Welcome to the IBM Software-as-a-Service demonstration series. In this series,... demonstrate a set of architectural patterns exploiting features in open...
by user
Comments
Transcript
Welcome to the IBM Software-as-a-Service demonstration series. In this series,... demonstrate a set of architectural patterns exploiting features in open...
IBM Software Group
Building web delivered SaaS applications
on open-source and entry-level IBM middleware
IBM Developer Skills
1
© 2007 IBM Corporation
Welcome to the IBM Software-as-a-Service demonstration series. In this series, we will
demonstrate a set of architectural patterns exploiting features in open source and entrylevel IBM middleware to build cost-effective software-as-a-service solutions.
We will show you how to share a single instance of the middleware between multiple
tenants with different look-and-feels and access control.
IBM Software Group
Demo highlights
PoC SaaS Banking application
Built using entry-level IBM and open source middleware based
on J2EE standards:
WebSphere Application Server, Community Edition
Based on Apache Geronimo J2EE Application Server
Includes Apache Pluto for Portlets, Tomcat for Servlets, Axis for WebServices
DB2 Express-C
With pureXML
OpenLDAP
Illustrating SaaS technical requirements:
Multi-tenancy on a single instance middleware with:
1. Tenant specific access control
2. Tenant specific customizations with configuration at the:
–
User interface and data tiers
3. Shared web services and database schema
2
developerWorks
© 2007 IBM Corporation
Software as a Service
In this demo we will show a proof-of-concept multi-tenant SaaS Banking application
built using WebSphere Application Server, Community Edition (also referred to as WASCE), DB2 Express-C and openLDAP.
WAS-CE is a free lightweight application server built on open source Apache Geronimo
technology based on the J2EE standard.
DB2 Express-C is a version of DB2 that is free to build, deploy and redistribute.
openLDAP is a free, open source implementation of the Lightweight Directory Access
Protocol, or LDAP commonly used for accessing user information from a registry.
We will demonstrate how various features in these middleware products can be used to
support tenant-specific access control, tenant specific customizations at the user interface
and data tiers and shared web services and database schema.
<<Live Demo>>
This is our SaaS banking application running on a single instance of WAS CE and DB2
Express-C. It hosts two tenant banks: 1st Bank N.A and Web Bank.
First we show 1st Bank’s customer: Rob, user id b1u1, logging to his portal.
After logging in, Rob can see the Customer Portal tab.
In the Customer portal, he sees portlets specific to customers: Customer Accounts, loan
applications and loan requests.
Note the look and feel elements specific to 1st Bank, the violet colored theme.
In contrast this is the portal for Web bank.
Here we show Rob trying to log in to Web Bank’s portal by mistake.
Note that he is unable to log in because he is not a Web Bank customer.
In contrast Mary, who is valid Web bank customer, is able to log in using user id b2u1.
Note that the look and feel elements are specific to Web bank, the blue colored theme.
Take a look at the portlets that are available to Mary. These are customer-specific
portlets.
Now we see Alice, who is a valid web bank employee, log in to Web Bank as user b2e1.
She sees the Employee Portal tab.
Her employee portal contains two portlets, Manage Interest Rates and Manage Bank
Customers, which are specific to bank employees rather than bank customers.
Next we review the technical challenges for implementing this scenario.
IBM Software Group
Technical Challenge for:
Tenant specific access control
1. How do you prevent the user population of one tenant
from accessing the portal of another tenant?
In a shared OpenLDAP instance:
use different databases for different tenants
In a shared WebSphere CE instance:
Use different virtual hosts for different tenants
Use different security realms mapped to their own OpenLDAP
databases for different virtual hosts
Use J2EE role based security for different banking roles
3
developerWorks
© 2007 IBM Corporation
Software as a Service
How did we prevent Rob, who is a customer of 1st Bank, from accessing the Web Bank
portal?
We achieved this by exploiting various capabilities of openLDAP and WAS CE
including using different virtual hosts, security realms and openLDAP databases for each
tenant, and J2EE role based security for different roles in each tenant.
