RE: xml access how to set up security access etc

  • From: "Justin Cave (DDBC)" <jcave@xxxxxxxxxxx>
  • To: <oracle-l@xxxxxxxxxxxxx>
  • Date: Thu, 13 May 2004 01:00:14 -0600

Just to make sure I'm on the same page...  A third party will be
building and hosting the web site.  This web site will end up with
hundreds of suppliers passing in information about their stock.  The
proposal is that this web site passes XML data through the intranet
firewall to a web service running in your intranet.

If the supplier is building a web service, it sounds like they're
talking about using an application server in the sense of a middle tier
server hosting an application.  They're probably not talking about an
application server in the J2EE sense, but a J2EE application server
wouldn't generally be used in a .Net solution.  I would argue that Java
is a better fit for building web services with Oracle, particularly on
the security side, but reasonable people can disagree there.

On the XML side, are you thinking about sending XML to the database
rather than calling stored procedures via ODBC?  Or am I
misunderstanding that part of the question?


Justin Cave
Distributed Database Consulting, Inc.
http://www.ddbcinc.com/askDDBC

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Jeroen van Sluisdam
Sent: Thursday, May 13, 2004 12:33 AM
To: 'oracle-l@xxxxxxxxxxxxx'
Subject: RE: xml access how to set up security access etc

I meant that we have a supplier offering to be a new website, host this
website, makes a connection through the internet, passes a firewall in
our company, makes a connection to our backoffice.
We have to build the connection on the backoffice. Supplier wants to get
in through xml, build a translation webservice on our side extra that
will call the backoffice procedures through .net (probably something
like odbc)

I need concrete arguments to convince management that
a) better to build backoffice procedures in xml so you don't need the
translation service built by the supplier
b) I need an application server to manage security
c) ....

Tnx,

Jeroen

-----Original Message-----
From: Justin Cave (DDBC) [mailto:jcave@xxxxxxxxxxx]
Sent: Wednesday, May 12, 2004 10:44 PM
To: oracle-l@xxxxxxxxxxxxx
Subject: RE: xml access how to set up security access etc

What do you mean "the supplier of the site takes care of security on his
side"?  Security needs to be implemented at both sides of this sort of
setup to prevent unauthorized people from submitting reservations to
your system.  You also need to have a way to ensure that reservations
are non-repudiatable, basically that you can prove that reservation
requests came from the supplier the message claims to come from.

I don't see how you can get close to this with just a database-- an
application server seems like an absolutely necessary component here.
You'll probably want to expose a web service to the internet that allows
customers to submit their XML request, validates it, and passes the
request to the database.  Opening up a connection to a database on the
internet would create pretty significant security concerns that would
be, in my opinion, impossible to address.  Plus, you want layers of
security in this sort of system, which necessitates extra tiers.

One note about your comment on wanting the application server for other
development purposes.  Since you will be deploying this application
server outside the intranet firewall in the DMZ, it won't be appropriate
to deploy internal-only applications there.  You would want an
application server inside the intranet firewall to handle those
applications.

Justin Cave
Distributed Database Consulting, Inc. http://www.ddbcinc.com/askDDBC

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx]
On Behalf Of Jeroen van Sluisdam
Sent: Wednesday, May 12, 2004 1:10 PM
To: 'oracle-l@xxxxxxxxxxxxx'
Subject: xml access how to set up security access etc

Hi,

I'm asked to give an opinion about how to connect an external internet
site to an Oracle database. The supplier of the site takes care of
security on his side, wants to connect via xml through the internet to a
machine inside our network new to be built translator service (.net) and
from this connection point probably will go through odbc or something to
our production environment.

I have proposed to write the interface on our site in xml with oracle
tools, to set up Oracle application server on our side (I want to
acquire and set up this also for other developments). Supplier states
this appserver is not necessary. I say yes in order to manage security,
performance. This production database is used for internal and external
reservation systems at this time.

This new site is for suppliers to provide stock. Expected is the first
year up to 200 suppliers minimum. Widely spread during the day
connections with limited functionality (as far as I'm concerned). This
200 users possibly goes up to 600 or 1000 next 2 years. I have already
about 400 to 500 users online through reservations systems (3 tier
managed by Mts) and directly about 100 2-tier users.

I need concrete do and don'ts concerning architecture about directly
access through xml with appserver or xml without appserver or .net. As
far as I'm concerned xml is open standard and everybody can compose xml
messages through an editor and yes we can implement quite some security
in a firewall but that's static, difficult to maintain and possibly
dangerous because the external site is not under our control. If you
have experience in setting this up and know something about the effort
it takes please let me know. I need more concrete arguments to state my
proposal because I need the investment approved.

Thanks a lot for your response,

Regards,
Jeroen

----------------------------------------------------------------
Please see the official ORACLE-L FAQ: http://www.orafaq.com
----------------------------------------------------------------
To unsubscribe send email to:  oracle-l-request@xxxxxxxxxxxxx put
'unsubscribe' in the subject line.
--
Archives are at //www.freelists.org/archives/oracle-l/
FAQ is at //www.freelists.org/help/fom-serve/cache/1.html
-----------------------------------------------------------------
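
The gateway tier described in the thread above (establish which supplier
sent a request, validate the XML, pass only checked values on to the
database), sketched as an added example that is not part of the original
messages. The stockUpdate schema, the supplier ID SUP-001, the field
limits and the use of Ed25519 detached signatures are assumptions made
for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/xml"
	"fmt"
)

// StockUpdate is a hypothetical message schema; the thread does not define one.
type StockUpdate struct {
	XMLName  xml.Name `xml:"stockUpdate"` // any other root element is rejected
	Supplier string   `xml:"supplier,attr"`
	Item     string   `xml:"item"`
	Quantity int      `xml:"quantity"`
}

type Gateway map[string]ed25519.PublicKey // supplier ID -> enrolled public key

// Accept verifies the detached signature over the exact bytes received, then
// parses and range-checks them. Only typed fields are returned, to be bound as
// stored-procedure parameters; raw XML never reaches the database.
func (g Gateway) Accept(claimed string, body, sig []byte) (*StockUpdate, error) {
	key, ok := g[claimed]
	if !ok || !ed25519.Verify(key, body, sig) {
		return nil, fmt.Errorf("unknown supplier or bad signature")
	}
	var u StockUpdate
	if err := xml.NewDecoder(bytes.NewReader(body)).Decode(&u); err != nil {
		return nil, fmt.Errorf("malformed XML: %w", err)
	}
	if u.Supplier != claimed {
		return nil, fmt.Errorf("supplier in body does not match signer")
	}
	if u.Item == "" || len(u.Item) > 32 || u.Quantity < 0 || u.Quantity > 100000 {
		return nil, fmt.Errorf("field out of range")
	}
	return &u, nil
}

// demoSupplier enrolls a constructed supplier "SUP-001" and returns its signer.
func demoSupplier() (Gateway, func([]byte) []byte) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	return Gateway{"SUP-001": pub}, func(b []byte) []byte { return ed25519.Sign(priv, b) }
}

func main() {
	g, sign := demoSupplier()
	body := []byte(`<stockUpdate supplier="SUP-001"><item>A-100</item><quantity>25</quantity></stockUpdate>`)
	fmt.Println(g.Accept("SUP-001", body, sign(body)))
}
```

Storing the received bytes together with the signature is what lets a
request be attributed to its supplier afterwards; replay protection
(a nonce or timestamp inside the signed body) is not covered here.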