Java Servlet Questions

Date post: 12-Nov-2014
Upload: kaviarasu
Page 1: Java Servlet Questions

Q: Could compiling a package cause an internal server error?

A: Possibly, but compiling a package wouldn't normally cause a 500 error directly. If you attempted to compile a servlet or a utility class on the host machine and the classpath environment setting was not configured properly, the classes would just fail to compile.

If you compile a single servlet class that has dependencies on other classes in the package, the Java compiler will attempt to compile the relevant source code for the supporting classes, if present. If the required source is not present, your servlet will not compile and javac will report the missing classes.

If you had compiled the servlet class on a development machine and simply uploaded to a host that was not configured in the same way, didn't have the necessary supporting classes, or had different versions of them, this may cause a 500 internal server error. However, the range of possibilities is too broad to guess, so review each of your class dependencies in turn.

A controlled, scripted build and deployment process using tools such as Apache Ant will help standardise your working environment and minimise unplanned changes.

Q: A JSP script causes 500 errors with some browsers!

A: There are many reasons why a JSP may fail, but apparent browser problems may indicate a fault in your program logic. The most common flaws in any server side process are those that assume the client request will have a particular format or all required parameters, e.g.

A document referrer A particular cookie or cookie value Specific Javascript features

Several Web browsers have the option to switch off the HTTP referer (sic) header for privacy reasons, and users may also choose to switch off cookies and Javascript. If your page relies upon any values that are expected to be passed from client to server by these means, or upon dynamically generated URLs on the client side, your JSP may fail.

There is practically no way to persuade users to change their browser configuration, so you should design your application so that it does not rely on these features, or has fallback versions that work around these limitations.

Q: Can I catch an exception and give my own error message?

A: Yes, you can catch servlet errors and give custom error pages for them, but if there are exceptional conditions you can anticipate, it would be better for your application to address these directly and try to avoid them in the first place.

If a servlet relies upon system or network resources that may not be available for unexpected reasons, you can use a RequestDispatcher to forward the request to an error page.

// Obtain the dispatcher for the error page before the risky operation
RequestDispatcher dispatcher = request.getRequestDispatcher("/err/SQL.jsp");
try {
    // SQL operation
} catch (SQLException se) {
    // Hand the request (and response) over to the error page
    dispatcher.forward(request, response);
}

With Apache Tomcat, you can add elements to the web.xml configuration file to specify custom responses to generic exceptions, e.g.

<error-page>
    <exception-type>java.lang.RuntimeException</exception-type>
    <location>/err/RuntimeException.jsp</location>
</error-page>
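As an added example (not code from the original FAQ), here is a complete servlet that applies the pattern above: it validates its input first, keeps the SQLException detail in the server log, and forwards only a neutral message to /err/SQL.jsp. The JNDI name jdbc/customers, the customer table and the error page are assumptions.

```java
// Added example, not from the original FAQ. Assumes a DataSource bound at
// java:comp/env/jdbc/customers (placeholder name) and an error page /err/SQL.jsp.
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

public class CustomerLookupServlet extends HttpServlet {

    private DataSource dataSource;

    @Override
    public void init() throws ServletException {
        try {
            // Resource lookup happens once, at initialisation, not per request
            dataSource = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/customers");
        } catch (NamingException ne) {
            throw new ServletException("DataSource jdbc/customers is not bound", ne);
        }
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String id = request.getParameter("id");
        if (id == null || !id.matches("\\d{1,9}")) {
            // A missing or malformed parameter is a client error, not an exceptional condition
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "id parameter required");
            return;
        }
        try (Connection con = dataSource.getConnection();
             PreparedStatement ps = con.prepareStatement("SELECT name FROM customer WHERE id = ?")) {
            ps.setInt(1, Integer.parseInt(id));   // bound parameter, never concatenated into SQL
            try (ResultSet rs = ps.executeQuery()) {
                response.setContentType("text/plain");
                response.getWriter().println(rs.next() ? rs.getString(1) : "not found");
            }
        } catch (SQLException se) {
            // Driver text and SQL state stay in the server log; the client sees a generic page
            log("database failure for customer id=" + id, se);
            request.setAttribute("errorMessage", "The database is temporarily unavailable.");
            RequestDispatcher dispatcher = request.getRequestDispatcher("/err/SQL.jsp");
            dispatcher.forward(request, response);
        }
    }
}
```

The error page should render only the errorMessage attribute; the stack trace and driver message belong in the server log, since exception text from a database driver often reveals table names and connection details.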

Q: My servlet cannot locate my XSLT file!

A: On Windows systems, the path to files referenced in servlet classes should be given in full, including the drive letter and the path separator backslashes escaped, e.g.

FileReader xslReader = new FileReader("c:\\website\\xsl\\" + stylesheet + ".xsl");

These requirements create obvious compatibility issues when working between a Windows development environment and Unix based production host. Recent JDK versions for Windows translate paths with forward slash separators, but you can use the system os.name property to work with completely different directory structures:

String os = System.getProperty("os.name");
String csspath;
if (os.startsWith("Windows")) {   // matches every Windows version, not only "Windows 95"
    csspath = "c:\\codestyle\\Web\\styles\\";
} else {
    csspath = "/home/codestyle/Web/styles/";
}

It would ultimately be preferable to externalise such variables by using a servlet configuration parameter for a "home" directory on the file system and append any specific paths after it. Assign the home directory in the servlet init method and get a system specific file separator:

home = config.getInitParameter("home");
separator = System.getProperty("file.separator");

Configuration parameters are specified externally to the servlet class and incorporated at run time. The technique for setting these parameters varies according to the servlet processor, so check your documentation. Once these parameters are set, file paths can be constructed by abstract reference:

String xslFileName = home + separator + "xsl" + separator + stylesheet + ".xsl";

Q: How can I fix the Javascript in my servlet?

A: It can be very tricky inserting inline Javascript in servlet output because of the level of quoted output escaping that can be necessary. If you miss or fail to correctly escape a literal quote, your Javascript will not parse correctly. For simplicity, it would be preferable to use an external Javascript file:

<script type="text/javascript" src="/scripts/example.js"></script>

If some Javascript must be included inline, you should move most of the functional code to an external file and simplify your function calls to minimise the amount of quoted text.

You should also validate the HTML output of your servlet, to make sure it is properly structured.
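The following is an added example (not code from the original FAQ) of the recommended split: the functional code lives in /scripts/example.js (assumed to define a greet() function), and the single inline call passes one value that has been escaped for a JavaScript string context, so a quote, a backslash or a closing tag in the value cannot break the script.

```java
// Added example, not from the original FAQ. Assumes /scripts/example.js
// defines greet(name); the servlet class name is a placeholder.
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class GreetingServlet extends HttpServlet {

    /** Escape s for use as a double-quoted JavaScript string literal inside HTML. */
    static String jsStringLiteral(String s) {
        StringBuilder sb = new StringBuilder("\"");
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '"':  sb.append("\\\""); break;
                case '\\': sb.append("\\\\"); break;
                case '\n': sb.append("\\n");  break;
                case '\r': sb.append("\\r");  break;
                case '<':  sb.append("\\u003C"); break;   // a literal "</script>" would end the block
                case '>':  sb.append("\\u003E"); break;
                case '&':  sb.append("\\u0026"); break;
                case '\u2028': sb.append("\\u2028"); break; // JavaScript line terminators
                case '\u2029': sb.append("\\u2029"); break;
                default:
                    if (c < 0x20) {
                        sb.append(String.format("\\u%04X", (int) c));   // other control characters
                    } else {
                        sb.append(c);
                    }
            }
        }
        return sb.append('"').toString();
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String name = req.getParameter("name");
        if (name == null) {
            name = "guest";
        }
        resp.setContentType("text/html; charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<html><head>");
        out.println("<script type=\"text/javascript\" src=\"/scripts/example.js\"></script>");
        out.println("</head><body>");
        // One inline call, one quoted value, already escaped for its context
        out.println("<script type=\"text/javascript\">greet(" + jsStringLiteral(name) + ");</script>");
        out.println("</body></html>");
    }
}
```

The escaping is specific to a string literal inside a script block; a value written into an HTML attribute or element body needs HTML escaping instead, and a value that ends up in a URL needs URL encoding.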


Q: Are servlets multi-threaded?

A: Yes, servlets are normally multi-threaded. The servlet container allocates a thread for each new request for a single servlet without any special programming. Each thread of your servlet runs as if a single user were accessing using it alone, but you can use static variables to store and present information that is common to all threads, like a hit counter for instance.
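An added example (not code from the original FAQ) of the hit counter just mentioned, showing the point that static state is shared by every request thread: a plain static int can lose increments under concurrent requests, while an AtomicInteger cannot. The main method is a stand-alone demonstration with eight threads; the servlet class name is a placeholder.

```java
// Added example, not from the original FAQ.
import java.io.IOException;
import java.util.concurrent.atomic.AtomicInteger;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class HitCounterServlet extends HttpServlet {

    // Unsafe: "unsafeHits++" is a read-modify-write, so two threads can both read the
    // same value and one increment is lost
    private static int unsafeHits = 0;

    // Safe: incrementAndGet is a single atomic operation
    private static final AtomicInteger hits = new AtomicInteger();

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        unsafeHits++;                          // shown only to illustrate the race
        int count = hits.incrementAndGet();    // the form to use in practice
        resp.setContentType("text/plain");
        resp.getWriter().println("hit " + count);
    }

    /** Stand-alone demonstration: 8 threads each perform 10000 increments of both counters. */
    public static void main(String[] args) throws InterruptedException {
        Thread[] workers = new Thread[8];
        for (int i = 0; i < workers.length; i++) {
            workers[i] = new Thread(() -> {
                for (int j = 0; j < 10000; j++) {
                    unsafeHits++;
                    hits.incrementAndGet();
                }
            });
            workers[i].start();
        }
        for (Thread t : workers) {
            t.join();
        }
        System.out.println("atomic counter: " + hits.get());
        System.out.println("unsafe counter: " + unsafeHits);
    }
}
```

Run stand-alone, the atomic counter always reaches 80000; the unsafe counter frequently falls short, and by a different amount each run, which is exactly the kind of intermittent fault that shows up only under load on a production container. Instance fields of a servlet are shared in the same way, since the container normally creates one instance per servlet.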

Java questions

Q: Why isn't my custom Calendar class called?

A: If you have a broad import statement like import java.util.*;, the Java Virtual Machine will adopt the standard distribution version of any named class, such as java.util.Calendar. You should limit the scope of your import statements and use the fully qualified name of the custom Calendar class.

import java.util.Date;
import example.custom.Calendar;

The path to any custom class or package must also be on the classpath applicable to your servlet container and Java compiler at run time. The servlet container will not necessarily "see" any custom class just because it is in the servlets directory.

Q: Why are the wait(), notify() and notifyAll() methods defined in the Object class?

A: These methods are detailed on the Java Software Development Kit JavaDoc page for the Object class; they are defined there so that threaded programming is supported for all subclasses of Object.

Q: How does the run() method in Runnable work?

A: It may help to think of the run method like the main method in standard single threaded applications. The run method is a standard entry point to run or execute a class. The run method is normally only executed in the context of an independent Thread, but is a normal method in all other respects.

One important thing to understand about the run method is that it is only called once when the Thread object's start method is called. There is nothing inherently cyclic about Runnable classes or the Thread context; the run method will return immediately unless you set up a loop to keep it running.

When creating loops in threaded applications, it is important to allow time for other threads to run, which can be done using the static Thread.sleep(long) method.

Q: How can I generate an array from a list?

A: The answer to your question would depend on the format of the list, which is perhaps stored in a file? If there is a consistent character pattern that separates the list items, you might use a StringTokenizer to capture them. Create a BufferedReader from a FileReader and use the readLine() method to acquire the data.

import java.io.BufferedReader;
import java.io.FileReader;
import java.util.StringTokenizer;

// separator: the delimiter character(s) between list items, e.g. ","
FileReader fr = new FileReader("list.txt");
BufferedReader br = new BufferedReader(fr);
StringBuffer sb = new StringBuffer();
String line;
while ((line = br.readLine()) != null) {
    sb.append(line);
    sb.append(separator);   // keeps the last item on one line apart from the first on the next
}
br.close();
String fileContents = sb.toString();
StringTokenizer tokens = new StringTokenizer(fileContents, separator);

Once you have the tokens, create an array of a specific size using the countTokens() method, then assign the items by enumerating the tokens.

String[] listArray = new String[tokens.countTokens()];
int i = 0;
while (tokens.hasMoreTokens()) {
    listArray[i] = tokens.nextToken();
    i++;
}

Q: How can I ensure my compiler will locate the SAX package?

A: One way to ensure your compiler can locate any package it may require is to pass its path to the compiler explicitly using the -classpath argument.


javac -classpath c:\packages\sax.jar SAXClass.java

Once you have confirmed the SAX package is referenced correctly, you will have greater confidence in tracing your general classpath configuration problem. Explicitly declaring the classpath to the compiler has the advantage of absolute clarity, but it is best configured as a batch file, editor task or Ant configuration.

Q: What does this deprecation message mean?

A: The deprecation message you have seen means that the methods you are calling have been marked with a JavaDoc deprecation comment, as below:

/**
 * @deprecated This method is deprecated,
 * use preferredMethod().
 */
public static void deprecatedMethod() {
    // Example
}

Deprecated classes or methods are marked in this way to discourage their use in favour of a new implementation that may be more efficient, secure or better integrated with the API at large.

Most deprecated API components remain fully functional so that applications built with earlier versions remain compatible. To find out which components are deprecated and how to upgrade, compile your application classes with the -deprecation argument:

javac -deprecation MyClass.java

The compiler will refer you to the relevant classes' JavaDoc page, where you should find guidance on the recommended alternative.

Q: Where can I find a JDBC driver for my database?

A: This will depend on the database you use and the JDBC version you require. To find the latest versions, search Google for JDBC driver and add your database name.

Q: How can I get the full path of Explorer.exe?

A: Firstly, you cannot generally obtain this reference from an applet loaded via the Internet because the Java sandbox will not permit this type of system access.

For a stand alone application, you would have to identify all the "roots" of the file system (e.g. Windows drive letters) and recursively check every directory and file in them. Start with File.listRoots() and examine each entry in the File[] array in turn. For a large file system this could take a long time and may encounter many SecurityExceptions along the way.

If there is more than one Explorer.exe, you will have to work out which one to use. Generally, it may be easier to use a java.awt.FileDialog or javax.swing.JFileChooser and ask the user to select the file.

Q: How does Class.forName(dbDriver) work with DriverManager.getConnection?

A: The static forName method is a way to load a class that minimises hard coded dependencies in your Java applications. You may well know the database driver you intend to use when you first write your code, but if you use a String variable for your class name you can re-configure for a different database product without re-writing your client application.

The basic forName method uses a fully qualified class name to locate, load and initialise a Class object using the current classloader. There should only be one Class object for each class loaded by the Java Virtual Machine, so this method also ensures that only one instance is created.

When you use this method to load a JDBC database driver, the driver should call the static DriverManager.registerDriver method to make itself known. Provided the driver class is loaded before you call DriverManager.getConnection, the manager will find the relevant driver by matching the URL argument against the scheme of each registered driver.

All database drivers will have a URL scheme that has the pattern jdbc:subprotocol:subname, and their boolean acceptsURL method confirms whether they can handle a given URL. So another important aspect of flexible database connectivity code is to construct database URLs without hard coding a specific scheme.

You can configure the name of your preferred driver class in your system properties, as an initialisation parameter of a Web application or as a command line option to the Java interpreter.

Q: My Java Web client gets the wrong site!

A: Many Web sites use virtual hosting, which requires you send an HTTP Host header with your request.

Host: www.mysite.example

This header tells the Web server which virtual host you require. This may appear redundant if you specify the domain name in the URL, but Domain Name Services (DNS) will only resolve the Internet Protocol (IP) address for a given domain. Java Socket based connections do not set HTTP headers implicitly. Unless you write a Host header on the socket output stream, a default host may respond, or the server may issue an error code.
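An added example (not code from the original FAQ) of the exchange described above: a minimal HTTP/1.1 GET written to a raw Socket, with the Host header sent explicitly and the request terminated by the blank line. The host name www.mysite.example is the placeholder from the answer; buildRequest is separated out so the exact bytes on the wire can be inspected.

```java
// Added example, not from the original FAQ. The default host name is a placeholder.
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.Writer;
import java.net.Socket;

public class HostHeaderClient {

    /** Build the request text; Host selects the virtual host, Connection: close ends the exchange. */
    static String buildRequest(String host, String path) {
        return "GET " + path + " HTTP/1.1\r\n"
             + "Host: " + host + "\r\n"
             + "Connection: close\r\n"
             + "\r\n";   // the empty line terminates the header block
    }

    /** Send the request and return the server's status line, e.g. "HTTP/1.1 200 OK". */
    static String fetchStatusLine(String host, int port, String path) throws IOException {
        try (Socket socket = new Socket(host, port);
             Writer out = new OutputStreamWriter(socket.getOutputStream(), "US-ASCII");
             BufferedReader in = new BufferedReader(
                     new InputStreamReader(socket.getInputStream(), "ISO-8859-1"))) {
            // A Socket sends nothing on its own; every header line is written by the caller
            out.write(buildRequest(host, path));
            out.flush();
            return in.readLine();
        }
    }

    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "www.mysite.example";   // placeholder
        System.out.println(fetchStatusLine(host, 80, "/"));
    }
}
```

Without the Host line a virtual-hosting server has no way to tell which site is wanted and will answer from its default host or reject the request, which is the symptom in the question. For anything beyond a diagnostic probe, java.net.HttpURLConnection sets Host and the other mandatory headers itself.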

Q: Explain the life cycle methods of a Servlet.

A: The javax.servlet.Servlet interface defines the three methods known as life-cycle methods:

public void init(ServletConfig config) throws ServletException
public void service(ServletRequest req, ServletResponse res) throws ServletException, IOException
public void destroy()

First the servlet is constructed, then initialized with the init() method. Any request from a client is handled initially by the service() method before delegating to the doXxx() methods in the case of HttpServlet.

The servlet is removed from service, destroyed with the destroy() method, then garbage collected and finalized.


Q: What is the difference between the getRequestDispatcher(String path) method of the javax.servlet.ServletRequest interface and that of the javax.servlet.ServletContext interface?

A: The getRequestDispatcher(String path) method of the javax.servlet.ServletRequest interface accepts as its parameter the path to the resource to be included or forwarded to, which can be relative to the request of the calling servlet. If the path begins with a "/" it is interpreted as relative to the current context root.

The getRequestDispatcher(String path) method of the javax.servlet.ServletContext interface cannot accept relative paths. All paths must start with a "/" and are interpreted as relative to the current context root.


Q: Explain the directory structure of a web application.

A: The directory structure of a web application consists of two parts:

A private directory called WEB-INF
A public resource directory which contains the public resources

The WEB-INF folder consists of:
1. web.xml
2. classes directory
3. lib directory


Q: What are the common mechanisms used for session tracking?

A: Cookies
SSL sessions
URL rewriting


Q: Explain ServletContext.

A: The ServletContext interface is a window for a servlet to view its environment. A servlet can use this interface to get information such as initialization parameters for the web application or the servlet container's version. Every web application has one and only one ServletContext, and it is accessible to all active resources of that application.


Q: What is preinitialization of a servlet?

A: A container does not initialize the servlets as soon as it starts up; it initializes a servlet when it receives a request for that servlet for the first time. This is called lazy loading. The servlet specification defines the <load-on-startup> element, which can be specified in the deployment descriptor to make the servlet container load and initialize the servlet as soon as it starts up. The process of loading a servlet before any request comes in is called preloading or preinitializing a servlet.

[ Received from Amit Bhoir ]

Q: What is the difference between doGet() and doPost()?

A: A doGet() method is limited with 2k of data to be sent, and doPost() method doesn't have this limitation. A request string for doGet() looks like the following:

http://www.allapplabs.com/svt1?p1=v1&p2=v2&...&pN=vN

doPost() method call doesn't need a long text tail after a servlet name in a request. All parameters are stored in a request itself, not in a request string, and it's impossible to guess the data transmitted to a servlet only looking at a request string.

[ Received from Amit Bhoir ]

Q: What is the difference between HttpServlet and GenericServlet?

A: A GenericServlet has a service() method aimed to handle requests. HttpServlet extends GenericServlet and adds support for doGet(), doPost(), doHead() methods (HTTP 1.0) plus doPut(), doOptions(), doDelete(), doTrace() methods (HTTP 1.1). Both these classes are abstract.


Q. How do I call a servlet with parameters in the URL?

A. The usual format of a servlet parameter is a name=value pair that comes after a question-mark (?) at the end of the URL. To access these parameters, call the getParameter() method on the HttpServletRequest object, then write code to test the strings. For example, if your URL parameters are "func=topic," where your URL appears as:

http://www.myserver.com/myservlet?func=topic

then you could parse the parameter as follows, where "req" is the HttpServletRequest object:

String func = req.getParameter("func");
if (func.equalsIgnoreCase("topic")) {
    . . . do some work
}
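An added example (not code from the original FAQ) that dispatches on the "func" parameter without assuming it is present. This connects the answer to the earlier point that a request may arrive without the parameters you expect: getParameter() returns null for a missing name, and calling equalsIgnoreCase on that null is a NullPointerException that the container reports as a 500 error. The "list" function and the servlet class are placeholders.

```java
// Added example, not from the original FAQ. Function names and class are placeholders.
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class FuncServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // null when the parameter is absent from the query string
        String func = req.getParameter("func");
        if (func == null || func.isEmpty()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "func parameter is required");
            return;
        }
        // Literal on the left: safe even if the null check above is ever removed
        if ("topic".equalsIgnoreCase(func)) {
            showTopic(req, resp);
        } else if ("list".equalsIgnoreCase(func)) {
            showList(req, resp);
        } else {
            // Unknown values are refused, and not echoed back into the page
            resp.sendError(HttpServletResponse.SC_NOT_FOUND, "unknown function");
        }
    }

    private void showTopic(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("topic view");
    }

    private void showList(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("list view");
    }
}
```

The same rule applies to every value read from the request: headers, cookies and the referer can all be absent, and a 4xx response with a short message is the correct answer to a request that lacks something required, rather than an unhandled exception.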

Q. How can I run multiple instances of the same servlet class in the same WebLogic Server instance?

A. If you want to run multiple instances, your servlet will have to implement the SingleThreadModel interface. An instance of a class that implements the SingleThreadModel interface is guaranteed not to be invoked by multiple threads simultaneously. Multiple instances of a SingleThreadModel interface are used to service simultaneous requests, each running in a single thread. When designing your servlet, consider how you use shared resources outside of the servlet class such as file and database access. Because there are multiple instances of servlets that are identical, and may use exactly the same resources, there are still synchronization and sharing issues that must be resolved, even if you do implement the SingleThreadModel interface.

Q. How do I deserialize an HttpSession?

A. To deserialize an HttpSession, construct a utility class that uses the current thread's context classloader to load the user defined objects within the application context. Then add this utility class to the system CLASSPATH.

Q. What is the difference between the Compatibility realm and myrealm? Under what circumstances should I use each of these realms?

A. If you have a 6.x config.xml file and you boot WebLogic Server, the following realms are created:

Compatibility realm—Allows you to use an existing 6.x security configuration as is in the management environment provided in this release of WebLogic Server. The Realm Adapter providers allows access to existing stores of users, groups, and access control lists (ACLs).

myrealm—Is the default security realm in this release of WebLogic Server. By default, the WebLogic Security providers are configured in myrealm.

For more information, see Managing WebLogic Security.

Q. What are the default groups users and everyone used for?


A. The users and everyone groups are convenience groups that allow you to apply global roles and security policies. All WebLogic Server users are members of the everyone group. Only WebLogic Server users who are not the <anonymous> user are members of the users group.

For more information, see Managing WebLogic Security.

Q. Is there still a guest user?

A. The guest user is no longer supported by default in this release of WebLogic Server. In WebLogic Server 6.x, guest was both the name of a user and the name for anonymous logins. The new user name for an anonymous user is <anonymous>. You can change this username by booting WebLogic Server with the following command line argument:

-Dweblogic.security.anonymousUserName=newAnonymousUserName

This argument allows you to make the name of the anonymous user guest for the purpose of backward compatibility.

If you want to have a guest user in this release of WebLogic Server, create a user with the name guest in the Authentication provider in the default security realm and give the user the password of guest. If your code depends on the guest user, you should consider rewriting it to use the utility methods in weblogic.security.WLSPrincipals.

Q. I want to provide additional fields in my Web application for form-based authentication. What application programming interfaces (APIs) should I use?

A. The CallbackHandler implementation in the WebLogic Authentication provider supports only stringified versions of a username and password when using form-based authentication.

If a Web application requires more authentication information, use the javax.security.auth.TextInputCallback interface of the JAAS Callback application programming interface (API) in the code for your LoginModule. The implementation of the javax.security.auth.TextInputCallback interface needs to use the name of the authentication field as the prompt to the method constructor. For example:

Callback[] callbacks = new Callback[1];
callbacks[0] = new TextInputCallback("TextField");   // index 0: the array has a single element
try {
    callbackHandler.handle(callbacks);
    textField1 = ((TextInputCallback) callbacks[0]).getText();
} catch (java.io.IOException ioe) {
    throw new LoginException(ioe.toString());
} catch (UnsupportedCallbackException uce) {
    throw new LoginException("Error: " + uce.getCallback().toString()
            + " not available to garner authentication information from the user");
}
// textField1 now holds the value the callback handler supplied for "TextField"


When the ServletCallbackHandler gets a TextInputCallback, the callback handler looks for a form field matching the prompt of the TextInputCallback. If there is a match, the callback handler sets the value in the callback. If no match is found, an UnsupportedCallbackException is raised.

Q. I am using the 6.x security realm APIs in my application. How do I upgrade this functionality to the security APIs in this release of WebLogic Server?

Specifically, I am using the security.getRealm() method and then the getGroup(), getGroups(), and getUser() methods on the returned realm.

A. You can use your 6.x application as is in the WebLogic Server environment by using Compatibility security.

The management of WebLogic Server changed in 6.x away from direct calls on the realm to the use of MBeans. This change was the first step in creating a unified administration model for WebLogic Server. While the Security MBeans introduced in 6.x mirrored the capabilities defined for the realm, they were not flexible enough to allow security vendors to integrate their products with WebLogic Server. This release of WebLogic Server provides a set of Security Service Provider Interfaces (SSPI) and Security SPI MBeans that allow you to write custom security products for WebLogic Server. These MBeans can also be used to replicate functionality in an existing application so that the application can be used in the WebLogic Server environment.

If you choose to upgrade your realm, you will need to write an implementation of the MBeans found in the weblogic.management.security package. These MBeans allow you to implement management methods that are specific to your 6.x realm. For a description of using the MBeans in the weblogic.management.security package, see Developing Security Providers for WebLogic Server.

The following are some hints that may help you upgrade applications based on security realms to the security architecture available in this release of WebLogic Server:

If you are using the security realm to authenticate users, instead use the JAAS API to authenticate users.

Table 19-1 lists the mappings between the interfaces in the 6.x version of the weblogic.security.acl package and the interfaces in the weblogic.management.security.authentication package.

Note: The weblogic.security.acl package is deprecated in this release of WebLogic Server.

Table 19-1 Interface Mapping

Method in the 6.x weblogic.security.acl package    Corresponding method in the weblogic.management.security.authentication package
newUser()                                          UserEditor.createUser()
deleteUser()                                       UserRemover.removeUser()
newGroup()                                         GroupEditor.createGroup()
deleteGroup()                                      GroupRemover.removeGroup()
Group.addMember()                                  GroupEditor.addMemberToGroup()
Group.removeMember()                               GroupEditor.removeMemberFromGroup()
Group.isMember()                                   GroupMemberLister.listGroupMembers() or SubjectUtils.isUserInGroup()
Group.members()                                    GroupMemberLister.listGroupMembers()
userExists()                                       UserReader.isUser()
isGroupMember()                                    GroupReader.groupExists(), GroupReader.isMember()

Q. Does WebLogic Server support Diffie-Hellman or DSS/DSA digital certificates?

A. No. The exportable version of WebLogic supports only 512 bit RSA with 40 bit RC4. Additionally, Web browsers do not support these types of certificates, and there are no commercial issuers for DSA certificates.

Q. Can a Weblogic Server deployment have one RSA and one non-RSA certificate?

A. No.

Q. Must we pay RSA licensing costs for non-RSA client code?

A. WebLogic Server has licensed RSA for SSL communications between WebLogic Server and WebLogic clients. When using WebLogic Server, no extra licensing for RSA is necessary, although different rules apply to VARs.

Q. How do I use Netscape security certificates with WebLogic Server?

A. Netscape stores the private and public keys together in a key-pair file which prevents you from separating the public and private keys. Therefore, you must generate another request for a certificate, not using Netscape utilities.

Q. How do I restrict access to servlets and JSPs?

A. The Java Servlet API Specification v2.3 allows you to declaratively restrict access to specific Servlets and JSPs using the Web Application deployment descriptor. Section 13.3.2 of the specification has an example deployment descriptor that uses declarative security. For more information, see Programming WebLogic HTTP Servlets. You can also specify roles for EJBs and Web applications through the Administration Console. For more information, see Securing WebLogic Resources.


Q. Can I use RSA encryption algorithms and javax.crypto.* API to build applications?

A. No. WebLogic's RSA license does not permit end-users to use RSA classes directly. You must obtain your own license for the encryption libraries from RSA.

Q. Can I use a JNDI Initial Context to pass the security credentials of a WebLogic Server user?

A. The ability to use JNDI to pass security credentials was deprecated in 6.1 of WebLogic Server. You can still use this method in this release WebLogic Server. However, BEA recommends using the Java Authentication and Authorization Service (JAAS) runAs() method rather than JNDI to associate a user with a security context. For more information, see Programming WebLogic Security.

Q. Are WebLogic Server passwords secure?

A. The config.xml file no longer has clear text passwords. In place of clear text passwords, the config.xml file has encrypted passwords. You cannot copy encrypted passwords from one domain to another. Instead, you can edit the config.xml file and replace the existing encrypted passwords with clear text passwords and then copy the file to the new domain. The Administration Console will encrypt the passwords the next time it writes to the file.

Q. Why do I get a certificate configuration error when I start my WebLogic Server?

For example: Alert> <WebLogicServer> <Security> configuration problem with certificate file

A. It is possible that you did not specify a WL_HOME relative file name in your SSL configuration files.

For more information, see Managing WebLogic Security.

Q. Why can't I establish an outbound SSL connection when using the demonstration certificates?

A. When establishing an SSL connection, the subject DN of the digital certificate must match the host name of the server initiating the SSL connection. Otherwise, the SSL connection is dropped. If you use the demonstration certificates, the host names will not match. To avoid this situation, use the following command-line argument when starting WebLogic Server:

-Dweblogic.security.SSL.ignoreHostnameVerification=true

This argument disables the Hostname Verifier which compares the subject DNs and host names. This solution is recommended in development environments only. A more secure solution is to obtain a new digital certificate for the server making outbound SSL connections.

Q. Why do I get a configuration error when establishing an SSL connection to WebLogic Server?

For example: <WebLogic Server> <SSLListenThread listening on port 8802> Failed to connect to t3s://localhost:8802.


A problem with the configuration of the SSL protocol will also raise the following exception:

<java.io.IOException: Write Channel Closed, possible handshaking or trust failure>

A. By default, WebLogic Server contains a Hostname Verifier that compares the subject DNs of digital certificates and host names. When establishing an SSL connection, the subject DN of the digital certificate must match the host name of the server initiating the SSL connection. If you use the demonstration certificates the host names will not match. To avoid this situation, use the following command-line argument when starting WebLogic Server:

-Dweblogic.security.SSL.ignoreHostnameVerification=true

This argument disables the Hostname Verifier. This solution is recommended in development environments only. A more secure solution is to obtain a new digital certificate for your WebLogic client.
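The comparison the Hostname Verifier performs, both for the outbound connection case above and for the inbound case in this answer, can be exercised with OpenSSL. The script below is an added example, not part of the original FAQ and not WebLogic code: it creates a constructed self-signed certificate whose subject CN (demo-certificate) stands in for a demonstration certificate, then checks that certificate against a host name the way a hostname verifier does. The verify_peer function and its ignore_hostname flag are assumptions modelled on the -Dweblogic.security.SSL.ignoreHostnameVerification=true switch described above; they are not a WebLogic API.

```shell
#!/bin/sh
# Added example: what a hostname verifier checks, and what disabling it means.
set -e

WORK=${WORK:-$(mktemp -d)}

# Constructed stand-in for a demonstration certificate: the subject CN names a
# host (demo-certificate) that is not the host we will pretend to connect to.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=demo-certificate/O=Example" \
    -keyout "$WORK/demo.key" -out "$WORK/demo.pem" 2>/dev/null
}

# Return 0 when the certificate's identity (subjectAltName, else CN) matches the
# host name, 1 otherwise. This is the comparison a hostname verifier performs.
cert_matches_host() {
  cert=$1; host=$2
  openssl x509 -in "$cert" -noout -checkhost "$host" \
    | grep -q " does match certificate"
}

# Assumed helper mirroring the two behaviours in the FAQ: verification on
# (the default) versus ignoreHostnameVerification=true.
verify_peer() {
  cert=$1; host=$2; ignore_hostname=${3:-false}
  if [ "$ignore_hostname" = true ]; then
    # With verification off, a certificate for ANY name is accepted, which is
    # why the FAQ confines this setting to development environments.
    echo "accepted (hostname verification disabled)"
    return 0
  fi
  if cert_matches_host "$cert" "$host"; then
    echo "accepted: certificate matches $host"
    return 0
  fi
  echo "rejected: certificate is not for $host"
  return 1
}

main() {
  make_demo_cert
  verify_peer "$WORK/demo.pem" localhost || true   # the mismatch the FAQ describes
  verify_peer "$WORK/demo.pem" demo-certificate    # the name the certificate carries
  verify_peer "$WORK/demo.pem" localhost true      # what the -D flag does
}

if [ "${1:-}" = demo ]; then main; fi
```

Run it with `sh verify.sh demo`: the first check is rejected because the certificate is for demo-certificate rather than localhost, the second is accepted, and the third is accepted only because verification was switched off. A real verifier (and `openssl x509 -checkhost`) looks at subjectAltName entries first and falls back to the CN only when none are present, so a certificate issued for the actual host name is the fix, not the flag.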

In this release of WebLogic Server, WebLogic clients perform a trusted certificate authority check on the digital certificate for WebLogic Server. The client may reject the digital certificate of WebLogic Server if the certificate was not issued by a certificate authority trusted by the client. Previous versions of WebLogic Server did not perform this check.

Q. Why does my servlet return a no certificate message?

A. Unless WebLogic Server is configured to ask a client for its digital certificate during the SSL handshake (referred to as Two-Way SSL), WebLogic Server will not have the digital certificate. You get this error when a WebLogic servlet or JSP tries to perform peer validation on the client. Set the Client Certificate Enforced attribute when configuring SSL to require WebLogic Server to request client certificates.

Q. Why doesn't my Custom security provider show up (that is, it doesn't appear as a Configure a new Security_Provider_Type link) in the Administration Console?

A. Check to make sure the system administrator put the MBean JAR file (MJF) in the lib/mbeantype directory.

Q. Why do I get a 401 Unauthorized User error when using CLIENT-CERT in the login-config of my web application?

A. To use a login-config of CLIENT-CERT, ensure the following:

1. Two-way SSL is configured on the server with the Client Enforced option set.

2. The web application is accessed via HTTPS.

3. A user corresponding to the CN attribute of the digital certificate for the web application is defined in the default security realm, and that security realm has an Identity Assertion provider configured.

CLIENT-CERT also applies when perimeter authentication is used (meaning digital certificates are coming in via HTTP headers or cookies). In this case, two-way SSL and HTTPS are not required.

Q. Why can't I use keytool to import a digital certificate into the identity keystore?


A. When using the keytool utility to create a Certificate Signing Request (CSR), a self-signed digital certificate is placed in the identity keystore. On occasion, a problem will occur when using the keytool commands to replace the self-signed digital certificate in the keystore with a signed digital certificate received from a trusted CA. Use the keytool utility to import the trusted CA certificate into the keystore before importing the signed digital certificate into the keystore. The steps are as follows:

1. Obtain the trusted CA certificate.

2. Use the der2pem utility to convert the trusted CA certificate to a PEM file.

3. Use the keytool utility to create an identity keystore. For example:

keytool -genkey -alias subjectkey -keypass keypassword -keystore nameofkeystore -storepass keystorepassphrase

4. Use keytool certreq command to create a CSR and submit the CSR to a certificate authority. For example:

keytool -certreq -alias subjectkey -keypass keypassword -keystore nameofkeystore -storepass keystorepassphrase -file mycertificate.cer

5. Use the keytool import command to import the PEM file for the trusted CA into the keystore.

6. Use the keytool import command with the -trustcacerts option to import the signed digital certificate from the certificate authority into the keystore.
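The six steps above as one runnable script. This is an added example, not a WebLogic or FAQ script: because it has to run offline, a throw-away keystore named testca.jks plays the part of the trusted CA (steps 1 and 2, and the CSR submission in step 4), which is an assumption; against a real CA you would send mycertificate.csr off and receive the signed certificate back. File names, the rootca alias and the changeit passphrase are constructed. keytool accepts both DER and PEM on import, so the PEM conversion of step 2 is done here with -exportcert -rfc instead of der2pem.

```shell
#!/bin/sh
# Added example: identity keystore with a CA-signed certificate, in the order the
# FAQ prescribes (trusted CA certificate first, signed certificate second).
set -e

WORK=${WORK:-$(mktemp -d)}
KS="$WORK/identity.jks"        # the identity keystore ("nameofkeystore" above)
CA_KS="$WORK/testca.jks"       # constructed stand-in for the trusted CA
PASS=${PASS:-changeit}         # constructed passphrase, for the demo only
HOST=${HOST:-localhost}        # host name the server certificate should carry

# Steps 1 and 2 (simulated): a throw-away CA and its certificate in PEM form.
make_test_ca() {
  keytool -genkeypair -alias rootca -keyalg RSA -keysize 2048 -validity 30 \
    -dname "CN=Example Test CA, O=Example" -ext bc:c \
    -storetype JKS -keystore "$CA_KS" -storepass "$PASS" -keypass "$PASS"
  keytool -exportcert -alias rootca -rfc \
    -keystore "$CA_KS" -storepass "$PASS" -file "$WORK/rootca.pem"
}

# Step 3: identity keystore holding a key pair and a self-signed certificate.
create_identity_keystore() {
  keytool -genkeypair -alias subjectkey -keyalg RSA -keysize 2048 -validity 30 \
    -dname "CN=$HOST, OU=Demo, O=Example" \
    -storetype JKS -keystore "$KS" -storepass "$PASS" -keypass "$PASS"
}

# Step 4: certificate signing request for the subjectkey entry.
create_csr() {
  keytool -certreq -alias subjectkey -keystore "$KS" \
    -storepass "$PASS" -keypass "$PASS" -file "$WORK/mycertificate.csr"
}

# Step 4, CA side (simulated): sign the CSR with the test CA key.
sign_csr() {
  keytool -gencert -alias rootca -keystore "$CA_KS" \
    -storepass "$PASS" -keypass "$PASS" -validity 30 -rfc \
    -ext "san=dns:$HOST" \
    -infile "$WORK/mycertificate.csr" -outfile "$WORK/mycertificate.cer"
}

# Step 5: import the CA certificate FIRST, as a trusted entry under its own alias.
import_ca_cert() {
  keytool -importcert -alias rootca -noprompt -trustcacerts \
    -keystore "$KS" -storepass "$PASS" -file "$WORK/rootca.pem"
}

# Step 6: import the signed certificate under the SAME alias as the key pair, so
# keytool treats it as a certificate reply and chains it to the trusted CA.
import_signed_cert() {
  keytool -importcert -alias subjectkey -noprompt -trustcacerts \
    -keystore "$KS" -storepass "$PASS" -keypass "$PASS" \
    -file "$WORK/mycertificate.cer"
}

# Check: the identity entry should now carry a two-certificate chain.
chain_length() {
  keytool -list -v -alias subjectkey -keystore "$KS" -storepass "$PASS" \
    | sed -n 's/^Certificate chain length: //p'
}

run_all() {
  make_test_ca >/dev/null
  create_identity_keystore >/dev/null
  create_csr >/dev/null
  sign_csr >/dev/null
  import_ca_cert >/dev/null
  import_signed_cert >/dev/null
  chain_length
}

if [ "${1:-}" = demo ]; then run_all; fi
```

`sh keystore.sh demo` prints the chain length of the subjectkey entry, 2 (server certificate plus CA certificate), which shows the reply was accepted and chained. Run step 6 without step 5 and keytool refuses the reply because it cannot build a chain from it to a trusted certificate; that is the failure the answer describes and the reason the CA certificate is imported first.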

Q. Can I programmatically add users and groups to the WebLogic Authentication provider?

A. Use the createUser() and createGroup() interfaces in the weblogic.management.security.authentication class.

Q. When using the WebLogic Credential Mapping provider, how do you create mappings for anonymous or unauthenticated users?

A. When using the Resource container, special usernames are established for different cases. A mapping called wls_ra_anonymous is used when there is no authenticated WebLogic user (meaning the Subject has no users or is null). The Resource container also defines special mappings for mappings created during a Resource Adapter's pool startup (wls_ra_initial) and for when no other configured mapping applies to the given Subject (wls_ra_default).

Q. How do I configure multiple Authentication providers to work together in a security realm?

A. The Login Modules for all the different types of supported Authentication providers conform to the JAAS specification. If there are two Authentication providers configured in a security realm and you want valid users from either provider to log into the system, set the JAAS Control Flag on each Authentication provider to REQUISITE.

Q. Can an application use Java security?

A. Yes. An application can use Java security as well as JAAS authorization within itself. The application can use checkPermission() and all the other Java security calls. The only caveat is that there is no guarantee of your identity or code base when the application is being called from the server. At all entry points, your identity and code base must be re-established using AccessController.doPrivileged() or Subject.doAs().

Q. When using Java security, how do I change the default permissions for an application?

A. In the Java security policy file, there are three "fake" codebases, one for each of the three component types:

"file:/weblogic/application/defaults/EJB" for EJBs

"file:/weblogic/application/defaults/Web" for Web applications

"file:/weblogic/application/defaults/Connector" for Connector applications

These codebases contain the defaults for these types of applications. When evaluating these defaults, the string "WEBLOGIC-APPLICATION-ROOT" will be expanded to the top-level directory where the application was deployed.

Q. How do I protect access to the embedded LDAP server?

A. The acls.prop file (located in WLHOME/server/lib/acls.prop) controls access to the embedded LDAP server. You can modify the acls.prop file to control access to the LDAP server. For more information, see Managing the Embedded LDAP Server.

Q. Does the embedded LDAP server support SSL?

A. Yes. Use the SSL listen port (7002). The WebLogic Server muxer is actually performing all the SSL work so there should be no additional configuration required when using SSL to talk to the embedded LDAP server.

Q. What is the password for the LDAP Admin Account?

A. The password is specified in the Credential field of the EmbeddedLDAP MBean. The password is generated on the first boot of the server and written to the config.xml file. The LDAP Admin account DN is cn=Admin. Use the WebLogic Server Administration Console to change the password for the LDAP Admin account. For more information, see Configuring the Embedded LDAP Server.
