Beruflich Dokumente
Kultur Dokumente
A: Possibly, but compiling a package wouldn't normally cause a 500 error directly. If you attempted
to compile a servlet or a utility class on the host machine and the classpath environment setting
was not configured properly, the classes would just fail to compile.
If you compile a single servlet class that has dependencies on other classes in the package, the Java
compiler will attempt to compile the relevant source code for the supporting classes, if present. If the
required source is not present, your servlet will not compile and javac will report the missing
classes.
If you had compiled the servlet class on a development machine and simply uploaded to a host that
was not configured in the same way, didn't have the necessary supporting classes, or had different
versions of them, this may cause a 500 internal server error. However, the range of possibilities is too
broad to guess, so review each of your class dependencies in turn.
A controlled, scripted build and deployment process using tools such as Apache Ant will help
standardise your working environment and minimise unplanned changes.
• A document referrer
• A particular cookie or cookie value
• Specific Javascript features
Several Web browsers have the option to switch off the HTTP referer (sic) header for privacy
reasons, and users may also choose to switch off cookies and Javascript. If your page relies upon any
values that are expected to be passed from client to server by these means, or upon dynamically
generated URLs on the client side, your JSP may fail.
There is practically no way to persuade users to change their browser configuration, so you should
design your application so that it does not rely on these features, or has fallback versions that work
around these limitations.
If a servlet relies upon system or network resources that may not be available for unexpected
reasons, you can use a RequestDispatcher to forward the request to an error page.
request.getRequestDispatcher(/err/SQL.jsp);
try {
// SQL operation
dispatcher.forward(request, response);
With Apache Tomcat, you can add elements to the web.xml configuration file to specify custom
responses to generic exceptions, e.g.
<error-page>
<exception-type>
java.lang.RuntimeException
</exception-type>
<location>
/err/RuntimeException.jsp
</location>
</error-page>
"c:\\website\\xsl\\"
+ stylesheet + ".xsl");
These requirements create obvious compatibility issues when working between a Windows
development environment and Unix based production host. Recent JDK versions for Windows
translate paths with forward slash separators, but you can use the system os.name property to work
with completely different directory structures:
String os = System.getProperty("os.name");
if(os.equals("Windows 95")){
csspath = "c:\\codestyle\\Web\\styles\\";
}
home = config.getInitParameter("home");
separator = System.getProperty("file.separator");
Configuration parameters are specified externally to the servlet class and incorporated at run time.
The technique for setting these parameters varies according to the servlet processor, so check your
documentation. Once these parameters are set, file paths can be constructed by abstract reference:
separator +
"xsl" +
separator +
stylesheet +
".xsl";
<script
type="text/javascript"
src="/scripts/example.js">
</script>
If some Javascript must be included inline, you should move most of the functional code to an
external file and simplify your function calls to minimise the amount of quoted text.
You should also validate the HTML output of your servlet, to make sure it is properly structured.
Java questions
Q: Why isn't my custom Calendar class called?
A: If you have a broad import statement like import java.util.*;, the Java Virtual Machine
will adopt the standard distribution version of any named class, such as java.util.Calendar.
You should limit the scope of your import statements and use the fully qualified name of the custom
Calendar class.
import java.util.Date;
import example.custom.Calendar;
The path to any custom class or package must also be on the classpath applicable to your servlet
container and Java compiler at run time. The servlet container will not necessarily "see" any custom
class just because it is in the servlets directory.
One important thing to understand about the run method is that it is only called once when the
Thread object's start method is called. There is nothing inherently cyclic about Runnable
classes or the Thread context; the run method will return immediately unless you set up a loop to
keep it running.
When creating loops in threaded applications, it is important to allow time for other threads to run,
which can be done using the static Thread.sleep(int) method.
String line;
while((line = br.readLine())!=null){
sb.append(line);
separator);
Once you have the tokens, create an array of a specific size using the countTokens() method,
then assign the items by enumerating the tokens.
int i = 0;
while (tokens.hasMoreTokens()){
listArray[i] = tokens.nextToken();
i++;
Once you have confirmed the SAX package is referenced correctly, you will have greater confidence
in tracing your general classpath configuration problem. Explicitly declaring the classpath to the
compiler has the advantage of absolute clarity, but it is best configured as a batch file, editor task or
Ant configuration.
/**
* use preferredMethod().
*/
// Example
Deprecated classes or methods are marked in this way to discourage their use in favour of a new
implementation that may be more efficient, secure or better integrated with the API at large.
Most deprecated API components remain fully functional so that applications built with earlier
versions remain compatible. To find out which components are deprecated and how to upgrade,
compile your application classes with the -deprecation argument:
The compiler will refer you to the relevant classes' JavaDoc page, where you should find guidance
on the recommended alternative.
