Peter Laird's Blog
Peter Laird's Homepage
Peter Laird is the Managing Architect for the WebLogic Portal engineering team at BEA. Peter currently focuses on combining enterprise portal technology with emerging ideas such as Mashups and Service Oriented Architecture.
Be Careful with SaaS License Terms of Use
Posted by plaird on June 12, 2008 at 6:12 PM | Permalink
| Comments (0)
Over on my new blog (hint, hint, move your feed over there please) I just wrote up a post based on a detailed analysis I did with the Terms of Use of 8 different SaaS solutions. What I found is that not all licenses are created equal - some come with some serious baggage. I identified the offenders and explained what I don't like about their licenses.
peterlaird.blogspot.com
Please jump on over to the blog entry on my new blog account. Be sure to subscribe to the feed (you'll find the feed URL on the blog page):
Please do not create any more inbound links to my blog on dev2dev, as this site is retiring soon.
How Oracle, IBM, SAP, Microsoft, and Intuit are Responding to the SaaS Revolution
Posted by plaird on June 5, 2008 at 10:14 AM | Permalink
| Comments (2)
WARNING: I really mean it, this blog location is retiring shortly, please update your feed reader to point to the new location: http://feeds.feedburner.com/blogspot/plaird
In my previous blog entry, I discussed the possibility of a software giant failing to adapt to the SaaS revolution. I used the history of DEC as an example of how a highly successful company could miss a major shift in the market and capsize.
This blog entry is a reference guide to what each of the major software vendors is doing in the SaaS space. I won't be sensational and predict the demise of any of these vendors. I think it's far too early to tell how the future will pan out. I can say subjectively that I am impressed with Larry Ellison's pioneering efforts in the space. I can also say that SAP is currently the media whipping boy in the space, with delays in their Business ByDesign program costing them credibility. But this revolution is far from done, so let's not waste time trying to speculate about the distant future.
This Blog Has Moved
The rest of this blog entry can be read here: http://peterlaird.blogspot.com/2008/06/how-oracle-ibm-sap-microsoft-and-intuit.html
Please also do the following:
- Update your feed reader to this: http://feeds.feedburner.com/blogspot/plaird
- Do not create any more inbound links to dev2dev, create them to point to my new blog location
- I would appreciate it if you update any inbound links you created in the past
How to Survive the SaaS Revolution: Learning from the Death of DEC
Posted by plaird on June 3, 2008 at 10:51 PM | Permalink
| Comments (0)
The story of Digital Equipment Corporation goes something like this: it rose to power in the 60's and 70's by being an industry leader in minicomputers, competing against IBM which was pushing larger mainframes. DEC was a powerhouse of innovation and grew impressively to become the number two hardware vendor. However, the 80's saw DEC struggle because it missed a fundamental shift in the industry - the rise of the personal computer. This struggle eventually led to its demise - in the 90's the company succumbed and was acquired.
Today, large software vendors are being faced with a revolution of their own - the rise of Software as a Service (SaaS). SaaS has the potential to be as disruptive to the software industry as the PC revolution was to the hardware industry in the 80's. I don't think SaaS will necessarily produce the exact same results with the software industry, but I do believe that it shows what could happen. It demonstrates that even giants can fall.
This blog entry focuses on a single article from the NYTimes in 1983 which shows an interesting snapshot of DEC in the midst of failing to adapt. This will lead to a larger lesson about what software companies need to do to avoid the same fate.
My Blog has Moved
To continue reading this blog entry, you will need to navigate to my new blog location:
Please update your RSS reader to the new location. This site (dev2dev.bea.com) will be retired soon.
Action Required: Peter Laird's Blog is Moving, Please Update your Feed URL
Posted by plaird on May 29, 2008 at 3:28 AM | Permalink
| Comments (0)
As many of you know, BEA was acquired by Oracle. The good news: I am staying on board and look forward to my new role with the Oracle team. The bad news: the BEA dev2dev blogging site will be shut down shortly. Therefore, if you want to keep up with my posts on SaaS, Cloud Computing, mashups, portals, REST APIs, Greasemonkey, and other things you will need to update your RSS Reader. Otherwise, I am afraid, our relationship will end.
