Thursday Dec 27, 2012

Book Review: Securing WebLogic Server 12c

"Security is a must in modern Enterprise architecture, and WebLogic implements a very complete, complex architecture for this." is a quote taken from the book covers of Securing WebLogic Server 12c book written by Luca Masini and Rinaldi Vincenzo, published by Packt Publishing ( book then sets the reader's expectation within another quote from the book covers: "Securing WebLogic Server 12c will simplify this complex world abd let you develop abd deploy in a production system with best practices for both the development and deployment world."

When Packt Publishing asked me to review and write about this book, my expectation was to get a book of 400 pages in size that covers security from its Java EE fundamentals down to its implementation in WebLogic Server 12c. When the long awaited shipment arrived, to my surprise, the book only had 80 pages. Such small format is not uncommon for Packt Publishing and in August 2012 I reviewed the "Oracle WebLogic Server 12c: First Look" book written by Michel Schildmeijer ( So my expectation was to find an overview to WebLogic Server 12c features with pointers of how to use them and where to follow up reading about it.

Securing WebLogic Server 12c starts with "WebLogic Security Concepts" that introduces Java EE terms like Principals and Subjects and WebLogic server terms like authentication providers, credential mappers and identity assertion. This chapter touches on many topics without going into details. A nice addition to this chapter would have been pointers to follow up readings for readers to be able to gain a deeper understanding of a topic.

Chapter 2 is about WebLogic server security realms, the identity store and policy stripe you define for a WebLogic server domain. This chapter is interesting to read (I only have problems with statements like "A user is an entity that can be authenticated and used to protect application resources", which I think is a wrong and misleading definition) and explains the WebLogic server user, role and group architecture. It would have helped if there were screen shots to this chapter for people who are not familiar with WebLogic server to better follow. Maybe the requirement for this book, though not spelled out, is that you have WebLogic server 12c installed or experience with a previous version of it. In the following the chapter explains how to configure authentication providers in WebLogic server, by example of LDAP, which IMO is a good and very useful chapter. The troubleshooting section for the LDAP configuration is well written and really shares the author's experience.

Chapter 3 is about Java EE Security with WebLogic and explains how to use Maven to administer WebLogic server by example of creating role mappings on the fly. This chapter clearly is wrongly labeled and should have been titled: "Using Maven to administer WebLogic server" because there is nothing new you learn in regards to security and how to protect WebLogic server or your applications. Instead you learn how to use Maven for configuring role mappings upon deployment instead of editing metadata files at design time.  The security bits mentioned in this chapter are Java EE 6 security annotations for servlets and EJB, so nothing that is really specific to WebLogic server. The Maven information is good and detailed, though lost me here and there in some of its folder and project descriptions. The section "A RESTful and secure EJB component" actually explains that in Java EE 6 EJB modules can be deployed with a servlet in a WAR file, which then - using annotations - you can secure in that you check the user role membership before executing a method.

Chapter 4 explains how to build a custom authentication provider using Maven and a JAAS login module. Its an interesting and useful chapter that gives you some good insight in how you build the authentication provider wrapper for a JAAS login module and how WebLogic server MBeans are used for administration. The custom authentication provider authenticates against a JSP file, which the authors use to simulate a legacy or existing SSO system. Again, Maven is used to assemble the provider and to deploy it. The use of Maven adds some complexity to the custom authentication provider explanations and also take a lot of pages from the overall 80 page budget of this book. I wished the use of Maven for deploying the custom authentication provider was explained in a separate chapter. Again, there are no pointers for readers to follow up with a topic. This is a problem with the book as a whole.

Chapter 5 is about Kerberos integration for authentication, which is a frequent customer requirement. The chapter is a step-by-step instruction to how to make the Kerberos authentication work with WebLogic server though, in my opinion, assume quite abit for the reader to know and have as to seen a beginners guide.

As usual, when doing book reviews, I am annotating book pages with questions I have and follow ups action items. The annotations I used the most in this book were Why and How. For sure pointers to follow-up reading would have been good and welcome. I also had difficulties to identify the audience for this book: As an overview it was too technical and not comprehensive in some areas. As a technical book and reference it wasn't detailed enough, leaving me guessing and wondering far too often. In some parts, like the Kerberos configuration in chapter 5, it reads like notes the authors took while setting up the environment for the company they work for.

So who is this book for? To quote the book: "If you are a WebLogic Server administrator who is looking forward to a step-by-step guide to administer and configure WebLogic security, then this guide is for you. This book is also for WebLogic developers who want to leverage the complex but powerful WevLogic security infrastrucure."

