Proxy Authentication with JDBC Datasource instead of JDBC URL?

Hello,
A requirement for my current project (ADF 10g) is that a user should be able to log in with his regular database account. For the moment, this is implemented using Proxy Authentication, as described in the following article:
http://blogs.oracle.com/jheadstart/2008/01/using_proxy_authentication.html
For now, we are using a JDBC URL defined in the application module config for the BC. In short: a ProxyAuthConnectionPoolManager class was created that overrides the default ConnectionPoolManagerImpl. The getConnection method has been overridden to create a standard connection (with the username/pw defined on the AM), and additionally, create a proxy connection within this connection with the specific user credentials. The (simplified) code:
    public Connection getConnection(String key, String url, Properties props, String username, String pwd) {
        // first fetch a default connection from the pool through the superclass
        Connection connection = super.getConnection(key, url, props, username, pwd);
        // cast into an OracleConnection
        OracleConnection oraConnection = (OracleConnection) connection;
            // close any proxy sessions that would still exist on the connection
            if (oraConnection.isProxySession()) oraConnection.close(OracleConnection.PROXY_SESSION);
            // get a handle on the session scope
            Map sessionScope = ADFContext.getCurrent().getSessionScope();
            if (sessionScope != null) {
                // find the user object in the session (the account the user logs in with)
                ProxyAuthUser user = (ProxyAuthUser) sessionScope.get(ProxyAuthUser.JHS_USER_KEY);
                if (user != null) {
                    // create a property map with the end user credentials
                    Properties proxyProps = new Properties();
                    proxyProps.put(OracleConnection.PROXY_USER_NAME, user.getDbUsername() + "/" + user.getDbPassword());
                    proxyProps.put(OracleConnection.PROXY_USER_PASSWORD, user.getDbPassword());
                    // open the proxy session
                    oraConnection.openProxySession(OracleConnection.PROXYTYPE_USER_NAME, proxyProps);
            return oraConnection;
    }Now, this works perfectly when using a JDBC URL. But when I switch the JDBC Datasource the ProxyAuthConnectionPoolManager class is not called anymore. This is all done in code in the Application Server. While using a JDBC Datasource is actually necessary: otherwise for each environment (dev, test, production,...) a different WAR file is needed.
What class can I override with code similar to the piece above, to open a proxy connection inside the existing connection, when using a JDBC Datasource?
Your help would be greatly appreciated!
Chris

Hello Krasimir,
Frank Nimphius gave me the solution to this problem. The prepareSession is indeed the best place to put the code:
   private OracleConnection oconn = null;
   public void prepareSession(SessionData SessionData) {
      super.prepareSession(SessionData);
      oconn = ((PrxyTransactionImpl)this.getDBTransaction()).getPrxyConnection();
      // Specify the user that connects through the proxy user and its roles
      Properties prop = new Properties();
      prop.put(OracleConnection.PROXY_USER_NAME,"hr");
      prop.put(OracleConnection.PROXY_USER_PASSWORD,"hr");
      //prop.put(OracleConnection.PROXY_ROLES, roles);
      // Open the proxy session (DB-authenticated users)
      try {
         oconn.openProxySession(OracleConnection.PROXYTYPE_USER_NAME, prop);
      catch (SQLException e) {
         // Close the connection, to avoid connection to remain open after exception
         oconn.abort();
         e.printStackTrace();
   }But Frank also created the following helper classes to extend the ADF BC behavior:
   package oracle.sample.dbprxy.adfbc;
   import oracle.jbo.server.DBTransactionImpl2;
   import oracle.jbo.server.DatabaseTransactionFactory;
    * TransactionFactory that returns PrxTransactionImpl, which is a subclass of
    * DBTransactionImpl2
    * @author Frank Nimphius
   public class PrxyDatabaseTransactionFactory extends DatabaseTransactionFactory {
      public PrxyDatabaseTransactionFactory() {
         super();
       * Override the create method to return an instance of PrxyTransactionImpl instead
       * of DBTransactionImpl2
       * @return PrxyTransactionImpl
      public DBTransactionImpl2 create() {
         return new PrxyTransactionImpl();
   package oracle.sample.dbprxy.adfbc;
   import oracle.jbo.server.DBTransactionImpl2;
   import oracle.jdbc.internal.OracleConnection;
   public class PrxyTransactionImpl extends DBTransactionImpl2 {
      public PrxyTransactionImpl() {
         super();
       * The DBTransactionImpl2 does not expose the connection in a public
       * method. This class is a wrapper to expose the connection to the
       * BC app, so it can be accessed in the ApplicationModuleImpl class
       * @return OracleConnection - SQL Connection
      public OracleConnection getPrxyConnection() {
         return (OracleConnection) this.getJdbcConnection();
   }In the configuration of your Application Module, you have to set the property "TransactionFactory" (normally the last one in the list) to oracle.sample.dbprxy.adfbc.PrxyDatabaseTransactionFactory. This way, the DBTransaction() of your AM will have a getPrxyConnection() method and you will have the connection at your disposal. You won't need the createPreparedStatement in your code anymore.
To close the connection, this is the code behind my "logout button" on the backing bean. Application Module Pooling and Connection Pooling will take care of the rest for you!
   ExternalContext ectx = FacesContext.getCurrentInstance().getExternalContext();
   HttpSession session = (HttpSession)ectx.getSession(false);
   session.invalidate();Another thing: be sure to set the internalconnection property to a different JDBC Datasource (or file based) than the one you are using to connect to the database (the default value). Otherwise connection pooling will be confused and there will be too much pending database connections.
This works for me, all sessions are closed in time and logging out seems secure. I do not have my complete, adjusted code here at my disposal, but next week, when I'm back at work, I'll have a look to see if there is anything I forgot to mention. So this should get you started, but I'll keep you posted!
A huge thank you to Frank again for helping me (/us) out with this problem!! And sorry I forgot to post the answer here sooner. I was too busy with testing it. :-)
Regards,
Chris