Please help me by doing the following:
- Change your RSS reader to look for my feed here: http://feeds.feedburner.com/blogspot/plaird
- Do NOT create any new inbound links to dev2dev, please inbound to my blogspot account
- If you have created any inbound links to my blog in the past to dev2dev, please update to point to the new blog. I migrated all of my old entries.
Thanks! And to all the dev2dev gang past and present (Kevin Farnham, Jon Mountjoy, Adam FitzGerald) - THANK YOU. dev2dev has been a great experience.
SaaS Soup: Navigating the "as a Service" Acronyms: CaaS, DaaS, DBaaS, PaaS, SaaS, XaaS
Posted by plaird on May 29, 2008 at 3:17 AM | Permalink
Ever wonder what all the "aaS" acronyms mean? Do you want to understand how they relate to each other? This blog entry will help. I have created a map of many of the "as a Service" terms you will see in IT and have grouped them according to category. I have also provided an explanation and links for further reading for each so you can quickly come up to speed on all.
I put this together because I am working on the second edition of a visual map of the SaaS, PaaS, and Cloud Computing industries that I released last month. In order to make progress on that map, I found I needed to have a better understanding of all of the common categories in the "as a Service" market. The map in this blog entry has a different focus - instead of mapping out industry players I am mapping out industry terminology. Both maps complement each other.
Map of the "as a Service" Terms
This graphic shows the groupings of the "as a Service" terms that you may encounter in the IT industry. Click the map for a larger view.
Continue Reading this Blog Entry...on my new Blog Site
There is a lot more to read, but not all is included here. Unfortunately, this BEA blog site is about to be retired due to the BEA acquisition by Oracle. Therefore, I have moved my blog to a new location, and the full blog post is found there. Click the following link to continue:
Continued: SaaS Soup: Navigating the "as a Service" Acronyms: CaaS, DaaS, DBaaS, PaaS, SaaS, XaaS
Also, this dev2dev blog site will be retired in a short time, so please help me by doing the following:
- Change your RSS reader to look for my feed here: http://peterlaird.blogspot.com/feeds/posts/default
- Do NOT create any new inbound links to dev2dev, please inbound to my blogspot account
- If you have created any inbound links to my blog in the past to dev2dev, please update to point to the new blog. I migrated all of my old entries.
Thanks!
Twitter Microfeed Covering the SaaS/PaaS/Cloud Markets for those without a Cognitive Surplus
Posted by plaird on May 8, 2008 at 12:10 AM | Permalink
| Comments (0)
Most of you have probably seen Clay Shirky's material on the great Cognitive Surplus - the free time that everyone wastes by watching TV. Awesome stuff, but if you are trying to keep up with all the activity in the SaaS, PaaS and Cloud industries by definition you have no Cognitive Surplus. We are in information overload. Subscribing to specific feeds or Google Alerts can help isolate the signal from the noise, but sometimes even that can be challenging.
Let me propose a solution: I have created a microfeed for this space on Twitter. This blog discusses how you can subscribe to this feed and stay in touch with the news in a very lightweight way.
Twitter and the 140 Character Budget
We had email, then we added instant messaging, and now we have Twitter. What is the trend here? Brevity. Stop with the 3 page emails and get to the point. It's all about time, and we don't have enough.
For those who haven't already taken the plunge into Twitter, let me explain its single most rewarding feature. It limits each message (tweet) to 140 characters. It forces brevity on the author, and this is a very good thing. Like telegrams of the past, authors need to choose their words (actually, characters) very carefully to get their point across in those precious 140. For Twitter subscribers, this means you get messages that are short and to the point. What's not to love?
