"Multiple same specifications" and the missing boot.log

I'm using Fedora for my DTop and for some time I've had two SELinux warnings during boot complaining about "Multiple same specifications" for some VLC files. Tonight I finally did something about it and found a spot on post on LinuxQuestions.org by lonecrow called SELinux "Multiple same specifications" annoyance, where macemoneta gives the answer.

Getting this fixed was nice, but it's not all the story. I found the warnings during boot on the console, but at first I didn't memorize it and looked for the warning in /var/log/boot.log to discover that it was empty!:

# ll /var/log/boot.log
-rw------- 1 root root 0 Dec 26 21:28 /var/log/boot.log

What the hell, had my system been compromised for I know not how long? Luckily it hasn't (hopefully) since it's an anti-feature of Fedora that logging to boot.log is disabled. You can read for yourself on Bugzilla Bug 151238: boot.log is empty - it's a very old bug that's been in the frozen zone for some time and obviously didn't even get fixed in the most recent dist: Fedora 8. I'm surprised that something that fundamental isn't working, but instead of just complaining I'll have to sign up for bugzilla and give my vote cause I sure can't change it myself.

Rampart basic examples - how you add WS-Security to Axis2

In my personal opinion Web Services Security is the most successful addition to the web service SOAP stack, often called WS-*. It was much needed and avoided to run into conflicts between the big market players, which to the contrary one of the other much needed abilities, that of adding reliability, ran into big time. Some might argue that WS-Addressing is equally successful and it is important, but for one the standardization process took much longer and secondly (again a personal one) I've primarily been using web services in synchronous mode (in-out) and not in complex flows, so I've not had much need for it though I've had to live with it.

It's been some time since I last used WS-Security and it was back in the early days of WSS4J and Axis1. In the meantime Axis2 has evolved with a new architecture and nice features like native XMLBeans support. For WS-Security it's still WSS4J with support for Web Services Security v1.0 (March 2004), and as far as I can tell support for Web Services Security v1.1 (February 2006) is not that far away. With Axis2 the days of adding handlers and adding parameters with generic name/value constructs are over. Now the Axis2 architecture is build on Flows, Phases, Handlers, and Modules (From the OxygenTank) and there's a seperate module, called Rampart, that plugs WS-Security support with WSS4J into Axis2. The Axis2 guide for using rampart: Securing SOAP Messages with Rampart practically covers it all, but for new comers there's a great set of samples covering about just all practical scenarios of using WS-Security. In this post I give an quick overview over these samples.

Note: Rampart does have it's own subsite, but it does not look like it's being maintained since the last release here is still 1.2.

Basic samples

There are 11 examples bundled with the current Rampart. It's all configured with two parameters named InflowSecurity and OutflowSecurity in the files services.xml (server side) and axis2.xml (client side). I'll now go through all of them with the central configurations and a mix of the comments that come with the samples and my own. I'll not show any of the code, for that you'll have to look at the samples yourself.

01. Rampart Engaged and no configuration

The first sample actually does NOT add WS-Security, and shows the basic service that's used and the needed Axis2 configuration. Thereby also showing that Apache Rampart does not work on the messages when simply engaged without any configuration (parameters).

In this post I'll only show the server side configuration since it's almost identical to the client side. For this sample the services.xml file looks like:

    1 <?xml version="1.0" encoding="UTF-8"?>
    2 <!--
    3   !
    4   ! Copyright 2006 The Apache Software Foundation.
    5   !
    6   ! Licensed under the Apache License, Version 2.0 (the "License");
    7   ! you may not use this file except in compliance with the License.
    8   ! You may obtain a copy of the License at
    9   !
   10   !      http://www.apache.org/licenses/LICENSE-2.0
   11   !
   12   ! Unless required by applicable law or agreed to in writing, software
   13   ! distributed under the License is distributed on an "AS IS" BASIS,
   14   ! WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   15   ! See the License for the specific language governing permissions and
   16   ! limitations under the License.
   17   !-->
   18 <!-- services.xml of sample-1 : No Security-->
   19 <service>
   20   <operation name="echo">
   21     <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver" />
   22   </operation>
   23   <parameter
   24     name="ServiceClass"
   25     locked="false">
   26     org.apache.rampart.samples.sample01.SimpleService
   27   </parameter>
   28 
   29   <module ref="rampart" />
   30 
   31 </service>

So adding the module doesn't do nothing in itself, contrary to the behavior of WS-Addressing.