Similar Messages

Toplink Proxy Authentication with 10.1.3 problem

Hi,
I'm are using Toplink Proxy Authentication in a JSF application with SessionFacade pattern and have implemented a preLogin() method of oracle.itech.pil.utils.PILSessionEventManager (which implements SessionEventListener) as described in
http://www.oracle.com/technology/products/ias/toplink/doc/1013/main/_html/dblgcfg008.htm. Due to Class Loader problem while loading of SessionEventManager, I'm explicitly loading the Class by doing this:
try {
Thread.currentThread().getContextClassLoader().loadClass("oracle.itech.pil.utils.PILSessionEventManager");
catch(Exception exp) {
System.out.println("Exception while loading class oracle.itech.pil.utils.PILSessionEventManager "+exp.toString());
The SessionEventManager is loaded by doing this:
session.getEventManager().addListener(new PILSessionEventManager());
(Encountered while using <event-listener-class>oracle.itech.pil.events.PILSessionEventManager</event-listener-class> in sessions.xml file, so removed and added the same using session.getEventManager().addListener(new PILSessionEventManager()) )
But now, I'm encountering ClassCastException during the login to my application
The below pasted exception (oracle.oc4j.rmi.OracleRemoteException: java.lang.ClassCastException: oracle.itech.pil.utils.PILSessionEventManager) is coming when invoking line (Login)session.readObject(oracle.itech.pil.model.Login.class, expression);
Code :
XMLSessionConfigLoader xmlLoader =
new XMLSessionConfigLoader("META-INF/sessions.xml");
SessionManager sessionMgr = SessionManager.getManager();
DatabaseSession session =
(DatabaseSession)sessionMgr.getSession(xmlLoader, "serverSession",
SessionFacadeEJBBean.class.getClassLoader());
// Set Listener through Java code
//session.getEventManager().addListener(new PILSessionEventManager());
new PILSessionEventManager();
System.out.println("I am at getLoginDetails after the listner...>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>");
Login login = null;
LoggedInBB loggedIn = null;
ExpressionBuilder builder = new ExpressionBuilder();
Expression expression = null;
// If username is not null
System.out.println("The _uname is "+_uname);
if (_uname != null) {
expression = builder.get("uname").equalsIgnoreCase(_uname).and(builder.get("empno").equalsIgnoreCase(_empNo));
if (expression != null) {
System.out.println("expression != null >>>>>>>>>>>>>>");
//login = (Login)session.readObject(oracle.itech.pil.model.Login.class, expression);
login =(oracle.itech.pil.model.Login) (session.readAllObjects(oracle.itech.pil.model.Login.class, expression)).get(0);
System.out.println("Login Object is "+login);
Exception:
[TopLink Info]: 2006.05.02 05:04:18.703--ServerSession(21707422)--TopLink, version: Oracle TopLink - 10g Release 3 (10.1.3.0.0) (Build 060118)
[TopLink Info]: 2006.05.02 05:04:22.619--ServerSession(21707422)--serverSession login successful
06/05/02 17:04:22 I am at getLoginDetails after the listner............>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
06/05/02 17:04:22 The _uname is admin
06/05/02 17:04:22 expression != null >>>>>>>>>>>>>>
[TopLink Warning]: 2006.05.02 05:04:22.639--ServerSession(21707422)--java.lang.ClassCastException: oracle.itech.pil.utils.PILSessionEventManager
oracle.oc4j.rmi.OracleRemoteException: java.lang.ClassCastException: oracle.itech.pil.utils.PILSessionEventManager
     at com.evermind.server.ejb.EJBUtils.getUserException(EJBUtils.java:333)
     at com.evermind.server.ejb.interceptor.system.AbstractTxInterceptor.convertAndHandleMethodException(AbstractTxInterceptor.java:69)
     at com.evermind.server.ejb.interceptor.system.TxSupportsInterceptor.invoke(TxSupportsInterceptor.java:39)
     at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:69)
     at com.evermind.server.ejb.interceptor.system.DMSInterceptor.invoke(DMSInterceptor.java:52)
     at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:69)
     at com.evermind.server.ejb.StatelessSessionEJBObject.OC4J_invokeMethod(StatelessSessionEJBObject.java:86)
     at SessionFacadeEJB_StatelessSessionBeanWrapper2.getLoginDetails(SessionFacadeEJB_StatelessSessionBeanWrapper2.java:172)
     at oracle.itech.pil.backing.LoginBB.LoginButton_action(LoginBB.java:182)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:585)
     at com.sun.faces.el.MethodBindingImpl.invoke(MethodBindingImpl.java:126)
     at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:72)
     at oracle.adf.view.faces.component.UIXCommand.broadcast(UIXCommand.java:211)
     at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:267)
     at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:381)
     at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:75)
     at com.sun.faces.lifecycle.LifecycleImpl.phase(LifecycleImpl.java:200)
     at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:90)
     at javax.faces.webapp.FacesServlet.service(FacesServlet.java:197)
     at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:64)
     at oracle.adfinternal.view.faces.webapp.AdfFacesFilterImpl._invokeDoFilter(AdfFacesFilterImpl.java:367)
     at oracle.adfinternal.view.faces.webapp.AdfFacesFilterImpl._doFilterImpl(AdfFacesFilterImpl.java:336)
     at oracle.adfinternal.view.faces.webapp.AdfFacesFilterImpl.doFilter(AdfFacesFilterImpl.java:196)
     at oracle.adf.view.faces.webapp.AdfFacesFilter.doFilter(AdfFacesFilter.java:87)
     at com.evermind.server.http.EvermindFilterChain.doFilter(EvermindFilterChain.java:15)
     at oracle.itech.pil.utils.PILFilter.doFilter(PILFilter.java:124)
     at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:627)
     at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:376)
     at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:870)
     at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:451)
     at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:299)
     at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:187)
     at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
     at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
     at java.lang.Thread.run(Thread.java:595)
     Nested exception is:
java.lang.ClassCastException: oracle.itech.pil.utils.PILSessionEventManager
     at oracle.toplink.sessions.SessionEventManager.preExecuteQuery(SessionEventManager.java:508)
     at oracle.toplink.publicinterface.Session.executeQuery(Session.java:976)
     at oracle.toplink.publicinterface.Session.executeQuery(Session.java:938)
     at oracle.toplink.publicinterface.Session.readAllObjects(Session.java:2458)
     at oracle.itech.pil.ejb.SessionFacadeEJBBean.getLoginDetails(SessionFacadeEJBBean.java:399)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:585)
     at com.evermind.server.ejb.interceptor.joinpoint.EJBJoinPointImpl.invoke(EJBJoinPointImpl.java:35)
     at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:69)
     at com.evermind.server.ejb.interceptor.system.DMSInterceptor.invoke(DMSInterceptor.java:52)
     at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:69)
     at com.evermind.server.ejb.interceptor.system.TxSupportsInterceptor.invoke(TxSupportsInterceptor.java:37)
     at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:69)
     at com.evermind.server.ejb.interceptor.system.DMSInterceptor.invoke(DMSInterceptor.java:52)
     at com.evermind.server.ejb.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:69)
     at com.evermind.server.ejb.StatelessSessionEJBObject.OC4J_invokeMethod(StatelessSessionEJBObject.java:86)
     at SessionFacadeEJB_StatelessSessionBeanWrapper2.getLoginDetails(SessionFacadeEJB_StatelessSessionBeanWrapper2.java:172)
     at oracle.itech.pil.backing.LoginBB.LoginButton_action(LoginBB.java:182)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:585)
     at com.sun.faces.el.MethodBindingImpl.invoke(MethodBindingImpl.java:126)
     at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:72)
     at oracle.adf.view.faces.component.UIXCommand.broadcast(UIXCommand.java:211)
     at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:267)
     at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:381)
     at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:75)
     at com.sun.faces.lifecycle.LifecycleImpl.phase(LifecycleImpl.java:200)
     at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:90)
     at javax.faces.webapp.FacesServlet.service(FacesServlet.java:197)
     at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:64)
     at oracle.adfinternal.view.faces.webapp.AdfFacesFilterImpl._invokeDoFilter(AdfFacesFilterImpl.java:367)
     at oracle.adfinternal.view.faces.webapp.AdfFacesFilterImpl._doFilterImpl(AdfFacesFilterImpl.java:336)
     at oracle.adfinternal.view.faces.webapp.AdfFacesFilterImpl.doFilter(AdfFacesFilterImpl.java:196)
     at oracle.adf.view.faces.webapp.AdfFacesFilter.doFilter(AdfFacesFilter.java:87)
     at com.evermind.server.http.EvermindFilterChain.doFilter(EvermindFilterChain.java:15)
     at oracle.itech.pil.utils.PILFilter.doFilter(PILFilter.java:124)
     at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:627)
     at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:376)
     at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:870)
     at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:451)
     at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:299)
     at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:187)
     at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
     at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
     at java.lang.Thread.run(Thread.java:595)
Any clue why this error, which i am facing since 10 days to complete my task
Thanks In Advance
Prashant

