Best practices for selecting the authentication type

Hello

I use JDeveloper 11.1.2.1. I have reviewed the security documentation and best practices (sorry Chris!) on selecting an authentication type.

Frankly, I prefer HTTP Basic authentication because it produces the login popup for you (simple, less coding), but I have come across some documents that make me wonder whether it should be avoided.


1. This tutorial uses a form-based approach: http://docs.oracle.com/cd/E18941_01/tutorials/jdtut_11r2_29/jdtut_11r2_29.html

2. This video by Frank Nymphius (42 minutes) uses Basic authentication: http://download.oracle.com/otn_hosted_doc/jdeveloper/11gdemos/AdfSecurity/AdfSecurity.html

3. The Fusion Developer's Guide for Oracle Application Development Framework 11g Release 2 (11.1.2.1.0) says:

The most commonly used authentication types are HTTP Basic authentication and form-based authentication.
It also states that the form-based login page is a JSP or HTML file, [and] you will not be able to build it with ADF Faces components.

4. The Oracle Fusion Developer Guide (Frank Nymphius) states that a side effect of Basic authentication is that a user will be authenticated for all other applications running on the same server; you must not use it if your application requires logging out...

5. The Oracle JDeveloper 11g manual says that Basic authentication must NOT be used at all (page 776) because it is intended primarily for older browsers and is NOT secure by current standards.

I was able to use Basic authentication and HTTP Digest authentication quite well; I have not tried form-based authentication for the moment.

For fun, I tried selecting the HTTPS client authentication type and received this very worthy error message (and readable; a wonder for Java, huh?):

RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.2 401 Unauthorized
The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.

I'm sure there is an "it depends" answer to this, but I would like to use the most reasonable and secure type, without too much overhead if possible.

Hello

Basic authentication uses base64 encoding and is OK to use if the site is accessed over HTTPS. The browser actually sends the user's credentials with every request, which makes this approach, if used outside of HTTPS, less than optimal. Form-based authentication is easy to implement and more secure than Basic authentication, which sends the user name and password with each request. The recommendation is to always use HTTPS for secure sites. Most of our samples describing login don't use HTTPS, as it is a configuration that goes beyond what the samples are supposed to demonstrate. For security, "without much overhead if possible" means weakening security. In your case, if you have tried Digest authentication, then I guess that's the one with the least amount of overhead.

Frank
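The exchange discussed in this thread, as an added example that is not part of the original posts or of any Oracle/ADF code: the client side builds the Authorization header a browser would send for HTTP Basic and for HTTP Digest, and the server side answers with 401 plus a WWW-Authenticate challenge exactly as the quoted RFC 2068 section 10.4.2 requires, or 200 when the credentials check out. Decoding the Basic header shows why Frank says it must only be used over HTTPS: base64 is an encoding, not encryption, so anyone who can read the request recovers the password. The Digest form (RFC 2617 MD5, legacy variant without qop) sends only a hash, so the password itself never appears on the wire, at the cost of a more involved exchange. The user database, realm, nonce and URIs are constructed for the demo; a real server would store password hashes rather than clear-text passwords, and Digest's MD5 construction is itself considered obsolete today, so HTTPS is still required.

```python
import base64
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed demo data for this example only (not from the original thread).
# A real server stores password hashes, not clear-text passwords.
USERS: Dict[str, str] = {"alice": "s3cret"}
REALM = "adf-demo"


def make_basic_header(user: str, password: str) -> str:
    """Build the Authorization header a browser sends for HTTP Basic."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_basic_header(header: str) -> Optional[Tuple[str, str]]:
    """Reverse a Basic header: base64 is trivially decodable, so without
    HTTPS the password is readable by anyone on the path."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user: str, password: str, method: str, uri: str,
                    nonce: str, realm: str = REALM) -> str:
    """RFC 2617 Digest 'response' without qop: MD5(HA1:nonce:HA2).
    The password goes into HA1 and is never transmitted."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def make_digest_header(user: str, password: str, method: str, uri: str,
                       nonce: str, realm: str = REALM) -> str:
    """Client side: the Authorization header sent after a Digest challenge."""
    resp = digest_response(user, password, method, uri, nonce, realm)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')


def parse_digest_header(header: str) -> Optional[Dict[str, str]]:
    """Split the comma-separated key="value" fields of a Digest header.
    Simplified: assumes no commas inside quoted values, as in this demo."""
    scheme, _, rest = header.partition(" ")
    if scheme != "Digest" or not rest:
        return None
    fields: Dict[str, str] = {}
    for part in rest.split(", "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip().strip('"')
    return fields


def authenticate(method: str, uri: str, authorization: Optional[str],
                 nonce: str) -> Tuple[int, Dict[str, List[str]]]:
    """Server side per RFC 2068 10.4.2: missing or refused credentials get
    401 with WWW-Authenticate challenges; valid credentials get 200.
    Comparisons use hmac.compare_digest to avoid timing side channels."""
    challenge = {"WWW-Authenticate": [f'Basic realm="{REALM}"',
                                      f'Digest realm="{REALM}", nonce="{nonce}"']}
    if authorization is None:
        return 401, challenge
    if authorization.startswith("Basic "):
        creds = parse_basic_header(authorization)
        if creds and creds[0] in USERS and hmac.compare_digest(creds[1], USERS[creds[0]]):
            return 200, {}
        return 401, challenge
    if authorization.startswith("Digest "):
        f = parse_digest_header(authorization) or {}
        user = f.get("username", "")
        # The nonce and URI must match the challenge/request or the hash is replayed.
        if user in USERS and f.get("nonce") == nonce and f.get("uri") == uri:
            expected = digest_response(user, USERS[user], method, uri, nonce)
            if hmac.compare_digest(expected, f.get("response", "")):
                return 200, {}
        return 401, challenge
    return 401, challenge  # unknown scheme, e.g. a client certificate attempt


if __name__ == "__main__":
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # constructed server nonce
    basic = make_basic_header("alice", "s3cret")
    print("Basic header:", basic, "-> decodes to", parse_basic_header(basic))
    print("No credentials:", authenticate("GET", "/app/secure", None, nonce))
    print("Basic, valid:", authenticate("GET", "/app/secure", basic, nonce)[0])
    digest = make_digest_header("alice", "s3cret", "GET", "/app/secure", nonce)
    print("Digest header (no password inside):", digest)
    print("Digest, valid:", authenticate("GET", "/app/secure", digest, nonce)[0])
```

Running the module shows the Basic header decoding straight back to `alice:s3cret`, while the Digest header carries only an MD5 response bound to the nonce and URI; replaying it against another URI or a fresh nonce is refused, which is the "overhead" the thread refers to. Note that in both cases the server still has to hold something it can verify the password against, and that the client's browser keeps re-sending the credential on every request, which is exactly why none of this replaces HTTPS.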

Tags: Java

Similar Questions

  • What are the best practices for creating a time-only data type (not DATE)?

    Hi gurus,

    We use a 12c DB and we have a requirement to create a column with a time-only datatype. Could someone please describe the best practices for creating this?

    I would greatly appreciate ideas and suggestions.

    Kind regards
    Ranjan

    Hello

    How do you intend to use the time?

    If you are going to combine it with DATEs or TIMESTAMPs from another source, then an INTERVAL DAY TO SECOND or NUMBER may be better.

    Will you need to perform arithmetic operations on the time, for example increase the time by 20%, or take an average?   If so, NUMBER would be preferable.

    Are you just going to display it?  In that case, INTERVAL DAY TO SECOND, DATE or VARCHAR2 would work.

    As Blushadow said, it depends.

  • vSphere 5 networking best practices for using 4 x 1 GB NICs?

    Hello

    I'm looking for networking best practices for using 4 x 1 GB NICs with vSphere 5. I know there are a lot of best practices for 10 GB, but our current config only supports 1 GB. I need to include management, vMotion, virtual machine (VM) and iSCSI traffic. If there are others you would recommend, please let me know.

    I found a diagram that resembles what I need, but it's for 10 GB. I think it works...

    vSphere 5 - 10GbE SegmentedNetworks Ent Design v0_4.jpg (I got this diagram HERE; credit goes to Paul Kelly)

    My next question is how much of a traffic load does each object put through the network, percentage-wise?

    For example, 'Management' is very small, and the only time it is in use is during agent installation. Then it uses 70%.

    I need the bandwidth percentages, if possible.

    If anyone out there can help me, that would be awesome.

    Thank you!

    -Erich

    Without knowing your environment, it would be impossible to give you an idea of bandwidth usage.

    That said, if you had about 10-15 virtual machines per host with this configuration, you should be fine.

    Sent from my iPhone

  • Best practices for storing the VM and VHD

    No doubt this question has been asked more than once... sorry

    I would like to know the best practice for storing a VM and its virtual hard disk on a SAN.

    Is there any advantage to, or does it make sense to, keep them on separate LUNs?

    Thank you.

    It will really depend on the virtual machine's application, but for most applications there's no problem storing everything on the same datastore.

  • Best practices for image compression in DPS

    Hello! I've read up on best practices for image compression in DPS, and I read that the source assets for panoramas, image sequences, pan and zoom images and audio skins are not resampled on download. You will need to resize and compress them before dropping them into your article, because DPS doesn't do it for you. OK, can do!

    I also read that the source assets for slideshows, scrollable frames, and buttons ARE resampled as PNG images. Does this mean DPS will compress them for you when you build the article? Does this mean I shouldn't bother resizing these images at all? Can I just pop in the 15 MB, 300 DPI files used in the print magazine, and DPS will compress them when building the article, with no effect on the file size?

    And is this also the case for static background images?


    Thanks for your help!

    All images are automatically resampled based on the size of the folio you create. You can put in any image resolution you want; it doesn't matter.

    Neil

  • What is the best practice for enumerations in ADF?

    Dear all,

    What is the best practice for enumerations in ADF?

    I need to add enumerations to my application, e.g. gender, marital status.

    How should I deliver this? Declarative custom components, or is there another way?

    Thank you.
    Angelique

    Check out this topic, '5.3 Populating View Object Rows with Static Data', in the Dev Guide
    http://download.Oracle.com/docs/CD/E17904_01/Web.1111/b31974/bcquerying.htm#CEGCGFCA

  • Best practices for the use of reserved words

    Hello
    What is the best practice for using reserved words as column names?
    For example, if I insisted on using the word COMMENT as a column name, as follows:

    CREATE TABLE ...
    "COMMENT" VARCHAR2(4000)
    ...

    What impact could I expect down the road, and what problems should I be aware of when doing something like that?

    Thank you
    Ben

    The best practice is NOT to use reserved words anywhere.
    Developers are human beings. Humans have their moments of forgetting things.
    They will forget to use the "", or you can force them to use the "" everywhere.
    Both methods are Oracle-certified ways to end up in hell.

    ----------
    Sybrand Bakker
    Senior Oracle DBA

  • Best practices for .ini file reading

    Hello LabVIEWers

    I have a pretty big application that uses a lot of hardware communication with various devices. I created an executable, because the software runs on multiple sites. Some settings are currently hardcoded; others I put in an .ini file, such as the camera focus. The thought process was that this kind of parameter may vary from one site to another and can be defined by a user in the .ini file.

    I would now like to extend the application with the possibility of using two different versions of the key hardware device (an atomic force microscope). I think it makes sense to do so using two versions of the .ini file. I intend to create two different .ini files, and a trained user could still adjust settings such as the camera focus if necessary. The other settings they cannot touch. I also aim to force the user to select an .ini file when starting the executable, using a file dialog box, unlike now, where the (only) .ini file is automatically read in. If no .ini file is specified, then the application would stop. Does this use of the .ini file make sense?

    My real question now revolves around how to manage reading the .ini file. My estimate is that between 20-30 settings will be stored in the .ini file. I see two possibilities, but I don't know which is the best choice, or if I'm missing a third:

    (1) (current solution) I created a reader VI where I write all the .ini values to the project's global variables. All other VIs only read the values of the global variables (no other writes), to avoid race conditions.

    (2) I pass the path to the .ini file to the subVIs and read the values from the .ini file when necessary. I can open them read-only.

    What is the best practice? Which is more scalable? Advantages/disadvantages?

    Thank you very much

    1. I recommend just using one configuration file.  You just have a key to say what type of device is actually used.  This will make things easier on the user, because they will not have to keep selecting the right file.

    2. I use the globals.  There is no need to constantly open a file, get values and close it when it is the same everywhere.  And since it's just a one-time read at the start, globals are perfect for this.

  • Best practices with the CFIDE and Jakarta virtual directories

    Right now I'm going through the implementation of our new virtualized ColdFusion 10 application/web/database server, and I noticed that during installation, since I had 'Connect all IIS sites' selected, it created handler mappings for each site, but also gave each one a virtual directory for "CFIDE" and "Jakarta".

    Best practices guides say to restrict access to the 'adminapi', 'administrator', 'componentutils' and 'wizards' folders under the CFIDE directory, but is it safe to simply remove these virtual directories (and leave the handler mappings) so that the sites can still process the file types associated with CF?

    For the one site we have that the default localhost is bound to, I figured I would just leave these virtual directories, since to reach the CF Administrator on this server we'd have to go to: http://localhost/CFIDE/administrator/index.cfm

    I know that if a file from a site needs to access things like the CFScripts files, CF will automatically assume the virtual directory is there and create <script> tags using a src of "/CFIDE/scripts" (which, if I remove this virtual directory, would break that functionality, but assuming that I do not use this on the other sites), will removing "CFIDE" and "Jakarta" hurt anything?

    Look at the ColdFusion 9 Lockdown Guide that Pete Freitag wrote.  A large part of it still applies to ColdFusion 10, especially the IIS security aspects.  There is a section on creating request filters that allows you to block access to most (or all) of the subdirectories in CFIDE.

    Regarding the Jakarta virtual directory, you need that one.  That's what allows the IIS connector to function.

    -Carl V.

  • Best practices for virtual drive configuration on UCS

    Hello

    I have two C210 M2 servers with 6G LSI MegaRAID 9261-8i cards, with 10 x 135 GB HDDs each. When I tried automatic selection of the RAID configuration, the system created a virtual disk with RAID 6. My question is: what is the best practice for configuring the virtual drive? Is it RAID 1 plus RAID 5, or all in a single drive with RAID 6? Any help will be appreciated.

    Thank you.

    Since you've decided to have UC apps on the server, the voice applications have specified their recommendations here.

    http://docwiki.Cisco.com/wiki/Tested_Reference_Configurations_%28TRC%29

    I think your C210 server specifications might correspond to TRC #1, where you need to have

    RAID 1 - first two drives for VMware

    RAID 5 - 8 hard drives in the datastore for the virtual machines (CUCM and CUC)

    HTH

    Padma

  • Best practices for Master Data Management (MDM) integration

    I'm working on integrating MDM with Eloqua and am looking for the best approach to sync Lead/Contact data changes from Eloqua into our internal MDM hub (outbound only). Ideally, we would like that integration to be practically real-time, but my findings to date suggest there is no such option. Any integration will result in some kind of schedule.

    Here are the options we have:

    1. "Exotic" CRM integration: use internal events to capture and queue changes in the internal queue (QIP), and access the queue from outside Eloqua via the SOAP/REST API
    2. Data export: set up a Data Export that is "scheduled" to run on demand, and poll it externally via the SOAP/REST/Bulk API
    3. Bulk API: poll for changes that have happened since the previous poll through the Bulk API from outside Eloqua (not sure how this is different from the previous option)

    Two other options which may not work at all and are potentially anti-patterns:

    • Cloud connector: create a campaign that polls for changes on a schedule, and configure a cloud connector (if possible at all) to notify the MDM endpoint to query the contact/lead "record" from Eloqua.
    • "Native" CRM integration (crazy): fake a native CRM endpoint (for example, Salesforce) and use internal events and external calls from Eloqua to push data into our MDM

    Questions:

    1. What is the best practice for this integration?
    2. Is there an option that would give us near real-time integration (technically asynchronous but still callback/event-based)? (something like Outbound Messaging in Salesforce)
    3. What limits should we consider for these options? (for example daily API call limits, SOAP/REST response size)

    If you can, I would try to talk to Informatica...

    To imitate the native-type integrations, you would use the QIP and control which activities get validated by internal events, as you would with a native integration.

    You would also use the cloud connector API to allow you to set up a CRM (or MDM) integration program.

    You would have ID fields added to the Contact and Account objects in Eloqua for their respective IDs in the MDM system, and keep track of the last MDM update with a date field.

    A task scheduled outside of Eloqua would run at a certain interval, extract the QIP changes to send to MDM, and pull the contacts waiting to be sent from the cloud connector step.

    There isn't really anything like Outbound Messaging, unfortunately.  You can use form data to submit data to a server immediately (it would be a bit like running the integration rule collections from the form processing steps).

    Cheers,

    Ben

  • Best practices for taking the row count in the bean

    Hi people,

    Here I use JDev 11.1.1.7.0, where I have a case of taking the count of the rows that are inserted, in the bean.

    Here we go...

    The bean code

    Developer way 1:
    public void button_click() {
        // fetch the row count straight from the view object instance
        int count = voins.getRowCount();
    }
    

    Developer way 2:
    public void button_click() {
        // ask the iterator binding for an estimated row count instead
        int count = iteratorbind.getEstimatedRowCount();
    }
    

    Developer way 1: fetch the view object in the bean to take the number of rows.

    - Developer 1 says that the best practice for taking the count is to use the view object's getRowCount()

    Note: Developer 1's comment on Developer 2's way is that it is the worse practice. It is a time-consuming process that is unnecessary.

    Developer way 2: use the iterator to get the number of rows.

    - Developer 2 says that for the count we can use getEstimatedRowCount.

    Note: Developer 2's comment on Developer 1's way is that it is the worse practice, taking the view object in the bean.

    Developer 2 says Developer 1 is trying to hit the model layer directly from code. We can use the iterator to do all the stuff.

    What is the best practice? Please suggest; is there any other practice for taking the number of rows in the bean?

    Thank you.

    Dev way 1)

    A glance at the Javadoc reveals:

    Note that this method retrieves all rows from the database, and then returns the number of rows in the row set collection.

    So, if your table contains a large number of rows, getRowCount takes a lot of time and memory.

    Dev way 2)

    Calling getEstimatedRowCount runs a select count(*) (of your query) to get the number. It's fast, but the number may be different if multiple changes are made on the table. I personally never had a problem with that, but I can't speak for you.

    Timo

  • ESXi 3.5 U5 - best practices for NIC teaming

    Hello

    I'm using ESXi 3.5 U5 installed on a Dell PowerEdge R710.

    This server has 4 NETWORK cards.

    I want to team two network adapters on the default Virtual Switch 0.

    What are the best practices to achieve this?

    mdsuser wrote:

    I want to team two network adapters on the default Virtual Switch 0.

    What are the best practices to achieve this?

    It depends on what you want to achieve. Fault tolerance, aggregation?

    Take a look at this document from VMware.

    If you use your search engine of the day and throw in the words "VMware ESX" and add teaming or link aggregation, there will be some hits on various blogs showing solutions for different hardware (in combination with Cisco, HP switches).

    Addition:

    This page will also give you an overview of the different virtual networking topics.

  • Best practices for precondition evaluation with OR logic

    Greetings,

    I think I'm missing something basic about how TestStand makes execution decisions (preconditions). All recommendations are welcome and appreciated. Please see the scenario below.

    I would like to perform some configuration steps (custom step types) on a signal generator based on the user-selected 'Test'.

    To keep it simple for the signal generator, let's say we have the following steps:

    Set Freq value | Set PWR lvl | Set Modulation Type | Set Modulation ON/OFF | Set RF Output ON/OFF

    For the user-selected tests, say we have Test A (0) | Test B (1) | Test C (2) (Tests A & C require modulation, B does not)

    Here's my question:

    I can't get the Set Freq value | Set PWR lvl | Set RF Output on/off steps to run using precondition evaluation with OR logic (i.e. Locals.TestSelected == 0 | 1 | 2)

    Same for Set Modulation Type | Set Modulation on/off (i.e. Locals.TestSelected == 0 | 2)

    Thanks in advance for any help provided.

    Chazzzmd78

    Locals.TestSelected == 0 | 1 | 2 would evaluate as Locals.TestSelected == 3.  You're doing a bitwise OR on the numeric values, then the comparison.

    You need

    (Locals.TestSelected == 0) || (Locals.TestSelected == 1) || (Locals.TestSelected == 2)

  • Spectre x360 (N1W02PA #UUF): best practices for using the power supply/battery for the laptop (Spectre x360)

    Hello.

    What is the best practice for using the power supply to charge the battery? I heard that keeping your battery charging while using the notebook deteriorates battery life. I don't know if that's true, but I only charge my Spectre x360 at the 20% power level.

    I kindly need some expert advice. Thank you.

    Hello:

    My recommendation is to follow the instructions provided in this HP document... paying particular attention to the info listed under the recommended battery care practices.

    http://h20564.www2.HP.com/hpsc/doc/public/display?docid=c00596784
