Monday, July 20, 2009

Applying a template to the domain used for the Integrated WebLogic Server

JDeveloper ships with a pre-built install of WebLogic and a bunch of useful templates (JRF etc.). There are times, though, when you really need to apply a new template to the domain, for example if you are doing asynchronous web services.

This isn't a problem on Windows, where the domain is easy to find ($USER_HOME/Application Data/JDeveloper/system.X.X.X.X/DefaultDomain), but on Unix the location is under a "dot" directory, ~/.jdeveloper/system.X.X.X.X/DefaultDomain. This causes a problem for the graphical domain configuration wizard, because it won't let you pick a domain that lives in a hidden directory. It also doesn't have a box where you can just type your path, which is annoying.

The most obvious workaround is to run the configuration wizard in text-only mode, which gives you an old-fashioned but workable UI. In this interface you can just type the path of the system directory when it asks you where your domains live. Don't fall into the trap I did of giving it the full location of the DefaultDomain; it will prompt you for this on the next page.

If you prefer, you can also use WLST for the same job: issue a readDomain on the DefaultDomain directory, then an addTemplate with the template jar, then updateDomain, and finally closeDomain.

Friday, July 17, 2009

Jersey, and your code, might be vulnerable to XXE attack

XXE (XML External Entity) is an interesting security hole that abuses entity expansion in an XML document: the DOCTYPE declares an entity whose content comes from an external resource, and a parser that resolves external entities reads that resource (a file on the server, or a URL) into the document wherever the entity is referenced. Take for example the following XML file:

<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<search><user>&xxe;</user></search>

Depending on how your XML parser is configured, you might get the following response from a Jersey service, with the contents of the server's /etc/passwd echoed back inside the element that held the entity reference:

<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<search><response>User root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
...
not found</response></search>

There is a discussion in this thread on how to disable this expansion by default. The problem is fixed in the latest builds of Jersey 1.1.1ea, so it is recommended that you upgrade. It does reproduce when running Jersey on WebLogic, so this is of interest. (It doesn't affect the JAX-WS stack.)

Of course, any general XML parsing code of your own might be vulnerable in the same way, so it is worth understanding the problem so you can prevent it from happening in your application: either refuse DOCTYPE declarations entirely, or switch off external entity resolution and external DTD loading on the parser you hand the request body to.
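The vulnerable parse beside its hardened form, as an added example that is not code from the original post, from Jersey, or from WebLogic. It assumes a JDK with JAXB on the classpath (JDK 6 to 8, or the javax.xml.bind jars on newer runtimes) and a Xerces-derived parser that understands the listed feature URIs, which is what the JDK's built-in parser is. The payload is constructed to match the one above, and the names Search, parseUserUnsafe, hardenedSaxFactory and unmarshalSafely are chosen here for illustration.

```java
import java.io.StringReader;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.UnmarshalException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class XxeDemo {

    // Constructed attack document, same shape as the one in the post. The
    // SYSTEM entity is resolved on the machine doing the parsing, i.e. the
    // server, not the client that sent it.
    static final String PAYLOAD =
        "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>\n"
      + "<search><user>&xxe;</user></search>";

    // Before: a stock parser with default settings. A default JDK parser of
    // that era resolves the entity, so the file contents come back as the
    // text of <user> (or it throws if the file cannot be read).
    static String parseUserUnsafe(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        Document d = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        return d.getElementsByTagName("user").item(0).getTextContent();
    }

    // After: refuse any DOCTYPE outright, and additionally turn off external
    // entities and external DTD loading in case the parser in use does not
    // honour the first feature. These are the standard SAX/Xerces feature URIs.
    static SAXParserFactory hardenedSaxFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f;
    }

    // Jersey hands request bodies to JAXB. Feeding the unmarshaller a
    // SAXSource built on the hardened reader is what makes those settings
    // apply; unmarshal(InputStream) would let JAXB pick its own parser.
    @XmlRootElement(name = "search")
    public static class Search {
        public String user;
    }

    static Search unmarshalSafely(String xml) throws Exception {
        XMLReader reader = hardenedSaxFactory().newSAXParser().getXMLReader();
        SAXSource src = new SAXSource(reader, new InputSource(new StringReader(xml)));
        Unmarshaller u = JAXBContext.newInstance(Search.class).createUnmarshaller();
        return (Search) u.unmarshal(src);
    }

    public static void main(String[] args) throws Exception {
        try {
            System.out.println("unsafe: " + parseUserUnsafe(PAYLOAD));
        } catch (Exception e) {
            System.out.println("unsafe parser failed to read target: " + e);
        }
        try {
            unmarshalSafely(PAYLOAD);
            System.out.println("hardened: unexpectedly accepted DOCTYPE");
        } catch (UnmarshalException e) {
            // JAXB wraps the SAXParseException raised by disallow-doctype-decl
            System.out.println("hardened: rejected -> " + e.getCause());
        }
        // Benign input still round-trips through the hardened path.
        Search s = unmarshalSafely("<search><user>alice</user></search>");
        System.out.println("hardened benign user: " + s.user);
    }
}
```

Run it as-is and the first branch prints the start of /etc/passwd (or an access error on a box where the file is absent), while the hardened path rejects the document before any entity is touched and still accepts the benign one. If you write your own MessageBodyReader or parse XML anywhere else in the service, the hardened factory is the piece to reuse; if you only consume XML through Jersey's built-in JAXB providers, upgrading to the fixed build is the simpler route.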

Friday, July 3, 2009

Java Development on the iPhone

Seems that, Apple aside, people are starting to find ways to get Java applications to run on the iPhone, from the cheap and cheerful to the rather more high-end products from people like Metismo. (Nice chaps, met them at JavaOne; but licenses were in the 10ks of UKP, so not for people just playing.)

Perhaps I just need to bite the bullet and learn Objective-C...

Wednesday, July 1, 2009

JDeveloper 11 R1, now up on OTN

A brand spanking new version of JDeveloper to go along with the other R1 components released today. Lots of new features to play with in various components along with a whole bunch of bug fixes.