James, what Venkat and Prashant are trying to do is something like this...
1. If I connect to the DB using scott/tiger then in the preLogin method of the Toplink Session Listener class, the proxy user will connect using something like admin/welcome1 and in the database audit view, the name that shows up SHOULD BE that of admin and NOT of scott. This is called proxy authentication if it works fine.
We developed the above scenario but in the audit logs, we still see scott instead of admin as the user who connected.
2. This feature is available in the DB but our objective is to use it through TopLink
Also see Toplink Proxy Authentication Not Working
I hope I was able to explain the scenario clearly.
Any help will be appreciated
Regards,
Amit

Strange problem with JDBC URL

Hi All,
I don't know whether this is a known issue which has a workaround or I am doing something wrong. But this is the problem.
I have a nice GUI application which takes the JDBC URL, Driver, User name and password and then takes the input and tries to establish a connection with the Database. I was trying it on MySQL and I encountered a problem.
The general format of the JDBC URL for MySQL is "jdbc:mysql://<ip_address>:<port>/<db_name> and if I have MySQL running on 3306 and if I give the URL as:
"jdbc:mysql://localhost:9001" (where my HSQL is running), then, it never gets the connection and the application stays there forever (the call never returns after the DriverManager.getConnection() statement). And if I give the port as something else (say 9898) where nothing is running, then the getConnection() doesn't send me a SQLException.
What could be the problem?