02. UsernameToken authentication

The client is configured to add a UsernameToken to the outgoing message. The service is configured to process it.

From now I'll just show the WS-Security parameters to keep it short and focused:

   32   <parameter name="InflowSecurity">
   33     <action>
   34       <items>UsernameToken Timestamp</items>
   35       <passwordCallbackClass>org.apache.rampart.samples.sample02.PWCBHandler</passwordCallbackClass>
   36     </action>
   37   </parameter>

Note how org.apache.rampart.samples.sample02.PWCBHandler supplies the password to wss4j to compute the digest for comparison.

03. UsernameToken authentication with a plain text password

The client is configured to add a UsernameToken to the outgoing message. Note the <passwordType>PasswordText</passwordType> element. The service is configured to process it.

Note how org.apache.rampart.samples.sample03.PWCBHandler authenticates the password

   32   <parameter name="InflowSecurity">
   33     <action>
   34       <items>UsernameToken</items>
   35       <passwordCallbackClass>org.apache.rampart.samples.sample03.PWCBHandler</passwordCallbackClass>
   36     </action>
   37   </parameter>

04. Message integrity and non-repudiation with signature

Both client and servce are configured to sign the outgoing message and to verify the signature of the incoming message using their key pairs.

   32   <parameter name="InflowSecurity">
   33     <action>
   34       <items>Timestamp Signature</items>
   35       <signaturePropFile>service.properties</signaturePropFile>
   36     </action>
   37   </parameter>
   38 
   39   <parameter name="OutflowSecurity">
   40     <action>
   41       <items>Timestamp Signature</items>
   42       <user>service</user>
   43       <passwordCallbackClass>org.apache.rampart.samples.sample04.PWCBHandler</passwordCallbackClass>
   44       <signaturePropFile>service.properties</signaturePropFile>
   45       <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
   46     </action>
   47   </parameter>

05. Encryption

Both client and servce are configured to encrypt the outgoing message and to decrypt incoming message using their key pairs.

   32   <parameter name="InflowSecurity">
   33     <action>
   34       <items>Encrypt</items>
   35       <passwordCallbackClass>org.apache.rampart.samples.sample05.PWCBHandler</passwordCallbackClass>
   36       <decryptionPropFile>service.properties</decryptionPropFile>
   37     </action>
   38   </parameter>
   39 
   40   <parameter name="OutflowSecurity">
   41     <action>
   42       <items>Encrypt</items>
   43       <encryptionUser>client</encryptionUser>
   44       <encryptionPropFile>service.properties</encryptionPropFile>
   45     </action>
   46   </parameter>

06. Sign and encrypt a messages

Both client and servce are configured to first sign and then encrypt the outgoing message and to decrypt and verify the incoming message using their key pairs.

   32   <parameter name="InflowSecurity">
   33     <action>
   34       <items>Timestamp Signature Encrypt</items>
   35       <passwordCallbackClass>org.apache.rampart.samples.sample06.PWCBHandler</passwordCallbackClass>
   36       <signaturePropFile>service.properties</signaturePropFile>
   37     </action>
   38   </parameter>
   39 
   40   <parameter name="OutflowSecurity">
   41     <action>
   42       <items>Timestamp Signature Encrypt</items>
   43       <user>service</user>
   44       <passwordCallbackClass>org.apache.rampart.samples.sample06.PWCBHandler</passwordCallbackClass>
   45       <signaturePropFile>service.properties</signaturePropFile>
   46       <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
   47       <encryptionKeyIdentifier>SKIKeyIdentifier</encryptionKeyIdentifier>
   48       <encryptionUser>useReqSigCert</encryptionUser>
   49     </action>
   50   </parameter>

07. Encrypt and sign messages

Both client and servce are configured to first encrypt and then sign the outgoing message and to verify and decrypt the incoming message using their key pairs.

