DOAG 2011 Conference and Exhibition - Update

A short update on the DOAG 2011 Conference and Exhibition. Beside all the posts lately I nearly completely forgot about the running CfP (Call for Presentations).

In more than 400 speakers slots the DOAG 2011 Conference, which takes place November 15th-17th, 2011 in Nuremberg, provides current information on the successful use of the Oracle products as well as practical tips and tricks and exchange of experience. The varity of the presentations is addressing and covering all important fields of the Oracle products - ranging from database to middleware and business applications. This is the optimal opportunity to enlarge your network and to profit from the experiences and know-how of all users. For me the two most important parts are the Oracle Middleware and Development streams. The last one contains an important sub stream: Java. This is the part where I am doing some review work this year. I'm a proud member of the Program Committee. So, I'm excited to see your contributions to this years DOAG Conference and hope, we will meet there!

Read More

Securing your GlassFish. Hardening Guide.

If you are seriously thinking about running a GlassFish in a production environment your are looking for some kind of information about securing it.  Most basically you would do, what sounds right for your and start with a secure installation, think about firewalls and secure applications. And this basically is right. But have you ever thought about the why? I did. And further on I checked back with GlassFish and here is the ultimate hardening guide for your GlassFish installation. I don't have any special version in mind, so most of it should work beginning with v3.

IT-Security Guidelines

Picture CC BY-NC 2.0, annamagal

Work and business processes are increasingly based on IT solutions. For this reason, the security and reliability of information and communications technology gains more and more importance. You simply have to look at what happened to the playstation network lately and you get a feeling about what IT-Security could mean to your business. I always thought of it as a comprehensive checklist of things to do to ensure a secure environment. Simple and boring stuff. And this is, why I was on the hunt for the most comprehensive list I can get to make my own GlassFish installations as secure as possible. Call me innocent and you are right. But: Hey, I'm a simple developer. Let's start with the basics. IT-Security is a lot more than simple checklists. It's a complete bunch of methods, processes, procedures, approaches and measures relating to information security. The most comprehensive standard work is the German Federal Office for Information Security (BSI) IT-Grundschutz. The aim of IT-Grundschutz is to achieve an appropriate security level for all types of information of an organisation. It uses a holistic approach to this process. Through proper application of well-proven technical, organisational, personnel, and infrastructural safeguards. I highly recommend reading a bit about this. What I quickly want to dive into are the so called "IT-Grundschutz Catalogues" as they contain the essential security safeguards which support a systematic approach to IT-Security. Don't get me wrong. This is the "simple" part of it. Dealing with standard threads and catalogues are basics. For a complete BSI solution overview get a coffee and talk to your security officer.

The net and the fish
First important part to notice is that you have to take some time to consider your security needs. There are many screws to tighten and you should make sure to use the right ones. A picture came to my mind if I thought about this: The fishing net could be a symbol for your infrastructure. It keeps your GlassFishes in place and prevents them from shark attacks. And your GlassFish takes care of your Java application, running within it. So first and obvious thing to check is the infrastructure. A typical GlassFish does not swim in the wild. He's hidden behind a reverse proxy which itself sits inside a DMZ. If I am talking about "system hardening" here, it's the most basic security process you should apply to your GlassFishes living in similar situations. Depending on your security needs, you should extend the list to your needs.

Prerequisites
Hardening a single GlassFish instance is useless, if you are running it somewhere. The weakest point of your infrastructure defines your overall security level. So the first thing to check is, if your Hardware is up to date (yes, I'm talking about BIOS and stuff here) and if the operating system you are using is hardened at all. Don't forget about the network (Firewalls, Switches, and so on). If not. Stop reading and check back with the guys that are responsible for that.

Thoughts about password strength
Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability. (Source: wikipedia.org) Whenever I talk about changing a password, think about unsing a strong password!