Are you saying that you're connecting using the
MySQL driver to an HSQL database, and
that this results in a hang (rather than a timeout)?
Just to clarify that I've understood the problem.
If so, it should be fairly easy to get a simple test
scenario up and running independent from your "real"
application. Have you tried this, and could you post
the code if so?
Dave.Hi Dave,
Thank you very much trying,
Sorry if my English was poor. I am not trying to connect to HSQLDB using the MySQL Driver.
Actually, I am trying to connect to MySQL db using the MySQL driver, but the DriverManager.getConnection() method hangs when I...
1. Give a wrong URL e.g(jdbc:mysql://localhost:9001/")
2. Run my MySQL on default port (3306)
3. And If I have HSQL or any other program that is listening at port 9001.
The problem seems to be very strange. here's the code below, you can try out yourself...
import java.sql.DriverManager;
import java.sql.SQLException;
public class Demo {
     public static void main(String[] args) {
          try {
               Class.forName("com.mysql.jdbc.Driver");
               DriverManager.getConnection("jdbc:mysql://localhost:9001/", "user", "password"); // <-- The call hangs here
          } catch (SQLException e) {
               e.printStackTrace();
          } catch (ClassNotFoundException e) {
               e.printStackTrace();
}Remember to have your mysql*.jar file in your classpath while running. :)
Thank you....

WWSAPI - Cannot connect to web service via SSL and HTTP proxy authentication with NTLM, errorCode 0x803d0016, HTTP status 407

Hi,
I built a web service client using WWSAPI. The connection works via SSL (without HTTP proxy) and it works with SSL and proxy with basic authentication as well. When I try to connect using a proxy with NTLM authentication, then I get the errorCode
0x803d0016, HTTP status "407 (0x197)", "Proxy Authentication Required".
In WireShark I see only one HTTP request to connect to the proxy with NTLM Message Type: NTLMSSP_NEGOTIATE. The HTTP Response returns Status 407 and the connection ist closed. Comparing this to Internet Explorer - the Connection is not closed and
a second request with NTLMSSP_AUTH is sent.
Why doesn't it make the complete NTLM handshake? Why wasn't sent the NTLMSSP_AUTH directly?
I oriented in the HttpCalculatorWithKerberosOverSslClientExample.
Using WS_HTTP_HEADER_AUTH_SECURITY_BINDING,
WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_SCHEME was set to WS_HTTP_HEADER_AUTH_SCHEME_NTLM, WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_TARGET to WS_HTTP_HEADER_AUTH_TARGET_PROXY. I tried WS_DEFAULT_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE but also WS_STRING_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE.
Any idea?
Thanks

Hi,
I built a web service client using WWSAPI. The connection works via SSL (without HTTP proxy) and it works with SSL and proxy with basic authentication as well. When I try to connect using a proxy with NTLM authentication, then I get the errorCode
0x803d0016, HTTP status "407 (0x197)", "Proxy Authentication Required".
In WireShark I see only one HTTP request to connect to the proxy with NTLM Message Type: NTLMSSP_NEGOTIATE. The HTTP Response returns Status 407 and the connection ist closed. Comparing this to Internet Explorer - the Connection is not closed and
a second request with NTLMSSP_AUTH is sent.
Why doesn't it make the complete NTLM handshake? Why wasn't sent the NTLMSSP_AUTH directly?
I oriented in the HttpCalculatorWithKerberosOverSslClientExample.
Using WS_HTTP_HEADER_AUTH_SECURITY_BINDING,
WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_SCHEME was set to WS_HTTP_HEADER_AUTH_SCHEME_NTLM, WS_SECURITY_BINDING_PROPERTY_HTTP_HEADER_AUTH_TARGET to WS_HTTP_HEADER_AUTH_TARGET_PROXY. I tried WS_DEFAULT_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE but also WS_STRING_WINDOWS_INTEGRATED_AUTH_CREDENTIAL_TYPE.
Any idea?
Thanks

Proxy authentication with WebStart

I am trying to understand how WebStart handles proxy authentication for HTTP between my WebStart client and the server.
WebStart prompts the user for the proxy userid/password when my application starts. This occurs when WebStart attempts to download the jars.
However, now my application starts and wants to start communicating with the host. I am using URLConnection to make HTTP requests back to the same server.
My question is: "How does WebStart help with the proxy authentication for MY http requests?"
Does it insert the correct Authentication header on every HTTP request I create?

I am trying to understand how WebStart handles
WebStart prompts the user for the proxy
userid/password when my application starts. This
occurs when WebStart attempts to download the jars.
However, now my application starts and wants to start
communicating with the host. I am using URLConnection
to make HTTP requests back to the same server.
My question is: "How does WebStart help with the proxy
authentication for MY http requests?"
Does it insert the correct Authentication header on
every HTTP request I create?Let's split this in two topics.
1. How is proxy authenication supposed to work
2. What does Web Start
Easiest way to figure out Web Start's behaviour is to do some network monitoring. On a Unix box use something like tcpdump to monitor the raw packet traffic and strings|grep for URLs. (There is more advanced monitor software available). Fire up Web Start, authenticate. Watch. You need admin priviledges of course.
Second method would be to analyse Web Start sources, which is available under the Sun community license.
Now comes the interesting question, who proxy authentication is supposed to work.
I had this problem some years ago, when our application was tested from within a corporate network that used a proxy that demanded authentication.
The tricky part was, that our database server asked for an authentication too!
So one would have to provide a (user:password) pair to the proxy and another (user:password) pair to the web server in front of the database.
At that time I found no solution.
To my best knowledge there is only one http-authentication header in the HTTP header section possible, that carries the base64 encoded (user:password) pair. But I would need two and some means to tell which header of the two is for the proxy and which for the destination web server.
Second, HTTP is a stateless protocol. This means every HTTP request has no state in common with the HTTP requests before and after.
Analysis of the just open sourced Mozilla code base showed that Netscape handles proxy authentication against this design rule. Netscpae just issues the same HTTP request for the doc two times. The first time with authentication for the proxy, then the proxy seems to memorize that particular request (so much for the statelessness), and when Netscape fires the second HTTP request, this time with authentication for the destination server, the proxy just lets this request through (BIG BIG security hole here) and the authentication is not fished out by the proxy but will arrive at the destination server.
I was not able to find out at that time, if this behaviour was handled by any standard/RFC. What would happen if 5 proxies with authorization request were between me and the target server?
Hope this helps somehow.
Marc

