OC4J 9.0.3: JAAS Compliant LoginModule support !

Similar Messages

• Using a JAAS compliant LoginModule in OC4j

  Hi.
  I'm trying to set up an application to use a custom LoginModule in OC4J. The OC4J security FAQ states that this can be done by adding <!--Login Module Data-->... to the jazn-data.xml file as it is done with the oracle.security.jazn.tools.Admintool. The only users I seem to be able to authenticate with is the ones defined in the <jazn-realm> section of jazn-data.xml. If I try to remove this or parts of this section, the application fails to start.
  If I deliberately misspells the classname of the login module, no error message is displayed.
  Do I have to enable the use of custom login modules in any way other then adding them to the jazn-data.xml file? I not, can anyone tell me why I cant get it to work, and what I can do to get it to work?
  I am using a SampleLoginModule from sun.
  The classfiles for the login module is placed in a jar file in <j2ee-home>\lib directory
  The OC4J is version 9.0.3.0.0
  (standalone)
  The login module data in jazn-data.xml:
  <jazn-loginconfig>
  <application>
  <name>jazntest</name>
  <login-modules>
  <login-module>
  <class>sample.module.SampleLoginModule</class>
  <control-flag>required</control-flag>
  <options>
  <option>
  <name>debug</name>
  <value>true</value>
  </option>
  </options>
  </login-module>
  </login-modules>
  <application>
  I am wondering about the name tag in application. What name is this?
  The name of the app IS jazntest.
  Both in server.xml:
  <application name="jazntest" path="../applications/jazntest.ear" auto-start="true" />
  and in http-web-site.xml:
  <web-app application="jazn-test" name="jazntest" root="/jazntest" />
  Any help appreciated.
  Ole

  Ole, Anders,
  A custom LoginModule can indeed be setup with JAZN if it's JAAS-compliant. In order to setup this up, you'll need to do the following:
  1. Define the custom LoginModule in the global jazn-data.xml file (i.e. in the j2ee/home/config directory). The name-value tags are for optional parameters. Most LoginModules have a debug mode but this is optional (see the LoginModule specific documentation).
  2. Put all the LoginModule files in the lib/ext directory of whichever JRE you are using (e.g. $oracle_home/jdk/jre/lib/ext). You may also need to place a copy of the "jaas.jar" file in that same directory.
  3. For the actual application, you want to make sure that you do not use the container's security and authentication constraints defined in the application's web.xml file. Note: unlike the default JAZN RealmLoginModule, custom LoginModules are not integrated with these container security constraints. This means that with the custom LoginModule, you need to programmatically create a LoginContext and explicitly do a "login()" (as described in most JAAS tutorials). You may also need to restart the OC4J instance for some of these changes to take affect.
  Regards,
  -Lee

• Oracle OC4J: JAZNUserManager ready, now adding SSL security support...

  Hello,
  I developed a J2EE application with FORM
  based authentication security using the JAAS
  JAZN Oracle support for encrypted passwords.
  Now I would like to find the way to send it
  as encrypted data with SSL but don't know
  how to do it...
  I already tried adding something
  declaratively like:
  my web.xml
  <auth-method>FORM</auth-method>
  <form-login-config>
  <form-login-page>index.jsp</form-login-page>
  <form-error-page>login_error.jsp</form-error-page>
  </form-login-config>
  <security-constraint>
  <web-resource-collection>
  <user-data-constraint>
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
  </security-constraint>
  But I only got it refusing to send any data... I guess there
  should be a way to do it?
  I also tried:
  <login-config>
  <login-config>
  <auth-method>CLIENT-CERT</auth-method>
  </login-config>
  </login-config>
  but again I received an error message stating I didn't
  have any valid certificates?
  Can anyone help please,
  Best Regards,
  Giovanni

  hi
  I just found a URL to a security guide on this forum, maybe it can help you.
  http://otn.oracle.com/docs/products/ias/doc_library/90200doc_otn/core.902/a90146/toc.htm
  succes
  -Jan

• Where to put JAAS classfiles (loginmodules) when using it from a web app

  Hi,
  I am using JAAS authentication from a web application, the problem is that the login modules that I use, and all the classes that the LoginModule uses are not loaded from the WEB-INF/classes or WEB_INF/lib folder. I have to put them on the jdk/jre/lib/ext. The problem is that the classes I put there collide with other applications that use the same installed JDK.
  I have developed it using jdk1.3.1 and JAAS 1.0.
  Is there a way to put specify where login module classes should be loaded that does not interfere with other applications (that is, I do not want to put any class on the jdk/jre/lib/ext folder).
  Cheers