Twitter Microfeeds
Twitter began as a personal messaging platform. The message publishing box asks "What are you doing?" The intent is to keep your buddies apprised as to what you are doing throughout your day. But the Twitter community, being who they are, have found creative uses for this messaging platform.
Microfeeds (a term I prefer to Twitter Feeds) are one such use. The idea is that there is utility in getting short alerts on news throughout your day without being disruptive. This doesn't replace the full RSS scan you do when you have the time, but helps to keep you informed when you cannot spare time to do even that. Coupled with the option to receive your Twitter messages via SMS on your phone, it is also a way to stay informed even while you are out and about.
There are at least two ways to publish a Twitter microfeed:
- Using an automated service like TwitterFeed to watch an RSS/ATOM feed and pump the first 140 characters of each entry to Twitter
- Hand crafting the feed to fine tune each message
The former is the most timely and easiest, but can be very noisy if you are aggregating many feeds, and may not convey a lot of information in the message since it just grabs the title and maybe a few more characters from the entry. A handcrafted approach assures the readers that they are getting quality messages.
Introducing the SaaS/PaaS/Cloud Microfeed
That was all very abstract. What is important to know is that I have created a handcrafted microfeed for S/P/C and encourage you to try it. I plan to be very selective in posting the following types of information in the space:
- Major deals, acquisitions
- Product launches
- Call for Papers for upcoming conferences
- Notice of upcoming events, like webinars
- Insightful blog posts
For an SLA, I will attempt to stay under 20 messages per week, with a target load of 2-3 per day. But as we go along, please give me feedback as to content and quantity.
As a sample, here is the feed as it currently stands right now:
| Boothby: Joyent video collage of interviews at Web2.0Expo "what is cloud computing" . Tim O'Reilly, others. http://tinyurl.com/5ngh6d about 3 hours ago from web |
| Wainewright: Taleo acquires Vurv, joins SaaS revenue all stars SFDC, Omniture, Concur http://blogs.zdnet.com/SAAS/ 08:38 PM May 06, 2008 from web |
| IBM: Call for Papers for IBM's "Info On Demand" conference (Oct. 26-31), http://tinyurl.com/4fljg5 08:49 AM May 06, 2008 from web |
| MySQL: offering webinar May 15, "Multi-Tenant Architectures with MySQL Enterprise for SaaS Providers". Register: http://tinyurl.com/4pwk4r 08:34 AM May 06, 2008 from web |
| Craig Balding: NPR (radio) featured him and Cloud Computing for 3.5 minute segment. To listen, see: http://tinyurl.com/4amvdx 02:14 PM May 05, 2008 from web |
| Mosso: (Rackspace's cloud division) launches Storage-aaService CloudFS private beta, $0.15 per gigabyte http://tinyurl.com/48h4ql 02:06 PM May 05, 2008 from web |
| Bungee: revise 4/30 tweet - Pg/MySQL anncment is not a hosting offering, support is for connectivity only. See: http://tinyurl.com/5yfnnd 01:41 PM May 05, 2008 from web |
| Kaplan: THINKStrategies supporting SaaS industry study, call for SaaS providers with rev $10M-250M http://tinyurl.com/578c5b 01:36 PM May 05, 2008 from web |
| Willis: provides a listing of cloud solutions predating the Laird SaaSMap. "Cloud Vendors A to Z" http://tinyurl.com/67fcau 01:33 PM May 05, 2008 from web |
| Druker: financial SaaS provider Intacct raises another $15M to help battle Netsuite. Total funding so far $29M http://tinyurl.com/6qvpl3 10:08 AM May 03, 2008 from web |
| Laird,Dickson: created a visual SaaS/Cloud/PaaS industry map, showing the major focus areas and players. http://tinyurl.com/45ejjj 09:49 AM May 03, 2008 from web |
| Wainewright: MSFT to try MSOffice stream ondemand (not in cloud) with license change. See also EndeavoursTech. http://tinyurl.com/4qj9nv 09:42 AM May 03, 2008 from web |
| Wainewright: SAP disaster - delays SaaS 12-18 months after validating market. Gift to Netsuite, Twinfield, CODA. http://tinyurl.com/49rtfs 09:34 AM May 03, 2008 from web |
Subscribing to the ondemand Microfeed
The Twitter account being used for this microfeed is:
For those already on Twitter, just follow that account and be sure to enable device updates for it. For new users, follow these instructions:
- Create a Twitter account, using whatever name you like
- Skip the email search wizard
- Search for the "ondemand" user using the search box
- Click the Follow button
To subscribe your phone to get an SMS message whenever a new post appears, do the following:
- Click Settings in the upper right
- Click Devices
- Enter your phone number, and be sure to check the box to approve SMS
- Click the Home link at the top of the page.
