Wednesday, September 26, 2007

SOA/Enterprise 2.0. The Rebel Alliance takes on Deathstar-2.0

What is the driving force for *2.0 in the enterprise? Deathstar-2.0 jokes aside, Billy (Fusion ECM) and Jake (AppsLab) have been nutting this out. Billy's in the "its all about the data" camp, and Jake's taking the "power to the people" stance. Bex has chipped in with a view that "its about knowledge".

You may think its a cop-out, but I think its a case of you're all right. Depends on what perspective you want to take.

Yes, its all about me, but in the same way that driving around town is all about me. Until a semi wants to cut into my lane. On the road we have established ways of collaborating to keep things moving nicely (signals, lane markers, the odd toot of a horn). It's all about me in the sense that I want to safely get to where I'm going. But the roads department has a broader objective.

I'd suggest that the real difference with Web-2.0 in the wild is that there really is no broader objective to speak of. I blog. I like. That's good enough for me.

But in an enterprise, there's always an over-riding agenda that's bigger than any individual: profitability, customer satisfaction, market share etc. If that's not front of mind, you deserve a pink slip .. give you lots of time for facebook!

With that in mind, I'd like to share a visualisation of the enterprise I call the "SOA Sphere". Not perfect, by tries to cram a number of key concepts together:

  • Information (data/knowledge) is the core asset of an organisation

  • Business Services/processes/applications collaborate with users and act upon the knowledge base

  • Security is an all-encompassing capability; a key enabler of innovation

  • People live, breath and work together in the environment that these services create. No distinction really between employees, customers, partners or the great unwashed


Tuesday, September 25, 2007

Proof! Oracle Development have a funny bone

Recurity Labs GmbH have a very interesting post on their investigation of the new password algorithms in Oracle Database 11g.

I did a double-take when I saw the set of hashing algorithm identifier values (used as a parameter to the ztv2ghashs hashing function)..

0xf00d means: Use MD4
0xdead means: Use SHA1
0xbeaf means: Use MD5

Ah! It's an oldie but a goodie. Brings back schoolboy memories of getting your LCD calculator to spell out well-known petroleum companies.

And good to see that even in the depths of Oracle Development there's a willingness to do something a little special, for no reason other than because they can.

Wednesday, September 19, 2007

Pipes - Web 2.0 Wake-up Call for BPEL?

Recently I've spent some time playing with Yahoo Pipes. I was tipped off by comments to Chris Muir's blog on Drowning in Oracle Blogs Aggregators.

So I've had some fun with Pipes, using it to aggregate all my Oracle news for example. Pipes is still beta and has a fairly modest objective of giving end-users a way to craft their own data feeds on the net, but I think there are some exciting implications.

My Little Experiment

I did a simple experiment with a Perl CGI that issues a "quote of the day" in JSON format, consumed it in Pipes, and then subscribed to an RSS version of the result in FeedReader.

I could have used an existing data source supported by Pipes (RSS, JSON, CSV or XML) but I wanted to experiement with formats. Hence the little bit of coding ..
use strict;
use CGI;
use JSON;

print header();

my $obj = {
title => 'Quote of the Day',
quote => 'the only dependency we have on the proof of concept is whether it works or not'
};

print objToJson($obj);
1;
(btw, that's one of my favourite quotes from a collegue during a particularly long and weary evening;-)

The Pipes editor makes it a piece of cake to get tricky ... like add a flickr lookup that will roll in a suitable photo to go along with the quote:

All fairly straight-forward, but what grabbed my attention is how Pipes provides an extremely intuitive graphical editor that makes it simple for an end-user to transform and consume data in a hosted model that would conventionally require server-side programming to arrange. It even has an integrated "debugger" that lets you see the output at any stage of the pipe you select.

Pipes - a Web 2.0 Wake-up Call for BPEL?

There are a few things that Pipes can't do (yet), like handle SOAP Web Services, incorporate human workflow or asynchronous events, secure published pipes, and of course reach data sources or systems that are not accessible from the Internet.