  Unfortunately, the only alternatives are to put all resources required by JAAS in jre/jre/lib/ext OR on the system classpath when the JVM is started.
  This is apparently due to a bug in JAAS. The implementers of JAAS have the LoginContext written so that it loads resources only from the system classpath. Unless this was, for some reason intentional. I don't know what the plans are for JAAS going forward with respect to this.
  Has it been fixed in J2SE 1.4?
  I'll have you know this wreaks havoc with attempting to have your LoginModule use an EJBs to authenticate a user and add Principals to the Subject.

• Looking for OC4J "how-to-security-jaas.zip".

  Hi
  Can somebody point me to the location of this "how-to-security-jaas.zip".
  Need it urgently.
  I found this link mentioning abt the above example.
  http://www.oracle.com/technology/tech/java/oc4j/htdocs/how-to-security-JAAS.html
  Thanks

  http://www.oracle.com/technology/tech/java/oc4j/1013/how_to/index.html
  Frank

• JAAS LoginModule for SunOne Directory Server?

  I have a customer who is using SunOne Directory Server for LDAP.
  I have test code that uses the JAAS's com.sun.security.auth.module.JndiLoginModule to do authentication against an OpenLDAP test server.
  The test code won't work at the customer site because they need to use a special userid/pw along with the subject userid/pw in order to do an authentication. I assume this is LDAP v3 stuff, but the customer is unsure. Unfortunately I have no direct access to the customer's LDAP admin folk. Typical bureaucracy stuff.
  The customer was able to write java code that authenticates to his LDAP server using example code from http://java.sun.com/products/jndi/tutorial/ldap/security/ldap.html which uses the JNDI API and specifies the access userid/pw using Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS.
  So thats great, however my application uses JAAS, and therfore only indirectly uses JNDI. The JndiLoginModule provided by JAAS does not appear to support the Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS parameters.
  A custom JAAS LoginModule could be written which interfaces to the JNDI LDAP stuff, however considering that JAAS and the SunOne Directory server are both Sun products, I thought perhaps SunOne Directory comes with a JAAS compatible LoginModule that my customer does not know about? I've looked at online docs, but haven't found any such thing yet.

  Hey dav,
  Sorry that I am not posting to give you a solution - it is more to ask for some guidance.
  I am implementing a client-server arch system which has a lot of 'privileged' actions to be managed. I have thus succesfully integrated the basics of JAAS in to the system... but I am now desparately looking for away to have client-side policies distributed at runtime from the server.
  I do not want to get involved with any web/application server stuff more than I need to; unfortunately one of the system requirements is for client-server comms to be facilitated by SOAP over HTTP, and thus probably JAX-RPC - but it is no problem. I have a developed a database backed Policy and (JAAS) Config which constitute parts of the server component. Now it is just a case of getting the policy to the client at client start-up and subsequently the configuration forJAAS authentication. The aim is that this data will be transfered once during login, and anytime that the the policy is requested to be refreshed.
  Since reading you post, I'm wondering what services LDAP or JNDI can offer me?
  Also, is JNDI an appropriate option for data persistence? is it better to go with JDO or some other object store abstraction.
  Kind regards,
  Darren B

• XA Transaction Support In OC4J 10.1.2

  Does OC4J support XA transactions using non emulated data sources? Or does 10.1.2 support XA transactions at all (across datasources-db or jms)?

  The reason is that the commit coordinator lives in Oracle database for 10.1.2.x case. (you have to confiture the db link to do so)
  In OC4J 10.1.3, the transaction manager has been re-implemented and the transaction coordination functionality is now located in OC4J, replacing in-database coordination, which is now deprecated. Also, the middle-tier coordinator is now "heterogeneous", meaning that it supports all XA-compatible resources, not just those from Oracle.
  The middle tier coordinator provides the following features:
  - Supports any XA compliant resource
  - Supports interpositioning and transaction inflow
  - Last Resource Commit Optimization
  - Recovery Logging
  -Frances

• JSF 1.2 supported in OC4J (JDev 11g)

  Hello Everyone,
  How do you know if your container is supporting jsf 1.2 or not, as am wondering if Embedded OC4J in JDev 11g Technology Preview already supporting JSF 1.2 by default!?