For a stand alone application, you would have to identify all the "roots" of the file system (e.g.
Windows drive letters) and recursively check every directory and file in them. Start with
File.listRoots() and examine each entry in the File[] array in turn. For a large file system
this could take a long time and may encounter many SecurityExceptions along the way.
If there is more than one Explorer.exe, you will have to work out which one to use. Generally, it
may be easier to use a java.awt.FileDialog or javax.swing.JFileChooser and ask
the user to select the file.
The basic forName method uses a fully qualified class name to locate, load and initialise a Class
object using the current classloader. There should only be one Class object for each class loaded by
the Java Virtual Machine, so this method also ensures that only one instance is created.
When you use this method to load a JDBC database driver, the driver should call the static
DriverManager.registerDriver method to make itself known. Provided the driver class is
loaded before you call DriverManager.getConnection, the manager will find the relevant
driver by matching the URL argument against the scheme of each registered driver.
All database drivers will have a URL scheme that has the pattern
jdbc:subprotocol:subname, and their boolean acceptsURL method confirms whether
they can handle a given URL. So another important aspect of flexible database connectivity code is
to construct database URLs without hard coding a specific scheme.
You can configure the name of your preferred driver class in your system properties, as an
initialisation parameter of a Web application or as a command line option to the Java interpreter.
Host: www.mysite.example
This header tells the Web server which virtual host you require. This may appear redundant if you
specify the domain name in the URL, but Domain Name Services (DNS) will only resolve the
Internet Protocol (IP) address for a given domain. Java Socket based connections do not set HTTP
headers implicitly. Unless you write a Host header on the socket output stream, a default host may
respond, or the server may issue an error code.
The servlet is removed from service, destroyed with the destroy() methid, then garbaged collected
and finalized.
TOP
Q: What is the difference between the getRequestDispatcher(String path) method of
javax.servlet.ServletRequest interface and javax.servlet.ServletContext interface?
A: The getRequestDispatcher(String path) method of javax.servlet.ServletRequest interface accepts
parameter the path to the resource to be included or forwarded to, which can be relative to the
request of the calling servlet. If the path begins with a "/" it is interpreted as relative to the current
context root.
Q: Explain ServletContext.
A: ServletContext interface is a window for a servlet to view it's environment. A servlet can use this
interface to get information such as initialization parameters for the web applicationor servlet
container's version. Every web application has one and only one ServletContext and is accessible to
all active resource of that application.
TOP
A. The usual format of a servlet parameter is a name=value pair that comes after a question-mark (?) at the
end of the URL. To access these parameters, call the getParameter() method on the
HttpServletRequest object, then write code to test the strings. For example, if your URL parameters
are "func=topic," where your URL appears as:
http://www.myserver.com/myservlet?func=topic
then you could parse the parameter as follows, where "req" is the HttpServletRequest object:
String func = req.getParameter("func");
if (func.equalsIgnoreCase("topic")) {
. . . do some work
}
Q. How can I run multiple instances of the same servlet class in the same WebLogic Server instance?
A. If you want to run multiple instances, your servlet will have to implement the SingleThreadModel
interface. An instance of a class that implements the SingleThreadModel interface is guaranteed not to
be invoked by multiple threads simultaneously. Multiple instances of a SingleThreadModel interface
are used to service simultaneous requests, each running in a single thread.
When designing your servlet, consider how you use shared resources outside of the servlet class such as file
and database access. Because there are multiple instances of servlets that are identical, and may use exactly
the same resources, there are still synchronization and sharing issues that must be resolved, even if you do
implement the SingleThreadModel interface.
Q. What is the difference between the Compatibility realm and myrealm? Under what
circumstances should I use each of these realms?
A. If you have a 6.x config.xml file and you boot WebLogic Server, the following realms are
created:
Q. What are the default groups users and everyone used for?
A. The users and everyone groups are convenience groups that allow you to apply global
roles and security policies. All WebLogic Server users are members of the everyone group.
Only WebLogic Servers who are not the <anonymous> user are members of the users group.
A. The guest user is no longer supported by default in this release of WebLogic Server. In
WebLogic Server 6.x, guest was both the name of a user and the name for anonymous logins.
The new user name for an anonymous user is <anonymous>. You can change this username by
booting WebLogic Server with the following command line argument:
Dweblogic.security.anonymousUserName=newAnonymousUserName
This argument allows you to make the name of the anonymous user guest for the purpose of
backward compatibility.
If you want to have a guest user in this release of WebLogic Server, create a user with the name
guest in the Authentication provider in the default security realm and give the user the
password of guest. If your code depends on the guest user, you should consider rewriting it
to use the utility methods in weblogic.security.WLSPrincipals.