   32   <parameter name="InflowSecurity">
   33     <action>
   34       <items>Timestamp Encrypt Signature</items>
   35       <passwordCallbackClass>org.apache.rampart.samples.sample07.PWCBHandler</passwordCallbackClass>
   36       <signaturePropFile>service.properties</signaturePropFile>
   37     </action>
   38   </parameter>
   39 
   40   <parameter name="OutflowSecurity">
   41     <action>
   42       <items>Timestamp Encrypt Signature</items>
   43       <user>service</user>
   44       <passwordCallbackClass>org.apache.rampart.samples.sample07.PWCBHandler</passwordCallbackClass>
   45       <signaturePropFile>service.properties</signaturePropFile>
   46       <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
   47       <encryptionKeyIdentifier>SKIKeyIdentifier</encryptionKeyIdentifier>
   48       <encryptionUser>useReqSigCert</encryptionUser>
   49     </action>
   50   </parameter>

08. Signing twice

The client is configured to sign the outgoing message twice. Note the aditional <action>> element that defines the second signature (client side) and that we simply use "Signature Signature" as action items (server side - here).

   32   <parameter name="InflowSecurity">
   33     <action>
   34       <items>Timestamp Signature Signature</items>
   35       <passwordCallbackClass>org.apache.rampart.samples.sample08.PWCBHandler</passwordCallbackClass>
   36       <signaturePropFile>service.properties</signaturePropFile>
   37     </action>
   38   </parameter>

09. Encryption with a key known to both parties

Encryption with a key known to both parties. Both client and servce are configured to encrypt the outgoing message and to decrypt incoming message using a known named key.

Note the use of <EmbeddedKeyName>SessionKey</EmbeddedKeyName> and that org.apache.rampart.samples.sample09.PWCBHandler sets the key

   32   <parameter name="InflowSecurity">
   33     <action>
   34       <items>Encrypt</items>
   35       <passwordCallbackClass>org.apache.rampart.samples.sample09.PWCBHandler</passwordCallbackClass>
   36       <decryptionPropFile>service.properties</decryptionPropFile>
   37     </action>
   38   </parameter>
   39 
   40   <parameter name="OutflowSecurity">
   41     <action>
   42       <items>Encrypt</items>
   43       <user>service</user>
   44       <encryptionKeyIdentifier>EmbeddedKeyName</encryptionKeyIdentifier>
   45       <encryptionPropFile>service.properties</encryptionPropFile>
   46       <EmbeddedKeyCallbackClass>org.apache.rampart.samples.sample09.PWCBHandler</EmbeddedKeyCallbackClass>
   47       <EmbeddedKeyName>SessionKey</EmbeddedKeyName>
   48     </action>
   49   </parameter>

10. MTOM Optimizing base64 content in the secured message

Sign and encrypt messages. Both client and servce are configured to first sign and then encrypt the outgoing message and to decrypt and verify the incoming message using their key pairs.

Note the use of <optimizeParts>[xpath expression]</optimizeParts>

   32   <parameter name="InflowSecurity">
   33     <action>
   34       <items>Timestamp Signature Encrypt</items>
   35       <passwordCallbackClass>org.apache.rampart.samples.sample10.PWCBHandler</passwordCallbackClass>
   36       <signaturePropFile>service.properties</signaturePropFile>
   37     </action>
   38   </parameter>
   39 
   40   <parameter name="OutflowSecurity">
   41     <action>
   42       <items>Timestamp Signature Encrypt</items>
   43       <user>service</user>
   44       <passwordCallbackClass>org.apache.rampart.samples.sample10.PWCBHandler</passwordCallbackClass>
   45       <signaturePropFile>service.properties</signaturePropFile>
   46       <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
   47       <encryptionKeyIdentifier>SKIKeyIdentifier</encryptionKeyIdentifier>
   48       <encryptionUser>useReqSigCert</encryptionUser>
   49     </action>
   50   </parameter>

11. Dynamic configuration : Get rid of the config files ... let's use code!

Both client and servce are configured to first sign and then encrypt the outgoing message and to decrypt and verify the incoming message using their key pairs.

Note that we don't use any parameters in the client.axis2.xml, see org.apache.rampart.samples.sample11.Client's getOutflowConfiguration() and getInflowConfiguration() methods and their usage.