  Hi,
  it does.
  Frank

• Using JAAS in a BC4J Client

  Hello
  We are building a BC4J application.
  We would like to use JAAS on the client side (Swing Client), to do some authorization.
  I made a test, authentication a user trough JAAS on the client as follow:
  // Auhorization
  CallbackHandler handler = new InfoCallbackHandler();
  String s = "oracle.security.jazn.tools.Admintool";
  LoginContext loginContext = new LoginContext(s, handler);
  loginContext.login();
  Subject subject = loginContext.getSubject();
  // authenticated action
  Subject.doAs(subject, this);
  This works, as long as the client has access to the jazn.xml file.
  As far as I understand, this loads the RealmLoginModule.
  The RealmLoginModule uses either a jazn.xml file, or LDAP for authentication.
  Now I'm curios about where the RealmLoginModule gets its information from, when the client is running on an other machine than the OC4J Server.
  Where does the RealmLoginModule get the connection information for the OC4J or LDAP- server from?
  Do I have to deliver the security information (jazn.xml file) to the client (I dont want to expose all this information to the Hackers on the client side)?
  Is there a way to delegate the JAAS calls to the middle tier (a security provider , LoginModule, that does RMI-calls to an EJB-component)?
  Is there a way to do authorization with the BC4J interfaces on the client (something like boolean ApplikacitonModule.isUserInRole(Role) or javax.security.auth.Subject ApplikacitonModule.getSubject() or java.util.Set ApplikacitonModule.getPrincipalsForSubject())?
  I would like to get a javax.security.auth.Subject representing the user (and password)
  that is authenticated in the middle tier. This is the Subject (defined by username & password)),
  used for the JNDI lookup, and by the whole J2EE (EJB) security, when creating a root ApplicationModule.
  Is this possible?
  Regards
  Matthais Gerber

  Hi,
  In JDeveloper 9.0.3, BC4J has JAAS support in the middle-tier. You could set jbo.security.enforce to "Test" or "Must" on the application module using "Configuration...", "Edit" in JDev. If you are using the default Oracle 9iAS JAAS you will also need to include BC4J Security library in the project. The jdk\jre\lib\securtiy\java.security should have login.configuration.provider=oracle.security.jazn.spi.LoginConfigProvider.
  You do not need to create LoginContext, CallbackHandler, etc. in either your client app or business objects.
  If you are not using OC4J, you need to have another loginmodule that implement javax.security.auth.spi.LoginModule. You need to set the jbo.security.loginmodule with you loginmodule name, include the class or jar in your library, specify the jaas config file on the java runtime option.
  Please refer to 9.0.3 online help "Working with Security in BC4J" for more information.
  Thanks,
  Yvonn

• How to enable JAAS with jdeveloper

  hi all,
  I start reading about JAAS and previously i developed an web application and now i want to implement XML based JAAS in it i searched different articles which shows JAAS with DB support, can any one mention any good article with baby steps for xml based jaas in jdeveloper,
  I first to understand JAAS with babay steps then i will implement it in my application.
  A hello world type of tutorial with jdeveloper.
  Thanks & Regards
  imran

  Hi,
  I started a how-to about using the JAAS provider for container managed authentication. But this is about using container managed security with custom JAAS login modules.
  If you want to natively code in JAAS, all you need to do is to ensure you set the jaasMode in the aplication's orion-application.xml file. See the OC4J security guide, which is a part of teh OracleAs documentation available nline at otn.oracle.com --> documentation
  The XML provider is the dafult provider configured in OC4J and can have user and groups configured as well as JAAS permissions for each of them. You specify the JAAS LoginModule in the system-jazn-data.xml file of the OC4J container and access the login configuration name within your application as part of the created JAAS LoginContext. Once you have this, you obtain a authenticated subject with the user Principals. Using this principals you can now perform check permissions on the AccessController context.
  Frank

• Application Server Supporting EJB2.0

  Hi
  I am using Websphere4.0 as well as Weblogic 5.1 .
  I want application server which support EJB2.0 spec (especially i want to try out LocalInterface Examples.)
  I want evaluation copy which i can down load.
  I have installed J2EE server 1.3 : For this can anybody tell me about Jars to be set in Class-Path.
  Thanx
  VJ

  You can try Oracle Containers for J2EE (OC4J) at otn.oracle.com/tech/java/oc4j
  this is a J2EE compliant server. But still have an whole implentation about EJB 2.0 (OC4J Developer Preview), However you can try Local interface, CMR, and other features EJB 2.0-specific.
  OC4J is 100% Java implemented. You can launch the OC4J server separately or embebed in the Oracle9iAS (Oracle9i App. Server).