Q. I want to provide additional fields in my Web application for form-based authentication. What
application programming interfaces (APIs) should I use?
Callback[] callbacks=new Callback[1];
callbacks[1]=new TextInputCallback("TextField");
try{
callbackHandler.handle(callbacks)
textField1=((TextInputCallback)callbacks[2].getText
} catch (java.io.IOException ioe) {
throw new LoginException(ioe.toString());
}catch (UnsupportedCallbackException uce) {
throw new LoginException
("Error:"+uce.getCallback().toString() +
"not available to garner authentication information"
+
"from the user");
}
//"textField1 is not set correctly
Q. I am using the 6.x security realm APIs in my application. How do I upgrade this functionality
to the security APIs in this release of WebLogic Server?
A. You can use your 6.x application as is in the WebLogic Server environment by using
Compatibility security.
The management of WebLogic Server changed in 6.x away from direct calls on the realm to the
use of MBeans. This change was the first step in creating a unified administration model for
WebLogic Server. While the Security MBeans introduced in 6.x mirrored the capabilities defined
for the realm, they were not flexible enough to allow security vendors to integrate their products
with WebLogic Server. This release of WebLogic Server provides a set of Security Service
Provider Interfaces (SSPI) and Security SPI MBeans that allow you to write custom security
products for WebLogic Server. These MBeans can also be used to replicate functionality in an
existing application so that the application can be used in the WebLogic Server environment.
If you choose to upgrade your realm, you will need to write an implementation of the MBeans
found in the weblogic.management.security package. These MBeans allow you to
implement management methods that are specific to your 6.x realm. For a description of using
the MBeans in the weblogic.management.security package, see Developing Security
Providers for WebLogic Server.
The following are some hints that may help you upgrade applications based on security realms to
the security architecture available in this release of WebLogic Server:
If you are using the security realm to authenticate users, instead use the JAAS API to
authenticate users.
Table 19-1 lists the mappings between the interfaces in the 6.x of the
weblogic.security.acl package to the interfaces in the
weblogic.managment.security.authentication package.
Note: The weblogic.security.acl package is deprecated in this release of WebLogic
Server.
deleteUser() UserRemover.removeUser()
newGroup() GroupEditor.createGroup()
deleteGroup() GroupRemover.removeGroup()
Group.addMember() GroupEditor.addMemberToGroup
Group.removeMember() GroupEditor.removeMemberFromGroup()
Group.isMember() GroupMemberLister.listGroupMembers() or
SubjectUtils.isUserInGroup()
Group.members() GroupMemberList.listGroupMembers()
userExists() UserReader.isUser()
isGroupMember() GroupReader.groupExists(),
GroupReader.isMember()
A. No. The exportable version of WebLogic supports only 512 bit RSA with 40 bit RC4.
Additionally, Web browsers do not support these types of certificates, and there are no
commercial issuers for DSA certificates.
Q. Can a Weblogic Server deployment have one RSA and one non-RSA certificate?
A. No.
A. WebLogic Server has licensed RSA for SSL communications between WebLogic Server and
WebLogic clients. When using WebLogic Server, no extra licensing for RSA is necessary,
although different rules apply to VARs.
A. Netscape stores the private and public keys together in a key-pair file which prevents you
from separating the public and private keys. Therefore, you must generate another request for a
certificate, not using Netscape utilities.
Q. Can I use RSA encryption algorithms and javax.crypto.* API to build applications?
A. No. WebLogic's RSA license does not permit end-users to use RSA classes directly. You must
obtain your own license for the encryption libraries from RSA.
Q. Can I use a JNDI Initial Context to pass the security credentials of a WebLogic Server user?
A. The ability to use JNDI to pass security credentials was deprecated in 6.1 of WebLogic Server.
You can still use this method in this release WebLogic Server. However, BEA recommends using
the Java Authentication and Authorization Service (JAAS) runAs() method rather than JNDI to
associate a user with a security context. For more information, see Programming WebLogic
Security.
A. The config.xml file no longer has clear text passwords. In place of clear text passwords,
the config.xml file has encrypted passwords. You cannot copy encrypted passwords from
one domain to another. Instead, you can edit the config.xml file and replace the existing
encrypted passwords with clear text passwords and then copy the file to the new domain. The
Administration Console will encrypt the passwords the next time it writes to the file.
Q. Why do I get a certificate configuration error when I start the my Weblogic Server?
A. It is possible that you did not specify a WL_HOME relative file name in your SSL configuration
files.
Q. Why can't I establish an outbound SSL connection when using the demonstration certificates?
A. When establishing an SSL connection, the subject DN of the digital certificate must match the
host name of the server initiating the SSL connection. Otherwise, the SSL connection is dropped.
