Thursday, February 18, 2010

Soa 11g Human Task client Authentication

In SOA Suite 10g and 11g you can build your own Human Task client (instead of the Worklist Application) and integrate it in your own application. Together with Ronald van Luttikhuizen I made a Human Task client that works with both the SOA Suite 10g and 11g versions. The 10g version was a bit tricky because we called the 10g Human Task EJB on an OC4J container from a WebLogic web application. With SOA Suite 11g I don't have these problems because everything runs on the WebLogic container. In SOA 11g you have three ways to connect to the Human Task service: the local EJB, the remote EJB, or the SOAP service. The local EJB option is not acceptable because we would have to deploy the customer application on the SOA Suite server, otherwise it won't work. With the SOAP client I need to configure OWSM on the WebLogic server, and SOAP is not as fast as the remote EJB option. The remote EJB gives another problem: I don't want to use the SOA Suite weblogic account in the customer application.
The user has to authenticate in the customer application, and this user is also known to the Human Task service (I added the same authenticator to the ADF and SOA Suite servers), so why not use the same user for the EJB call to the SOA Suite?
To make this work you need to set up a domain trust between the two WebLogic domains.
To do this, go to the WebLogic console and change some domain properties.
First, enable the "Cross Domain Security Enabled" option.
Save this change and go to the advanced options, where you need to change the domain credential; this password must match the SOA Suite domain password.


Do this on both domains.

The next step is to create the workflow client in your application. It will use your application's authentication for this remote EJB, so you don't have to have a SOA Suite account in your application code.

// Added imports: these classes come from the 11g workflow client API in
// bpm-infra.jar and bpm-services.jar (see the comments below for the jars).
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.logging.Logger;

import oracle.bpel.services.identity.BPMIdentityService;
import oracle.bpel.services.workflow.client.IWorkflowServiceClient;
import oracle.bpel.services.workflow.client.IWorkflowServiceClientConstants;
import oracle.bpel.services.workflow.client.WorkflowServiceClientFactory;
import oracle.bpel.services.workflow.client.config.RemoteClientType;
import oracle.bpel.services.workflow.client.config.ServerType;
import oracle.bpel.services.workflow.client.config.WorkflowServicesClientConfigurationType;
import oracle.bpel.services.workflow.verification.IWorkflowContext;

// Logical server name for the client configuration and the SOA server host:port,
// passed in as a system property (for example -Dhumantask.url=soahost:8001).
String wlsserver = "HumanWorkFlow";
String soaserver = System.getProperty("humantask.url");
String wsurl = "http://"+soaserver;
String t3url = "t3://"+soaserver;
String contextFactory = "weblogic.jndi.WLInitialContextFactory";

// Identity context (realm) in which the Human Task service knows the users.
String identityDomain = "jazn.com";
IWorkflowContext context = null;

IWorkflowServiceClient workflowServiceClient;
BPMIdentityService bpmClient;
Logger logger2 = Logger.getLogger("HumanWorkFlow");

// Client configuration with one default server entry.
WorkflowServicesClientConfigurationType wscct = new WorkflowServicesClientConfigurationType();

List<ServerType> servers = wscct.getServer();
ServerType server = new ServerType();
server.setDefault(true);
server.setName(wlsserver);
servers.add(server);

// Remote EJB client over t3. No username or password is set here: the call is made
// with the identity of the application user, which the SOA Suite domain accepts
// because of the domain trust configured above.
RemoteClientType rct = new RemoteClientType();
rct.setServerURL(t3url);
rct.setInitialContextFactory(contextFactory);
rct.setParticipateInClientTransaction(false);

server.setRemoteClient(rct);

workflowServiceClient = WorkflowServiceClientFactory.getWorkflowServiceClient(
    WorkflowServiceClientFactory.REMOTE_CLIENT,
    wscct,
    logger2);

// The identity service is called over SOAP, so it needs the http root of the SOA server.
Map<IWorkflowServiceClientConstants.CONNECTION_PROPERTY,java.lang.String> properties =
    new HashMap<IWorkflowServiceClientConstants.CONNECTION_PROPERTY,java.lang.String>();

properties.put(IWorkflowServiceClientConstants.CONNECTION_PROPERTY.SOAP_END_POINT_ROOT
    , wsurl);

bpmClient = WorkflowServiceClientFactory.getSOAPIdentityServiceClient(identityDomain
    , properties
    , logger2);


The last step is to acquire and release the human tasks on behalf of the application user. Because you don't know the application user's password, you need an account that can authenticate on behalf of the application user; the code below does that. Make sure this account does not have too many authorization rights in WebLogic and in your application.

import oracle.bpel.services.workflow.query.ITaskQueryService;

// Service account that is allowed to authenticate on behalf of other users. Keep its
// rights minimal; note that a system property is visible to anyone who can list the
// JVM's process arguments, so a credential store is a better place for the password.
String identityUsername = System.getProperty("humantask.user" );
String identityPassword = System.getProperty("humantask.password");

IWorkflowContext contextBehalf = null;

// Task query service of the remote client created above.
ITaskQueryService taskQueryService = workflowServiceClient.getTaskQueryService();

// Authenticate the service account once and reuse its context.
if ( context == null ) {
    System.out.println("HumanWorkflow "+identityUsername+ " context created");
    context = taskQueryService.authenticate( identityUsername
        , identityPassword.toCharArray()
        , identityDomain);
}
// onBehalfOfUser is the name of the user who authenticated in your application; the
// returned context acts as that user without needing the user's password.
contextBehalf = taskQueryService.authenticateOnBehalfOf(context, onBehalfOfUser);
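Putting the two snippets together, as an added example that is not code from the post: a small helper that caches the service account's context, obtains an on-behalf-of context for the application user, checks that the returned context really carries that user, and runs the same State = ASSIGNED task query that the SOAP request in the comments below expresses. It assumes the IWorkflowServiceClient is built as shown above; the Predicate, TableConstants and AssignmentFilter calls are from the 11g bpm-services API as I know it, and getUser() returning the impersonated user is my assumption.

```java
import java.util.ArrayList;
import java.util.List;
import oracle.bpel.services.workflow.IWorkflowConstants;
import oracle.bpel.services.workflow.client.IWorkflowServiceClient;
import oracle.bpel.services.workflow.query.ITaskQueryService;
import oracle.bpel.services.workflow.repos.Predicate;
import oracle.bpel.services.workflow.repos.TableConstants;
import oracle.bpel.services.workflow.task.model.Task;
import oracle.bpel.services.workflow.verification.IWorkflowContext;

/** Calls the Human Task service on behalf of the user who logged in to the customer application. */
public class OnBehalfTaskClient {
    private final IWorkflowServiceClient client;   // remote EJB client, built as in the post
    private final String identityDomain;           // identity context, e.g. "jazn.com"
    private final String serviceUser;              // low-privilege account allowed to act on behalf of users
    private final char[] servicePassword;
    private IWorkflowContext serviceContext;       // authenticated once, then reused

    public OnBehalfTaskClient(IWorkflowServiceClient client, String identityDomain,
                              String serviceUser, char[] servicePassword) {
        this.client = client;
        this.identityDomain = identityDomain;
        this.serviceUser = serviceUser;
        this.servicePassword = servicePassword;
    }

    /** Returns a workflow context for appUser without knowing that user's password. */
    public synchronized IWorkflowContext contextFor(String appUser) throws Exception {
        ITaskQueryService tqs = client.getTaskQueryService();
        if (serviceContext == null) {
            serviceContext = tqs.authenticate(serviceUser, servicePassword, identityDomain);
        }
        IWorkflowContext onBehalf = tqs.authenticateOnBehalfOf(serviceContext, appUser);
        // Fail closed: later task calls must run as the application user, never as the service account.
        if (!appUser.equals(onBehalf.getUser())) {
            throw new SecurityException("on-behalf-of context does not belong to " + appUser);
        }
        return onBehalf;
    }

    /** Tasks in state ASSIGNED for appUser or their groups: the same filter the worklist uses. */
    @SuppressWarnings("unchecked")
    public List<Task> assignedTasks(String appUser) throws Exception {
        IWorkflowContext ctx = contextFor(appUser);
        List<String> columns = new ArrayList<String>();
        columns.add(TableConstants.WFTASK_TITLE_COLUMN.getName());
        columns.add(TableConstants.WFTASK_TEXTATTRIBUTE1_COLUMN.getName());
        Predicate assigned = new Predicate(TableConstants.WFTASK_STATE_COLUMN,
                Predicate.OP_EQ, IWorkflowConstants.TASK_STATE_ASSIGNED);
        return (List<Task>) client.getTaskQueryService().queryTasks(ctx, columns, null,
                ITaskQueryService.AssignmentFilter.MY_AND_GROUP, null, assigned, null, 0, 0);
    }
}
```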

31 comments:

  1. Hi Edwin
    I am working on cross domain security.
    I had some issues, and I posted them on the OTN forum.
    Can you please take a look at them and suggest some solution.

    Here's the link:
    http://forums.oracle.com/forums/thread.jspa?threadID=1052114&tstart=0

    Thanks and Regards
    Nitin

  2. Thanks for your advice, but I have already cross-checked all that a number of times.
    I inquired about the service I was trying to consume; it's an ADF-BC service, so it's now SOA-ADF integration.
    I am first deploying both the composite and this service on the same domain, making sure that they work fine, and then moving to cross domain.

    Thanks
    Nitin

  3. Hi
    I deployed a secured ADF-BC service (not the one I was previously working on) on domain A and a SOA composite on domain B and called the service from the composite WITHOUT ENABLING CROSS DOMAIN SECURITY ON DOMAIN A, using weblogic B's admin credentials for calling the service.

    Then I enabled cross domain on both sides and was now able to call the service with both the admin credentials and the user with the crossdomainconnector role.

    My questions:

    1. Is cross domain introduced so that we don't have to pass admin credentials to the other domain, or is there something else too?

    2. Also, the same approach is not working with the first secured service I was trying to consume (my 1st post is still an issue for me).

    Please advise

    Thanks
    Nitin

  4. Hi,

    Yes, cross domain is an easy way to pass on credentials between domains.

    Of course you can also use SAML, where you can use sender-vouches; see this http://biemond.blogspot.com/2009/10/securing-web-services-with-saml-sender.html
    for more info.

    thanks

  5. Edwin,

    I've been struggling a lot to get the 11g worklist application customized to the requirements of my customer.

    I'm now considering building a custom worklist app. Could you tell me how much effort this is, or could you maybe be so kind as to share your code?

    regards,
    Gerben
    gvermoen at gmail

  6. Hi,

    Here you have a working example of mine

    http://www.sbsframes.nl/jdeveloper/FCFormsShell.zip

    You need to add the bpm-infra and bpm-services jars to the web-inf/lib
    folder.

    thanks

  7. Hello -
    I am getting the following exception; can you please help?
    java.lang.RuntimeException: weblogic/security/subject/AbstractSubject
    Exception in thread "main" java.lang.RuntimeException: weblogic/security/subject/AbstractSubject

  8. Hi,

    I don't know this error. What did you do, and do you see the tasks in the human task list application?

    Thanks

  9. I am sorry, I meant to say...

    I tried the example but I am getting:
    Caused by: java.lang.ClassNotFoundException: weblogic.security.acl.UserInfo

  10. Edwin -
    I downloaded your example from http://www.sbsframes.nl/jdeveloper/FCFormsShell.zip. Thank you so much for sharing your example.

    I added the following jar files to the classpath

    bpm-infra.jar, bpm-services.jar, j2ee-1.3.1.jar, weblogic.jar, wlclient.jar, wsclient.jar, wsclient_extended.jar, xml.jar, xmlparserv2.jar

    I am getting the following error when I try to run the main method in the Query.java class

    Exception breakpoint occurred at line 93 of HumanTaskClient.java.
    java.lang.RuntimeException: weblogic/security/acl/UserInfo
    Exception in thread "main" java.lang.RuntimeException: weblogic/security/acl/UserInfo

  11. Hi,

    I think you only need bpm-infra.jar and bpm-services.jar in your web-inf/lib.

    And please generate a wlfullclient jar for Java 1.6 for the Query test.

    And of course check the project for usernames/passwords and check if they are the same for your env.

    thanks

  12. Thank you so much! It did work after I generated the wlfullclient jar as you suggested. Thank you so much!

  13. Hi Edwin
    We have some users created in the company LDAP for human task. I want to have an admin user, used to get the details of tasks (assigned to users in the company LDAP) using the SOAP client. I tried with the admin user "weblogic" but it is not working.

  14. <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tas="http://xmlns.oracle.com/bpel/workflow/taskQueryService" xmlns:com="http://xmlns.oracle.com/bpel/workflow/common" xmlns:tas1="http://xmlns.oracle.com/bpel/workflow/taskQuery" xmlns:task="http://xmlns.oracle.com/bpel/workflow/task">
    <soapenv:Header/>
    <soapenv:Body>
    <tas:taskListRequest>
    <com:workflowContext>
    <com:credential>
    <com:login>weblogic</com:login>
    <com:password>welcome1</com:password>
    <com:identityContext>weblogic</com:identityContext>
    <com:onBehalfOfUser>jwilliams</com:onBehalfOfUser>
    </com:credential>
    </com:workflowContext>
    <tas1:taskPredicateQuery startRow="0" endRow="0">
    <tas1:predicate>
    <tas1:assignmentFilter>All</tas1:assignmentFilter>
    <tas1:clause joinOperator="AND">
    <tas1:column>State</tas1:column>
    <tas1:operator>EQ</tas1:operator>
    <tas1:value>ASSIGNED</tas1:value>
    </tas1:clause>
    <tas1:clause joinOperator="AND">
    <tas1:column>TextAttribute1</tas1:column>
    <tas1:operator>EQ</tas1:operator>
    <tas1:value>READY_TO_SHIP_STATUS_417442</tas1:value>
    </tas1:clause>
    </tas1:predicate>
    </tas1:taskPredicateQuery>
    </tas:taskListRequest>
    </soapenv:Body>
    </soapenv:Envelope>

  15. Hi,

    Is weblogic the owner of the task, or is weblogic in the assigned group, and do you see them in the worklist app?

    thanks

  16. Hi Edwin,
    I got your example working, but I can't seem to find the task details URL; it's always coming up empty (null). I checked your code and you are using task.getSystemMessageAttributes().getUrlAttribute1(), so what do you think is the proper replacement for this to use it in my inline frame?
    I use SOA 11.1.1.3

  17. Hi,

    Did you add this attribute in your query?

    // specific "text string" columns
    queryColumns.add(TableConstants.WFTASK_TEXTATTRIBUTE1_COLUMN.getName());

    thanks

  18. Hi Edwin,
    in case of a cluster environment with multiple SOA servers, should we give the t3url as private String t3url = "t3://" + host1:port,host2:port;

    Please confirm.
    Thanks,
    Biltu

  19. Hi

    Yes indeed, in case of t3 you can use t3://host,host2:8001; for http you need a load balancer

    Replies
    1. Hi,
      I have the same configuration, but I can only create a WorkflowContext on the first managed node (wlhomsoa01.intra.goias.gov.br); when I connect on wlhomsoa02.intra.goias.gov.br I'm getting a null WorkflowContext (no "jazn.xml" is fetched from wlhomsoa02.intra.goias.gov.br)

      thanks

    2. Did you store the jazn config in the database? Probably you need to store OPSS in a database or an LDAP, else the second server can't read it.

    3. Thanks Edwin,

      I have OPSS file based (File/XML based system-jazn-data.xml).
      I am going to explain the complete steps for you; the exception was in this line:

      IWorkflowContext iWorkflowC = itTask.authenticate(null, null, null); // Here the context is not created
      IBPMContext ctx = (IBPMContext)iWorkflowC;

      the variable "iWorkflowC" is incomplete for node 2 (wlhomsoa02.intra.goias.gov.br) in my cluster (I have 2 managed servers with SOA), then "ctx" is incomplete.

      The exception in the trace is after the above line, in this line:

      ProcessMetadataSummary metadataSummary =
      processUtils_.getMetadataForProcess(ctx, processName, version);

      The error was that the context "ctx" is incomplete for node 2, so the true exception is not shown in the log (one exception is shown in a later step).

      BPM-71051

      Exception
      exception.71051.type: error
      exception.71051.severity: 2
      exception.71051.name: Error during authentication.
      exception.71051.description: Error while authenticating user {0}, identity context {1}. Provide valid userName, password and identityContext.
      exception.71051.fix: Contact Oracle support if exception can not be fixed

      at weblogic.rjvm.ResponseImpl.unmarshalReturn(ResponseImpl.java:234)
      at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:348)
      at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:259)
      at oracle.bpm.services.processmetadata.ejb.ProcessMetadataServiceBean_fasv2m_ProcessMetadataServiceRemoteImpl_1036_WLStub.listProcessMetadataSummary(Unknown Source)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:597)
      at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.invoke(RemoteBusinessIntfProxy.java:85)
      at $Proxy15.listProcessMetadataSummary(Unknown Source)
      at br.gov.goias.segplan.util.ProcessUtils.getMetadataForProcess(ProcessUtils.java:122)
      at br.gov.goias.segplan.util.QueryToFlexField.findInstances(QueryToFlexField.java:128)
      at br.gov.goias.segplan.util.QueryToFlexField.main(QueryToFlexField.java:61)
      Caused by: java.lang.NullPointerException
      at oracle.bpel.services.workflow.verification.impl.WorkflowContext.hashCode(WorkflowContext.java:583)

      Questions:

      1) Why is there no exception if the context was not created OK?

      2) I have another problem: in the production environment it is not running on any node, but the config is the same as in test. On all nodes I get the same exception described above for node 2 in the test environment.

      Thanks in advance

    4. Additional information

      It is not a security issue, because when I log in with the user and a wrong password I get an authentication error:

      oracle.bpel.services.workflow.client.WorkflowServiceClientException: javax.naming.AuthenticationException [Root exception is java.lang.SecurityException: User: eprocessos, failed to be authenticated.]

      at oracle.bpel.services.workflow.client.WorkflowServiceClientContext.createInitialContext(WorkflowServiceClientContext.java:686)

      at oracle.bpel.services.workflow.client.WorkflowServiceClientContext.getJNDIInitialContext(WorkflowServiceClientContext.java:341)

      at oracle.bpel.services.workflow.query.client.TaskQueryServiceRemoteClient.getInitialContext(TaskQueryServiceRemoteClient.java:47)

      at oracle.bpel.services.workflow.query.client.TaskQueryServiceRemoteClient.authenticate(TaskQueryServiceRe



      Do you think it is some library missing or a different version on node 2?

      Any help?

      Thanks in advance

  20. Hi Edwin,
    thank you very much for your prompt response.
    Please let us know what we have to do in the scenario below.
    We have soa_server1 (where we have deployed our client code after exposing it as a custom WS) in wl-domain_1, and all user information is in a different WebLogic domain, wl-domain2, of OIM (ovd, oid1, oid2).

    Now how can I assign a user from a BPEL or BPMN component to a human task, which are deployed in soa_server1 of wl-domain_1?
    Looking forward to your response.
    Thanks,
    Biltu

  21. Hi Edwin,
    Please tell us how to use WorkflowServiceClientFactory.LOCAL_CLIENT while creating the context by invoking WorkflowServiceClientFactory.getWorkflowServiceClient().
    The myHumanTaskClient.war file is deployed in soa_server1 only, so I wanted to use a local EJB call rather than a remote EJB.
    Will there be any issue in a cluster environment in case we use LOCAL_CLIENT?

    Thanks,
    Biltu

    Replies
    1. Hi,

      I think it should work; probably you don't have to provide any properties.
      Did you get some errors?

      The cluster is no problem, it will get the local EJB on the SOA server which gets the request.

      thanks

  22. Hi,

    I am trying to send the actionable email through the human workflow task. I am getting the error below.
    1ORABPEL-30504 Internal error in Verification Service. Internal error in Verification Service for user weblogic. hasPermission. Check the underlying exception and correct the error. If the error persists, contact Oracle Support Services.

    The email driver is working fine. Workflow context authentication may be the issue.
    Can you please help me with how to set the credentials for the task service...

    Replies
    1. Hi,

      Did you change the authentication providers order? Because the Verification Service only looks at the first provider, or you need to set the virtualize attribute.

      Thanks

  23. Hi,

    I got the following error when doing authenticateOnBehalf: ora-30509: Insufficient privileges to authenticate on behalf of another user.

    Any idea how to configure such a user? I have a custom OID-based authenticator and it is the first one. I also use a custom identity service plugin. This is with SOA 11g, 11.1.1.6.0.

    thanks

  24. Hi,

    I got the following error when I try to get the task list.
    SEVERE: ORABPEL-30504

    Internal error in Verification Service.
    Internal error in Verification Service for user null. lookupUser.
    Check the underlying exception and correct the error. If the error persists, contact Oracle Support Services.

    Can you please help me.

    Thanks.