• Use of JAAS in WLS6 for sngle logon

  We're in the design stage of a product, which will be based on Weblogic Server 6 and are hoping to use JAAS.
  I'm quite new to WL in general and JAAS security and having read the documentation, I'm still not clear on a few points about how JAAS is used in WLS6.
  We're intending to provide a single logon for the system and then to log users on to other services such as email etc. behind the scenes, when the user requests them.
  Does JAAS in WLS6 support this and if so, how best could we achieve it?
  One idea I've read on the Sun site is that you can instantiate multiple LoginContexts at different times during the user session, each using a different Configuration pointing to different LoginModules to achieve this.
  A couple of other things I've come across which may be useful in this context are :-
  the <run-as-specified-identity> tag in the deployment descriptor
  LoginModules being able to share information
  Any help much appreciated
  Dave

  Sorry for the delay in replying, I was on vacation
  Dave <[email protected]> wrote in message
  news:[email protected]...
  >
  Thanks for the reply Alex.
  If we just have a single LoginContext with multiple LoginModules, wouldn'tthat mean that when a user logged-on, it would log them on to all of the
  services at the same time ?
  Yes, that is the sequence specified under JAAS
  We were trying to make it so that after the initial logon to the system,the user would be logged on to other services only when they accessed them
  explicitly. Does that mean that we need multiple LoginContexts still ?
  Unfortunately yes, you will need multiple LoginContext instances to do that.
  set configuration
  new context
  context.login
  context.getSubject
  Subject.doAs(subject, action)
  >
  I understand that WLS6 will only provide for JAAS Authentication, notAuthorisation. Does that mean I need to use it in conjunction with the
  existing Weblogic Authorisation, such as ACLs and Realms ?
  >
  The WLS6 JAAS implementation wrappers the existing ACL implementation and is
  independant of the realm being used. Internally the Subject.doAs method
  checks the ACLs of the user associated with the specified Subject instance.
  Can I also ask about the granularity of Resources that can be protected byaccess control. Would these be at the level of Servlets, beans etc.
  I believe you can but I'm not sure, check in the documentation on Servlets &
  beans or post a followup question in those groups
  >
  Is the Beta Refresh available for downloaded now ? If not, how soon doyou think it would be ?
  >
  The beta refresh should be available early the week of 11/13
  As regards the <run-as-specified-identity> tag in the deploymentdescriptor. Could you briefly explain its use and whether it would help us
  with our logon approach ?
  Again I'm not sure, again please post this to the associated group Servlets,
  Beans, etc.
  >
  Thanks very much for your help again.
  Dave
  "Alex McDonald" <[email protected]> wrote:
  Dave,
  The WLS 6 JAAS implementation will support what you intend. While there
  were
  several bugs in the initial WLS 6 Beta these have been fixed in the Beta
  refresh, if you need the updated files sooner I can send you a zip.
  I would suggest the following. Single LoginContext, multipleloginModules.
  Set your first configured loginModule to prompt for theusername/password,
  each of the following loginModules can than use that information behindthe
  scenes or prompt as needed for additional user info. Configure the first
  loginModule as REQUISITE so that it must succeed for the login process to
  continue. The WLS 6 JAAS sample loginModule implementation contains theWLS
  login information, additional email, etc services can be added to the
  Subject container as needed.
  Alex
  Dave <[email protected]> wrote in message
  news:[email protected]...
  We're in the design stage of a product, which will be based on WeblogicServer 6 and are hoping to use JAAS.
  I'm quite new to WL in general and JAAS security and having read thedocumentation, I'm still not clear on a few points about how JAAS is usedin
  WLS6.
  We're intending to provide a single logon for the system and then to
  log
  users on to other services such as email etc. behind the scenes, when the
  user requests them.
  Does JAAS in WLS6 support this and if so, how best could we achieve it?
  One idea I've read on the Sun site is that you can instantiate multipleLoginContexts at different times during the user session, each using a
  different Configuration pointing to different LoginModules to achievethis.
  >>>
  A couple of other things I've come across which may be useful in thiscontext are :-
  the <run-as-specified-identity> tag in the deployment descriptor
  LoginModules being able to share information
  Any help much appreciated
  Dave

