OWASP Top 10

January 25, 2017

Today we had a hands-on “Web Application Security Training” at our client location. It was a very interesting session. Our coach discussed the top 10 security vulnerabilities seen in current web applications, referred to as the OWASP Top 10.

The workshop introduced two useful tools:

WebGoat – a deliberately insecure application created by OWASP that contains all of these security issues and also explains how to remedy them.

ZAP – a proxy that intercepts web requests so you can find security bugs in any web app.

Overriding log4j property file

October 2, 2015

Sometimes it is handy to override the log4j configuration. By default log4j looks for log4j.xml on the classpath, but I needed to replace that XML with a properties file, which may itself come from the classpath. Just add the following VM argument to the program, or to the server's runtime arguments.

If the configuration file is on the classpath:

  -Dlog4j.configuration=log4j.properties 

OR

 -Dlog4j.configuration=mylog4j.properties

If the configuration file is outside the classpath, the full URL notation must be used, as in:

 -Dlog4j.configuration=file:/c:/work/mylog4j.properties

OR

 -Dlog4j.configuration=file:/home/apps/work/mylog4j.properties

Log4j useful patterns

March 2, 2012

Developer debugging with class, method and line number

To log the class name, method name and line number from which a log statement was issued, use the following conversion pattern. Generating this caller location information requires a stack walk for every log event and is slow, so keep it to development configurations:

%C{1}.%M:%L

Weblogic WSRP Keystore

February 10, 2011

The wsrpKeystore.jks keystore is found in the domain root, and its password is password. Being a well-known default, it should be changed in any domain that is not a throwaway development environment.

Go to myrealm –> Providers –> Credential Mapping –> PKICredentialMapper –> Provider Specific, where you should see the details for wsrpKeystore.jks.

Now list the keystore entries:

$keytool -list -v -keystore DOMAIN_HOME/wsrpKeystore.jks
password: password

This should list the alias name wsrpconsumer.

Go to myrealm –> Credential Mappings –> PKI tab, where you should see the PKI Credential Mappings. Click on wsrpconsumer__81_COMPAT and you will notice that it uses the alias ‘wsrpconsumer’ from the keystore above.

The Endpoint Interface does not have WebService Annotation

January 7, 2011

The following error appears when webservices-api.jar is missing from the classpath of the servlet container (in my case Tomcat 5). Tomcat 5 expects it in either common/lib or common/endorsed.

SEVERE: WSSERVLET11: failed to parse runtime descriptor: The Endpoint Interface: com.sun.portal.wsrp.common.stubs.WSRPV1RegistrationPortType does not have WebService Annotation
com.sun.xml.ws.model.RuntimeModelerException: The Endpoint Interface: com.sun.portal.wsrp.common.stubs.WSRPV1RegistrationPortType does not have WebService Annotation
	at com.sun.xml.ws.model.RuntimeModeler.getPortTypeName(RuntimeModeler.java:1316)
	at com.sun.xml.ws.server.EndpointFactory.createEndpoint(EndpointFactory.java:160)
	at com.sun.xml.ws.api.server.WSEndpoint.create(WSEndpoint.java:467)
	at com.sun.xml.ws.transport.http.DeploymentDescriptorParser.parseAdapters(DeploymentDescriptorParser.java:253)
	at com.sun.xml.ws.transport.http.DeploymentDescriptorParser.parse(DeploymentDescriptorParser.java:147)
	at com.sun.xml.ws.transport.http.servlet.WSServletContextListener.contextInitialized(WSServletContextListener.java:108)
	at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3764)
	at org.apache.catalina.core.StandardContext.start(StandardContext.java:4216)
	at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:760)
	at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:740)
	at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:544)
	at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:926)
	at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:889)
	at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:492)
	at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1149)
	at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:311)
	at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:120)
	at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1022)
	at org.apache.catalina.core.StandardHost.start(StandardHost.java:736)
	at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1014)
	at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
	at org.apache.catalina.core.StandardService.start(StandardService.java:448)
	at org.apache.catalina.core.StandardServer.start(StandardServer.java:700)
	at org.apache.catalina.startup.Catalina.start(Catalina.java:552)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:585)
	at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:295)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:433)
Jan 4, 2011 11:21:02 AM org.apache.catalina.core.StandardContext listenerStart
SEVERE: Exception sending context initialized event to listener instance of class com.sun.xml.ws.transport.http.servlet.WSServletContextListener
com.sun.xml.ws.transport.http.servlet.WSServletException: WSSERVLET11: failed to parse runtime descriptor: The Endpoint Interface: com.sun.portal.wsrp.common.stubs.WSRPV1RegistrationPortType does not have WebService Annotation
	at com.sun.xml.ws.transport.http.servlet.WSServletContextListener.contextInitialized(WSServletContextListener.java:118)
	at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3764)
	at org.apache.catalina.core.StandardContext.start(StandardContext.java:4216)
	at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:760)
	at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:740)
	at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:544)
	at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:926)
	at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:889)
	at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:492)
	at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1149)
	at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:311)
	at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:120)
	at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1022)
	at org.apache.catalina.core.StandardHost.start(StandardHost.java:736)
	at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1014)
	at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
	at org.apache.catalina.core.StandardService.start(StandardService.java:448)
	at org.apache.catalina.core.StandardServer.start(StandardServer.java:700)
	at org.apache.catalina.startup.Catalina.start(Catalina.java:552)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:585)
	at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:295)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:433)
Caused by: com.sun.xml.ws.model.RuntimeModelerException: The Endpoint Interface: com.sun.portal.wsrp.common.stubs.WSRPV1RegistrationPortType does not have WebService Annotation
	at com.sun.xml.ws.model.RuntimeModeler.getPortTypeName(RuntimeModeler.java:1316)
	at com.sun.xml.ws.server.EndpointFactory.createEndpoint(EndpointFactory.java:160)
	at com.sun.xml.ws.api.server.WSEndpoint.create(WSEndpoint.java:467)
	at com.sun.xml.ws.transport.http.DeploymentDescriptorParser.parseAdapters(DeploymentDescriptorParser.java:253)
	at com.sun.xml.ws.transport.http.DeploymentDescriptorParser.parse(DeploymentDescriptorParser.java:147)
	at com.sun.xml.ws.transport.http.servlet.WSServletContextListener.contextInitialized(WSServletContextListener.java:108)
	... 24 more
Jan 4, 2011 11:21:02 AM org.apache.catalina.core.StandardContext start
SEVERE: Error listenerStart
Jan 4, 2011 11:21:02 AM org.apache.catalina.core.StandardContext start
SEVERE: Context [/producer] startup failed due to previous errors

Open Portal: LifecycleManagerException

December 27, 2010

The following exception is seen in the logs when the class loader finds the portlet.jar file in multiple locations (in my scenario: TOMCAT_HOME/common/lib and MYWebAPP/WEB-INF/lib). The ClassCastException arises because the portlet API classes get loaded by two different class loaders, so the same class name refers to two distinct types. The exception vanishes once this jar is removed from the web application.

Dec 24, 2010 2:59:17 AM com.sun.portal.portletcontainer.appengine.impl.LifecycleManagerImpl initPortletAppDescriptor
INFO: PSPL_PAECSPPAI0015 : Loading DD for the portlet application : PortalWeb
Dec 24, 2010 2:59:17 AM com.sun.portal.portletcontainer.appengine.impl.LifecycleManagerImpl createPortlets
SEVERE: PSPL_PAECSPPAI0013
com.sun.portal.portletcontainer.appengine.LifecycleManagerException: java.lang.ClassCastException: com.vbandaru.somepkg.SomePortlet
	at com.sun.portal.portletcontainer.appengine.impl.LifecycleManagerImpl.createPortlet(LifecycleManagerImpl.java:319)
	at com.sun.portal.portletcontainer.appengine.impl.LifecycleManagerImpl.createPortlets(LifecycleManagerImpl.java:355)
	at com.sun.portal.portletcontainer.appengine.impl.LifecycleManagerImpl.<init>(LifecycleManagerImpl.java:138)
	at com.sun.portal.portletcontainer.appengine.PortletAppEngineServlet.init(PortletAppEngineServlet.java:151)
	at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1139)
	at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:966)
	at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3956)
	at org.apache.catalina.core.StandardContext.start(StandardContext.java:4230)
	at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:760)
	at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:740)
	at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:544)
	at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:926)
	at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:889)
	at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:492)
	at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1149)
	at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:311)
	at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:120)
	at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1022)
	at org.apache.catalina.core.StandardHost.start(StandardHost.java:736)
	at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1014)
	at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
	at org.apache.catalina.core.StandardService.start(StandardService.java:448)
	at org.apache.catalina.core.StandardServer.start(StandardServer.java:700)
	at org.apache.catalina.startup.Catalina.start(Catalina.java:552)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:585)
	at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:295)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:433)
Caused by: java.lang.ClassCastException: com.vbandaru.somepkg.SomePortlet
	at com.sun.portal.portletcontainer.appengine.impl.LifecycleManagerImpl.createPortlet(LifecycleManagerImpl.java:304)
	... 29 more

OpenPortal/Weblogic WSRP Interoperability: URL Rewriting Issue

December 11, 2010

I am trying to consume an Open Portal 2.0 producer (JSR 286) from a WebLogic 10.3.2 consumer.

Issue: the encoded URL contains unnecessary tokens that break the resource URLs on the consumer side.

I am rendering an image with a src attribute of

<%= renderResponse.encodeURL(renderRequest.getContextPath() + "/ico_normal.jpg")%> 

which produces the following URL on the consumer:

 http://localhost:7001/ConsumerApp/resource/cs__pageLabel%3Dtest_portal_page_2_page_3%26_portlet.portalUrl%3D%252FConsumerApp%252Fconsumer%252Ftest.portal%26_st%3D%26_windowLabel%3DhelloWorldPortletInvoicePortletMINE_1/u_http%3A%2F%2Flocalhost%3A8080%2FhelloWorldPortlet%2Fico_normal.jpg/id_/rr_false/po_/rs_/rc_/iu_oracle:immutableURI/*wsrp*separatororacle:mutableURI;jsessionid=Y1lnM27Zk68ZQ86sBvG19Js9vcncmGTR8s5WStcLQtS448nZ2fQT!-1164873313?oracle:mutableParameters 

Please notice the tokens that start with {oracle:mutable*} in the above URL; they prevent the images from rendering on the consumer. Once I remove these tokens ({oracle:immutableURI}, {oracle:mutableURI} and {oracle:mutableParameters}) and paste the URL into the browser, the image does show up. So the fix seems to be that, while generating the WSRP markup, all tokens of the form {oracle:mutable *blah …} should be replaced with the empty string.

The consumer is sending the following URL template for wsrp-resource:

http://url:domain:url:port/url:path/resource/cs_url:queryString/u_wsrp-url/id_wsrp-resourceID/rr_wsrp-requiresRewrite/po_wsrp-preferOperation/rs_wsrp-resourceState/rc_wsrp-resourceCacheability/iu_oracle:immutableURI/*wsrp*separatororacle:mutableURI?oracle:mutableParameters 

Section 9.2.2 of the WSRP 2.0 specification also says that the producer MUST replace all tokens in the consumer-supplied URL template with values, including replacing all tokens for which it has no value (or does not understand) with the empty string. So the “{oracle:immutableURI}” and “{oracle:mutableURI}” tokens should be replaced with “” (the empty string) by the producer.

#1. Is this a bug? Which Java classes in the source handle the URL encoding, so that I can patch them to hotfix this issue in my environment for the time being?

#2. Is there any flag or configuration that enables the producer to use “consumer URL rewriting”?
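The substitution rule from section 9.2.2 quoted above, worked through as an added Python example (not code from Open Portal or WebLogic); the template and producer values are constructed to mirror the consumer's template in the post, with braces around the token names, and only the url:* and wsrp-* tokens are treated as known to the producer:

```python
import re
from urllib.parse import quote

# A WSRP-style "{token-name}" placeholder inside a consumer URL template.
TOKEN_RE = re.compile(r"\{([A-Za-z0-9_:.\-]+)\}")

# Constructed template: braces restored around each token, following the shape of the
# consumer's wsrp-resource template in the post (trimmed to the tokens that matter here).
CONSUMER_TEMPLATE = (
    "http://{url:domain}:{url:port}/{url:path}/resource/"
    "u_{wsrp-url}/rr_{wsrp-requiresRewrite}/"
    "iu_{oracle:immutableURI}/*wsrp*separator{oracle:mutableURI}?{oracle:mutableParameters}"
)

# Constructed values: the producer understands the url:* and wsrp-* tokens and nothing else.
PRODUCER_VALUES = {
    "url:domain": "localhost",
    "url:port": "7001",
    "url:path": "ConsumerApp",
    "wsrp-url": "http://localhost:8080/helloWorldPortlet/ico_normal.jpg",
    "wsrp-requiresRewrite": "false",
}


def expand_url_template(template: str, values: dict) -> str:
    """Expand a consumer-supplied URL template as WSRP 2.0 section 9.2.2 requires of
    the producer: every token is replaced, and a token the producer has no value for
    (or does not understand) becomes the empty string instead of being left in place.
    Values are percent-encoded so an embedded URL cannot alter the template's structure."""
    def substitute(match):
        value = values.get(match.group(1))
        return "" if value is None else quote(value, safe="")
    return TOKEN_RE.sub(substitute, template)


def unresolved_tokens(url: str) -> list:
    """Tokens still present in a rewritten URL. A compliant producer leaves none; a
    non-empty result is the symptom described in the post."""
    return TOKEN_RE.findall(url)


if __name__ == "__main__":
    rewritten = expand_url_template(CONSUMER_TEMPLATE, PRODUCER_VALUES)
    print(rewritten)
    print("unresolved before:", unresolved_tokens(CONSUMER_TEMPLATE))
    print("unresolved after: ", unresolved_tokens(rewritten))
```

Running it shows the iu_ and *wsrp*separator segments emptied rather than carrying oracle:* tokens, which is what the post expects the producer to emit.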