Friday, December 2, 2016

Securing Cross-Site Requests to MCS APIs

When your Oracle Mobile Cloud Service APIs are being accessed by a remote server, it is important you manage cross-origin resource sharing (CORS) We ran into this issue when we were building the solution for the Oracle cloud day. The MCS APIs were accessed by a Web Application that was hosted on a different domain, not on our Oracle PaaS domain. When calling an API from the application, we received the error:

XMLHttpRequest cannot load: [request url]. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin [origin domain] is therefore not allowed access. The response had HTTP status 401.

You can either disallow CORS altogether, or whitelist specific sites.  This is done by setting a property in Security_AllowOrigin.

An example of the property can be seen below:


This means that requests coming from from port 80 are allowed.

More information can be found in the Using Oracle Mobile Cloud Service, Part II: Setting up Mobile Apps, Chapter 5. This chapter explains in detail the pattern matching that is applicable.

To summarize:

1. Login to MCS
2. Click on "Administration"
3. Scroll to the bottom of the page
4. Download
5. Edit or add the property
6. Upload

Administration page in MCS

The setting is applied instantly.

Saturday, November 19, 2016

Editing Application Roles in Oracle Process Cloud Service

The other day I was working on my demo of Oracle Process Cloud Service (PCS) for UKOUG Apps 2016.  After creating the application, I wanted to start working on the process. My use case fits an out of the box pattern nicely, so I started with "Form Approval with Integration Pattern" and PCS created a default process for me; with two swimlanes and a number of activities. The resulting process is shown below.

Process created based on "Form Approval with Integration Pattern"

Every PCS application is provisioned with three standard roles:
  1. Process Owner. Users with this role have access to process activity history, can take actions, alter the process flow etc. Process owners typically manage deployed business processes and use metric analysis tools such as dashboards to monitor the business process. 
  2. Process Reviewer. This role gives access to process activity, but process reviewers can not take actions on tasks or alter tasks flows.  Process reviewers are not participating but typically responsible for reporting on current process instance status. 
  3. Analytics Viewer. assigned this role can create and view business analytics dashboards associated with the specified application.
In this example, I don't want to use these global application roles, I want two other roles:
  1. Expense Submitter. An employee that submits an expense because of traveling or other reasons
  2. Expense Approver.  The manager of the employee that approves the expense items on the expense report.
You can edit the swimlane by clicking on the pencil icon next to the swimlane and select a role. 

Assigning an application role to a swimlane

I did not see the role I was looking for in the list, but that is not a problem: I can add an Application Role to the list by clicking the "+" icon.

So far so good. I added a role "Expenser" and assigned the first swimlane to it. Then I did the same for the second swimlane: I edited the swimlane and added a new role "Expense Approver".

Unfortunately, I made a mistake....

Editing the role

I wanted to call the first swimlane/role "Expense Submitter", remember? I accidentally named it "Expenser". I want to change this name, because I don't like it.

My first attempt is in the current screen. I have the pencil next to the swimlane, so probably I can edit the role here, right? Wrong.
It will bring me back to assigning a role to a swimlane. I can assign it to a different role or a new role. But not edit it. 
So let's look at another option, there is another place to manage roles, on an application level.

Click on the tab "Application Home". This will bring you back to the Application Home. When you click on the "Organisation" link, you will get a pop-up that allows you to delete or add roles. However, you can't edit roles. 

Because I really wanted a new name, I deleted the role and added a new one.

Remember, adding a role will not only impact the swimlane, but also adds an application role for the application. This role will be available for all processes in this application.
Application Home with Dialog to add and remove Application Roles

Of course this makes you wonder what happened with the swimlane that was using the role we just deleted?

Let's see:

Unassigned role after deleting a role from the application

It results in a swimlane with a 'Unassigned role'. So I assigned the newly created role and continued with implementing the process. 


