Monday 13 September 2010

Tied Up Protection for the Sun One / Oracle iPlanet Web Server - sed_request

I have finally tested and tuned my obj.conf from the previous post on using the sed_request filter in Sun One/iPlanet Web Server 7 to provide some amount of SQL Injection and XSS protection. My final entry, which is added at the end of the Service entries in the default section of obj.conf, is:

Input fn="insert-filter"
method="(GET|HEAD|POST)"
filter="sed-request"
sed="s/</\\&lt;/g"
sed="s/%3c/\\&lt;/g"
sed="s/%3C/\\&lt;/g"
sed="s/>/\\&gt;/g"
sed="s/%3e/\\&gt;/g"
sed="s/%3E/\\&gt;/g"
sed="s/\x3C ?iframe//g"
sed="s/\\<src\\>[^a-zA-Z_0-9]*?\\<javascript://g"
sed="s/\\<src\\>[^a-zA-Z_0-9]*?\\<vbscript://g"
sed="s/\\<href\\>[^a-zA-Z_0-9]*?\\<javascript://g"
sed="s/\\<alert\\>[^a-zA-Z_0-9]*?\x28//g"
sed="s/\\<src\\>[^a-zA-Z_0-9]*?\\<http://g"
sed="s/\\<type\\>[^a-zA-Z_0-9]*?\\<text\\>[^a-zA-Z_0-9]*?\\<vbscript\\>//g"
sed="s/\\<href\\>[^a-zA-Z_0-9]*?\\<vbscript://g"
sed="s/\\<url\\>[^a-zA-Z_0-9]*?\\<javascript://g"
sed="s/\x3C ?script\\>//g"
sed="s/\\<type\\>[^a-zA-Z_0-9]*?\\<text\\>[^a-zA-Z_0-9]*?\\<javascript\\>//g"
sed="s/\\<url\\>[^a-zA-Z_0-9]*?\\<vbscript://g"
sed="s/(asfunction|javascript|vbscript|data|mocha|livescript)://g"
sed="s/(?i:<object[ /+\t].*?((type)|(codetype)|(classid)|(code)|(data))[ /+\t]*=)//g"
sed="s/(?i:[ /+\t\"\'`]datasrc[ +\t]*?=.)//g"
sed="s/(?i:<link[ /+\t].*?href[ /+\t]*=)//g"
sed="s/(?i:<meta[ /+\t].*?http-equiv[ /+\t]*=)//g"
sed="s/(?i:<embed[ /+\t].*?SRC.*?=)//g"
sed="s/(?i:[ /+\t\"\'`]on\x63\x63\x63+?[ +\t]*?=.)//g"
sed="s/(?i:<[i]?frame.*?[ /+\t]*?src[ /+\t]*=)//g"
sed="s/(?i:<isindex[ /+\t>])//g"
sed="s/(?i:<form.*?>)//g"
sed="s/(?i:<script.*?[ /+\t]*?src[ /+\t]*=)//g"
sed="s/(?i:<script.*?>)//g"
sed="s/\\<select\\>.{0,40}\\<user\\>//g"
sed="s/\\<select\\>.{0,40}\\<substring\\>//g"
sed="s/\\<select\\>.{0,40}\\<ascii\\>//g"
sed="s/\\<user_tables\\>//g"
sed="s/\\<user_tab_columns\\>//g"
sed="s/\\<all_objects\\>//g"
sed="s/\\<drop\\>//g"
sed="s/\\<substr\\>//g"
sed="s/\\<sysdba\\>//g"
sed="s/\\<user_password\\>//g"
sed="s/\\<user_users\\>//g"
sed="s/\\<user_constraints\\>//g"
sed="s/\\<column_name\\>//g"
sed="s/\\<substring\\>//g"
sed="s/\\<object_type\\>//g"
sed="s/\\<object_id\\>//g"
sed="s/\\<user_ind_columns\\>//g"
sed="s/\\<column_id\\>//g"
sed="s/\\<table_name\\>//g"
sed="s/\\<object_name\\>//g"
sed="s/\\<rownum\\>//g"
sed="s/\\<user_group\\>//g"
sed="s/\\<utl_http\\>//g"
sed="s/\\<select\\>.*?\\<to_number\\>//g"
sed="s/\\<group\\>.*\\<by\\>.{1,100}?\\<having\\>//g"
sed="s/\\<select\\>.*?\\<data_type\\>//g"
sed="s/\\<isnull\\>[^a-zA-Z_0-9]*?\x28//g"
sed="s/\\<union\\>.{1,100}?\\<select\\>//g"
sed="s/\\<insert\\>[^a-zA-Z_0-9]*?\\<into\\>//g"
sed="s/\\<select\\>.{1,100}?\\<count\\>.{1,100}?\\<from\\>//g"
sed="s/\x3B[^a-zA-Z_0-9]*?\\<drop\\>//g"
sed="s/\\<select\\>.*?\\<to_char\\>//g"
sed="s/\\<dbms_java\\>//g"
sed="s/\\<nvarchar\\>//g"
sed="s/\\<utl_file\\>//g"
sed="s/\\<inner\\>[^a-zA-Z_0-9]*?\\<join\\>//g"
sed="s/\\<select\\>.{1,100}?\\<from\\>.{1,100}?\\<where\\>//g"
sed="s/\\<into\\>[^a-zA-Z_0-9]*?\\<dumpfile\\>//g"
sed="s/\\<delete\\>[^a-zA-Z_0-9]*?\\<from\\>//g"
sed="s/\x3B[^a-zA-Z_0-9]*?\\<shutdown\\>//g"
sed="s/\\<dba_users\\>//g"
sed="s/\\<select\\>.{1,100}?\\<top\\>.{1,100}?\\<from\\>//g"

Don't forget to import the changes into the repository for them to take effect!
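An added example, not part of the post: a small Python re-implementation of what the sed-request entries above do to a request string, so the rule set can be exercised offline against sample inputs before it is imported into the repository. It assumes the filter applies the sed entries sequentially in the order given and interprets them as Perl-style regular expressions with \< and \> as word boundaries (an assumption about the Sun sed dialect), and it embeds a constructed subset of the entries from the obj.conf above.

```python
import re

# Constructed subset of the sed-request entries from the obj.conf above, kept
# in the order the post gives them (the filter applies them sequentially).
OBJ_CONF_LINES = r'''
sed="s/</\\&lt;/g"
sed="s/>/\\&gt;/g"
sed="s/(asfunction|javascript|vbscript|data|mocha|livescript)://g"
sed="s/(?i:<link[ /+\t].*?href[ /+\t]*=)//g"
sed="s/(?i:<script.*?>)//g"
sed="s/\\<user_tables\\>//g"
sed="s/\\<union\\>.{1,100}?\\<select\\>//g"
sed="s/\\<select\\>.{1,100}?\\<count\\>.{1,100}?\\<from\\>//g"
sed="s/\\<select\\>.{1,100}?\\<from\\>.{1,100}?\\<where\\>//g"
sed="s/\\<delete\\>[^a-zA-Z_0-9]*?\\<from\\>//g"
'''.strip().splitlines()


def unquote_objconf(value):
    """Undo obj.conf string escaping: a doubled backslash becomes one backslash
    and an escaped quote becomes a quote; other backslash pairs reach sed as-is."""
    return re.sub(r'\\([\\"\'])', r'\1', value)


def split_s_command(cmd):
    """Split s/PATTERN/REPLACEMENT/FLAGS into its three parts, honouring
    backslash escapes and bracket expressions (a '/' inside [...] is literal)."""
    if len(cmd) < 2 or cmd[0] != 's':
        raise ValueError('not an s command: ' + cmd)
    delim, parts, buf, in_bracket, i = cmd[1], [], [], False, 2
    while i < len(cmd):
        c = cmd[i]
        if c == '\\' and i + 1 < len(cmd):      # keep escape pairs intact
            buf.append(cmd[i:i + 2])
            i += 2
            continue
        if c == '[' and not parts:               # only the pattern has brackets
            in_bracket = True
        elif c == ']' and in_bracket:
            in_bracket = False
        elif c == delim and not in_bracket:
            parts.append(''.join(buf))
            buf = []
            i += 1
            continue
        buf.append(c)
        i += 1
    parts.append(''.join(buf))
    if len(parts) != 3:
        raise ValueError('malformed s command: ' + cmd)
    return parts


def sed_pattern_to_python(pattern):
    # GNU-style word boundaries become Python's \b; the rest of these entries
    # already use Perl-style syntax ((?i:...), .*?, {m,n}) that re accepts.
    return pattern.replace(r'\<', r'\b').replace(r'\>', r'\b')


def sed_replacement_to_python(repl):
    # sed: '&' is the whole match and '\&' a literal '&'; re.sub: '&' is
    # literal, the whole match is '\g<0>', and a literal backslash is doubled.
    def conv(m):
        esc = m.group(1)
        if esc is None:
            return r'\g<0>'
        return '\\' + esc if esc.isdigit() or esc == '\\' else esc
    return re.sub(r'\\(.)|&', conv, repl)


def load_rules(lines):
    rules = []
    for line in lines:
        m = re.fullmatch(r'\s*sed="(.*)"\s*', line)
        if m:
            pattern, repl, flags = split_s_command(unquote_objconf(m.group(1)))
            rules.append((re.compile(sed_pattern_to_python(pattern)),
                          sed_replacement_to_python(repl),
                          0 if 'g' in flags else 1))   # 0 = replace every match
    return rules


def apply_rules(rules, text):
    """Run the entries in order over one request string; returns the rewritten
    text and, per entry, how many substitutions it made."""
    hits = []
    for regex, repl, count in rules:
        text, n = regex.subn(repl, text, count=count)
        hits.append(n)
    return text, hits


RULES = load_rules(OBJ_CONF_LINES)


def rewrite(text):
    return apply_rules(RULES, text)[0]


def rule_hits(text):
    return apply_rules(RULES, text)[1]


if __name__ == '__main__':
    for sample in ('comment=<b>Hello</b>',                       # constructed inputs
                   'q=select count(*) from accounts where id=1',
                   'next=javascript:history.back()'):
        print(repr(sample), '->', repr(rewrite(sample)), rule_hits(sample))
```

The per-entry hit counts show which entries actually fire for a given input under the configured ordering, which is the check to run when deciding what the leading entity substitutions leave for the later entries written against a literal "<" to match.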

Sunday 5 September 2010

How JavaEE is implemented in WLS - Services

Oracle WebLogic Server Internal Services


When people think of JavaEE application servers they tend to think of the JavaEE interfaces and publicly accessible subsystems such as the web container, EJB container, Java Transaction Service, Java Message Service, etc. However, to provide these publicly accessible subsystems and services a large number of “invisible” services, subsystems and components must come together. To provide enterprise level services a number of operating system-like facilities must be used to manage thread pooling, memory, logging and communications in such a way as to provide enterprise level qualities of service, integration and scalability. If you look carefully at Oracle WebLogic Server, WebSphere Application Server, or even JBoss these underlying services can be seen, although they aren't meant to be accessible from application code and are only for use by the underlying system software that provides the JavaEE interfaces. This article aims to explain what some of these services are, and how they are managed, integrated and used by the application server interfaces seen by applications. We will look at individual services and how they are related in future articles, but for this article we will look at the group of services with a particular set of interrelationships designed to be started and managed as part of the T3 Server services.

Understanding services and what they mean requires some detective work. The application server exposes their operation, at least for those that aren't primordial (i.e. those that are started before the subsystems that allow them to be observed and controlled), for advanced administrators to see. The operation of those started by T3 can be seen by enabling debug logging for “Server Life Cycle” events on a server instance in the Admin Server console, although it is important to realise that this doesn't show all services. The additional logging has considerable overhead, so don't do this on a production server!

Start up the Node Manager (startNodeManager.sh) and the server instance hosting the Admin Server (startWebLogic.sh) and after logging in click on the Environments branch link in the Domain Structure tree control on the left side of console main page, followed by the Server link. This will bring up a list of servers, so select the one being monitored by clicking on its link and select the Configuration tab.

On the Configuration tab click the Logging subtab followed by the Advanced link towards the bottom of the page. In this section change the settings for the log file and standard output so that debug messages are logged. First change the “Minimum severity to log” setting to tell the environment that it is in debug mode.



Next setup the destinations for the log entries to ensure we have some output to examine.



Once the settings have been changed click on the “Save” button to commit them. Next select the Debug tab at the top of the page. Here we tell the application server instance which subsystems we want debug messages logged for, in our case the T3Srvr ServerLifeCycle monitoring and the time taken for each subsystem to process its requests.



The page will, by default, contain two sub-trees; “default” and “weblogic”. In our case we want the “weblogic” sub-tree so click on it and look down towards the bottom of the tree and open the “t3” branch followed by “srvr” and click on the check boxes for “DebugServerLifeCycle” and “DebugServerStartStatistics”. Next click on the “Enable” button.



When the process is complete, return to the Domain Structure tree control, open the Environment tree and Servers sub-tree, click on the target server whose configuration was just changed and click on “Shutdown” followed by “Start”, leaving the “Admin Server” until last. When the application server instance restarts it will log the subsystems and services being started in each mode to the application server log and the JVM process standard output. We can collect these from the servers/<SERVER_NAME>/logs directory of the target domain under user_projects/domains and examine them.

If we examine just the ServerLifeCycle entries in the standard output file we will see that the Oracle WebLogic Server runtime makes use of a considerable number of base underlying services to provide the support needed for the containers. The file will have entries similar to the following, but a large number of them.


<03-Apr-2010 19:33:11 o'clock BST> <Debug> <ServerLifeCycle> <BEA-000000> <Time taken to start weblogic.diagnostics.lifecycle.DiagnosticFoundationService: 1157 ms>
<03-Apr-2010 19:33:11 o'clock BST> <Debug> <ServerLifeCycle> <BEA-000000> <creating service: weblogic.nodemanager.NMService>
<03-Apr-2010 19:33:11 o'clock BST> <Debug> <ServerLifeCycle> <BEA-000000> <starting service: weblogic.nodemanager.NMService>
<03-Apr-2010 19:33:11 o'clock BST> <Debug> <ServerLifeCycle> <BEA-000000> <Time taken to start weblogic.nodemanager.NMService: 136 ms>
<03-Apr-2010 19:33:11 o'clock BST> <Debug> <ServerLifeCycle> <BEA-000000> <creating service: weblogic.timers.internal.TimerService>
<03-Apr-2010 19:33:11 o'clock BST> <Debug> <ServerLifeCycle> <BEA-000000> <starting service: weblogic.timers.internal.TimerService>
<03-Apr-2010 19:33:11 o'clock BST> <Debug> <ServerLifeCycle> <BEA-000000> <Time taken to start weblogic.timers.internal.TimerService: 16 ms>
<03-Apr-2010 19:33:11 o'clock BST> <Debug> <ServerLifeCycle> <BEA-000000> <creating service: weblogic.rjvm.RJVMService>
<03-Apr-2010 19:33:11 o'clock BST> <Debug> <ServerLifeCycle> <BEA-000000> <starting service: weblogic.rjvm.RJVMService>
<03-Apr-2010 19:33:11 o'clock BST> <Debug> <ServerLifeCycle> <BEA-000000> <Time taken to start weblogic.rjvm.RJVMService: 224 ms>
<03-Apr-2010 19:33:11 o'clock BST> <Debug> <ServerLifeCycle> <BEA-000000> <creating service: weblogic.protocol.ProtocolService>
...


Whilst this mechanism shows some of the services that underpin the application server instance, it won't show all of them, nor those started outside of the instance being monitored, the class dependencies (i.e. where service classes make use of other classes) or the detailed interfaces between these classes. So we need to use the Java investigator's tool of choice – reflection. We will also need to use the JVM's verbose class output to log each class and where it is loaded from. This produces a large amount of logged information that makes using the application server instance itself for anything useful problematic, but by filtering the information carefully before examining it in depth we can get just the detailed information we need. For our reflection we simply use the same classpath as our application instance did, which can be seen from the command line and startup batch files, and load a class that reflects on each class name that appears in the verbose class output.

When verbose class logging is enabled (-verbose:class on the JVM command line) an entry appears in the JVM standard output showing the details of each class loaded and which file on the file system it was loaded from. First the JVM classes load, but eventually entries appear referring to the application server classes, e.g.

...
[Loaded weblogic.Server from file:/home/colin/Oracle/Middleware/wlserver_10.3/server/lib/weblogic.jar]
[Loaded java.io.FileFilter from /home/colin/Oracle/Middleware/jdk160_14_R27.6.5-32/jre/lib/rt.jar]
[Loaded java.net.MalformedURLException from /home/colin/Oracle/Middleware/jdk160_14_R27.6.5-32/jre/lib/rt.jar]
[Loaded java.lang.AssertionError from /home/colin/Oracle/Middleware/jdk160_14_R27.6.5-32/jre/lib/rt.jar]
[Loaded weblogic.management.DomainDirConstants from file:/home/colin/Oracle/Middleware/modules/com.bea.core.management.core_2.5.0.0.jar]
[Loaded weblogic.management.DomainDir from file:/home/colin/Oracle/Middleware/modules/com.bea.core.management.core_2.5.0.0.jar]
[Loaded weblogic.management.bootstrap.BootStrapConstants from file:/home/colin/Oracle/Middleware/modules/com.bea.core.management.core_2.5.0.0.jar]
[Loaded weblogic.management.bootstrap.BootStrapMin from file:/home/colin/Oracle/Middleware/modules/com.bea.core.management.core_2.5.0.0.jar]
[Loaded weblogic.management.bootstrap.BootStrap from file:/home/colin/Oracle/Middleware/modules/com.bea.core.management.core_2.5.0.0.jar]
[Loaded weblogic.Home from file:/home/colin/Oracle/Middleware/wlserver_10.3/server/lib/weblogic.jar]
[Loaded weblogic.Home$HomeSingleton from file:/home/colin/Oracle/Middleware/wlserver_10.3/server/lib/weblogic.jar]
...


We need to filter out the entries relating to the application server from those for the JDK and filter out any other unrelated information. On a Unix type system we simply use “grep” to filter only the entries starting “[Loaded “ and then only those that include the application server installation path, in this case “file:/home/colin/Oracle/Middleware/wlserver_10.3” or “file:/home/colin/Oracle/Middleware/modules”.

To get the information to reflect upon we now need to cut out the class names to be loaded using “cut -d ' ' -f2” and pipe them to a file. We then merely create a class to do the reflection and load it using the classpath used to load WLS itself, i.e. we need to use the classpath and other JVM parameters that start the weblogic.Server class and its main entry point from startWebLogic.sh:

/opt/Oracle/Middleware/jdk160_14_R27.6.5-32/bin/java -client -Xms256m -Xmx512m -XX:CompileThreshold=8000 -XX:PermSize=48m -XX:MaxPermSize=128m -Dweblogic.Name=AdminServer -Djava.security.policy=/home/colin/Oracle/Middleware/wlserver_10.3/server/lib/weblogic.policy -Xverify:none -da -Dplatform.home=/opt/Oracle/Middleware/wlserver_10.3 -Dwls.home=/opt/Oracle/Middleware/wlserver_10.3/server -Dweblogic.home=/opt/Oracle/Middleware/wlserver_10.3/server -Dweblogic.management.discover=true -Dwlw.iterativeDev= -Dwlw.testConsole= -Dwlw.logErrorsToConsole= -Dweblogic.ext.dirs=/opt/Oracle/Middleware/patch_wls1032/profiles/default/sysext_manifest_classpath:/opt/Oracle/Middleware/patch_jdev1111/profiles/default/sysext_manifest_classpath weblogic.Server
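An added example, not from the post: a Python equivalent of the two filtering steps described above, picking the ServerLifeCycle entries out of the server output and doing the grep/cut step over -verbose:class output. It runs over constructed excerpts in the shapes shown above, and it also flags services that logged “starting service” but never a “Time taken to start” entry, which a plain grep does not show.

```python
import re
from collections import Counter, OrderedDict

# Constructed excerpt shaped like the ServerLifeCycle debug entries above; the
# first entry wraps onto a second line, as in the post's excerpt, the RJVMService
# start is never timed, and the last entry belongs to another subsystem.
LIFECYCLE_LOG = """\
<03-Apr-2010 19:33:11 o'clock BST> <Debug> <ServerLifeCycle> <BEA-000000> <Time taken to start
weblogic.diagnostics.lifecycle.DiagnosticFoundationService: 1157 ms>
<03-Apr-2010 19:33:11 o'clock BST> <Debug> <ServerLifeCycle> <BEA-000000> <creating service: weblogic.nodemanager.NMService>
<03-Apr-2010 19:33:11 o'clock BST> <Debug> <ServerLifeCycle> <BEA-000000> <starting service: weblogic.nodemanager.NMService>
<03-Apr-2010 19:33:11 o'clock BST> <Debug> <ServerLifeCycle> <BEA-000000> <Time taken to start weblogic.nodemanager.NMService: 136 ms>
<03-Apr-2010 19:33:11 o'clock BST> <Debug> <ServerLifeCycle> <BEA-000000> <creating service: weblogic.timers.internal.TimerService>
<03-Apr-2010 19:33:11 o'clock BST> <Debug> <ServerLifeCycle> <BEA-000000> <starting service: weblogic.timers.internal.TimerService>
<03-Apr-2010 19:33:11 o'clock BST> <Debug> <ServerLifeCycle> <BEA-000000> <Time taken to start weblogic.timers.internal.TimerService: 16 ms>
<03-Apr-2010 19:33:11 o'clock BST> <Debug> <ServerLifeCycle> <BEA-000000> <creating service: weblogic.rjvm.RJVMService>
<03-Apr-2010 19:33:11 o'clock BST> <Debug> <ServerLifeCycle> <BEA-000000> <starting service: weblogic.rjvm.RJVMService>
<03-Apr-2010 19:33:12 o'clock BST> <Debug> <Management> <BEA-000000> <constructed entry from another subsystem>
"""

# Constructed -verbose:class excerpt in the shape shown above.
VERBOSE_CLASS = """\
[Loaded weblogic.Server from file:/home/colin/Oracle/Middleware/wlserver_10.3/server/lib/weblogic.jar]
[Loaded java.io.FileFilter from /home/colin/Oracle/Middleware/jdk160_14_R27.6.5-32/jre/lib/rt.jar]
[Loaded weblogic.management.DomainDir from file:/home/colin/Oracle/Middleware/modules/com.bea.core.management.core_2.5.0.0.jar]
[Loaded weblogic.Home from file:/home/colin/Oracle/Middleware/wlserver_10.3/server/lib/weblogic.jar]
Some other line written to standard output
"""
WLS_ROOTS = ('file:/home/colin/Oracle/Middleware/wlserver_10.3',
             'file:/home/colin/Oracle/Middleware/modules')

ENTRY_RE = re.compile(r'^<(?P<ts>[^>]+)> <(?P<severity>[^>]+)> <(?P<subsystem>[^>]+)> '
                      r'<(?P<msgid>[^>]+)> <(?P<msg>.*)>$')
TIMING_RE = re.compile(r'^Time taken to start (?P<service>\S+): (?P<ms>\d+) ms$')
EVENT_RE = re.compile(r'^(?P<event>creating|starting) service: (?P<service>\S+)$')
LOADED_RE = re.compile(r'^\[Loaded (?P<cls>\S+) from (?P<src>\S+)\]$')


def join_wrapped(lines):
    """Re-join entries wrapped onto a following line: a line that does not
    begin with '<' continues the previous entry."""
    entries = []
    for line in lines:
        line = line.rstrip()
        if not line:
            continue
        if line.startswith('<') or not entries:
            entries.append(line)
        else:
            entries[-1] += ' ' + line
    return entries


def lifecycle_messages(lines):
    """Yield the message text of every ServerLifeCycle entry, in log order."""
    for entry in join_wrapped(lines):
        m = ENTRY_RE.match(entry)
        if m and m.group('subsystem') == 'ServerLifeCycle':
            yield m.group('msg')


def service_start_times(lines):
    """Ordered {service: milliseconds} for every service whose start was timed."""
    times = OrderedDict()
    for msg in lifecycle_messages(lines):
        t = TIMING_RE.match(msg)
        if t:
            times[t.group('service')] = int(t.group('ms'))
    return times


def unfinished_services(lines):
    """Services with a 'starting service' entry but no 'Time taken to start'
    entry: the place to look when a server hangs or fails while coming up."""
    started, timed = [], set()
    for msg in lifecycle_messages(lines):
        e = EVENT_RE.match(msg)
        if e and e.group('event') == 'starting':
            started.append(e.group('service'))
        t = TIMING_RE.match(msg)
        if t:
            timed.add(t.group('service'))
    return [s for s in started if s not in timed]


def wls_classes(lines, roots=WLS_ROOTS):
    """The grep/cut step from the post: names of the classes loaded from the
    WLS installation, plus a count per archive showing which jars supply them."""
    names, per_jar = [], Counter()
    for line in lines:
        m = LOADED_RE.match(line.strip())
        if m and m.group('src').startswith(roots):
            names.append(m.group('cls'))
            per_jar[m.group('src')] += 1
    return names, per_jar


if __name__ == '__main__':
    for service, ms in service_start_times(LIFECYCLE_LOG.splitlines()).items():
        print('%6d ms  %s' % (ms, service))
    print('started but never timed:', unfinished_services(LIFECYCLE_LOG.splitlines()))
    names, per_jar = wls_classes(VERBOSE_CLASS.splitlines())
    print('\n'.join(names))          # this list is the input for the reflection class
    for jar, n in per_jar.most_common():
        print(n, jar)
```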


Our class doing the reflection should look something like the following, and to this we pass the output from our filtered class list above:

import java.io.*;
import java.lang.reflect.*;
import java.net.URL;
import java.security.CodeSource;

public class ShowClassFile {
    public static void main(String[] args) {
        if (args.length != 2) {
            System.out.println("Usage: ShowClassFile objectlistfile outputdetailsfile");
            return;
        }
        BufferedReader reader = null;
        FileWriter writer = null;
        String testClassName;
        try {
            reader = new BufferedReader(new FileReader(new File(args[0])));
            writer = new FileWriter(args[1]);
            while ((testClassName = reader.readLine()) != null) {
                testClassName = testClassName.trim();
                if (testClassName.length() == 0) {
                    continue;
                }
                try {
                    // initialize=false: we only inspect the class, we don't run its
                    // static initialisers, which may expect a running server
                    Class<?> test = Class.forName(testClassName, false,
                                                  ShowClassFile.class.getClassLoader());
                    String location;
                    if (test.getClassLoader() != null) {
                        CodeSource source = test.getProtectionDomain().getCodeSource();
                        location = "Class loaded from: "
                                   + (source == null ? "(unknown code source)" : source.getLocation());
                    } else {
                        // Bootstrap classes have a null class loader, so look the .class
                        // resource up through the system class loader instead
                        URL resource = ClassLoader.getSystemResource(
                                testClassName.replace('.', '/') + ".class");
                        location = "System Classloader loaded class from: " + resource;
                    }
                    // Write the details of the class out to a file
                    printClassInfo(test, location, writer);
                } catch (ClassNotFoundException e) {
                    System.out.println("Couldn't find class: " + testClassName);
                } catch (LinkageError e) {
                    // e.g. NoClassDefFoundError when a dependency is missing from the classpath
                    System.out.println("Couldn't link class: " + testClassName + " (" + e + ")");
                }
                writer.flush();
            }
        } catch (FileNotFoundException e) {
            System.out.println("Input or output files not found");
        } catch (IOException e) {
            System.out.println("An IOException has occurred writing to the file");
        } finally {
            try {
                if (reader != null) reader.close();
                if (writer != null) writer.close();
            } catch (IOException e) {
                System.out.println("Failed to close the files: " + e);
            }
        }
    }

    public static void printClassInfo(Class<?> clazz, String location,
                                      FileWriter writer) throws IOException {
        writer.write("\n\n*******************************************************\n");
        writer.write("Class Name: " + clazz.getName() + "\n");
        writer.write(location + "\n");
        writer.write("Superclass:" + clazz.getSuperclass() + "\n");
        writer.write("\nInterfaces:\n***********\n");
        for (Class<?> iface : clazz.getInterfaces())
            writer.write(iface.getName() + "\n");
        writer.write("\nMethods:\n*********\n");
        for (Method method : clazz.getMethods())
            writer.write(method + "\n");
        writer.write("\nFields:\n*******\n");
        for (Field field : clazz.getFields())
            writer.write(field + "\n");
        writer.write("\n*************************************\n\n\n");
        writer.flush();
    }
}


This gives us detailed output like the following:

*******************************************************
Class Name: weblogic.Server
Class loaded from: file:/home/colin/Oracle/MiddlewareJDev/wlserver_10.3/server/lib/weblogic.jar
Superclass:class java.lang.Object
Interfaces:
***********
Methods:
*********
public static void weblogic.Server.main(java.lang.String[])
public java.lang.String weblogic.Server.toString()
public static boolean weblogic.Server.isRedefineClassesSupported()
public static java.lang.String weblogic.Server.getUsage()
public final native void java.lang.Object.wait(long) throws java.lang.InterruptedException
public final void java.lang.Object.wait(long,int) throws java.lang.InterruptedException
public final void java.lang.Object.wait() throws java.lang.InterruptedException
public native int java.lang.Object.hashCode()
public final native java.lang.Class java.lang.Object.getClass()
public boolean java.lang.Object.equals(java.lang.Object)
public final native void java.lang.Object.notify()
public final native void java.lang.Object.notifyAll()
Fields:
*******
public static final java.lang.String weblogic.Server.WEBLOGIC_INSTRUMENTATION_PROPERTY
public static final java.lang.String weblogic.Server.DIAGNOSTIC_PRE_PROCESSOR_CLASS
public static final java.lang.String weblogic.Server.WEBLOGIC_INSTRUMENTATION_SERVER_SCOPE
public static final java.lang.String weblogic.Server.CLASSLOADER_PREPROCESSOR
...
*******************************************************
Class Name: weblogic.server.AbstractServerService
Class loaded from: file:/home/colin/Oracle/MiddlewareJDev/modules/com.bea.core.weblogic.lifecycle_1.3.0.0.jar
Superclass:class java.lang.Object
Interfaces:
***********
Methods:
*********
public java.lang.String weblogic.server.AbstractServerService.getName()
public void weblogic.server.AbstractServerService.start() throws weblogic.server.ServiceFailureException
public void weblogic.server.AbstractServerService.stop() throws weblogic.server.ServiceFailureException
public void weblogic.server.AbstractServerService.halt() throws weblogic.server.ServiceFailureException
public java.lang.String weblogic.server.AbstractServerService.getVersion()
public final native void java.lang.Object.wait(long) throws java.lang.InterruptedException
public final void java.lang.Object.wait(long,int) throws java.lang.InterruptedException
public final void java.lang.Object.wait() throws java.lang.InterruptedException
public native int java.lang.Object.hashCode()
public final native java.lang.Class java.lang.Object.getClass()
public boolean java.lang.Object.equals(java.lang.Object)
public java.lang.String java.lang.Object.toString()
public final native void java.lang.Object.notify()
public final native void java.lang.Object.notifyAll()
Fields:
*******
public static final java.lang.String weblogic.server.ServerService.EJB
public static final java.lang.String weblogic.server.ServerService.JMS
public static final java.lang.String weblogic.server.ServerService.CONNECTOR
public static final int weblogic.server.ServerStates.SRVR_SHUTDOWN
public static final int weblogic.server.ServerStates.SRVR_STARTING
public static final int weblogic.server.ServerStates.SRVR_RUNNING
public static final int weblogic.server.ServerStates.SRVR_STANDBY
public static final int weblogic.server.ServerStates.SRVR_SUSPENDING
public static final int weblogic.server.ServerStates.SRVR_FORCE_SUSPENDING
public static final int weblogic.server.ServerStates.SRVR_RESUMING
public static final int weblogic.server.ServerStates.SRVR_SHUTTING_DOWN
public static final int weblogic.server.ServerStates.SRVR_FAILED
public static final int weblogic.server.ServerStates.SRVR_UNKNOWN
public static final int weblogic.server.ServerStates.SRVR_SHUTDOWN_PENDING
public static final int weblogic.server.ServerStates.SRVR_SHUTDOWN_IN_PROCESS
public static final int weblogic.server.ServerStates.SRVR_FAILED_RESTARTING
public static final int weblogic.server.ServerStates.SRVR_ACTIVATE_LATER
public static final int weblogic.server.ServerStates.SRVR_FAILED_NOT_RESTARTABLE
public static final int weblogic.server.ServerStates.SRVR_FAILED_MIGRATABLE
public static final int weblogic.server.ServerStates.SRVR_DISCOVERED
public static final int weblogic.server.ServerStates.SRVR_ADMIN
public static final int weblogic.server.ServerStates.SRVR_FORCE_SHUTTING_DOWN
public static final java.lang.String weblogic.server.ServerStates.SHUTDOWN
public static final java.lang.String weblogic.server.ServerStates.STARTING
public static final java.lang.String weblogic.server.ServerStates.RUNNING
public static final java.lang.String weblogic.server.ServerStates.STANDBY
public static final java.lang.String weblogic.server.ServerStates.ADMIN
public static final java.lang.String weblogic.server.ServerStates.SUSPENDING
public static final java.lang.String weblogic.server.ServerStates.FORCE_SUSPENDING
public static final java.lang.String weblogic.server.ServerStates.RESUMING
public static final java.lang.String weblogic.server.ServerStates.SHUTTING_DOWN
public static final java.lang.String weblogic.server.ServerStates.FORCE_SHUTTING_DOWN
public static final java.lang.String weblogic.server.ServerStates.FAILED
public static final java.lang.String weblogic.server.ServerStates.SHUTDOWN_PENDING
public static final java.lang.String weblogic.server.ServerStates.SHUTDOWN_IN_PROCESS
public static final java.lang.String weblogic.server.ServerStates.UNKNOWN
public static final java.lang.String weblogic.server.ServerStates.DISCOVERED
public static final java.lang.String weblogic.server.ServerStates.FAILED_RESTARTING
public static final java.lang.String weblogic.server.ServerStates.ACTIVATE_LATER
public static final java.lang.String weblogic.server.ServerStates.FAILED_NOT_RESTARTABLE
public static final java.lang.String weblogic.server.ServerStates.FAILED_MIGRATABLE
public static final java.lang.String[] weblogic.server.ServerStates.SERVERSTATES
*************************************
...


The output from this shows us that there are a large number of classes that offer services, in that they subclass AbstractServerService, but that not all of them are shown in the server life cycle output. The AbstractServerService class exposes getName(), getVersion(), start(), stop() and halt() methods, and we will see later that it is these methods that allow the Service Manager to control the state of the underlying services. The list of services run for a typical Oracle WebLogic Server instance, which can change with configuration, is below:



Phase/State: Primordial
    weblogic.server.ServiceActivator
    weblogic.t3.srvr.PreConfigBootService
    weblogic.management.provider.internal.BeanInfoAccessService
    weblogic.management.provider.PropertyService
    weblogic.management.internal.DomainDirectoryService
    weblogic.management.provider.MSIService
    weblogic.upgrade.domain.DomainUpgradeServerService
    weblogic.deploy.service.internal.DeploymentService
    weblogic.deploy.service.internal.adminserver.AdminDeploymentService
    weblogic.deploy.service.internal.targetserver.TargetDeploymentService
    weblogic.deploy.internal.targetserver.datamanagement.ConfigRecoveryService
    weblogic.management.provider.internal.RuntimeAccessDeploymentReceiverService
    weblogic.management.provider.internal.RuntimeAccessService
    weblogic.management.mbeanservers.runtime.internal.DiagnosticSupportService
    weblogic.t3.srvr.LicenseService
    weblogic.t3.srvr.BootService
    weblogic.management.provider.internal.WorkManagerService
    weblogic.management.provider.internal.DomainAccessService

State: STARTING

Phase/State: STARTING
    weblogic.diagnostics.lifecycle.DiagnosticFoundationService
    weblogic.nodemanager.NMService
    weblogic.timers.internal.TimerService
    weblogic.rjvm.RJVMService
    weblogic.protocol.ProtocolService
    weblogic.server.channels.ChannelService
    weblogic.socket.SocketMuxerServerService
    weblogic.server.channels.AdminPortService
    weblogic.t3.srvr.ListenerService
    weblogic.transaction.internal.PrimordialTransactionService
    weblogic.rmi.internal.RMIServerService
    weblogic.jndi.internal.NamingService
    weblogic.iiop.IIOPClientService
    weblogic.diagnostics.lifecycle.DiagnosticInstrumentationService
    weblogic.ldap.EmbeddedLDAP
    weblogic.security.SecurityService
    weblogic.jndi.internal.RemoteNamingService
    weblogic.security.acl.internal.RemoteSecurityService
    weblogic.rmi.cluster.RemoteBinderFactoryService
    weblogic.cluster.leasing.databaseless.DatabaseLessLeasingService
    weblogic.cluster.ClusterServiceActivator
    weblogic.cluster.leasing.databaseless.PrimordialClusterLeaderService
    weblogic.jndi.internal.ForeignJNDIManagerService
    weblogic.iiop.IIOPService
    weblogic.protocol.ProtocolHandlerService
    weblogic.xml.registry.XMLService
    weblogic.messaging.interception.MessageInterceptionService
    weblogic.cluster.migration.rmiservice.MigratableRMIService
    weblogic.management.provider.internal.EditAccessService
    weblogic.management.mbeanservers.compatibility.internal.CompatibilityMBeanServerService
    weblogic.health.HealthMonitorService
    weblogic.cluster.singleton.MigratableServerService
    weblogic.cluster.migration.MigrationService
    weblogic.t3.srvr.T3InitializationService
    weblogic.jms.dotnet.t3.server.CSharpInitializationService
    weblogic.server.channels.ChannelRuntimeService
    weblogic.transaction.internal.TransactionRecoveryFailBackService
    weblogic.transaction.internal.TransactionRecoveryNoOpService
    weblogic.store.admin.DefaultStoreService
    weblogic.transaction.internal.TransactionService
    weblogic.jdbc.common.internal.JDBCService
    weblogic.store.admin.StoreDeploymentService
    weblogic.management.extension.internal.CustomResourceServerService
    weblogic.ejb.container.deployer.EJB20ServiceActivator
    weblogic.connector.common.ConnectorServiceActivator
    weblogic.messaging.interception.configuration.Configurator
    weblogic.jms.JMSServiceActivator
    weblogic.application.ApplicationShutdownService
    weblogic.io.common.internal.FileService
    weblogic.time.server.TimerService
    weblogic.rmi.internal.HeartbeatHelperService
    weblogic.jms.BridgeService
    weblogic.jms.saf.SAFService
    weblogic.servlet.internal.WebService
    weblogic.webservice.conversation.internal.ConversationServiceImpl
    weblogic.wtc.gwt.WTCServerLifeCycleImpl
    weblogic.webservice.WSServerService
    weblogic.wsee.wstx.internal.WSATTransactionService
    weblogic.management.mbeanservers.runtime.internal.RuntimeServerService
    weblogic.management.mbeanservers.edit.internal.EditServerService
    weblogic.management.mbeanservers.domainruntime.internal.DomainRuntimeServerService
    weblogic.management.deploy.classdeployment.ClassDeploymentService
    weblogic.server.ServerLifeCycleService
    weblogic.server.channels.EnableAdminListenersService
    weblogic.management.provider.internal.ConfigImageSourceService
    weblogic.messaging.path.PathService
    weblogic.diagnostics.snmp.server.SNMPAgentDeploymentService
    weblogic.management.deploy.internal.DeploymentPreStandbyServerService

State: STANDBY

State: STARTING

Phase/State: START BEFORE ADMIN STATE
    weblogic.transaction.internal.TransactionRecoveryService
    weblogic.scheduler.JobSchedulerBindingService
    weblogic.server.AdminServerListenerService
    weblogic.messaging.saf.internal.SAFServerService
    weblogic.management.deploy.internal.DeploymentServerService
    weblogic.diagnostics.lifecycle.DiagnosticSystemService
    weblogic.transaction.internal.PostLoggingResourceService
    weblogic.management.deploy.classdeployment.StartupClassPrelistenService
    weblogic.management.internal.ConfigurationAuditorService
    weblogic.cluster.InboundService
    weblogic.t3.srvr.CoreHealthService
    weblogic.management.deploy.classdeployment.ShutdownClassDeploymentService
    weblogic.diagnostics.snmp.server.SNMPService
    weblogic.diagnostics.harvester.HarvesterService
    weblogic.console.internal.ConsoleMBeanService
    weblogic.management.j2ee.internal.InternalAppDataCacheService
    weblogic.management.provider.internal.ConfigBackupService
    weblogic.t3.srvr.EnableListenersIfAdminChannelAbsentService
    weblogic.management.mbeanservers.runtime.internal.RegisterWithDomainRuntimeServiceEarly
    weblogic.application.internal.BackgroundDeploymentService
    weblogic.cluster.singleton.PreAdminSingletonServicesService
    weblogic.cluster.leasing.databaseless.ClusterLeaderService

State: ADMIN

State: RESUMING

Phase/State: START AFTER ADMIN STATE
    weblogic.management.deploy.internal.DeploymentPostAdminServerService
    weblogic.scheduler.JobSchedulerService
    weblogic.cluster.replication.ReplicationService
    weblogic.cluster.singleton.SingletonServicesBatchManager
    weblogic.t3.srvr.EnableListenersService
    weblogic.management.mbeanservers.runtime.internal.RegisterWithDomainRuntimeServiceLate
    weblogic.cluster.OutboundService
    weblogic.rmi.internal.RMIShutdownService
    weblogic.transaction.internal.ClientInitiatedTxShutdownService
    weblogic.servlet.internal.WebAppShutdownService
    weblogic.rmi.internal.NonTxRMIShutdownService
    weblogic.deploy.service.internal.adminserver.HeartbeatService
    weblogic.application.internal.BackgroundDeploymentService$WaitForBackgroundCompletion
    weblogic.cache.management.CacheServerService
    weblogic.management.internal.OCMService
    weblogic.ejb.container.deployer.MDBServiceActivator
    weblogic.ejb.container.timer.EJBTimerStarterActivator
    weblogic.jms.JMSServicePostDeploymentImpl

State: RUNNING




Each one of these services starts at some phase of the startup of the server. This is necessary because services can be dependent upon one another and some may only be necessary to bootstrap other, later starting services. Similarly, the startup of the server has a number of phases that take place to allow its integration into the cluster and domain environment. Some services need to load in order to bootstrap the rest of the environment, so these are simply described as primordial. The SERVERSTATES string array exposed by AbstractServerService (declared in weblogic.server.ServerStates, as the reflection output above shows) is used to define the states the server instance passes through, and it is these that define what operations are in play by the service at any one time. The server mode and state changes are generally written to the server logs.

The server phases are as follows:



An instance can be in Shutdown mode (i.e. not started), Failed mode, Standby mode, Admin mode or Running mode, with a carefully coordinated set of transitions between each mode that leads to the Shutting Down, Starting, Suspending and Resuming transient pseudo modes. With each mode and transition different services that form part of the core functionality of the Oracle WebLogic Server are started and stopped.

Now that we understand something about the number and types of services and what defines them, we need to understand how they are started and controlled, and how this lets them provide the infrastructure on which the rest of the application server functionality is built. The key to this is the ServiceGraph definition of a service, which defines groupings of services to start at a particular phase in order to support particular functionality, together with the ServiceActivator and ServerServiceManager classes that perform the underlying control. To understand this further we need to look more closely at the classes and how they are loaded.

We mentioned that we are looking at a particular category of services designed to be loaded in a particular way and with a specific set of interrelationships, which we have alluded to above. If we “grep” the list of classes loaded by WLS we see particular groupings just after the main entry point of the application server, the weblogic.Server main() method in weblogic.jar, is called. The main function of weblogic.Server, beyond starting the background bootstrap processing, is to get the T3Srvr class, the core “backbone” of the application server, started. If we force a failure during startup just as the services are being started we can see the mechanism used here and where to focus.

Start a WLS instance and enter an incorrect user id and password such that the configuration can't be read.


This gives a stack trace in the output log that shows a little about the internal architecture and shows how the services are started.


<Jan 24, 2010 4:26:52 PM GMT> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with BEA JRockit(R) Version R27.6.2-20_o-108500-1.6.0_05-20090120-1115-linux-ia32 from BEA Systems, Inc.>
<Jan 24, 2010 4:26:55 PM GMT> <Info> <Security> <BEA-090065> <Getting boot identity from user.>
Enter username to boot WebLogic server:weblogic
Enter password to boot WebLogic server:
<Jan 24, 2010 4:27:07 PM GMT> <Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3.1.0 Thu Jun 11 00:26:56 EDT 2009 1227385 >
<Jan 24, 2010 4:27:07 PM GMT> <Critical> <WebLogicServer> <BEA-000362> <Server failed. Reason:
There are 1 nested errors:
weblogic.management.ManagementException: [Management:141247]The configuration directory /opt/Oracle/Middleware/wlserver_10.3/common/bin/config does not exist and the admin server is not available.
           at weblogic.management.provider.internal.RuntimeAccessImpl.parseNewStyleConfig(RuntimeAccessImpl.java:200)
           at weblogic.management.provider.internal.RuntimeAccessImpl.<init>(RuntimeAccessImpl.java:115)
           at weblogic.management.provider.internal.RuntimeAccessService.start(RuntimeAccessService.java:41)
           at weblogic.t3.srvr.ServerServicesManager.startService(ServerServicesManager.java:461)
           at weblogic.t3.srvr.ServerServicesManager.startInStandbyState(ServerServicesManager.java:166)
           at weblogic.t3.srvr.T3Srvr.initializeStandby(T3Srvr.java:749)
           at weblogic.t3.srvr.T3Srvr.startup(T3Srvr.java:488)
           at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:446)
           at weblogic.Server.main(Server.java:67)
>
<Jan 24, 2010 4:27:07 PM GMT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
<Jan 24, 2010 4:27:07 PM GMT> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
<Jan 24, 2010 4:27:07 PM GMT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>


So, the weblogic.Server main() method creates a T3Srvr class, which we can derive from other investigation is a singleton at the core of WLS, and calls its run() method. This new thread running the method in turn calls the startup() method, which takes WLS through its different states of startup; in the first phase this delegates to the initializeStandby() method to get the instance into the Standby state. It is here that we see the mechanism used to control our services. A ServerServicesManager class is created and its startInStandbyState() method is called. Here we see the RuntimeAccessService start() method called, which initializes the application server against its configuration, either locally or from information directed by the AdminServer.

If we return to our list of classes we can see some of this functionality in operation.

After the T3Srvr class loads we see some related classes being loaded.

[Loaded weblogic.t3.srvr.T3Srvr from file:/home/colin/Oracle/Middleware/wlserver_10.3/server/lib/weblogic.jar]
[Loaded weblogic.security.spi.Resource from file:/home/colin/Oracle/Middleware/modules/com.bea.core.common.security.api_1.0.0.0_5-2-0-0.jar]
[Loaded weblogic.server.ServerLifecycleException from file:/home/colin/Oracle/Middleware/wlserver_10.3/server/lib/weblogic.jar]
[Loaded weblogic.t3.srvr.T3SrvrConsole from file:/home/colin/Oracle/Middleware/wlserver_10.3/server/lib/weblogic.jar]
[Loaded weblogic.utils.ErrorCollectionException from file:/home/colin/Oracle/Middleware/modules/com.bea.core.utils_1.7.0.0.jar]
[Loaded weblogic.server.ServiceFailureException from file:/home/colin/Oracle/Middleware/modules/com.bea.core.weblogic.lifecycle_1.3.0.0.jar]
[Loaded weblogic.security.subject.SubjectStack from file:/home/colin/Oracle/Middleware/modules/com.bea.core.weblogic.security.identity_1.1.2.0.jar]
[Loaded weblogic.security.subject.SubjectManager from file:/home/colin/Oracle/Middleware/modules/com.bea.core.weblogic.security.identity_1.1.2.0.jar]
[Loaded weblogic.security.service.SubjectManagerImpl from file:/home/colin/Oracle/Middleware/modules/com.bea.core.weblogic.security.wls_1.0.0.0_5-2-0-0.jar]
[Loaded java.security.AccessControlException from /home/colin/Oracle/Middleware/jdk160_14_R27.6.5-32/jre/lib/rt.jar]
[Loaded weblogic.common.T3ServicesDef from file:/home/colin/Oracle/Middleware/wlserver_10.3/server/lib/weblogic.jar]


The T3Srvr handles the initialization of some security features and creates a T3SrvrConsole to wait for instructions, such as to shut down, and then a ServiceFailureException class is loaded from com.bea.core.weblogic.lifecycle_1.3.0.0.jar in the modules directory. This Jar file is one whose version has changed between 10.3 releases, as it has some involvement in service control. Then we see the T3ServicesDef class being loaded from weblogic.jar. If we look at the reflected class information we gathered earlier we can see that the T3Srvr class makes this class available for use by other classes via its public interface:

public weblogic.common.T3ServicesDef weblogic.t3.srvr.T3Srvr.getT3Services()



If we look at the T3ServicesDef class we can see that its public interface exposes particular categories of service types, i.e. via the NameServicesDef, LogServicesDef, TimeServicesDef, JdbcServicesDef, AdminServicesDef, and IOServicesDef classes.


*******************************************************
Class Name: weblogic.common.T3ServicesDef
Class loaded from: file:/home/colin/Oracle/MiddlewareJDev/wlserver_10.3/server/lib/weblogic.jar
Superclass:null
Interfaces:
***********
Methods:
*********
public abstract weblogic.common.NameServicesDef weblogic.common.T3ServicesDef.name()
public abstract weblogic.common.LogServicesDef weblogic.common.T3ServicesDef.log()
public abstract weblogic.time.common.TimeServicesDef weblogic.common.T3ServicesDef.time()
public abstract weblogic.jdbc.common.JdbcServicesDef weblogic.common.T3ServicesDef.jdbc()
public abstract weblogic.common.AdminServicesDef weblogic.common.T3ServicesDef.admin()
public abstract weblogic.io.common.IOServicesDef weblogic.common.T3ServicesDef.io()
Fields:
*******
public static final java.lang.String weblogic.common.T3ServicesDef.NAME


If we look at these classes we see more information, but immediately after them we also see the T3ServerServices class load, which refers to these. We can deduce that the T3ServerServices class, in addition to any other function, is a facade for the T3Srvr class to manage and expose these categories of services.


*******************************************************
Class Name: weblogic.common.AdminServicesDef
Class loaded from: file:/home/colin/Oracle/MiddlewareJDev/wlserver_10.3/server/lib/weblogic.jar
Superclass:null
Interfaces:
***********
Methods:
*********
public abstract void weblogic.common.AdminServicesDef.threadDump() throws java.lang.Exception
public abstract java.lang.String weblogic.common.AdminServicesDef.lockServer(java.lang.String) throws java.lang.Exception
public abstract java.lang.String weblogic.common.AdminServicesDef.unlockServer() throws java.lang.Exception
public abstract java.lang.String weblogic.common.AdminServicesDef.ping(byte[]) throws java.lang.Exception
public abstract java.lang.String weblogic.common.AdminServicesDef.shut(int) throws java.lang.Exception
public abstract java.lang.String weblogic.common.AdminServicesDef.shut() throws java.lang.Exception
public abstract java.lang.String weblogic.common.AdminServicesDef.shut(java.lang.String,int) throws java.lang.Exception
public abstract java.lang.String weblogic.common.AdminServicesDef.cancelShut() throws java.lang.Exception
public abstract java.lang.String weblogic.common.AdminServicesDef.licenses() throws java.lang.Exception
public abstract java.lang.String weblogic.common.AdminServicesDef.version() throws java.lang.Exception
public abstract void weblogic.common.AdminServicesDef.enableWatchDog(int) throws java.lang.Exception
public abstract void weblogic.common.AdminServicesDef.disableWatchDog() throws java.lang.Exception
Fields:
*******
*************************************
*******************************************************
Class Name: weblogic.jdbc.common.JdbcServicesDef
Class loaded from: file:/home/colin/Oracle/MiddlewareJDev/wlserver_10.3/server/lib/weblogic.jar
Superclass:null
Interfaces:
***********
Methods:
*********
public abstract void weblogic.jdbc.common.JdbcServicesDef.resetPool(java.lang.String) throws java.lang.Exception
public abstract void weblogic.jdbc.common.JdbcServicesDef.shrinkPool(java.lang.String) throws java.lang.Exception
Fields:
*******
*************************************
*******************************************************
Class Name: weblogic.time.common.TimeServicesDef
Class loaded from: file:/home/colin/Oracle/MiddlewareJDev/wlserver_10.3/server/lib/weblogic.jar
Superclass:null
Interfaces:
***********
Methods:
*********
public abstract long weblogic.time.common.TimeServicesDef.currentTimeMillis() throws weblogic.common.T3Exception
public abstract weblogic.time.common.ScheduledTriggerDef
weblogic.time.common.TimeServicesDef.getScheduledTrigger(weblogic.time.common.Schedulable,weblogic.time.common.Triggerable) throws
weblogic.time.common.TimeTriggerException
public abstract weblogic.time.common.ScheduledTriggerDef
weblogic.time.common.TimeServicesDef.getScheduledTrigger(weblogic.time.common.Scheduler,weblogic.time.common.Trigger) throws
weblogic.time.common.TimeTriggerException
public abstract int weblogic.time.common.TimeServicesDef.getRoundTripDelayMillis() throws weblogic.common.T3Exception
public abstract int weblogic.time.common.TimeServicesDef.getLocalClockOffsetMillis() throws weblogic.common.T3Exception
Fields:
*******
*************************************
*******************************************************
Class Name: weblogic.common.NameServicesDef
Class loaded from: file:/home/colin/Oracle/MiddlewareJDev/wlserver_10.3/server/lib/weblogic.jar
Superclass:null
Interfaces:
***********
Methods:
*********
public abstract javax.naming.Context weblogic.common.NameServicesDef.getInitialContext() throws javax.naming.NamingException
public abstract javax.naming.Context weblogic.common.NameServicesDef.getInitialContext(java.util.Hashtable) throws javax.naming.NamingException
public abstract void weblogic.common.NameServicesDef.private_setT3Client(weblogic.common.T3Client)
Fields:
*******
*************************************
*******************************************************
Class Name: weblogic.t3.srvr.T3ServerServices
Class loaded from: file:/home/colin/Oracle/MiddlewareJDev/wlserver_10.3/server/lib/weblogic.jar
Superclass:class java.lang.Object
Interfaces:
***********
Methods:
*********
public weblogic.common.NameServicesDef weblogic.t3.srvr.T3ServerServices.name()
public weblogic.common.LogServicesDef weblogic.t3.srvr.T3ServerServices.log()
public long weblogic.t3.srvr.T3ServerServices.currentTimeMillis() throws weblogic.common.T3Exception
public weblogic.time.common.TimeServicesDef weblogic.t3.srvr.T3ServerServices.time()
public weblogic.jdbc.common.JdbcServicesDef weblogic.t3.srvr.T3ServerServices.jdbc()
public void weblogic.t3.srvr.T3ServerServices.threadDump()
public java.lang.String weblogic.t3.srvr.T3ServerServices.lockServer(java.lang.String)
public java.lang.String weblogic.t3.srvr.T3ServerServices.unlockServer()
public weblogic.common.AdminServicesDef weblogic.t3.srvr.T3ServerServices.admin()
public weblogic.io.common.IOServicesDef weblogic.t3.srvr.T3ServerServices.io()
public javax.naming.Context weblogic.t3.srvr.T3ServerServices.getInitialContext() throws javax.naming.NamingException
public javax.naming.Context weblogic.t3.srvr.T3ServerServices.getInitialContext(java.util.Hashtable) throws javax.naming.NamingException
public void weblogic.t3.srvr.T3ServerServices.private_setT3Client(weblogic.common.T3Client)
public weblogic.time.common.ScheduledTriggerDef
weblogic.t3.srvr.T3ServerServices.getScheduledTrigger(weblogic.time.common.Schedulable,weblogic.time.common.Triggerable)
public weblogic.time.common.ScheduledTriggerDef
weblogic.t3.srvr.T3ServerServices.getScheduledTrigger(weblogic.time.common.Scheduler,weblogic.time.common.Trigger) throws
weblogic.time.common.TimeTriggerException
public int weblogic.t3.srvr.T3ServerServices.getRoundTripDelayMillis() throws weblogic.common.T3Exception
public int weblogic.t3.srvr.T3ServerServices.getLocalClockOffsetMillis() throws weblogic.common.T3Exception
public void weblogic.t3.srvr.T3ServerServices.resetPool(java.lang.String)
public void weblogic.t3.srvr.T3ServerServices.shrinkPool(java.lang.String)
public java.lang.String weblogic.t3.srvr.T3ServerServices.ping(byte[])
public java.lang.String weblogic.t3.srvr.T3ServerServices.shut(int) throws weblogic.server.ServerLifecycleException
public java.lang.String weblogic.t3.srvr.T3ServerServices.shut() throws weblogic.server.ServerLifecycleException
public java.lang.String weblogic.t3.srvr.T3ServerServices.shut(java.lang.String,int) throws weblogic.server.ServerLifecycleException
public java.lang.String weblogic.t3.srvr.T3ServerServices.cancelShut()
public java.lang.String weblogic.t3.srvr.T3ServerServices.licenses()
public java.lang.String weblogic.t3.srvr.T3ServerServices.version()
public void weblogic.t3.srvr.T3ServerServices.enableWatchDog(int)
public void weblogic.t3.srvr.T3ServerServices.disableWatchDog()
public final native void java.lang.Object.wait(long) throws java.lang.InterruptedException
public final void java.lang.Object.wait(long,int) throws java.lang.InterruptedException
public final void java.lang.Object.wait() throws java.lang.InterruptedException
public native int java.lang.Object.hashCode()
public final native java.lang.Class java.lang.Object.getClass()
public boolean java.lang.Object.equals(java.lang.Object)
public java.lang.String java.lang.Object.toString()
public final native void java.lang.Object.notify()
public final native void java.lang.Object.notifyAll()
Fields:
*******
public static final java.lang.String weblogic.common.T3ServicesDef.NAME
*************************************

If we return to what we learned from our stack dump, where the T3Srvr was starting the services, it used the ServerServicesManager class to start and stop the service we looked at. If we look at the reflected information for this class and for the classes loaded immediately before and after it, we can see how the services themselves are started via delegation.

*******************************************************
Class Name: weblogic.t3.srvr.ServerServices
Class loaded from: file:/home/colin/Oracle/MiddlewareJDev/wlserver_10.3/server/lib/weblogic.jar
Superclass:null
Interfaces:
***********
Methods:
*********
Fields:
*******
public static final java.lang.String weblogic.t3.srvr.ServerServices.STANDBY_STATE
public static final java.lang.String weblogic.t3.srvr.ServerServices.ADMIN_STATE
public static final weblogic.server.servicegraph.ServiceDependencies weblogic.t3.srvr.ServerServices.WLS_DEPENDENCIES
public static final java.lang.String[] weblogic.t3.srvr.ServerServices.SERVICE_CLASS_NAMES
public static final java.util.List weblogic.t3.srvr.ServerServices.services
public static final weblogic.server.servicegraph.Service[] weblogic.t3.srvr.ServerServices.serviceArray
public static final weblogic.server.servicegraph.Service[] weblogic.t3.srvr.ServerServices.ORDERED_SUBSYSTEM_LIST
*************************************
*******************************************************
Class Name: weblogic.t3.srvr.ServerServicesManager
Class loaded from: file:/home/colin/Oracle/MiddlewareJDev/wlserver_10.3/server/lib/weblogic.jar
Superclass:class java.lang.Object
Interfaces:
***********
Methods:
*********
public static int weblogic.t3.srvr.ServerServicesManager.getServicesCount()
public static void weblogic.t3.srvr.ServerServicesManager.addRunningStateListener(weblogic.server.RunningStateListener)
public static weblogic.t3.srvr.ServerServicesManager$StartupSnapshot weblogic.t3.srvr.ServerServicesManager.getStartupSnapshot()
public final native void java.lang.Object.wait(long) throws java.lang.InterruptedException
public final void java.lang.Object.wait(long,int) throws java.lang.InterruptedException
public final void java.lang.Object.wait() throws java.lang.InterruptedException
public native int java.lang.Object.hashCode()
public final native java.lang.Class java.lang.Object.getClass()
public boolean java.lang.Object.equals(java.lang.Object)
public java.lang.String java.lang.Object.toString()
public final native void java.lang.Object.notify()
public final native void java.lang.Object.notifyAll()
Fields:
*******
public static final java.lang.String weblogic.t3.srvr.ServerServices.STANDBY_STATE
public static final java.lang.String weblogic.t3.srvr.ServerServices.ADMIN_STATE
public static final weblogic.server.servicegraph.ServiceDependencies weblogic.t3.srvr.ServerServices.WLS_DEPENDENCIES
public static final java.lang.String[] weblogic.t3.srvr.ServerServices.SERVICE_CLASS_NAMES
public static final java.util.List weblogic.t3.srvr.ServerServices.services
public static final weblogic.server.servicegraph.Service[] weblogic.t3.srvr.ServerServices.serviceArray
public static final weblogic.server.servicegraph.Service[] weblogic.t3.srvr.ServerServices.ORDERED_SUBSYSTEM_LIST
*************************************
*******************************************************
Class Name: weblogic.server.ServerStates
Class loaded from: file:/home/colin/Oracle/MiddlewareJDev/modules/com.bea.core.weblogic.lifecycle_1.3.0.0.jar
Superclass:null
Interfaces:
***********
Methods:
*********
Fields:
*******
public static final int weblogic.server.ServerStates.SRVR_SHUTDOWN
public static final int weblogic.server.ServerStates.SRVR_STARTING
public static final int weblogic.server.ServerStates.SRVR_RUNNING
public static final int weblogic.server.ServerStates.SRVR_STANDBY
public static final int weblogic.server.ServerStates.SRVR_SUSPENDING
public static final int weblogic.server.ServerStates.SRVR_FORCE_SUSPENDING
public static final int weblogic.server.ServerStates.SRVR_RESUMING
public static final int weblogic.server.ServerStates.SRVR_SHUTTING_DOWN
public static final int weblogic.server.ServerStates.SRVR_FAILED
public static final int weblogic.server.ServerStates.SRVR_UNKNOWN
public static final int weblogic.server.ServerStates.SRVR_SHUTDOWN_PENDING
public static final int weblogic.server.ServerStates.SRVR_SHUTDOWN_IN_PROCESS
public static final int weblogic.server.ServerStates.SRVR_FAILED_RESTARTING
public static final int weblogic.server.ServerStates.SRVR_ACTIVATE_LATER
public static final int weblogic.server.ServerStates.SRVR_FAILED_NOT_RESTARTABLE
public static final int weblogic.server.ServerStates.SRVR_FAILED_MIGRATABLE
public static final int weblogic.server.ServerStates.SRVR_DISCOVERED
public static final int weblogic.server.ServerStates.SRVR_ADMIN
public static final int weblogic.server.ServerStates.SRVR_FORCE_SHUTTING_DOWN
public static final java.lang.String weblogic.server.ServerStates.SHUTDOWN
public static final java.lang.String weblogic.server.ServerStates.STARTING
public static final java.lang.String weblogic.server.ServerStates.RUNNING
public static final java.lang.String weblogic.server.ServerStates.STANDBY
public static final java.lang.String weblogic.server.ServerStates.ADMIN
public static final java.lang.String weblogic.server.ServerStates.SUSPENDING
public static final java.lang.String weblogic.server.ServerStates.FORCE_SUSPENDING
public static final java.lang.String weblogic.server.ServerStates.RESUMING
public static final java.lang.String weblogic.server.ServerStates.SHUTTING_DOWN
public static final java.lang.String weblogic.server.ServerStates.FORCE_SHUTTING_DOWN
public static final java.lang.String weblogic.server.ServerStates.FAILED
public static final java.lang.String weblogic.server.ServerStates.SHUTDOWN_PENDING
public static final java.lang.String weblogic.server.ServerStates.SHUTDOWN_IN_PROCESS
public static final java.lang.String weblogic.server.ServerStates.UNKNOWN
public static final java.lang.String weblogic.server.ServerStates.DISCOVERED
public static final java.lang.String weblogic.server.ServerStates.FAILED_RESTARTING
public static final java.lang.String weblogic.server.ServerStates.ACTIVATE_LATER
public static final java.lang.String weblogic.server.ServerStates.FAILED_NOT_RESTARTABLE
public static final java.lang.String weblogic.server.ServerStates.FAILED_MIGRATABLE
public static final java.lang.String[] weblogic.server.ServerStates.SERVERSTATES
*************************************
*******************************************************
Class Name: weblogic.server.ServerService
Class loaded from: file:/home/colin/Oracle/MiddlewareJDev/modules/com.bea.core.weblogic.lifecycle_1.3.0.0.jar
Superclass:null
Interfaces:
***********
Methods:
*********
public abstract java.lang.String weblogic.server.ServerService.getName()
public abstract void weblogic.server.ServerService.start() throws weblogic.server.ServiceFailureException
public abstract void weblogic.server.ServerService.stop() throws weblogic.server.ServiceFailureException
public abstract void weblogic.server.ServerService.halt() throws weblogic.server.ServiceFailureException
public abstract java.lang.String weblogic.server.ServerService.getVersion()
Fields:
*******
public static final java.lang.String weblogic.server.ServerService.EJB
public static final java.lang.String weblogic.server.ServerService.JMS
public static final java.lang.String weblogic.server.ServerService.CONNECTOR
public static final int weblogic.server.ServerStates.SRVR_SHUTDOWN
public static final int weblogic.server.ServerStates.SRVR_STARTING
public static final int weblogic.server.ServerStates.SRVR_RUNNING
public static final int weblogic.server.ServerStates.SRVR_STANDBY
public static final int weblogic.server.ServerStates.SRVR_SUSPENDING
public static final int weblogic.server.ServerStates.SRVR_FORCE_SUSPENDING
public static final int weblogic.server.ServerStates.SRVR_RESUMING
public static final int weblogic.server.ServerStates.SRVR_SHUTTING_DOWN
public static final int weblogic.server.ServerStates.SRVR_FAILED
public static final int weblogic.server.ServerStates.SRVR_UNKNOWN
public static final int weblogic.server.ServerStates.SRVR_SHUTDOWN_PENDING
public static final int weblogic.server.ServerStates.SRVR_SHUTDOWN_IN_PROCESS
public static final int weblogic.server.ServerStates.SRVR_FAILED_RESTARTING
public static final int weblogic.server.ServerStates.SRVR_ACTIVATE_LATER
public static final int weblogic.server.ServerStates.SRVR_FAILED_NOT_RESTARTABLE
public static final int weblogic.server.ServerStates.SRVR_FAILED_MIGRATABLE
public static final int weblogic.server.ServerStates.SRVR_DISCOVERED
public static final int weblogic.server.ServerStates.SRVR_ADMIN
public static final int weblogic.server.ServerStates.SRVR_FORCE_SHUTTING_DOWN
public static final java.lang.String weblogic.server.ServerStates.SHUTDOWN
public static final java.lang.String weblogic.server.ServerStates.STARTING
public static final java.lang.String weblogic.server.ServerStates.RUNNING
public static final java.lang.String weblogic.server.ServerStates.STANDBY
public static final java.lang.String weblogic.server.ServerStates.ADMIN
public static final java.lang.String weblogic.server.ServerStates.SUSPENDING
public static final java.lang.String weblogic.server.ServerStates.FORCE_SUSPENDING
public static final java.lang.String weblogic.server.ServerStates.RESUMING
public static final java.lang.String weblogic.server.ServerStates.SHUTTING_DOWN
public static final java.lang.String weblogic.server.ServerStates.FORCE_SHUTTING_DOWN
public static final java.lang.String weblogic.server.ServerStates.FAILED
public static final java.lang.String weblogic.server.ServerStates.SHUTDOWN_PENDING
public static final java.lang.String weblogic.server.ServerStates.SHUTDOWN_IN_PROCESS
public static final java.lang.String weblogic.server.ServerStates.UNKNOWN
public static final java.lang.String weblogic.server.ServerStates.DISCOVERED
public static final java.lang.String weblogic.server.ServerStates.FAILED_RESTARTING
public static final java.lang.String weblogic.server.ServerStates.ACTIVATE_LATER
public static final java.lang.String weblogic.server.ServerStates.FAILED_NOT_RESTARTABLE
public static final java.lang.String weblogic.server.ServerStates.FAILED_MIGRATABLE
public static final java.lang.String[] weblogic.server.ServerStates.SERVERSTATES
*************************************
*******************************************************
Class Name: weblogic.management.runtime.ServerStates
Class loaded from: file:/home/colin/Oracle/MiddlewareJDev/wlserver_10.3/server/lib/weblogic.jar
Superclass:null
Interfaces:
***********
Methods:
*********
Fields:
*******
public static final int weblogic.server.ServerStates.SRVR_SHUTDOWN
public static final int weblogic.server.ServerStates.SRVR_STARTING
public static final int weblogic.server.ServerStates.SRVR_RUNNING
public static final int weblogic.server.ServerStates.SRVR_STANDBY
public static final int weblogic.server.ServerStates.SRVR_SUSPENDING
public static final int weblogic.server.ServerStates.SRVR_FORCE_SUSPENDING
public static final int weblogic.server.ServerStates.SRVR_RESUMING
public static final int weblogic.server.ServerStates.SRVR_SHUTTING_DOWN
public static final int weblogic.server.ServerStates.SRVR_FAILED
public static final int weblogic.server.ServerStates.SRVR_UNKNOWN
public static final int weblogic.server.ServerStates.SRVR_SHUTDOWN_PENDING
public static final int weblogic.server.ServerStates.SRVR_SHUTDOWN_IN_PROCESS
public static final int weblogic.server.ServerStates.SRVR_FAILED_RESTARTING
public static final int weblogic.server.ServerStates.SRVR_ACTIVATE_LATER
public static final int weblogic.server.ServerStates.SRVR_FAILED_NOT_RESTARTABLE
public static final int weblogic.server.ServerStates.SRVR_FAILED_MIGRATABLE
public static final int weblogic.server.ServerStates.SRVR_DISCOVERED
public static final int weblogic.server.ServerStates.SRVR_ADMIN
public static final int weblogic.server.ServerStates.SRVR_FORCE_SHUTTING_DOWN
public static final java.lang.String weblogic.server.ServerStates.SHUTDOWN
public static final java.lang.String weblogic.server.ServerStates.STARTING
public static final java.lang.String weblogic.server.ServerStates.RUNNING
public static final java.lang.String weblogic.server.ServerStates.STANDBY
public static final java.lang.String weblogic.server.ServerStates.ADMIN
public static final java.lang.String weblogic.server.ServerStates.SUSPENDING
public static final java.lang.String weblogic.server.ServerStates.FORCE_SUSPENDING
public static final java.lang.String weblogic.server.ServerStates.RESUMING
public static final java.lang.String weblogic.server.ServerStates.SHUTTING_DOWN
public static final java.lang.String weblogic.server.ServerStates.FORCE_SHUTTING_DOWN
public static final java.lang.String weblogic.server.ServerStates.FAILED
public static final java.lang.String weblogic.server.ServerStates.SHUTDOWN_PENDING
public static final java.lang.String weblogic.server.ServerStates.SHUTDOWN_IN_PROCESS
public static final java.lang.String weblogic.server.ServerStates.UNKNOWN
public static final java.lang.String weblogic.server.ServerStates.DISCOVERED
public static final java.lang.String weblogic.server.ServerStates.FAILED_RESTARTING
public static final java.lang.String weblogic.server.ServerStates.ACTIVATE_LATER
public static final java.lang.String weblogic.server.ServerStates.FAILED_NOT_RESTARTABLE
public static final java.lang.String weblogic.server.ServerStates.FAILED_MIGRATABLE
public static final java.lang.String[] weblogic.server.ServerStates.SERVERSTATES
*************************************


This set of classes controls how the individual component services are grouped, started, stopped and managed with all of their dependencies, such as which services are dependent on others having been started. This is better explained with a class diagram, with the ServerServicesManager as the core.




The ServerServicesManager implements the ServerServices interface. The ServerServices interface has the ORDERED_SUBSYSTEM_LIST list of services which essentially contains the groupings of the services that are to be started that underpin the application server subsystems, and an enumeration of the dependencies that each needs to start. The ORDERED_SUBSYSTEM_LIST relates to the WLS_DEPENDENCIES which is a reference to the ServerServicesDependencies.

The ServerServicesDependencies contains sets of ServiceGroups, where each ServiceGroup relates to the services that underpin a particular subsystem, e.g. an EJBServiceGroup, a JMSServiceGroup, etc, and an internal CoreServiceGroup set of services that underpin everything else. The ServerServicesDependencies class is a subclass of the ServiceDependencies class that handles some of the ServiceGroup functionality but also some of the high level dependency management.

A ServiceGroup is composed of sets of services represented by the Service class, which maintains the list of dependencies, predecessors, and successors of each service, and it is this that controls the order of service startup. The Service class has a reference to a ServiceActivator class reference for the given service, and it is this that exposes the getName(), getVersion(), start(), stop(), and halt() methods used by the ServerServicesManager to start and stop each service.

The ServiceActivator class inherits the methods and the states from the AbstractServerService class, and the ServerService and ServerStates interfaces. This brings us back to the starting point for our investigation, since it is the AbstractServerService class that the services we investigated inherited from.
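To make the dependency handling described above concrete, here is an added illustration (not WebLogic's own code) of the Service / ServerService / ServerServicesManager relationship: services are started in predecessor order for a target state, and a start() failure drives the FAILED and FORCE_SHUTTING_DOWN transitions seen in the log excerpt, halting already-started services in reverse order. Only the lifecycle method names (getName, start, stop, halt) and state names mirror the reflected WLS interfaces; RecordingService, dependsOn(), startInState() and the sample graph are assumptions made for the example.

```java
import java.util.*;

// Simplified model of dependency-ordered service startup (example code, not WLS internals).
public class ServiceStartupModel {

    /** Raised by a service that cannot start, like the configuration failure in the log above. */
    static class ServiceFailureException extends Exception {
        ServiceFailureException(String msg) { super(msg); }
    }

    /** Lifecycle contract mirroring weblogic.server.ServerService. */
    interface ServerService {
        String getName();
        void start() throws ServiceFailureException;
        void stop() throws ServiceFailureException;
        void halt() throws ServiceFailureException;
    }

    /** Graph node: an activator, the server state it belongs to, and its predecessors. */
    static class Service {
        final ServerService activator;
        final String startState;                       // "STANDBY", "ADMIN" or "RUNNING"
        final List<Service> predecessors = new ArrayList<>();
        Service(ServerService activator, String startState) {
            this.activator = activator;
            this.startState = startState;
        }
        Service dependsOn(Service... preds) { predecessors.addAll(Arrays.asList(preds)); return this; }
    }

    /** Starts a state's services in dependency order; on failure halts them in reverse order. */
    static class ServerServicesManager {
        private final Deque<Service> started = new ArrayDeque<>();   // most recently started first
        private final List<String> stateLog = new ArrayList<>();
        private String state = "SHUTDOWN";

        String getState() { return state; }
        List<String> getStateLog() { return stateLog; }

        private void setState(String s) { state = s; stateLog.add("Server state changed to " + s); }

        /** Returns true if every service for targetState (and its predecessors) started. */
        boolean startInState(List<Service> graph, String targetState) {
            try {
                for (Service s : graph) {
                    if (s.startState.equals(targetState)) startWithPredecessors(s, new HashSet<>());
                }
                setState(targetState);
                return true;
            } catch (ServiceFailureException e) {
                setState("FAILED");           // "A critical service failed. The server will shut itself down"
                forceShutdown();
                return false;
            }
        }

        private void startWithPredecessors(Service s, Set<Service> visiting) throws ServiceFailureException {
            if (started.contains(s)) return;                       // already up (possibly in an earlier state)
            if (!visiting.add(s)) throw new IllegalStateException("dependency cycle at " + s.activator.getName());
            for (Service p : s.predecessors) startWithPredecessors(p, visiting);
            s.activator.start();
            started.push(s);
        }

        private void forceShutdown() {
            setState("FORCE_SHUTTING_DOWN");
            while (!started.isEmpty()) {
                Service s = started.pop();                         // reverse of start order
                try { s.activator.halt(); } catch (ServiceFailureException ignored) { }
            }
            setState("SHUTDOWN");
        }
    }

    /** Test double that records lifecycle calls and can be told to fail on start(). */
    static class RecordingService implements ServerService {
        final String name; final boolean failOnStart; final List<String> events;
        RecordingService(String name, boolean failOnStart, List<String> events) {
            this.name = name; this.failOnStart = failOnStart; this.events = events;
        }
        public String getName() { return name; }
        public void start() throws ServiceFailureException {
            if (failOnStart) throw new ServiceFailureException(name + ": configuration directory does not exist");
            events.add("start " + name);
        }
        public void stop() { events.add("stop " + name); }
        public void halt() { events.add("halt " + name); }
    }

    public static void main(String[] args) {
        List<String> events = new ArrayList<>();
        // Constructed sample graph, deliberately listed out of dependency order.
        Service core = new Service(new RecordingService("CoreService", false, events), "STANDBY");
        Service runtime = new Service(new RecordingService("RuntimeAccessService", true, events), "STANDBY").dependsOn(core);
        Service jms = new Service(new RecordingService("JMSService", false, events), "ADMIN").dependsOn(runtime);
        List<Service> graph = Arrays.asList(jms, runtime, core);

        ServerServicesManager mgr = new ServerServicesManager();
        boolean ok = mgr.startInState(graph, "STANDBY");
        System.out.println("STANDBY reached: " + ok + ", final state: " + mgr.getState());
        events.forEach(System.out::println);            // start CoreService, then halt CoreService
        mgr.getStateLog().forEach(System.out::println); // FAILED, FORCE_SHUTTING_DOWN, SHUTDOWN
    }
}
```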

Whilst the startup mechanism above is complex, it allows configurations where subsystems can be removed and services stopped where they aren't needed as all of the different dependencies are represented. The control for these configurations is handled by another Jar file in the modules directory that we will cover in a future post.

In other future posts we will look in more detail at what some of the core services do, and also at the flow through key containers, such as the web container, and how the services are used to provide the JavaEE functionality.

Monday 30 August 2010

iPlanet / Sun One Web Server Fun with Security

I've always been a fan of the Apache HTTP Server derived web servers. The reason is simple – as they are open source at the core, they have been extended and built upon to provide the ultimate in flexibility. High-end vendors, such as Oracle, then build and license enterprise-level functionality (such as for security and management) and ship their derivative with enterprise-level products. This is the case with the Oracle HTTP Server (OHS) web tier packaging for the Oracle WebLogic Server middleware and the related products that build upon it.

Take security, for instance, where the Apache HTTP Server and its derivatives have the benefit of openssl support supplemented with the modsecurity plugin. This latter plugin offers an engine that implements a large number of security rules, defined in terms of extended regular expressions, that are applied against every request to reject or transform the input or output. The plugin turns the web server into a web application firewall that sits in the flow of each request to whatever sits behind it, whether that is a static page, a CGI application written in Perl, or a Java-based web application server.

The modsecurity plugin is one of the major differentiators between the different web server solutions, and it purely targets the Apache derived web servers. The rules are set up in a hierarchy from basic through to extended rules for different security problems, with a basic core set recommended for use everywhere. Processing all of the rules is expensive, which is why the modsecurity plugin sits in the normal request flow for the web server and is highly optimised.

However, what if you have been using the Sun One / NetScape / iPlanet web server family? This family of web servers is extensible but with a different API set (Netscape NSAPI), so the Apache derived extensions can't be used. Whilst NSAPI extensions have long been produced for many uses, and often perform better than the equivalent function on the Apache web server family, the same breadth of functionality just isn't there. Before the Oracle purchase of Sun this weakness had been recognised, and a multipronged attack on the key problem areas was undertaken. A direct port of the modsecurity engine to the Sun One / iPlanet web server was started, and an unsupported implementation with near complete functionality ships in the version 7 codebase, but not all keywords required for the rules are available in this release and it remains unsupported for production use. A simpler but fully supported solution is the sed filter, which is also provided with the version 7 product, but as a separate NSAPI plugin implementing the sed_request and sed_response server application functions (SAFs), which could theoretically be lifted out and run against earlier versions of the web server.

So, how does the sed filter help? Well, although the functionality is less than that of the full modsecurity engine and performance is more limited, because it implements the Unix stream editor (sed) substitutions over simple basic regular expressions it is possible to port some of the key modsecurity rules. The approach is a simple one:

  1. Choose the key modsecurity rules that are to be implemented, e.g. SQL injection, cross-site scripting, etc.

  2. Open the rule set for each and copy out the extended regular expression

  3. Translate the extended regular expression to a standard basic regular expression, including replacing the found string with nothing

  4. Import the new sed rule into the obj.conf for the web server instance

This is best explained with a simple example.

First download the modsecurity source code from http://www.modsecurity.org and unpack the tarball. In the resulting directory tree go to the rules/base_rules subdirectory and open the modsecurity_crs_41_sql_injection_attacks.conf file. A number of security rules are defined in this file, and a simple examination of each shows the format: the SecRule keyword, then the phase and a description, and some type information. Note that many of the security rules can be applied unchanged by the unsupported Sun One / iPlanet modsecurity engine, which will be a full implementation in a future release. After the type information comes the extended regular expression that defines when the rule is to be applied. For example, consider one SQL injection rule:

SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\buser_tab_columns\b" \
"phase:2,rev:'2.0.5',capture,t:none,ctl:auditLogParts=+E,pass,nolog,auditlog,msg:'Blind SQL Injection Attack',id:'959536',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"


In this rule the extended regular expression saying when the rule applies is "\buser_tab_columns\b", which tells the rules engine to look for the phrase "user_tab_columns" (as a whole word) in the input stream.

We want to replace this with nothing, so a sample sed rule for it would be:

sed="s/\buser_tab_columns\b//g"

This says to replace all occurrences found in the stream with nothing.
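To automate the four steps above for a whole rule file, here is an added Python script (not from the post, and not the author's own tooling) that pulls the operator regex out of SecRule lines, rewrites it as an obj.conf sed= deletion, and then emulates what the filter does to a constructed request body, using Python's re module rather than the real sed engine. The sample rule lines, the second rule's id, and the mapping of \b to the \< and \> word-boundary forms are assumptions.

```python
import re

# Constructed sample in the CRS SecRule format quoted above; the second rule
# and its id are made up for illustration and are not from the real ruleset.
SAMPLE_RULES = r'''
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\buser_tab_columns\b" \
    "phase:2,rev:'2.0.5',capture,t:none,pass,nolog,msg:'Blind SQL Injection Attack',id:'959536'"
SecRule ARGS "\bselect\b.{0,40}\bascii\b" \
    "phase:2,pass,nolog,msg:'Blind SQL Injection Attack',id:'CONSTRUCTED-1'"
'''

# A SecRule line: the keyword, the variable list, then the quoted operator regex.
SECRULE = re.compile(r'^SecRule\s+\S+\s+"([^"]*)"', re.M)


def extract_patterns(conf_text):
    # Step 2: copy out the regular expression of every SecRule in the file text.
    return SECRULE.findall(conf_text)


def to_sed_rule(pattern):
    # Step 3: rewrite the pattern as an obj.conf sed= line that deletes the match.
    # Assumed mapping (not from the post): a \b before a word becomes \< and a \b
    # after a word becomes \>, the word-boundary forms GNU sed understands; a
    # literal '/' is escaped so it cannot terminate the s/// command early.
    # Whether obj.conf needs the backslashes doubled depends on its parameter quoting.
    bre = re.sub(r'\\b(?=\w)', r'\\<', pattern)
    bre = re.sub(r'(?<=\w)\\b', r'\\>', bre)
    bre = bre.replace('/', r'\/')
    return 'sed="s/%s//g"' % bre


def apply_rules(patterns, body):
    # Emulate sed-request: strip every match of every pattern from the body.
    # Like the sed rules, matching is case-sensitive, which is why the post lists
    # %3c and %3C separately; an upper-case SELECT would pass this rule untouched.
    for pattern in patterns:
        body = re.sub(pattern, '', body)
    return body


if __name__ == '__main__':
    rules = extract_patterns(SAMPLE_RULES)
    for rule in rules:
        print(to_sed_rule(rule))  # step 4: paste these lines into obj.conf
    # Constructed request body carrying a blind SQL injection probe.
    print(apply_rules(rules, 'q=select ascii(substr(user_tab_columns.column_name,1,1)) from dual'))
```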

Taking this to its extreme, which will not result in the fastest processing but will protect against cross-site scripting and SQL injection POST attacks on a back end Oracle environment, we end up with a complex segment of an obj.conf for Oracle iPlanet Web Server 7.09:

Input fn="insert-filter"
method="POST"
filter="sed-request"
sed="s/
sed="s/%3c/\\</g"
sed="s/%3C/\\</g"
sed="s/>/\\>/g"
sed="s/%3e/\\>/g"
sed="s/%3E/\\>/g"
sed="s/\bsrc\b[^a-zA-Z_0-9]*?\bshell://g"
sed="s/\bhref\b[^a-zA-Z_0-9]*?\bshell://g"
sed="s/\x2Eexecscript\b//g"
sed="s/
sed="s/\burl\b[^a-zA-Z_0-9]*?\bvbscript://g"
sed="s/\blivescript://g"
sed="s/\bsettimeout\b[^a-zA-Z_0-9]*?//g"
sed="s/\x3C ?iframe//g"
sed="s/\bsrc\b[^a-zA-Z_0-9]*?\bjavascript://g"
sed="s/
sed="s/\bsrc\b[^a-zA-Z_0-9]*?\bvbscript://g"
sed="s/\btype\b[^a-zA-Z_0-9]*?\btext\b[^a-zA-Z_0-9]*?\becmascript\b//g"
sed="s/\x2Ecookie\b//g"
sed="s/\x3C\x21\x5Bcdata\x5B//g"
sed="s/\x2Eaddimport\b//g"
sed="s/\bhref\b[^a-zA-Z_0-9]*?\bjavascript://g"
sed="s/\btype\b[^a-zA-Z_0-9]*?\btext\b[^a-zA-Z_0-9]*?\bjscript\b//g"
sed="s/\balert\b[^a-zA-Z_0-9]*?\x28//g"
sed="s/\btype\b[^a-zA-Z_0-9]*?\bapplication\b[^a-zA-Z_0-9]*?\bx-vbscript\b//g"
sed="s/\x3C ?meta\b//g"
sed="s/\bsrc\b[^a-zA-Z_0-9]*?\bhttp://g"
sed="s/\btype\b[^a-zA-Z_0-9]*?\btext\b[^a-zA-Z_0-9]*?\bvbscript\b//g"
sed="s/\blowsrc\b[^a-zA-Z_0-9]*?\bshell://g"
sed="s/\bhref\b[^a-zA-Z_0-9]*?\bvbscript://g"
sed="s/\burl\b[^a-zA-Z_0-9]*?\bjavascript://g"
sed="s/\x2Einnerhtml\b//g"
sed="s/\x40import\b//g"
sed="s/\x3C ?script\b//g"
sed="s/\biframe\b.{0,100}?\bsrc\b//g"
sed="s/
sed="s/\burl\b[^a-zA-Z_0-9]*?\bshell://g"
sed="s/\btype\b[^a-zA-Z_0-9]*?\btext\b[^a-zA-Z_0-9]*?\bjavascript\b//g"
sed="s/\x2Efromcharcode\b//g"
sed="s/\bsrc\b[^a-zA-Z_0-9]*?\bshell://g"
sed="s/\bhref\b[^a-zA-Z_0-9]*?\bshell://g"
sed="s/\x2Eexecscript\b//g"
sed="s/
sed="s/\burl\b[^a-zA-Z_0-9]*?\bvbscript://g"
sed="s/\bsettimeout\b[^a-zA-Z_0-9]*?\x28//g"
sed="s/\x3C ?iframe//g"
sed="s/\bsrc\b[^a-zA-Z_0-9]*?\bjavascript://g"
sed="s/
sed="s/\bsrc\b[^a-zA-Z_0-9]*?\bvbscript://g"
sed="s/\btype\b[^a-zA-Z_0-9]*?\btext\b[^a-zA-Z_0-9]*?\becmascript\b//g"
sed="s/\x2Ecookie\b//g"
sed="s/\x3C\x21\x5Bcdata\x5B//g"
sed="s/\btype\b[^a-zA-Z_0-9]*?\bapplication\b[^a-zA-Z_0-9]*?\bx-javascript\b//g"
sed="s/\x2Eaddimport\b//g"
sed="s/\bhref\b[^a-zA-Z_0-9]*?\bjavascript://g"
sed="s/\btype\b[^a-zA-Z_0-9]*?\btext\b[^a-zA-Z_0-9]*?\bjscript\b//g"
sed="s/\btype\b[^a-zA-Z_0-9]*?\bapplication\b[^a-zA-Z_0-9]*?\bx-vbscript\b//g"
sed="s/\x3C ?meta\b//g"
sed="s/\bsrc\b[^a-zA-Z_0-9]*?\bhttp://g"
sed="s/\btype\b[^a-zA-Z_0-9]*?\btext\b[^a-zA-Z_0-9]*?\bvbscript\b//g"
sed="s/\bhref\b[^a-zA-Z_0-9]*?\bvbscript://g"
sed="s/\burl\b[^a-zA-Z_0-9]*?\bjavascript://g"
sed="s/\x2Einnerhtml\b//g"
sed="s/\x3C ?script\b//g"
sed="s/\biframe\b.{0,100}?\bsrc\b//g"
sed="s/
sed="s/\burl\b[^a-zA-Z_0-9]*?\bshell://g"
sed="s/\btype\b[^a-zA-Z_0-9]*?\btext\b[^a-zA-Z_0-9]*?\bjavascript\b//g"
sed="s/<(a|abbr|acronym|address|applet|area|audioscope|b|base|basefront|bdo|bgsound|big|blackface|blink|blockquote|body|bq|br|button|caption|center|cite|code|col|colgroup|comment|dd|del|dfn|dir|div|dl|dt|em|embed|fieldset|fn|font|form|frame|frameset|h1|head|hr|html|i|iframe|ilayer|img|input|ins|isindex|kdb|keygen|label|layer|legend|li|limittext|link|listing|map|marquee|menu|meta|multicol|nobr|noembed|noframes|noscript|nosmartquotes|object|ol|optgroup|option|p|param|plaintext|pre|q|rt|ruby|s|samp|script|select|server|shadow|sidebar|small|spacer|span|strike|strong|style|sub|sup|table|tbody|td|textarea|tfoot|th|thead|title|tr|tt|u|ul|var|wbr|xml|xmp)[^a-zA-Z_0-9]//g"
sed="s/(asfunction|javascript|vbscript|data|mocha|livescript)://g"
sed="s/(fromcharcode|alert|eval)\x73*\x28//g"
sed="s///g"
sed="s/[/'\"<]xss[/'\">]//g"
sed="s/(88,83,83)//g"
sed="s/'';!--\"=&{()}//g"
sed="s/&{//g"
sed="s/
sed="s/(?i:.*?((@[i\\\\])|(([:=]|(&[#\x28\x29=]x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\]|(&[#()=]x?0*((40)|(28)|(92)|(5C));?)))))//g"
sed="s/(?i:[ /+\t\"\'`]style[ /+\t]*?=.*?([:=]|(&[#()=]x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\\\]|(&[#()=]x?0*((40)|(28)|(92)|(5C));?)))//g"
sed="s/(?i:
)//g"
sed="s/(?i:[ /+\t\"\'`]datasrc[ +\t]*?=.)//g"
sed="s/(?i:
sed="s/(?i:
sed="s/(?i:
sed="s/(?i:
sed="s/(?i:
sed="s/(?i:[ /+\t\"\'`]on\x63\x63\x63+?[ +\t]*?=.)//g"
sed="s/(?i:<[i]?frame.*?[ /+\t]*?src[ /+\t]*=)//g"
sed="s/(?i:])//g"
sed="s/(?i:)//g"
sed="s/(?i:
sed="s/(?i:)//g"
sed="s/(?i:[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).*?(((l|(\\\\u006C))(o|(\\\\u006F))(c|(\\\\u0063))(a|(\\\\u0061))(t|(\\\\u0074))(i|(\\\\u0069))(o|(\\\\u006F))(n|(\\\\u006E)))|((n|(\\\\u006E))(a|(\\\\u0061))(m|(\\\\u006D))(e|(\\\\u0065)))).*?=)//g"
sed="s/(?i:[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?(([.].+?)|([\x5B].*?[\x5D].*?))=)//g"
sed="s/\bsys\x2Euser_catalog\b//g"
sed="s/\bconstraint_type\b//g"
sed="s/\bsys\x2Euser_tables\b//g"
sed="s/\bmsysqueries\b//g"
sed="s/\bmsysaces\b//g"
sed="s/\x40\x40spid\b//g"
sed="s/\bcharindex\b//g"
sed="s/\bsys\x2Eall_tables\b//g"
sed="s/\bsys\x2Euser_constraints\b//g"
sed="s/\bselect\b.{0,40}buser\b//g"
sed="s/\bwaitfor\b[^a-zA-Z_0-9]*?\bdelay\b//g"
sed="s/\bselect\b.{0,40}\bsubstring\b//g"
sed="s/\bsys\x2Euser_triggers\b//g"
sed="s/\blocate[^a-zA-Z_0-9]+\x28//g"
sed="s/\bsys\x2Euser_tab_columns\b//g"
sed="s/\battnotnull\b//g"
sed="s/\bsys\x28tab\b//g"
sed="s/\bselect\b.{0,40}\bascii\b//g"
sed="s/\bsys\x2Euser_views\b//g"
sed="s/\binstr[^a-zA-Z_0-9]+\x28//g"
sed="s/\bsys\x2Euser_objects\b//g"
sed="s/\buser_tables\b//g"
sed="s/\buser_tab_columns\b//g"
sed="s/\ball_objects\b//g"
sed="s/\bpg_class\b//g"
sed="s/\bsyscat\b//g"
sed="s/\bsubstr\b//g"
sed="s/\bsysdba\b//g"
sed="s/\btextpos[^a-zA-Z_0-9]+\x28//g"
sed="s/\battrelid\b//g"
sed="s/\bpg_attribute\b//g"
sed="s/\buser_password\b//g"
sed="s/\buser_users\b//g"
sed="s/\buser_constraints\b//g"
sed="s/\bxtype[^a-zA-Z_0-9]+\bchar\b//g"
sed="s/\bcolumn_name\b//g"
sed="s/\bsubstring\b//g"
sed="s/\bobject_type\b//g"
sed="s/\bobject_id\b//g"
sed="s/\buser_ind_columns\b//g"
sed="s/\bcolumn_id\b//g"
sed="s/\bmb_users\b//g"
sed="s/\btable_name\b//g"
sed="s/\bobject_name\b//g"
sed="s/\brownum\b//g"
sed="s/\batttypid\b//g"
sed="s/\buser_group\b//g"
sed="s/\butl_http\b//g"
sed="s/\bselect\b.*?\bto_number\b//g"
sed="s/\btbcreator\b//g"
sed="s/\bgroup\b.*\bbyb.{1,100}?\bhaving\b//g"
sed="s/\bselect\b.*?\bdata_type\b//g"
sed="s/\bisnull\b[^a-zA-Z_0-9]*?\x28//g"
sed="s/\bopenrowset\b//g"
sed="s/\bunion\b.{1,100}?\bselect\b//g"
sed="s/\binsert\b[^a-zA-Z_0-9]*?\binto\b//g"
sed="s/\bselect\b.{1,100}?\bcount\b.{1,100}?\bfrom\b//g"
sed="s/\x3B[^a-zA-Z_0-9]*?\bdrop\b//g"
sed="s/\bloadb[^a-zA-Z_0-9]*?\bdata\b.*\binfile\b//g"
sed="s/\bselect\b.*?\bto_char\b//g"
sed="s/\bdbms_java\b//g"
sed="s/\bnvarchar\b//g"
sed="s/\butl_file\b//g"
sed="s/\binner\b[^a-zA-Z_0-9]*?\bjoin\b//g"
sed="s/\bprint\b[^a-zA-Z_0-9]*?\x40\x40//g"
sed="s/\bselect\b.{1,100}?\bfrom\b.{1,100}?\bwhere\b//g"
sed="s/\bvarchar\b//g"
sed="s/\bintob[^a-zA-Z_0-9]*?\bdumpfile\b//g"
sed="s/\bifb[^a-zA-Z_0-9]*?\x28[^a-zA-Z_0-9]*?\bbenchmark[^a-zA-Z_0-9]*?\x28//g"
sed="s/\bopenquery\b//g"
sed="s/\bselect\b.{1,100}?\blength\b.{1,100}?\bfrom\b//g"
sed="s/\bcastb[^a-zA-Z_0-9]*?\x28//g"
sed="s/\bdelete\b[^a-zA-Z_0-9]*?\bfrom\b//g"
sed="s/\bsql_longvarchar\b//g"
sed="s/\bselect\b.*?\bdump\b.*\bfrom\b//g"
sed="s/\'sa\'//g"
sed="s/\bifnull\b[^a-zA-Z_0-9]*?\x28//g"
sed="s/\bintob[^a-zA-Z_0-9]*?\boutfile\b//g"
sed="s/\bsql_variant\b//g"
sed="s/\x3B[^a-zA-Z_0-9]*?\bshutdown\b//g"
sed="s/\bselect\b.*?\binstr\b//g"
sed="s/\bautonomous_transaction\b//g"
sed="s/\bdba_users\b//g"
sed="s/\bselect\b.{1,100}?\btop\b.{1,100}?\bfrom\b//g"
sed="s/\b(?:coalesce\b|root\x40)//g"
sed="s/\b(?:(?:rel(?:(?:nam|typ)e|kind)|to_(?:numbe|cha)r|d(?:elete|rop)|group\b[^a-zA-Z_0-9]*\bby|insert|where)\b|s(?:(?:ubstr(?:ing)?|leep)[^a-zA-Z_0-9]+\x28|(?:hutdown|elect)\b)|(?:b(?:enchmark|in)|find_in_set|position|mid)[^a-zA-Z_0-9]+\x28|c(?:o(?:n(?:cat[^a-zA-Z_0-9]+\x28|vert\b)|unt\b)|ha?r\b)|u(?:n(?:hex[^a-zA-Z_0-9]+\x28|ion\b)|pdate\b)|l(?:o(?:cate|wer)[^a-zA-Z_0-9]+\x28|ength\b)|a(?:ttn(?:ame|um)\b|scii[^a-zA-Z_0-9]+\x28)|h(?:aving\b|ex[^a-zA-Z_0-9]+\x28))//g"
sed="s/(?:[\\\x28\x29\x25#]|--)//g"
sed="s/\b(?:benchmark|encode)\b//g"
sed="s/(?:[\\\x28\x29\x25#]|--)//g"

This gives maximum protection at the cost of performance, but with more web servers taking the strain the impact should be controllable. Note that most of the effort in producing this went into identifying which rules are relevant to a given environment and then automating the porting of extended regular expression syntax elements to basic regular expression equivalents – which is sometimes so complex that alternatives are easier to produce from the ground up.

So, you now have a complex web application firewall for Sun One / Oracle iPlanet Web Server 7 that you can implement now whilst awaiting the greatly improved native modsecurity support, which is to be fully implemented and supported in a future release. I can't guarantee this solution will meet your needs, but I can say it gives a good starting point that offers great latitude for tuning through rule deletion to meet specific security needs.