I saw numerous people asking about a read-only BPEL Console, which is not supported out of the box. I guess Oracle might ship this feature in 11g, but here is the hack that will obviously come to mind for any web developer.
First of all, BPEL Console is just a common J2EE web application with a front servlet and a couple of JSPs behind the scenes. It is deployed in "soasuite/j2ee/oc4j_soa/applications/orabpel/console". By default it is secured by JAZN file-based security, which you can easily look at in "WEB-INF/web.xml".
In a nutshell, I just wrote a servlet filter and provided non-intrusive role-based security for the BPEL Console. Here are the steps I followed:
Step 1. I wrote a standard Servlet Filter with the help of the java.util.regex.Pattern class.
Step 2: I wrote a fake servlet to test this servlet filter. Now we need to integrate this filter with BPELConsole. We can check in "/soasuite/j2ee/oc4j_soa/config/default-web-site.xml" that BPELConsole is located at "soasuite/j2ee/oc4j_soa/applications/orabpel/console".
a) I put the compiled BPELFilter.class file in the "soasuite/j2ee/oc4j_soa/applications/orabpel/console/WEB-INF/classes" directory. This is how it looks: "/soasuite/j2ee/oc4j_soa/applications/orabpel/console/WEB-INF/classes/bpelfilterproject/BPELFilter", where bpelfilterproject is the package name.
b) I changed the soasuite/j2ee/oc4j_soa/applications/orabpel/console/WEB-INF/web.xml file to apply the filter settings:
These changes are good enough to make the BPEL Console read-only. Now if we restart SOA Suite and click on one of the sensitive URLs, e.g. Purge Instances, it should show the page with the following message:
Step 3: We are done with the basic component, but now it is time to do some role-based security. I had to dig into some JAZN settings in order to make this work. I followed the link http://download.oracle.com/docs/cd/B12314_01/web.904/b10325/configja.htm#1007274, which was very helpful. I realized that BPELConsole is using only one role, called "PUBLIC", which is defined in the web.xml file and not mapped to any OC4J role!
So let's follow the best practice that has already been defined for the ESB Console.
- I need to create two roles called "viewers" and "admins".
- I need to define these roles in web.xml and map them to OC4J roles using the orion-web.xml file.
- I need to assign admins to bpeladmin.
- I need to assign viewers to guest.
- Change the filter code to do role-based filtering.
Then let's do it:
a) Create the viewers and admins roles from EM as shown below:
b) Assign the "admins" role to the "bpeladmin" user and the "viewers" role to the "guest" user. (Note: BPELDefaultDomainAdmin is always required to access anything in BPELDomain.)
Note: Essentially I am relying on two roles, viewers and admins; if the user has the viewers role and not the admins role, then I start filtering. As we know, bpeladmin can have both the viewers and admins roles.
d) The final change is to declare these roles in the console's web.xml file and map them to OC4J roles. Here is how the "soasuite/j2ee/oc4j_soa/applications/orabpel/console/WEB-INF/web.xml" file looks:
And to associate these roles with OC4J roles, we need to change the /soasuite/j2ee/oc4j_soa/application-deployments/orabpel/console/orion-web.xml file. Here is how the orion-web.xml file looks:
Cool. Now if I log in as bpeladmin, everything works great, and when I log in as guest it is all read-only.
Source code along with a Read-Me document can be downloaded from this link.
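As an added example (not the article's BPELFilter or the v2 code from the comments), here is how the pieces described in Step 1 and Step 3 fit together in one filter: the URL patterns are loaded from filterList.properties on the classpath, the viewers-but-not-admins rule decides who is restricted, and a blocked request is forwarded to an error.jsp inside the console web app. The property file name, the forward target /error.jsp and the role names viewers/admins are assumptions, and the filter still relies on web.xml declaring those roles and orion-web.xml mapping them to OC4J roles as described above.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class BPELFilter implements Filter {
    private FilterConfig filterConfig;
    private final List<Pattern> filters = new ArrayList<Pattern>();
    public void init(FilterConfig config) throws ServletException {
        filterConfig = config;
        // Assumed layout: filterList.properties in WEB-INF/classes, one regex per value,
        // e.g. purge=.*purgeInstances.* (keys are only labels)
        Properties props = new Properties();
        InputStream in = getClass().getClassLoader().getResourceAsStream("filterList.properties");
        if (in == null) throw new ServletException("filterList.properties not on classpath");
        try { props.load(in); in.close(); } catch (IOException e) { throw new ServletException(e); }
        for (Object regex : props.values()) {
            filters.add(Pattern.compile(regex.toString().trim()));
        }
    }
    // true when any configured pattern is found in the requested URL
    static boolean matchAll(List<Pattern> filters, String requestURL) {
        for (Pattern p : filters) {
            if (p.matcher(requestURL).find()) return true;
        }
        return false;
    }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Restrict only users who hold viewers but not admins; bpeladmin holds both roles.
        boolean readOnly = request.isUserInRole("viewers") && !request.isUserInRole("admins");
        // Include the query string so action parameters are checked as well as the path.
        String requestURL = request.getRequestURI()
                + (request.getQueryString() == null ? "" : "?" + request.getQueryString());
        if (readOnly && matchAll(filters, requestURL)) {
            // Forward to a page the customer can edit rather than a hard-coded message.
            filterConfig.getServletContext().getRequestDispatcher("/error.jsp").forward(request, response);
            return;
        }
        chain.doFilter(req, res);
    }
    public void destroy() { }
}
```

The filter only sees requests that its web.xml filter-mapping covers, so the mapping should span every console URL pattern, not just the JSP pages.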
16 comments:
test comment
This is a very good article and very useful. Can a similar thing be achieved with ESB Console?
-- Mahesh
Hello Mahesh,
Yeah, it can be achieved for ESB also (out of the box); I will post the article very soon.
Thanks,
Chintan
Thanks to Nikunj, who changed the code so that filterList.properties will be picked up from the classpath.
You can download the latest copy from: http://chintanjshah.googlepages.com/BPELReadOnly_v2.zip
Hi Chintan,
This is really a very helpful tweak that you've given.
I tried it on my Windows machine and it worked fine without any issues. But when I tried the same on my SOA 2-node clustered instance running on Sun SPARC, the login screen of the BPELConsole itself is messed up: only the username and password textboxes and the submit button are seen, nothing else is seen on the screen. When I try to enter login inputs in these 2 textboxes and click submit, it throws an Authentication Failed error.
Is there something that has to be configured for Sun or for clustered environments?
Maybe a file path? If not, you can check the log where it really fails. Can you download Nikunj's version from the previous comments? I am sure that has worked on Linux.
I tried the BPEL Only Console as given in http://chintanjshah.googlepages.com/BPELReadOnly_v2. All the links are enabled in BPELConsole even when I log in as oc4jguest. Do we need to change anything in default-web-site.xml? Or any others?
Thanks,
Gomathi
Thanks for the blog... good stuff...
Instead of the custom "Not Allowed" message which is inside your code, it would have been better if you redirected to a JSP that can be customized by the client with any message they like...
This can be easily done by adding this chunk inside the matchAll(filters, requestURL) condition:
    if (matchAll(filters, requestURL)) {
        // forward to a JSP inside the console web app instead of writing a hard-coded message
        filterConfig.getServletContext().getRequestDispatcher("/error.jsp").forward(request, response);
        return;
    }
The error.jsp page can then be put in %OracleAS%\j2ee\OC4J_SOA\applications\orabpel\console.
Thanks... once again!!!
Keep up the good work...
I just made an ANT script that extends this idea to create multiple restricted and admin users with a separate error.jsp page...
http://blogs.oracle.com/SoaRanch/2009/05/read_only_users_for_oracle_bpe.html
Cheers!!!
Hello,
Does this method work when Oracle Internet Directory (OID) is used for authentication and authorization?
Thanks for your help
SKA
How do I do a similar thing for SOA Suite 10.1.3.5.1 on WebLogic?
Hello Sameer,
I have not worked on the 10.1.3.5 WebLogic version, but I believe a servlet filter would work everywhere. It would just be a matter of finding the right location of the deployed BPELConsole artifact and web.xml. Then the rest would remain the same.
Thanks,
Chintan
Hi Chintan,
Did you get any way to implement the same logic for BPEL Console over WebLogic 10.1.3.5.0?
Manish
Hi,
I tried the solution provided at
http://blogs.oracle.com/SoaRanch/entry/read_only_users_for_oracle_bpe
which was created based on your blog here.
It is working fine for the 'default' domain, but it is throwing the below error when I tried to access non-'default' domains through the 'bpelReadOnly2' user.
AccessControlException
access denied (com.collaxa.security.DomainPermission xxuscca read)
An unexpected error has occurred while executing your request. This is most likely related to a defect in the Oracle BPEL Process Manager product. We apologize you can post the error to the OTN forum and we will get back to you as soon as possible.
Could you please suggest a solution? We have to create users with read-only access to the processes deployed on domains other than 'default'.
Please help....
I found a solution for this: just add the 'BPMSystemAdmin' role to the 'Viewers2' role in the Admin Server Console (EM console); you should now be able to access all domains using the 'bpelReadOnly2' user (users in Viewers2).