- Click on the Following link on the right hand side of the page
- Click the on button for device updates for ondemand
Twitter Clients
There are many ways to stay on top of this Twitter microfeed. I am optimizing for readability on SMS but really any client will do.
- The traditional Twitter website user interface
- Enable device updates for the ondemand account, and you will receive SMS messages
- Twhirl - a powerful desktop client
- Facebook integration
Understanding the Cloud Computing/SaaS/PaaS markets: a Map of the Players in the Industry
Posted by plaird on May 2, 2008 at 8:31 AM | Permalink
| Comments (12)
NOTE: the dev2dev blog server is being retired. My blog entries have been migrated to a new site. Please do not create any more inbound links to this page - instead link to this same entry on the new blog site:
http://peterlaird.blogspot.com/2008/05/understanding-cloud-computingsaaspaas.html
The Cloud Computing/SaaS/PaaS space is loaded with interesting vendors, and the space is booming. If you are trying to navigate this world and need a guide, this blog entry will help. We have assembled a visual map of the industry, showing how the major players fit into the overall space. It will give you an overview of who's who, and what types of solutions are being offered.
I was greatly assisted by Kent Dickson, VP of Product Management for SaaS at BEA, in building this map. Steve Bobrowski, Director of SaaS Evangelism, also contributed comments. Thanks to both!
Defining the Markets
Before we look at the map, we need to define the major areas that we are covering. Note that in many ways these markets overlap so trying to differentiate which solution is in which is not a meaningful exercise. Needless to say, drawing out the map is a subjective effort, and not all solutions fit neatly into their assigned bucket. The purpose of the visual map is not to address subtleties, but to draw the industry in general terms.
Cloud Computing
Cloud computing refers to the virtualization of the data center, such that server machines are not thought of individually but as just a commodity in a greater collection of server machines. Cloud computing solutions in general strive to eliminate the need for an application deployer to be aware of the actual physical machines that are used to host the application. Some have called this idea “hardware as a service”. Solutions that are most closely associated with the Cloud Computing market are indicated with the icon on the map.
Software as a Service (SaaS)
An application that is delivered through the SaaS model typically is done so:
- Over the internet,
- Remotely by a third party, with little/no opportunity to bring that application in-house
- With a usage-based pricing model
Solutions that are most closely associated with the SaaS market are indicated with the icon on the map.
Platform as a Service (PaaS)
When a vendor offers a Platform as a Service, they are offering an integrated platform to build, test, and deploy custom applications. The PaaS is offered to you in a SaaS model (remote, usage-based). Dion Hinchliffe recently published a comprehensive whitepaper on this topic. The PaaS market is indicated with the icon in the map view.
Core Cloud Services
After defining the 3 markets, there remains a set of solutions that contribute to all as fundamental building blocks. In other words, these solutions address cross cutting concerns. In the map they are marked with a distinct icon to set them apart.
The Visual Map
Below is the visual map as promised. You will find a larger version hosted here. An explanation of each category and a full clickable URL list of the solutions is offered below the map. If you wish to make changes, the original mind map drawing file assets are located here. Please post comments with your thoughts, or use this map as a basis for your own vision of the industry. Please give credit back to the original source (see Creative Commons) if you do.