Let’s take a look at the major steps.
IBM Software Group
Multi-tenant access control configuration
using WAS-CE and OpenLDAP
4. Geronimo deployment descriptor
1. Virtual Host Definition
/opt/IBM/WebSphere/AppServerCommunityEdition/var/config/config.xml
<gbean gbeanInfo="org.apache.geronimo.tomcat.HostGBean"
name="org.apache.geronimo.configs/tomcat/1.2/car?ServiceModule=org.apache.geroni
mo.configs/tomcat/1.2/car,j2eeType=Host,name=TomcatVirtualHost_1">
<attribute name="className">org.apache.catalina.core.StandardHost</attribute>
<attribute name="initParams">name=bank1.com
appBase=
workDir=work</attribute>
</gbean>
3. Security Realm Definition
2. OpenLDAP Configuration
4
developerWorks
© 2007 IBM Corporation
Software as a Service
In step 1, we defined two virtual hosts for bank1 and bank2 in the WAS CE configuration
file: config.xml.
In step 2, we define two openLDAP databases in the openLDAP configuration file:
slapd.conf. .
In step 3, we define two security realms for bank1 and bank2 using the WAS CE admin
console.
In step 4, we specify the virtual host and security realm for each tenant bank in the
Geronimo Deployment descriptor in the application EAR file:Geronimo-web.xml file
The relationship between the configuration parameters is shown in the red and green lines
in the chart.
IBM Software Group
Role-based access control configuration in WAS-CE
J2EE declarative permissions in the Pluto Portal driver J2EE deployment descriptor,
e.g. see snippets from WEB-INF/pluto-portal-driver-services-config.xml
- <security-constraint>
- <security-constraint>
- <web-resource-collection>
- <web-resource-collection>
<web-resource-name>employees-only</web-resource-name>
<url-pattern>/portal/Customer Portal</url-pattern>
<url-pattern>/portal/Customer Portal/*</url-pattern>
<http-method>GET</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
- <auth-constraint>
<web-resource-name>customers-only</web-resource-name>
<url-pattern>/portal/Employee Portal</url-pattern>
<url-pattern>/portal/Employee Portal/*</url-pattern>
<http-method>PUT</http-method>
</web-resource-collection>
- <auth-constraint>
<role-name>Employees</role-name>
<role-name>Customers</role-name>
</auth-constraint>
</auth-constraint>
</security-constraint>
</security-constraint>
J2EE API IsCallerInRole() invocations in Pluto’s theme file: navigation.jsp to determine
role appropriate Portal Page for user, e.g. see snippet
<% if (request.isUserInRole("Employees")) { %>
<c:choose> <c:when test="${page == currentPage}">
<li class="selected">
<a href='<c:out value="${pageContext.request.contextPath}"/>/portal/<c:out value="${page.name}"/>'><c:out value="${page.name}"/></a>
</li>
</c:when> ….
5
developerWorks
© 2007 IBM Corporation
Software as a Service
We specify J2EE standard role-based permissions in the Pluto Portal driver deployment
descriptor. In our example here on the left, we can see that the URLs that begin with
/Portal/Employee Portal, can be accessed only by the Employee role.
At runtime we used the J2EE API method IsUserInRole() to show role specific
navigation tabs. For example, we only show the Customer portal tab to users in the
Customer role.
IBM Software Group
Technical Challenge for:
Tenant specific customizations with configuration at the UI and data tiers
2. How do you allow different looks for each tenant,
without requiring custom coding?
In Apache Geronimo/WAS CE:
Use different virtual hosts for different tenants
In Apache Pluto:
Use different style-sheets/skins for different tenants
6
developerWorks
© 2007 IBM Corporation
Software as a Service
Our next challenge addressed is how did we provide different looks for 1st bank and Web
bank without requiring custom coding?
We achieved this by using virtual hosts in WAS CE and with themes, style sheets and
skins in Apache Pluto.
