Archive for the ‘Integryst’ Category

Application Server Sessions

Saturday, September 15th, 2012

WebCenter Interaction 10gR3 included these lines in the release notes:

Security and SSO
• Session fixation vulnerability. (Issue #7824904)

But what does that mean? First, let’s take a look at how sessions work on the World Wide Interwebs. By their very nature, web browsers are “stateless”. This means the CLIENT (web browser) makes a request to the SERVER, gets its information (a web page or image, for example), and closes that connection. The next time it makes the request, the server has no context from the previous request. To get around this, Netscape is credited with inventing the session cookie, which basically works like this:

  1. Web browser makes request to server the first time.
  2. Server realizes no “session” exists, so it creates a “blob of memory” to reserve for that user. It then creates a “key” that it sends to the browser in the form of a cookie in its response.
  3. The next time the browser makes a request, it sends that cookie. The server reads it and maps the cookie to the “blob of memory” that can contain anything, such as the login information of the user, or that user’s shopping cart.
  4. After a period of time (usually 15 minutes), the server realizes it hasn’t heard from the client and clears that memory to conserve resources.

Generally that “key” that we mentioned above is known as the “session ID”, and it’s usually passed in a cookie. But because not all browsers support(ed) cookies, a workaround was to allow the cookie to be passed on the query string. The problem is, if I know that session ID, I don’t even have to log into the web site you’re accessing – I can just send your cookie to that web site, and it will map my request to that “blob of memory” on the server that belongs to you – complete with your shopping cart or access to whatever private portal resources you had access to.

This is a pretty vague oversimplification, and if you’re interested, Wikipedia has decent articles on sessions and session fixation. WCI 10gR3 took additional measures to counteract the problem. Because it’s not open-source, it’s not easy to determine exactly what their solution was, but it involves clearing a session key when the user navigates away from the portal.
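As an added example, not code from this post or from WebCenter Interaction, here is a small in-memory session store in Python that walks through the four steps above: a first request with no cookie gets a fresh key, later requests map that key back to the user's "blob of memory", and an idle session is cleared after the 15 minutes mentioned. It also shows the usual defence against session fixation (the standard approach from the literature, not necessarily what Oracle did in 10gR3): at login the server issues a brand-new ID but keeps the session's data, so an ID that existed before login stops working while a redirect-based login flow does not lose the user's state. The class and function names, the fake clock and the sample cart contents are all constructed for the example.

```python
import secrets
import time
from dataclasses import dataclass, field

IDLE_TIMEOUT = 15 * 60  # seconds; the "usually 15 minutes" from the post (assumed value)


@dataclass
class Session:
    """The server-side "blob of memory" reserved for one browser."""
    data: dict = field(default_factory=dict)
    last_seen: float = 0.0
    authenticated: bool = False


class SessionStore:
    """Maps a session ID (the "key" sent as a cookie) to its Session.

    A clock callable is injected so idle expiry can be exercised offline.
    """

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock

    def _new_id(self):
        # 256 bits from a CSPRNG: the key must not be guessable or predictable.
        return secrets.token_urlsafe(32)

    def start(self):
        """Steps 1-2: no usable cookie presented, so reserve state and mint a key."""
        sid = self._new_id()
        self._sessions[sid] = Session(last_seen=self._clock())
        return sid

    def lookup(self, sid):
        """Steps 3-4: resolve a presented cookie, clearing sessions idle too long."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if self._clock() - sess.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]  # step 4: reclaim memory for an idle client
            return None
        sess.last_seen = self._clock()
        return sess

    def login(self, sid, username):
        """Privilege change: rotate the ID but keep the data.

        Any ID that existed before authentication is invalidated, which is the
        standard mitigation for session fixation; the cart and similar state
        survive, which is what a redirect-to-login SSO round trip needs.
        """
        sess = self.lookup(sid)
        if sess is None:
            sess = Session()
        else:
            del self._sessions[sid]
        sess.authenticated = True
        sess.data["user"] = username
        sess.last_seen = self._clock()
        new_sid = self._new_id()
        self._sessions[new_sid] = sess
        return new_sid


def handle_request(store, cookie_sid):
    """Per-request server logic: resume the session or start a new one.

    Returns (session ID to send back in the response cookie, Session).
    """
    sess = store.lookup(cookie_sid) if cookie_sid else None
    if sess is None:
        sid = store.start()
        return sid, store.lookup(sid)
    return cookie_sid, sess


def demo():
    """Run the lifecycle with a fake clock and report what happened."""
    now = [1_000_000.0]  # constructed clock value
    store = SessionStore(clock=lambda: now[0])

    sid, sess = handle_request(store, None)      # first visit: key issued
    sess.data["cart"] = ["widget"]               # constructed sample state
    pre_login_sid = sid

    sid = store.login(sid, "alice")              # login rotates the key
    after = store.lookup(sid)
    results = {
        "id_changed": sid != pre_login_sid,
        "old_id_dead": store.lookup(pre_login_sid) is None,
        "cart_kept": after.data["cart"] == ["widget"],
        "user": after.data["user"],
    }

    now[0] += IDLE_TIMEOUT + 1                   # client goes quiet for >15 minutes
    results["expired_after_idle"] = store.lookup(sid) is None
    results["unknown_cookie_gets_new_session"] = handle_request(store, "bogus")[0] != "bogus"
    return results


if __name__ == "__main__":
    print(demo())
```

The key design point is in `login`: the pre-login ID is deleted from the map and a new one minted, but the same `Session` object is re-attached, so nothing the user accumulated before authenticating is lost. Clearing the session outright, as the post describes 10gR3 doing on navigation away from the portal, achieves the first half but not the second, which is exactly the custom-SSO breakage discussed below.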

The problem is: what if clearing the session isn’t expected behavior? I ran into this exact scenario with a client using AquaLogic User Interaction (ALUI) trying to upgrade to WebCenter Interaction 10gR3. They had a custom SSO solution that redirected the browser to a login page at another domain. The server would redirect the browser to the new URL and the user would login there. After login, the browser would redirect back, but the original session had been deleted.

Bottom line: for most Plumtree installations, the 10gR3 upgrade is more secure and feature-rich. But use caution when applying this patch when you’ve got a custom SSO solution in-place, and test well before go-live!

Cool Tools 16: JD-GUI Java Decompiler

Sunday, April 3rd, 2011

There was a spirited discussion in the comments for our .NET decompiler post (hey, 2 comments is close to the record for this blog!), and this is long overdue, but in the past year, I’ve become a fanatic user of Emmanuel Dupuy’s JD-GUI Java Decompiler.  It’s free, it works, and it has the ability to decompile entire Java .jar files at once, saving all the source in a folder structure that matches the original source/package names.

The package export capability is excellent when you’d like to see what has changed between portal releases; you just decompile the WCI code before and after, and use Beyond Compare to highlight the differences between builds.

JD-GUI has been my tool of choice for many posts on this blog, and if you’re into getting down and dirty with your WebCenter Interaction Java code, I highly recommend this bad boy:

JD-GUI is a free download here, but I suggest throwing these guys a couple bucks for the donationware.  C’mon, 20 bucks, anyone?  (before you ask, yes, I contributed to the cause..)


WCI Collaboration Hotfix and Certificate Warnings

Thursday, February 3rd, 2011

While this blog isn’t the de-facto source for Oracle WebCenter Interaction critical fixes, we’ve tracked a big chunk of the latest hotfixes - including the more recent Analytics update and Collaboration Critical Fix for IE8.

I’ve done a couple of installs with this Collaboration IE8 fix, and although I still haven’t seen Bulk Upload or WebEdit really get bullet-proof (frankly, WebEdit in particular is the bane of my existence), one thing is certain with these updates:  Oracle updated the code-signing certificate for the Bulk Upload applet in the latest critical fix, but never bothered updating the WebEdit applet.

What does this mean?  Well, when you’re uploading files with the Bulk Upload applet, you get a message that the certificate has been validated by a trusted source:

But, whenever you load a page with Collaboration portlets on it, the WebEditControl applet loads (more on this another time), and you get a signature warning that says “The digital signature was generated with a trusted certificate but has expired”:

Oracle’s official stance can be summarized thusly: “Pfft, what’s the big deal, anyway?  Suck it up or fix it yourself.”  OK, so while I took some liberties with my paraphrasing there (sorry Oracle!), I went with option two: self-signing the WebEditControl applet.  It’s a non-trivial exercise, and all you get out of the deal is a nice clean prompt without the warning, but I’ve heard enough inquiries about this warning that I figured I’d just fix it:

The best part for you?  You can save yourself the huge pain of getting a code-signing cert, and download the Integryst-signed .jar file after the break, and say goodbye to that signature warning!

Happy New Year from Integryst!

Friday, December 31st, 2010

Hi all!  It’s been a great 2010, and I wanted to thank all of you for your readership this year.  I’d also like to extend a special thanks to the extremely talented guys who have helped out on the Integryst Team in 2010: Ray, Mitch, Andrew, Rick, Adam, and Faron - you guys all rock!

Stay tuned in 2011 for some more great Plumtree / ALUI / WebCenter Interaction tips, tricks, hacks, tools, and apps!

Best Wishes,


PS I’m kind of a stickler for language and grammar in everything I write (“It’s often ‘its’, not ‘it’s’”, for example), but I came across this great video recently that hopefully you’ll find entertaining and informative as well. The gist: don’t let perfect grammar get in the way of conveying a compelling message. So forgive me for taking some linguistic liberties in past and future posts!

Stephen Fry Kinetic Typography – Language from Matthew Rogers via LifeHacker

Wall of Shame Rant: Comment Spammers

Monday, September 6th, 2010

I know I haven’t posted in a while, but – wow - those comments keep coming in!  Oh wait, no, they’re all from spammers who clearly have nothing to do but waste my time deleting them all.  These leeches should all … well, let’s keep it clean for the kiddies.  Spam is a fact of life, and it’s only going to get worse.

Fortunately, I was able to get a little bit of satisfaction recently by NOT approving the following post:

Dear Russian Mafia, I didn’t approve this asshole’s comment.  You know what to do. 

For the rest of you all, I’ve turned on Captchas for commenting so at least the automated spambots will be kept out.  Sorry for the additional 10 seconds when posting comments here!

There’s a WCI App For That 3: Automater

Friday, June 4th, 2010

Let’s face it: sometimes even the simplest actions in the portal can take WAY too many clicks.  Take creating a single community:  you need to pick a community template, create pages, create Publisher portlets and add them to the pages, create Collab Projects, set security, etc.  And many times, most of this information is the same for every new community.  Community Templates help, but it still requires a LOT of clicks.

Integryst’s Automater product tackles this problem by allowing you to script multiple portal actions, only prompting for the unique information each time.  For example, at one client they wanted to create a “Network”, which consists of 7 communities, dozens of portlets, and multiple admin and regular users.  It literally would take over 100 clicks each time – and eventually there are going to be 100+ of these “networks”.  That’s a lot of clicks!

Not using Automater, though.   Administrators just enter the information that’s unique to each network, and those 100 clicks are rolled into one:

All kinds of actions can be scripted – and secured so that only certain groups have access to specific actions:


There’s A WCI App For That 2: PublisherManager

Friday, May 7th, 2010

You’ve read about Integryst’s PublisherEditor.  You’ve seen the video and read the product page.  The product continues to evolve, and is still the best WYSIWYG editor for AquaLogic / WebCenter Publisher on the market.  This post, though, is about an additional utility that comes included with PublisherEditor, called PublisherManager.

Articles have been written about finding published content URLs and changing publishing targets, but to date there hasn’t been a safe way to do a global search and replace of text in Content Items and Presentation Templates, or to generate a report on publishing targets.  PublisherManager fills that void with a clean UI and the ability to download a report as a CSV so you can identify:

PublisherManager and PublisherEditor work with WebCenter Interaction 6.0 –, and AquaLogic Publisher 6.1 – 6.5. 

Interested in a demo?  Drop me a line.

Cool Tools 5: .NET Decompilers

Wednesday, April 21st, 2010

Any self-respecting programmer has a suite of decompilers in their arsenal.  Hey, the WebCenter Interaction portal is great, but it’s not without its fair share of bugs, and often Oracle Support isn’t going to give you a lot of, well, support – so sometimes you need to take matters into your own hands.  Today’s Cool Tools are two of the best .NET decompilers I’ve used; I’ll have a post for Java decompilers soon.

I’m kind of split on this one and go back and forth between Dis# Decompiler and Red Gate’s .NET Reflector.  I do a lot of decompiling, and both have proven relatively useful. As professional tools, they’re not cheap ($399 and $195 for the professional versions, respectively), but they can save hours of time, and both have free trial versions.  Red Gate’s Reflector even has a free version available.

Personally, I sway a little more to Dis# Decompiler for one reason:  You can have it decompile ALL class files in a .DLL at once.  This is highly useful if you’re looking at bad portal code and are trying to search for a particular string somewhere in the portal libraries, but don’t know which class it might be in; you can decompile everything to disk and search with a text tool.  Red Gate, on the other hand, offers Visual Studio integration – which I haven’t tried yet – that promises to allow you to step through compiled code like you would with your own source.

So there you have it – two decent tools to check out when it comes time to figuring out why something’s broken.  Let me know if you’ve got a preference, or feel free to recommend something else!

Dis# Decompiler

Red Gate’s .NET Reflector

There’s A WCI App For That 1: PublisherEditor

Thursday, February 25th, 2010

Special thanks to Fabien Sanglier for giving me the idea for the title of this blog feature (where’d he come up with such a catchy line!?).  Indeed, the WCI Portal has a ton of APIs that allow extensions and customizations, and there are dozens of products, code samples, and utilities that have been developed using them; if you can dream it, there no doubt IS an app for that.  The trick is finding it.

I’ll use this feature to showcase some of ‘em (admittedly, in a somewhat self-serving way).  Most will be products I’m offering or interesting throwaway apps Integryst has developed to share some ideas with you, but I am on the lookout for cool apps created by others to feature here as well.

Today’s feature is PublisherEditor 3.1, a product I’ve written over the past year that includes many features not available in the out-of-the-box Publisher Content Item Editor, resolving common issues with the out-of-the-box version of Publisher such as:

  1. Pasting content from Microsoft Word is possible without corrupting the styles
  2. Check-outs, saves, check-ins, and publishing are performed in one click, and all version history capabilities that Publisher provides are still available
  3. Styles in the rich editor are the same as the page, so there’s no guess-work on what the content will look like when it’s published
  4. Dynamically define styles, fonts, and sizes as you deem appropriate to prevent “style sprawl”
  5. Page anchor links can be created and won’t be broken on save/checkin
  6. Users don’t have to go from the HTML editor to the rich text editor to actually save content (a Publisher 6.5 bug)
  7. Images can be uploaded and actually viewed in the editor; gatewaying, relative links, and adaptive tags such as pt://images aren’t broken.
  8. Adaptive tags are not broken and are actually enhanced (rather than seeing XML you see formatted text)
  9. The HTML DOM won’t be corrupted when you’re updating the HTML
  10. Previews can be viewed in-line on the actual page the item will appear on
  11. Link to other communities, pages, and portlets by selecting them in a simple dialog box – no more copying links!
  12. Easily upload and link to files/documents for quick inclusion in the item
  13. In-line spell checker like Microsoft Word
  14. Browse existing images and files and quickly link to them
  15. Automatically refresh portlet caches so publishing items results in the content actually being updated
  16. Search, Replace, and more!

Take a look at the below video for more information, hit up the product page, and contact me if you’d like a Live Demo!

Happy New Year!

Saturday, January 9th, 2010

Happy New Year all!  As most of you know, I’ve spent the past year establishing Integryst as another premier Web Center Interaction (or AquaLogic Interaction or Plumtree Foundation) consulting and software development organization.  I’d like to thank all my clients in 2009 for the great year, and look forward to 2010!  My New Year’s resolution is to get my blog back up and running; I’ve got a year’s worth of entries that I’ve been stockpiling, so expect some pretty regular updates this year!

As always, check out Function1′s Blog, which is always good for some incredibly educational and entertaining posts as well.  If you’re the RSS type, definitely subscribe to Kenan Shifflet’s RSS Feed Aggregator for All Things ALUI - he keeps track of all WCI/BEA/Plumtree feeds and aggregates them so you don’t have to!