
Q: Could compiling a package cause an internal server error?

A: Possibly, but compiling a package wouldn't normally cause a 500 error directly. If you attempted
to compile a servlet or a utility class on the host machine and the classpath environment setting
was not configured properly, the classes would just fail to compile.

If you compile a single servlet class that has dependencies on other classes in the package, the Java
compiler will attempt to compile the relevant source code for the supporting classes, if present. If the
required source is not present, your servlet will not compile and javac will report the missing
classes.

If you had compiled the servlet class on a development machine and simply uploaded to a host that
was not configured in the same way, didn't have the necessary supporting classes, or had different
versions of them, this may cause a 500 internal server error. However, the range of possibilities is too
broad to guess, so review each of your class dependencies in turn.

A controlled, scripted build and deployment process using tools such as Apache Ant will help
standardise your working environment and minimise unplanned changes.

Q: A JSP script causes 500 errors with some browsers!


A: There are many reasons why a JSP may fail, but apparent browser problems may indicate a fault
in your program logic. The most common flaws in any server side process are those that assume the
client request will have a particular format or all required parameters, e.g.

• A document referrer
• A particular cookie or cookie value
• Specific Javascript features

Several Web browsers have the option to switch off the HTTP referer (sic) header for privacy
reasons, and users may also choose to switch off cookies and Javascript. If your page relies upon any
values that are expected to be passed from client to server by these means, or upon dynamically
generated URLs on the client side, your JSP may fail.

There is practically no way to persuade users to change their browser configuration, so you should
design your application so that it does not rely on these features, or has fallback versions that work
around these limitations.

Q: Can I catch an exception and give my own error message?


A: Yes, you can catch servlet errors and give custom error pages for them, but if there are
exceptional conditions you can anticipate, it would be better for your application to address these
directly and try to avoid them in the first place.

If a servlet relies upon system or network resources that may not be available for unexpected
reasons, you can use a RequestDispatcher to forward the request to an error page.

RequestDispatcher dispatcher = request.getRequestDispatcher("/err/SQL.jsp");

try {
  // SQL operation
} catch (SQLException se) {
  dispatcher.forward(request, response);
}

With Apache Tomcat, you can add elements to the web.xml configuration file to specify custom
responses to generic exceptions, e.g.

<error-page>
  <exception-type>java.lang.RuntimeException</exception-type>
  <location>/err/RuntimeException.jsp</location>
</error-page>
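As an added example (not part of the original FAQ), the same RequestDispatcher pattern inside a complete servlet method that also logs the failure on the server and keeps driver and schema details out of the response; the DataSource field, the account query and the JSP paths are assumptions:

```java
// Added example: catch a SQLException, log it server-side with a reference id,
// and forward to the FAQ's /err/SQL.jsp so the client never sees the stack trace.
// Assumed: a DataSource set up in init() (e.g. via JNDI) and an "account" table.
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.UUID;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

public class AccountServlet extends HttpServlet {

    private DataSource dataSource; // assumed to be assigned in init()

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String accountId = request.getParameter("id");
        try (Connection con = dataSource.getConnection();
             PreparedStatement ps = con.prepareStatement(
                     "SELECT name FROM account WHERE id = ?")) {
            ps.setString(1, accountId);            // bound parameter, never concatenated
            try (ResultSet rs = ps.executeQuery()) {
                request.setAttribute("accountName", rs.next() ? rs.getString(1) : null);
            }
            request.getRequestDispatcher("/WEB-INF/jsp/account.jsp").forward(request, response);
        } catch (SQLException se) {
            // A short reference lets support find the full stack trace in the server
            // log; the client only ever sees the reference, not the exception text.
            String ref = UUID.randomUUID().toString();
            log("SQL failure ref=" + ref, se);     // GenericServlet.log(String, Throwable)
            response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            request.setAttribute("errorRef", ref);
            RequestDispatcher dispatcher = request.getRequestDispatcher("/err/SQL.jsp");
            dispatcher.forward(request, response);
        }
    }
}
```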

Q: My servlet cannot locate my XSLT file!


A: On Windows systems, the path to files referenced in servlet classes should be given in full,
including the drive letter and the path separator backslashes escaped, e.g.

FileReader xslReader = new FileReader("c:\\website\\xsl\\" + stylesheet + ".xsl");

These requirements create obvious compatibility issues when working between a Windows
development environment and Unix based production host. Recent JDK versions for Windows
translate paths with forward slash separators, but you can use the system os.name property to work
with completely different directory structures:

String os = System.getProperty("os.name");
String csspath;
if (os.equals("Windows 95")) {
  csspath = "c:\\codestyle\\Web\\styles\\";
} else {
  csspath = "/home/codestyle/Web/styles/";
}

It would ultimately be preferable to externalise such variables by using a servlet configuration
parameter for a "home" directory on the file system and append any specific paths after it. Assign the
home directory in the servlet init method and get a system specific file separator:

home = config.getInitParameter("home");
separator = System.getProperty("file.separator");

Configuration parameters are specified externally to the servlet class and incorporated at run time.
The technique for setting these parameters varies according to the servlet processor, so check your
documentation. Once these parameters are set, file paths can be constructed by abstract reference:

String xslFileName = home + separator + "xsl" + separator + stylesheet + ".xsl";
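As an added example (not part of the original FAQ), the "home" init parameter approach carried through to a complete servlet, with the check a practitioner would want before the stylesheet name reaches the file system: a request-supplied name such as "../../etc/passwd" would otherwise escape the xsl directory. Class, method and field names are assumptions:

```java
// Added example: build the stylesheet path from the "home" init parameter and
// reject any name that is not a plain identifier or whose resolved path leaves
// the xsl directory. java.io.File supplies the platform separator, so no
// os.name test is required.
import java.io.File;
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;

public class XslServlet extends HttpServlet {

    // Only plain names: letters, digits, underscore, hyphen. No separators, no dots.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    private File xslDir;

    public void init(ServletConfig config) throws ServletException {
        super.init(config);
        String home = config.getInitParameter("home");   // e.g. /home/codestyle/Web
        if (home == null) {
            throw new ServletException("init parameter 'home' is not set");
        }
        xslDir = new File(home, "xsl");
    }

    /** Resolves a stylesheet name to a file inside xslDir, or throws. */
    File resolveStylesheet(String stylesheet) throws IOException {
        if (stylesheet == null || !SAFE_NAME.matcher(stylesheet).matches()) {
            throw new IOException("invalid stylesheet name");
        }
        File candidate = new File(xslDir, stylesheet + ".xsl");
        // Second line of defence: the canonical path must still lie under the xsl
        // directory (this also catches symbolic links that point outside it).
        String base = xslDir.getCanonicalPath() + File.separator;
        if (!candidate.getCanonicalPath().startsWith(base)) {
            throw new IOException("stylesheet path escapes " + base);
        }
        return candidate;
    }
}
```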

Q: How can I fix the Javascript in my servlet?


A: It can be very tricky inserting inline Javascript in servlet output because of the level of quoted
output escaping that can be necessary. If you miss or fail to correctly escape a literal quote, your
Javascript will not parse correctly. For simplicity, it would be preferable to use an external Javascript
file:

<script type="text/javascript" src="/scripts/example.js"></script>

If some Javascript must be included inline, you should move most of the functional code to an
external file and simplify your function calls to minimise the amount of quoted text.

You should also validate the HTML output of your servlet, to make sure it is properly structured.

Q: Are servlets multi-threaded?


A: Yes, servlets are normally multi-threaded. The servlet container allocates a thread for each new
request for a single servlet without any special programming. Each thread of your servlet runs as if a
single user were accessing it alone, but you can use static variables to store and present
information that is common to all threads, like a hit counter for instance.

Java questions
Q: Why isn't my custom Calendar class called?
A: If you have a broad import statement like import java.util.*;, the Java Virtual Machine
will adopt the standard distribution version of any named class, such as java.util.Calendar.
You should limit the scope of your import statements and use the fully qualified name of the custom
Calendar class.

import java.util.Date;
import example.custom.Calendar;

The path to any custom class or package must also be on the classpath applicable to your servlet
container and Java compiler at run time. The servlet container will not necessarily "see" any custom
class just because it is in the servlets directory.

Q: Why are wait(), notify() and notifyAll() methods defined in the Object class?

A: These methods are detailed on the Java Software Development Kit JavaDoc page for the
Object class. They are defined there so that threaded programming is available to all subclasses of
Object, i.e. to every Java object, since any object may serve as a monitor.

Q: How does the run() method in Runnable work?


A: It may help to think of the run method like the main method in standard single threaded
applications. The run method is a standard entry point to run or execute a class. The run method is
normally only executed in the context of an independent Thread, but is a normal method in all
other respects.

One important thing to understand about the run method is that it is only called once when the
Thread object's start method is called. There is nothing inherently cyclic about Runnable
classes or the Thread context; the run method will return immediately unless you set up a loop to
keep it running.

When creating loops in threaded applications, it is important to allow time for other threads to run,
which can be done using the static Thread.sleep(int) method.

Q: How can I generate an array from a list?


A: The answer to your question would depend on the format of the list, which is perhaps stored in a
file? If there is a consistent character pattern that separates the list items, you might use a
StringTokenizer to capture them. Create a BufferedReader from a FileReader and use
the readLine() method to acquire the data.

import java.io.BufferedReader;
import java.io.FileReader;
import java.util.StringTokenizer;

// "separator" is whatever character(s) separate the list items in your file
String separator = ",";

FileReader fr = new FileReader("list.txt");
BufferedReader br = new BufferedReader(fr);
StringBuffer sb = new StringBuffer();
String line;
while ((line = br.readLine()) != null) {
  sb.append(line);
  // lines are joined as-is; if the line break itself separates items, append separator here too
}
br.close();
String fileContents = sb.toString();
StringTokenizer tokens = new StringTokenizer(fileContents, separator);

Once you have the tokens, create an array of a specific size using the countTokens() method,
then assign the items by enumerating the tokens.

String[] listArray = new String[tokens.countTokens()];
int i = 0;
while (tokens.hasMoreTokens()) {
  listArray[i] = tokens.nextToken();
  i++;
}

Q: How can I ensure my compiler will locate the SAX package?


A: One way to ensure your compiler can locate any package it may require is to pass its path to the
compiler explicitly using the -classpath argument.
javac -classpath c:\packages\sax.jar SAXClass.java

Once you have confirmed the SAX package is referenced correctly, you will have greater confidence
in tracing your general classpath configuration problem. Explicitly declaring the classpath to the
compiler has the advantage of absolute clarity, but it is best configured as a batch file, editor task or
Ant configuration.

Q: What does this deprecation message mean?

A: The deprecation message you have seen means that the methods you are calling have been marked
with a JavaDoc deprecation comment, as below:

/**
 * @deprecated This method is deprecated,
 * use preferredMethod().
 */
public static void deprecatedMethod() {
  // Example
}

Deprecated classes or methods are marked in this way to discourage their use in favour of a new
implementation that may be more efficient, secure or better integrated with the API at large.

Most deprecated API components remain fully functional so that applications built with earlier
versions remain compatible. To find out which components are deprecated and how to upgrade,
compile your application classes with the -deprecation argument:

javac -deprecation MyClass.java

The compiler will refer you to the relevant classes' JavaDoc page, where you should find guidance
on the recommended alternative.

Q: Where can I find a JDBC driver for my database?


A: This will depend on the database you use and the JDBC version you require. To find the latest
versions, search Google for JDBC driver and add your database name.

Q: How can I get the full path of Explorer.exe?


A: Firstly, you cannot generally obtain this reference from an applet loaded via the Internet because
the Java sandbox will not permit this type of system access.

For a stand alone application, you would have to identify all the "roots" of the file system (e.g.
Windows drive letters) and recursively check every directory and file in them. Start with
File.listRoots() and examine each entry in the File[] array in turn. For a large file system
this could take a long time and may encounter many SecurityExceptions along the way.
If there is more than one Explorer.exe, you will have to work out which one to use. Generally, it
may be easier to use a java.awt.FileDialog or javax.swing.JFileChooser and ask
the user to select the file.

Q: How does Class.forName(dbDriver) work with DriverManager.getConnection?

A: The static forName method is a way to instantiate a class that minimises hard coded dependencies
in your Java applications. You may well know the database driver you intend to use when you first
write your code, but if you use a String variable for your class name you can re-configure for a
different database product without re-writing your client application.

The basic forName method uses a fully qualified class name to locate, load and initialise a Class
object using the current classloader. There should only be one Class object for each class loaded by
the Java Virtual Machine, so this method also ensures that only one instance is created.

When you use this method to load a JDBC database driver, the driver should call the static
DriverManager.registerDriver method to make itself known. Provided the driver class is
loaded before you call DriverManager.getConnection, the manager will find the relevant
driver by matching the URL argument against the scheme of each registered driver.

All database drivers will have a URL scheme that has the pattern
jdbc:subprotocol:subname, and their boolean acceptsURL method confirms whether
they can handle a given URL. So another important aspect of flexible database connectivity code is
to construct database URLs without hard coding a specific scheme.

You can configure the name of your preferred driver class in your system properties, as an
initialisation parameter of a Web application or as a command line option to the Java interpreter.

Q: My Java Web client gets the wrong site!


A: Many Web sites use virtual hosting, which requires you send an HTTP Host header with your
request.

Host: www.mysite.example

This header tells the Web server which virtual host you require. This may appear redundant if you
specify the domain name in the URL, but Domain Name Services (DNS) will only resolve the
Internet Protocol (IP) address for a given domain. Java Socket based connections do not set HTTP
headers implicitly. Unless you write a Host header on the socket output stream, a default host may
respond, or the server may issue an error code.
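As an added example (not part of the original FAQ), a minimal request over a plain java.net.Socket that writes the Host header explicitly and reads back the server's status line; the host name, port and path are assumptions, and anything carrying credentials should use SSLSocket or HttpsURLConnection instead of a plain socket:

```java
// Added example: hand-written HTTP/1.1 request on a raw socket. Nothing is sent
// implicitly, so the Host header (mandatory in HTTP/1.1, and what selects the
// virtual host) has to be written by hand along with the blank line that ends
// the header block.
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.Writer;
import java.net.Socket;
import java.nio.charset.StandardCharsets;

public class HostHeaderClient {

    /** Builds the request text; Connection: close keeps the exchange to one response. */
    static String buildRequest(String host, String path) {
        return "GET " + path + " HTTP/1.1\r\n"
             + "Host: " + host + "\r\n"
             + "Connection: close\r\n"
             + "\r\n";                        // empty line terminates the headers
    }

    /** Sends the request and returns the status line, e.g. "HTTP/1.1 200 OK". */
    static String fetchStatusLine(String host, int port, String path) throws IOException {
        try (Socket socket = new Socket(host, port);
             Writer out = new OutputStreamWriter(socket.getOutputStream(), StandardCharsets.US_ASCII);
             BufferedReader in = new BufferedReader(
                     new InputStreamReader(socket.getInputStream(), StandardCharsets.ISO_8859_1))) {
            socket.setSoTimeout(10_000);       // never hang on a silent server
            out.write(buildRequest(host, path));
            out.flush();
            String statusLine = in.readLine();
            if (statusLine == null || !statusLine.startsWith("HTTP/")) {
                throw new IOException("no HTTP status line from " + host);
            }
            return statusLine;
        }
    }

    public static void main(String[] args) throws IOException {
        // Assumed host name; the same name goes into the TCP connection and the Host header.
        System.out.println(fetchStatusLine("www.mysite.example", 80, "/"));
    }
}
```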

Q: Explain the life cycle methods of a Servlet.


A: The javax.servlet.Servlet interface defines the three methods known as life-cycle methods:

public void init(ServletConfig config) throws ServletException
public void service(ServletRequest req, ServletResponse res) throws ServletException, IOException
public void destroy()

First the servlet is constructed, then initialized with the init() method.
Any request from a client is handled initially by the service() method before delegating to the
doXxx() methods in the case of HttpServlet.

The servlet is removed from service, destroyed with the destroy() method, then garbage collected
and finalized.
Q: What is the difference between the getRequestDispatcher(String path) method of the
javax.servlet.ServletRequest interface and that of the javax.servlet.ServletContext interface?

A: The getRequestDispatcher(String path) method of the javax.servlet.ServletRequest interface accepts
as its parameter the path to the resource to be included or forwarded to, which can be relative to the
request of the calling servlet. If the path begins with a "/" it is interpreted as relative to the current
context root.

The getRequestDispatcher(String path) method of the javax.servlet.ServletContext interface cannot
accept relative paths. All paths must start with a "/" and are interpreted as relative to the current context
root.

Q: Explain the directory structure of a web application.


A: The directory structure of a web application consists of two parts:

• A private directory called WEB-INF
• A public resource directory which contains the public resource folders

The WEB-INF folder consists of:

1. web.xml
2. classes directory
3. lib directory

Q: What are the common mechanisms used for session tracking?


A: The common mechanisms are:

• Cookies
• SSL sessions
• URL rewriting

Q: Explain ServletContext.
A: The ServletContext interface is a window for a servlet to view its environment. A servlet can use this
interface to get information such as initialization parameters for the web application or the servlet
container's version. Every web application has one and only one ServletContext, and it is accessible to
all active resources of that application.

Q: What is preinitialization of a servlet?


A: A container does not initialize the servlets as soon as it starts up; it initializes a servlet when it
receives a request for that servlet for the first time. This is called lazy loading. The servlet specification
defines the <load-on-startup> element, which can be specified in the deployment descriptor to
make the servlet container load and initialize the servlet as soon as it starts up. The process of
loading a servlet before any request comes in is called preloading or preinitializing a servlet.
[ Received from Amit Bhoir ]

Q: What is the difference between doGet() and doPost()?


A: A doGet() method is limited with 2k of data to be sent, and doPost() method doesn't have this
limitation. A request string for doGet() looks like the following:
http://www.allapplabs.com/svt1?p1=v1&p2=v2&...&pN=vN
doPost() method call doesn't need a long text tail after a servlet name in a request. All parameters
are stored in a request itself, not in a request string, and it's impossible to guess the data
transmitted to a servlet only looking at a request string.
[ Received from Amit Bhoir ]

Q: What is the difference between HttpServlet and GenericServlet?


A: A GenericServlet has a service() method aimed to handle requests. HttpServlet extends
GenericServlet and adds support for doGet(), doPost(), doHead() methods (HTTP 1.0) plus doPut(),
doOptions(), doDelete(), doTrace() methods (HTTP 1.1).
Both these classes are abstract.
Q. How do I call a servlet with parameters in the URL?

A. The usual format of a servlet parameter is a name=value pair that comes after a question-mark (?) at the
end of the URL. To access these parameters, call the getParameter() method on the
HttpServletRequest object, then write code to test the strings. For example, if your URL parameters
are "func=topic," where your URL appears as:

  http://www.myserver.com/myservlet?func=topic

then you could parse the parameter as follows, where "req" is the HttpServletRequest object:

  String func = req.getParameter("func");
  if (func.equalsIgnoreCase("topic")) {
    . . . do some work
  }
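As an added example (not part of the original FAQ), the "func" parameter from the URL above handled the way the earlier JSP answer recommends: nothing in the request is assumed to be present, so a missing parameter, a browser with cookies switched off, or a suppressed Referer header produces a fallback rather than a 500. The cookie, attribute and JSP names are assumptions:

```java
// Added example: defensive handling of request parameters, cookies and the
// Referer header. The original snippet calls func.equalsIgnoreCase(...) on the
// raw parameter, which throws NullPointerException (and so a 500) when ?func=
// is omitted; comparing the literal against the value avoids that.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class TopicServlet extends HttpServlet {

    /** Returns the parameter value, or dflt if it is absent or blank. */
    static String param(HttpServletRequest req, String name, String dflt) {
        String v = req.getParameter(name);      // null when the parameter is missing
        return (v == null || v.trim().isEmpty()) ? dflt : v.trim();
    }

    /** Looks up a cookie by name; null if the browser sent no cookies at all. */
    static String cookieValue(HttpServletRequest req, String name) {
        Cookie[] cookies = req.getCookies();    // null, not an empty array, when absent
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) {
                return c.getValue();
            }
        }
        return null;
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String func = param(req, "func", "home");
        String theme = cookieValue(req, "theme");
        if (theme == null) {
            theme = "default";                  // fall back rather than fail when cookies are off
        }
        // Referer is optional and entirely under the client's control: a hint at most,
        // never something access decisions rest on.
        String referer = req.getHeader("Referer");
        req.setAttribute("cameFromSite",
                referer != null && referer.startsWith("https://www.myserver.com/"));

        if ("topic".equalsIgnoreCase(func)) {
            req.setAttribute("theme", theme);
            req.getRequestDispatcher("/WEB-INF/jsp/topic.jsp").forward(req, resp);
        } else if ("home".equalsIgnoreCase(func)) {
            req.getRequestDispatcher("/WEB-INF/jsp/home.jsp").forward(req, resp);
        } else {
            // An unknown value is a client error, not a server fault.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "unknown func");
        }
    }
}
```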

Q. How can I run multiple instances of the same servlet class in the same WebLogic Server instance?
A. If you want to run multiple instances, your servlet will have to implement the SingleThreadModel 
interface. An instance of a class that implements the SingleThreadModel interface is guaranteed not to
be invoked by multiple threads simultaneously. Multiple instances of a SingleThreadModel interface
are used to service simultaneous requests, each running in a single thread.
When designing your servlet, consider how you use shared resources outside of the servlet class such as file
and database access. Because there are multiple instances of servlets that are identical, and may use exactly
the same resources, there are still synchronization and sharing issues that must be resolved, even if you do
implement the SingleThreadModel interface.
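As an added example (not part of the original FAQ) for both the hit-counter remark in the "Are servlets multi-threaded?" answer and the shared-resource caveat above: a static counter that every request thread updates, shown once as a plain field that can lose updates and once with AtomicInteger, plus a stand-alone main that reproduces the race without a container. The class name and path are assumptions:

```java
// Added example: a hit counter shared by all request threads of one servlet.
// SingleThreadModel does not help here, since every instance still shares the
// static field; the fix is an atomic (or synchronized) update.
import java.io.IOException;
import java.io.PrintWriter;
import java.util.concurrent.atomic.AtomicInteger;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class HitCounterServlet extends HttpServlet {

    // Racy: "hits++" is a read, an add and a write; two threads can interleave
    // between them and one increment is lost. Kept only to contrast with below.
    private static int unsafeHits = 0;

    // Thread-safe: the increment is a single atomic operation.
    private static final AtomicInteger hits = new AtomicInteger();

    // Per-request state belongs in local variables, never in instance or static
    // fields, because one servlet instance serves many threads at the same time.
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        unsafeHits++;                          // may undercount under load
        int n = hits.incrementAndGet();        // exact
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("This page has been served " + n + " times");
    }

    static int currentHits() {
        return hits.get();
    }

    /** Stand-alone demonstration: 8 threads, 10 000 increments each. */
    public static void main(String[] args) throws InterruptedException {
        Thread[] workers = new Thread[8];
        for (int i = 0; i < workers.length; i++) {
            workers[i] = new Thread(() -> {
                for (int j = 0; j < 10_000; j++) {
                    unsafeHits++;
                    hits.incrementAndGet();
                }
            });
            workers[i].start();
        }
        for (Thread t : workers) {
            t.join();
        }
        System.out.println("unsafe counter: " + unsafeHits + " (often below 80000)");
        System.out.println("atomic counter: " + currentHits() + " (always 80000)");
    }
}
```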

Q. How do I deserialize an httpsession?


A. To deserialize an HttpSession, construct a utility class that uses the current thread's context classloader to
load the user defined objects within the application context. Then add this utility class to the system
CLASSPATH.

Q. What is the difference between the Compatibility realm and myrealm? Under what
circumstances should I use each of these realms?

A. If you have a 6.x config.xml file and you boot WebLogic Server, the following realms are
created:

• Compatibility realm—Allows you to use an existing 6.x security configuration as is in the
management environment provided in this release of WebLogic Server. The Realm
Adapter providers allow access to existing stores of users, groups, and access control
lists (ACLs).
• myrealm—Is the default security realm in this release of WebLogic Server. By default, the
WebLogic Security providers are configured in myrealm.

For more information, see Managing WebLogic Security.

Q. What are the default groups users and everyone used for?
A. The users and everyone groups are convenience groups that allow you to apply global
roles and security policies. All WebLogic Server users are members of the everyone group.
Only WebLogic Server users who are not the <anonymous> user are members of the users group.

For more information, see Managing WebLogic Security.

Q. Is there still a guest user?

A. The guest user is no longer supported by default in this release of WebLogic Server. In
WebLogic Server 6.x, guest was both the name of a user and the name for anonymous logins.
The new user name for an anonymous user is <anonymous>. You can change this username by
booting WebLogic Server with the following command line argument:

-Dweblogic.security.anonymousUserName=newAnonymousUserName

This argument allows you to make the name of the anonymous user guest for the purpose of
backward compatibility.

If you want to have a guest user in this release of WebLogic Server, create a user with the name
guest in the Authentication provider in the default security realm and give the user the
password of guest. If your code depends on the guest user, you should consider rewriting it
to use the utility methods in weblogic.security.WLSPrincipals.

Q. I want to provide additional fields in my Web application for form-based authentication. What
application programming interfaces (APIs) should I use?

A. The CallbackHandler implementation in the WebLogic Authentication provider supports only
stringified versions of a username and password when using form-based authentication.

If a Web application requires more authentication information, use the
javax.security.auth.TextInputCallback interface of the JAAS Callback
application programming interface (API) in the code for your LoginModule. The implementation
of the javax.security.auth.TextInputCallback interface needs to use the name of
the authentication field as the prompt to the method constructor. For example:

Callback[] callbacks = new Callback[1];
callbacks[0] = new TextInputCallback("TextField");

try {
  callbackHandler.handle(callbacks);
  textField1 = ((TextInputCallback) callbacks[0]).getText();
} catch (java.io.IOException ioe) {
  throw new LoginException(ioe.toString());
} catch (UnsupportedCallbackException uce) {
  throw new LoginException("Error: " + uce.getCallback().toString()
      + " not available to garner authentication information from the user");
}
// textField1 is now set from the matching form field

When the ServletCallbackHandler gets a TextInputCallback, the callback looks
for a field matching the prompt of the TextInputCallback. If there is a match, the callback
handler sets the value in the callback. If no match is found, an UnsupportedCallbackException
is raised.

Q. I am using the 6.x security realm APIs in my application. How do I upgrade this functionality
to the security APIs in this release of WebLogic Server?

Specifically, I am using the security.getRealm() method and then the getGroup(),
getGroups(), and getUser() methods on the returned realm.

A. You can use your 6.x application as is in the WebLogic Server environment by using
Compatibility security.

The management of WebLogic Server changed in 6.x away from direct calls on the realm to the
use of MBeans. This change was the first step in creating a unified administration model for
WebLogic Server. While the Security MBeans introduced in 6.x mirrored the capabilities defined
for the realm, they were not flexible enough to allow security vendors to integrate their products
with WebLogic Server. This release of WebLogic Server provides a set of Security Service
Provider Interfaces (SSPI) and Security SPI MBeans that allow you to write custom security
products for WebLogic Server. These MBeans can also be used to replicate functionality in an
existing application so that the application can be used in the WebLogic Server environment.

If you choose to upgrade your realm, you will need to write an implementation of the MBeans
found in the weblogic.management.security package. These MBeans allow you to
implement management methods that are specific to your 6.x realm. For a description of using
the MBeans in the weblogic.management.security package, see Developing Security
Providers for WebLogic Server.

The following are some hints that may help you upgrade applications based on security realms to
the security architecture available in this release of WebLogic Server:

• If you are using the security realm to authenticate users, instead use the JAAS API to
authenticate users.
• Table 19-1 lists the mappings between the interfaces in the 6.x version of the
weblogic.security.acl package and the interfaces in the
weblogic.management.security.authentication package.

Note: The weblogic.security.acl package is deprecated in this release of WebLogic
Server.

Table 19-1 Interface Mapping

Methods in the 6.x                Corresponding Method in the
weblogic.security.acl package     weblogic.management.security.authentication package
------------------------------    ----------------------------------------------------
newUser()                         UserEditor.createUser()
deleteUser()                      UserRemover.removeUser()
newGroup()                        GroupEditor.createGroup()
deleteGroup()                     GroupRemover.removeGroup()
Group.addMember()                 GroupEditor.addMemberToGroup()
Group.removeMember()              GroupEditor.removeMemberFromGroup()
Group.isMember()                  GroupMemberLister.listGroupMembers() or
                                  SubjectUtils.isUserInGroup()
Group.members()                   GroupMemberLister.listGroupMembers()
userExists()                      UserReader.isUser()
isGroupMember()                   GroupReader.groupExists(),
                                  GroupReader.isMember()

Q. Does WebLogic Server support Diffie-Hellman or DSS/DSA digital certificates?

A. No. The exportable version of WebLogic supports only 512 bit RSA with 40 bit RC4.
Additionally, Web browsers do not support these types of certificates, and there are no
commercial issuers for DSA certificates.

Q. Can a Weblogic Server deployment have one RSA and one non-RSA certificate?

A. No.

Q. Must we pay RSA licensing costs for non-RSA client code?

A. WebLogic Server has licensed RSA for SSL communications between WebLogic Server and
WebLogic clients. When using WebLogic Server, no extra licensing for RSA is necessary,
although different rules apply to VARs.

Q. How do I use Netscape security certificates with WebLogic Server?

A. Netscape stores the private and public keys together in a key-pair file which prevents you
from separating the public and private keys. Therefore, you must generate another request for a
certificate, not using Netscape utilities.

Q. How do I restrict access to servlets and JSPs?


A. The Java Servlet API Specification v2.3 allows you to declaratively restrict access to specific
Servlets and JSPs using the Web Application deployment descriptor. Section 13.3.2 of the
specification has an example deployment descriptor that uses declarative security. For more
information, see Programming WebLogic HTTP Servlets. You can also specify roles for EJBs
and Web applications through the Administration Console. For more information, see Securing
WebLogic Resources.

Q. Can I use RSA encryption algorithms and javax.crypto.* API to build applications?

A. No. WebLogic's RSA license does not permit end-users to use RSA classes directly. You must
obtain your own license for the encryption libraries from RSA.

Q. Can I use a JNDI Initial Context to pass the security credentials of a WebLogic Server user?

A. The ability to use JNDI to pass security credentials was deprecated in 6.1 of WebLogic Server.
You can still use this method in this release WebLogic Server. However, BEA recommends using
the Java Authentication and Authorization Service (JAAS) runAs() method rather than JNDI to
associate a user with a security context. For more information, see Programming WebLogic
Security.

Q. Are WebLogic Server passwords secure?

A. The config.xml file no longer has clear text passwords. In place of clear text passwords,
the config.xml file has encrypted passwords. You cannot copy encrypted passwords from
one domain to another. Instead, you can edit the config.xml file and replace the existing
encrypted passwords with clear text passwords and then copy the file to the new domain. The
Administration Console will encrypt the passwords the next time it writes to the file.

Q. Why do I get a certificate configuration error when I start the my Weblogic Server?

For example: <Alert> <WebLogicServer> <Security> configuration problem with certificate file

A. It is possible that you did not specify a WL_HOME relative file name in your SSL configuration
files.

For more information, see Managing WebLogic Security.

Q. Why can't I establish an outbound SSL connection when using the demonstration certificates?

A. When establishing an SSL connection, the subject DN of the digital certificate must match the
host name of the server initiating the SSL connection. Otherwise, the SSL connection is dropped.
If you use the demonstration certificates, the host names will not match. To avoid this situation,
use the following command-line argument when starting WebLogic Server:

-Dweblogic.security.SSL.ignoreHostnameVerification=true

This argument disables the Hostname Verifier which compares the subject DNs and host names.
This solution is recommended in development environments only. A more secure solution is to
obtain a new digital certificate for the server making outbound SSL connections.

Q. Why do I get a configuration error when establishing an SSL connection to WebLogic Server?

For example: <WebLogic Server> <SSLListenThread listening on port 8802> Failed to connect to t3s://localhost:8802.

A problem with the configuration of the SSL protocol will also raise the following exception:

<java.io.IOException: Write Channel Closed, possible handshaking or trust failure>

A. By default, WebLogic Server contains a Hostname Verifier that compares the subject DNs of
digital certificates and host names. When establishing an SSL connection, the subject DN of the
digital certificate must match the host name of the server initiating the SSL connection. If you
use the demonstration certificates the host names will not match. To avoid this situation, use the
following command-line argument when starting WebLogic Server:

-Dweblogic.security.SSL.ignoreHostnameVerification=true

This argument disables the Hostname Verifier. This solution is recommended in development
environments only. A more secure solution is to obtain a new digital certificate for your
WebLogic client.

In this release of WebLogic Server, WebLogic clients perform a trusted certificate authority
check on the digital certificate for WebLogic Server. The client may reject the digital certificate
of WebLogic Server if the certificate was not issued by a certificate authority trusted by the
client. Previous versions of WebLogic Server did not perform this check.

Q. Why does my servlet return a no certificate message?

A. Unless WebLogic Server is configured to ask a client for its digital certificate during the SSL
handshake (referred to as Two-Way SSL), WebLogic Server will not have the digital certificate.
You get this error when a WebLogic servlet or JSP tries to perform peer validation on the client.
Set the Client Certificate Enforced attribute when configuring SSL to require WebLogic Server to
request client certificates.

Q. Why doesn't my Custom security provider show up (that is, it doesn't appear as a
Configure a new Security_Provider_Type link) in the Administration Console?

A. Check to make sure the system administrator put the MBean JAR file (MJF) in the
lib/mbeantype directory.

Q. Why do I get a 401 Unauthorized User error when using CLIENT-CERT in the login-config
of my web application?

A. To use a login-config of CLIENT_CERT, ensure the following:

1. Two-way SSL is configured on the server with the Client Enforced option set.
2. The web application is accessed via https.
3. A user corresponding to the CN attribute of the digital certificate for the web application
is defined as a user in the default security realm, and the security realm has an
Identity Assertion provider configured.

CLIENT_CERT also applies when perimeter authentication is used (meaning digital certificates
are coming in via http headers or cookies). In this case, two-way SSL and https are not required.

Q. Why can't I use keytool to import a digital certificate into the identity keystore?

A. When using the keytool utility to create a Certificate Signing Request (CSR), a self-signed
digital certificate is placed in the identity keystore. On occasion, a problem will occur when
using the keytool commands to replace the self-signed digital certificate in the keystore with a
signed digital certificate received from a trusted CA. Use the keytool utility to import the trusted
CA certificate into the keystore before importing the signed digital certificate into the keystore.
The steps are as follows:

1. Obtain the trusted CA certificate.

2. Use the der2pem utility to convert the trusted CA certificate to a PEM file.

3. Use the keytool utility to create an identity keystore. For example:

   keytool -genkey -alias subjectkey -keypass keypassword -keystore nameofkeystore -storepass keystorepassphrase

4. Use the keytool certreq command to create a CSR and submit the CSR to a certificate
authority. For example:

   keytool -certreq -alias subjectkey -keypass keypassword -keystore nameofkeystore -storepass keystorepassphrase -file mycertificate.cer

5. Use the keytool import command to import the PEM file for the trusted CA into the
keystore.

6. Use the keytool import command with the -trustcacerts option to import the
signed digital certificate from the certificate authority into the keystore.

Q. Can I programmatically add users and groups to the WebLogic Authentication provider?

A. Use the createUser() and createGroup() interfaces in the
weblogic.management.security.authentication class.

Q. When using the WebLogic Credential Mapping provider, how do you create mappings for
anonymous or unauthenticated users?

A. When using the Resource container, special usernames are established for different cases. A
mapping called wls_ra_anonymous is used when there is no authenticated WebLogic user
(meaning, the Subject has no users or is null). The Resource container also defines special
mappings for mappings created during a Resource Adapter's pool startup (wls_ra_initial)
and for when no other configured mapping applies to the given Subject (wls_ra_default).

Q. How do I configure multiple Authentication providers to work together in a security realm?

A. The Login Modules for all the different types of supported Authentication providers conform
to the JAAS specification. If there are two Authentication providers configured in a security
realm and you want valid users from either provider to log in to the system, set the JAAS
Control Flag on each Authentication provider to REQUISITE.

Q. Can an application use Java security?

A. Yes. An application can use Java security as well as JAAS authorization within itself. The
application can use checkPermission() and all the other Java security calls. The only
caveat is that there is no guarantee of your identity or code base when the application is being
called from the server. At all entry points, your identity and code base must be re-established
using AccessController.doPrivileged() or Subject.doAs().
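The following is an added illustration of that re-establishment pattern, not code from the FAQ or from WebLogic itself: a hypothetical server-side entry point runs the operation as the caller's Subject and then asserts its own code base with doPrivileged before a checkPermission()-guarded property read. The class and method names are assumptions.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.PropertyPermission;
import javax.security.auth.Subject;

// Hypothetical entry point: the container calls readConfigValue() with whatever Subject
// it authenticated (possibly null), and the method re-establishes both the caller's
// identity and this code's own code base before a permission-checked read.
public class EntryPoint {

    public String readConfigValue(Subject caller, final String key) {
        if (caller == null) {
            caller = new Subject();  // anonymous caller: an empty Subject, never null
        }
        // 1. Subject.doAs(): Subject-based permission checks now see the caller's principals.
        return Subject.doAs(caller, new PrivilegedAction<String>() {
            public String run() {
                // 2. AccessController.doPrivileged(): the check below is evaluated against
                //    this class's own protection domain instead of every frame on the call
                //    stack, which is the "no guarantee of your code base" caveat above.
                return AccessController.doPrivileged(new PrivilegedAction<String>() {
                    public String run() {
                        AccessController.checkPermission(new PropertyPermission(key, "read"));
                        return System.getProperty(key);
                    }
                });
            }
        });
    }
}
```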

Q. When using Java security, how do I change the default permissions for an application?

A. In the Java security policy file, there are three "fake" codebases, one for each of the three
component types:

"file:/weblogic/application/defaults/EJB" for EJBs

"file:/weblogic/application/defaults/Web" for Web applications

"file:/weblogic/application/defaults/Connector" for Connector applications

These codebases contain the defaults for these types of applications. When evaluating these
defaults, the string "WEBLOGIC-APPLICATION-ROOT" will be expanded to the top-level
directory where the application was deployed.
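As an added policy-file fragment (constructed for this page, not WebLogic's shipped weblogic.policy), here is a grant block for the Web application codebase named above, with an over-broad setting shown commented out beside a narrower one that confines file access to the deployed application's own directory via WEBLOGIC-APPLICATION-ROOT. The specific permissions listed are illustrative assumptions.

```text
// Weak setting: every Web application gets every permission.
// grant codeBase "file:/weblogic/application/defaults/Web" {
//     permission java.security.AllPermission;
// };

// Narrower setting: read-only access under the application's deployment directory
// (WEBLOGIC-APPLICATION-ROOT is expanded by the server; ${/} is the file separator),
// plus the few runtime permissions the application is known to need.
grant codeBase "file:/weblogic/application/defaults/Web" {
    permission java.io.FilePermission "WEBLOGIC-APPLICATION-ROOT${/}-", "read";
    permission java.util.PropertyPermission "java.version", "read";
    permission java.net.SocketPermission "*", "connect,resolve";
};
```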

Q. How do I protect access to the embedded LDAP server?

A. The acls.prop file (located in WLHOME/server/lib/acls.prop) controls access to
the embedded LDAP server. You can modify the acls.prop file to control access to the LDAP
server. For more information, see Managing the Embedded LDAP Server.

Q. Does the embedded LDAP server support SSL?

A. Yes. Use the SSL listen port (7002). The WebLogic Server muxer is actually performing all
the SSL work so there should be no additional configuration required when using SSL to talk to
the embedded LDAP server.

Q. What is the password for the LDAP Admin Account?

A. The password is specified in the Credential field of the EmbeddedLDAP MBean. The
password is generated on the first boot of the server and written to the config.xml file. The LDAP
Admin account DN is cn=Admin. Use the WebLogic Server Administration Console to change
the password for the LDAP Admin account. For more information, see Configuring the
Embedded LDAP Server.