Oracle Web Application Server 3.0 is much more than just another Web server. In addition to providing the standard HTTP and CGI services, Oracle Web Application Server lets you develop full-featured applications using reusable building blocks called cartridges. Cartridges can be distributed across the network and have persistence mechanisms that are far superior to anything available through CGI. In addition to a distributed, component-based programming model, the multi-process architecture of Oracle Web Application Server provides the performance, scalability, and fault tolerance of true distributed processing. This chapter provides an overview of this architecture and describes how it is deployed and used to build robust, Web-enabled applications.
The architecture of the Oracle Web Application Server is based on the distributed computing model. It is open and standards-based, providing a scalable and fault-tolerant foundation for Web-based applications. The primary features of the Web Server architecture are a robust HTTP server, the Web Request Broker, and server extensions called cartridges. This section describes these components, the services they provide, and the interactions between them.
The HTTP server consists of two processes: the listener and the dispatcher. The supplied Spyglass listener uses a virtual file system in which the logical paths used in Universal Resource Locators (URLs) are mapped to physical directories in the file system of the host machine. It also has the capability to maintain and identify different versions of HTML files (in different languages, for example) and handle any number of defined MIME types. To improve performance, the listener takes advantage of the host operating system's memory-mapped file capabilities and supports configurable file caching. In addition to supporting SSL (Secure Sockets Layer) encryption and authentication, the listener can also provide security through any of the following methods:
You can use any of these four security methods in conjunction with SSL's server certificate authentication and data encryption to provide secured access to specific paths or files in the virtual file system.
The listener is involved in all interactions with the client. It accepts HTTP connections from clients and processes their requests. If a client requests an HTML page, the listener locates it, reads it, and sends it to the client. Similarly, the listener processes CGI requests by executing a script or program and returns the results to the client. Cartridge requests are forwarded to the dispatcher.
The dispatcher is responsible for queuing and executing requests for cartridge services. It relies on the services provided by the Web Request Broker to load and execute cartridges. First, it uses the Virtual Path Management service to identify the cartridge to use based on the URL. It then uses the Authentication Service to determine whether the client is authorized to use the requested cartridge. If the user is successfully authenticated, it then requests an instance of the cartridge from the Web Request Broker. The Web Request Broker loads the cartridge and notifies the dispatcher of the available instance. Finally, the dispatcher accesses the cartridge to process the request, returning the results to the client. Once the dispatcher has an instance of the cartridge, it communicates directly with the cartridge to process additional client requests. Note that the dispatcher and the listener make up a single process and that you can employ multiple listener/dispatcher instances to improve performance. However, the dispatcher interface is not completely integrated with the provided Spyglass listener. Its interface is accessible to other listeners, which allows other Web servers such as Microsoft IIS and Netscape Commerce Server to use the Oracle Web Request Broker and cartridge services.
The Web Request Broker (WRB) is the core of the Web Application Server, providing services to both the dispatcher and to cartridges. It provides all the following services:
Security is a critical component of any Web server, and the WRB can provide one or more additional layers of security (beyond those provided by the listener) through its authentication services. You can use authentication services to restrict access by the dispatcher, by an individual cartridge, or both. The Authentication Server is a separate process that you can run in either of two different modes:
In Memory mode provides better performance but obviously consumes considerably more memory on the WRB. ORB mode can cause bottlenecks if the Authentication Server is accessed by many cartridge instances, but it uses fewer resources. When in ORB mode, the Authentication Server can reside on a separate server from the rest of the WRB core. Although this configuration distributes processing, depending on the network configuration, it can have a negative impact on performance.
The Authentication Server uses the same security schemes as the listener and can also use database authentication for cartridges that access an Oracle database. The WRB implements database security through data access descriptors (DADs). Data access descriptors are used to prevent database usernames and passwords from being sent from the client. They accomplish this by associating a descriptor with a specific Oracle instance, username, and password. At least two DADs are defined for an installation: one for Oracle Database administrators and one to be used as the default to handle requests that do not supply one. The DADs are used by the PL/SQL agent, which is the primary means by which cartridges communicate with an Oracle database.
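The dispatcher sequence and the data access descriptor mechanism described above can be modeled in a few lines. This is an added illustration, not Oracle code: the class and function names, paths, users, and credentials are all hypothetical, and it assumes the descriptor is chosen by the server-side virtual path mapping, with the default DAD used when a mapping names none.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DAD:
    """Data access descriptor: server-side name -> Oracle instance and credentials."""
    instance: str
    username: str
    password: str

# Constructed sample configuration; every name and value here is hypothetical.
DADS = {"admin": DAD("ORCL", "www_dba", "constructed-dba-pw"),
        "default": DAD("ORCL", "www_user", "constructed-user-pw")}
# virtual path -> (cartridge, DAD name or None when the mapping supplies none)
VIRTUAL_PATHS = {"/app": ("plsql_agent", None),
                 "/app/admin": ("plsql_agent", "admin")}
PROTECTED = {"/app/admin": {"alice"}}  # path -> users the Authentication Service accepts

class Dispatcher:
    def __init__(self):
        self.instances = {}  # cartridge name -> instance, reused once loaded
        self.loads = 0       # how many times the WRB was asked to load a cartridge

    def resolve(self, url):
        """Virtual Path Management: the longest matching prefix selects the route."""
        for prefix in sorted(VIRTUAL_PATHS, key=len, reverse=True):
            if url == prefix or url.startswith(prefix + "/"):
                return (prefix,) + VIRTUAL_PATHS[prefix]
        return None

    def handle(self, url, user=None):
        route = self.resolve(url)
        if route is None:
            return 404, "no cartridge mapped"
        prefix, cartridge, dad_name = route
        allowed = PROTECTED.get(prefix)
        if allowed is not None and user not in allowed:
            return 401, "not authorized"  # decided before any cartridge is loaded
        if cartridge not in self.instances:
            self.instances[cartridge] = object()  # stands in for the WRB loading it
            self.loads += 1
        dad = DADS[dad_name or "default"]
        # Credentials are looked up here, on the server; the client never sends
        # them and the response never carries the password.
        return 200, f"{cartridge} -> {dad.instance} as {dad.username}"
```

Because the authorization check precedes the load step, a rejected request never causes a cartridge instance to be created, and a path that merely shares a prefix string (such as `/application`) does not match the `/app` mapping.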
A cartridge is an application that exposes a set of standard interfaces that allow it to be accessed by WRB clients and other cartridges through the intercartridge exchange. Cartridges are typically designed to encapsulate a small set of generic services, providing a modular approach to