From a functional perspective, the ability to create a process based on a pattern is very powerful. The responsiveness of the process composer is very good. It is a pleasure to work with it, it feels like a modern application. However from a user experience perspective, I see plenty of room for improvement: 
  1. Navigation
    • Buttons versus links. Why is 'Organization' a link, not a button at the right hand side of the Application Home? Why is closing the application implemented with a link and not a button? There are multiple levels of navigation, and it is not always clear why which pattern is used for what level.
    • Moving from the Workspace to the Process Composer. It is unclear to me how to get back to the workspace once you have entered the process composer, apart from saving the link as a favorite in your browser.
  2. Internationalization
    • Some concepts are translated, some are not. 
    • Consistency. It seems that in the Dutch version, a project role is edited (see illustration), in the English version the dialog is called "edit Application roles" (the correct concept) . 
  3. Concepts. 
    • The name of the Swimlane is the same as the role you assign to it. The role is defined on an Application Level, not a process level. This is not clear from the way it is presented to the user and will only occur to the process developer, once (s)he will develop more than one process
    • It is not possible to edit the name of the role. You have to delete it and then add a new role. This will result in swimlanes with unassigned roles in existing processes. 
    • It is unclear for the process developer what a role entails, the pop-up window does not show where the role is used or what permissions are associated with it
    • By default the submitter of a form is defined as the process owner. In most cases this will not be the case: the receiver of the form is typically the process owner, who will approve or deny the request and has the ability to change the process etc.
This is not an extensive list, but just the issues I ran into while trying to change the name of a process role after having created a process based on a pattern. 

From a functionality perspective PCS is becoming more and more powerful. However, it is very important to keep the User Experience that comes with the functionality consistent within itself and with the other Oracle products as well. Including the Oracle Applications. Because for users, the difference between PaaS and SaaS is inconsequential, they just use the tools. In the end, to users it does not matter whether Oracle calls these tools a 'Platform' or 'Software'. What matters is that they are productive and that the tools are easy to understand. 

I think it is time that Oracle repositions the Oracle Usable Apps group to a higher level to include the PaaS products. And please, as a first recommendation from a UX perspecive, let me edit roles 🙏

Tuesday, May 5, 2015

Virtual Technology Summit: Hands-On Learning With Oracle and Community Experts

The Oracle Technology Network (OTN) is organizing another Virtual Technology Summit this May. The summit includes Database, Java, Middleware, and OS/Virtualization/Hardware content. The VTS will be offered on May 5th, May 12th and May 19th. Lonneke and I will present the following session on reuse in Oracle SOA Suite 12c:

Most people in IT agree: you want to reuse code, rather than type the same thing twice. Choosing the right type of reuse can greatly speed up your development, decrease maintenance efforts, and reduce the number of errors by eliminating similar code.

Of course you can copy something, and reuse it that way. However, this is hard to do, especially if somebody changes the original code. In SOA Suite 12c there are several ways to reuse code, implement patterns and quickly start your project. These options vary from project skeletons using Maven poms to composite templates and creating services. In this presentation we will explain the difference between a pattern, a library and a (micro)service and illustrate this with features from the SOA Suite 12c: maven, templates (BPEL and OSB), BPEL subprocesses, and services. The features will be explained using real-life examples. We will also discuss common pitfalls we have encountered.

At the end of this session attendees will be familiar with the facilities that SOA Suite offers to create consistent quality in projects, and will be better equipped to choose the appropriate method (library, pattern or service) to use in any situation.
View the full agenda here, enjoy!

Monday, April 20, 2015

Creating the platform of the future with Oracle Fusion Middleware 12c

The article "Creating the platform of the future with Oracle Fusion Middleware 12c" written by Antonis Antoniou and myself is published in UKOUG's Oracle Scene Issue 56.

The article shows how Oracle Fusion Middleware 12c offers one complete, modern, open and integrated stack that allows you to create a future-proof platform. To highlight the features of the stack we have used the example of handling lost-luggage by an airline. Based on this use case, the article explains how Oracle Fusion Middleware provides mobile and web access from any device based on user and customer experience best practices. How it enables applications to be responsive and to create valuable insights by incorporating big and fast data capabilities; and gives you control over both structured as well as unstructured knowledge-driven processes. It then discusses its best-in-class integration capabilities, both between the products in the Fusion Middleware stack, as well as with other applications and data either running in the Cloud or on-premise.