Defining the Solution Groupings
In the map, we grouped solutions according to the problems they aim to solve. This section details the intent of each category. Please note that for every category, there are more vendors that could be included. We are not attempting to provide a comprehensive list of every player in the industry. THINKStrategies created the SaaS Showplace if that is what you are looking for. This map only shows solutions that are both 1) available in some form today, and 2) have significant mindshare in the industry. Feedback is appreciated if you disagree with any solution that was included or excluded.
Left Side
- Cloud Providers - vendors who provide server hardware in commodity form, as a virtualized cloud
- Cloud Deployment - solutions surrounding the deployment of applications to a virtualized cloud
- Virtual Appliances - packaging and virtualization format solutions for provisioning applications into a cloud
- Topology Management - solutions focused on the coordination of many virtual appliances (app, DB, network) in the cloud to form a full deployment
- Billing, Contract Management - solutions that provide metering, billing, pricing, and contract management to help charge for use of a system
- Security - solutions focused on solving security requirements in these markets
- Data - services that deliver/retain data for applications
- Hosters 2.0 - Hosting Service Providers with SaaS focus. Perhaps a controversial grouping and impossible to define, these hosters tend to appear over and over in these markets
- Nerd Stuff - geeky topics fall into this category. MapReduce is a mechanism for solving large computing tasks, like Google Search indexing
Right Side
- On Demand Apps - the heart of the SaaS market, only a few depicted here but we could add "...and a cast of thousands". These are the end application products offered for consumption in a SaaS model
- Integration as a Service - service solutions that help in integrating multiple systems, possibly multiple SaaS systems
- Content as a Service - hosted content repositories
- BPM and Workflow - service based offerings for managing workflow and process
- Platform as a Service - incarnations of the PaaS concept
Reference Solutions List (with clickable links)
Cloud Computing, SaaS, and PaaS Industries 2008
- Cloud Providers
- On Demand Apps
- Integration as a Service
- Content as a Service
- BPM and Workflow
- Platform as a Service (PaaS)
- Cloud Deployment
- Virtual Appliances
- Topology Management
- Billing, Contract Mgmt
- Security
- Data
- Storage as a Service
- Database as a Service
- Hosters 2.0
- Nerd Stuff
Mining Twitter for the Enterprise: Survey your Customers' Candid Thoughts using a Social Web 2.0 Service
Posted by plaird on April 27, 2008 at 12:18 PM | Permalink
| Comments (5)
One BEA customer recently posted on Twitter: "hating weblogic". Another said: "F@#% you weblogic for not handling HTTP 500 errors properly." Whether you personally participate in one of the numerous internet social platforms or not, some of your customers are out there. WebLogic isn't the only brand being discussed - name the brand and there are customers voicing their opinions on these platforms.
This blog entry focuses on Twitter, and shows how you can mine Twitter for feedback on your brand using a tool called TweetScan. Because of the very informal nature of Twitter, and its low barrier to participate, it is a good channel of candid opinions on your brand. Companies like Comcast have already used TweetScan to identify and remedy customer relationship problems in a highly proactive manner. How is your brand perceived on Twitter?
What is Twitter?
Twitter is a service that allows you to publicly post messages in small doses - 140 characters or less. The basic idea is to answer the question What are you doing? but you can use those 140 characters to say whatever you want.
While blogs are a great source of public opinion, they tend to be more filtered because they require more effort to produce. Twitter lowers the barrier to post dramatically, and therefore is a better medium for capturing those minor annoyances and random thoughts we all have throughout our day. There is also less of an imperative to post something interesting - your readers only need to invest the time to read 140 characters and not paragraphs of a blog entry.
Me and Twitter
I am a reluctant poster to Twitter. Do people really care that I just ate dinner or that I am about to watch a movie? Not really, apparently, as I don't have too many followers. Granted, I haven't been at it that long, but is this time well spent?
