Systems Integration

Mar 05 2010

Finding Custom MBeans in WLST

My colleague Ron DiFrango recently wrote a blog about exposing custom MBeans within the WebLogic container. Both Ron and I experienced similar frustrations when trying to work with custom MBeans and his blog is a must read if you're having difficulty finding yours.

Once the container is set up as directed in Ron's blog, you'll quickly notice that several of WLST's APIs for navigating do not work in the custom tree, most notably the find API. The lack of a find API is especially troubling when you have MBeans such as ones for EHCache that use the memory location as part of the unique identifier, for example:

Mar 04 2010

WebLogic Portal 10.x Solutions - HTTP/HTTPS Mixed Content Issue

Thanks to Andy Pemberton for helping me with this one. It definitely had me confused for a couple of days. This issue is specific to IE and only presents itself when you are exposing your portal over HTTP, but are accessing through an HTTPS load balancer or web server. The result is a mixed content popup from IE every time you access a page. This is caused by an iframe shim being inserted by WebLogic Portal for the automatic menu navigation. The fix is easy and straightforward, but finding the solution was not as easy.

To fix this issue, navigate in your Portal Web project to the Merged Project Content "virtual" directory in Eclipse which should be directly under the Portal Web project when viewing in the Portal perspective.  Under that directory, navigate to framework -> skins -> bighorn -> msie.  Right-

Feb 26 2010

Secure Development - Cross-Site Request Forgery (CSRF)

Last week, we talked about Cross-Site Scripting (XSS) and briefly touched on Cross-Site Request Forgery (CSRF). These two attacks are very common and dangerous, which explains why they consistently rank among the top five web application vulnerabilities in almost all recent studies. This week, we'll go into more detail on CSRF. First, a quick reminder about the difference between these two attacks: XSS involves injecting unauthorized code into web pages, while CSRF involves making unauthorized requests that appear to come from a legitimate, logged-in user. Another way to think about the difference is that XSS abuses the user's trust in the web application, while CSRF abuses the trust of the web application in the user.

Feb 19 2010

Secure Development - Cross-Site Scripting (XSS)

Originally, this week's post was supposed to cover both Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF), but I quickly realized that each of these topics alone is more than enough to fill a blog entry. These two are some of the most common and dangerous web application attacks, and at first glance, it may be hard to tell the difference. Here is an easy way to distinguish them: XSS involves injecting content into an existing page, while CSRF involves taking unauthorized actions on behalf of a logged-on user. XSS can be used (and often is) to launch CSRF attacks, but they are two separate attack modes.

Feb 17 2010

Remote EJBs and Seam 2.2.0 Injection

In this blog I'm going to talk about using remote EJBs that are contained in a separate deployment from your Seam 2.2.0 components. Note that for accessing local EJBs in the same EAR there's a much simpler way to go about it, detailed in the Seam documentation. For discrete deployments however, say, a WAR and an EAR, we need to do some plumbing to take advantage of Seam's bijection features.

 

Disclaimer

The words and opinions expressed here are those of each article's respective author, and do not necessarily represent the views of CapTech Ventures.