Proxy authentication with 5800

Hi, I've a 5800. With domestic WiFi all works fine. In the university WiFi I need to authenticate to a proxy server but, while the proxy address and port is present in the configuration window, username and password are asked only through web browser. This means that only web browser works while email and other programs (nimbuzz, opera mini, sport tracker, accuweather, ecc, ecc) don't.
I also tried the simple unix form usernameassword@address instead of the simple address of proxy server but the infos are ignored.
Is it possible to specify in some way this info as part of the connection? Or at least is it planned to add them in a future firmware release (At the moment I'm using release 21)?
Thanks
Walter

I totally agree with Walter.
When the Internet connection you'd like to use has a proxy that REQUIRES AUTHENTICATION, the only online application that can be used is the built-in browser because it asks for user and password.
This is a shame. It would This kind of configuration should be done at the same place you can specify the proxy address and port.
Suzuki

Connection with Advanced - custom JDBC URL fails with some valid JDBC-URLs

Hi,
I am trying to create a connection with a custom JDBC connection string, but SQL*Developer throws the error message:
Status : Failure -Test failed: Required property 'hostname' is not set on the DatabaseProvider my tests are:
<li> with connection via Connection Type set to TNS and a proper alias - it works fine
<li> with connection via Connection Type set to Advanced and exactly the same values from tns in the url: jdbc:oracle:thin:@(DESCRIPTION=(enable=broken)(ADDRESS=(PROTOCOL=tcp)(HOST=172.24.32.113)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=RESTSVP_SITE1))) - it fails with Status : Failure -Test failed: Required property 'hostname' is not set on the DatabaseProvider<li> with JDBC URL set to jdbc:oracle:thin:@172.24.32.113:1521/RESTSVP_SITE1 - it works fine
As my jdbc url is quite close to the example in [url http://docs.oracle.com/cd/E11882_01/java.112/e16548/apxtblsh.htm#CHDBBDDA]Using JDBC with Firewalls maybe someone can help me to fix it?
Martin
Edited by: berx on Oct 12, 2012 11:32 AM - fixed typos

Hi Martin,
1/oci/thick
2/RAC options
3/TNS connection
1/oci/thick
OCI driver has a slightly different set of features than thin:
-try oci/thick (requires Oracle Client, server or instant client) (It requires SQLDeveloper java and .dll, .so libraries to match)Re: SQL developer 3.1 shows error Incompatible version of libocijdbc
jdbc:oracle:oci:@(DESCRIPTION=(enable=broken)(ADDRESS=(PROTOCOL=tcp)(HOST=your_host_name)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=your_service_name)))
2/RAC options
More speculatively:
-Try sid instead of service name (will disable some networking features on that connection), try switching load balancing off.
From: Unable to access RAC from SQL Developer!
In general and especially for RAC database you should use SERVICE_NAME to connect and not SID (because only SERVICE_NAME can use load balancing and failover features):
3/TNS connection
with connection via Connection Type set to TNS and a proper alias - it works fine(Which Connection Type TNS did you use? TNS Connect Identifier = oci/thick, TNS Network alias (can be thin (I should check, might depend on oci/thick checkbox))
Is this issue stopping your work i.e. is this workaround unacceptable?
-Turloch
SQLDeveloper team

Oracle Proxy Authentication and WLS 8.1/CMP

Hey folks,
Is there any way to configure WLS 8.1 to automatically set the Oracle CLIENT_IDENTIFIER
variable or use Oracle Proxy Authentication on JDBC connections? I'm interested
in using Oracle auditing with my CMP entity beans, but would like to capture the
app tier user identity, instead of the data source pool user.
Thanks.

"Brent Smith" <[email protected]> wrote in message
news:3fa15807$[email protected]..
>
Hey folks,
Is there any way to configure WLS 8.1 to automatically set the OracleCLIENT_IDENTIFIER
variable or use Oracle Proxy Authentication on JDBC connections? I'minterested
in using Oracle auditing with my CMP entity beans, but would like tocapture the
app tier user identity, instead of the data source pool user.
I would ask in the weblogic.developer.interest.jdbc newsgroup.

How to pass Proxy user dynamically in Toplink proxy authentication?