Hardening basics with GlassFish
Before you start doing anything you should think about a security concept. Yes. The documentation stuff. You need to write down, what you are going to do and why. "Which resources am I protecting?" and "From whom am I protecting the resources?". Done? Fine. Let's start.

Install an up-to-date and completely patched version of Java
There are many ways to do this. Get the latest bits, compare the checksums and apply all patches.

Setting up the environment
Very important from security point of view is not to run your Glassfish server as root. This means you need to create a user with restricted rights which you can use for running Glassfish. A good idea is to have a "gfish" user belonging to a "gfishadm" group. This group is the only one allowed to administrate the complete GlassFish installation including files. Note, that you are not going to run GlassFish on port 80 as a non-root user. But this is not too bad at all. As a principle for system hardening you could assume, that all "defaults" are bad. So you don't want to run it there anyway :)

Install an up-to-date and completely patched version of GlassFish
Don't start over with one of the old archives downloaded weeks ago. Visit glassfish.org or oracle.com/goto/glassfish to grep the lates bits. Check the md5 hashes and make sure you really get the right ones. Check back with the critical patch updates website and make sure you have the latest security patches in place.

Configure your ports
As I said before: Try to avoid default settings. Whatever ports are assigned with your basic installation; change them. Even if you find a lot of tools around to query system ports it's still considered good practice to shuffle the ports around.

Restrict access to the http/https ports
Check back with your network guys, to restrict access to your GlassFish server to the http/https port only. All other ports (admin-listener) should be blocked and accessible from the localhost or the cluster nodes only. You can rely on the external firewall product or configure your systems firewall (e.g. iptables) accordingly.

Securing the admin console
If you decide not to protect the admin-listener on network level you need to enable the secure administration feature. The secure administration feature allows an administrator to secure all administrative communication between the domain administration server (DAS), any remote instances, and administration clients such as the asadmin utility, the administration console, and REST clients. In addition, secure administration helps to prevent DAS-to-DAS and instance-to-instance traffic, and carefully restricts administration-client-to-instance traffic.

Change the master password
Glassfish uses the master password to protect the domain-encrypted files from unauthorized access, i.e. the certificate store which contains the certificates for https communication. Every asadmin action needs it to execute successfully. You have to decide if you put your installation in interactive or non-interactive way for the master password challenge. Running it as an autostart demon probably needs a saved master password.

Change the administration password
Same with the administration password. You also have the chance to put this into a password file for an "automatic login". Depending on your network configuration, your thread analysis (from whom do I protect the system) this could be ok. But I advise you to not use any automatic login features available.

Aliasing Passwords
You should change your resource passwords to aliased ones. Use the asadmin create-password-alias cmd to change clear-text passwords in domain.xml to ${ALIAS=xxxx} entries.

A word about certificates
Normally you do not configure SSL certificates with your GlassFish instance. This is done by a reverse proxy and has several advantages. You have some lower load on your instance, you don't have to deal with configuring ssl and certificates. If you are directly terminating your ssl connections with the GlassFish, you have to change the keystore entries accordingly. And certainly you should change the keystore password.

Hiding your identity
As many servers, GlassFish is a bit chatty. The response headers contain some information which should not be disclosed to the public to prevent targeted attacks.

X-Powered-By: Servlet/3.0, JSF/2.0
Server: GlassFish Server Open Source Edition 3.0.1

You can disable this by turning off the "XPowered By:" header with your http-listener and by adding a JVM-Option -Dproduct.name="".

Preventing System.gc()
Set an additional JVM Option -XX:-DisableExplicitGC . This will disable calls to System.gc() even if the JVM still performs garbage collection when necessary.

Extended Hardening
If you have accomplished the most basic parts of the hardening, you could also start over and take care for the following points.

Remove unused components/services
Minimize the GlassFish Server installation by removing components that you are not using and do not intend to use. Every component you uninstall reduces the risk for somebody to break into. This needs a whole lot of knowledge about the stuff you are running with your GlassFish.