Is participating in Twitter worth your time? I really don't know, and certainly am not an expert. But I suspect it depends on how you view Twitter specifically, or the other social platforms in general. Are you using it to get something done, improve your social life, for pure entertainment, or what. Sarah Perez talks through the issue in her blog Real People Don't Have Time for Social Media, and an e-consultancy article "Social media's inconvenient truth" expands on it.
"But there's an inconvenient truth that proponents of these sites tend to ignore - the average person just doesn't have the ability to participate fully in social media."
TweetScan - Improving the Signal to Noise Ratio for Observers
The silver lining is you don't have to participate to acquire great value from these social computing tools. Lots of people are using Twitter as a medium for publishing their unfiltered thoughts. As simply an observer, you can use these platforms to great advantage. But how?
A problem that cannot be ignored is the amount of noise on these platforms. While Twitter is a wealth of information on customers' opinions and comments, much of this is chaff - "sitting on toilet listening to lily Allen". But buried within the mountain of irrelevance are some nuggets of useful information - "Angry at BEA. Why doesn't WebLogic play nice in OSGi?". With just plain old Twitter, it's impossible to separate the crud from the gold.
TweetScan is the solution - it is a search engine built on top of Twitter to help you find the diamonds in the rough, especially when you are focused on a searchable keyword like your product brand.
Monitoring your Customer's View of your Brand
Savvy marketing and customer relationship people have started to take advantage of TweetScan to help manage their PR and to capture raw customer data. Michael Arrington's adventure with Comcast is the most famous.
Michael Arrington was having trouble with his Comcast internet account. Calls to their service center didn't provide a relief, and so he fired off some Twitter posts in anger. Being who he is, others picked up on this and triggered a fire storm of net activity. Then something wonderful happened:
"And this brings me to the point of this post. Within 20 minutes of my first Twitter message I got a call from a Comcast executive in Philadelphia who wanted to know how he could help. He said he monitors Twitter and blogs to get an understanding of what people are saying about Comcast, and so he saw the discussion break out around my messages."
As far as PR and customer relationships go, this is a fantastic show of force by Comcast. But not everyone who posts to Twitter is a famous net personality like Michael. It is fair to assume that Comcast cannot afford to provide the same level of response to the average joes out there. At least one on one. Instead, Comcast can monitor the Twitter channel and detect general patterns in service problems. Michael sums up how this can benefit Comcast (and its customers):
"Well before most people they have identified blogs, and particularly Twitter, as an excellent early warning system to flag possible brand implosions."
A few more references to using Twitter like this:
- Blip.TV - Blip.TV used TweetScan to eavesdrop on its customers and detected and resolved a service problem using this approach.
- Using Twitter as a Research Tool - Krishna De talks about using Twitter derived information for research.
WebLogic on TweetScan
The brand I care about is WebLogic. As an architect on WebLogic Portal, I am heavily invested in this brand. Up until now, the primary ways we received feedback on the product have been these channels:
- Monitoring the WebLogic newsgroups
- Customer support cases
- Direct interactions with customers
All of these have been effective, but it is interesting to see how TweetScan can provide a new channel for feedback. Here are some selected entries in the current search for "weblogic" on TweetScan, with a focus on the negative posts:
We see negative comments on the newsgroups. But these Twitter posts are far more unfiltered and more of the flavor "how do you feel about weblogic", as opposed to the newsgroups/support cases which are "what is not working for you with weblogic". Now, most Twitter posts by definition don't have nearly enough information to really understand the underlying issue. But you get a flavor of what your customers are feeling, and you can always follow up for clarification by asking the user to clarify offline.
And to be clear, this list is fairly typical of ANY brand you search on. Pick a brand, and do the search, and you find a litany of complaints and negative comments. This is normal. Check your pride at the door before searching on your brand. Twitter posts on brands usually err on the side of being flames, not praises.
