john ho

since Jan 25, 2008

Recent posts by john ho

well it looks like you only have problems with JDBC, since toad and sqlplus use native drivers to connect. i am actually not sure which jdbc driver eclipse uses, but i'm sure it's one of the thin ones.

if you really want to get to the bottom of this, check which driver eclipse uses, then write a small java program that uses that same driver to make a connection to the database with the same connection parameters. Run it many times until you get the error. But you will need cooperation from the DBA to trace the sessions to see really what the problem is.

but i guess since you only have the problem in your dev environment maybe the DBA doesn't want to make the effort in debugging an intermittent glitch ... after all it's not a showstopper, just an annoyance isn't it?

one other thing to try ... do you use SQL Developer from oracle (java-based graphical equivalent of sqlplus)? it also uses jdbc to connect to the database ... see if that has the problem as well.
ok, thanks for the reply ... but what you are describing is JNDI lookup security, isn't it? I saw this thread:

https://forums.oracle.com/forums/thread.jspa?threadID=1093427

If I understand the first reply, from "Jay", doing this only forces authentication for the EJB lookup, but that is different from security on the EJBs themselves.

However, if I'm only worried about remote invocation of the EJB's, is JNDI authentication sufficient to prevent "rogue" applications from making the EJB calls?

Put another way: without JNDI lookup, is there any other way a client application can still call the EJBs remotely?

Thanks
Do you have to use that TNSNAMES style connection info in your jdbc url? It seems to include a lot of connect options which may actually be causing problems, if you aren't sure you actually need them. I mean this: "(CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = DBServiceName)(FAILOVER_MODE = (TYPE=session) (METHOD=basic)(RETRIES = 180) (DELAY =5)))"

What if you just used a standard jdbc url like jdbc:oracle:thin:@someHostname:myport:DBServiceName

Other than that, to debug this issue you need your database administrator to help trace the connection. When you get your "The Network Adapter could not establish the connection" error, the server should have a bit more information in the logs on the server side. It may help.
Hey, thanks for replying to this -- after I got no reply for a while I stopped coming back to the thread so that's why I didn't see it until now.

I ended up doing your #3 option. It was indeed a bit of extra work but not too bad, the trick was convincing the MQ drivers to use an instance of the custom SSLSocketFactory that I wrote (which uses certificates only from a specific truststore). But I find it reassuring in a way that you consider this to be super-paranoid, lol.

If anyone is interested, I actually documented my efforts here: http://garbagerie.wordpress.com/2011/12/13/more-fun-with-ssl/
13 years ago
I tried asking this at the weblogic forum on oracle.com but haven't gotten any reply, so I hope someone can help here, it's a general JEE/EJB question on security:

I'm using weblogic 10.3 and I'm new to security with EJB's. I was looking at the documentation at http://docs.oracle.com/cd/E13222_01/wls/docs103/ConsoleHelp/taskhelp/security/ManageSecurityForDD.html
but got a little overwhelmed by the many options on how to implement security. Plus, I am getting confused between JNDI security and EJB layer security (they're not the same thing, right?)

Can someone explain what the simplest way would be to prevent an "unauthorized" client from making remote EJB calls? For example, I know of the ConnectionFilters that you can implement in weblogic, which can prevent remote callers from making T3 or IIOP calls if they're not from an authorized IP, etc. This is a good start but ideally I would want to password protect the EJBs, and any EJB client would have to provide this username/password somehow. Or possibly use two-way SSL for t3? The client app would have to provide a certificate to prove that it's trusted.

To be clear, I don't think I need the container to handle any very fine-grained access control. I just want to make sure that the client (e.g., a webapp) is a trusted one. Once the EJB container is satisfied that the client is trusted (preferably by user/pass) then the client is free to execute any EJB methods.

Thanks in advance.
Ok, this should be a very basic question.

I am trying to connect to an MQ server using SSL. If I use the code:



then everything is fine, it connects over SSL and all is good. The jks file contains certificates and private key data (I guess) in order to negotiate the connection to the MQ server.

However, it seems to me that by using System.setProperty(...), it sets the properties for the entire JVM, isn't this potentially a problem? Doesn't this mean that if elsewhere in the system, there is code that relies on some default trust store, then it will possibly break? For example, some other code that makes https connections, etc. If this is indeed a problem, what is the best practice solution?

Sorry if this is an obvious question. Thanks.
13 years ago
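
An added example, not code from the original posts: one way to scope a trust store to a single client connection instead of setting `javax.net.ssl.*` system properties for the whole JVM, along the lines of the custom SSLSocketFactory mentioned in the follow-up post. The class and method names (`ScopedTls`, `loadJks`, `scopedFactory`) are hypothetical, and the JKS path and password are assumed to be supplied as command-line arguments.

```java
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;

// Hypothetical helper class: builds an SSLSocketFactory bound to one keystore.
public class ScopedTls {

    // Load a JKS file into memory without touching any JVM-wide property.
    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, password);
        }
        return ks;
    }

    // Trust only the certificates in trustStore; present the client key from
    // keyStore if one is given (pass null for server-authenticated TLS only).
    static SSLSocketFactory scopedFactory(KeyStore trustStore, KeyStore keyStore,
                                          char[] keyPassword) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        KeyManagerFactory kmf = null;
        if (keyStore != null) {
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(keyStore, keyPassword);
        }

        // A private SSLContext: SSLContext.getDefault() is left as it was.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        char[] pw = args[1].toCharArray();      // args[0] = JKS path, args[1] = password
        KeyStore store = loadJks(args[0], pw);
        SSLSocketFactory factory = scopedFactory(store, store, pw);
        System.out.println("scoped factory: " + factory.getClass().getName());
        // Still null unless set elsewhere, so other HTTPS code keeps the default trust store.
        System.out.println("javax.net.ssl.trustStore = "
                + System.getProperty("javax.net.ssl.trustStore"));
    }
}
```

The returned factory is then handed to the one client library that needs it through that library's own per-connection setting, so the restricted trust store applies to that connection only.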
ok, i hope this is a better name. thanks
17 years ago
ok i know this is a total noob question with a very simple solution, but for the life of me i can't figure it out or google up the answer.

so i have a form-bean that has a single field. when the user submits the form and there is something wrong with the input, the Action forwards it back to the original page with the form. In the browser, the field gets automatically repopulated with the value that the user entered previously, but I actually want it to be blank. How do I do this in struts 1.x? thanks
17 years ago