   32   <parameter name="InflowSecurity">
   33     <action>
   34       <items>Timestamp Signature Encrypt</items>
   35       <passwordCallbackClass>org.apache.rampart.samples.sample11.PWCBHandler</passwordCallbackClass>
   36       <signaturePropFile>service.properties</signaturePropFile>
   37     </action>
   38   </parameter>
   39 
   40   <parameter name="OutflowSecurity">
   41     <action>
   42       <items>Timestamp Signature Encrypt</items>
   43       <user>service</user>
   44       <passwordCallbackClass>org.apache.rampart.samples.sample11.PWCBHandler</passwordCallbackClass>
   45       <signaturePropFile>service.properties</signaturePropFile>
   46       <signatureKeyIdentifier>DirectReference</signatureKeyIdentifier>
   47       <encryptionKeyIdentifier>SKIKeyIdentifier</encryptionKeyIdentifier>
   48       <encryptionUser>useReqSigCert</encryptionUser>
   49     </action>
   50   </parameter>

Dont update Eclipse - upgrade

I've been a happy Eclipse user for some years now. I've seen all sorts of nice features being added like the WTP project in it self. One thing that hasn't changed that much though is the update tool. Updating Fedora with yum is quite simple and relatively quick, but that's not the way I experience it with Eclipse. It seems rather slow and using to choose mirrors makes it very slow (haven't found the fast sites). I'm not all alone with that: Eclipse updates still lag behind.

Therefore I update seldom, but the other night I thought it was time to update again. So I ate the pain an started goin:

And it kept like this with the diffenrent tools I use, finally getting ready to install and then I got an error! I'm sorry I didn't make a screenshot of it, but I sure as h*** wasn't going to do it once more, so I thought I might try some precision work:

It turned out that my setup contained errors, even though I hadn't had any problems with it. Maybe an update on this plugin could fix it:

Nope, no news. I gave up and dowloaded that latest J2EE package from scracth and installed anew my favorite plugins like subclipse. With a completly new package I decided to stay updated and ran the tool again:

I have perviously updated with success, but now I've realized that I don't update Eclipse - I upgrade.

OASIS Public Review of five (old) SAML Specifications

The OASIS Security Services (SAML) TC has started a Public Review of SAML Specifications that ends on 9 February 2008. The five specifications are:

• SAMLv2.0 HTTP POST "SimpleSign" Binding [HTML]

  This specification defines a SAML HTTP protocol binding, specifically using the HTTP POST method, and not using XML Digital Signature for SAML message data origination authentication. Rather, a “sign the BLOB” technique is employed wherein a conveyed SAML message is treated as a simple octet string if it is signed. Conveyed SAML assertions may be individually signed using XMLdsig. Security is optional in this binding.

• Identity Provider Discovery Service Protocol and Profile [HTML]

  Defines a generic browser-based protocol by which a centralized discovery service implemented independently of a given service provider can provide a requesting service provider with the unique identifier of an identity provider that can authenticate a principal.

• SAML V2.0 Attribute Sharing Profile for X.509 Authentication-Based Systems [HTML]

  This deployment profile specifies the use of SAML V2.0 attribute queries and assertions to support distributed authorization in support of X.509-based authentication.

• SAML V2.0 Deployment Profiles for X.509 Subjects [HTML]

  This related set of SAML V2.0 deployment profiles specifies how a principal who has been issued an X.509 identity certificate is represented as a SAML Subject, how an assertion regarding such a principal is produced and consumed, and finally how two entities exchange attributes about such a principal.

• SAML V2.0 LDAP/X.500 Attribute Profile [HTML]

  This profile is a replacement for the X.500/LDAP Attribute Profile found in the original SAML 2.0 Profiles specification [SAML2Prof]. The original profile results in well-formed but schema-invalid XML and cannot be corrected without a normative change.

I've never figured out why these announcements never mention what happens after the hearing is over, especially when the specifications are expected to become an OASIS standard. I can understand that in potentially someone could make a substantial comment that would require another round with the committee, but in general it seems like these specifications follow a slow by sure flow, so why not write something like this is the final review and afterwards they are expected to become standards in ex. April. Maybe they think that readers/reviews know the OASIS process by heart (we don't), they do not have a clue when specifications will finally become standards or they're afraid to promise anything (due to hard earned lessons).

Back in July I looked at the last one in my post: "New SAML V2.0 X.500/LDAP Attribute Profile". The version I wrote about was the Committee Draft 01, 19 December 2006 which is just about a year ago from now. I just did a quick comparison between the two odt versions and it didn't look like it had undergone any significant technical changes, just a couple of textual corrections and the right intro with references. Based on this observation is sort of sad that it still isn't final, but maybe most for the writer (Scott Cantor) since the demand for attribute profiles looks low (Who needs SAML V2.0 Attribute profiles?).

I haven't had time to look at the other specifications but maybe the new year will change that.

