Setting secure flag on weblogic (5.1) session cookie.

Similar Messages

• Is the config setting to have iPlanet automatically generate a session cookie

  We have one set of iPlanet servers (xxx.company.com) that servers only HTML code. We have another set of servers, iPlanet and Weblogic, that servers JSPs and html code. Want to be able track users between the sites without having to change each HTML page to create one.
  The last option I can think of is to write a NSAPI plug-in. Thanks.

  You might want to look up persistent session managers that stores the session in a database so it can be shared between servers.

• How to Set up HTTPOnly and SECURE FLAG for session cookies

  Hi All,
  To fix some vulnerability issues (found in the ethical hacking , penetration testing) I need to set up the session cookies (CFID , CFTOKEN , JSESSIONID) with "HTTPOnly" (so not to access by other non HTTP APIs like Javascript). Also I need to set up a "secure flag" for those session cookies.
  I have found the below solutions.
  For setting up the HTTPOnly for the session cookies.
  1] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables
       this.sessioncookie.httponly = true;
  For setting up the secure flag for the session cookies.
  2] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables
       this.sessioncookie.secure = "true"
  Here my question is how we can do the same thing in Application.cfm?. (I am using ColdFusion version 10). I know we can do this using the below code , incase of HTTPOnly (for example).
  <cfapplication setclientcookies="false" sessionmanagement="true" name="test">
  <cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken") OR cookie.cftoken IS NOT session.CFToken>
    <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
    <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
  </cfif>
  But in the above code "setclientcookies" has been set to "false". In my application (it is an existing application) this has already been set to "true". If I change this to "false" as mentioned in the above code then ColdFusion will not automatically send CFID and CFTOKEN cookies to client browser and we need to manually code CFID and CFTOKEN on the URL for every page that uses Session. Right???. And this will be headache.Right???. Or any other way to do this.
  Your timely help is well appreciated.
  Thanks in advance.

  BKBK wrote:
  Abdul L Koyappayil wrote:
  BKBK wrote:
  You can switch httponly / secure on and off, as we have done, for CFID and CFToken. However, Tomcat automatically switches JsessionID to 'secure' when it detects that the protocol is secure, that is, HTTPS.
  I couldnt understand this. I mean how are you relating this with my question.
  When Tomcat detects that the communication protocol is secure (that is, HTTPS), it automatically switches on the 'secure' flag for the J2EE session cookie, JsessionID. Tomcat is configured to do that. Coldfusion has no say in it. So, for JsessionID, 'secure' is automatically set to 'false' when HTTP is detected and automatically set to 'true' when HTTPS is detected.
       If this is the case then why I am getting below info for jsessionid (As you mentioned it should set with SECURE flag . Right???). Note that we are using web server - Apache vFabric .And the application that we are using is in https and there is no hit is going from https to http.
  Name:
  JSESSIONID
  Content:
  782BF97F50AEC00B1EBBF1C2DBBBB92F.xyz
  Domain:
  xyz.abc.pqr.com
  Path:
  Send for:
  Any kind of connection
  Accessible to script:
  No (HttpOnly)
  Created:
  Wednesday, September 3, 2014 2:25:10 AM
  Expires:
  When the browsing session ends
  BKBK wrote:
  2]When I checked CF Admin->Server Settings->Memory Variables I found that J2EE SESSION has been set to YES. So does this mean that do we need to set HTTPOnly and SECURE flag for JSESSIONID only or for CF session cookies (CFID AND CFTOKEN ) as well ?.
  Set HTTPOnly / Secure for the session cookies that you wish to use. Each cookie has its pros and cons. For example, the JsessionID cookie is more secure and more Java-interoperable than CFID/CFToken but, from the explanation above, it forbids the sharing of sessions between HTTP and HTTPS.
       I understood that setting thos flags (httponly/secure) is as per my wish. But my question was , is it necessary to set those flags forcf session cookies (cfid and cftoken) as we have enabled J2EE session in CF admin?. Or in other way as the session management is J2EE based do we need to set those flags for CF session cookies?.
  BKBK wrote:
  3]If I need to set HTTPOnly and SECURE flag for JSESSIONID , how can I do that.
  It is sufficient to set the HTTPOnly only. As I explained above, Tomcat will automatically set 'secure' to 'true' when necessary, that is, when the protocol is HTTPS.
       I understood that it is sufficient to set httponly only.but how we will set it for jsessionid?. This is my question. Apache vFabric will alos set secure to true automatically. Any idea??