IBM Software Group
Portal definition with tenant specific themes
Bank1’s theme
WEB-INF/pluto-portal-driver-config.xml
7
© 2007 IBM Corporation
developerWorks
Software as a Service
Here we can see the Pluto-portal-driver-config.xml file in the upper left with
the Customer portal page and 3 portlets for 1st Bank.
Note the theme specification for these portlets in the file Pluto-bank1-theme.jsp.
IBM Software Group
Portal Look and Feel Definition for each tenant
Navigation.jsp
Defines the portal navigation
WEB-INF/themes/pluto-bank1-theme.jsp
Portlet-skin.jsp
Controls the look and feel through
inclusion of style sheets, navigation files
and skin files
Defines the layout
of each portlet: its title and
the min/max controls
Bank1.css
Define the styles used in the
portlets as well as the styles
used by the theme to define
different parts of the portal
page
Font Definition
8
developerWorks
© 2007 IBM Corporation
Software as a Service
The theme file Pluto-bank1-theme.jsp controls the look and feel through the inclusion of
style sheets, navigation files and skin files.
The skin file defines the layout, title color and controls for each portlet.
The style sheet defines the styles in the portlets and portal pages.
And the navigation file defines the portal navigation, for example top tabs or left hand
links.
With these configuration elements it is possible to provide customized look and feel for
different tenant banks hosted on a single instance of WAS-CE.
IBM Software Group
Technical Challenge for:
Shared web services and database schema
3. How do you share web services and the database layer
between multiple tenants?
Parameterize operations in shared WSDL
interfaces with a tenant id parameter.
Add a tenant id column to shared database
tables and
Use XML columns in DB2 V9.1 to store
customized data for different tenants.
9
developerWorks
© 2007 IBM Corporation
Software as a Service
Our last technical challenge addresses how to share web services and the database layer
between 1st bank and Web bank.
In order to share the web services, we parameterize the services by including a tenant id
parameter in all operations. To share the database schema we include a tenant id column
in each table. In order to provide for flexibility in tenant data configuration, we use the
pureXML capability of DB2 Express-C.
IBM Software Group
Common Web Service Definition Language (WSDL) with
tenant id parameter
10
© 2007 IBM Corporation
developerWorks
Software as a Service
This is the WSDL interface for three of the shared web services with the tenant id
parameter called bank id.
IBM Software Group
Tenant specific database customization using XML columns
Common tables for all tenants
SAASBNK.BANK
(BANKID
VARCHAR(10),
ACCOUNTDATA XML);
SAASBNK.CUSTOMERPROFILEDETAIL
(BANKID
VARCHAR(10),
ACCOUNTDATA XML);
SAASBNK.ACCOUNTXML
(BANKID
VARCHAR(10),
ACCOUNTDATA XML);
First Bank’s AccountData XSD:
<xsd:complexType name=“AccountData”>
<xsd:account>
<xsd:element name=“accid” nillable=“false” type=“xsd:short” />
<xsd:element name=“acctname” nillable=“false” type=“xsd:string” />
<xsd:element name=“description” nillable=“true” type=“xsd:string” />
<xsd:element name=“balance” nillable=“false” type=“xsd:decimal” />
<xsd:element name=“acctype” nillable=“false” type=“xsd:string” />
<xsd:element name=“bankid” nillable=“false” type=“xsd:string” />
<xsd:element name=“customerid” nillable=“false” type=“xsd:string” />
</xsd:account>
</xsd:complexType>
11
developerWorks
Web Bank’s AccountData XSD:
<xsd:complexType name=“AccountData”>
<xsd:account>
<xsd:element name=“accid” nillable=“false” type=“xsd:short” />
<xsd:element name=“acctname” nillable=“false” type=“xsd:string” />
<xsd:element name=“description” nillable=“true” type=“xsd:string” />
<xsd:element name=“balance” nillable=“false” type=“xsd:decimal” />
<xsd:element name=“dateOpened” nillable=“false” type=‘xsd:date”/>
<xsd:element name=“acctype” nillable=“false” type=“xsd:string” />
<xsd:element name=“bankid” nillable=“false” type=“xsd:string” />
<xsd:element name=“customerid” nillable=“false” type=“xsd:string” />
</xsd:account>
</xsd:complexType>
© 2007 IBM Corporation
Software as a Service
Here you can see a bankid column in each of the shared database tables.
