
Thursday, May 28, 2009

UPDATE: My presentation at the Rational Conference


As I blogged earlier, I am giving a presentation at this year's Rational conference in Orlando. Due to some scheduling shifts, my presentation has been renumbered and moved. I will be presenting on Wednesday June 3rd at 11:15am. Mine will be for generic audiences, but will have some technical details for the geeks like myself in the audience. Here is the session summary:




EM11 General How a tactical HATS solution became a strategic asset - A Customer Story
Wednesday, June 3, 11:15 am - 12:15/12:45 pm
Room: Americas Seminar

Kenny Smith, Principal, Strongback Consulting
Alisa Morse, HATS Product Manager, IBM Rational software

Learn how one customer stemmed revenue loss, and is now reaching into new accounts using Host Access Transformation Services (HATS) to transform their 3270 green screen application to a modern, easy to use Web application. HATS gives you the tools needed to extend your 3270 and 5250 applications to the Web, portlets, rich clients, browsers on mobile devices, or as Web services without changing the underlying green screen application code. This session will include an introduction to HATS followed by a case study on how Total System Services, Inc. (TSYS), a provider of electronic payment services, extended their 3270 credit card processing application to the Web quickly, with low development costs, reduced training time, and high end user satisfaction.


If you will be there at the convention, be sure to say hello, or comment below if you're reading my blog. If you are interested in attending, you can register at http://www-01.ibm.com/software/rational/rsdc/ .

Thursday, May 14, 2009

WebSphere App Server and Struts2 don't mix

As I have recently found out by the school of hard knocks, these two do not mix when Java EE web container security is enabled.

Background:


Struts2 is the follow-on to the very popular and ubiquitous Apache Struts framework. Struts2 is actually a combination of Struts and WebWork and is a really slick framework. The more I used it the more I liked it (sans the crap with security issues). Under Struts1, the framework was built around a Struts action servlet. Under Struts2, Struts operates as a servlet Filter, which is where the problem comes in for WebSphere.

The Problem:

The problem arises when you need to turn on container based security. This is enabled in the web.xml file:


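    <security-constraint>
        <display-name>Default Constraint</display-name>
        <web-resource-collection>
            <web-resource-name>Customer Data</web-resource-name>
            <url-pattern>/customer/*</url-pattern>
            <http-method>PUT</http-method>
            <http-method>GET</http-method>
            <http-method>TRACE</http-method>
            <http-method>POST</http-method>
            <http-method>DELETE</http-method>
            <http-method>OPTIONS</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>validUsers</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>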




Whenever a user browses within the application to a URL that has customer in the string, it should prompt the user for security credentials with a login page. This happens quite easily in Apache Tomcat, but WebSphere just navigates right to the secured resource without ever grabbing credentials. This happens in WebSphere App Server 6.1 and 7.0, and it is a certified bug, even when enabling the custom JVM property com.ibm.ws.webcontainer.disablesecuritypreinvokeonfilters=true.


The Solution:

For WAS 6.1, upgrade to fixpack 23 (6.1.0.23), and enable the custom property. This fixpack has already been released. If you have developed your application under WAS 7.0 and are using servlet spec 2.5 and JDK 6, then you'll have to wait for fix pack 7.0.0.5, which is due in the July/August time frame. Otherwise, you will have to create a whole new application under JDK 5 to deploy to WAS 6.1 and copy over your compatible Java artifacts. The easy solution is to use Apache Tomcat in the interim.
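A way to confirm, after applying a fix pack or moving containers, that the constraint is actually enforced. This is an added example, not code from the original post or from IBM. It reads the protected patterns out of web.xml and classifies the response your own HTTP client got for an unauthenticated request. The function names and the sample web.xml are constructed for illustration, and it assumes a form login page posts to j_security_check, as the servlet specification defines.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring this post's constraint (Servlet 2.5 namespace).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Customer Data</web-resource-name>
      <url-pattern>/customer/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>validUsers</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]          # strip the XML namespace

def protected_rules(web_xml):
    """Return [(url_pattern, methods)] for constraints with an auth-constraint."""
    rules = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        elems = [(_local(e.tag), (e.text or "").strip()) for e in sc.iter()]
        if not any(t == "auth-constraint" for t, _ in elems):
            continue                        # no auth-constraint: public resource
        methods = {v for t, v in elems if t == "http-method"}  # empty = all methods
        rules += [(v, methods) for t, v in elems if t == "url-pattern"]
    return rules

def matches(pattern, path):
    """Servlet-style matching: prefix (/x/*), extension (*.ext), else exact."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def verdict(rules, method, path, status, body=""):
    """Classify the response to an UNAUTHENTICATED request for method + path."""
    if not any(matches(p, path) and (not m or method in m) for p, m in rules):
        return "not-covered"
    if status in (401, 403) or "j_security_check" in body:
        return "enforced"                   # challenge, denial, or login form served
    if 300 <= status < 400:
        return "follow-redirect"            # fetch Location, then classify that body
    return "bypassed" if 200 <= status < 300 else "inconclusive"
```

A "bypassed" verdict on a /customer/ URL is the behaviour described above: the container handed back the secured resource without asking for credentials.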

Here are some other links to the issue:

http://www-01.ibm.com/support/docview.wss?&uid=swg1PK76656&loc=en_US&cs=utf-8&lang=en

http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&q1=7.0.0.5&q2=security&uid=swg24022479&loc=en_US&cs=utf-8&lang=en

http://www-01.ibm.com/support/docview.wss?rss=180&uid=swg21284395

http://del.icio.us/klenny/struts2

Friday, May 08, 2009

Security Certificate expiration in Lotus Domino on May 18th 2009

What is happening
The certificate for some Java applets in Lotus Domino 6.5.x, Domino 7.0.x, Domino 8.0.x, and Domino 8.5 has an expiration date of May 18, 2009. Starting May 19th, Web users will see a dialog with a message similar to one of the following when loading a Web page that contains a Java applet from the Domino server:

"The digital signature was generated with a trusted certificate but has expired or is not yet valid."
"The security certificate has expired or is not yet valid."

This issue can occur even if IBM is set up as a trusted publisher in the browser.

What does this mean
Please be assured that this message does not mean security has been compromised. It simply reflects the expiration of the signature originally provided in the security certificate used with certain Domino applets. You can find an explanation in the following technote:

Title: "Security certificate expiration messages generated from Domino applets (May 18, 2009)"
URL: http://www.ibm.com/support/docview.wss?rs=899&uid=swg21381298

Action needed to resolve
To resolve the situation, you have three options: (1) Instruct users to "Always Trust" content from IBM, (2) if using Domino 7.x, upgrade to Domino 7.0.4, or (3) download and apply fixes. IBM recommends that you replace the affected Jar files (option 3) as described in the following download document for any supported release of Domino:

Title: "Download re-signed Java applets for Lotus Domino (May 18, 2009)"
URL: http://www.ibm.com/support/docview.wss?rs=899&uid=swg24022981

Alternatively, an interim fix will be posted to Fix Central for the latest Modification and Fix Pack levels by May 8th. These include Domino 6.5.6 FP3, 7.0.3 FP1, 7.0.4, 8.0.2 FP1, and 8.5.0. If you're not running one of these releases, access the download document above, which provides fixes for all supported release levels.

General Self-Help Resources
Here are links to other ways that you can access IBM Lotus Notes & Domino self-help support information on the Web:
1. My Support (http://www.ibm.com/software/support/einfo.html)
2. Lotus Support is just a click away (http://www.ibm.com/software/lotus/support/clickaway/); learn more about Lotus Software Self-Assist Options.
3. IBM Software Support Site design update (http://www.ibm.com/software/support/gcnews.html)
4. New Lotus Notes Domino Wiki (http://www.lotus.com/ldd/dominowiki.nsf)
5. Fix Central (http://www.ibm.com/support/fixcentral/)

Tuesday, May 05, 2009

New Lotus channel on YouTube

Lotus has launched its own channel on YouTube. http://www.youtube.com/collaboration4you

There are 25 short videos that describe how Lotus solutions address actual business needs. Here's a great sample:



If any of these technologies sound of interest, give us a buzz to find out more.

Friday, May 01, 2009

Corporate Survey of Browsers

Lifehacker.com had an article on a Forrester Research survey of companies asking them what their default internet browser standard is. I was shocked...yes...shocked to see that IE6 still accounts for 60% of the corporate install base.

Does anyone reading this have a justifiable reason why this is so? What is it that keeps your organization from either upgrading to IE7 (or now IE8), or even better, standardizing on Firefox or Chrome or some other browser?

I think this is just plain gross negligence on behalf of most of these company CTO/CIOs. IE6 has so many weaknesses both in security and in features. These organizations are trapped in 2002. Making a web site forward compatible from IE6 is downright difficult as it does not fully support web standards. Review my previous posts on IE, and look up the results for the Acid2 test.

Argh!! Ok... I'll get off my soap box now.