• Implement JAAS in App Server Agnostic Way

  Is is possible to build a JAAS solution for authentication and authorization of
  a J2EE application without having to include WebLogic specific classes? The examples
  supplied in BEA's documentation make it look like I need to utilize WebLogic specific
  classes to handle authentication even. I am trying to build a security solution
  that will be valid on a variety of app servers, including WebLogic, and I do not
  want to have to rely on having seperate code for each app server.

  The vendor dependency in Weblogic is only in the way you plug your
  custom module into the server security itself, not in the JAAS
  authentication and authorization part.
  So as long as you deal with JAAS only classes in your login module(s)
  and policy the you should be able to plug it into any JAAS compliant app
  server (the SPPI interface does it for Weblogic and probably the other
  servers will have some other proprietary APIs to implement).
  That being said there is one bug that I've encountered in Weblogic so
  far and it is that the server system user has to be named "kernel
  identity" and your login module should be able to authenticate it if you
  replace completely the default security providers. But it's not a big
  issue as you'll probably need some bootstrapping user for your
  LoginModule anyway and you can just configure it to be "kernel identity"
  if you use Weblogic...
  HTH,
  Dejan
  William Rohrbach wrote:
  Is is possible to build a JAAS solution for authentication and authorization of
  a J2EE application without having to include WebLogic specific classes? The examples
  supplied in BEA's documentation make it look like I need to utilize WebLogic specific
  classes to handle authentication even. I am trying to build a security solution
  that will be valid on a variety of app servers, including WebLogic, and I do not
  want to have to rely on having seperate code for each app server.

• IAS 10.1.2-how to configure different oc4j listen to different virtualhost?

  Hi
  I have requirement,
  we have oracle portal based web site that can be used by outside users over the internet.
  And then we have are deploying few new apps/webservices/ear files on a oc4j called core_ws. These web services should not be accessed outside.
  I have created a virtaul host in apache on a different port(7799) which was not exposed to public world.
  But, how to configure core_ws to inform Apache to listen on only port 7799 but not on port 80?
  I tried a diffent route to attack the problem(as mentioned below) which managmenet did not like:
  created location directive, worked in dev but not in production as there ISA sitting front of apache.
  We could apply filter on the URLs of these web services in ISA but my director did not like the idea as each time there is additional web service we have mess with it.
  So, he prefers running these web services on a different port that will not have access to public.
  Appreciate your help if have acheived the same earlier.

  By your description, it sounds like you want to do what is in this My Oracle Support document:
  How To Create Virtual Host Specific OC4J Applications (Doc ID 389819.1)
  https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=389819.1
  (requires login)
  You said you were using 10.1.2, so that will work, its a method of creating separate virtualhosts and using rewrites to direct to error pages if an incorrect request is made. For 10.1.3, but there is a dynamic method which is a better approach.
  ...Ken

