Ajax - Asynchronous JavaScript and XML - clearly is in the focus of software development. Strongly associated with the new Web 2.0 term, Ajax today is everybody's darling. Inspired by the promise and the developer uptake of Ajax, I thought of doing a reality check on one of my favorite pets: container managed security, authentication in particular. There are a couple of issues that just don't work well with container managed security:

a) Basic Authentication logon dialogs cannot be customized

With Ajax, so my theory, I could request a protected page, intercept the server side HTTP response and do whatever I want. For basic authentication, I could try and add the WWW-Authenticate: Basic username:password information to the header (where "username:password" needs to be base64 encoded). I would repeat this game for as many attempts as the user would need to eventually remember the correct password. First surprise: you don't have to think so hard, username and password can be passed to the server as part of the open function of the XmlHttpRequest object.

I think that authentication is a good use case for synchronous Ajax requests because there is no sense in continuing the user's work if there isn't a clear decision about who he is and what he is allowed to do. Note that I used an asynchronous request - despite the fact that I think the synchronous call is the better use case - because this is what Ajax is good for. Using asynchronous requests allows you to add some end-user entertainment like showing a progress bar through the process of authentication. This can be done based on the current XmlHttpRequest state (0, 1, 2, 3, 4).

    function onReadyStateChangeResponse(){ }
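As an added example (not code from Frank's post): the open() call with credentials and a readyState-driven progress handler that the post sketches, plus the Base64 "username:password" encoding it mentions. The URL /protected/ and the onProgress/onDone callbacks are assumptions of this example.

```javascript
// Added example, not from the original post: Ajax logon against a page behind
// container-managed Basic Authentication. Credentials go into open() and the
// readyState values 0..4 drive a progress display. The URL "/protected/" and
// the onProgress/onDone callbacks are assumptions of this example.

// Labels for the five XMLHttpRequest readyState values.
const READY_STATE_LABELS = {
  0: "UNSENT: not yet opened",
  1: "OPENED: open() called, credentials attached",
  2: "HEADERS_RECEIVED: status line and headers arrived",
  3: "LOADING: response body being received",
  4: "DONE: authentication decision available",
};

function describeReadyState(state) {
  return READY_STATE_LABELS[state] || "unknown readyState " + state;
}

// Base64 of "user:pass" as the Basic scheme requires; works in browser and Node.
function basicCredentials(user, pass) {
  const raw = user + ":" + pass;
  return typeof btoa === "function"
    ? btoa(raw)
    : Buffer.from(raw, "binary").toString("base64");
}

// Turn the finished request into a decision object (readyState must be 4).
// If a 401 does reach the script, the supplied credentials were rejected; the
// post observed the browser acting on the 401 (its own dialog) before this
// handler ever sees it.
function classifyLogonResponse(xhr) {
  if (xhr.status === 200) return { ok: true, reason: "authenticated" };
  if (xhr.status === 401) {
    return { ok: false, reason: "rejected",
             challenge: xhr.getResponseHeader("WWW-Authenticate") };
  }
  if (xhr.status === 403) return { ok: false, reason: "forbidden" };
  return { ok: false, reason: "unexpected status " + xhr.status };
}

// Asynchronous request: progress callback on every state change, decision at 4.
function ajaxLogon(user, pass, onProgress, onDone, url) {
  const xhr = new XMLHttpRequest();
  xhr.onreadystatechange = function () {
    onProgress(describeReadyState(xhr.readyState));
    if (xhr.readyState === 4) onDone(classifyLogonResponse(xhr));
  };
  xhr.open("GET", url || "/protected/", true, user, pass);
  xhr.send(null);
  return xhr;
}
```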
My lesson learned from this approach is that it is good to know that the XmlHttpRequest object cannot bypass container managed security. It seems that the browser looks at the returned HTTP error code first before XmlHttpRequest gets to see it. Thus the browser logon dialog pops up instead of giving me a second chance to do it my way.

Form based authentication is next. The idea is that I create a logon form that only returns the JavaScript and form fields needed to send the logon information. I could use a <DIV></DIV> element to show the logon and error form instantly on my JSP page. I haven't implemented this yet and thus cannot say if it is again a waste of my time, but one thing I can see already is that it is a far too complicated approach compared to how easy it is in Web 1.0 (note that while Web 2.0 exists, there is no Web 1.0; I just don't want to call it the "old days Web" because the old days are too current). I hope that Ajax isn't moving farther away from container managed security though, and that there will be an option in the near future to programmatically handle this type of authentication. A JAAS callback handler for Ajax could also make sense if it is integrated with the container. In fact, there are some more good requirements to list for good authentication in Ajax. Or, why should everybody deal himself with encryption, decryption and non-repudiation? Maybe web browsers will become client containers similar to what J2EE containers are on the server. Of course, I don't forget that Ajax is not J2EE ;-) I'll keep on trying and will post a note whenever I am blessed with some success, or a new lesson learned that is worth sharing. Frank

Interesting. I cannot imagine what would have to take place to add a new letter to the American-English alphabet. I cannot even imagine it happening.
(I called it the American-English alphabet because the UK-English one doesn't seem to pay any attention to the fact that the letter Z exists and adds all kinds of U's where they don't belong and so on...)

But the Swedish have gone and done just

I'm pleased to be able to use that as a blog title. Shrek (as he seems to be known by most people in the Oracle community) is actually Bill Thater. His blog lives here. I met Shrek for the first time at the Hotsos Symposium last month and he's a lovely guy and has been doing this Oracle thing for quite a while. Check it out.
I also noticed that everyone seems to be in transit just now. Mark Rittman's

I've arrived at the Collaborate '06 hotel now and it's about a quarter to seven in the morning. I flew in to Nashville around 4 o'clock yesterday and got down to the venue about an hour later. You can tell I...

Shifting time. Definitely looking forward to the Beer and Sausage (love good sausages).

Over on Doug Burns' blog there is a link to an interesting piece on large disks. Some people would think that the data warehousing community would welcome large disks. But probably for the majority (those of us that use conventional relational databases) this is not the case. An exception may be for those people that use data warehouse appliances; here data is hashed across all the available disks. The Battle Against Huge Disks for Databases

I have just completed the move of my site to the new dedicated host. Finally! With lots of trips away over the last month it has taken some time to get the new site up and running. I just have....[Read More] Posted by Pete On 21/04/06 At 09:51 PM

How often do you read the reference guide for something you already know? When I find little things like the one to follow, I wonder why Oracle doesn't broadcast these small improvements more clearly.
I needed to change the undo_retention parameter in a 10gR2 database. Unfortunately I forgot whether the parameter was in seconds or [...]

I'll be attending IOUG Collaborate next week in Nashville, Tenn. and will provide all the news that's fit to blog as it develops. The entire Oracle panoply is speaking there it seems - Charles Phillips, Thomas Kurian, Andy Mendelsohn, etc. More important, though, looking forward to that BBQ...

It was a beautiful spring morning as I drove to Oracle in Reading today. I usually take the back roads through the Chiltern Hills as for me this is far quicker than the motorway route. Seeing the red kites hunting above the hills and the beech woods bursting into colour sets me up nicely for the day; even Reading's traffic jams evaporated. Some days the world just looks too good.

Clemens Utschig has blogged about how to use the Oracle DB XE with the BPEL developer install. I have seen a couple of queries about this recently and thought it was worth repeating what Clemens had said. This is the configuration in which I run my BPEL installation on my laptop.
If it doesn't work and you get strange errors, the most likely cause is that data-sources.xml has not been edited correctly, so shut down BPEL PM, check your data-sources.xml and try again. Note that in a production environment you may well run BPEL Process Manager inside a full application server (say an Oracle App Server mid-tier install) and so could use the nice GUI tools to change datasources. Also it is worth pointing out that if you are using BPEL in a production environment then you should use it with a version of the database that BPEL PM has been certified with.

I was reading the morning newspaper with a cup of coffee, well, actually I was reading slashdot.org, and I tripped across this story about some new 750G disks @ 7200 RPM soon to be released by Seagate. This filled me with a sense of dread about having to, once again, go through the process of [...]

Having the problem that each time you start up Oracle Discoverer Plus (10.1.2) and try to log in, you need to log in twice because the first login fails?
Well here’s the solution to your problem. This behaviour is caused by an incorrect conversion of the URL in OC4J.
	Quick fix
The short-term solution (for end users) [...]

The Register has some interesting analysis of the slanging match that has developed between Larry Ellison and Red Hat chief executive Matthew Szulik, sparked by the latter's purchase of JBoss.
"Why...

I read in a blog post from Pete Finnigan about the potential security hole in the DBMS_SCHEDULER package.
DBMS_SCHEDULER as a new alternative for DBMS_JOB by Patrick Sinke
Note that on some OS, like AIX5L / Oracle 10.2.0.2, the job runs as ORACLE, not as NOBODY.

There is a new INSIDE OCP column in Oracle Magazine this month (May-June 2006 edition).
It is about the Application Server exam. In the magazine, it is referenced as 1Z1-311, but the beta phase ended half a year ago, so the exam is now production 1Z0-311. I could guess most answers, and I hope I can succeed at the first try, which is no sure thing. Anyway, I will try it next Friday at Oracle University in Baden/Zurich.

New in JDeveloper 10.1.3 are scalable vector icons for the modelers. You have a choice of three predefined actor models. Just right click on an actor and select "Attach Image" to switch between them or use your own. As well as the new kid on the block, "Big Head" Balthazar, there's a special cameo from Skeletor, reprising his role from 10.1.2 and previous releases, and Schubert. You may remember him from such Oracle products as Real Time Collaboration aka OIM. Troy McClure had other commitments.

If you're an ADF user and want to start to consume rich Ajax components then I have just the article for you. I've just published the following on the Ajax Resources Page on OTN: "Ajax Transactions Using ADF and JavaServer Faces". In the paper I show how to hook Ajax callback events up so that they have access to ADF [Read entire post...]

Non-Oracle post here. How would you like to drive 370 miles to work? That's TO work. You would then turn around and drive back home in the evening. 740 miles per day. 7 hours a day in traffic. And the...

AMIS has a good write-up about declaring dimensions to help query rewrite.

Someone called N1V1Hd $3c41r3 has posted exploit code for the bug in the package function SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA to the bugtraq mailing list.
The post is titled "Oracle 10g 10.2.0.2.0 DBA exploit" and it details how a package function can....[Read More] Posted by Pete On 20/04/06 At 11:13 PM

Security expert calls for Oracle makeover - by Martin Veitch. "A UK security expert has called for change in Oracle's security strategy, including the removal of the firm's chief security officer.....[Read More] Posted by Pete On 20/04/06 At 10:46 PM

In yesterday's note about async miracles, I promised some more info on how to implement a callback with a listener on top of the BPEL Java API. Why would you want to do that? Well, of course you can use the API to find your instance and then get the result, but this would be blocking again, as long as you are not using a thread - and this is exactly what we will do today. First, here are the steps how you'd do it normally:
 Ok - back to the real callback implementation: 
All you need to do now is to initiate the thread from your client program, pass the parameters, and start it :-D Happy threading... Having questions? Send your feedback on "Implementing an async callback with the BPEL Java API" here.
The opinions expressed in these blogs are those of individual authors. This site is not owned or sponsored by Oracle Corporation. OraBlogs Aggregator release 0.2. All your base are belong to us.