• Setting secure on session management cookie only in production

  I am faced with the following:
  In our developmentcycle we deliver full application exports to an acceptation environment and after testing to a production environment.
  However, only our production site does HTTPS. Development and acceptation only do HTTP.
  In production we have to set the "secure"flag on the session management cookie.
  We would like to set this flag in our deployment scripts.
  So,
  Is there an API we could use to set the "Secure" flag in the APEX metadata using SQL*Plus?

  hi
  ->Use request.getParameter(String s) to recieve the infomation from the html page into your servlet.for storing session specific info go for
  session.setAttribute(vble,value;
  hope it'll solve your problem.

• Setting Secure and HttpOnly flags in JSESSIONID cookie

  I have a web app hosted on WebLogic (8.1 I'm afraid!), and want to secure the JSESSIONID cookie by setting the Secure and HttpOnly flags on it. The intention is to prevent cookie theft.
  As regards the Secure flag, I've tried using the myCookie.setSecure(true) method. This works fine when I debug and step through the code , but by the time the cookie gets back to the client, it has been reset to false again (I'm not clear what by though...).
  There isn't a Cookie method to allow you to set HttpOnly.
  I've thought of using a filter to intercept the response and set the flags explicitly, but this seems like a lot of work for something that seems very simple. I can't find anything in the WebLogic documentation that allows me to configure the settings either.
  Does anyone have any bright ideas about how I can do this?
  Thanks
  Geoff

  I don't think there is HTTPOnly support for WebLogic 8.1 or other versions.
  May be you want to send a note to WebLogic support to find out of they are planning this feature in future ?
  Jayesh
  Yagna Sys

• Create the JSESSIONID cookie with the secure flag

  Hello,
  I wonder if it is possible, through UCM or Weblogic configurations, to automatically create the JSESSIONID cookie used when a user is logged on with the secure flag?
  I have not found any parameters so far that could allow this.
  Thanks in advance!

  We have public Websites running on UCM/SiteStudio which are only accessible through SSL by visitors. The aim is that every cookies should be secure to be sure that they are not transmitted in plain text to our server.
  We thus would like to find a way to put the secure flag on JSESSIONID to avoid any case of session hijacking.
  Thanks.
  Edited by: Leo-G on 17 juil. 2012 23:57

• Secure JSESSIONID for Weblogic running HTTP behind load balancers

  We run multiple Weblogic application servers behind a load balancer. We use an SSL accelerator to avoid encrypt/decrypt functions on the CPUs hosting Weblogic. Our Weblogic servers are running version 10.3.
  Here is my conundrum:
  1) For security purposes, we want the cookie JSESSIONDID to be secure.
  2) Weblogic doesn't seem to want to allow me to set this secure flag as there is no HTTPS on Weblogic.
  3) Network performance dictates that we don't want to run weblogic using https.
  Any suggestions to get JSESSIONID set as secure and http-only on a Weblogic server that is not running https?
  Thanks.

  We run multiple Weblogic application servers behind a load balancer. We use an SSL accelerator to avoid encrypt/decrypt functions on the CPUs hosting Weblogic. Our Weblogic servers are running version 10.3.
  Here is my conundrum:
  1) For security purposes, we want the cookie JSESSIONDID to be secure.
  2) Weblogic doesn't seem to want to allow me to set this secure flag as there is no HTTPS on Weblogic.
  3) Network performance dictates that we don't want to run weblogic using https.
  Any suggestions to get JSESSIONID set as secure and http-only on a Weblogic server that is not running https?
  Thanks.

• Weblogic.httpd.session.cookies.enable not working in WLS4.5 sp 11 ?

