HttpOnly Cookie in weblogic 10.0

Hello,
I use weblogic 10.0 version. When I enable cookie-http-only in weblogic.xml, in the output I can see that flag is not set. The documentation says that this flag is set to true by default.
I do not know if there were any fixes made in the 10.X Service packs. Please advise if there is an issue in the 10.0 version and I should upgrade my weblogic to 10.3?
Thanks,
Kalyan

<Oct 4, 2010 5:11:27 PM IST> <Error> <J2EE> <BEA-160197> <Unable to load descriptor C:\Data\dev\adcxx5n_workstation_oct2010\vobmnt\ima\pmas\workstation\common.base-platform\target\base-platform-6.9-SNAPSHOT/WEB-INF/weblogic.xml of module null. The error is weblogic.descriptor.DescriptorException: VALIDATION PROBLEMS WERE FOUND
C:\Data\dev\adcxx5n_workstation_oct2010\vobmnt\ima\pmas\workstation\common.base-platform\target\base-platform-6.9-SNAPSHOT\WEB-INF\weblogic.xml:18:11:18:11: problem: cvc-complex-type.2.4a: Expected elements 'cookie-path@http://www.bea.com/ns/weblogic/90 cookie-domain@http://www.bea.com/ns/weblogic/90 cookie-comment@http://www.bea.com/ns/weblogic/90 cookie-secure@http://www.bea.com/ns/weblogic/90 cookie-max-age-secs@http://www.bea.com/ns/weblogic/90 persistent-store-type@http://www.bea.com/ns/weblogic/90 persistent-store-cookie-name@http://www.bea.com/ns/weblogic/90 persistent-store-dir@http://www.bea.com/ns/weblogic/90 persistent-store-pool@http://www.bea.com/ns/weblogic/90 persistent-store-table@http://www.bea.com/ns/weblogic/90 jdbc-column-name-max-inactive-interval@http://www.bea.com/ns/weblogic/90 jdbc-connection-timeout-secs@http://www.bea.com/ns/weblogic/90 url-rewriting-enabled@http://www.bea.com/ns/weblogic/90 http-proxy-caching-of-cookies@http://www.bea.com/ns/weblogic/90 encode-session-id-in-query-params@http://www.bea.com/ns/weblogic/90 monitoring-attribute-name@http://www.bea.com/ns/weblogic/90 sharing-enabled@http://www.bea.com/ns/weblogic/90' instead of 'cookie-http-only@http://www.bea.com/ns/weblogic/90' here in element session-descriptor@http://www.bea.com/ns/weblogic/90:<C:\Data\dev\adcxx5n_workstation_oct2010\vobmnt\ima\pmas\workstation\common.base-platform\target\base-platform-6.9-SNAPSHOT/WEB-INF/weblogic.xml:18:11>

Similar Messages

  • Applet and HttpOnly cookies in IE 6.0 SP1

    Hello all.
    I am working on a trusted file upload applet. This applet creates a
    HttpURLConnection object and simulates a browser POST request. It
    uploads form variables and also sends one or more files to the server.
    Microsoft has introduced support for a new kind of cookie in Internet
    Explorer 6.0 SP1. This is called as a "HttpOnly" cookie and scripts do
    not have access to this cookie. (The cookie does not show up in
    document.cookie variable).
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure10102002.asp
    My server side script that receives the request is an ASP.NET script.
    Since ASP.NET 2.0, the ASPNET_SessionID cookie is sent as a httpcookie.
    When my applet does the POST request, it is able to pick up all the
    cookies, but the ASPNET_SessionID cookie. This is causing my session to
    expire. Is there a way I can pick up HttpOnly cookies too?
    This problem exists only when I'm using the Sun Plugin for IE. When I
    use MS JVM everything is fine. I'm using Sun Plugin version 1.4.2_04.
    Any help is appreciated.
    Adarsh Bhat

    Naveen,
      Normally the browser should support the javascript version you are using. The best way is to upgrade the browser to higher SP if it runs on a different SP.
    Usually, Javascript errors are very abstract, so tough to handle. So, got to be careful when coding.
    Check this link for details on Javascript errors etc
    http://www.irt.org/script/general.htm
    Hope this helps,
    Kumar

  • Httponly cookie

    Hello all,
    We are trying to add additional security to a web based system that's being run by labview.  We run on gweb as a server and use labview to create server side cookies.  We would like to implement microsoft httponly cookie format.  Does anyone know if this is possible?  The only examples we have found to do this have been for other scripting languages, it appears it may be as simple as adding info to the header of the cookie, but we can not tell for sure if that is the case, and if so if it is possible to add that info using the LV cookie vi's?
    Any help or if someone has implemented it and could send a sample vi it would be greatly appreciated. (btw we are using LV 8.6)
    Chris
    CLAD

    Hi Chris,
    It looks like you may want to take a look at the Internet Toolkit to see if it will do what you want.
    http://sine.ni.com/nips/cds/view/p/lang/en/nid/2501
    You can find an evaluation copy here:
    https://lumen.ni.com/nicif/us/evaltlktrepgen/content.xhtml
    Flash
    National Instruments
    Applications Engineer

  • Nessus report says: Apache HTTP Server httpOnly Cookie Information Disclosu

    Hi all,
    Security area ran a Nessus script in the network and it found a known vulnerability over Oracle HTTP Server. Nessus gives a recommendation and I think is not the best recommendation because Oracle Application Server 10g R2 doesn't support Apache 2.2.22 (only 1.3).
    The question is:
    What other action plan can I execute in order to solve the vulnerability issue?
    This is the Nessus report:
    Apache HTTP Server httpOnly Cookie Information Disclosure
    Synopsis:
    The web server running on the remote host has an information disclosure vulnerability.
    Description:
    The version of Apache HTTP Server running on the remote host has an information disclosure vulnerability. Sending a request with HTTP headers long enough to exceed the server limit causes the web server to respond with an HTTP 400. By default, the offending HTTP header and value are displayed on the 400 error page. When used in conjunction with other attacks (e.g., cross-site scripting), this could result in the compromise of httpOnly cookies.
    Risk factor:
    Medium
    CVSS Base Score:4.3
    CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N
    See also:
    http://fd.the-wildcat.de/apache_e36a9cf46c.php
    See also:
    http://httpd.apache.org/security/vulnerabilities_22.html
    See also:
    http://svn.apache.org/viewvc?view=revision&revision=1235454
    Solution:
    Upgrade to Apache version 2.2.22 or later.
    Plugin output:
    Nessus verified this by sending a request with a long Cookie header : GET / HTTP/1.1 Host: ntoracolp01.intrallianz.es:7202 Accept-Language: en Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1 Connection: Close Cookie: z9=AAAAAAAAAAAAAAAAAAAAA......
    Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* Which caused the Cookie header to be displayed in the default error page (the response shown below has been truncated) : <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>400 Bad Request</TITLE> </HEAD><BODY> <H1>Bad Request</H1> Your browser sent a request that this server could not understand.<P> Size of a request header field exceeds server limit.<P> <PRE> Cookie: z9=AAAAAAAAAAAAAAA.......
    Plugin ID:
    57792
    CVE:
    CVE-2012-0053
    BID:
    51706
    Other references:
    OSVDB:78556, EDB-ID:18442, IAVA:2012-A-0017
    Thanks

    Thanks for reply
    I've added read access to developer directory:
    drwxr--r-x 11 developer users 4096 03-18 21:03 developer
    Nothing changed.
    error_log
    [Tue Mar 18 22:42:47.462658 2014] [authz_core:error] [pid 2150:tid 2941197120] [client 192.168.1.100:56103] AH01630: client denied by server configuration: /home/developer/public_html
    No idea how "public_html" get there?!
    access_log
    192.168.1.100 - - [18/Mar/2014:22:38:34 +0100] "GET /~developer HTTP/1.1" 403 1081
    192.168.1.100 - - [18/Mar/2014:22:38:45 +0100] "GET /~developer/www HTTP/1.1" 403 1081
    192.168.1.100 - - [18/Mar/2014:22:42:47 +0100] "GET /~developer/www HTTP/1.1" 403 1081
    192.168.1.100 - - [18/Mar/2014:22:42:47 +0100] "GET /favicon.ico HTTP/1.1" 404 1099
    192.168.1.100 - - [18/Mar/2014:22:42:47 +0100] "GET /favicon.ico HTTP/1.1" 404 1099
    EDIT
    Ok, I've found the solution for that. In file httpd-userdir.conf UserDir was "public_html" instead of "www".
    Now I'm getting error 500
    error_log
    [Tue Mar 18 22:48:36.841443 2014] [mpm_event:notice] [pid 2803:tid 3074947456] AH00489: Apache/2.4.7 (Unix) mod_python/3.5.0- Python/3.3.5 configured -- resuming normal operations
    [Tue Mar 18 22:48:36.841528 2014] [core:notice] [pid 2803:tid 3074947456] AH00094: Command line: '/usr/bin/httpd'
    [Tue Mar 18 22:48:45.873329 2014] [:error] [pid 2805:tid 3033516864] make_obcallback: could not import mod_python.apache.\n
    [Tue Mar 18 22:48:45.874559 2014] [:error] [pid 2805:tid 3033516864] make_obcallback: Python path being used "['/usr/lib/python33.zip', '/usr/lib/python3.3', '/usr/lib/python3.3/plat-linux', '/usr/lib/python3.3/lib-dynload', '/usr/lib/python3.3/site-packages']".
    [Tue Mar 18 22:48:45.874589 2014] [:error] [pid 2805:tid 3033516864] get_interpreter: no interpreter callback found.
    [Tue Mar 18 22:48:45.874612 2014] [:error] [pid 2805:tid 3033516864] [client 192.168.1.100:56122] python_handler: Can't get/create interpreter., referer: http://192.168.1.108/~developer/
    Last edited by maci3k (2014-03-18 22:37:32)

  • How to set httponly cookies in J2EE 5

    Hi folks,
    I am using Tomcat 6 which implements Servlet API 2.5 (part of the J2EE 5). I know I could set the usehttponly="true" in the context.xml to turn on all cookies to httponly. However, if I only need to set certain cookies to be httponly, how to do it in J2EE 5? I do not find Cookie.setHttponly() method in J2EE 5.
    Thanks in advance!
    Billy

    Either the support document cited above is in error or (more likely) has just not been updated for IOS 8.
    It states that:
    AirPrint printers connected to the USB port of an Apple AirPort Base Station or AirPort Time Capsule are not supported with AirPrint. Connect your AirPrint printer to your network using Wi-Fi, or connect it to a LAN port on your AirPort device using Ethernet.
    I have an early HP LaserJet P1102w and found that it can be set up to work wirelessly even if it is connected by USB to either a MAC or Airport/Time Capsule.
    The trick is to install it each way and label each in the system preferences accordingly,  (a separate icon for each version)
    Examples: the wireless  HP P1102 - Air Print, the USB cabled HP P1102w - USB, and the Airport/TC HP P1102w - Airport (or TC or LAN name)
    My iPhone 5s also found the HP1102w using AirPrint.
    Additionally the wireless printer connection will display the printer Options and Supplies just like the USB wired connection -- the Airport/TC connection will not.
    So even if you use the USB/Airport/TC route, you can still quickly switch to the wireless or USB to check the toner (or ink)
    Hope some find this useful.
    Equip:
    HP P1102w (with latest firmware update from HP)
    MacbookPro & Macbook Pro Retina (both running OSX 10.9.5 - Mavericks)
    TimeCapsule (latest Airport Utility & Firmware)
    iPhone 5s ( iOS 8.0.2)

  • Setting Secure and HttpOnly flags in JSESSIONID cookie

    I have a web app hosted on WebLogic (8.1 I'm afraid!), and want to secure the JSESSIONID cookie by setting the Secure and HttpOnly flags on it. The intention is to prevent cookie theft.
    As regards the Secure flag, I've tried using the myCookie.setSecure(true) method. This works fine when I debug and step through the code , but by the time the cookie gets back to the client, it has been reset to false again (I'm not clear what by though...).
    There isn't a Cookie method to allow you to set HttpOnly.
    I've thought of using a filter to intercept the response and set the flags explicitly, but this seems like a lot of work for something that seems very simple. I can't find anything in the WebLogic documentation that allows me to configure the settings either.
    Does anyone have any bright ideas about how I can do this?
    Thanks
    Geoff

    I don't think there is HTTPOnly support for WebLogic 8.1 or other versions.
    Maybe you want to send a note to WebLogic support to find out if they are planning this feature in future?
    Jayesh
    Yagna Sys
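
The filter approach raised in this thread, which also covers the per-cookie HttpOnly asked about in the Tomcat 6 question above, shown as an added example (not code from any poster or vendor). It assumes Servlet 2.5 on Java 5 or later; the class name and the cookie names `authToken` and `rememberMe` are hypothetical.

```java
import java.io.IOException;
import java.text.SimpleDateFormat;
import java.util.Arrays;
import java.util.Date;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.TimeZone;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Added example: marks selected application cookies HttpOnly on Servlet 2.5,
 * where javax.servlet.http.Cookie has no setHttpOnly().
 * Cookies the container writes itself (for example JSESSIONID) normally do
 * not pass through this wrapper and need the container's own setting.
 */
public class HttpOnlyCookieFilter implements Filter {

    // Hypothetical cookie names; replace with the application's own.
    private static final Set<String> PROTECTED =
            new HashSet<String>(Arrays.asList("authToken", "rememberMe"));

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(res instanceof HttpServletResponse)) {
            chain.doFilter(req, res);
            return;
        }
        HttpServletResponse wrapped =
                new HttpServletResponseWrapper((HttpServletResponse) res) {
            @Override
            public void addCookie(Cookie cookie) {
                if (PROTECTED.contains(cookie.getName())) {
                    // Write the header directly so the attribute can be appended.
                    addHeader("Set-Cookie", toSetCookieHeader(cookie));
                } else {
                    super.addCookie(cookie);
                }
            }
        };
        chain.doFilter(req, wrapped);
    }

    /** Builds a Netscape-style (version 0) Set-Cookie value ending in HttpOnly. */
    static String toSetCookieHeader(Cookie c) {
        StringBuilder sb = new StringBuilder();
        sb.append(checked("name", c.getName())).append('=')
          .append(checked("value", c.getValue()));
        if (c.getPath() != null) {
            sb.append("; Path=").append(checked("path", c.getPath()));
        }
        if (c.getDomain() != null) {
            sb.append("; Domain=").append(checked("domain", c.getDomain()));
        }
        if (c.getMaxAge() >= 0) {
            // Older browsers ignore Max-Age, so send Expires as well.
            // Max-Age=0 means "delete now": use the epoch as the expiry date.
            long when = c.getMaxAge() == 0
                    ? 0L : System.currentTimeMillis() + c.getMaxAge() * 1000L;
            SimpleDateFormat fmt =
                    new SimpleDateFormat("EEE, dd-MMM-yyyy HH:mm:ss 'GMT'", Locale.US);
            fmt.setTimeZone(TimeZone.getTimeZone("GMT"));
            sb.append("; Max-Age=").append(c.getMaxAge())
              .append("; Expires=").append(fmt.format(new Date(when)));
        }
        if (c.getSecure()) {
            sb.append("; Secure");
        }
        return sb.append("; HttpOnly").toString();
    }

    /** Rejects characters that would split the header or start a new attribute. */
    private static String checked(String what, String s) {
        if (s == null) {
            throw new IllegalArgumentException("cookie " + what + " is null");
        }
        for (int i = 0; i < s.length(); i++) {
            char ch = s.charAt(i);
            if (ch < 0x21 || ch > 0x7e || ch == ';' || ch == ',' || ch == '"') {
                throw new IllegalArgumentException("illegal character in cookie " + what);
            }
        }
        return s;
    }
}
```

The filter has to be declared and mapped in web.xml so that it wraps the responses of the servlets that set these cookies.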

  • WAR cookie example not working. Please help!

    Hi,
              The cookie example worked fine if I put everything unpackaged under the
              public_html/cookie directory. However, when I jarred this directory as
              cookie.war and registered it with WLS, I got this exception when trying
              to access CookieCounter servlet.
              javax.servlet.ServletException: Servlet class: servlets.CookieCounter
              could not
              be loaded - the requested class wasn't found in the classpath
              Also, I was able to get to the hello.html page (my welcome-file) when I
              put in this request
              http://127.0.0.1:7001/cookie
              That means the server was able to extract the cookie.war file and parse
              web.xml correctly.
              The structure of my cookie.war file is exactly the same as the cookie
              directory's.
              This is what my cookie.war file looks like
              error.jsp
              WEB-INF/classes/servlets/CookieCounter.class
              WEB-INF/classes/CookieCounter.class
              WEB-INF/CookieCounter.java
              WEB-INF/web.xml
              images/cookie.jpg
              hello.html
              This is the entry in weblogic.properties
              weblogic.httpd.webApp.cookie=c:/weblogic/myserver/public_html/cookie.war
              my web.xml is
              <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application
              1.2//EN" "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
              <web-app>
              <!--
              <context-param>
              <param-name>weblogic.servlet.reloadCheckSecs</param-name>
              <param-value>0</param-value>
              </context-param>
              -->
              <servlet>
              <servlet-name>CookieCounter</servlet-name>
              <servlet-class>servlets.CookieCounter</servlet-class>
              </servlet>
              <servlet-mapping>
              <servlet-name>CookieCounter</servlet-name>
              <url-pattern>monster</url-pattern>
              </servlet-mapping>
              <welcome-file-list>
              <welcome-file>hello.html</welcome-file>
              </welcome-file-list>
              <error-page>
              <error-code>404</error-code>
              <location>/error.jsp</location>
              </error-page>
              </web-app>
              The problem seems to be that weblogic was able to find
              CookieCounter.class under the unpackaged cookie directory but not inside
              cookie.war
              Please help.
              Thanks a lot.
              By the way, if you have a war file that works, please send it to me at
              [email protected]
              I would greatly appreciate it.
              

    Try resetting it:
    Press and hold the On/Off Sleep/Wake button and the Home
    button at the same time for at least ten seconds, until the Apple logo appears.
    Next try restoring via itunes.

  • Help !!  its urgent !!! HTTPS to HTTP switching in weblogic App server !!

    Hi,
    I am using servlets in Weblogic Server environment. My client (browser based) switches
    from HTTPS to HTTP and vice versa while accessing different servlets.
    In IE application works fine but when using Netscape it fails in many parts .
    I have read that there is a fix for Netscape , it goes like this
    " Question : When a Netscape browser starts a session with WebLogic Server on an
    HTTP page and then moves to an HTTPS page, a new session is created. How can I preserve
    the session while switching to or from HTTPS?
    Answer : The cookie WebLogic Server sends includes the port number. When the Netscape
    browser sees a cookie with a different port number, it assumes the destination is
    a different server, so it does not return the cookie to WebLogic Server. The way
    to prevent this is to specify the domain name that WebLogic Server writes in the
    cookie with the weblogic.httpd.session.cookie.domain property. For example:
    weblogic.httpd.session.cookie.domain=.mydomain.com "
    I have tried this also by giving different versions of the above mentioned line in
    weblogic.properties file
    i) weblogic.httpd.session.cookie.domain=.myServerName
    where myServerName is name of the machine in which Weblogic App server is running

    Which ports are you using for HTTP and HTTPS?
    Robert Patrick wrote:
    Is the browser talking directly to WLS or going through another web server (and the
    weblogic plug-in)? In the URLs being used from the browser, do you always uss the full
    machine name (e.g., mymachine.mydomain.com) or are you trying to use just the hostname
    (e.g., mymachine) or the IP address?
    Robert
    Ajay Singh wrote:
    Hi,
    I am using servlets in Weblogic Server environment. My client (browser based) switches
    from HTTPS to HTTP and vice versa while accessing different servlets.
    In IE application works fine but when using Netscape it fails in many parts .
    I have read that there is a fix for Netscape , it goes like this
    " Question : When a Netscape browser starts a session with WebLogic Server on an
    HTTP page and then moves to an HTTPS page, a new session is created. How can I preserve
    the session while switching to or from HTTPS?
    Answer : The cookie WebLogic Server sends includes the port number. When the Netscape
    browser sees a cookie with a different port number, it assumes the destination is
    a different server, so it does not return the cookie to WebLogic Server. The way
    to prevent this is to specify the domain name that WebLogic Server writes in the
    cookie with the weblogic.httpd.session.cookie.domain property. For example:
    weblogic.httpd.session.cookie.domain=.mydomain.com "
    I have tried this also by giving different versions of the above mentioned line in
    weblogic.properties file
    i) weblogic.httpd.session.cookie.domain=.myServerName
    where myServerName is name of the machine in which Weblogic App server is running

  • HTTPS to HTTP switching in weblogic App server

    Hi,
    I am using servlets in Weblogic Server environment. My client (browser based) switches
    from HTTPS to HTTP and vice versa while accessing different servlets.
    In IE application works fine but when using Netscape it fails in many parts .
    I have read that there is a fix for Netscape , it goes like this
    " Question : When a Netscape browser starts a session with WebLogic Server on an
    HTTP page and then moves to an HTTPS page, a new session is created. How can I preserve
    the session while switching to or from HTTPS?
    Answer : The cookie WebLogic Server sends includes the port number. When the Netscape
    browser sees a cookie with a different port number, it assumes the destination is
    a different server, so it does not return the cookie to WebLogic Server. The way
    to prevent this is to specify the domain name that WebLogic Server writes in the
    cookie with the weblogic.httpd.session.cookie.domain property. For example:
    weblogic.httpd.session.cookie.domain=.mydomain.com "
    I have tried this also by giving different versions of the above mentioned line in
    weblogic.properties file
    i) weblogic.httpd.session.cookie.domain=.myServerName
    where myServerName is name of the machine in which Weblogic App server is running

    try
    weblogic.httpd.session.cookie.domain=.myDomainName
    where myDomainName is something like india.techspan.com, make sure you don't put
    in the name of your machine. WLS doesn't care about that in this property.
    "Ajay Singh" <[email protected]> wrote:
    >
    Hi,
    I am using servlets in Weblogic Server environment. My client (browser
    based) switches
    from HTTPS to HTTP and vice versa while accessing different servlets.
    In IE application works fine but when using Netscape it fails in many parts
    I have read that there is a fix for Netscape , it goes like this
    " Question : When a Netscape browser starts a session with WebLogic Server
    on an
    HTTP page and then moves to an HTTPS page, a new session is created. How
    can I preserve
    the session while switching to or from HTTPS?
    Answer : The cookie WebLogic Server sends includes the port number. When
    the Netscape
    browser sees a cookie with a different port number, it assumes the destination
    is
    a different server, so it does not return the cookie to WebLogic Server.
    The way
    to prevent this is to specify the domain name that WebLogic Server writes
    in the
    cookie with the weblogic.httpd.session.cookie.domain property. For example:
    weblogic.httpd.session.cookie.domain=.mydomain.com "
    I have tried this also by giving different versions of the above mentioned
    line in
    weblogic.properties file
    i) weblogic.httpd.session.cookie.domain=.myServerName
    where myServerName is name of the machine in which Weblogic App server
    is running

  • What is behavior for cookie-http-only?

    I noticed cookie-http-only property available in 9.2 and also 10.3 but what exactly does enabling this do?
    The documentation isn't very clear.
    "Specifies whether HttpOnly cookies are enabled. When this element is set to true, all session cookies would be unavailable to the browser scripts. The default value is true. Therefore, HttpOnly cookies are enabled by default."
    Does that mean it will make my jsessionid as httponly? In 9.2, enabling this property didn't do this.
    Does it just mean it will honor httponly settings? But that would be on the browser end.
    Does it mean it will make my other session cookies as httponly and not jsession id?
    Please clarify

    Smart Mailboxes don't do anything to messages except list them. The messages must reside somewhere else. If the message is deleted from wherever it lives, or if it no longer satisfies the search criteria that define the Smart Mailbox, it will no longer appear. For example, suppose the Smart Mailbox specifies "unread" messages. Once the message has been read, it will not appear in that Smart Mailbox the next time it is opened.

  • Arrowpoint cookie HTTP Only flag set.

    Hi All,
    I have a site running an application on which we have identified a vulnerability we wish to close. The CSS11501 is using the advance balance arrowpoint cookie method, however tests are showing that the HTTP only parameter is not set. I am unable to find a way of doing this at present. Does anyone know how to achieve this?
    Until I can do so there is a remote possibility I am leaving my application open to cross site scripting attacks.
    Microsoft use the HTTPOnly cookie option which sets a HTTPOnly flag. The following url has some information for review.
    Thanks in advance for your help.
    Alfie...

    Alfie,
    your security test tool assumes the CSS is a webserver and therefore complains when seeing some missing *flag*.
    However, you won't be able to attack the CSS with whatever method that works against a webserver.
    We have our own onboard DOS feature.
    So, there is no option to use this microsoft HTTPOnly flag because there is no need for it.
    Make sure the servers behind the CSS are protected and have your HTTPOnly flag.
    Gilles.

  • WebCentre Content usage of JSESSIONID cookie

    Hi
    We have an issue in our implementation where Websphere and Weblogic compete on WebSeal for the same cookie name JSESSIONID (It actually looks more like it is Websphere and WebCentre Content that is competing for the JSESSIONID cookie since WebLogic seems to use ADMINCONSOLESESSION cookie). This results in unexpected behaviour in applications running within Websphere. We have confirmed that the issue is caused by a cookie preservation setting in WebSeal but we need this setting enabled for Oracle WebCentre Content and Autovue to work together.
    I am not sure if the following will work but I am thinking of changing WebCentre Content to use another cookie rather than JSESSIONID by explicitly adding a WEB-INF folder and use a weblogic.xml file to change the cookie-name.
    Anyone done this before or do you guys have any ideas on implications or options?
    Regards

    Hi EbodaWill,
    File daycare for fp 2324 where in you can configure & allow you to increase the request header size and avoid the bad request error OR for a package that improves client side persistence & does not use cookies.
    Thanks,
    Sham

  • Web content not showing up anymore.

    My article inside have a container that contain a HTML/JS web content.
    Once I edit the html content and update the article, the container is empty.
    I remove the article and upload again still get the same result, it is empty.
    How can I solve this problem?
    Thanks.

    Hi.
    To enable Site Studio features for Web Content inline editing you have to:
    - Enable Site Studio components in UCM.
    - Install and configure OHS to access UCM and Portal with the same port.
    - Enable authentication propagation when configure UCM-Portal.
    - Add a cookie to weblogic.xml with the context path of the Portal application to prevent lost session between Portal and UCM.
    Publishing Content Using Content Presenter - 11g Release 1 (11.1.1.6.0)
    Enable Site Studio features in WebCenter Portal | Yannick Ongena's WebCenter And Enterprise 2.0 Blog
    I hope it helps.
    Regards.

  • Sun One (Netscape) Plugin: Losing HTTP Session Problem

    Hi All,
    We are having some trouble with HTTP sessions. Sometimes our browser will have a session cookie set but will be issued a new session cookie anyways. This seems to occur only one in every 10 attempts, and seems to occur more frequently on certain machines. When this occurs we lose all of the session data that we were previously using.
    Our environment is as follows:
    We have three load balanced Sun One Web Servers fronting 6 managed 8.1 sp5 web logic instances. We've verified that multicast is working and that we've configured the plugin/application to have a unique cookie name already. We've also set the persistence type to 'replicated'
    Only clue that we have so far comes from our plug-in logs. It seems to be complaining about connection pooling:
    Mon Jan 22 16:04:39 2007 getPooledConn: No more connections in the pool for Host[XXX.XXX.XXX.XXX] Port[8003] SecurePort[8004]
    Mon Jan 22 16:04:39 2007 Connect returns -1, and error no set to 55, msg 'A connect operation on a socket is not complete.'
    Any ideas? Thanks in advance!
    Regards,
    Ray Siu

    Check if your web app has the same cookie name (weblogic.xml) as defined in the obj.conf.
    Jin

  • ADF BC Web Service - authenticate with JSESSIONID

    Hi!
    I create ADF Fusion Application Web project. I add a jspx page to ViewController project called "welcome.jspx" and secure Application with HTTP Basic authentication. Now in ViewController page I add POJO class and create webservice from it. Now I run the project and I can access welcome.jspx page only if I provide correct username and password. Now in ViewController project I choose Test WebService on WSDL. If I send test request, I get 403 unauthorized. If I add JSESSIONID cookie in the request header, I can access webservice.
    Now in Model project I create simple entity, view on top of it and add to the ApplicationModule. Now in ApplicationModule I create web service from it (Service interface) with method getByKey. I deploy whole application. If I select Test Webservice on the ApplicationModule's generated WSDL I can access webservice without providing securityCredentials. I can access it without providing JSESSIONID cookie (note the difference to the ViewController project). I know that ViewController project and Model have different ContextRoot and I speculate that why it goes (I know that two projects (Model, ViewController) cannot have the same Security Context). In created ApplicationModule I override prepareSession method and monitor who is logged in when executing ADF BC WebService. If I do not provide JSESSIONID cookie the logged "user" in is anonymous, If do provide it, I am logged in as user for which that JSESSIONID is created.
    I know I can secure webservice by attaching security policy, such as oracle/wss_usernamename.* (Soap:Header requires username/password) or oracle/http_token policy and if I do so, I must provide security credentials everytime - I do not like that. I would like to achieve that if I provide JSESSIONID cookie I am authenticated, if do not provide it, I receive 403 unauthorized - the same behaviour as is in the ViewController Dummy webservice.
    So is it possible to add second context root or something like that to the ApplicationSecurity (jazn*.xml files or something like that) to enforce the same security for Model part?
    Perhaps I should explain what I am doing:
    - we have ADF model with service enabled ApplicationModules (web services based on application modules) and now we are building clients to consume them. We have created simple LoginPage (in ViewController project) where we obtain JSESSIONID cookie. Now we want to contact webservice with JSESSIONID cookie and weblogic must recognize us, but in case JSESSIONID cookie is not present, invalid - a 401 unauthorized should be returned.
    Can you provide some hints how to work on?

    That's the end goal, but I haven't gotten that far.  I'm using the 11.1.1.7 versions of ADF JDeveloper and the BPM suite.  I'm attempting to consume an ADF BC web service from my BPM process using the Composer tool, but I first need to figure out how to publish/register the ADF BC web service with the BPM so that I can reference the ADF BC web service in the implementation of the BPM Service Task as a Service Call.  I thought I could register the ADF BC web service with the BPM using the BPM business catalog but when I attempt to add a new service and give it the WSDL generated from JDeveloper I get this error:
    BPM-71536: BCModelsService.wsdl has a dependency to BCModelsService.xsd that cannot be resolved.
