In a SOA environment, when you use the default worklist application, the users must be registered in the WebLogic Server. Legacy applications have their own mechanism for storing user data; in our Oracle world, users and passwords are often stored in tables in the database.
The goal is to re-use this table mechanism in combination with the default Worklist Application. The obvious approach is simple, but it does not work:
- Add the WebLogic SQLAuthenticator provider to your security realm. Logging in to the worklist application then fails with:
Internal Error in Verification Service for user SKING. lookupUser. Check the underlying exception and correct the error. If the error persists, contact Oracle Support Services. ORABPEL-30504 Internal Error in Verification Service.
The issue is within the worklist application itself: it authenticates only via LDAP and ignores the SQLAuthenticator.
We were able to fix this issue. The solution is based on the SOA Samples for Human Workflow, "workflow-120-SQLIdentityProvider". You can obtain the samples via Oracle TechNet or via your Oracle rep.
The solution is as follows and is based on the SQL Authenticator example by Edwin Biemond.
- Apply the SQL Authenticator in your SOA WLS environment.
- Test that users and groups can be viewed and edited.
- Shut down the admin server and the managed servers.
- Copy dbprovider.jar to the SOA_DOMAIN/lib directory.
- Make changes in the SOA FMW JPS config file (jps-config.xml):
  - Add a new Identity Store provider.
  - Add a new Service Instance.
  - Change the JpsContext to the new Identity Store.
- Start the admin and managed servers.
- Test the worklist application with database users.
- DBUserSearchResponse.java
- DBRolesSearchResponse.java
Example of the jps-config.xml file:
<serviceProviders>
<!-- New ID provider -->
<serviceProvider type="IDENTITY_STORE" name="custom.provider"
class="oracle.security.jps.internal.idstore.generic.GenericIdentityStoreProvider">
<description>Custom IdStore Provider</description>
</serviceProvider>
<!-- EOF New ID provider -->
...
<serviceInstances>
<!-- NEW Service Instance -->
<serviceInstance name="idstore.custom" provider="custom.provider" location="dumb">
<description>Custom Identity Store Service Instance</description>
<property name="idstore.type" value="CUSTOM"/>
<property name="ADF_IM_FACTORY_CLASS" value="org.sample.providers.db.DBIdentityStoreFactory"/>
<property name="DB_SERVER_NAME" value="database.vijfhuizen.local"/>
<property name="DB_SERVER_PORT" value="1521"/>
<property name="DB_DATABASE_NAME" value="orcl"/>
<property name="ST_SECURITY_PRINCIPAL" value="demo"/>
<property name="ST_SECURITY_CREDENTIALS" value="demo"/>
</serviceInstance>
<!-- EOF NEW Service Instance -->
...
<jpsContexts default="default">
<!-- This is the default JPS context. All the mandatory services and Login Modules must be configured in this default context -->
<jpsContext name="default">
<serviceInstanceRef ref="credstore"/>
<serviceInstanceRef ref="keystore"/>
<serviceInstanceRef ref="policystore.xml"/>
<serviceInstanceRef ref="audit"/>
<serviceInstanceRef ref="idstore.custom"/>
</jpsContext>
Good luck!
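The three layers the steps above wire together (a serviceProvider, a serviceInstance that names it through its provider attribute, and a serviceInstanceRef in the default jpsContext) are easy to get subtly wrong, and the worklist application gives little feedback when they are. The following is an added example, not code from this post or from Oracle: a small Python checker that parses a constructed jps-config.xml sample modelled on the excerpt and verifies that every reference resolves, that the default context names exactly one IDENTITY_STORE instance (a leftover idstore.ldap reference next to idstore.custom is the situation the comments below describe, where the worklist keeps using LDAP), and that the database password is not sitting in the file as a literal ST_SECURITY_CREDENTIALS value. Element, attribute and property names are those from the excerpt; the placeholder provider classes in the sample, the CREDENTIAL_STORE entry and the namespace-stripping are assumptions made for the example.

```python
"""Added example: consistency check for the identity-store wiring in jps-config.xml."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the post's excerpt, not a real jps-config.xml.
# The classes "x.Ldap" and "x.Cred" are placeholders.
SAMPLE = """<jpsConfig>
  <serviceProviders>
    <serviceProvider type="IDENTITY_STORE" name="idstore.ldap.provider" class="x.Ldap"/>
    <serviceProvider type="IDENTITY_STORE" name="custom.provider"
        class="oracle.security.jps.internal.idstore.generic.GenericIdentityStoreProvider"/>
    <serviceProvider type="CREDENTIAL_STORE" name="credstore.provider" class="x.Cred"/>
  </serviceProviders>
  <serviceInstances>
    <serviceInstance name="credstore" provider="credstore.provider"/>
    <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider"/>
    <serviceInstance name="idstore.custom" provider="custom.provider" location="dumb">
      <property name="idstore.type" value="CUSTOM"/>
      <property name="ST_SECURITY_PRINCIPAL" value="demo"/>
      <property name="ST_SECURITY_CREDENTIALS" value="demo"/>
    </serviceInstance>
  </serviceInstances>
  <jpsContexts default="default">
    <jpsContext name="default">
      <serviceInstanceRef ref="credstore"/>
      <serviceInstanceRef ref="idstore.ldap"/>
      <serviceInstanceRef ref="idstore.custom"/>
    </jpsContext>
  </jpsContexts>
</jpsConfig>
"""


def local(tag):
    """Strip an XML namespace prefix ('{uri}name' -> 'name'); real files carry a default namespace."""
    return tag.rsplit("}", 1)[-1]


def check_identity_store(xml_text):
    """Return a list of findings; an empty list means the wiring is consistent."""
    root = ET.fromstring(xml_text)
    providers, instances, contexts = {}, {}, {}
    default_ctx = None
    for el in root.iter():
        tag = local(el.tag)
        if tag == "serviceProvider":
            providers[el.get("name")] = el.get("type")
        elif tag == "serviceInstance":
            props = {p.get("name"): p.get("value") for p in el if local(p.tag) == "property"}
            instances[el.get("name")] = (el.get("provider"), props)
        elif tag == "jpsContexts":
            default_ctx = el.get("default")
        elif tag == "jpsContext":
            contexts[el.get("name")] = [r.get("ref") for r in el if local(r.tag) == "serviceInstanceRef"]

    findings = []
    # 1. Every service instance must point at a declared provider.
    for name, (prov, _) in instances.items():
        if prov not in providers:
            findings.append(f"instance {name!r} references unknown provider {prov!r}")
    # 2. Every context reference must point at a declared instance.
    for ctx, refs in contexts.items():
        for ref in refs:
            if ref not in instances:
                findings.append(f"context {ctx!r} references unknown instance {ref!r}")
    # 3. The default context must name exactly one identity store; two (e.g. idstore.ldap
    #    left in place beside idstore.custom) leaves the LDAP store in effect.
    refs = contexts.get(default_ctx, [])
    id_refs = [r for r in refs
               if r in instances and providers.get(instances[r][0]) == "IDENTITY_STORE"]
    if len(id_refs) != 1:
        findings.append(f"default context {default_ctx!r} references {len(id_refs)} identity stores: {id_refs}")
    # 4. A database password written into the file as a literal property value.
    for name, (_, props) in instances.items():
        if props.get("ST_SECURITY_CREDENTIALS"):
            findings.append(f"instance {name!r} carries a literal ST_SECURITY_CREDENTIALS value")
    return findings


def drop_context_ref(xml_text, context_name, ref):
    """Return the document with <serviceInstanceRef ref=.../> removed from the named context."""
    root = ET.fromstring(xml_text)
    for ctx in root.iter():
        if local(ctx.tag) == "jpsContext" and ctx.get("name") == context_name:
            for child in list(ctx):
                if local(child.tag) == "serviceInstanceRef" and child.get("ref") == ref:
                    ctx.remove(child)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in check_identity_store(SAMPLE):
        print("before:", finding)
    for finding in check_identity_store(drop_context_ref(SAMPLE, "default", "idstore.ldap")):
        print("after: ", finding)
```

Run against the constructed sample the checker reports two findings: the default context references two identity stores, and the custom instance carries a literal password. Removing the idstore.ldap reference clears the first; the second is a reminder that jps-config.xml is readable by anyone with access to the domain directory, so the file itself deserves the same protection as the database account it names. For a real file, which carries a default namespace, the same functions work because tags are compared by local name; the rewritten output of drop_context_ref will, however, carry ns0 prefixes, so treat it as a dry run and make the one-line edit by hand.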
10 comments:
Hi Marc,
I wanted to apply your solution on SOA Suite 11.1.1.2 Workflow, but there everything is not file-based anymore. Do you have any idea how I can configure a new realm via Enterprise Manager?
Thanks
Farnoush (the_farnoush@yahoo.com)
This should work; my example is based on SOA 11g PS2.
You configure this via the WebLogic Console.
Have you tried with the new patch set? I am getting the following error with SOA 11g PS3. Is there anything else that needs to be done? I am able to see the users and groups from within WebLogic, but when I try to log in to the worklist app I get the error below.
Exception
exception.70692.type: error
exception.70692.severity: 2
exception.70692.name: Error while granting BPMOrganizationAdmin role to SOAOperator.
exception.70692.description: Error occured while granting the application role BPMOrganizationAdmin to application role SOAOperator.
exception.70692.fix: In the policy store, please add SOAOperator role as a member of BPMOrganizationAdmin role, if it is not already present.
Hi,
I am new to SOA Suite and we are using SOA Suite 11g. Please let me know how to configure users for Human Workflow and the worklist application. I created simple users in the WebLogic realm, but how do I set which user is an administrator and which user is an end user?
Within the WebLogic console you are able to assign a specific role to a user. These roles are the groups: select a group and assign it to a user.
Hi,
I have followed all the steps mentioned above. I am using version 11.1.1.6 (Windows installation) of Oracle BPM 11g. Though I have set the SQL provider first with the SUFFICIENT control flag, from the Oracle BPM Administration link I am still not able to see the users from the DB.
They are visible in EM.
Hi,
Do you know if it is possible to use the same example with a provider that is in a Microsoft SQL Server database?
Hi Marc Kelderman and Arindam Guha Mazumder,
I have followed the steps like Arindam did, and from my EM and Console I can see all users and groups from the SQL authenticator.
I can also assign BPM application roles to users from the SQL authenticator.
But when I try to assign BPM application roles to groups from the SQL authenticator, the BPM application is not shown in the BPM Workspace.
Is there any clue to solve this problem?
Thanks in advance.
Yes, I have solved this problem. It is happening because the LDAP configuration is still present in the jps-config.xml file under the "jpsContexts" element, and the BPM worklist always uses LDAP as the default. To solve this, instead of inserting a new entry in "jpsContexts" for the custom authenticator, just replace "idstore.ldap" with "idstore.custom" and restart your servers (SOA and WLS). It will work. I have tested it on 11.1.1.6.