  I want to disable the use of cookies in WLS 4.5, and set the following
  weblogic.httpd.session.cookies.enable=false
  In WLS 4.5 sp7, this correctly prevents the server from using cookies
  for session-tracking, forcing the extraction of the session id from a
  rewritten URL.
  However, for WLS 4.5 sp11 cookies are still sent from the server
  Is this a known issue ?
  jo

  I want to disable the use of cookies in WLS 4.5, and set the following
  weblogic.httpd.session.cookies.enable=false
  In WLS 4.5 sp7, this correctly prevents the server from using cookies
  for session-tracking, forcing the extraction of the session id from a
  rewritten URL.
  However, for WLS 4.5 sp11 cookies are still sent from the server
  Is this a known issue ?
  jo

• How to set user InitialContext in Weblogic ?

  Hi ,
  Below 2 questions :
  1). We have an MDB which received an XML message with userId and SiteMinder token.
  We need to process that message to set the Initial Context in Weblogic.What is the best way to do that ?
  2). Since,we have userId in the JMS xml message, the MDB can query LDAP server and get all the groups information.How can i set the groups in Weblogic security realm.
  Thanks,
  Dhirendra
  Thanks

  <p>
  You can use WLST or weblogic.Admin command. WLST is the recommended appraoch. Here are a few links for both of the above:
  </p>
  <p>
  http://edocs.bea.com/wls/docs81/admin_ref/cli.html
  http://e-docs.bea.com/wls/docs91/config_scripting/using_WLST.html
  http://edocs.bea.com/wls/docs90/config_scripting/domains.html
  http://dev2dev.bea.com/blog/hoos/archive/2005/09/what_no_wlst_1.html
  http://dev2dev.bea.com/pub/a/2005/01/wlst_offline.html
  http://dev2dev.bea.com/blog/hoos/archive/2005/10/environment_pro_1.html
  </p>
  <p>
  Hussein Badakhchani
  London Middleware
  </p>
  Edited by hoos at 01/07/2007 3:50 AM
  Edited by hoos at 01/07/2007 3:51 AM

• IMAPMessage is read-only Exception while changing setting the Flag

  Hi,
  I am getting " IMAPMessage is read-only" Exception while setting the Flag to SEEN/DELETED but the chages are effecting in mail(gmail).
  below is my code, please help me in this.
  Session session = Session.getDefaultInstance(props, null);
             Store store = session.getStore("imaps");
             store.connect("imap.gmail.com", username, password);
             Folder inbox= store.getFolder("Inbox");
             inbox.open(Folder.READ_WRITE);
                Message[] msgsArr = inbox.getMessages();
                for (int i = msgsArr .length - 1; i >= 0; i--) {
                  try {
                 IMAPMessage msg = (IMAPMessage) msgsArr ;
  msg.setFlag(Flags.Flag.DELETED, true);
  msg.saveChanges();
  catch (Exception e) {
  e.printStackTrace();
  Thanks,
  Reddy

  You don't need the call to saveChanges after setting the flags.
  Also, you don't need to cast to IMAPMessage.

• Conf. a Win2K Security Realm on WebLogic

       Hi! I'm having some problems configuring a security realm in WebLogic
  server 6.0sp1.
       I'd like that WebLogic use the Windows2000 security realm as the
  default security (it can be used as the secondary security realm
  if it's the only way).     
  We've been trying to make it work for the last two (business) days
  with no hope of being successfull at all.
       We are using the BEA documentation 'Managing Security' as reference,
  and we have some doubts about what's in there.
  First doubt:     The documentation says that we need to create new
  security realm of the type Windows NT. OK, we did it. But we are
  not sure about how to fill the filed Primary Domain. The documentation
  says to put the host and port of the computer where User and Groups
  are defined for the NT domain. I'm using the same computer for
  both (NT domain and Web Logic), so I put the host name (babalu).
  Wich port should I put?
  Second doubt:     The documentation says to create a systerm user on
  the NT domain using NT administrative tools, names it 'system'
  and set some stuff for it. But windows 2000 already has a user
  with that name (SYSTE, but capitalized) and the property that I
  should set on it doesn't exist! By the way, on the system user
  user that windows2000 has I wasn't able to set any property.
  Last doubt (maybe should be the first one) : Does WebLogic 6.0sp1
  support Security Realms from Windows 2000? Or I need to download
  another plugin or somethign like that?
       Thanks for Reading and (hope) Answering my qusetions!
  Roberto Giordano Barra