If you use the demonstration certificates, the host names will not match. To avoid this situation,
use the following command-line argument when starting WebLogic Server:
Dweblogic.security.SSL.ignoreHostnameVerification=true
This argument disables the Hostname Verifier which compares the subject DNs and host names.
This solution is recommended in development environments only. A more secure solution is to
obtain a new digital certificate for the server making outbound SSL connections.
Q. Why do I get a configuration error when establishing an SSL connection to WebLogic Server?
A problem with the configuration of the SSL protocol will also raise the following exception:
A. By default, WebLogic Server contains a Hostname Verifier that compares the subject DNs of
digital certificates and host names. When establishing an SSL connection, the subject DN of the
digital certificate must match the host name of the server initiating the SSL connection. If you
use the demonstration certificates the host names will not match. To avoid this situation, use the
following command-line argument when starting WebLogic Server:
-Dweblogic.security.SSL.ignoreHostnameVerification=true
This argument disables the Hostname Verifier. This solution is recommended in development
environments only. A more secure solution is to obtain a new digital certificate for your
WebLogic client.
In this release of WebLogic Server, WebLogic clients perform a trusted certificate authority
check on the digital certificate for WebLogic Server. The client may reject the digital certificate
of WebLogic Server if the certificate was not issued by a certificate authority trusted by the
client. Previous versions of WebLogic Server did not perform this check.
A. Unless WebLogic Server is configured to ask a client for its digital certificate during the SSL
handshake (referred to as Two-Way SSL), WebLogic Server will not have the digital certificate.
You get this error when a WebLogic servlet or JSP tries to perform peer validation on the client.
Set the Client Certificate Enforced attribute when configuring SSL to requireWebLogic Server to
request client certificates.
Q. Why doesn't my Custom security provider show up (that is, it doesn't appear as a
Configure a new Security_Provider_Type link) in the Administration Console?
A. Check to make sure the system administrator put the MBean JAR file (MJF) in the
lib/mbeantype directory.
Q. Why do I get a 401 Unauthorized User error when using CLIENT-CERT in the login-config
of my web application?
Q. Why can't I use keytool to import a digital certificate into the identity keystore?
A. When using the keytool utility to create a Certificate Signing Request (CSR), a self-signed
digital certificate is placed in the identity keystore. On occasion, a problem will occur when
using the keytool commands to replace the self-signed digital certificate in the keystore with a
signed digital certificate received from a trusted CA. Use the keytool utility to import the trusted
CA certificate into the keystore before importing the signed digital certificate into the keystore.
The steps are as follows:
2. Use the der2pem utility to convert the trusted CA certificate to a PEM file.
3. Use the keytool utility to create an identity keystore. For example:
keytool certreq alias subjectkey keypass keypassword
keystore nameofkeystore storepass keystorepassphrase file
mycertificate.cer
5. Use the keytool import command to import the PEM file for the trusted CA into the
keystore.
6. Use the keytool import command with the -trustcacerts option to import the
signed digital certificate from the certificate authority into the keystore.
Q. Can I programmatically add users and groups to the WebLogic Authentication provider?
Q. When using the WebLogic Credential Mapping provider, how do you create mappings for
anonymous or unauthenticated users?
A. When using the Resource container, special usernames are established for different cases. A
mapping called wls_ra_anonymous is used when there is not authenticated WebLogic user
(meaning, the Subject has no users or is null). The Resource container also defines special
mappings for mappings created during a Resource Adapter's pool startup (wls_ra_initial)
and when no other configured mapping applies to the given Subject (wls_ra_default).
A. Yes. An application can use Java security as well as JAAS authorization within itself. The
application can use checkPermission() and all the other Java security calls. The only
caveat is there is no guarantee of your identity or code base when the application is being called
from the server. At all entry points, your identity and code base must be re-established using
AccessController.doPrivileged() or Subject.DoAs().
Q. When using Java security, how do I change the default permissions for an application?
A. In the Java security policy file, there are three "fake" codebases for each of the three
component types:
These codebases contain the defaults for these types of applications. When evaluating these
defaults, the string "WEBLOGICAPPLICATIONROOT" will be expanded to the top-level
directory when the application was deployed.
A. Yes. Use the SSL listen port (7002). The WebLogic Server muxer is actually performing all
the SSL work so there should be no additional configuration required when using SSL to talk to
the embedded LDAP server.
A. The password is specified in the Credential field of the EmbeddedLDAP MBean. The
password is generated on the first boot of the server and written to the config.xml file. The LDAP
Admin account DN is cn=Admin. Use the WebLogic Server Administration Console to change
the password for the LDAP Admin account. For more information, see Configuring the
Embedded LDAP Server.
A.