But I'm thinking it wouldn't take too much enhancement along these lines and we'd see Pipes rapidly encroaching the BPEL domain (albeit without the standards support). This would be a perfect example of the Web 2.0 challenge to Enterprise IT.
  • Pipes - the funky UI that lets anyone create and publish their "flow"

  • BPEL - a robust standards-based engine that runs "processes" that have been designed, tested and deployed by experts
If these two extremes don't come crashing together soon, I think we are not trying hard enough!

I'm not sure if Yahoo could do this without a rip'n'replace of the Pipes back-end, and rethink the whole hosting model. More likely that we see someone re-think our approach to BPEL, and the set of use cases it assumes.

I don't hear or see much movement in this direction from the existing BPEL players however. That includes the commercial offerings like Oracle BPEL Process Manager and also the free/open source kind like ActiveBPEL and OpenBPEL.

I suspect we need to challenge a few key assumptions implicit in current BPEL offerings. That processes are (a) largely a conversation between systems, and (b) built by a developer (or at least a skilled business analyst).

While that can and will remain true for core business processes, I think Pipes is beginning to demonstrate that there is a bigger picture we have yet to address.

Put it this way. I'd like to take a robust BPEL engine with...

  • BPEL standards support of course

  • Web Services (WSDL + SOAP) and WSIF adapter model

  • Sophisticated human workflow and asynchronous task support

  • Something I can deploy behind the firewall if needed (to access enterprise goodies)

  • A decent security model

Then add some of the Pipes goodness:

  • Oh-so-Web-2.0 hosted design tools - made for end-users.

  • "Publish" instead of "Deploy". Implies automatically maintained (and accessible) registry of published pipes/processes.

  • Support for RSS, JSON, CSV and plain XML "web sources"

  • Inheritance by chaining or cloning existing pipes

  • Smart output rendering. Need RSS, JSON or SOAP? If it makes sense, ask for it and the correct format should be delivered. Transformation taken care of by the infrastructure, not the process definition.

As an enterprise user, this means I'd expect to be able to launch my company's BPELPipes site and see the pipes published by IT. If I need something a bit different, I just go ahead and create it (or clone an existing service). And once I've done creating my pipe, I can use it immediately as maybe an RSS feed or somthing I can embed in my portal. And share it with others if I like..

Perhaps here lies the future of Enterprise 2.0 Workflow (WikiWorkflow?!), finally bringing SOA to the people rather than having it left stuck somewhere in the middle tier.

BPEL + Pipes. Workflow for all?

(Post moved to here..)

Sunday, September 02, 2007

Adding reCAPTCHA to Oracle SSO

I've blogged previously about playing with the reCAPTCHA service in Perl. Seriously cool! Not because it's foolproof - it isn't - but the side-effect of helping to digitize old documents and books is a truely great idea.

I'm starting to see reCAPTCHA more often now. Bex Huff put it in his comment form, and blogged about it (though I can't find his posting anymore. Update: link from Bex, thanks!). But I haven't seen it used with Oracle SSO yet ... sounds like an interesting weekend project!

So I had a poke around, and like to share the solution. Although I am going to integrate the recaptcha service, you could use the same approach to add any 2nd or 3rd factor to the SSO authentication process. End result is the reCAPTCHA appearing and working in the Oracle SSO login page. The sample here is based on the Oracle Collaboration Suite 10g branding:


The sources for my example are available as OssoRecaptcha-1.0-src.zip. See readme.txt in the zip for more detailed instructions and discussion.

There are basically two things we need to take care of to integrate reCAPTCHA. First, customise the login page to render the captcha challenge. Secondly, we need to insert a custom authenticator to handle the captcha validation before the standard authentication.

I've used the ReCaptcha Java Library released by Tanesha Networks to simplify things.

Customising the Login Page

This is the simplest part, and pretty well documented in "Creating deployment-specific pages".

The following code renders the captcha challenge and just needs to be included in the login page at an appropriate point.
<%
// create recaptcha
ReCaptcha captcha = ReCaptchaFactory.newReCaptcha(RecaptchaConf.RECAPTCHA_PUBLIC_KEY, RecaptchaConf.RECAPTCHA_PRIVATE_KEY, false);
String captchaScript = captcha.createRecaptchaHtml(request.getParameter("error"), null);
out.print(captchaScript);
%>
RecaptchaConf is a class included in the sample to hold your site-specific reCAPTCHA keys that you can easily get by registering at http://recaptcha.org.