Two projects that use the Portlet CSS-classes

In a previous post Sweetxml: Styling my WSRP portlets - does these CSS classes really give us common look-and-feel? I had a first look at the styling guidance that comes with portlet standards JSR-168 and WSRP V1. Here's a short description of two projects that I found actually use the CSS style classes.

JBoss Portal

In the JBoss Portal 2.6.2 - Reference Guide under section Chapter 23. Layouts and Themes the subsection 23.7.3. List of CSS Selectors. This is much more than described in the portlet specs since it covers the hole page and content elements that the JBoss Portal has for themes. The turnover to the portlet content is very clear, and the know classes are defined and some new ones like ex. the ones for the link pseudo-classes and some new ones called WSRP Selectors.

"insideMIT" Portal Project Notebook

This is an active project where the insideMIT Project Plan show that they are currently working on Phase 6: SAP integration - Add portlets that talk to SAP.. Under Web Development Standards the purpos is stated as:

• Promote a uniform look and feel across all enterprise web applications and web sites built by Administrative Computing.
• Promote uniformity of the code used in MIT Administrative Computing web applications. Specifically, to promote the production of well-formed web pages.
• Provide guidelines intended to reduce the work required to support multiple web browsers and platforms.
• Promote "best web" development practices.

This sounds very much like the intentions for the WSRP CSS-classes. This project uses some of the portlet CSS-classes as can be seen in Mapping of WSRP Classes to "Inside MIT" Applications. It's under half of the CSS-classes they (re)use, and unfortunately there's no explanation to this, but I guess it's simply that they don't need more.

It's an intranet portal so I can't access and see the actual markup, but there's a short presentation of the InsideMIT Portal - hey no, it's publicly available but just not currently.

Using WSRP CSS classes - an example by Oracle

Since I wrote my last post Styling my WSRP portlets - does these CSS classes really give us common look-and-feel? I've been looking for recommendations and best practice on this field of web design. In this post I'll list some of the best sources I've found and compare with an example by Oracle.

Semantic (X)HTML

I hadn't heard of this before stumbling upon it, but the concept i straight forward and not to far away from projects I've worked on myself. There are several good references but one of best are The Early Bird Catches the CSS: Planning Structural HTML by Virginia DeBolt (on Wise-Women). Other great sources:

• Do Canonical Web Designs Exist?
• Canonical Web Design, Redux
• HTML as Self-Describing Data
• Explaining semantic mark-up
• Understanding and extending semantics in HTML
• Semantics in HTML
  • Part I - Traditional HTML Semantics
  • Part II - Standardizing Vocabularies
  • Part III - Directions in HTML Semantics

Where the last one has the full crossover to microformats.

The Oracle CSS Portlet

As an effort to enable/show WSRP 1.0 interoperability several of the member of that committee has exposed both producers and some simple portal pages consuming the different producers. One of the portlets exposed by Oracle are The Oracle CSS Portlet:

which can be found alongside others on the Hosted WSRP root page with "WSRP/JSR 168 Sample Portlets". This example portlet is perfect to get an idea on how to use the classes.

Before looking into the actual markup a run through W3C's Markup Validation Service gives:This page is not Valid HTML 4.01 Transitional! - Failed validation, 9 Errors. This is not that bad and most of the errors seem minor.

In the markup there's no rule as to where the portlets start, but in this example it's not so hard. Using the great Web Eeveloper add-on to Firefox, with "View style information" (under 'CSS') it looks like this:

This is a very resonale guess as to where the page template stops and the portlet starts. This is also of relevance as this concerns the use of section classes.

The first part of the template until the portlet part is like:

