Get Oracle 1Z0-574 Exam Dumps

Answer : C

In order to avoid man-in-the-middle attacks a security framework must have capabilities

such as:

* Logging in users without the need to type passwords or PINs (not D)

* Dynamically challenging the user for different information, e.g., asking a random question for which only the user will know the answer

* Encrypting and signing transmissions from the client to the back end server (not A)

* Detecting replays using embedded transaction ids or timestamps (not E)

* Presenting proof to the user that the site they are visiting is authentic

Propagating a single proof object, or assertion, can be susceptible to man-in-the-middle attacks and replay attacks. If a rogue entity observes an assertion, it could reuse that assertion for illegitimate requests. Possible solutions include:

* (notB) Invalidate the assertion after every request. In the case of chained SOA Services, service providers must verify each assertion they receives with the authority. The authority can invalidate assertions in its internal cache. Any future verifications with the same assertion would fail. SOA Service providers would need to obtain a new assertion in order to make subsequent service requests. This solves both types of problems mentioned above.

* (notE) Reduce and enforce the assertion's time to live attribute. This would narrow the window of opportunity to reuse an assertion. The assertion would have to be captured and reused in a short period of time (programmatically vs. manually). While this limits the potential for man-in-the-middle attacks, it's not as effective for replay attacks

* Require the signature of a trusted service consumer (client application) in addition to the signed assertion. The caller's signature should cover the assertion to bind it to the message. If all service consumers are required to sign their request messages, then service providers can be shielded from rogue clients, thereby preventing man-in-the-middle attacks.

This solution would need to be enhanced to solve replay attacks. One option is to include a unique request id, timestamp, or sequence number in the request. The target resource could maintain a cache of ids and refuse duplicate requests. A common request id service could be created to issue unique request ids and validate all requests that are received within the security domain

Answer : A, B, D

Assets must be packaged using standards-based approaches with the goal of improving flexibility, reuse, and runtime performance.

Applying packaging standards and best practices is a critical step in ensuring that the assets are deployed for the best quality and performance. It also accelerates the time-to-deployment. Implications:

* Every reusable asset must contain at least one manifest file that self-describes the contents of the package.

* Any components that can be precompiled must be precompiled in the package.

* Non-runtime artifacts must not be included in the deployment package. (e.g. build and test artifacts) (not C)

* Packaging of components must be modular and all common components must be packaged as independent libraries that can be included in multiple packages.

Note: Further implications

* Libraries provided by the platform should not be included in the package. (e.g. Application Server system libraries)

* Libraries and components in a package must not be duplicated. The classloader hierarchy must be used to design the packages to avoid duplication.

* Common libraries must be placed outside the package to be loaded by a higher level classloader (e.g. System classloader).

* Packages must follow predefined industry or company standard naming conventions and structures.

* Static content must not be included in the deployable package. They must be served separately in exploded format.

Answer : A, B, D, E

Examples of the management and visibility gap are listed below:

* On-going Shift to Move to an Agile Shared Service Computing Environment

* On-going Shift to Manage IT from an End User Experience Perspective

* Increasing Need to Enforce Regulatory and Corporate Policies (not C)

* Increasing Number of Heterogeneous IT Infrastructure Components to Manage

* Complex Distributed Environments Require Access to Consolidated Information

Note: Many companies today are deploying enterprise technology strategies (ETS) such as Service-Oriented Architectures (SOA), Business Process Management (BPM), and Cloud Computing, which are designed to make functions, processes, information, and computing resources more available. While these ETSs offer additional benefits and sophistication, they have created a management and visibility gap between the traditionally monitored IT infrastructure resources and the services that contribute to the overall experience encountered by the end user.

Answer : B

Oracle Reference Architecture, Application Infrastructure Foundation, Release 3.0

Answer : E

Enterprise Application Integration (EAI) is an approach for integrating multiple applications. EAI products are built around messaging products and are deployed in either a hub-and-spoke architecture or in a bus architecture.

Some argue that service-oriented integration is actually a form EAI. This is not correct.

EAI is an application-oriented architecture. EAI provides the mechanism to have applications interact to share data and functionality. Service-oriented integration adds the concept (and concrete deployment) of SOA Services that are separate and distinct, with a lifecycle that is independent, from any application in the computing environment.