  Hi! Thanks for the answer. I'll try to run WebLogic as a service.
  In fact, I tried it before but I wasn't able to. I started the
  service by hand, but I wasn't able to access the server. So, I
  click on the 'remove web logic as service'(something like that)
  in the WebLogic program group. Ok, it was removed. But when I tried
  to put it back I didn't find no funny button to help me! Could
  you help me with that?
  Another thing. If I use NT Realm as a Caching Realm I'll be
  able to see the NT user and users groups with the Web Logic management
  GUI ?
  Thanks once again,
  Roberto Giordano Barra
  "arthur" <[email protected]> wrote:
  >
  Hi,
  By saying win2k I am assuming you mean creating an NT
  realm.
  Do not bother specifying a port, just put the server name.
  You have to ensure that you are running the weblogic server
  as
  a NT service if you want to use the NTrealm.
  Make sure under Caching Realm you specify the NTrealm.
  That should be it.
  Hope this helps.
  Regards,
  -Arthur
  "Roberto Giordano Barra" <[email protected]> wrote:
       Hi! I'm having some problems configuring a security
  realm in WebLogic
  server 6.0sp1.
       I'd like that WebLogic use the Windows2000 securityrealm
  as the
  default security (it can be used as the secondary security
  realm
  if it's the only way).     
  We've been trying to make it work for the last two (business)
  days
  with no hope of being successfull at all.
       We are using the BEA documentation 'Managing Security'
  as reference,
  and we have some doubts about what's in there.
  First doubt:     The documentation says that we need to create
  new
  security realm of the type Windows NT. OK, we did it.
  But we are
  not sure about how to fill the filed Primary Domain.The
  documentation
  says to put the host and port of the computer where User
  and Groups
  are defined for the NT domain. I'm using the same computer
  for
  both (NT domain and Web Logic), so I put the host name
  (babalu).
  Wich port should I put?
  Second doubt:     The documentation says to create a systerm
  user on
  the NT domain using NT administrative tools, names it
  'system'
  and set some stuff for it. But windows 2000 already has
  a user
  with that name (SYSTE, but capitalized) and the property
  that I
  should set on it doesn't exist! By the way, on the system
  user
  user that windows2000 has I wasn't able to set any property.
  Last doubt (maybe should be the first one) : Does WebLogic
  6.0sp1
  support Security Realms from Windows 2000? Or I needto
  download
  another plugin or somethign like that?
       Thanks for Reading and (hope) Answering my qusetions!
  Roberto Giordano Barra

• Missing Secure Flag & HttpOnly Flag From SSL Cookie - OWA

  Hello, I'm a bit stuck on this issue for a few days and hoping to get some help on this...
  We are running Exchange 2010 /w SP1 Rollup 6. Server is running great and OWA is on 443. We have two servers for Exchange. One if running the Transport and Mailbox, and the other is CAS. We use IBM for firewall / IDS and we run scheduled penatration tests.
  We came back with two vulnerabilities:
  1) Missing HttpOnly Flag From Cookie
  2) Missing Secure Flag From SSL Cookie
  Their solution is to:
  Add the HttpOnly to all cookies and Add the Secure flag to cookies sent over SSL
  I tried adding this line and playing with the boolean with no luck:
  <httpCookies httpOnlyCookies="false" requireSSL="true" domain="" />
  I set this in the web.config under Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa
  If I turn httpOnlyCookies="true" it will break OWA
  Any help would be appreicated ! Thanks :)
  Will

  Hi,
  We do not set the cookies to HttpOnly because we require access to certain of these cookies from scripts. 
  So we cannot change this, but we take care to use best practices and safe guards within our code to protect against cross site scripting attacks. 
  So it is by design.
  Xiu Zhang
  TechNet Community Support

• Setting secure cookie in iPlanet

  Hi All,
  I would like to set the JSESSIONID cookie as Secure. I read the product documentation for iPlanet Web Server 6.0 and it suggest to use the session-cookie in web-apps.xml. I try to modify the file as following and restart the server
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE vs PUBLIC "-//Sun Microsystems, Inc.; iPlanet//DTD Virtual Server Web Applications 6.0//EN"
       "http://developer.iplanet.com/webserver/dtds/iws-webapps_6_0.dtd">
  <vs>
  <session-cookie is-secure="true"/>
  </vs>
  Unfortunately, it doesn't work, the JSESSIONID is still not Secure Cookie. Does anyone have solution on this? Thanks in advance.
  -Wallace

  I do face the Same Problem. Please Let me know aswell.

