Since Oracle XE was initially released in January 2006 I believed there was no usage restriction whatsoever with regard to the type of application you could build with Oracle XE, especially in combination with Oracle Application Express (Oracle APEX).
Just recently a customer of mine was told by an Oracle sales rep in Germany that certain usage scenarios are not covered by the Oracle XE license and that he would therefore have to purchase a regular Oracle (at least Standard One) license for that purpose. This sales rep argued that once you build an application as a hosted solution storing customer data in this database, this is no longer covered by the XE license.
I was stunned and couldn't believe that. Then I had a close look at the official license agreement:
http://www.oracle.com/technetwork/licenses/database-11g-express-license-459621.html
There I noticed that this usage scenario wasn't covered explicitly, and I wasn't 100% sure any more. I checked the forum again and saw that these questions do come up once in a while; here are just a few examples:
https://forums.oracle.com/forums/thread.jspa?messageID=1454706
https://forums.oracle.com/forums/thread.jspa?messageID=2775638
Thus I decided to get some official statement from Oracle.
Oracle authorities from Database Product Management and Oracle
Pricing responded to my request and confirmed that any
application-specific usage of Oracle XE is covered by the license
agreement and there is no usage related restriction imposed on
Oracle XE.
I have explicitly asked for the following use cases:
1) A web application for the internal staff only: A calendaring
application where one could record his times of absence. The
application is reachable via the internet but protected by a
login. Only the employees of the company running Oracle XE are
allowed to access the application.
2) A web application used by everybody, no customer content stored
in the database: This could be a company website which is built on
Oracle XE / APEX. This application is reachable over the internet
by everybody. Content is only provided by the company running
Oracle XE.
3) A web application used by customers on their own data (no
manipulation through website): This could be an application
similar to the UPS or DHL tracking of parcels. Information is
processed in other backend systems and published to Oracle XE to
allow a customer to query for his/her own data.
4) Supporting a business process via a web application among
several of my customers: This could be a portal allowing a
customer to invite other parties to bid on a public project (like
building a railroad track). This portal (built using Oracle APEX
and Oracle XE) supports the communication between all parties and
allows the upload / download of files with regard to specific
parts of the bid.
5) A web application used by customers to provide services to others: This could be a multi-tenant shop system where different customers open their own shop and upload their product catalogs in order to resell them to their own customers.
Aside from that you would still have to comply with all other elements of the license agreement
(http://www.oracle.com/technetwork/licenses/database-11g-express-license-459621.html),
i.e. you have to comply with the export restrictions, your end customers would have to agree to the XE license agreement, and so forth.
Cheers and enjoy Oracle XE and Oracle APEX!
~Dietmar.
6 comments:
Dietmar,
Great breakdown - I have to say I'm a big fan of seeing licenses detailed in the type of use-cases you listed, rather than the 'lawyer-speak' that you typically see.
Hopefully the sort of use-cases you listed could be listed as part of an official XE FAQ since as you say there can be a lot of confusion around what is/isn't permitted.
Like you, I've heard some very incorrect statements made about the licensing so it's great to be able to point back at an official source.
John.
Hi John,
thanks.
Yes, it is always difficult for me to understand the "lawyer speak" as well. And sometimes, even the "translations" aren't really helpful either ;).
>Hopefully the sort of use-cases you listed could be listed as part of an official
>XE FAQ since as you say there can be a lot of confusion around what is/isn't
> permitted.
Yes, I would hope for that but I am not sure this will actually happen.
I strongly believe that this is Oracle's duty to provide clarification on licensing questions/issues, even for a cost-free product.
Unfortunately, since Mark Townsend passed away, nobody official from Oracle seems to monitor the Oracle XE forum any more.
And yes, all clarifications should be added to the official Oracle licensing statement hosted on an official Oracle site.
This is what we have to shoot for.
Nevertheless the statement I have received is pretty clear, I have especially asked for a statement that I could post on my blog.
Cheers,
Dietmar.
Thanks Dietmar. As a user of XE since its first release back in 2005, I find this blog post to be a very clear and useful synopsis of XE licensing.
Making XE freely available has greatly benefited Oracle, as it has allowed developers to choose Oracle over other free alternatives. Back in 2005 we were working on a project in Africa using open-source databases, and then OracleXE was released so we quickly changed direction and went live on 10gXE. The stability and robustness of Oracle was a key factor in this project becoming a success. It is still running in production today.
Developer adoption of XE is a win-win situation for Oracle - they get greater market share AND higher potential future revenue from upgrades to SE and EE.
All the best.
Niall.
The only problem I have with the XE product is that it doesn't get patched like any of the regular products.
If I'm using it on my own machine for prototyping, etc., not a huge concern. If I were to use that for a commercial app, the no patching thing would concern me.
What is your take on that?
Hi Niall,
thanks for sharing.
And yes ... I have had similar experiences.
Cheers,
~Dietmar.
Hi Buzz,
>If I'm using it on my own machine for prototyping..etc, not a huge
> concern. If I were to use that for a commercial app, the no
>patching thing would concern me.
I don't consider myself a security expert, you should rather address this question to Niall Litchfield, Alexander Kornbrust or Anton Nielsen.
My take on that? Well, what does security mean anyway? You have different layers which can be attacked:
1) the http server
2) your apex application
3) the apex framework
4) the oracle database
5) the operating system
What would I recommend?
1)
- use a current Apache (this one can be hardened)
- use the APEX listener through AJP as a back-end for the Apache http server
- secure the APEX listener: http://krisrice.blogspot.de/2012/05/apex-listener-jdbcsecurity-setup.html
- use SSL
- lock down the ports, i.e. traffic to your machine is only allowed on port 443 (the default ssl port)
2)
- use session state protection
- don't trust anything being sent from the client
- take care of sql injection and cross site scripting attacks
- use a security checker for APEX like sumneva sert or http://www.recx.co.uk/apexsec-security-for-oracle-apex.php
3)
- install the apex runtime only version (no development)
- patch regularly to the latest APEX releases
4)
- lock down direct access to the Oracle XE database
- disable the XML DB http server
- use VPN setups or at least an ssh tunnel to access your database
5)
- never done that but many tools / tutorials available
In addition to that you could even add a web application firewall (waf) and hire a professional security expert trying to hack your site.
Looking at the different layers, typically YOUR OWN application is the weak spot.
Hope that helps,
~Dietmar.
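The layer-2 advice in the comment above (don't trust anything sent from the client; take care of SQL injection and cross-site scripting) as an added PL/SQL example that is not part of the original post or its comments. The table EMP_ABSENCE and the function names are assumptions made for the illustration; the point is the contrast between concatenating a client-supplied value into dynamic SQL and passing it as a bind variable, plus escaping the value on the way back out to HTML.

```plsql
-- Added example, not code from the original post or comments.
-- Assumes a hypothetical table EMP_ABSENCE(ename VARCHAR2, absence_date DATE)
-- for the "absence calendar" use case in the post. p_ename stands for a
-- value that arrived from the browser (e.g. an APEX page item).

-- VULNERABLE: the client value is spliced into the statement text, so a
-- single quote in the value changes the SQL itself instead of being data.
CREATE OR REPLACE FUNCTION absences_for_vuln(p_ename IN VARCHAR2)
  RETURN NUMBER
IS
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM emp_absence WHERE ename = ''' || p_ename || ''''
    INTO l_count;
  RETURN l_count;
END;
/

-- HARDENED: the statement text is constant; the client value travels as a
-- bind variable and can never alter the statement's structure.
CREATE OR REPLACE FUNCTION absences_for(p_ename IN VARCHAR2)
  RETURN NUMBER
IS
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM emp_absence WHERE ename = :1'
    INTO l_count
    USING p_ename;
  RETURN l_count;
END;
/

-- Output side (cross-site scripting): anything stored from a client and
-- echoed back into the page is HTML-escaped first. The static SQL in the
-- cursor is bind-safe by construction; only the rendering needs care.
BEGIN
  FOR r IN (SELECT ename, absence_date FROM emp_absence ORDER BY absence_date) LOOP
    htp.p('<li>' || sys.htf.escape_sc(r.ename) || ' - '
          || TO_CHAR(r.absence_date, 'YYYY-MM-DD') || '</li>');
  END LOOP;
END;
/
```

Page items referenced as :P1_ITEM in an APEX region's SQL source are passed as binds by the framework; the concatenation pattern in absences_for_vuln typically shows up in hand-written PL/SQL processes, which is the kind of pattern the checkers listed under 2) are meant to catch.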