Wednesday, August 13, 2014

Create Service Bus Customization File using WLST

For one of our Oracle Fusion Middleware projects we had the requirement that the IT Ops activities should be scripted as much as possible. These activities included things like packaging, deploying, and automated testing of Service Bus projects, SOA Composites, and BPM processes. One of the more challenging tasks to script was to create and extract the runtime configuration of services deployed on Oracle Service Bus 11g using customization files. There seems to be no WLST feature readily available for this purpose. Based on some resources that all contained part of the solution, we were able to construct a WLST script for this purpose which you can find in this blog.

This blog briefly explains the use of customization files, how to create a customization file using the Service Bus Console, includes the WLST script to execute this task, and provides a brief conclusion.

Customization Files

Customization files are XML files that contain the configuration of Service Bus resources and projects. Examples of such configurations are Service URIs, JCA settings, Retry Settings, and so on. Customization files provide a convenient way to apply environment-specific configuration during deployment. You can both apply, as well as create and extract the runtime configuration of Service Bus resources and projects into customization files using the Service Bus Console.

Creating customization file using the Service Bus Console

Read more about customization files in the Oracle Fusion Middleware Administrator's Guide for Oracle Service Bus.

WLST Script

Based on the following resources a WLST script can be created to export an OSB project including its customization file from a runtime environment:

The WLST script is as follows:

from import FileOutputStream
from java.util import Collections

from com.bea.wli.config import Ref
from com.bea.wli.config.mbeans import ConfigMBean 
from import EnvValueTypes

import sys

# Utility function to export project and cust file
def exportProject():

        if projectName == "None":
            print "No project specified, exiting deployment"

        if customizationFile == "None":
            print "No customization file specified, exiting"

        ALSBConfigurationMBean = findService("ALSBConfiguration", "")
        print "ALSBConfigurationMBean found"
        configMBean = JMX.newMBeanProxy(mbs, ObjectName.getInstance("com.bea:Name=Config.XBus Kernel,Type=com.bea.wli.config.mbeans.ConfigMBean"), ConfigMBean)
        print "ConfigMBean found"

        # Get reference to OSB project        
        ref = Ref.makeProjectRef(projectName);
        collection = Collections.singleton(ref)
        # Export OSB project JAR            
        print "Export JAR for OSB project:", projectName
        theBytes = ALSBConfigurationMBean.exportProjects(collection, passphrase)
        aFile = File(exportJar)
        out = FileOutputStream(aFile)
        print "Project " + projectName + " exported"

        # Export OSB customization file
        print "Export customization file for:", projectName
        theBytes = configMBean.createCustomizationFile(collection, EnvValueTypes.ENV_VALUE_TYPES);
        out = FileOutputStream(customizationFile);
        print "Cust file for " + projectName + " exported"

    adminUser         = sys.argv[1]  
    adminPassword     = sys.argv[2]  
    adminUrl          = sys.argv[3]   
    projectName       = sys.argv[4]
    exportJar         = sys.argv[5]
    customizationFile = sys.argv[6]    
    passphrase        = "your-passphrase"
    connect(adminUser, adminPassword, adminUrl) 

    print "Unexpected error: ", sys.exc_info()[0]


WLST provides a very powerful and comprehensive scripting environment for Oracle Fusion Middleware products. While most administration and management features can be accessed and executed through WLST, some of the features that are available through IDEs or consoles are not (easily) available through WLST and require a workaround or some research. One of these examples was shown in this blog.

Monday, July 14, 2014

Oracle BPM Suite 12c and SOA Suite 12c at eProseed World 2014

As most of you know, Oracle officially released SOA Suite 12c (12.1.3) and BPM Suite 12c (12.1.3) a couple of week ago. Exciting times for people like us, who have worked extensively with BPEL Process Manager, Oracle ESB, SOA Suite 10g, and SOA Suite 11g! The same week that 12c was released, eProseed World 2014 took place. During this event all eProseed employees meet for a fun couple of days full of social and work-related sessions. Because Vennster is merging into the eProseed Netherlands office we will soon migrate this blog to an eProseed domain. For us it was an excellent chance to meet all our new colleagues. In between the tour of Luxembourg city and an afternoon full of Highland Games (nobody got injured :-), multiple sessions where organized to present and discuss Oracle BPM and SOA 12c.