    1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    2 <HTML dir="LTR" lang="da">
    3 <HEAD>
    4 <TITLE>CSS Portlet</TITLE>
    5 </HEAD>
    6 <BODY bgcolor="#FFFFFF">
    7 <SCRIPT TYPE="text/javascript">function show_context_help(h) {window.open(h,"Help","menubar=1,toolbar=1,scrollbars=1,resizable=1,width=700,height=500").focus();}</SCRIPT>
    8 <NOSCRIPT></NOSCRIPT>
    9 <LINK REL=Stylesheet TYPE="text/css"
   10   HREF="http://portalstandards.oracle.com/portal/pls/portal/PORTAL.wwui_api_body.render_wizard_css?p_version=10.1.4.0.0.594">
   11 <A HREF="#content"><IMG SRC="/images/pobtrans.gif" ALT="Spring over navigeringslinks" border=0></A>
   12 <TABLE CELLSPACING="0" CELLPADDING="0" WIDTH="90%" align="CENTER" CLASS="OraWizBannerColor">
   13   <TR>
   14     <TD ALIGN="LEFT" width="5%" valign=TOP rowspan=2><IMG SRC="/images/logo.gif" ALT="Oracle Portal" border=0></TD>
   15     <TD ALIGN="RIGHT" valign="TOP"><IMG SRC="/images/pobtrans.gif" height=1 width=10 border=0 ALT=""> <A
   16       HREF="http://portalstandards.oracle.com/portal/pls/portal/PORTAL.home" class="OraWizBannerLink">Startside</A> <IMG
   17       SRC="/images/pobtrans.gif" height=1 width=10 border=0 ALT=""> <A
   18       HREF="http://portalstandards.oracle.com/portal/page/portal/TOPLEVELSITE" class="OraWizBannerLink">Builder</A></TD>
   19   </TR>
   20 </TABLE>
   21 <CENTER>
   22 <TABLE BORDER="0" CELLPADDING="0" CELLSPACING="0" WIDTH="90%">
   23   <TR>
   24     <TD>
   25     <TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
   26       <TR>
   27         <TD width="3%" class="OraBgColorDark">&nbsp;</TD>
   28         <TD width="96%" class="OraBgColorDark"><FONT class="OraGlobalPageTitle">CSS Portlet</FONT></TD>
   29         <TD class="OraBgColorDark">&nbsp;</TD>
   30       </TR>
   31     </TABLE>
   32 
   33     </TD>
   34   </TR>
   35   <TR>
   36     <TD>
   37     <TABLE border="0" cellpadding="0" cellspacing="0" width="100%">
   38       <TR>
   39         <TD rowspan="2" valign="TOP">
   40         <TABLE border="0" cellpadding="0" cellspacing="0">
   41           <TR>
   42             <TD valign="TOP" class="OraBgColorDark"><IMG src="/images/FFFFFFsl.gif" valign="TOP" border="0"></TD>
   43           </TR>
   44         </TABLE>
   45         </TD>
   46         <TD rowspan="2" valign="TOP"><IMG src="/images/compedit.gif" valign="TOP" border="0"></TD>
   47         <TD align="right" valign="TOP" width="100%">
   48         <FORM>
   49         <TABLE border="0" cellpadding="1" cellspacing="4">
   50           <TR>
   51             <TD BGCOLOR="#999999">
   52             <BUTTON TYPE="button"
   53               onClick="javascript:window.location='http://portalstandards.oracle.com/portal/page/portal/OracleHostedWSRPPortal/Samples'">Close</BUTTON>
   54 
   55             </TD>
   56           </TR>
   57         </TABLE>
   58         </FORM>
   59         </TD>
   60       </TR>
   61     </TABLE>
   62     </TD>
   63   </TR>
   64 </TABLE>
   65 </CENTER>
   66 <CENTER>
   67 <TABLE WIDTH="90%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
   68   <TR>
   69     <TD>
   70     <BLOCKQUOTE>
   71     <BLOCKQUOTE>

Aiming to to be "4.01 Transitional" is a common choice, though strict would have been more correct in terms of the HTML 4.01 specification itself. The layout is clearly controlled by a tables and not through CSS2. The double nesting in <blockquote> elements is non-semantic.

The next markup section is the portlet markup, and it comes with an abvious change from uppercase to lowercase, supporting my guess that this in fact the content provided by the portlet:

   72     <p class="portlet-section-header">This is a portlet section header - uses style "portlet-section-header"</p>
   73     <p class="portlet-section-subheader">This is a portlet section sub-header - uses style "portlet-section-subheader"</p>
   74     <p class="portlet-section-body">This is a portlet section body - uses style "portlet-section-body"</p>
   75 
   76     <p class="portlet-section-alternate">This is an alternate row within this section - uses style
   77     "portlet-section-alternate"</p>
   78     <p class="portlet-section-footer">This is a portlet section footer - uses style"portlet-section-footer"</p>
   79     <p class="portlet-font">This is regular text with in the portlet body - uses style "portlet-font"</p>
   80     <p class="portlet-font-dim">This text uses style "portlet-font-dim"</p>
   81     <p class="portlet-msg-status">This is a status message with in the portlet - uses style "portlet-msg-status"</p>
   82     <p class="portlet-msg-info">Help: This is a Help message - uses style "portlet-msg-info"</span></p>
   83     <p class="portlet-msg-error">Error: This is an error message - uses style "portlet-msg-error"</p>
   84     <p class="portlet-msg-alert">Warning: This is a warning - uses style "portlet-msg-alert"</p>
   85     <p class="portlet-msg-success">This text is a verification of the successful completion of a task - uses style
   86     "portlet-msg-success"</p>

