Configuring Your Application Server to Work with Process Server Security Roles

Setting up secure access to Process Server includes the following steps:
Mapping Roles to Users and Groups
Each application server has a different set of steps for configuring security for deployed applications. You must familiarize yourself with your application server environment to understand how to configure the security methods you need. However, here are some general guidelines and links to documentation.
Application Server
Setup Guidelines
Tomcat
Add a realm to server.xml, connecting to an existing "database" of usernames, passwords, and user roles.
See examples below.
For an LDAP-based database, add the Process Server security roles to your database and map them to groups.
Refer to Realm Configuration HOW-TO at the following URL (Tomcat 6.0):
http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html
JBoss
Refer to https://docs.jboss.org/author/display/AS71/Admin+Guide
Add a security domain and login module to your chosen configuration file. The security domain must be named the same as what was selected in the Process Server config-deploy utility. If the name was not changed in the utility, it defaults to "ActiveVOS". Add roles to one of the following: a set of user/role files, LDAP-based database, or JDBC-based database.
WebLogic
Log in to the WebLogic console and set up the LDAP provider, if you have not already done so: navigate to Security Realms, open the default realm, select Providers > Authentication > Default Authenticator and change the Control Flag from REQUIRED to OPTIONAL, then add and configure your LDAP provider.
For details, see Configuring Authentication Providers at http://download.oracle.com/docs/cd/E13222_01/wls/docs103/secmanage/atn.html
In your security realm, navigate to Roles and Policies. Expand Global Roles, select Roles, and enter the Process Server security roles.
For details, see Users, Groups, and Security Roles at http://download.oracle.com/docs/cd/E12840_01/wls/docs103/secwlres/secroles.html
WebSphere
Log in to the WebSphere console and follow links similar to this example:
Applications > Application types > WebSphere enterprise applications > Process Server
Look for the Security role to user/group mapping group. Map the existing Process Server security roles to groups.
Note: You must ensure that WebSphere application security is set up correctly. On the WebSphere Console navigation area, select Security > Secure administration, applications, and infrastructure. Then select the checkbox next to Enable Application Security and select Apply.
Tomcat Examples
tomcat\conf\server.xml (file-based configuration)
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase"/>

tomcat\conf\tomcat-users.xml file:
<role rolename="abTaskClient"/>
<role rolename="abServiceConsumer"/>
<role rolename="abAdmin"/>
<user username="admin" password="admin"
      roles="abAdmin, abTaskClient, abServiceConsumer"/>
tomcat\conf\server.xml (LDAP-based configuration)
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionName="uid=ldapadmin,ou=system"
       connectionPassword="password"
       connectionURL="ldap://<LDAP_Server_name>:<Port>"
       userSubtree="true"
       userBase="ou=users,o=xyzuser"
       userSearch="(uid={0})"
       roleSubtree="true"
       roleBase="ou=groups,o=xyzrole"
       roleName="cn"
       roleSearch="(uniqueMember={0})"
/>
JBoss Examples
Note: The following two examples are specific to JBoss 7.1.1; other versions require different configurations. They are only meant to indicate how you might configure JBoss; what you actually declare will almost certainly be different. For all JBoss versions, you must review the JBoss documentation.
[Path]\configuration\[file.xml] (file-based configuration)
The file name is specific to your installation; only the “configuration” directory is common to all of them. Here is an example: C:\servers\jboss-as-7.1.1.Final\standalone\configuration\standalone-full.xml
<security-domain name="ActiveVOS" >
  <authentication>
    <login-module code="RealmUsersRoles" flag="required">
      <module-option name="usersProperties"
             value="${jboss.server.config.dir}/application-users.properties"/>
      <module-option name="rolesProperties"
             value="${jboss.server.config.dir}/application-roles.properties"/>
      <module-option name="realm" value="ApplicationRealm"/>
      <module-option name="unauthenticatedIdentity" value="anonymous"/>
    </login-module>
  </authentication>
</security-domain>

${jboss.server.config.dir}/application-roles.properties
admin=abTaskClient,abAdmin,abServiceConsumer

${jboss.server.config.dir}/application-users.properties
# Entry written by the add-user script; the stored value is HEX(MD5("admin:ApplicationRealm:<password>")), not the clear-text password.
admin=<digest written by add-user for the admin password>
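The RealmUsersRoles login module above does not compare clear-text passwords: application-users.properties holds, per the format documented in that file's header comment, HEX(MD5(username ':' realm ':' password)), which is what the add-user script writes. The following is an added example, not part of the original page or of JBoss, that computes that digest for the page's "admin" user in realm "ApplicationRealm", parses a constructed copy of the properties file, and verifies a password against it the way the module does.

```python
"""Compute and verify the digest stored in JBoss AS 7.1 application-users.properties.

Added example, not from the page or from JBoss. Assumes the documented format
    username=HEX(MD5(username ':' realm ':' password))
The user "admin", password "admin" and realm "ApplicationRealm" come from the
page's example; the properties-file text below is constructed inline.
"""
import hashlib
import hmac

REALM = "ApplicationRealm"


def realm_digest(username: str, realm: str, password: str) -> str:
    """Return the lowercase hex MD5 of 'username:realm:password'."""
    material = f"{username}:{realm}:{password}".encode("utf-8")
    return hashlib.md5(material).hexdigest()


def properties_line(username: str, realm: str, password: str) -> str:
    """Return the line the add-user script appends for this user."""
    return f"{username}={realm_digest(username, realm, password)}"


def parse_users_properties(text: str) -> dict:
    """Parse 'username=digest' lines, skipping blank lines and '#' comments."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, digest = line.partition("=")
        users[name.strip()] = digest.strip()
    return users


def verify(users: dict, username: str, realm: str, password: str) -> bool:
    """Recompute the digest for the offered password and compare in constant time."""
    stored = users.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, realm_digest(username, realm, password))


# Constructed sample: application-users.properties after add-user has been run
# for user "admin" with password "admin".
SAMPLE_USERS_PROPERTIES = "\n".join([
    "# username=HEX(MD5(username ':' realm ':' password))",
    properties_line("admin", REALM, "admin"),
])

if __name__ == "__main__":
    users = parse_users_properties(SAMPLE_USERS_PROPERTIES)
    print(properties_line("admin", REALM, "admin"))
    print(verify(users, "admin", REALM, "admin"))   # True
    print(verify(users, "admin", REALM, "Admin"))   # False
```

Because the realm name is part of the digest, a file generated for ApplicationRealm only works with a login module whose realm option is set to the same name; changing the realm in the security domain requires re-running add-user.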
[Path]\configuration\[file.xml] (LDAP-based configuration)
The file name is specific to your installation; only the “configuration” directory is common to all of them. Here is an example: C:\servers\jboss-as-7.1.1.Final\standalone\configuration\standalone-full.xml.
<security-domain name="ActiveVOS">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule"
            flag="optional">
      <module-option name="java.naming.provider.url"
            value="ldap://myserver:3268"/>
      <module-option name="bindDN"
            value="CN=admin,CN=Users,DC=myDomain,DC=myCompany,DC=local"/>
      <module-option name="bindCredential" value="admin"/>
      <module-option name="baseCtxDN"
            value="DC=myDomain,DC=myCompany,DC=local"/>
      <module-option name="baseFilter"
            value="(sAMAccountName={0})"/>
      <module-option name="rolesCtxDN"
            value="DC=myDomain,DC=myCompany,DC=local"/>
      <module-option name="roleFilter" value="(member={1})"/>
      <module-option name="roleAttributeID" value="memberOf"/>
      <module-option name="roleAttributeIsDN" value="true"/>
      <module-option name="roleNameAttributeID" value="cn"/>
      <module-option name="roleRecursion" value="2"/>
      <module-option name="searchScope" value="SUBTREE_SCOPE"/>
      <module-option name="allowEmptyPasswords" value="true"/>
      <module-option name="java.naming.referral"  value="follow"/>
      <module-option name="unauthenticatedIdentity" value="aeadmin"/>
    </login-module>
  </authentication>
</security-domain>
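Two of the options in the LDAP example above deserve a second look before they reach production: allowEmptyPasswords="true" forwards an empty password to the directory, which many LDAP servers treat as a successful anonymous bind, and unauthenticatedIdentity assigns a principal to callers that present no credentials at all. The clear-text bindCredential can be moved into the AS 7.1 password vault (a ${VAULT::block::attribute::key} expression), and a plain ldap:// URL sends bind and user passwords over the network unencrypted. The following is an added example, not part of the original page or of JBoss, that parses a security domain from standalone*.xml with the standard library and reports those four settings; the sample XML is constructed from the page's LDAP example.

```python
"""Audit JBoss AS 7.1 security-domain login-module options for weak settings.

Added example, not from the page or from JBoss. The option names checked
(allowEmptyPasswords, unauthenticatedIdentity, bindCredential,
java.naming.provider.url) are real LdapExtLoginModule options; the
${VAULT::...} form is the AS 7.1 password-vault expression syntax.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the page's LDAP security domain inside the subsystem wrapper.
SAMPLE_CONFIG = """<subsystem>
  <security-domains>
    <security-domain name="ActiveVOS">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="optional">
          <module-option name="java.naming.provider.url" value="ldap://myserver:3268"/>
          <module-option name="bindDN" value="CN=admin,CN=Users,DC=myDomain,DC=myCompany,DC=local"/>
          <module-option name="bindCredential" value="admin"/>
          <module-option name="baseCtxDN" value="DC=myDomain,DC=myCompany,DC=local"/>
          <module-option name="baseFilter" value="(sAMAccountName={0})"/>
          <module-option name="allowEmptyPasswords" value="true"/>
          <module-option name="unauthenticatedIdentity" value="aeadmin"/>
        </login-module>
      </authentication>
    </security-domain>
  </security-domains>
</subsystem>"""


def _local(tag):
    """Strip a namespace ({urn:...}name -> name) so a real standalone.xml parses the same way."""
    return tag.rsplit("}", 1)[-1]


def audit_security_domains(xml_text):
    """Return a list of (domain name, login-module code, option name, finding) tuples."""
    root = ET.fromstring(xml_text)
    findings = []
    for domain in root.iter():
        if _local(domain.tag) != "security-domain":
            continue
        domain_name = domain.get("name", "?")
        for module in domain.iter():
            if _local(module.tag) != "login-module":
                continue
            code = module.get("code", "?")
            # Accept both value="..." and the text-content form seen in the file-based example.
            opts = {o.get("name"): (o.get("value") or (o.text or "").strip())
                    for o in module.iter() if _local(o.tag) == "module-option"}
            if opts.get("allowEmptyPasswords", "false").lower() == "true":
                findings.append((domain_name, code, "allowEmptyPasswords",
                                 "empty passwords are forwarded to the LDAP server; many directories accept that as an anonymous bind"))
            if "unauthenticatedIdentity" in opts:
                findings.append((domain_name, code, "unauthenticatedIdentity",
                                 f"callers presenting no credentials are given the principal '{opts['unauthenticatedIdentity']}'"))
            cred = opts.get("bindCredential")
            if cred is not None and not cred.startswith("${VAULT::"):
                findings.append((domain_name, code, "bindCredential",
                                 "directory bind password stored in clear text; move it into the password vault"))
            if opts.get("java.naming.provider.url", "").startswith("ldap://"):
                findings.append((domain_name, code, "java.naming.provider.url",
                                 "plain ldap:// URL; bind and user passwords cross the network unencrypted unless StartTLS is negotiated"))
    return findings


if __name__ == "__main__":
    for domain, code, option, finding in audit_security_domains(SAMPLE_CONFIG):
        print(f"[{domain}] {code}: {option}: {finding}")
```

Run against the page's example the checker reports all four options; a domain that uses an ldaps:// URL, a vaulted bindCredential and neither allowEmptyPasswords nor unauthenticatedIdentity produces no findings.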
Process Developer Orchestration File Resources
As you develop orchestration projects, you accumulate many types of files, including BPEL, WSDL, XSD, HTML, XML, and others. In addition to these, Process Developer generates some project files that are hidden by default. The following is a list of resources that Process Developer can add to your project. Based on the descriptions of these files, you can decide if you want to add them to your source control repository.
Process Developer Resource
Description
.image
When you save a process, a screenshot of your process is automatically saved as multiple images in a folder named .image. When you deploy, Process Console uses these images to display the Detail Graph View of the process. Without this information, a default process graph is displayed that may not match the look of your process. We recommend that you preserve the .image folder and all files in it.
.archive_settings.properties
In the BPR Export wizard, you can make selections for the Web Service URL and other settings. These settings are stored in .archive_settings.properties. During subsequent uses of the BPR Export wizard in a project, Process Developer uses the information in this file.
merge_mappings.xml
(Human Tasks) When you create a task form for a People activity, you can map task input data to output data fields so that a consolidated list of fields is displayed in the form for the input and output fields that could be merged. The input-output mapping is stored in this XML file. Typically a mapping is created only through a one-time use; however, we recommend you preserve this file with your project.
.BPR, .BPRD, .project, .classpath
Business process archive files (BPRs) can be regenerated by using the Export wizard. However, if preserved, they are easily shared among team members because they are self-contained. An Ant file that you generate (.BPRD file), on the other hand, can contain a Web URL that points to a local host and port that other team members may need to modify.
The Eclipse files created, including .project and .classpath (if used), should be preserved with your project.
BPEL Standard Faults
The table below specifies the standard faults defined within the WS-BPEL specification. All these faults are named within the WS-BPEL namespace with a standard prefix bpel: corresponding to the following URI:
http://docs.oasis-open.org/wsbpel/2.0/process/executable
Fault Name
Description
ambiguousReceive
Thrown when a business process instance simultaneously enables two or more IMAs for the same partnerLink, portType, or operation but different correlation sets, and the correlations of more than one of these activities match an incoming request message.
completionConditionFailure
Thrown if, upon completion of a directly enclosed <scope> activity within a <forEach> activity, it can be determined that the completion condition can never be true.
conflictingReceive
Thrown when more than one inbound message activity is enabled simultaneously for the same partner link, port type, operation, and correlation sets.
conflictingRequest
Thrown when more than one inbound message activity is open for the same partner link, operation, and message exchange
correlationViolation
Thrown when the contents of the messages that are processed in an <invoke>, <receive>, <reply>, <onMessage>, or <onEvent> do not match specified correlation information.
invalidBranchCondition
Thrown if the integer value used in the <branches> completion condition of <forEach> is larger than the number of directly enclosed <scope> activities.
invalidExpressionValue
Thrown when an expression used within a WS-BPEL construct (except <assign>) returns an invalid value with respect to the expected XML Schema type.
invalidVariables
Thrown when an XML Schema validation (implicit or explicit) of a variable value fails
joinFailure
Thrown when the join condition of an activity evaluates to false and the value of the suppressJoinFailure attribute is yes.
mismatchedAssignmentFailure
Thrown when incompatible types or incompatible XML infoset structure are encountered in an <assign> activity.
missingReply
Thrown when an inbound message activity has executed and the process instance or scope instance reaches the end of its execution without a corresponding <reply> activity being executed.
missingRequest
Thrown when a <reply> activity cannot be associated with an open inbound message activity by matching the partner link, operation, and message exchange tuple.
scopeInitializationFailure
Thrown if there is a problem creating any of the objects defined as part of scope initialization. This fault is always caught by the parent scope of the faulted scope.
selectionFailure
Thrown when a selection operation performed either in a function such as bpel:getVariableProperty or in an assignment, encounters an error.
subLanguageExecutionFault
Thrown when the execution of an expression results in an unhandled fault either in an expression language or query language.
uninitializedPartnerRole
Thrown when an <invoke> or <assign> activity references a partner link whose partnerRole endpoint reference is not initialized.
uninitializedVariable
Thrown when there is an attempt to access the value of an uninitialized variable, or in the case of a message type variable, one of its uninitialized parts.
unsupportedReference
Thrown when a WS-BPEL implementation fails to interpret the combination of the reference-scheme attribute and the content element or just the content element alone.
xsltInvalidSource
Thrown when the transformation source provided in a bpel:doXslTransform function call was not legal.
xsltStylesheetNotFound
Thrown when the named style sheet in a bpel:doXslTransform function call was not found.