• Enable secure session cookie on Sun ONE Web Server 6.1

  How can I enable secure session cookie (JSESSIONID) on Sun ONE Web Server 6.1?.
  For 6.0 is <session-cookie is-secure="true"/> inside the <web-app> tags in web-apps.xml but I'm not able to find this setting for 6.1.

  There is a fix in 6.1sp5 that enables the session cookie to be marked as secure.
  See the release notes and search for 6262885 under Issues Resolved in 6.1sp5:
  http://docs.sun.com/app/docs/doc/819-2479/6n4p1bdea?a=view

• "java.sql.SQLException: Result set already closed"    on weblogic 9.1

  Hello together,
  i'm using hibernate 3.2.5ga on weblogic 9.1 through a data source with JTA defined to access oracle 10 with the Oracle's Thin XA Driver. Sporadically i get this:
  Caused by: java.sql.SQLException: Result set already closed
       at weblogic.jdbc.wrapper.ResultSet.checkResultSet(ResultSet.java:102)
       at weblogic.jdbc.wrapper.ResultSet.preInvocationHandler(ResultSet.java:58)
       at weblogic.jdbc.wrapper.ResultSet_oracle_jdbc_driver_OracleResultSetImpl.getInt(Unknown Source)
       at org.hibernate.type.IntegerType.get(IntegerType.java:28)
       at org.hibernate.type.NullableType.nullSafeGet(NullableType.java:163)
       at org.hibernate.type.NullableType.nullSafeGet(NullableType.java:154)
       at org.hibernate.type.AbstractType.hydrate(AbstractType.java:81)
       at org.hibernate.persister.entity.AbstractEntityPersister.hydrate(AbstractEntityPersister.java:2096)
       at org.hibernate.loader.Loader.loadFromResultSet(Loader.java:1380)
       at org.hibernate.loader.Loader.instanceNotYetLoaded(Loader.java:1308)
       at org.hibernate.loader.Loader.getRow(Loader.java:1206)
       at org.hibernate.loader.Loader.getRowFromResultSet(Loader.java:580)
       at org.hibernate.loader.Loader.doQuery(Loader.java:701)
       at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:236)
       at org.hibernate.loader.Loader.doList(Loader.java:2220)
       at org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2104)
       at org.hibernate.loader.Loader.list(Loader.java:2099)
       at org.hibernate.loader.hql.QueryLoader.list(QueryLoader.java:378)
       at org.hibernate.hql.ast.QueryTranslatorImpl.list(QueryTranslatorImpl.java:338)
       at org.hibernate.engine.query.HQLQueryPlan.performList(HQLQueryPlan.java:172)
       at org.hibernate.impl.SessionImpl.list(SessionImpl.java:1121)
       at org.hibernate.impl.QueryImpl.list(QueryImpl.java:79)
  This exception is thrown when i try to execute a named query for retrieving some data.
  Does anybody know what is wrong?
  Edited by eazy_rida at 12/17/2007 8:32 AM