The SOA Suite 12c presentation included an overview of 10 years of Oracle & SOA, new features and important themes in Oracle SOA Suite 12c, and information on the migration tool bundled with SOA Suite 12c to perform in-flight upgrade from 11g to 12c.

Friday, May 16, 2014

To Pull or to Push

In a recent project various designs were discussed to integrate business processes implemented in Oracle BPM with a Java front-end application. More specifically, how status changes in these processes could be communicated to the end user via the front-end. The possible scenarios quickly boiled down to a poll versus push approach and various in-between scenarios. This blog lists the various approaches and design considerations.


The custom-built Java application provides a thin and stateless User Interface that is used by local branch employees to sell products to customers. The process of selling these products is coordinated through a business process that is implemented in Oracle BPM 11g. The configuration of the products for a particular customer is done by the employee through the Java application. After the configuration of the product is completed, the Java application sends a signal to the process. The process will initiate various automated tasks such as credit checking. In the meantime the employee waits until these tasks are executed, then views the results of those checks and continues with the completion of the order.

The question we discussed is how to inform the employee, though the Java application, that the checks are executed by the process and the employee can move on. We know the milestone in the process is reached through a combination of the occurrence of a particular Human Task and the process state itself.

Solution based on polling

In a polling approach, the Java front-end application polls for the process status and workflow status every few seconds using the out-of-the-box Oracle BPM and Human Workflow APIs. The client applications poll to see if process instances have reached a particular milestone; if so the application moves forward. Since the Java application is stateless and has no server side, the custom application directly polls from every client session and not from a central web server. This means every new client will increase the load on the BPM platform. Stress tests showed that in this scenario the OBPM engine would be mostly busy handling polling requests and couldn’t accommodate for a high degree of concurrently running process instances.

The basic polling approach is simple to implement from the perspective of the Java front-end, but not very scalable.

We could consider optimizing the polling. For example to use a Coherence Grid or Service Bus Result Cache as caching layer between the Java clients and the Oracle BPM APIs and have the clients poll the cache instead of the APIs directly. Upside is that such a cache is easily created and that we limit the number of requests on the backend BPM engine by centralizing the polling requests and using a default caching mechanism. Downside is that the polling results can be outdated when the actual process state has changed and the process status data in the cache is not yet invalidated.

Solution based on pushing

The Java front-end clients are interested in some status change. For this purpose, a natural approach would be to push an event from the process to the Java clients when that particular milestone is reached. The preferred choice in this scenario would be to use JMS for this since this standard is both supported by Java as well as Oracle BPM 11g through the use of JCA Adapters. The pro of this approach is that it is much more scalable. We only perform an activity (publish an event) when needed, we don’t do useless polling. Downside however in this case is that the front-end application doesn’t support event subscription using JMS and this would require a significant change in that application.


We used a three step approach:

  • Short-term. Expose a new service that encapsulates the polling logic. Implement this service on the Service Bus and use Result Caching to cache the polling results. This service is easily created and alleviates the back-end usage of OBPM APIs. The business needs to accept that results can be outdated in some scenarios as a trade-off for the increased load that can be supported.
  • Middle-term. Push events from the BPM process using Mediator and a JCA JMS Adapter when a certain milestone is reached and store the event data in a custom table. Have the Java front-end poll on the custom table. In this approach the process uses events, which is the desired approach. We only need a small change to the Java front-end to poll on the custom table instead of the OBPM engine itself, thereby offloading the engine. The Java front-end however still incurs overhead by using a polling approach. 
  • Long-term. Change the custom Java application to support event subscription, for example using JMS. This way the scalability of the front-end application will improve since the number of events is much lower than the number of polling requests. Also, on average the front-end application knows about reaching the milestone faster using events, than it does when periodically polling for that information.