Transcript
Slide: Building web delivered SaaS applications on open-source and entry-level IBM middleware
IBM Software Group, IBM Developer Skills, developerWorks. © 2007 IBM Corporation

Welcome to the IBM Software-as-a-Service demonstration series. In this series, we will demonstrate a set of architectural patterns exploiting features in open source and entry-level IBM middleware to build cost-effective software-as-a-service solutions. We will show you how to share a single instance of the middleware between multiple tenants with different look-and-feels and access control.

Slide: Demo highlights
PoC SaaS banking application built using entry-level IBM and open source middleware based on J2EE standards:
- WebSphere Application Server, Community Edition: based on the Apache Geronimo J2EE application server; includes Apache Pluto for portlets, Tomcat for servlets, Axis for web services
- DB2 Express-C with pureXML
- OpenLDAP
Illustrating SaaS technical requirements: multi-tenancy on single-instance middleware with:
1. Tenant-specific access control
2. Tenant-specific customizations with configuration at the user interface and data tiers
3. Shared web services and database schema

In this demo we will show a proof-of-concept multi-tenant SaaS banking application built using WebSphere Application Server, Community Edition (also referred to as WAS CE), DB2 Express-C and OpenLDAP. WAS CE is a free, lightweight application server built on open source Apache Geronimo technology and based on the J2EE standard. DB2 Express-C is a version of DB2 that is free to build, deploy and redistribute. OpenLDAP is a free, open source implementation of the Lightweight Directory Access Protocol (LDAP), commonly used for accessing user information from a registry.
We will demonstrate how various features in these middleware products can be used to support tenant-specific access control, tenant-specific customizations at the user interface and data tiers, and shared web services and database schema.

<<Live Demo>>

This is our SaaS banking application running on a single instance of WAS CE and DB2 Express-C. It hosts two tenant banks: 1st Bank N.A. and Web Bank. First we show 1st Bank's customer Rob, user id b1u1, logging in to his portal. After logging in, Rob can see the Customer Portal tab. In the Customer Portal he sees portlets specific to customers: Customer Accounts, Loan Applications and Loan Requests. Note the look-and-feel elements specific to 1st Bank: the violet colored theme.

In contrast, this is the portal for Web Bank. Here we show Rob trying to log in to Web Bank's portal by mistake. Note that he is unable to log in because he is not a Web Bank customer. In contrast, Mary, who is a valid Web Bank customer, is able to log in using user id b2u1. Note that the look-and-feel elements are specific to Web Bank: the blue colored theme. Take a look at the portlets that are available to Mary; these are customer-specific portlets.

Now we see Alice, who is a valid Web Bank employee, log in to Web Bank as user b2e1. She sees the Employee Portal tab. Her employee portal contains two portlets, Manage Interest Rates and Manage Bank Customers, which are specific to bank employees rather than bank customers. Next we review the technical challenges for implementing this scenario.

Slide: Technical challenge for tenant-specific access control
1. How do you prevent the user population of one tenant from accessing the portal of another tenant?
In a shared OpenLDAP instance:
- Use different databases for different tenants
In a shared WebSphere CE instance:
- Use different virtual hosts for different tenants
- Use different security realms, mapped to their own OpenLDAP databases, for different virtual hosts
- Use J2EE role-based security for different banking roles

How did we prevent Rob, who is a customer of 1st Bank, from accessing the Web Bank portal? We achieved this by exploiting various capabilities of OpenLDAP and WAS CE, including using different virtual hosts, security realms and OpenLDAP databases for each tenant, and J2EE role-based security for the different roles in each tenant. Let's take a look at the major steps.

Slide: Multi-tenant access control configuration using WAS CE and OpenLDAP
1. Virtual host definition in /opt/IBM/WebSphere/AppServerCommunityEdition/var/config/config.xml:

    <gbean gbeanInfo="org.apache.geronimo.tomcat.HostGBean"
           name="org.apache.geronimo.configs/tomcat/1.2/car?ServiceModule=org.apache.geronimo.configs/tomcat/1.2/car,j2eeType=Host,name=TomcatVirtualHost_1">
      <attribute name="className">org.apache.catalina.core.StandardHost</attribute>
      <attribute name="initParams">name=bank1.com appBase= workDir=work</attribute>
    </gbean>

2. OpenLDAP configuration
3. Security realm definition
4. Geronimo deployment descriptor

In step 1, we defined two virtual hosts, for bank1 and bank2, in the WAS CE configuration file config.xml. In step 2, we define two OpenLDAP databases in the OpenLDAP configuration file slapd.conf. In step 3, we define two security realms for bank1 and bank2 using the WAS CE admin console.
In step 4, we specify the virtual host and security realm for each tenant bank in the Geronimo deployment descriptor in the application EAR file, geronimo-web.xml. The relationship between the configuration parameters is shown by the red and green lines in the chart.

Slide: Role-based access control configuration in WAS CE
J2EE declarative permissions in the Pluto portal driver J2EE deployment descriptor, e.g. see these snippets from WEB-INF/pluto-portal-driver-services-config.xml:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>employees-only</web-resource-name>
        <url-pattern>/portal/Employee Portal</url-pattern>
        <url-pattern>/portal/Employee Portal/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>Employees</role-name>
      </auth-constraint>
    </security-constraint>

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>customers-only</web-resource-name>
        <url-pattern>/portal/Customer Portal</url-pattern>
        <url-pattern>/portal/Customer Portal/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>Customers</role-name>
      </auth-constraint>
    </security-constraint>

J2EE API isUserInRole() invocations in Pluto's theme file navigation.jsp determine the role-appropriate portal page for the user, e.g. see this snippet:

    <% if (request.isUserInRole("Employees")) { %>
      <c:choose>
        <c:when test="${page == currentPage}">
          <li class="selected">
            <a href='<c:out value="${pageContext.request.contextPath}"/>/portal/<c:out value="${page.name}"/>'><c:out value="${page.name}"/></a>
          </li>
        </c:when>
        ....

We specify J2EE standard role-based permissions in the Pluto portal driver deployment descriptor.
In our example here on the left, we can see that URLs that begin with /portal/Employee Portal can be accessed only by the Employee role. At runtime we used the J2EE API method isUserInRole() to show role-specific navigation tabs. For example, we only show the Customer Portal tab to users in the Customer role.

Slide: Technical challenge for tenant-specific customizations with configuration at the UI and data tiers
2. How do you allow different looks for each tenant, without requiring custom coding?
- In Apache Geronimo/WAS CE: use different virtual hosts for different tenants
- In Apache Pluto: use different style sheets/skins for different tenants

Our next challenge is how we provided different looks for 1st Bank and Web Bank without requiring custom coding. We achieved this by using virtual hosts in WAS CE together with themes, style sheets and skins in Apache Pluto.

Slide: Portal definition with tenant-specific themes
Bank1's theme: WEB-INF/pluto-portal-driver-config.xml

Here we can see the pluto-portal-driver-config.xml file in the upper left with the Customer Portal page and three portlets for 1st Bank. Note the theme specification for these portlets in the file pluto-bank1-theme.jsp.
Slide: Portal look-and-feel definition for each tenant
- WEB-INF/themes/pluto-bank1-theme.jsp: controls the look and feel through inclusion of style sheets, navigation files and skin files
- Navigation.jsp: defines the portal navigation
- Portlet-skin.jsp: defines the layout of each portlet, its title and the min/max controls
- Bank1.css: defines the styles used in the portlets as well as the styles used by the theme to define different parts of the portal page; font definition

The theme file pluto-bank1-theme.jsp controls the look and feel through the inclusion of style sheets, navigation files and skin files. The skin file defines the layout, title color and controls for each portlet. The style sheet defines the styles in the portlets and portal pages. And the navigation file defines the portal navigation, for example top tabs or left-hand links. With these configuration elements it is possible to provide a customized look and feel for different tenant banks hosted on a single instance of WAS CE.

Slide: Technical challenge for shared web services and database schema
3. How do you share web services and the database layer between multiple tenants?
- Parameterize operations in shared WSDL interfaces with a tenant id parameter.
- Add a tenant id column to shared database tables, and use XML columns in DB2 V9.1 to store customized data for different tenants.

Our last technical challenge addresses how to share web services and the database layer between 1st Bank and Web Bank. In order to share the web services, we parameterize the services by including a tenant id parameter in all operations. To share the database schema we include a tenant id column in each table. In order to provide flexibility in tenant data configuration, we use the pureXML capability of DB2 Express-C.
Slide: Common Web Service Definition Language (WSDL) with tenant id parameter

This is the WSDL interface for three of the shared web services, with the tenant id parameter called bank id.

Slide: Tenant-specific database customization using XML columns
Common tables for all tenants:

    SAASBNK.BANK (BANKID VARCHAR(10), ACCOUNTDATA XML);
    SAASBNK.CUSTOMERPROFILEDETAIL (BANKID VARCHAR(10), ACCOUNTDATA XML);
    SAASBNK.ACCOUNTXML (BANKID VARCHAR(10), ACCOUNTDATA XML);

First Bank's AccountData XSD:

    <xsd:complexType name="AccountData">
      <xsd:sequence>
        <xsd:element name="accid" nillable="false" type="xsd:short" />
        <xsd:element name="acctname" nillable="false" type="xsd:string" />
        <xsd:element name="description" nillable="true" type="xsd:string" />
        <xsd:element name="balance" nillable="false" type="xsd:decimal" />
        <xsd:element name="acctype" nillable="false" type="xsd:string" />
        <xsd:element name="bankid" nillable="false" type="xsd:string" />
        <xsd:element name="customerid" nillable="false" type="xsd:string" />
      </xsd:sequence>
    </xsd:complexType>

Web Bank's AccountData XSD:

    <xsd:complexType name="AccountData">
      <xsd:sequence>
        <xsd:element name="accid" nillable="false" type="xsd:short" />
        <xsd:element name="acctname" nillable="false" type="xsd:string" />
        <xsd:element name="description" nillable="true" type="xsd:string" />
        <xsd:element name="balance" nillable="false" type="xsd:decimal" />
        <xsd:element name="dateOpened" nillable="false" type="xsd:date" />
        <xsd:element name="acctype" nillable="false" type="xsd:string" />
        <xsd:element name="bankid" nillable="false" type="xsd:string" />
        <xsd:element name="customerid" nillable="false" type="xsd:string" />
      </xsd:sequence>
    </xsd:complexType>

Here you can see a bankid column in each of the shared database tables.
For ease of configurability and flexibility in accessing the data, we store the tenant-specific data in a single XML column, which is stored in a hierarchical structure rather than as a large object. The XML column can hold documents conforming to multiple XSDs, allowing each tenant to store its data in a different format. In our example we see that Web Bank stores a dateOpened element in its account data XML column while 1st Bank does not.

Slide: Value for you
1. Simplified install, and support for more tenants using less hardware, due to:
   - Shared middleware instance
   - Lower middleware footprint
2. Shared management of SaaS applications for all tenants
3. Lower up-front and operational costs due to:
   1. Free open-source middleware
   2. Capability to run on commodity hardware
   3. Little or no code changes for tenant-specific customizations
4. Open-standards based, portable and vendor-neutral application code
5. Option of migrating to enterprise-level IBM middleware (e.g. WebSphere Portal Server) for greater scalability in number of concurrent requests
For more technical details on our sample solution, see the attached source code and deployment instructions in the demo launch page. Additional information on WAS CE and DB2 Express-C: http://ibm.com/developerworks/kickstart

Implementing a SaaS solution using WAS CE, DB2 Express-C, OpenLDAP and the technical implementation guidelines outlined in this demo provides a number of advantages. First, you'll simplify your install and support more tenants using less hardware, due to the shared middleware instance and the small footprint of that middleware. Because the middleware is shared, you're able to share the management of your application and infrastructure, further reducing cost and complexity. The middleware we've talked about today is free and is designed to run on commodity hardware. This results in lower up-front and operational costs.
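Looking back at the two patterns the demo combines, per-tenant realms selected by virtual host and a shared schema with a bank id parameter on every operation plus a BANKID column beside a per-tenant XML column, here is an added example that is not part of the IBM demo's source code. It uses Python with SQLite and ElementTree as stand-ins for WAS CE, OpenLDAP and DB2 pureXML; the host names, user ids and account documents are constructed from the demo's narration. The point it adds is that the bank id parameter has to be checked against the tenant the caller authenticated to, since the shared tables hold every tenant's rows.

```python
"""Added example (not from the IBM demo's source): a shared-schema data tier keyed by
BANKID, where the tenant comes from the authenticated realm, not the bank id parameter."""
import sqlite3
import xml.etree.ElementTree as ET

# Constructed stand-in for the two per-tenant OpenLDAP databases, selected by virtual
# host (bank1.com / bank2.com as in the demo). Passwords omitted; realm membership is the point.
REALMS = {
    "bank1.com": {"bankid": "BANK1", "users": {"b1u1": {"Customers"}}},
    "bank2.com": {"bankid": "BANK2", "users": {"b2u1": {"Customers"}, "b2e1": {"Employees"}}},
}

class TenantMismatch(PermissionError):
    pass

def authenticate(host, uid):
    """Return the principal (uid, bankid, roles) or None. A user id is looked up only
    in the realm of the virtual host it was presented to, so b1u1 fails at bank2.com."""
    realm = REALMS.get(host)
    if realm is None or uid not in realm["users"]:
        return None
    return {"uid": uid, "bankid": realm["bankid"], "roles": realm["users"][uid]}

def build_db():
    """Shared table in the shape of SAASBNK.ACCOUNTXML: a BANKID column plus an XML
    column whose document differs per tenant (Web Bank adds dateOpened)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ACCOUNTXML (BANKID TEXT NOT NULL, ACCOUNTDATA TEXT NOT NULL)")
    db.executemany("INSERT INTO ACCOUNTXML VALUES (?, ?)", [
        ("BANK1", "<account><accid>1</accid><acctname>Rob</acctname><balance>100.00</balance></account>"),
        ("BANK2", "<account><accid>7</accid><acctname>Mary</acctname><balance>250.50</balance>"
                  "<dateOpened>2007-01-15</dateOpened></account>"),
    ])
    return db

def list_accounts(db, principal, requested_bankid):
    """Shared-service operation carrying the bank id parameter. The parameter is checked
    against the caller's realm, and the query is bound to the principal's BANKID."""
    if requested_bankid != principal["bankid"]:
        raise TenantMismatch(f"{principal['uid']} is not a {requested_bankid} user")
    rows = db.execute("SELECT ACCOUNTDATA FROM ACCOUNTXML WHERE BANKID = ?",
                      (principal["bankid"],))
    out = []
    for (xml_doc,) in rows:
        acct = ET.fromstring(xml_doc)
        out.append({"accid": int(acct.findtext("accid")), "acctname": acct.findtext("acctname"),
                    "balance": acct.findtext("balance"),
                    "dateOpened": acct.findtext("dateOpened")})  # None for 1st Bank
    return out
```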
Our architecture also requires little or no code changes to support tenant-specific customizations. All of the middleware we used is based on open standards and is portable between operating system platforms. While you are free to use WAS CE and DB2 Express-C without a license fee, support for these products is available from IBM. And finally, when greater scalability and availability are required, you have the option of migrating your solution to IBM's enterprise-level middleware. For more technical details on our sample solution you can download the source code and deployment instructions from the demo launch page. Further information on WAS CE and DB2 Express-C is available from the developerWorks Kickstart site at http://ibm.com/developerworks/kickstart.

Slide: Ready to go further with IBM? Learn more. Deploy faster. Market your SaaS solution
- Join the SaaS community: register for PartnerWorld at http://www.ibm.com/partnerworld/join and select Software as a Service as an interest area; network with other SaaS business partners at SaaSpace.com
- Visit the Virtual Innovation Center (VIC): take the SaaS education courses; fill out the VIC project profile for a no-charge technical assessment and custom enablement road-map
- Qualify for the SaaS Specialty: receive additional marketing resources and benefits
www.ibm.com/partnerworld/saas

IBM has innovative resources and programs to help you manage change and become relevant in the Software as a Service market. Whether you're an ISV, system integrator or reseller, we can provide education, support and benefits to help you grow revenue and differentiate yourself. The first step will be to join the SaaS community. You will automatically be kept aware of new SaaS technical benefits and workshops and get the enablement help that you need to transform your application for delivery in the IBM Software as a Service model.

Then, as a member of the IBM SaaS community, you can register at the Virtual Innovation Center (VIC), where you will get personalized access to product support and education to help build your Software as a Service knowledge and skills. As an Advanced level member of PartnerWorld, you have the opportunity to gain access to additional marketing and sales support by qualifying for the Software as a Service (SaaS) specialty. For more information, visit our main site at www.ibm.com/partnerworld/saas.