This book is well written and contains some good information you want to follow up on after reading the book's 80 pages. However, neither the administrators nor developer finds all that he / she needs to know about WebLogic and Java EE application security to protect a business. In my opinion, the book is good, but the title is wrong! A better title would have been  "WebLogic 12c administration and application deployment with Maven by example of Java EE security".

"Security is a complex matter, and Java EE is not an exception to this rule. To make things even more complicated, WebLogic Server extends standard securtity [...]" - page 5 of  "Securing WebLogic Server 12c". I agree with this statement, but also read from it that the authors were well aware of the need for a more in depth book.

All in all I enjoyed reading this book, though I did not learn a lot in regards to security (the Maven - WebLogic server administration and deployment bits are good though).

My final review summary you can quote me on thus is that The book is a good reference for everyone who has "Maven deployement to WebLogic Server 12c", "custom authentication provider development" and "Kerberos authentication for Windows based authentication" on his or her to-do list.


Ps.: My suggestion to reviewers: Ask more questions about what you read and don't understand. If I see explanations like the following (taken from page 18): "View User Attributes: Some user attributes" then this clearly has not been reviewed with enough care.

Monday Aug 20, 2012

Book Review: Oracle WebLogic Server 12c: First Look

"Oracle WebLogic Server 12c: First Look" written by Michel Schildmeijer and published by Packt Publishing (ISBN 978-1-84968-718-8) is a well structured overview of new features in Java EE 6 and Oracle WebLogic Server 12c. On 117 pages (no typo on my side), Michel provides a well done digest of what you need to know about Java EE 6 development and deployment with WebLogic server 12c. Michel shows in depth expertise in the Java EE and open source landscape as well as in WebLogic server configuration and administration, as well as Oracle Exalogic.

  • Chapter 1 "Ready for the Cloud!" is a brief introduction to Oracle's WLS stratey and the features of Java EE.
  • Chapter 2 "Supporting the Java EE 6" shows an overview of interesting Java EE 6 features like CDI, EJB 3.1, JSF 2.1, JPA, Servlet 3.0 and REST. The book doesn't go in depth when describing the new features but gives you enough information to feed Google for more information.  From a developer perspective its a well written heads up on what you want to research further in preparation for JDeveloper 12c and WLS 12c.
  • Chapter 3 "Deployment, Installation and Configuration Features" lets you know about a lean start option of WLS, class loader analysis, Enterprise Manager functionality and additional packages for application performance monitoring. Again, a lot of heads up to follow up on.
  • Chapter 4 "Integrated and External Services" is about Grid Link and RAC integration, as well as new JDBC features. You also learn about WLS and Java EE security services and the work with RESTful services. Again, this chapter only scratches the surface and is more of a laundry list of what you want to follow up with for your future application development(I at least put down a lot of notes). If you are a project lead or manager (so no developer who need to know exactly how to do things), then this chapter however provides you all information you need to know of.
  • Chapter 5 "Integration and Management with Enterprise Manager 12c Cloud Control is - together with chapter 2 - my personal favorite and explains Enterprise management options a bit closer. Especially WebLogic Server 12c monitoring in this chapter is what I thought "this is what people really need to know about".
  • Chapter 6 "Oracle Weblogic 12c to the Cloud: Exalogic" is less in depth information on what Oracle Exalogic and Exadata is but again provides a reasonable bird's eye overview of the benefits this system provides

As mentioned, 117 pages full of information that are worthwhile reading. The perfect holiday novel for geeks. Definitive, this book is a best value you can get for the cost of if.


Tuesday Feb 28, 2012

Accessing WebLogic Server JDBC DataSource from Java in JSF

There may be a requirement for you to access a JDBC data source defined on the WebLogic Server (for example to query a database or database schema other than the one the application's business service is connected with.

To access the JDBC DataSource, for example from a managed bean in JSF, you code like the following:

connection = null;
try {
  javax.naming.Context initialContext = new javax.naming.InitialContext();
  javax.sql.DataSource dataSource = 
  connection = dataSource.getConnection();
 } catch(Exception e){
      //or handle more gracefully 
In the example above, the JDBC DataSource is defined in WLS as "hrconnDS"

A blog on Oracle JDeveloper, ADF, MAF, MCS and other mobile and web topics inspired by questions and answers posted on the OTN forums.

Frank Nimphius


« May 2016