I have various Oracle apex apps which are session encrypted, protected and on friendly URLs. My objective is to load test the apps. My team is using NeoLoad but it is causing so many issues because of session encryption and protection as HTTP request gets changed.
Is there any tool which is optimized for Load testing apex apps?
Related
I want to build an web application in Oracle APEX, where i want users to enter into the database server through the application server, thus i can ensure more security in my application. IF this is hard, then is there any other way where i can ensure more security in a web application in Oracle APEX?
Oracle APEX is a very stable and secure environement.
As is,
you can encrypt and enforce high level passwords for the users
you can lock account to avoid brute force attacks
Devs and admins have accounts locked after a few attempts by default to avoid this issue
The service can be easily configured with any SSL
Webservices, like most of them, can be programmed to use access_tokens and other validations.
To my knowledge any additions security could be configured on the server and firewall. So I would say that you can do I lot, but it is up to you to perform good practices when defining your system's security.
Hope ity helps and good luck! :)
How can I perform Load testing on Oracle Portal Application Using Jmeter?
I recorded the activity using jmeter proxy and run the recorded request but I got unrealistic results.
Oracle portal is nothing but an ADF application, so it can be testes as any other ADF application.
You basically need an approach as Pino uses here:
http://soadev.blogspot.co.uk/2014/04/jmeter-load-test-oracle-adf-applications.html
Registering tests with JMeter is a tricky business, you need to validate your scenario once recorded by running it with only one thread and check the server logs (in case you use your custom logger) to make sure the functionality on the server is being executed.
How can I manage the session in Oracle JET application.
I've been working on small pilot application where I need to check if the user is logged in on every request.
I didn't find any resource on the same as the framework is recently published by Oracle.
JET uses web sessions if you configure it as a web application. So authentication would be managed by the Web server.
Frank
Because of the client nature of JS source, there's no session on the JET side of your application, Session is a (HTTP) browser feature. You might handle session exactly the way you did with a pure JavaScript, JQuery, Angular or everything else application.
There may be two ways to do it
Use web server to manage the sessions.
You can store session values (some data after login REST API call) in local storage or sessions storage based on your need. For managing
session you can check in your app controller and redirect based on
that.
Hope this help, please let me know if you faced any problem. I have recently implemented session in Oracle JET based on the above points.
We have Windows Server 2008 R2 with IIS on in a web farm environment. I initiate a Classic ASP session and every so often, when refreshing the page, it doesn't show but then comes back again.
I go to http://mainurl.com but have two boxes called http://devbox1.com and http://devbox2.com
I put the files onto one of the DEV boxes which replicates to the other one.
After some reading, I guess this is down to a "common" issue with sharing sessions across a web farm instance.
Could someone please help me how to resolve this please?
Update:
As it's not clear in my post. Do not use the Session.SessionID as the identifier for the cookie as this will change across environments (Microsoft recommend never to store the SessionID in a database).
Quote from MSDN Library - Session.SessionID
You should not use the SessionID property to generate primary key values for a database application. This is because if the Web server is restarted, some SessionID values may be the same as those generated before the server was stopped. Instead, you should use an auto-increment column data type, such as IDENTITY with Microsoft® SQL Server™ or COUNTER with Microsoft Access.
Instead use a self generated id value that you then store in your cookie and the database. This way your Session object can be re-created.
There seems to be some discussion about solution using a database. Just to clarify Classic ASP uses Session object stored in memory this means the minute you switch machines load balanced or otherwise you still lose the session.
Interesting article on the IIS.net forums about this topic - iis 7 Load balancing
Quote from Bill Staples (who at the time was Product Unit Manager, IIS)
One thing to consider, however, is what to do with any application / session state. Classic ASP stores session state in memory that only one process can access. As soon as you scale the sites onto more than one machine, you can no longer guarantee that each incoming request for a particular user session is landing on the same machine, which means the client may suddenly 'lose state' between requests. This is why we recommend that you not use the built-in session support in ASP for these kinds of scenario. Instead we recommend you use SQL or another database to store this kind of data.
My recommendation would be to store the Session in a database create a cookie on the client machine then use this cookie to identify the session from the database.
Cookies can be changed so I would still recommend you use secure cookies across an SSL secured website, especially if data is of a sensitive nature.
You should create sticky sessions while working with web farms because most likely you have load balanced system which under standard configuration will point traffic to the lowest loaded node. As result your users will loose session from time to time.
Ask your network admin team to look how to create sticky session for your particular load balancers and network configuration, they should know exactly what this means.Here is one of the examples what this is and how to configure it: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/US_StickySessions.html. But once again it is depend on what you are using.
**** solution with cookies or database entries not the best way to handle this situation because once again depend on your web farm configuration IIS may simple reject any attempt to overwrite session ID which you have stored in database or if security is tight enough even refuse to connect to page while connecting to other node.
Can an Oracle APEX application be used to run scripts on the client side local (w7) PC?
I would like to be able to communicate with devices on the local PC, collect data and post it back up to the database. This is for the purpose of test automation which was previously done using MS VBA and MS access.
As with any other sort of web application, not easily. For good reason, web browsers generally do not allow web applications to execute random executables on the client machine. If they did, it would be a huge security hole that would allow an attacker to do whatever they want to your machine just because you visited a malicious web page.
Potentially, you could write (or find) an ActiveX control or a Java applet or some other sort of client-side control that could be given privileges to run scripts on the client machine. But that would probably require a pretty substantial amount of "futzing" with permissions that might make the machine vulnerable to malicious web sites.
Assuming that there are a relatively small number of client machines, you could also potentially install the Oracle Scheduler Agent on each of the machines that you want to execute scripts on and then use the Oracle Scheduler on the database to start jobs on the remote machines. If you did this, you could potentially start jobs on any of the client machines from an APEX interface.