Thursday Dec 27, 2012

Book Review: Securing WebLogic Server 12c

"Security is a must in modern Enterprise architecture, and WebLogic implements a very complete, complex architecture for this." is a quote taken from the book covers of Securing WebLogic Server 12c book written by Luca Masini and Rinaldi Vincenzo, published by Packt Publishing ( book then sets the reader's expectation within another quote from the book covers: "Securing WebLogic Server 12c will simplify this complex world abd let you develop abd deploy in a production system with best practices for both the development and deployment world."

When Packt Publishing asked me to review and write about this book, my expectation was to get a book of 400 pages in size that covers security from its Java EE fundamentals down to its implementation in WebLogic Server 12c. When the long awaited shipment arrived, to my surprise, the book only had 80 pages. Such small format is not uncommon for Packt Publishing and in August 2012 I reviewed the "Oracle WebLogic Server 12c: First Look" book written by Michel Schildmeijer ( So my expectation was to find an overview to WebLogic Server 12c features with pointers of how to use them and where to follow up reading about it.

Securing WebLogic Server 12c starts with "WebLogic Security Concepts" that introduces Java EE terms like Principals and Subjects and WebLogic server terms like authentication providers, credential mappers and identity assertion. This chapter touches on many topics without going into details. A nice addition to this chapter would have been pointers to follow up readings for readers to be able to gain a deeper understanding of a topic.

Chapter 2 is about WebLogic server security realms, the identity store and policy stripe you define for a WebLogic server domain. This chapter is interesting to read (I only have problems with statements like "A user is an entity that can be authenticated and used to protect application resources", which I think is a wrong and misleading definition) and explains the WebLogic server user, role and group architecture. It would have helped if there were screen shots to this chapter for people who are not familiar with WebLogic server to better follow. Maybe the requirement for this book, though not spelled out, is that you have WebLogic server 12c installed or experience with a previous version of it. In the following the chapter explains how to configure authentication providers in WebLogic server, by example of LDAP, which IMO is a good and very useful chapter. The troubleshooting section for the LDAP configuration is well written and really shares the author's experience.

Chapter 3 is about Java EE Security with WebLogic and explains how to use Maven to administer WebLogic server by example of creating role mappings on the fly. This chapter clearly is wrongly labeled and should have been titled: "Using Maven to administer WebLogic server" because there is nothing new you learn in regards to security and how to protect WebLogic server or your applications. Instead you learn how to use Maven for configuring role mappings upon deployment instead of editing metadata files at design time.  The security bits mentioned in this chapter are Java EE 6 security annotations for servlets and EJB, so nothing that is really specific to WebLogic server. The Maven information is good and detailed, though lost me here and there in some of its folder and project descriptions. The section "A RESTful and secure EJB component" actually explains that in Java EE 6 EJB modules can be deployed with a servlet in a WAR file, which then - using annotations - you can secure in that you check the user role membership before executing a method.

Chapter 4 explains how to build a custom authentication provider using Maven and a JAAS login module. Its an interesting and useful chapter that gives you some good insight in how you build the authentication provider wrapper for a JAAS login module and how WebLogic server MBeans are used for administration. The custom authentication provider authenticates against a JSP file, which the authors use to simulate a legacy or existing SSO system. Again, Maven is used to assemble the provider and to deploy it. The use of Maven adds some complexity to the custom authentication provider explanations and also take a lot of pages from the overall 80 page budget of this book. I wished the use of Maven for deploying the custom authentication provider was explained in a separate chapter. Again, there are no pointers for readers to follow up with a topic. This is a problem with the book as a whole.

Chapter 5 is about Kerberos integration for authentication, which is a frequent customer requirement. The chapter is a step-by-step instruction to how to make the Kerberos authentication work with WebLogic server though, in my opinion, assume quite abit for the reader to know and have as to seen a beginners guide.

As usual, when doing book reviews, I am annotating book pages with questions I have and follow ups action items. The annotations I used the most in this book were Why and How. For sure pointers to follow-up reading would have been good and welcome. I also had difficulties to identify the audience for this book: As an overview it was too technical and not comprehensive in some areas. As a technical book and reference it wasn't detailed enough, leaving me guessing and wondering far too often. In some parts, like the Kerberos configuration in chapter 5, it reads like notes the authors took while setting up the environment for the company they work for.

So who is this book for? To quote the book: "If you are a WebLogic Server administrator who is looking forward to a step-by-step guide to administer and configure WebLogic security, then this guide is for you. This book is also for WebLogic developers who want to leverage the complex but powerful WevLogic security infrastrucure."

This book is well written and contains some good information you want to follow up on after reading the book's 80 pages. However, neither the administrators nor developer finds all that he / she needs to know about WebLogic and Java EE application security to protect a business. In my opinion, the book is good, but the title is wrong! A better title would have been  "WebLogic 12c administration and application deployment with Maven by example of Java EE security".

"Security is a complex matter, and Java EE is not an exception to this rule. To make things even more complicated, WebLogic Server extends standard securtity [...]" - page 5 of  "Securing WebLogic Server 12c". I agree with this statement, but also read from it that the authors were well aware of the need for a more in depth book.

All in all I enjoyed reading this book, though I did not learn a lot in regards to security (the Maven - WebLogic server administration and deployment bits are good though).

My final review summary you can quote me on thus is that The book is a good reference for everyone who has "Maven deployement to WebLogic Server 12c", "custom authentication provider development" and "Kerberos authentication for Windows based authentication" on his or her to-do list.


Ps.: My suggestion to reviewers: Ask more questions about what you read and don't understand. If I see explanations like the following (taken from page 18): "View User Attributes: Some user attributes" then this clearly has not been reviewed with enough care.

Monday Dec 17, 2012

Accessing ADF Faces components that are read-only from JavaScript

Almost as a note to myself and to justify the time I spent on analyzing aproblem, a quick note on what to watch out for when working trying to access read-only ADF Faces components from JavaScript. 

Those who tried JavaScript in ADF Faces probably know that you need to ensure the ADF Faces component  is represented by a JavaScript object on the client. You do this either implicitly by adding an af:clientListener component (in case you want to listen for a component event) or explicitly by setting the ADF Faces component clientComponent property to true.

For the use case I looked at in JDeveloper 11g R1 ( I needed to make an output text component clickable to call a JavaScript function in response. Though I added the af:clientListener tag to the component I recognized that it also needed the clientComponent property set to true.

Though I remember this as not being required in, I like the new behavior as it helps preventing read-only components from firing client side events unless you tell it to do so by setting the clientComponent property to true.

Note: As the time of writing, JDeveloper is not publicly available and I put the note in this blog as a reminder in case you ever hit a similar challenge so you know what to do.


A blog on Oracle JDeveloper, ADF, MAF, MCS and other mobile and web topics inspired by questions and answers posted on the OTN forums.

Frank Nimphius


« December 2012 »