APEX

APEX 5.1 is Here!

It’s here! Without much fanfare APEX 5.1 became available for download on December 21, 2016! With all the holiday stuff going on I missed it until after the first of the year.

Here’s where you can download APEX 5.1 and find out more:

http://www.oracle.com/technetwork/developer-tools/apex/downloads/download-085147.html

APEX 5.1 is a significant release and should be pretty stable considering the long beta program and early adopter programs it went through.

Major new features include:

The Eternal Newbie

It’s been over a decade since I first heard Tom Kyte talking about Project Marvel, which eventually became Application Express (APEX). Since then I’ve “used” just about every version of APEX. I use the term “used” very loosely, because I typically use APEX for a few days to get a job done, then never touch it again for months. By the time I come back, I pretty much have to start the learning process from the beginning again.

APEX 5.0.2 : Let’s get patching!


APEX 5.0.2 was released just before OOW15. Today is my first day back to work, so I’ve started to patch some stuff. We were already on APEX 5.0.1 across the board, so we didn’t need to do any full installations, just patches.

So far, so good. No problems in any Dev or Test databases. I expect a pretty quick roll-out across the board.

Cheers

Tim…

APEX 5.0.1 : We’re all patched up!

APEX 5.0.1 was released about a week ago. I started to patch some stuff straight away. We were already on APEX 5.0 across the board, so we didn’t need to do any full installations, just patches.

During the patching I noticed we were getting some issues with supposed misconfiguration of static files. After clearing my browser cache, the message went away, so I tweeted this.

Deploying Application Express with Delphix

VDBs

Seamless cloning of an application stack is an outstanding goal. Seamless cloning of an application stack including the full production database, application server, and webserver in a few minutes with next to zero disk space used or configuration required is the best goal since Alexander Graham Bell decided he wanted a better way to tell Mr. Watson to “come here.”

Oracle XFILES now on GitHub

The demonstration environment for Oracle XML DB called XFILES is now on GitHub. As stated…

HOWTO – Oracle Shared Server Setup

A customer of mine ran out of memory due to too many server processes of dedicated connected client sessions. As an alternative I tried to explain the options between DEDICATED and SHARED SERVER concepts as an initial attempt/workaround for the client software problems. Looking around on the internet for pictures and/or newbie documentation, I found …

OOW 2011 – What’s New, Improved and Coming in Oracle Application Development

Currently at Tom Kyte’s session regarding topics new, improved or coming in Oracle Application Development. Tom told about the history APEX has gone thru and the current setup with the APEX Listener and even the “PL/SQL Gateway” was mentioned. I always have to laugh a bit because this last one touches the XDB Protocol Server …

The “XFILES APEX Community Edition” (XACE) is available for download

For all those who want to see and learn what you can do when combining the power of Oracle XMLDB and Oracle APEX, an alternative APEX XFILES application is now available for download via http://xace.sourceforge.net. It is based on the combined efforts of Mark Drake and Carl Backstrom to convert the XMLDB XFILES demo application towards APEX. This “XFILES APEX Community Edition”, XACE for short to make a distinction with the more sophisticated official XFILES XMLDB demo application, demonstrates an implementation of versioning based on DBMS_XDB_VERSION and APEX as UI.

Also, for Roel Hartman and me, it’s an exercise to demonstrate what you can learn while “standing on the shoulders of giants”. Also, in the spirit of Carl Backstrom, we want to share our knowledge with the community and give “it” back in the hope you will also get excited about these two very powerful options in the Oracle database.

We use this XACE application to help us with our presentation to demonstrate APEX versioning, so if you are interested and have the chance to see us (and ask questions afterwards) during Kaleidoscope 2011 or (shameless plug here) vote for us on Oracle mix so we are able to present these techniques on Oracle Open World this year as well (“XFILES, The APEX 4 version – The truth is in there“).

The more important below…

Download the XFILES XMLDB source via: http://www.oracle.com/technetwork/database/features/xmldb/index.html (among others webservices, geo location app, version control and more)
You can also download the OTN Developer Days Virtualbox environment to play with a fully installed XMLDB XFILES appl. (example 3 of the “Oracle By Example” XMLDB series).

Last but not least…

If you like it, in the light of the community

  • share it
  • learn from it
  • participate (and help to make it better)

…and if you really like the effort done, by the community, donate some of your bucks on “Carl’s Memorial Fund” ! (more info here: http://carlback.blogspot.com/ or under the “donate” link of http://xace.sourceforge.net).

Hope you have some fun with it.

On behalf of…

M.

The Oracle XMLDB “anonymous” user account

Trying here to be as correct as possible, as far as I understand it currently.

ANONYMOUS is an Oracle user account specifically designed for HTTP access. It has only one system privilege, “create session”, and the account is locked by default. If it is unlocked, it is only used for HTTP access via the XDB Protocol Server, aka PL/SQL Gateway, and can access objects in the XDB Repository that are protected by an ACL (Access Control List) mentioning this “principal”.

By default there is no ACL file that grants any privilege to this “user” ANONYMOUS. When APEX is installed, there will be a /sys/acls/ro_anonymous_acl.xml file that grants read access to the /images/ or /i/ directory (depending on the APEX version). If you lock ANONYMOUS or remove the privileges defined in that ACL, APEX can no longer show or access the files in that XDB Repository folder (/images, /i), should you need to access them. With the APEX Listener setup, for example, the application images and help doc images are stored locally on the server and not in the database, so in principle there is no need to access those image directories in the database.

Example of an ACL that can be used by XDB and that grants read-properties and read-contents rights on all objects protected by this ACL:

<acl description="File /sys/acl/my_acl.xml"
     xmlns="http://xmlns.oracle.com/xdb/acl.xsd"
     xmlns:dav="DAV:"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://xmlns.oracle.com/xdb/acl.xsd
                         http://xmlns.oracle.com/xdb/acl.xsd">
  <ace>
    <principal>ANONYMOUS</principal>
    <grant>true</grant>
    <privilege>
      <read-properties/>
      <read-contents/>
      <resolve/>
    </privilege>
  </ace>
</acl>

By default, when a resource (a file or folder) is created by a process, it gets the privileges defined in the bootstrap ACL (which is protected by itself). So no privileges are granted to the ANONYMOUS account by default. And even when unlocked, this user by default only opens up hierarchy-enabled, XDB Repository related objects. Mind the words “by default”: it is possible to open up and overrule the default security rules in place by altering the content of the ACL defaults (which could be considered a security breach). For example, you could alter the contents of the bootstrap_acl.xml file in such a way if you have malicious intentions from within the database, but you would need very powerful database account access to start with to make this happen.

Example of the default content of the bootstrap_acl.xml file:

SQL> SELECT xdburitype('/sys/acls/bootstrap_acl.xml').getCLOB() FROM dual;

<acl description="Protected:Readable by PUBLIC and all privileges to OWNER"
     xmlns="http://xmlns.oracle.com/xdb/acl.xsd"
     xmlns:dav="DAV:"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://xmlns.oracle.com/xdb/acl.xsd
          http://xmlns.oracle.com/xdb/acl.xsd">
  <ace>
    <principal>dav:owner</principal>
    <grant>true</grant>
    <privilege>
      <all/>
    </privilege>
  </ace>
  <ace>
    <principal>XDBADMIN</principal>
    <grant>true</grant>
    <privilege>
      <all/>
    </privilege>
  </ace>
  <ace>
    <principal>PUBLIC</principal>
    <grant>true</grant>
    <privilege>
      <read-properties/>
      <read-contents/>
      <read-acl/>
      <resolve/>
    </privilege>
  </ace>
</acl>

Be aware that, although the PUBLIC ACE (Access Control Entry) sounds dangerous, it only means that DIRECT access to the objects from within the database, via database accounts, is possible. This is not possible via HTTP (by default). For example, the APEX /images directory is protected only for read-only access by the principal ANONYMOUS, which means that PL/SQL packages etc. (owned/executed by users from WITHIN the database) will not have access to these image files.

The “service” provided via the XDB Protocol Server and its access rules are defined in the xdbconfig.xml configuration file. The services defined there (for example APEX’s entries via PL/SQL, that is, via the PL/SQL gateway) link to the “principal” to be used for that specific service (ANONYMOUS in the case of APEX): a security access owner, role, trusted user or LDAP definition.

Normally an anonymous user is a user whose credentials have not been validated (hence unauthenticated) and who is permitted access only to unprotected resources. By default, however, all objects created in the XDB repository are protected by the default bootstrap ACL, and in normal cases an ACL with a defined ANONYMOUS principal is not created and does not exist in the database. Even if it did, you would still need entries in the xdbconfig.xml file that link the (unlocked) ANONYMOUS account to a defined service that grants you access or an entry point to the database.

The underlying security mechanism implemented by Oracle is the same as for the database, and it also uses the advanced security feature VPD. Because Oracle itself makes use of this, an extra license is not needed for this advanced security feature, as long as you don’t use it yourself. Oracle XMLDB itself is a “no cost option” that comes along when you buy the licenses needed for your database software.
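
As an added example (not code from the original post), the sketch below parses ACL documents in the layout shown above, such as ones retrieved with the xdburitype(...).getCLOB() query, and reports every ACE that grants privileges to ANONYMOUS, marking anything beyond the read-only set for review. The function names, the READ_ONLY baseline and the example_wide_acl.xml path are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

ACL_NS = "{http://xmlns.oracle.com/xdb/acl.xsd}"
# Privileges granted by the page's read-only ANONYMOUS ACL; others get flagged.
READ_ONLY = {"read-properties", "read-contents", "resolve"}

def parse_acl(xml_text):
    """Return (principal, granted, privilege names) for every ACE in an ACL."""
    aces = []
    for ace in ET.fromstring(xml_text).findall(ACL_NS + "ace"):
        principal = (ace.findtext(ACL_NS + "principal") or "").strip()
        granted = (ace.findtext(ACL_NS + "grant") or "").strip().lower() == "true"
        priv = ace.find(ACL_NS + "privilege")
        # Drop the namespace part so only the privilege's local name is compared.
        names = {p.tag.rsplit("}", 1)[-1] for p in priv} if priv is not None else set()
        aces.append((principal, granted, names))
    return aces

def audit_anonymous(acls):
    """acls maps repository path -> ACL XML. Report each grant to ANONYMOUS."""
    findings = []
    for path, xml_text in sorted(acls.items()):
        for principal, granted, names in parse_acl(xml_text):
            if principal.upper() == "ANONYMOUS" and granted:
                extra = sorted(names - READ_ONLY)
                findings.append((path, "REVIEW" if extra else "read-only", extra))
    return findings

def make_acl(aces):
    """Build a constructed ACL document in the layout of the page's examples."""
    parts = []
    for principal, privs in aces:
        tags = "".join("<%s/>" % p for p in privs)
        parts.append("<ace><principal>%s</principal><grant>true</grant>"
                     "<privilege>%s</privilege></ace>" % (principal, tags))
    return ('<acl xmlns="http://xmlns.oracle.com/xdb/acl.xsd" '
            'xmlns:dav="DAV:">%s</acl>' % "".join(parts))

READ = ["read-properties", "read-contents", "resolve"]
SAMPLE_ACLS = {  # constructed input mirroring the page's two ACLs plus one wide grant
    "/sys/acl/my_acl.xml": make_acl([("ANONYMOUS", READ)]),
    "/sys/acls/bootstrap_acl.xml": make_acl(
        [("dav:owner", ["all"]), ("XDBADMIN", ["all"]), ("PUBLIC", READ + ["read-acl"])]),
    "/sys/acls/example_wide_acl.xml": make_acl([("ANONYMOUS", ["all"])]),  # hypothetical
}

if __name__ == "__main__":
    for finding in audit_anonymous(SAMPLE_ACLS):
        print(finding)
```

The bootstrap ACL produces no finding because it names PUBLIC, dav:owner and XDBADMIN but not ANONYMOUS; an ACE with grant set to false is skipped as well.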

This is a backup copy of an XMLDB OTN Forum Thread.