A customer of mine ran out of memory due to too many server processes of dedicated connected client sessions. As an alternative I tried to explain the options between DEDICATED and SHARED SERVER concepts as an initial attempt/workaround for the client software problems. Looking around on the internet for pictures and/or newbie documentation, I found …
Currently at Tom Kyte’s session regarding topics new, improved or coming in Oracle Application Development. Tom told about the history APEX has gone through and the current setup with the APEX Listener, and even the “PL/SQL Gateway” was mentioned. I always have to laugh a bit because this last one touches the XDB Protocol Server …
For all those to see and learn what you can do when combining the power of Oracle XMLDB and Oracle APEX an alternative APEX XFILES application is now available for download via http://xace.sourceforge.net. It is based on the combined efforts of Mark Drake and Carl Backstrom to convert the XMLDB XFILES demo application towards APEX. This “XFILES APEX Community Edition”, XACE for short to make a distinction with the more sophisticated official XFILES XMLDB demo application, demonstrates an implementation of versioning based on DBMS_XDB_VERSION and APEX as UI.
Also, for Roel Hartman and me, it’s an exercise to demonstrate what you can learn while “standing on the shoulders of giants”. Also, in the spirit of Carl Backstrom, we want to share our knowledge with the community and give “it” back in the hope you will also get excited about these two very powerful options in the Oracle database.
We use this XACE application to help us with our presentation to demonstrate APEX versioning, so if you are interested and have the chance, see us (and ask questions afterwards) during Kaleidoscope 2011 or (shameless plug here) vote for us on Oracle mix so we are able to present these techniques at Oracle Open World this year as well (“XFILES, The APEX 4 version – The truth is in there“).
The more important below…
Download the XFILES XMLDB source via: http://www.oracle.com/technetwork/database/features/xmldb/index.html (among others webservices, geo location app, version control and more)
You can also download the OTN Developer Days Virtualbox environment to play with a fully installed XMLDB XFILES appl. (example 3 of the “Oracle By Example” XMLDB series).
Last but not least…
If you like it, in the light of the community
…and if you really like the effort done, by the community, donate some of your bucks on “Carl’s Memorial Fund” ! (more info here: http://carlback.blogspot.com/ or under the “donate” link of http://xace.sourceforge.net).
Hope you have some fun with it.
On behalf of…
Trying here to be as correct as possible, as far as I understand it currently.
ANONYMOUS is an Oracle user account specifically designed for HTTP access. It has only one system privilege, “create session”, and the account is locked by default. If it is unlocked, it is only used for HTTP access via the XDB Protocol Server, aka PL/SQL Gateway, and can access objects in the XDB Repository that are protected by an ACL (Access Control List) mentioning this “principal”.
By default there is no ACL file that grants any privilege to this “user” ANONYMOUS. When APEX is installed, there will be a /sys/acls/ro_anonymous_acl.xml file that grants read access to the /images/ or /i/ directory (depending on the APEX version). If you lock ANONYMOUS or remove the privileges defined in the ACL, then APEX cannot show/access the files in that XDB Repository folder (/images, /i), should you need to access them. For example, when using the APEX Listener setup, the application images and help doc images are stored locally on the server and not in the database, so in principle there is no need to access those image directories in the database.
Example of an ACL which can be used by XDB and which grants read-properties and read-contents rights on all objects that are protected by this ACL:
    <acl description="File /sys/acl/my_acl.xml"
         xmlns="http://xmlns.oracle.com/xdb/acl.xsd"
         xmlns:dav="DAV:"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.oracle.com/xdb/acl.xsd http://xmlns.oracle.com/xdb/acl.xsd">
      <ace>
        <principal>ANONYMOUS</principal>
        <grant>true</grant>
        <privilege>
          <read-properties/>
          <read-contents/>
          <resolve/>
        </privilege>
      </ace>
    </acl>
By default, when a resource (a file or folder) is created by a process, it gets the privileges defined in the bootstrap ACL (which is protected by itself). So no privileges are granted to the ANONYMOUS account by default. And even when unlocked, this user only opens up, by default, to hierarchy-enabled, XDB Repository related objects. Mind the words “by default”: it is possible to open up and overrule the default security rules in place by altering the content of the ACL defaults (which could be considered a security breach). For example, you could alter the contents of the bootstrap_acl.xml file in such a way if you had malicious intentions from within the database, but you would need very powerful database account access to start with anyway to make this happen.
Example of the default content of the bootstrap_acl.xml file:
    SQL> SELECT xdburitype('/sys/acls/bootstrap_acl.xml').getCLOB() FROM dual;

    <acl description="Protected:Readable by PUBLIC and all privileges to OWNER"
         xmlns="http://xmlns.oracle.com/xdb/acl.xsd"
         xmlns:dav="DAV:"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.oracle.com/xdb/acl.xsd http://xmlns.oracle.com/xdb/acl.xsd">
      <ace>
        <principal>dav:owner</principal>
        <grant>true</grant>
        <privilege>
          <all/>
        </privilege>
      </ace>
      <ace>
        <principal>XDBADMIN</principal>
        <grant>true</grant>
        <privilege>
          <all/>
        </privilege>
      </ace>
      <ace>
        <principal>PUBLIC</principal>
        <grant>true</grant>
        <privilege>
          <read-properties/>
          <read-contents/>
          <read-acl/>
          <resolve/>
        </privilege>
      </ace>
    </acl>
Be aware that, although the PUBLIC ACE (Access Control Entry) sounds dangerous, it only means that DIRECT access to the objects from within the database, via database accounts, is possible. This is not possible via HTTP (by default). An example to this effect is the APEX /images directory, which is protected only for read-only access by the principal ANONYMOUS: this means that PL/SQL packages (owned/executed by users from WITHIN the database), etc., will not have access to these image files.
The “service” provided via the XDB Protocol Server and its access rules are defined in the xdbconfig.xml configuration file. Each service defined in this xdbconfig.xml file (for example APEX’s entries via PL/SQL, that is, via the PL/SQL gateway) links up to the “principal” to be used (ANONYMOUS in the case of APEX): the security access owner, role, trusted user or LDAP definition for that specific service.
Normally an anonymous user is a user whose credentials have not been validated (hence unauthenticated) and who is permitted access only to unprotected resources. By default, however, all objects created in the XDB Repository are protected by the default bootstrap ACL, and in normal cases an ACL with a defined ANONYMOUS principal is not created and does not exist in the database. Even if it did, you would still need entries in the xdbconfig.xml file that link the (unlocked) ANONYMOUS account with a defined service that grants you access or an entry point to the database.
The underlying security mechanism implemented by Oracle is the same as for the database, and it also uses the advanced security feature VPD. Because Oracle itself makes use of this, an extra license is not needed for this advanced security feature, as long as you don’t use it yourself. Oracle XMLDB in itself is a “no cost option” that comes along when you buy the licenses needed for your database software.
This is a backup copy of a XMLDB OTN Forum Thread.
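To check which ACL documents actually name the ANONYMOUS principal, here is a small audit script, added as an example and not part of the original post. It assumes the ACL files have already been read out of the repository as text, and it uses a simplified evaluation model in which ACEs are read in document order and the first ACE mentioning a privilege decides it; the sample ACLs and the deny-first path are constructed.

```python
import xml.etree.ElementTree as ET

ACL_NS = "http://xmlns.oracle.com/xdb/acl.xsd"  # namespace of the ACLs shown above

def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def effective_grants(acl_xml, principal="ANONYMOUS"):
    """Return the sorted privileges one ACL document grants to `principal`.

    Assumption (simplified model): ACEs are read in document order and the
    first ACE naming a privilege decides it; an earlier deny of <all/>
    masks every later grant.
    """
    decided, denied_all = {}, False
    for ace in ET.fromstring(acl_xml).findall(f"{{{ACL_NS}}}ace"):
        who = (ace.findtext(f"{{{ACL_NS}}}principal") or "").strip()
        if who.upper() != principal.upper():
            continue
        grant = (ace.findtext(f"{{{ACL_NS}}}grant") or "").strip().lower() == "true"
        privs = ace.find(f"{{{ACL_NS}}}privilege")
        for p in (privs if privs is not None else []):
            if grant and denied_all:
                continue
            decided.setdefault(_local(p.tag), grant)
            if _local(p.tag) == "all" and not grant:
                denied_all = True
    return sorted(name for name, ok in decided.items() if ok)

def audit(acls, principal="ANONYMOUS"):
    """Map ACL path -> privileges granted to `principal`, omitting empty results."""
    found = {path: effective_grants(text, principal) for path, text in acls.items()}
    return {path: privs for path, privs in found.items() if privs}

def _acl(*aces):
    """Build a constructed sample ACL from (principal, grant, privileges) tuples."""
    body = "".join(
        f"<ace><principal>{who}</principal><grant>{str(g).lower()}</grant>"
        f"<privilege>{''.join(f'<{p}/>' for p in privs)}</privilege></ace>"
        for who, g, privs in aces)
    return f'<acl xmlns="{ACL_NS}">{body}</acl>'

SAMPLE_ACLS = {  # constructed samples modelled on the two ACLs in the post
    "/sys/acl/my_acl.xml": _acl(
        ("ANONYMOUS", True, ["read-properties", "read-contents", "resolve"])),
    "/sys/acls/bootstrap_acl.xml": _acl(
        ("dav:owner", True, ["all"]), ("XDBADMIN", True, ["all"]),
        ("PUBLIC", True, ["read-properties", "read-contents", "read-acl", "resolve"])),
    "/sys/acls/hypothetical_deny_first_acl.xml": _acl(  # hypothetical path
        ("ANONYMOUS", False, ["read-contents"]),
        ("ANONYMOUS", True, ["read-properties", "read-contents"])),
}

if __name__ == "__main__":
    for path, privs in audit(SAMPLE_ACLS).items():
        print(path, "->", ", ".join(privs))
```

The bootstrap ACL does not appear in the output because it has no ACE for ANONYMOUS, which matches the default described above.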
Roel Hartman and I are currently very busy with our Kaleidoscope 2011 presentation “XFiles, the APEX Version: The Truth is in There…“. During this presentation, we will demonstrate the awesome possibilities you can create when you combine the APEX and XMLDB functionality of the APEX database environment. And as you probably also know, these are two “no cost options” delivered with your Oracle database. Our first presentation/demo will be at the AMIS Kaleidoscope Preview Sessions on the 14th of June, to test our “setup” and combined presentation for the real thing during Kaleidoscope, in Long Beach, USA, this year.
The demo will demonstrate how to set up database built-in versioning capabilities, based on standard XMLDB functionality, that can be used by or for APEX applications, while making use of the file/folder metaphor of the XDB Repository.
The XDB Repository can, by default, be used to drag and drop files into the database, currently via WebDAV or FTP. This XMLDB functionality also has default versioning, check-in/check-out, a repository event mechanism and security functionality/capabilities. So why work, while working with this great development environment called APEX, with version tooling like Subversion, if the XMLDB realm of the database already has these capabilities to provide this by default?
The XFILES demo application is used to demonstrate XMLDB functionality but is currently still mainly AJAX based regarding its GUI. In 2008 an effort was made, for that year’s Oracle Open World conference, by Carl Backstrom (Oracle APEX) and Mark Drake (Oracle XMLDB) to combine the two environments and switch the XFILES AJAX based GUI for the APEX front-end. Due to circumstances, it didn’t have the proper follow-up regarding cleaning up the code and sharing the ideas…see the XFILES tab on this page for more info on this.
Roel’s and my efforts regarding this XFILES APEX version, which is based on current work and the work done by Mark and Carl in 2008, are called by us the XFILES APEX Community Edition (abbreviated to XACE), so we are able to implement some change management without being mistaken for Mark Drake’s still existing AJAX based XFILES version, currently version 5. This version implements and demonstrates Native Database Web Services via XMLDB in the OTN Development Days Virtualbox environment, which can be downloaded via Oracle OTN.
More regarding the XFILES XMLDB application and blog posts can be found via the XFILES menu on this site. Information about Roel and his interests can be found on his personal blog roelhartman.blogspot.com and information about official XFILES Oracle XMLDB application and technology can be found on and via the Oracle XMLDB main page. Last but not least, for interest in Oracle APEX go to the apex.oracle.com site.
To give you a preview of the work done, hereby some updated pictures
Sometimes the answer can be so simple…
I wanted to reset the OTN Developer Days Virtualbox APEX Listener admin password without redeploying the apex.war file and destroying the current setup, so I searched all the APEX Listener config and properties files I could find. Searched via Google. No useful hits. I found a credential file with the passwords in it on the virtualbox environment, probably MD5 hashed ones, but no clue about how to reset them. Finally I got in direct contact with Kris Rice, who had put so much effort into setting up this training environment…and was a bit startled by the simple solution…
There’s a file named credentials under ~/.apex/[port number]/. If you remove that, it will reprompt for the passwords. Let me know if you need anything else.
Life can be so simple.
Once per year I try to update the “XML Content” page that, in principle, should contain all my XML relevant thoughts and “how to” posts, so I can find my gained “wisdom” a bit more quickly (getting old and stuff). This year I had only 14 and a bit of such XML related posts, which was afterwards easily explained when I updated my “Paper” page where among others I have a list on “presentations” done… Oops… I have been busy…
Anyway. Enjoy the updated XML content overview reference page, it contains now 100+ posts regarding specific XML(DB) related howto’s, solutions, approaches, ideas, etc.
That’s right folks! Playing with latest beta of free Oracle Database 11g Express Edition couldn’t be any easier than that. If you are using Amazon EC2, you can have a fully working image with 64 bit Oracle Linux and Oracle 11g XE database running in a matter of few clicks and a minute to get the instance to boot.
Image — ami-ae37c8c7
Name — pythian-oel-5.6-64bit-Oracle11gXE-beta-v4
Source — 040959880140/pythian-oel-5.6-64bit-Oracle11gXE-beta-v4
You can find it in public images and at this point it’s only in US East region.
If you never used Amazon EC2 before, see detailed step-by-step guide on how to get started with EC2 on the example of this 11g XE image.
This image works great with Amazon EC2 Micro instance and I configured it specifically for Micro instance. Micro instance costs you only 2 cents per hour to run or even less than 1 cent if you are using spot instance requests (and there is free offer for new AWS users as Niall mentioned in the comments).
So what’s there?
Few things worth to mention:
I will be keeping the AMI up to date as things develop, so the AMI id could change — check back here or just search public AMIs for the latest image. I set up a short URL for this page — http://bit.ly/Oracle11gXE.
If you don’t know how to use Amazon EC2 – I recommend to read the second chapter of Expert Oracle Practices: Oracle Database Administration from the Oak Table. This chapter was written by Jeremiah Wilton who’s been long time playing with Amazon EC2 for Oracle before any of us even thought of it.
When a few folks confirm that it works, I’ll submit an image via http://aws.amazon.com/amis/submit.
Update 4-Apr-2011: Created v3 image – fixed typo in database passwords, fixed retrieval of public key for ssh login as root, changed startup sequence so that ssh keys are initialized earlier, as well as public key retrieval.
Update 4-May-2011: Created v4 image – Increased SGA size to 212M. Set large_pool to 32M (Automatic SGA management doesn’t do its job properly – this is why APEX was not working – not enough large pool memory allocated). Enabled DIRECT IO and ASYNC IO for filesystem – buffered IO slowed down things a lot. Now APEX is actually pretty usable on Micro instance. Remember that you can run it on a large instance to run in comfort, but you are overpaying since there are 2 CPUs in a large instance and 7.5GB of RAM while you can’t use more than 1GB. Of course, you could disable Direct IO and use OS buffering to take advantage of more RAM, but you can’t leverage both cores with APEX (it limits capacity to a single core).
Update 23-Jul-2011: If you need to use networking services from APEX (like web-service, sending emails and etc) then you need to configure network ACLs for APEX_040000 user.
I decided to add a twist to my usual blogs - a book review, which I have not done before. I have been reading a book - Oracle Apex 4.0 Cookbook by Marcel van der Plas and Michel van Zoest, published by Packt, a UK based publisher. Michel is one of the first Apex Certified Experts in the world - no small feat. It has been technically reviewed by a well known cast - Oracle ACE Director Dimitri Gielis, who also won Oracle Magazine's Apex Developer of the Year in '09; Maarten van Luijtelaar; and Oracle ACE and frequent blogger Surachart Opun.
No, no this isn’t another DBFS post but a more simple and direct way of achieving the same
Just had a funny discussion with Roel Hartman regarding how to trick the Tomcat APEX 4 setup into believing that the virtual XFILES directory in the database was actually available on disk on the local server. This is probably not the way to solve this; it should be realized via Tomcat / APEX 4. The OTN Development virtualbox environment with APEX 4 gets its “/i/” images via Tomcat from the following directory.
    [oracle@localhost i]$ pwd
    /home/oracle/apache-tomcat-6.0.20/webapps/ROOT/i
The easiest solution would have been to copy the XFILES images and files in a directory called XFILES under the ROOT directory.