Fight the POODLE in JBoss 4 and 5, JON 3 and more

The POODLE bug (CVE-2014-3566) affects nearly everything and everybody is trying to secure all of their systems. That includes your JBoss servers. Securing your JBoss 4 or 5 has one pitfall, which I am going to explain in this post. Apart from that it’s easy.

I stumbled on this issue when securing the web interface of a customer’s JON server. (Important note: the following snippet will not work around POODLE for communication from JON server to JON agent!) JON is configured to use TLS by default, so POODLE protection should be in place out of the box.

Yeah, well… let’s verify that:

echo "" | openssl s_client -ssl3 -connect your.server.dns.or.ip:7443

Surprise, surprise: even with TLS configured, an SSL session using SSLv3 was established successfully!

SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: XXX
    Session-ID-ctx:
    Master-Key: XXX
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1413471616
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)

The cause is that the Tomcat configuration does not behave as I would expect. The following configuration does NOT do the trick (server.xml of the deployed Tomcat):

<!-- Does NOT work! -->
<Connector port="7443"
    address="0.0.0.0"
    protocol="HTTP/1.1"
    scheme="https"
    ...
    secure="true"
    SSLEnabled="true"
    sslProtocol="TLS"
    ... >
<!-- Does NOT work! -->

The Red Hat guys actually posted the solution, but it’s easy to miss the important point. The following configuration bans your evil poodle:

<Connector port="7443"
    address="0.0.0.0"
    protocol="HTTP/1.1"
    scheme="https"
    ...
    secure="true"
    SSLEnabled="true"
    sslProtocols="TLSv1,TLSv1.1,TLSv1.2"
    ... >

OK, there is one obvious (and also important!) difference and one subtle one. The obvious one is that the value is "TLSv1,TLSv1.1,TLSv1.2" and not "TLS". By the way, TLSv1.2 is only available from JDK 1.7 on.

But there is also the subtle difference of a single “s”, which is very important, because without it it does NOT work. To make it clear: it will only work with "sslProtocols" and will NOT work with "sslProtocol".

That is confusing to me, because I have never seen that option documented, while the documented option seems to have no effect at all. So I suspect there is a typo in either the code or the documentation.
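Because the pitfall is a single letter in an attribute name, it is worth checking server.xml mechanically rather than by eye. The following script is an added example, not part of the original post or of JBoss: it walks every SSL-enabled Connector and flags the two states described above (only the ignored singular "sslProtocol", or an "sslProtocols" list that is not restricted to explicit TLS versions). The sample XML fragments are constructed for the example; the "..." attributes from the post are simply left out.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragments modelled on the two connectors
# in the post; the elided "..." attributes are omitted.
BROKEN_XML = """<Server><Service>
<Connector port="7443" address="0.0.0.0" protocol="HTTP/1.1" scheme="https"
           secure="true" SSLEnabled="true" sslProtocol="TLS"/>
</Service></Server>"""

FIXED_XML = """<Server><Service>
<Connector port="7443" address="0.0.0.0" protocol="HTTP/1.1" scheme="https"
           secure="true" SSLEnabled="true" sslProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
</Service></Server>"""


def check_connectors(server_xml):
    """Return a list of (port, finding) tuples, one per SSL-enabled Connector
    whose protocol configuration does not explicitly pin TLS versions."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, not relevant to POODLE
        port = conn.get("port", "?")
        plural = conn.get("sslProtocols")    # the attribute that actually works
        singular = conn.get("sslProtocol")   # documented, but has no effect here
        if plural is None:
            if singular is not None:
                msg = ("sslProtocol=%r is ignored; set sslProtocols with explicit "
                       "TLS versions instead" % singular)
            else:
                msg = "no sslProtocols attribute; SSLv3 stays enabled"
            findings.append((port, msg))
            continue
        enabled = [p.strip() for p in plural.split(",") if p.strip()]
        # Anything that is not an explicit "TLSv1.x" entry (e.g. "SSLv3" or a
        # bare "TLS") is reported; only versioned TLS entries pass.
        bad = [p for p in enabled if not p.upper().startswith("TLSV")]
        if bad:
            findings.append((port, "sslProtocols still lists %s" % ",".join(bad)))
    return findings


if __name__ == "__main__":
    for label, xml in (("broken", BROKEN_XML), ("fixed", FIXED_XML)):
        print(label, check_connectors(xml) or "OK")
```

Run it against the real server.xml by reading the file into a string and passing it to check_connectors; an empty list means every SSL connector pins explicit TLS versions.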

Hope I could help you somehow! If you’ve got any questions feel free to comment on this post. Good luck on your poodle fighting!

Agile Roadmaps in Software Development

Article in German ⤴︎

In general, every software solution requires a roadmap, as the basis for targeted further development and so it can be adapted to users’ needs in the coming years. No matter which niche the software serves, it always represents a form of reliable standard for its users. As a result, features are rarely removed, since this is perceived as a loss and impacts user acceptance.

Normally, the product manager is responsible for planning and marketing software. This person is the product-market expert for his or her specific area. The product manager develops a product strategy, known as the roadmap. Software releases are generally implemented in the form of a project, with the help of a project manager. Project and product managers provide each other with significant support by sharing their experiences.

JBoss EAP / Wildfly – Three ways to invoke remote EJBs

The JBoss EAP / Wildfly application server provides the EJB client library as its primary API for invoking remote EJB components. This client library is the WildFly application server’s own implementation for invoking EJB components. Looking up an object such as a JMS connection factory from the naming service is not possible with the EJB client library. For this purpose the remote naming implementation can be used, which handles lookups of objects from the naming service. Both libraries can be used through the InitialContext of the JNDI API.

This post introduces three ways to configure the InitialContext to look up and invoke EJB components, describes the pros and cons of each approach, and introduces a combination of both libraries.

JBoss EAP / Wildfly Management Interfaces and Clients

The JBoss EAP / Wildfly provides a powerful concept for management, configuration, and monitoring of the application server itself and its Java EE applications.

In the previous post we focused on some useful runtime metrics, which are of interest when monitoring your application server and applications. This post introduces the management clients provided by the JBoss EAP / Wildfly Application Server to manage and configure server instances.

Monitoring the JBoss EAP / Wildfly Application Server with the Command Line Interface (CLI)

The JBoss EAP / Wildfly provides a powerful concept for management, configuration and monitoring of the JBoss Application Server itself and its Java EE Applications. The concept is based on the detyped management API. All management clients of the application server use this detyped management API to interact with the server.

In this post we focus on some useful runtime metrics which are of interest when monitoring your application server and application with the Command Line Interface (CLI).

Pick the right tools for remote usability testing

Usability tests in an agile world

Some months ago, we had the idea to develop a virtual UX lab that supports us in collecting user feedback on the fly as early as possible. First, we thought about a tool for unmoderated usability tests. Unfortunately, there was no tool that met our requirements. Most tools that do a great job (e.g., http://www.usabilitytools.com) are cloud-based solutions and require public access to the prototype. This is a no-go for our industrial clients that try to get a competitive advantage with the software we develop for them.

Moderating tests avoids information loss

Another reason that made us reorient towards remote moderated usability tests was the loss of information density if the participants do not have to think aloud and if you are not able to ask questions for further insights. If you conduct only a few tests, you want to get as much information as possible. Andreasen, Nielsen, Schrøder and Stage (2007) showed in their paper “What happened to remote usability testing? An empirical study of three methods” that unmoderated usability tests detected fewer usability issues than moderated remote or lab usability tests.

AngularJS in WARs – The Case of the Session Timeout

AngularJS is a great framework to build modern web applications. Java EE offers a rich and powerful environment to build reliable, scalable, and secure server applications. The combination of both worlds is straightforward: the web archive (WAR) contains all the HTML pages and the JavaScript code, and access to the server is done using JAX-RS.

Access control can also be implemented using the standard Java EE tools. Using form-based authentication, a user first has to enter login and password before he can access the web pages. In addition to the web pages, the servlet used by the AngularJS application can be secured in the same way.

That should solve all problems, am I right? Almost. What is not covered by default is the handling of session timeouts. When a session times out, the user is redirected to the login page to establish a new session. This is fine for a human user, but an AngularJS application can get quite confused: it accesses the server in the background, expects a JSON response, and receives an HTML page instead. Here, we show a solution for this problem.

A classification of migration projects

In this article we will try to define a classification of projects that deal in one way or the other with the migration of code or data. This classification is not strictly hierarchical, since in general too many aspects overlap. However, the intent of this document is not to deliver a scientifically precise hierarchy, but to provide you with practical ideas when dealing with migration.