Define working with update and pkg tools
Think about a small process for working with the update and pkg tools. You should disable the update checks for the admin console ( -Dcom.sun.enterprise.tools.admingui.NO_NETWORK=true) or probably completely remove it from your distribution.

Admin server and instances
Beginning with 3.1 you can have instances beside your admin server. It's considered best practice not to run any application on your admin server at all. So you should have a concept about running your applications on instances and clusters. You could also think about completely shutting down the admin server except for the duration you need it.

Enable authentication and authorization auditing.
Auditing is the process of recording key security events in your GlassFish Server environment. You use audit modules to develop an audit trail of all authentication and authorization decisions. You should track all relevant events via the Audit Logging features.

Check file integrity
There are some tools out there to check the integrity of your installation. Starting with simple rootkit hunters you also find some commercial solutions out there (e.g. tripwire). Think about using such a tool to protect the integrity of your installation.

Bottom Line
This is a very unintuitive topic. You have to have very detailed knowledge about the product you are trying to secure and the complete infrastructure. If you are called to harden GlassFish make sure to understand the security needs and make an assessment about the risks you have to take care of. And it's a team play. A single hardened GlassFish is by far not enough.

Links and Literature
BSI-Standards
IT Security Guidelines (PDF)
Oracle GlassFish Server 3.1 Security Guide
Installing Glassfish 3.0.1 on Ubuntu
Installing Glassfish 3.1 on Ubuntu 10.04 LTS

Read More

JRockit is Now Free!!! Period.

The conversion strategy is going to pay of for the customers. Today, Henrik announced, that JRockit is free. Not as in free-beer but at last under the same conditions, you are used to have for the Sun HotSpot JVM. Oracle has been talking about this since months (e.g. blog) and we are all very excited to see the new converged JVM finally. This is a first big step towards a high reliable, performing and single JVM for all your Java needs. Henrik also published some FaQs along with this announcement: I picked the ones, I like the most:

Q: Does this mean I can now use JRockit with any Java application?
A: Yes, under the same terms as you currently use the Oracle (Sun) JDK. You don't need to inform us and you don't need to pay anything.

Come-on: Give your heart a kick: Let's go: I've written a very short howto starting over with JRockit and GlassFish. Start using it today! :)

Q: I am a developer, does this mean I can now use JRockit Mission Control for free?
A: Yes, there is no cost for development use. See the license for details.

Wow .. man, this is great news in general: I personally love the JRMC. It's the most complete and ootb solution for getting your JVM under control. Nothing against VisualVM or even the JConsole, but ... JRMC plays in a league of it's own.

In general Oracle seems not to recommend moving to JRockit today. Even if you could. I guess, they are right. Everything in Henriks post seems to indicate, that they are willing to have the first converged version out with the Java SE 7 / OpenJDK 7 release later the year.
Anyway, if you are in need for some very effective memory management and a high speed JVM. You finally have it! Great!

And don't forget to look at the JRockit bible: "Oracle JRockit - The Definitive Guide". I have written a review about it a few months ago and I am still getting goose skin thinking about the hard time this book gave me ... but it was worth it!

Read More

New Article in German Java Aktuell (iJUG) about GlassFish 3.1

As usual, another short hint about a recently published article of mine. The German iJUG Magazin called "Java Aktuell" is available since 3rd of May and you can read all about the new GlassFish 3.1 release. If you like, you can check out some other articles of mine. Some of them done in English, too, you just search this blog for posts, labeled "article" and you get some results.

One sentence about the title: "Does it come to a rift - Community and Oracle". I like the visual but I can't comment on the content until I have not read it. And that's sad but true. I haven't until now. But I believe, I will update this post with some more comments if this to-do is removed from my list.

Read More

Blog redesign - and some thoughts.