This part of the portlet covers the basic CSS classes for section which here is though the <p> element. Next comes the table:

   87 
   88     <center>
   89     <table width="87%" border="1">
   90       <tr class="portlet-table-header">
   91         <td>This is a table heading - uses style"portlet-table-header"</td>
   92         <td colspan="2">Heading 1</td>
   93         <td>Heading 2</td>
   94         <td>Heading 3</td>
   95       </tr>
   96       <tr class="portlet-table-subheader">
   97         <td>This is a table sub-heading - uses style "portlet-table-subheader"</td>
   98         <td>Sub-heading 1</td>
   99         <td>Sub-heading 2</td>
  100         <td>&nbsp;</td>
  101         <td>&nbsp;</td>
  102       </tr>
  103 
  104       <tr class="portlet-table-body">
  105         <td>This is table body text - uses style "portlet-table-body"</td>
  106         <td>Table body text</td>
  107         <td>Table body text</td>
  108         <td>Table body text</td>
  109         <td>Table body text</td>
  110       </tr>
  111       <tr class="portlet-table-footer">
  112         <td colspan="5" align="center">This is a table footer - uses style "portlet-table-footer"</td>
  113       </tr>
  114     </table>
  115     </center>

If I were to choose I would prefer using the corresponding table elements for header, body and footer. I can't figure out if the subheader is needed or could be done by <caption> and <thead>.

The last part is an example for forms:

  116     <form>
  117     <p align="center" class="portlet-section-header">A Sample Form</p>
  118 
  119     <center>
  120     <table>
  121       <tr>
  122         <td class="portlet-form-label" colspan="2">This is a form label - uses style "portlet-form-label"</td>
  123       </tr>
  124       <tr>
  125         <td class="portlet-form-field-label">This is text for a form field - uses style "portlet-form-field-label"</td>
  126         <td><input name="textfield" type="text" class="portlet-form-input-field"
  127           value='This is user input in a text field - uses style"portlet-form-input-field"' /></td>
  128       </tr>
  129       <tr>
  130         <td class="portlet-form-label" colspan="2" align="center"><input name="Submit" type="button"
  131           class="portlet-form-button" value='This is text on a form button - uses style "portlet-form-button"' /></td>
  132       </tr>
  133     </table>
  134     </center>
  135     </form>

Like with the table part it seems redundant that the style classes repeat the element structure.

And from here it's back to the template with uppercasing:

  136     </BLOCKQUOTE>
  137     </BLOCKQUOTE>
  138     </TD>
  139   </TR>
  140 </TABLE>
  141 </CENTER>
  142 <CENTER>
  143 <TABLE border="0" cellpadding="0" cellspacing="0" width="90%">
  144   <TR>
  145     <TD><IMG src="/images/pobtrans.gif" width="1" height="8"></TD>
  146   </TR>
  147   <TR>
  148     <TD>
  149 
  150     <TABLE width="100%" border="0" cellpadding="0" cellspacing="0">
  151       <TR>
  152         <TD align="right">
  153         <TABLE border="0" cellpadding="0" cellspacing="0">
  154           <TR>
  155             <TD align="right" class="OraBgColorDark"><IMG src="/images/FFFFFFbr.gif"></TD>
  156           </TR>
  157         </TABLE>
  158         </TD>
  159       </TR>
  160       <TR>
  161         <TD height="14" class="OraBgColorDark">&nbsp;</TD>
  162       </TR>
  163     </TABLE>
  164     </TD>
  165   </TR>
  166 </TABLE>
  167 </CENTER>
  168 
  169 </BODY>
  170 </HTML>

Conclusion

Semantic XHTML is considered best practice but it's hard to find in the portlet CSS classes. It is very nice that Oracle has taken the time to create an example for how the classes should be used. The missing part to conclude on is the complexity of the example and even more the richness of the design. The design chosen here is quite minimal and that might make this example more forgiving, as to which variants in the portlet markup would look right.