  Hi Joe
  Here is the full stack trace:
  org.springframework.orm.hibernate3.HibernateSystemException: Exception occurred inside setter of uk.co.cpp.ptarmigan.domain.npp.NppCoveredParty.assets; nested exception is org.hibernate.PropertyAccessException: Exception occurred inside setter of uk.co.cpp.ptarmigan.domain.npp.NppCoveredParty.assets
       at org.springframework.orm.hibernate3.SessionFactoryUtils.convertHibernateAccessException(SessionFactoryUtils.java:661)
       at org.springframework.orm.hibernate3.HibernateAccessor.convertHibernateAccessException(HibernateAccessor.java:412)
       at org.springframework.orm.hibernate3.HibernateTemplate.execute(HibernateTemplate.java:379)
       at org.springframework.orm.hibernate3.HibernateTemplate.find(HibernateTemplate.java:872)
       at org.springframework.orm.hibernate3.HibernateTemplate.find(HibernateTemplate.java:868)
       at uk.co.cpp.ptarmigan.business.dao.hibernate.HibernateNppPolicyDAOImpl.findPolicyByPolicyNumber(HibernateNppPolicyDAOImpl.java:109)
       at uk.co.cpp.testptarmigan.PartyServiceTest.testFetchPhoneAngelUser(PartyServiceTest.java:79)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at org.springframework.test.ConditionalTestCase.runBare(ConditionalTestCase.java:76)
       at com.intellij.rt.execution.junit.JUnitStarter.main(JUnitStarter.java:40)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at com.intellij.rt.execution.application.AppMain.main(AppMain.java:90)
  Caused by: org.hibernate.PropertyAccessException: Exception occurred inside setter of uk.co.cpp.ptarmigan.domain.npp.NppCoveredParty.assets
       at org.hibernate.property.BasicPropertyAccessor$BasicSetter.set(BasicPropertyAccessor.java:65)
       at org.hibernate.tuple.entity.AbstractEntityTuplizer.setPropertyValues(AbstractEntityTuplizer.java:337)
       at org.hibernate.tuple.entity.PojoEntityTuplizer.setPropertyValues(PojoEntityTuplizer.java:200)
       at org.hibernate.persister.entity.AbstractEntityPersister.setPropertyValues(AbstractEntityPersister.java:3571)
       at org.hibernate.engine.TwoPhaseLoad.initializeEntity(TwoPhaseLoad.java:133)
       at org.hibernate.loader.Loader.initializeEntitiesAndCollections(Loader.java:854)
       at org.hibernate.loader.Loader.doQuery(Loader.java:729)
       at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:236)
       at org.hibernate.loader.Loader.loadCollection(Loader.java:1994)
       at org.hibernate.loader.collection.CollectionLoader.initialize(CollectionLoader.java:36)
       at org.hibernate.persister.collection.AbstractCollectionPersister.initialize(AbstractCollectionPersister.java:565)
       at org.hibernate.event.def.DefaultInitializeCollectionEventListener.onInitializeCollection(DefaultInitializeCollectionEventListener.java:63)
       at org.hibernate.impl.SessionImpl.initializeCollection(SessionImpl.java:1716)
       at org.hibernate.collection.AbstractPersistentCollection.forceInitialization(AbstractPersistentCollection.java:454)
       at org.hibernate.engine.StatefulPersistenceContext.initializeNonLazyCollections(StatefulPersistenceContext.java:844)
       at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:241)
       at org.hibernate.loader.Loader.doList(Loader.java:2213)
       at org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2104)
       at org.hibernate.loader.Loader.list(Loader.java:2099)
       at org.hibernate.hql.classic.QueryTranslatorImpl.list(QueryTranslatorImpl.java:912)
       at org.hibernate.engine.query.HQLQueryPlan.performList(HQLQueryPlan.java:172)
       at org.hibernate.impl.SessionImpl.list(SessionImpl.java:1121)
       at org.hibernate.impl.QueryImpl.list(QueryImpl.java:79)
       at org.springframework.orm.hibernate3.HibernateTemplate$30.doInHibernate(HibernateTemplate.java:881)
       at org.springframework.orm.hibernate3.HibernateTemplate.execute(HibernateTemplate.java:374)
       ... 28 more
  Caused by: java.lang.reflect.InvocationTargetException
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at org.hibernate.property.BasicPropertyAccessor$BasicSetter.set(BasicPropertyAccessor.java:42)