You have heard about the recent Blogger outage? This blog was affected also. I lost a redesign I did in the few hours between the trouble started and they started noticing it. Anyway, I am not too sad about this. I'm not blogging on a daily basis and I could do without 20.5 hours of not being able to post. And the blog was accessible all the time. That is something I call a good service.

All the discussions about the outage bring some things back to the users minds. You are not paying for the service. It's free and with this being a free service, I am very happy about it's stability. I have seen some more and worser outages with services I pay for. Thanks Google for providing blogger.com to us. And thanks for your overall performance and stability.

Your probably reading this in a reader, so I thought I share a screenshot of the new blog design with your. It's lighter, more open and content centric. I am going to drop the black background on the main eisele.net pages, too. Hope, you like it. come back often and contribute! I am happy to have your here and thanks for any hint and contribution you, dear fellow reader, do!
Have a great week, happy blogging (again) and take care!

Read More

GlassFish 3.1 SecureJDBCRealm - Detecting failed logins.

Playing around with security in GlassFish is a lot of fun. If you have a project and some kind of security organization in place and you have to implement stuff, that fulfills requirements regarding high or higher protection needs, you most often are alone with that. This is a short howto about what I did to extend the existing JDBCRealm a bit to keep track of failed logins and deactivate users after they reached their configured limit.

What's there and what did I do?
You probably know the GlassFish JDBC Realm already. It's a quite comfortable way to use a database as a user back-end for your container security. If you configure your web application appropriate your can ensure, that only valid users hit your protected resources. The only thing you have to do is to configure your JDBCRealm and off you go. If you are not familiar with the topic so far, I suggest, you dig into the Java EE 6 tutorial a bit to get a basic understanding.
So far so good. But what happens in an environment where you have to take care of additional protection needs? Some typical ones? Encrypted passwords in your database. You could achieve this with setting a digest-algorithm (MessageDigest: e.g. MD5) and off you go. What about tracking failed logins? Here we go. That's most obviously nothing the standard JDBCRealm does. So, I was trying to build a more SecureJDBCRealm and add this feature.

Starting point
If I already have an example, I am going to add my stuff there. So I started over looking at the code already there. The com.sun.enterprise.security.auth.realm.JDBCRealm is an excellent place to look at.
So I basically copied it (with remaining copyright-headers of course ;)) and added my own features. Beside the fact, that you need at last two more properties for your realm, you need some additional prepared statements to execute in order to be able to keep track of the tries a user did. And you also do need your own SecureJDBCLoginModule to call your realm.
The steps I took in a very high-level view:
0) Add two more params to the realm (user-tries-column and user-tries-max)
1) change the passwordQuery to include the new "sanity-check" for userTriesColumn + " <=" + userTriesMax
2) Add three new prepared statements triesReadQuery, triesUpdateQuery, triesResetQuery
3) Change the isUserValid() method to include the test if more tries are available for a given username and add some logic for handline the tries colum (increment and reset)
4) I added a new public property to the realm to be able to getTriesLeft() for a given user.
5) implement the SecureJDBCLoginModule

Great. That basically was it. Now you have a new column mapping in your login module to track the not successful login attempts a user does. To be honest, this is not high performance in general. And using the programmatic request.login() with it's simple ServletException that is thrown is not very convenient. So even if you use this login module, you still have to find a way to tell the user about it's left tries and what he possibly did wrong.

Try it out - and give feedback!
If you are willing to try it out: Here you are. I made the complete maven based project (GF 3.1) available for you on github. Use it as it is. Without any warranty. And don't blame me, if something goes wrong. If you have ideas or better approaches: let me know! Happy to discuss this a bit!