Hi,
I'm using Toplink Proxy Authentication with my ADF JSF application and want to pass the Proxy user dynamically to the preLogin(..) method of mySessionEventListener (Currently proxy user is hard coded).
This is to make my application user as the Proxy user.
I have tried to do this in two ways:
1) In my Login screen Backing Bean, I retrieve the session as
session = sessionFactory.acquireSession(); and set the application user in it as
session.setProperty("proxyUser1", inputText1.getValue());
But,
session.getProperty("proxyUser1") returns null in the preLogin(..) method
2) I add a loginUser property to the mySessionEventListener class and create a constructor to set it.
Then I call the constructor from my Login Backing Bean as
mySessionEventListener eventMgr = new mySessionEventListener(<proxy_user>);
session.getEventManager().addListener( eventMgr );
But, the loginUser property seeems to be transient and does not retain value when retrieved in preLogin(..) method.
Please indicate if anything is wrong. Also, is there any other way to get this done?
Thanks in advance.
Vikas

Hi Vikas,
Probably your sessions.xml defines a ServerSession, and acquireSession method returns a ClientSession. ServerSession is the object that connects to the database, it may have any number of ClientSessions associated with it - all of them use connections provided by ServerSession's connection pools.
So if you'd like to alter the serverSession before login, acquireSession is too late - it triggers login of the ServerSession and returns a ClientSession.
To get the ServerSession before login:
// the first param indicates that the session shouldn't be connected
Session serverSession = sessionFactory.getSharedSession(false, false);Now you have a serverSession on which login hasn't been called yet.
You can set the property into the session, or directly into its login.
In fact you may choose to do whatever you wanted to do in preLogin right here - in this case no preLogin event would be required of course.
Finally to get a ClientSession, call the same api did:
// the first param indicates that the session shouldn't be connected
Session clientSession = sessionFactory.getSession();On the first such call the ServerSession will be connected.
Note that because all the ClientSessions will connect through the connections provided by the same ServerSession they will all use proxyUser1.
If you are interested in using different proxy users for different ClientSessions http://www.oracle.com/technology/products/ias/toplink/doc/1013/main/_html/dblgcfg008.htm#BABDABCF lists several scenarios for that.
Andrei

N-Tier proxy authentication.

I need to implement N-Tier proxy authentication, could some one point me to right link. I found some on the Oracle Doc, buts not helping me , because it does not provide any code or example.
http://download-west.oracle.com/docs/cd/B13789_01/network.101/b10777/authuser.htm#1006352
and
http://download-west.oracle.com/docs/cd/B10501_01/appdev.920/a96590/adgsec03.htm#1004584
We have 9iAS, OID and 9iDB Rel2 and some other application server ie Cold Fusion etc, application are written in Cold Fusion and user login , I would like them to be authenticated via OID. I donot want to create a dtabase user for every application user too. We would like to use OID, however, we are also planning to use Fine Grained Security Control ( FGSC) too for row level security.
Thanks
Suhail

Bad news
Basically it is only supported when via Oracle Portal. I am not sure of the exact implementation and how it may work with providers for oracle portal.
Now the good news,
I have a way by implementing a couple of simple internal pl/sql packages that mod_plsql utilizes you can support n-tier proxy authentication with certs with or without Oracle SSO.

Proxy servlet with reports

Has any one used a proxy servlet with reports to hide all the URL parms???
We are about to try this, so just wanted to see if any one has an comments or suggestions.

Just in case you do not know the following
You can also use cgicmd.dat file for mapping key-value pairs and then use the key in url
The file is in $OH\reports\conf\cgicmd.dat
you can define key like
mykey1: report=test.rdf .....<other comd line args>
and
use key in url
http://machine/servlet/rwservlet?mykey1
More examples in that file itself
[    All Docs for all versions    ]
http://otn.oracle.com/documentation/reports.html
[     Publishing reports to web - 10G ]
http://download.oracle.com/docs/html/B10314_01/toc.htm (html)
http://download.oracle.com/docs/pdf/B10314_01.pdf (pdf)
[   Building reports - 10G ]
http://download.oracle.com/docs/pdf/B10602_01.pdf (pdf)
http://download.oracle.com/docs/html/B10602_01/toc.htm (html)
[   Forms Reports Integration whitepaper 9i ]
http://otn.oracle.com/products/forms/pdf/frm9isrw9i.pdf
---------------------------------------------------------------------------------

Deployment using JDBC DataSource instead of JDBC URL

Hello,
I've noticed some strange behaviour when deploying an ADF application (11g, latest release) to a WLS (integrated or stand-alone), when using JDBC DataSource as a connection type for the application module.
Normally, when you create your Business Components, a Database Connection is added to the Application Resources panel, eg MyConnection. If you then set your AM to JDBC DataSource instead of JDBC URL, the default datasource would be jdbc/MyConnectionDS. To make the application use the DataSource defined on the WLS, I then uncheck "Auto Generate and Synchronize weblogic-jdbc.xml Descriptors during deployment" in the Application Properties > Deployment tab.
So far so good: after deployment to the WLS, the application uses the DataSource defined on the WLS server (jdbc/MyConnectionDS). When changing it on the server to another database, the application indeed uses this other database. Also, the following is automatically added to the web.xml during deployment to .ear file:
<resource-ref>
    <res-ref-name>jdbc/MyConnectionDS</res-ref-name>
    <res-type>javax.sql.DataSource</res-type>
    <res-auth>Container</res-auth>
</resource-ref>Now the part that doens't make sense to me: if I delete the password in the Database Connection under Application Resources, I can still deploy the application, but the jdbc/MyConnectionDS on the WLS is not found anymore. While it is still there. I get the following error message:
Unable to lookup Data Source at context java:comp/env/jdbc/MyConnectionDS
oracle.jbo.DMLException: JBO-27200: JNDI failure. Unable to lookup Data Source at context java:comp/env/jdbc/MyConnectionDS
I made the JDev connection (used at development) invalid, and the deployed application stops working (at runtime). While it should just be using the JDBC DataSource defined on the WLS, that is still there. The reason appears to be that when there is no password in the Database Connection in JDev, the entry in the web.xml (see above) is not made during deployment.
I am doing something wrong? Or is this "expected" behaviour?
The reason why it bothers me: I have made a reusable component (a Data Control, let's call it A) from a model project, by deploying it to a ADF library JAR. I've set the AM of this project to use a certain jdbc datasource, which will be defined on the WLS.
When importing the library JAR of A inside another application (B), the connection of the A is added to B. But ofcourse, without the password for security reasons, so we're in the situation described above: When I deploy the new application B, the web.xml is not updated with the DataSource of A, and the application doens't work. And what I would like to avoid, is that whenever someone uses component A, that they have to update the connection details of component A in application B. Because when I fill in the password of application A's Database Connection in application B, all works well again.
I hope this question makes sense. :-)
Thanks in advance,
Chris