For ease of configurability and flexibility in accessing the data, we store the tenantspecific data in a single XML column which is stored in a hierarchical structure rather
than as a large object. The xml column can contain multiple XSDs, allowing for each
tenant to store their data in a different format.
In our example we see that Web Bank stores a ‘date opened’ element in their account
data xml column while 1st Bank does not.
IBM Software Group
Value for YOU
1.
Simplified install, and support for more tenants using less hardware
due to:
Shared middleware instance
Lower middleware footprint
2.
Shared management of SaaS applications for all tenants
3.
Lower up-front and operational costs due to:
1.
2.
3.
Free open-source middleware
Capability to run on commodity hardware
Little or no code changes for tenant specific customizations
4.
Open standards based, portable and vendor neutral application code
5.
Option of migrating to enterprise-level IBM middleware (e.g.
WebSphere Portal Server) for greater scalability in number of
concurrent requests
For more technical details on our sample solution:
See the attached source code and deployment instructions in the demo launch page
Additional information on WAS CE and DB2 Express-C: http://ibm.com/developerworks/kickstart
1
developerWorks
© 2007 IBM Corporation
Software as a Service
Implementing a SaaS solution using WAS-CE, DB2 Express-C, openLDAP and the
technical implementation guidelines outlined in this demo provides a number advantages:
First, you’ll simplify your install and support more tenants using less hardware due to the
shared middleware instance and small footprint of that middleware.
Because the middleware is shared, you’re able to share the management of your
application and infrastructure, further reducing cost and complexity.
The middleware we’ve talked about today is free, and is designed to run on commodity
hardware. This results in lower up-front and operational costs. Our architecture also
requires little or no code changes to support tenant-specific customizations.
All of the middleware we used is based on open standards and is portable between
operating system platforms.
While you are free to use WAS CE and DB2 Express-c without a license fee, support for
these products is available from IBM.
And finally, when greater scalability and availability is required, you have the option of
migrating your solution to IBM’s enterprise-level middleware.
For more technical details on our sample solution you can download the source code and
deployment instructions from the demo launch page. Further information on WAS CE
and DB2 Express-C is available from the developerWorks Kickstart site at
http://ibm.com/developerworks/kickstart.
IBM Software Group
Ready to Go Further With IBM?
Learn
more.
Deploy
faster.
Market your
SaaS Solution
Join the SaaS Community
Register for PartnerWorld
http://www.ibm.com/partnerworld/join
Select Software as a Service as an interest area
Network with other SaaS business partners at SaaSpace.com
Visit the Virtual Innovation Center (VIC)
Take the SaaS Education Courses
Fill out the VIC Project Profile for a no-charge technical assessment and custom
enablement road-map
Qualify for the SaaS Specialty
Receive additional marketing resources and benefits
www.ibm.com/partnerworld/saas
developerWorks
© 2007 IBM Corporation
Software as a Service
IBM has innovative resources and programs to help you manage change & become
relevant in the Software as a Service market. Whether you’re an ISV, System Integrator
or Reseller, we can provide education, support and benefits to help you grow revenue and
differentiate yourself.
The first step will be to join the SaaS community. You will automatically be kept aware
of new SaaS technical benefits and workshops and get the enablement help that you need
to transform your application for delivery in the IBM Software as a Service model.
Then, as a member of IBM SaaS community, you can register at the Virtual Innovation
Center (VIC) where you will get personalized access to product support and education to
help build your Software as a Service knowledge and skills.
As an Advanced level member of PartnerWorld, you have the opportunity to gain access
to additional marketing and sales support by qualifying for the Software as a Service
(SaaS) specialty.
For more information, Visit our main site at www.ibm.com/partnerworld/saas.