Monday, December 17, 2007

BPEL Read Only Console - Role Based Security

I saw numerous people asking about BPEL read only console, which is not supported out of the box. I guess Oracle might ship this feature in 11g, but here is the hack which will obviously come in mind of any web-developer.

First of all, BPEL Console is just a common J2EE web application which front servlet and couple of JSPs behind the scene. It is deployed in "soasuite/j2ee/oc4j_soa/applications/orabpel/console" By default it is secured by JAZN file based security which you can easily look at "WEB-INF/web.xml".

In nutshell, I just wrote servlet filter and provided non-intrusive role based security to BPEL console. Here are the steps I followed:




Step 1. I wrote standard Servlet Filter with help of java.util.regex.Pattern class.
Note: Current filter code doesn't care about user's role. Every single request will be filtered against filterlist.txt file shown below:




Step 2: I wrote to fake servlet to test this servlet Filter. Now we need to integrate this filter with BPELConsole. We can check in "/soasuite/j2ee/oc4j_soa/config/default-web-site.xml" that BPELConsole is located at "soasuite/j2ee/oc4j_soa/applications/orabpel/console".

a) I put compiled BPELFilter.class file in "soasuite/j2ee/oc4j_soa/applications/orabpel/console/WEB-INF/classes" directory. This is how it looks like: "/soasuite/j2ee/oc4j_soa/applications/orabpel/console/WEB-INF/classes/bpelfilterproject/BPELFilter", where bpelfilterproject is the package name.

b) I changed soasuite/j2ee/oc4j_soa/applications/orabpel/console/WEB-INF/web.xml file to apply this filter settings:


These changes are good enough to make BPEL console read only. Now if we restart SOASuite and click on one of the sensitive URL, e.g. Purge Instances, it should show the page with following message:






Step 3: We are done with basic component, but now it is time to do some Role based security. I had to dig into some JAZN settings in order to make this thing worked. I followed the link http://download.oracle.com/docs/cd/B12314_01/web.904/b10325/configja.htm#1007274 which was very helpful. I realized that BPELConsole is using only one Role called "PUBLIC" which is defined in Web.xml file and not mapped to any of the OC4J Role!!!

So let's follow the best practice which has been defined for ESB console already.
- I need to create two roles called "viewers" and "admins".
- I need to define this role in web.xml and map to oc4j role using orien-web.xml file.
- I need to assign admins to bpeladmin
- I need to assign viewers to guest
- Change the Filter code to do Role based filtering

Then let's do it:

a) Create viewers and admins role from EM as shown below:






b) assign "admins" role to "bpeladmin" user and "viewers" role to "guest" user. (Note: BPELDefaultDomainAdmin is always required to access anything in BPELDomain).


c) Let's change the source code. Here is what I did:

Note: Essentially I am relying on two roles viewers and admins, and if role is viewers and not admins, then I start doing filtering. As we know, bpeladmin can have both viewers and admins role.

d) Final change would be to create these roles in console's web.xml file and and assign those roles to OC4J roles. Here is how "soasuite/j2ee/oc4j_soa/applications/orabpel/console/WEB-INF/web.xml" file looks like:


And to associate these roles with OC4J roles, we need to change /soasuite/j2ee/oc4j_soa/application-deployments/orabpel/console/orien-web.xml file. Here is how orien-web.xml file looks like:



Cool. Now if I login as bpeladmin, everything works great, and when I login as guest it is all read only.



Source code along with Read-Me document can be downloaded from this link.






16 comments:

Dietrich Schroff said...
This comment has been removed by the author.
Anonymous said...

test comment

Anonymous said...

This is a very good article and very useful. Can a similar thing be achieved with ESB Console?
-- Mahesh

Chintan Shah said...

Hello Mahesh,
Yeah it can be achieved for ESB also (out of the box), I will post the article very soon.
Thanks,
Chintan

Chintan Shah said...

Thanks to Nikunj, he changed the code so that filterList.properties will be picked up from classpath.

you can download latest copy from: http://chintanjshah.googlepages.com/BPELReadOnly_v2.zip

Anonymous said...

Hi Chintan,
This a really a very helpful tweak that you've given.

I tried it on my Windows machine and it worked fine without any issues. But when i tried the same on my SOA 2node-clustered instance running on SunSparc, the login screen of the BPELConsole itself is messed up, the username and password textboxes and the submit buttons are only seen, nothing else is seen on the screen. When i try to enter login inputs on these 2 texboxes and click submit, it throws, Authentication Failed error.
Is there something that has to be configured for Sun or for clustered environments.

Chintan Shah said...

May be a file path? If not, you can check log where it really fails. Can you download Nikunj's version from previous comments? I am sure that has worked on Linux.

Unknown said...

i tried BPEL Only Console as given in http://chintanjshah.googlepages.com/BPELReadOnly_v2. All the links enabled in BPELConsole even I login as oc4jguest. Do we need to change anything in default-web-site.xml? or anyothers?

Thanks,
Gomathi

Anonymous said...

Thanks for the blog...good stuff ...
instead of the custom "Not Allowed" message which is inside your code, it would have been better if you redirect to a jsp that can be customized by the client with any message they like ...

This can be easily done by adding this chunk inside the matchAll(filters, requestURL) condition ...

matchAll(filters, requestURL)

filterConfig.getServletContext().getRequestDispatcher("/error.jsp").forward(request, response);
return;

the error.jsp page can then be put in the %OracleAS%\j2ee\OC4J_SOA\applications\orabpel\console

Thanks...once again!!!
Keep up the good work ...

Anonymous said...

I just made an ANT script that extends this idea to create multiple restricted and admin users with a separate error.jsp page ....

http://blogs.oracle.com/SoaRanch/2009/05/read_only_users_for_oracle_bpe.html

Cheers!!!

Unknown said...

Hello,

Is this method works when the Oracle Internet Directory (OID) are used for authentication and authorization?
Thanks for your help
SKA

Sameer said...

How to do a similar thing for SOA Suite 10.1.3.5.1 on weblogic?

Chintan Shah said...

Hello Sameer,

I have not worked on 10.1.3.5 weblogic version, but I believe servlet filter would work everywhere. It would be just matter of finding right location of deployed BPELConsole artifact and web.xml. Then rest of the part would remain the same.

Thanks,

Chintan

Manish Kumar Gupta said...

Hi Chintan,

Did u get any way to implement the same logic for BPEL Console over WebLogic 10.1.3.5.0.

Manish

Srini said...

Hi,
I tried the solution provided at

http://blogs.oracle.com/SoaRanch/entry/read_only_users_for_oracle_bpe

which is created based on your blog here,
It is working fine for the 'default' domain, but it is throwing the below error when i tried to access non 'default' domains through the 'bpelReadOnly2' user.

AccessControlException
access denied (com.collaxa.security.DomainPermission xxuscca read)
An unexpected error has occurred while executing your request. This is most likely related to a defect in the Oracle BPEL Process Manager product. We apologize you can post the error to the OTN forum and we will get back to you as soon as possible.


Could you please suggest me the solution - we have to create users with readOnly access to the processes deployed on the domains other than 'default'.


Please help....

Srini said...

I found a solution for this, just add 'BPMSystemAdmin' role to 'Viewers2' role in Admin Server Console(em Console), you should now able to access All domains using 'bpelReadOnly2' (users in Viewers2) user.