Just to make sure I'm on the same page...

A third party will be building and hosting the web site. This web site will end up with hundreds of suppliers passing in information about their stock. The proposal is that this web site passes XML data through the intranet firewall to a web service running in your intranet.

If the supplier is building a web service, it sounds like they're talking about using an application server in the sense of a middle tier server hosting an application. They're probably not talking about an application server in the J2EE sense, but a J2EE application server wouldn't generally be used in a .Net solution. I would argue that Java is a better fit for building web services with Oracle, particularly on the security side, but reasonable people can disagree there.

On the XML side, are you thinking about sending XML to the database rather than calling stored procedures via ODBC? Or am I misunderstanding that part of the question?

Justin Cave
Distributed Database Consulting, Inc.
http://www.ddbcinc.com/askDDBC

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Jeroen van Sluisdam
Sent: Thursday, May 13, 2004 12:33 AM
To: 'oracle-l@xxxxxxxxxxxxx'
Subject: RE: xml access how to set up security access etc

I meant that we have a supplier offering to be a new website, host this website, make a connection through the internet, pass a firewall in our company, and make a connection to our backoffice. We have to build the connection on the backoffice. The supplier wants to get in through xml and build an extra translation webservice on our side that will call the backoffice procedures through .net (probably something like odbc).

I need concrete arguments to convince management that
a) it is better to build backoffice procedures in xml so you don't need the translation service built by the supplier
b) I need an application server to manage security
c) ....
Tnx,
Jeroen

-----Original Message-----
From: Justin Cave (DDBC) [mailto:jcave@xxxxxxxxxxx]
Sent: Wednesday, May 12, 2004 10:44 PM
To: oracle-l@xxxxxxxxxxxxx
Subject: RE: xml access how to set up security access etc

What do you mean "the supplier of the site takes care of security on his side"? Security needs to be implemented at both sides of this sort of setup to prevent unauthorized people from submitting reservations to your system. You also need to have a way to ensure that reservations are non-repudiatable, basically that you can prove that reservation requests came from the supplier the message claims to come from.

I don't see how you can get close to this with just a database-- an application server seems like an absolutely necessary component here. You'll probably want to expose a web service to the internet that allows customers to submit their XML request, validates it, and passes the request to the database. Opening up a connection to a database on the internet would create pretty significant security concerns that would be, in my opinion, impossible to address. Plus, you want layers of security in this sort of system, which necessitates extra tiers.

One note about your comment on wanting the application server for other development purposes. Since you will be deploying this application server outside the intranet firewall in the DMZ, it won't be appropriate to deploy internal-only applications there. You would want an application server inside the intranet firewall to handle those applications.

Justin Cave
Distributed Database Consulting, Inc.
http://www.ddbcinc.com/askDDBC

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Jeroen van Sluisdam
Sent: Wednesday, May 12, 2004 1:10 PM
To: 'oracle-l@xxxxxxxxxxxxx'
Subject: xml access how to set up security access etc

Hi,

I'm asked to give an opinion about how to connect an external internet site to an oracle database.
The supplier of the site takes care of security on his side, wants to connect via xml through the internet to a machine inside our network, a new to-be-built translator service (.net), and from this connection point probably will go through odbc or something to our production environment.

I have proposed to write the interface on our site in xml with oracle tools, and to set up Oracle application server on our side (I want to acquire and set this up also for other developments). The supplier states this appserver is not necessary. I say yes, in order to manage security and performance. This production database is used for internal and external reservation systems at this time.

This new site is for suppliers to provide stock. Expected is up to 200 suppliers minimum in the first year, with connections widely spread during the day and limited functionality (as far as I'm concerned). This 200 users possibly goes up to 600 or 1000 in the next 2 years. I already have about 400 to 500 users online through reservation systems (3 tier managed by Mts) and about 100 direct 2-tier users.

I need concrete dos and don'ts concerning architecture about direct access through xml with appserver, or xml without appserver, or .net. As far as I'm concerned xml is an open standard and everybody can compose xml messages through an editor, and yes, we can implement quite some security in a firewall, but that's static, difficult to maintain and possibly dangerous because the external site is not under our control. If you have experience in setting this up and know something about the effort it takes, please let me know. I need more concrete arguments to state my proposal because I need the investment approved.

Thanks a lot for your response,

Regards,

Jeroen

----------------------------------------------------------------
Please see the official ORACLE-L FAQ: http://www.orafaq.com
----------------------------------------------------------------
To unsubscribe send email to: oracle-l-request@xxxxxxxxxxxxx
put 'unsubscribe' in the subject line.
--
Archives are at //www.freelists.org/archives/oracle-l/
FAQ is at //www.freelists.org/help/fom-serve/cache/1.html
-----------------------------------------------------------------
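
The validating middle tier described in the 12 May reply above (check that a request really comes from the supplier it names, validate the XML, then hand only typed values to the database) is shown here as an added example; it is not code from the thread or from either party. The supplier id, key, element names and patterns are constructed assumptions, and the HMAC with a per-supplier shared key stands in for sender authentication: proving origin to a third party (non-repudiation) would need a digital signature instead.

```python
import hashlib
import hmac
import re
import xml.parsers.expat

# Constructed sample values; supplier id, key and field names are assumptions.
SUPPLIER_KEYS = {"SUP-0042": b"constructed-demo-key"}
FIELDS = {"supplier": r"SUP-[0-9]{4}", "item": r"[A-Z0-9]{1,12}",
          "quantity": r"[0-9]{1,6}"}  # allow-list: element name -> pattern

def parse_stock(payload: bytes) -> dict:
    """Parse <stock> with expat; refuse DTDs, attributes, unknown elements."""
    values, stack = {}, []
    def no_doctype(*_args):
        raise ValueError("DOCTYPE not allowed")  # blocks entity tricks
    def start(name, attrs):
        allowed = {"stock"} if not stack else FIELDS.keys() - values.keys()
        if attrs or len(stack) > 1 or name not in allowed:
            raise ValueError(f"unexpected element or attribute: {name}")
        stack.append(name)
        if len(stack) == 2:
            values[name] = ""
    def text(data):
        if len(stack) == 2:  # only text directly inside an allowed field
            values[stack[-1]] += data
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = no_doctype
    parser.StartElementHandler = start
    parser.EndElementHandler = lambda _name: stack.pop()
    parser.CharacterDataHandler = text
    try:
        parser.Parse(payload, True)
    except xml.parsers.expat.ExpatError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    for name, pattern in FIELDS.items():
        if not re.fullmatch(pattern, values.get(name, "")):
            raise ValueError(f"bad or missing field: {name}")
    return values

def accept(supplier_id: str, payload: bytes, mac_hex: str) -> tuple:
    """Authenticate the sender, then validate; return procedure bind values."""
    key = SUPPLIER_KEYS.get(supplier_id, b"")
    good = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not key or not hmac.compare_digest(good, mac_hex.encode()):
        raise ValueError("authentication failed")
    msg = parse_stock(payload)
    if msg["supplier"] != supplier_id:
        raise ValueError("body names a different supplier than the sender")
    return (supplier_id, msg["item"], int(msg["quantity"]))
```

The tuple returned by `accept` is what the middle tier would bind as parameters to the back-office stored procedure, so no supplier-controlled text is ever concatenated into SQL.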