SaaS Podcast Links and Notes - Key Insights into the World of SaaS, Platform as a Service (PAAS), On Demand
Posted by plaird on April 24, 2008 at 9:56 AM | Permalink
| Comments (0)
About two months ago I had 14 hours to spend alone in a car - I was meeting some friends out in Telluride and decided to drive it from my home near Boulder Colorado. Fortunately, I prepared myself. I stocked up on a collection of tech podcasts and made productive use of the time as I rolled through the beautiful mountains.
Because I am the architect for BEA's SaaS Platform (code name Genesis), a fair number of the podcasts were focused on SaaS. This blog entry recaps the key insights from some of those SaaS podcasts. Links are provided to the original audio.
SaaS at BEA
For those that know me as an architect on WebLogic Portal, this blog entry may seem odd. What does SaaS have to do with WLP, or even BEA? The answer is I took on responsibility for the BEA SaaS Platform architecture a few months back and have been hard at work defining that (and not blogging, if you notice the gap in posts). The idea at BEA is to provide a platform for building SaaS applications that includes features like metering and billing, multi-tenancy, and cloud provisioning.
If you pay attention to the space, you will notice that 2008 appears to be the year of Platform as a Service (PAAS). Perhaps I will explain what is going on with that in a future blog entry. This post is focused on podcasts. For those of you who are interested in learning about SaaS, I have provided links to podcasts that I found very helpful in understanding the business of SaaS.
The Podcasts
Here is the collection of podcasts that I would recommend.
| Podcast Title | SaaS is Mainstream |
| Podcast Participants | Jeff Kaplan (THINKStrategies), Paul Gillin |
| Podcast Series | SaaSAdvantage Series, SaaSCon |
| Podcast Link | SaaSAdvantage #1 |
Podcast Notes:
- Compliance/security issues were expected to prevent the adoption of SaaS, but are actually helping.
- SaaS vendors are savvy on compliance, and implement it as well/better than IT can.
- SaaS vendors have been certified on compliance standards such as SAS-70.
Further Reading:
| Podcast Title | Living in a SaaS World |
| Podcast Participants | Mitchell Ashley, Jeff Kaplan |
| Podcast Series | Converging on Microsoft, NetworkWorld |
| Podcast Link | SaaS Podcast |
Podcast Notes:
- SaaS and IT
- SaaS growing faster than Gartner thinks, because Gartner just interviews IT.
- A fair amount of SaaS is sponsored directly by the business, outside of IT.
- However, more SaaS solutions are now targeting IT instead of trying to work around IT
- Microsoft SaaS Strategy
- They are very cautious, so much to lose
- Microsoft Live solution is an experiment
- They can’t alienate their all important VAR sales channel
- Channel sales and Offering SaaS products
- Role of the sales channel changes
- Historically have helped to implement complexity
- SaaS removes complexity
- Channel partners must evolve into advisors, not just implementors
- Business buyers of SaaS are trying to figure out the sourcing model for apps
- Outsourcing is changing from major deals (outsourcing entire IT dept) to focused SaaS deals
- “Outtasking” more appropriate name for this
Further Reading:
| Podcast Title | What is Saas (Part II) |
| Podcast Participants | Jeff Kaplan |
| Podcast Series | WhatIs.com |
| Podcast Link | WhatIs Podcast |
Podcast Notes:
- Industry is ready for SaaS
- Cost conscious, especially now with possible recession in the US
- Outsourcing of IT functions is now a proven model
- Internet bandwidth is in place to support this (to the office, home)
- 75% of IT budget locked in maintenance, not a successful model
- TCO is proven to be lower with SaaS
- How ISVs need to adapt when selling a SaaS solution:
- Technology – must adopt web application model for delivering product
- Revenue model – subscription model requires longer time to receive revenue
- Must continually invest in the relationship – not a one time sale
- Lower switching costs mean more competitive market
Further Reading:
| Podcast Title | Lecayla Session |
| Podcast Participants | Conor Halpin, Jeff Kaplan |
| Podcast Series | Spotlight on SaaS, THINKStrategies |
| Podcast Link | Lecayla Podcast |
Podcast Notes:
- Per user pricing is the obvious, but is not a totally effective billing model
- Easy to turn into a compete-on-price model with competitors
- If the other guy charges $20 less per user, it's too easy for the customer to focus on that.