• Details on TAF support in Oracle AS 10g

  Hi experts,
  I'm currently writing a Master's Thesis on High Availability of Applications based on Sun’s JEE platform.
  With Oracle being one of the big players in this market I'm going to investigate the features of the Oracle product stack and compare it with other solutions including opensource.
  At the moment I'm looking for details on TAF-support in Oracle AS 10g. Let’s assume one has installed the latest release of the Oracle 10g database in a RAC configuration on two or more physical nodes to store the applications data. Let’s further assume one has set up the latest release of the Oracle AS 10g on different hosts building an AS farm with clustered OC4J-instances. Now one would like to connect a JEE application running within these OC4J-instances to the RAC database.
  Therefore one can configure an OC4J datasource to use a service definition supporting network failover and transparent application failover (TAF) specified in the tnsnames.ora on the AS hosts or directly describe the service in the data-sources.xml. To my knowledge only datasources configured to use the OCI client can be used with TAF. Everything right so far?
  Now the interesting part. The best what TAF can do is automatically reconnect to the next known database node if it’s current node is not reachable or fails, and continue processing an open cursor for select so that the application can continue to use it’s current connection.
  If the application is running a database transaction it can only be rolled back and rerun after failover.
  In a good old plain Java application one had to implement the OracleOCIFailover interface and register a callback with the db connection in order to receive failover events. Therefore you need to process the query in a different thread.
  In a JEE server only the container should be responsible for creating threads, or? How does the Oracle AS support TAF? How can a user application get notice of a failover and react appropriately. Is the behaviour always the same no matter one decides to implement the data access via simple DAOs or entity beans (CMP/BMP)? I assume it is safe to use a connection pool and container will take care of the necessary cleanup jobs, right? Will the complete connection pool be reconstructed or only connections to the failed node?
  Does the application server internally use these OCI callbacks and wrap them up into special Exceptions? Is there anything an application programmer has to do in order to make his data access code ready for TAF, especially in case of failover while the db is processing transactional code?
  Any insights and/or code snippets would be greatly appreciated!
  Ah, one last question. From a HA perspective is it generally a bad idea to put application logic into the database (use CDM RuleFrame and so on) as there is no support in preserving package states or do you think this makes no difference as one has always to repeat everything since the last commit point no matter in which tier the code resides?
  During the next days I’m going to set up the above environment for testing. A 10.0.2.1 RAC on RHE4 is already up and running fine. AS 10.1.3.0.0 on RHE4 is following today or tomorrow.
  Many thanks for all answers!
  Regards,
  Eric

  Hi,
  well, I thought I could dig into the OC4J documentation before installing the server. After reading the OC4J Service Guide for 10.1.2 and 10.1.3 I'm a little bit confused.
  First I read the 10.1.2 Service Guide and almost everything seemed to be clear. I found a lot of answers to the questions above. I'd like to sum them up. Please correct me if I got something wrong!
  - TAF only works on top of OCI driver
  - TAF can be used with connection pooling
  - OC4J takes care of connection pool cleanup (OC4J and OCI Pool)
  These two pools are mentioned. It's not clear to me how they work together. Do one of you know some source where I can get more information about this?
  - after a failover all connections in the pool are checked by OC4J and only alive ones will survive
  - in case of a failover TAF issues an exception
  - the application has to catch this exception and acknowledge with a rollback, after that the transaction can be restarted (this seems to be the responsibility of the applications code, oc4j will not replay something automatically; If I got it right, CMP entity beans will be an exception to this rule - there OC4J will proceed transparently...)
  - the application can use OCI callbacks to customize the failover behavior (well I would like to see some source code example here, as I can't imagine how this could look like)
  After that I read the 10.1.3 service guide. The section about datasources in conjunction with HA is much shorter. Besides TAF new? mechanism is introduced, namely Fast Connection Failover (FCF). There is not much information about it but references to the JDBC Guide, because FCF is a feature of the implicit JDBC connection cache. Where cache seems to be just another word for pool.
  By the way, the example on p. 4-36 looks wrong at first glance. Enabling FCF and setting:
  <property name="fastConnectionFailoverEnabled" value="false"/> ???
  Seems to be a typo in the docu, or?
  I got the impression, that the text is written as if FCF being TAF's successor, without explicitly saying this. Is this right?
  So I proceeded reading the JDBC Developer Guide to lean more about FCF. Here is what I learned:
  - since 10g available
  - FCF is driver independend (you can also use the thin driver)
  - prerequisites are implicit connection cache (pool) enabled, ONS must be configured
  - in case of a failover the transcation will be rolled back automatically (not by the application); whereas using TAF you have to use a rollback to acknowledge the error
  - only one exception ORA-17008 to catch
  - application has to obtain a new connection from the cache (pool), where as using TAF the old connection object can be used, and resend the transaction (same as with TAF)
  So when to use what? The comparison on p. 27-8 was not very helpful to find an answer to this question.
  On p. 28-1 one can read that TAF does not work with the OCI Connection Pool. That's seems to be contradictory to the statement in Service Guide of 10.1.2 that OC4J takes care of both pools (OC4J and OCI). Or has something changed in 10.1.3 in that regard? May be this is because of the changes in Cache or Pool Management?
  What is the advantage of using TAF within OC4J in 10g, if there is any?
  What about select statements with FCF? You can only read about transactions. I'd assume the application would get the same exception executing a query (ORA-17008) as executing a transaction, right? So TAF should have the advantage of transparently proceeding selects after a failover. Am I right?
  I'd love to see more examples and comparisons of TAF and FCF.
  Regards,
  Eric