Read More

Enforcing Upload Limits with Primefaces 2.2.1

A very short tip I came across lately. If you are looking into enforcing some limits to your upload component:
<p:fileUpload fileUploadListener="#{fileUploadController.handleFileUpload}"
description="Allowed Files"/>

you are most likely able to use allowTypes and sizeLimit attributes. But what about enforcing project wide settings without repeating this in any faces template over and over again?
Simple as you might guess: Write your own component. All you have to do is to extend the org.primefaces.component.fileupload.FileUpload component a bit like this:

public class ExcludeListPrimeFileUpload extends FileUpload {
public ExcludeListPrimeFileUpload() {
super();

// allowed file-types
setAllowTypes("*.doc;*.docx;*.pdf;*.ppt;*.pptx;*.zip;*.txt");
//size limit 30 megabyte = 31 457 280 bytes
setSizeLimit(new Long(31457280));
}
}

and register it as a replacement for the org.primefaces.component.FileUpload component-type with your faces-config.xml.
<component-type>org.primefaces.component.FileUpload</component-type>
<component-class>net.eisele.test.primetest.ExcludeListPrimeFileUpload</component-class>
</component>

If you use the Browsee Button you now see, that you are only able to select any of the provided file-types:

That was simple and quick. Thanks PrimeFaces ;)

Read More

Kscope11 - Preparations done. I am a proud speaker.

ODTUG Kscope11, the annual Oracle Development Tools User Group conference is nearly around the corner. It is bringing together the best Oracle minds in the industry. The content covers BI and Oracle EPM, Application Express, Database Development,and Fusion Middleware. You can attend symposiums, hands-on training labs, presentations, and much more. The list of this year's Fusion Middleware content is quite impressive. And the best part: I am delivering two parts of it.

All the Java ADF Beginners Need to Know Part 1 and Part 2
Session 1, 06/27/2011, 11:15 AM-12:15 PM
Session 2, 06/27/2011, 1:15 PM-2:15 PM

Two mini-lessons on Java concepts and syntax, aimed at PL/SQL developers and DBAs who need to know sufficient Java to start building ADF Components with Java. In general this is a basic Java course to get everybody up to speed with the language in general. I will try to spend as less time as possible on the slides and simply show the basic concepts with examples right in the IDE.

In general I am very excited and looking forward to it. Not only because of this years beautiful location, which is Long Beach, California, located on the Pacific Ocean Shores, just 22 miles south of downtown LA but also because I am really looking forward meeting all those great people again I met there last year.

Take a look at the pictures I took from last years Kaleidoscope in Washington D.C. I hope to share some from this years visit, too!

Read More

Oracle WebLogic Server 11g Release 1 (10.3.5) Patch Set 4 seems to be out!

Right ahead of the weekend I came across a new PS release for WebLogic server. After I still see the 10.3.4 releases being distributed from the official download page, I guess we are a bit ahead of time and the rest of the FMW PS4 is still to be released during the day.

Ok. Here we go: download the latest win32 version or get the generic zip installer. Both container WebLogic Server 10.3.5 and the Oracle Enterprise Pack for Eclipse (11.1.1.7.2). Together with the latest Java(TM) SE Runtime Environment (build 1.6.0_24-b07) and the Oracle JRockit(R) (build R28.1.3-11-141760-1.6.0_24-20110301-1429-windows-ia32,compiled mode). The documentation is also available online. Find the WebLogic documentation in a separate book. In general there is not much to see. The "what's new section" is nearly empty and I honestly don't see any breathtaking news. There is even still an old Coherence 3.6 version bundled with the download. Odd.
Looking at the WL_HOME/wlserver_10.3/bugsfixed/bugsfixed.htm you can see, that they fixed four (4) bugs ;)

10155450
EJB: A NullPointerException sometimes occurs when an EJB client performs a JNDI lookup for an EJB application that is deployed on a cluster.
10191490
Web services: Unable to attach a custom WS-policy to a JAX-RPC Web service.
10258751
JMS: A JMS Messaging Bridge fails to connect to a secure destination.
11664124
Core components: libstackdump.so is missing from the software distribution.

Nice. This could be considered as the last stable release here. Now we are all waiting for the first Java EE 6 version to come out.

Read More