Arun and Krithika,
Thanks for your replies. I have already done what both of you suggested:
Chris Schryvers wrote:
I then uncheck "Auto Generate and Synchronize weblogic-jdbc.xml Descriptors during deployment" in the Application Properties > Deployment tab.I can get it to work, both for deployment on the internal WLS as on a stand-alone WLS.
My only question is: why does a property at development time (the empty password of the JDev connection) influence the runtime behaviour (the JDBC DataSource not being found after deployment).
Ofcourse, setting the password for the connection in JDev "solves" the problem. But I want to avoid that everyone who uses the reusable component needs to fill in the password for its database connection. In my opinion, that's the whole point of using a JDBC datasource instead of a JDBC URL: the reusable component just states that there needs to be a jdbc/MyConnectionDS on the server and it can be used as is. Wihtout any modifications at development time.
What's more:
Suppose I import the reusable JAR and its connection is added to JDev, without password.
*) Leaving the password empty: DS not found after deployment (web.xml not adjusted, as mentioned in my original post)
*) Entering the correct password: DS found, web.xml adjusted at deploy time.
*) Entering an incorrect password: DS found, web.xml adjusted at deploy time.
It even works when I enter an incorrect password, which proves that the JDBC DataSource on the server is used, instead of the JDev connection. Then why is the web.xml not adjusted when the password remains empty?
Arun, I'll check the documention that you linked to, but this just seems like an weird decision in the implementation of JDev/ADF. :-)

SSL connection with JDBC thin driver

I am attempting to connect to an instance of Oracle 10.2 using the JDBC thin driver with SSL. I want to use the encryption feature of SSL only, but I can not perform the getConnection on the DataSource without running into an exception. According the JDBC docs, the SSL encryption feature is new for the 10.2 release of the JDBC thin driver, but I have seen no working examples. See http://download.oracle.com/docs/cd/B19306_01/java.102/b14355/overvw.htm#CHDIHFBD
I am using ojdbc14.jar on Java 5.0 using a standalone application, and it fails with an IOException (The network adapter could not establish the connection) (Error code 17002). I even enabled tracing using the ojdbc-g.jar to try to figure out what the REAL problem is, but it was not helpful at determining a root cause. I changed the driver type from "thin" to "oci" (and installed Oracle Instant client for my test machine) and the connection works just fine using the same tnsnames file, the same wallet, and the same cipher suite. From the Java perspective the only thing that changed was four characters -> "thin" became "oci". I am still using password based authentication as I understand that the authentication part of SSL is not supported in the thin driver on 10.2
Can anyone verify that the SSL encryption works with JDBC thin as advertised? (not the Oracle Net encryption, but rather the one described in Chapter 11 of the JDBC Developer's Guide. See http://download.oracle.com/docs/cd/B19306_01/java.102/b14355/sslthin.htm#CHDFEICG
I really would prefer to avoid using the OCI driver because of its dependencies on the native platform. Is there something special with how the users are created or how the JDBC API should be used? I am setting what I think to be appropriate parameters (oracle.net.wallet_location, oracle.net.cipher_suites) all to no avail. Does anyone have a working example they can provide?

1) I would suggest posting this question over in the JDBC forum. The folks over there are far more likely to be able to help you.
2) When you do post this question over there, I would strongly suggest posting some sample code/ configuration scripts so that folks can reproduce your problem on their local machines. That tends to make it far easier to debug the problem and/or to notice if you've missed a step.
Justin

Issues with JDBC Connection Pooling

Hi all,
I'm experiencing some unexpected behaviour when trying to use JDBC Connection Pooling with my BC4J applications.
The configuraiton is -
Web Application using BC4J in local mode
Using Default Connection Stagegy
Stateless Release Mode
Retrieving Application Modules using Configuration.createRootApplicationModule( am , cf );
Returning Application Modules using Configuration.releaseRootApplicationModule( am, false );
Three application modules
AppModuleA - connects to DatabaseConnection1
AppModuleB - connects to DatabaseConnection2
AppModuleC - connects to DatabaseConnection2
My requirement is to -
Use App Module Pooling and have individual pool for each Application Module
Use JDBC Pooling and have individual pool for each Database connection
Note: All configuration was achieved in design mode (i.e. right clicking AppModule->Configurations...)
1. Initial approach -
In the configuration for each Application Module I specified the connection type as 'JDBC Datasource' and specified to approriate datasource.
Tried setting doConnecitonPooling to 'true' as well as 'false'
In the data-sources.xml I specified all the appropriate info including min-connections and max-connections.
I would expect, with the above config that BC4J would use OC4J's built in JDBC connection pooling.
2. Second approach -
In the configuration for each Application Module I specified the connection type as JDBC URL.
In the configuration I specified doConnectionPooling = 'true' as well as the max connection, max available and min available
What I experienced in both cases was that the max connections seem to be ignored as the number of connection as reported by the database (v$session) was exceeded by more than 10.
In addition to this once the load was removed the number of JDBC connecitons did not drop (I would have expected it to drop to max available connections)
My questions are -
1. When specifying to use a 'JDBC Datasource' style of connection, is it in fact OC4J that is then responsible for pooling JDBC connections? And in this case should BC4J's doConnectionPooling parameter be set to true or false?
2. Are there any known issues with the use of the JDBC Conneciton Pool as stated by the above to approaches?

