletContextListener, caused by a com.sun.xml.ws.model.RuntimeModelerException stating that the endpoint interface com.sun.portal.wsrp.common.stubs.WSRPV1RegistrationPortType does not have a WebService annotation, after which the [/producer] context fails to start.
Open Portal: LifecycleManagerException
The following exception is seen in the logs when the class loader finds portlet.jar in multiple locations (in my scenario: TOMCAT_HOME/common/lib and MYWebAPP/WEB-INF/lib): LifecycleManagerImpl.createPortlets reports PSPL_PAECSPPAI0013 with a com.sun.portal.portletcontainer.appengine.LifecycleManagerException caused by a java.lang.ClassCastException on the portlet class (com.vbandaru.somepkg.SomePortlet), thrown from LifecycleManagerImpl.createPortlet. The exception vanishes once this jar is removed from the web application.
OpenPortal/Weblogic WSRP Interoperability: URL Rewriting Issue
I am trying to consume an Open Portal 2.0 Producer (JSR 286) from a Weblogic 10.3.2 Consumer.
Issue: the encoded URL contains unnecessary tokens that break resource URLs on the consumer side.
I am rendering an image like this, with the src attribute set to
<%= renderResponse.encodeURL(renderRequest.getContextPath() + "/ico_normal.jpg")%>
which produces the following URL on the consumer:
http://localhost:7001/ConsumerApp/resource/cs__pageLabel%3Dtest_portal_page_2_page_3%26_portlet.portalUrl%3D%252FConsumerApp%252Fconsumer%252Ftest.portal%26_st%3D%26_windowLabel%3DhelloWorldPortletInvoicePortletMINE_1/u_http%3A%2F%2Flocalhost%3A8080%2FhelloWorldPortlet%2Fico_normal.jpg/id_/rr_false/po_/rs_/rc_/iu_oracle:immutableURI/*wsrp*separatororacle:mutableURI;jsessionid=Y1lnM27Zk68ZQ86sBvG19Js9vcncmGTR8s5WStcLQtS448nZ2fQT!-1164873313?oracle:mutableParameters
Notice the tokens starting with {oracle:mutable*} in the URL above; they prevent the image from rendering on the consumer. Once I remove these tokens ({oracle:immutableURI}, {oracle:mutableURI} and {oracle:mutableParameters}) and paste the URL into the browser, the image does show up. So it seems that if, while generating the WSRP markup, I replace every token of the form {oracle:mutable* …} with the empty string, I will arrive at a solution.
The consumer sends the following URL template for wsrp-resource:
http://url:domain:url:port/url:path/resource/cs_url:queryString/u_wsrp-url/id_wsrp-resourceID/rr_wsrp-requiresRewrite/po_wsrp-preferOperation/rs_wsrp-resourceState/rc_wsrp-resourceCacheability/iu_oracle:immutableURI/*wsrp*separatororacle:mutableURI?oracle:mutableParameters
Section 9.2.2 of the WSRP 2.0 specification says that the producer MUST replace all tokens in the consumer-supplied URL template with values, including replacing tokens for which it has no value (or which it does not understand) with the empty string. So the “{oracle:immutableURI}” and “{oracle:mutableURI}” tokens should be replaced with “” (the empty string) by the producer.
#1. Is this a bug? Which Java classes in the source handle the URL encoding, so that I can patch them as a hotfix in my environment for the time being?
#2. Is there a flag or configuration setting that makes the Producer use “consumer URL rewriting”?
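A spec-compliant version of the rewriting this post is asking for, as an added example rather than code from OpenPortal or WebLogic: it expands the consumer template quoted above, percent-encoding each value the producer knows and replacing tokens it does not understand with the empty string as section 9.2.2 requires, and the leftover_tokens check flags producer output that still carries template tokens. The curly braces around the tokens and the SAMPLE_VALUES are assumptions constructed for the example.

```python
import re
from urllib.parse import quote

# Consumer-supplied wsrp-resource template from the post. WSRP 2.0 writes each
# token as {name}; the braces are restored here (assumption: the blog rendering
# stripped them). url:* and oracle:* tokens are consumer-specific, wsrp-* tokens
# are defined by the WSRP 2.0 specification.
TEMPLATE = (
    "http://{url:domain}:{url:port}/{url:path}/resource/cs_{url:queryString}"
    "/u_{wsrp-url}/id_{wsrp-resourceID}/rr_{wsrp-requiresRewrite}"
    "/po_{wsrp-preferOperation}/rs_{wsrp-resourceState}"
    "/rc_{wsrp-resourceCacheability}/iu_{oracle:immutableURI}"
    "/*wsrp*separator{oracle:mutableURI}?{oracle:mutableParameters}"
)

# Values a producer would hold for the image URL in the post (constructed; the
# query string is shortened from the one shown above).
SAMPLE_VALUES = {
    "url:domain": "localhost",
    "url:port": "7001",
    "url:path": "ConsumerApp",
    "url:queryString": "_pageLabel=test_portal_page_2_page_3"
                       "&_windowLabel=helloWorldPortletInvoicePortletMINE_1",
    "wsrp-url": "http://localhost:8080/helloWorldPortlet/ico_normal.jpg",
    "wsrp-resourceID": "",
    "wsrp-requiresRewrite": "false",
    "wsrp-preferOperation": "",
    "wsrp-resourceState": "",
    "wsrp-resourceCacheability": "",
}

TOKEN = re.compile(r"\{([A-Za-z0-9_:-]+)\}")


def rewrite_url(template, values, drop_unknown=True):
    """Expand a consumer URL template on the producer side.

    Every token the producer knows is replaced by its percent-encoded value, so
    a value such as a full http:// URL cannot add path segments or query
    parameters of its own. With drop_unknown=True, tokens the producer does not
    understand become the empty string (WSRP 2.0 section 9.2.2); with
    drop_unknown=False they are left in place, which is the behaviour that
    produced the broken image URL in the post.
    """
    def expand(match):
        name = match.group(1)
        if name in values:
            return quote(values[name], safe="")
        return "" if drop_unknown else match.group(0)
    return TOKEN.sub(expand, template)


def leftover_tokens(url):
    """Return the template tokens still present in a rewritten URL.

    A non-empty result means the producer did not follow section 9.2.2; use it
    as a check on producer output before the markup is handed to the consumer.
    """
    return TOKEN.findall(url)


if __name__ == "__main__":
    good = rewrite_url(TEMPLATE, SAMPLE_VALUES)
    bad = rewrite_url(TEMPLATE, SAMPLE_VALUES, drop_unknown=False)
    print("compliant:", good)
    print("tokens left in non-compliant URL:", leftover_tokens(bad))
```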
OpenPortal WSRP: ContainerException
I built a few JSR 286 portlets using the OpenPortal container with the OpenPortal WSRP implementation. The portlets worked fine in our DEV environment, but after the move to QA every request for a portlet throws the exception below into the logs, leaving no clue about what is happening behind the scenes.
catalina.log shows a com.sun.portal.container.ContainerException from WindowInvoker.getPortletContent (PSPL_PCCTXCSPPCI0006), whose cause is javax.servlet.ServletException: Servlet.init() for servlet PortletAppEngineServlet threw exception.
Our app is hosted on Tomcat 5.5.26 in both the QA and DEV environments, and it turns out that the two installations differ in their server.xml settings, which is what causes the issue. As shown in the snippet below, setting unpackWARs="true" resolves it. An alternative to changing server.xml is to deploy the WAR in exploded form.
${TOMCAT_HOME}/conf/server.xml
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false"> </Host>
Open Portal WSRP: CSS class name collision
We have an Open Portal 2.1.2 Producer running on Tomcat 5.5.26. The producer hosts JSR 286 portlets. The consumer is Weblogic 10.3.2 Portal based.
Issue: on the consumer, the portlet's CSS style classes collide with the styles of other portlets. One way to prevent this collision is to use unique CSS class names, but on the consumer side (a federated portal) there is no guarantee that it does not already have a style with the same name as the producer's.
There is a nice article on SDN (see [3]) discussing JavaScript namespace collisions, which suggests prefixing JavaScript variables and functions with <portlet:namespace/>. This is a great solution, but for an external CSS file there is no way to use <portlet:namespace/>. For internal CSS in a JSP, we can prefix the CSS class as <portlet:namespace/>_someClass.
The rest of the article explains how this can be achieved for external CSS.
Original external CSS file: sample.css
/* class selector, matching the class attribute used in sample.jsp */
.someClass {
  width:300px; word-spacing:12px; font-size:90%;
  padding-left:12px; padding-right:10px; white-space:nowrap
}
/* ... further rules ... */
Original sample.jsp
<%@page contentType="text/html"%>
<%@page pageEncoding="UTF-8"%>
<%@ page import="javax.portlet.*"%>
<%@ taglib uri="http://java.sun.com/portlet_2_0" prefix="portlet"%>
<portlet:defineObjects />
<%PortletPreferences prefs = renderRequest.getPreferences();%>
<link rel="stylesheet" type="text/css" href="<%=renderResponse.encodeURL(renderRequest.getContextPath() + "/sample.css")%>"/>
<%-- class attribute, to match the .someClass selector in sample.css --%>
<div class="someClass">
  <p>some portlet content goes here</p>
</div>
Now, the approach is to generate the CSS dynamically by prefixing the namespace to each class. The namespace is passed from sample.jsp to the page that generates the CSS as a request parameter, as shown below. Because that page echoes a request parameter into a style block and is reachable at /sample.css.jsp directly, it accepts only identifier characters for the namespace; placing it under WEB-INF, where it can only be reached through jsp:include, is the other option.
Modified CSS file: sample.css.jsp
<%-- the namespace is passed in by sample.jsp through <jsp:param>; only identifier
     characters are accepted so nothing else can be injected into the style block --%>
<%
  String namespace = request.getParameter("namespace");
  if (namespace == null || !namespace.matches("[A-Za-z0-9_]+")) {
    namespace = "";
  }
%>
<style type="text/css">
.<%= namespace %>_someClass {
  width:300px; word-spacing:12px; font-size:90%;
  padding-left:12px; padding-right:10px; white-space:nowrap
}
/* ... further rules, each prefixed the same way ... */
</style>
Modified sample.jsp
<%@page contentType="text/html"%>
<%@page pageEncoding="UTF-8"%>
<%@ page import="javax.portlet.*"%>
<%@ taglib uri="http://java.sun.com/portlet_2_0" prefix="portlet"%>
<portlet:defineObjects />
<%PortletPreferences prefs = renderRequest.getPreferences();%>
<%-- removed the link tag and included the dynamic CSS page using <jsp:include .../>;
     a tag such as <portlet:namespace/> is not evaluated inside an attribute value,
     so the namespace is passed with a request-time expression instead --%>
<jsp:include page="/sample.css.jsp">
  <jsp:param name="namespace" value="<%= renderResponse.getNamespace() %>"/>
</jsp:include>
<%-- prefix the CSS class with the namespace --%>
<div class="<portlet:namespace/>_someClass">
  <p>some portlet content goes here</p>
</div>
This should resolve the CSS class name collision on the consumer.
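The same prefixing done once over a whole stylesheet instead of by hand in each rule, as an added example that is not part of the original post: a Python function that rewrites every class and id selector in sample.css with the portlet namespace, leaving element selectors, pseudo-classes and declaration bodies alone. The regex-based parser and the SAMPLE_CSS input are constructed for this example and assume a flat rule set (no @media blocks or attribute selectors); the output is what a servlet would return in place of sample.css.jsp.

```python
import re

# Original sample.css from the post (constructed copy, placeholder rules replaced
# with two extra rules that exercise selector lists and pseudo-classes).
SAMPLE_CSS = """\
.someClass { width:300px; word-spacing:12px; font-size:90%;
  padding-left:12px; padding-right:10px; white-space:nowrap }
p.note, .note:hover { color:red }
div { margin:0 }
"""

# One plain rule: a selector list followed by a declaration block. Assumption:
# the stylesheet is flat, so no nested blocks such as @media.
RULE = re.compile(r"([^{}]+)\{([^{}]*)\}")
# A .class or #id name inside a selector.
NAME = re.compile(r"([.#])([A-Za-z_][A-Za-z0-9_-]*)")


def namespace_css(css, namespace):
    """Prefix every class and id selector with <namespace>_ and return the CSS.

    '.note:hover' becomes '.<ns>_note:hover' while 'div' and 'color:red' are
    untouched. The namespace is validated first: it is the only input that does
    not come from the stylesheet itself, and a portlet namespace is a plain
    identifier, so anything else is rejected instead of being written out.
    """
    if not re.fullmatch(r"[A-Za-z0-9_]+", namespace):
        raise ValueError("namespace must be an identifier")

    def fix_rule(match):
        selectors, body = match.group(1), match.group(2)
        selectors = NAME.sub(
            lambda n: f"{n.group(1)}{namespace}_{n.group(2)}", selectors)
        return f"{selectors}{{{body}}}"

    return RULE.sub(fix_rule, css)


if __name__ == "__main__":
    print(namespace_css(SAMPLE_CSS, "helloWorldPortlet_1"))
```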
References
[1]. My original post on this issue at the OpenPortal forums
Sample WSRP Producer URL
Open Oracle WSRP test portal
(http://portalstandards.oracle.com/portletapp/portlets?WSDL)