Customising SSO Authentication

We have a simple task: intercept and evaluate the catpcha response before allowing standard SSO authentiation to proceed. Simple, yet not exactly documented unfortunately. The documentation for "Integrating with Third-Party Access Management Systems" is almost what we need to do, but not quite.

The approach I have taken is to sub-class the standard authenticator (oracle.security.sso.server.auth.SSOServerAuth) rather than just implement an IPASAuthInterface plug-in.

The only method of significance is "authenticate", where if the captcha response is present, we evaluate it prior to handing off to the standard authentication.
public IPASUserInfo authenticate(HttpServletRequest request)
throws IPASAuthException, IPASInsufficientCredException
{

SSODebug.print(SSODebug.INFO, "Processing OssoRecaptchaAuthenticator.authenticate for " + request.getRemoteAddr());
if (request.getParameter("recaptcha_challenge_field") == null) {
throw new IPASInsufficientCredException("");
} else {
// create recaptcha and test response before calling auth chain
ReCaptcha captcha = ReCaptchaFactory.newReCaptcha(RecaptchaConf.RECAPTCHA_PUBLIC_KEY, RecaptchaConf.RECAPTCHA_PRIVATE_KEY, false);
ReCaptchaResponse captcharesp = captcha.checkAnswer(request.getRemoteAddr(),
request.getParameter("recaptcha_challenge_field"),
request.getParameter("recaptcha_response_field"));
SSODebug.print(SSODebug.INFO, "ReCaptcha response errors = " + captcharesp.getErrorMessage());
if (!captcharesp.isValid()) {
throw new IPASAuthException(captcharesp.getErrorMessage());
}

return super.authenticate(request);
}
}
A couple of things to note:

  • This method is first called prior to the login challenge to see if you are already authenticated, hence the check for a captcha response before boldly going ahead to authenticate
  • The specific exception messages raised in this class seem to get "lost" by the time the handler returns to the login page (at which point you always seem to have a generic failure message). In other words, users will basically just get told to try again. I haven't found a way around this yet.
  • See the example usage of SSODebug to log messages which will appear in the SSO log (as configured in ORACLE_HOME/sso/conf/policy.properties)
  • We'll deploy the custom class into the OC4J_SECURITY container, rather than to $ORACLE_HOME/sso/plugins since it seems plugins get a limited environment that does not include all of the required support classes. Deploying to OC4J_SECURITY avoids this problem.

Deployment

The most robust approach to deployment is to explode, modify and the rebuild the OC4J_SECURITY EAR file ($ORACLE_HOME/sso/lib/ossosvr.ear) once you are confident everything is working fine. I haven't covered how you do that here however.

Rather, I'm deploying the sample directly into an existing OC4J_SECURITY container. Note that with this approach, if you ever redeploy the OC4J_SECURITY application (which can happen during an upgrade or patch for example), then your changes
would be destroyed.

There's an Ant build script included in the sample that takes care of the details, but is pretty straightforward...

Firstly, two copy operations:
  1. Copy the login page to $ORACLE_HOME/j2ee/OC4J_SECURITY/applications/sso/web/
  2. Copy the supporting jar files to $ORACLE_HOME/j2ee/OC4J_SECURITY/applications/sso/web/WEB-INF/lib/
Second, the authenticator configuration is governed by $ORACLE_HOME/sso/conf/policy.properties.
MediumSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOServerAuth
# replaced with:
MediumSecurity_AuthPlugin = com.urion.captcha.OssoRecaptchaAuthenticator
Finally, we are ready to restart the OC4J_SECURITY container
opmnctl restartproc process-type=OC4J_SECURITY
and test out the customised login. Try...
http://you.site:port/oiddas
Give it a go! Love to hear from anyone who deploys reCAPTCHA on a production Oracle Portal or Applications site for example.

Postscript: Patrick Wolf obviously had a weekend free also, and has now posted a solution for adding reCATPCHA to APEX ;-) Cool!

Postscript 2008-06-03: I finally got around to setting this up with its own sourceforge project.