       ... 52 more
  Caused by: org.hibernate.exception.GenericJDBCException: could not initialize a collection: [uk.co.cpp.ptarmigan.domain.npp.NppCoveredParty.assets#component[partyId,policyId]{partyId=77951, policyId=78632}]
       at org.hibernate.exception.SQLStateConverter.handledNonSpecificException(SQLStateConverter.java:103)
       at org.hibernate.exception.SQLStateConverter.convert(SQLStateConverter.java:91)
       at org.hibernate.exception.JDBCExceptionHelper.convert(JDBCExceptionHelper.java:43)
       at org.hibernate.loader.Loader.loadCollection(Loader.java:2001)
       at org.hibernate.loader.collection.CollectionLoader.initialize(CollectionLoader.java:36)
       at org.hibernate.persister.collection.AbstractCollectionPersister.initialize(AbstractCollectionPersister.java:565)
       at org.hibernate.event.def.DefaultInitializeCollectionEventListener.onInitializeCollection(DefaultInitializeCollectionEventListener.java:63)
       at org.hibernate.impl.SessionImpl.initializeCollection(SessionImpl.java:1716)
       at org.hibernate.collection.AbstractPersistentCollection.initialize(AbstractPersistentCollection.java:344)
       at org.hibernate.collection.AbstractPersistentCollection.read(AbstractPersistentCollection.java:86)
       at org.hibernate.collection.PersistentBag.toArray(PersistentBag.java:257)
       at java.util.Collections.sort(Collections.java:158)
       at uk.co.cpp.ptarmigan.domain.npp.NppCoveredParty.setAssets(NppCoveredParty.java:54)
       ... 57 more
  Caused by: java.sql.SQLException: Result set already closed
       at weblogic.rjvm.BasicOutboundRequest.sendReceive(BasicOutboundRequest.java:108)
       at weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:137)
       at weblogic.jdbc.rmi.internal.ResultSetImpl_weblogic_jdbc_wrapper_ResultSet_oracle_jdbc_driver_OracleResultSetImpl_922_WLStub.next(Unknown Source)
       at weblogic.jdbc.rmi.internal.ResultSetStub_weblogic_jdbc_rmi_internal_ResultSetImpl_weblogic_jdbc_wrapper_ResultSet_oracle_jdbc_driver_OracleResultSetImpl_922_WLStub.next(Unknown Source)
       at weblogic.jdbc.rmi.internal.ResultSetStraightReader.next(ResultSetStraightReader.java:27)
       at weblogic.jdbc.rmi.SerialResultSet.next(SerialResultSet.java:84)
       at org.hibernate.loader.Loader.doQuery(Loader.java:697)
       at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:236)
       at org.hibernate.loader.Loader.loadCollection(Loader.java:1994)
       ... 66 more
  Caused by: java.sql.SQLException: Result set already closed
       at weblogic.jdbc.wrapper.ResultSet.checkResultSet(ResultSet.java:102)
       at weblogic.jdbc.wrapper.ResultSet.preInvocationHandler(ResultSet.java:58)
       at weblogic.jdbc.wrapper.ResultSet_oracle_jdbc_driver_OracleResultSetImpl.next(Unknown Source)
       at weblogic.jdbc.rmi.internal.ResultSetImpl_weblogic_jdbc_wrapper_ResultSet_oracle_jdbc_driver_OracleResultSetImpl.next(Unknown Source)
       at weblogic.jdbc.rmi.internal.ResultSetImpl_weblogic_jdbc_wrapper_ResultSet_oracle_jdbc_driver_OracleResultSetImpl_WLSkel.internalInvoke1(Unknown Source)
       at weblogic.jdbc.rmi.internal.ResultSetImpl_weblogic_jdbc_wrapper_ResultSet_oracle_jdbc_driver_OracleResultSetImpl_WLSkel.invoke(Unknown Source)
       at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:550)
       at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:440)
       at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
       at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:147)
       at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:436)
       at weblogic.rmi.internal.BasicServerRef.access$300(BasicServerRef.java:58)
       at weblogic.rmi.internal.BasicServerRef$BasicExecuteRequest.run(BasicServerRef.java:975)
       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
       at weblogic.work.ExecuteThread.run(ExecuteThread.java:181)
  We are using using a connection within a client application (in our case we are executing this from a jUnit Integration test) so could this be caused by the handling of these remote connections?