Thanks for the additional info. Please see my comments. below.
Sorry should have been more specififc -
1. Is each application pool using a different JDBC user? You mentioned DatabaseConnection1 and DatabaseConnection2
above; are these connections to different schemas / users? If so, BC4J will create a separate connection pool for each
JDBC user. Each connection pool will have its own maximum pool size.
Each 'DatabaseConnection' refers to a different database, actually hosted on a seperate physical server, different
schema and different user.BC4J will maintain a separate connection pool for each permutation of JDBC URL / schema. If each user is connecting
to a different DB instance then I would expect no greater than 10 DB sessions. However, if a DB instance is hosting
more than user then I would expect greater than 10 DB sessions (though still no more than 10 DB sessions per user).
2. Are all the v$session sessions related to the JDBC clients? There should be at least one additional database
session which will be related to the session that is querying v$session.
When querying the v$session table I specifically look for connections from the user in quesiton and from the machine
name in question and in doing so eliminate the database system's connections, as well as the query tools'
connection. One area I'm not sure about is the connection BC4J uses to write to its temporary tables. I am using
Stateless release mode and have not explicetly stated to save to the database but I'm wondering if it still does if so
and how does it come into the equation with max connections?BC4J's internal connections are also pooled and the limits apply as mentioned above. So, if you have specified
internal connection info for a schema which is different than the users above I would expect the additional conns.
One helpful diagnostic tool, albeit programmatic, might be to print the information about the connection pools after
your test client(s) have finished. This may be accomplished as follows:
// get a reference to the BC4J connection pool manager
import oracle.jbo.server.ConnectionPoolManagerFactory;
import oracle.jbo.server.ConnectionPoolManagerImpl;
import oracle.jbo.pool.ResourcePool;
import java.io.PrintWriter;
import java.util.Enumeration;
// get the ConnectionPoolManager. assume that it is an instance of the supplied manager
ConnectionPoolManagerImpl mgr = (ConnectionPoolManagerImpl)ConnectionPoolManagerFactory.getConnectionPoolManager();
Enumeration keys = mgr.getResourcePoolKeys();
PrintWriter pw = new PrintWriter(System.out, true);
while (keys.hasMoreElements())
Object key = keys.nextElement();
ResourcePool pool = (ResourcePool)mgr.getResourcePool(key);
System.out.println("Dumping pool statistics for pool: " + key);
pool.dumpPoolStatistics(pw);
}

Problem with JDBC and Tomcat

I don't know where the problem originate, the only thing in my memory is that the program worked very well on my PC yesterday, but today, without even slightest change, it doesn't work anymore. As to debug it, I simplified the codes to the least, but it still refuse to work. I was beaten down by this problem totally, and cannot make out any solution for it, so, I come here, hoping to find a warrior to kill this damned bug for me.
My program is a Servlet, but for the purpose of debugging, I have recode it to an Application/Servlet. When run as a application, I can get the result expected, but as a Servlet, :-(, maybe you should see it by yourself. My server software is Tomcat 4.1.15, and the JDK version is 1.4.0. To excute this program, you should add Data Source "Test" to ODBC.
///////////////////////code begins/////////////////////////
import java.sql.*;
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;
import java.util.*;
public class Ex extends HttpServlet
     int ErrorType = 0;
     String err = new String("");
     public static void main(String args[]) throws Exception{
          Ex cEx = new Ex();
          cEx.init();
          System.out.println(cEx.ErrorType);
     public void init() {
          String url = "jdbc:odbc:Test";
          ErrorType = 3;     //passed
          try{
               Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
          } catch (ClassNotFoundException e) {
               e.printStackTrace();
               ErrorType = 1; //trapped in Class.forName
          try{
               Connection c = DriverManager.getConnection(url);
          } catch (SQLException e) {
               e.printStackTrace();
               ErrorType = 2; //trapped in DriverManager.getConnection
               err = e.getMessage();
     public void service(HttpServletRequest req, HttpServletResponse res)
               throws IOException {
          res.setContentType("text/html; charset=GB2312");
          PrintWriter out = res.getWriter();
          out.println("Success " + "<p>" + ErrorType + "<p>" +err);
          out.close();
//////////////////////////code ends///////////////////////////////
The result from the Servlet tell me that the problem occurred within the connection process, I don't know who should be responsible to this - Tomcat or JDBC?

If you could print the exception that you got then that would help :) In the mean time, I could make a guess. It is unlikely that your application server (in this case, Tomcat) is blocking connections from your servlet. So the problem is either with JDBC directly or with the underlying datasource. It seems unlikely that it is JDBC given that you have stated that the code has not changed and it works in application form.
My guess would be that you are coming up against some sort of security constraint (eg: your DBMS is letting you log in from one IP but not another?, your Java plug-in security policy is disallowing the connection?). It's hard to say.
But if it works as an application but not via a servlet then you could try putting this in your java.policy file, which is located in the directory where your plug-ins are installed (eg: "C:\Program Files\Java\<version>\lib\security\") on Windows systems;
permission java.net.SocketPermission "bend xp:1099", "listen,connect,accept";
Try that, see if it works :)
Ben

Proxy Authentication with JDBC Datasource instead of JDBC URL?

Similar Messages

Maybe you are looking for