- All users are not equal, some will use the system every day, some twice a year
- Key is to bill based on added value – transactional events
- One of Lecayla’s tenants offers a hybrid model to their customers
- User based for frequent users
- Transaction based for infrequent users
- Vendors with existing perpetual license products are afraid of cannibalization
- Can avoid by pricing based on type of usage as well as transactional
- Example: BI vendors make a ton of money off of end of quarter financial roll ups
- Low transaction volume, but high value transactions and very time sensitive
- Priced out of low end markets that are high transaction volume, low value per transaction
- Can continue on-premise model for former, SaaS for the latter
- Enforce through contract
Further Reading:
| Podcast Title | Understanding SaaS Architecture |
| Podcast Participants | Gianpaolo Carraro, Fred Chong (MSFT), Paul Gillin |
| Podcast Series | SaaSAdvantage Series, SaaSCon |
| Podcast Link | SaasAdvantage Podcast #8 |
Podcast Notes:
- SaaS barrier: Loss of control
- Lack of workarounds if the software doesn’t provide what you need
- Ops and SLAs are in the hands of the SaaS vendor
- Internet connections aren’t as reliable as LAN
- SLA issues
- Outages
- Data security
- Termination terms – how to extract the data
- Compliance issues
- Response times, backups
Further Reading:
| Podcast Title | Understanding SaaS Architecture |
| Podcast Participants | Colleen Smith (Progress Software), Dana Gardner |
| Podcast Series | Briefings Direct (Interarbor) |
| Podcast Link | Progress Podcast |
Podcast Notes:
- Business Implications of SAAS Software
- Cash flow
- Down market opportunities (long tail)
- SMB opportunities
- ASP vs. SAAS
- ASP was all about hosting
- ASPs did not manage application
- No multi-tenancy with ASPs
- ASPs had no application expertise
- Why time is right for SaaS
- Cost of computing is low – web browser is the distribution
- Long tail is reachable – new Geos, adjacent markets, low end
- Computing clouds
- Business Service Providers
- Combination of SOA and SAAS
- BSP provides an end to end service
- Vertically focused
| Podcast Title | Software as a Service and IBM |
| Podcast Participants | Dave Mitchell (IBM), Scott Laningham |
| Podcast Series | IBM developerWorks |
| Podcast Link | Mitchell Podcast |
Podcast Notes:
- What is SaaS?
- SAAS is all about transfer of risk to the ISV
- SAAS implies a subscription model/pay as you go
- SAAS is served remotely, with little/no option to bring back in house
- What is ASP?
- Software is purchased up front by the customer, not a subscription
- Hosted remotely, but can be brought back in house
- Ajax/RIA is enabling more applications to become SaaS
- SaaS requires a web application
- RIA/Ajax allows more applications to become viable as web applications
WebLogic Portal: Exposing Portlets (JSR 168, WSRP, JSF, Struts, etc) as Enterprise Google Gadgets
Posted by plaird on April 23, 2008 at 4:21 AM | Permalink
| Comments (0)
Wondering how to expose Google Gadgets from WebLogic Portal? As promised, this is the second entry in a two part series talking about Google Gadgets. The first entry explained how to build a simple gadget. Now we will explore how to surface a Java portlet as a gadget using WebLogic Portal. Exposing a Google Gadget from any WLP portlet type (JSR 168, WSRP, JSP, Pageflow, JSF, Web Clip, etc) requires no coding - just a simple XML configuration file. This blog entry will show you exactly how to do it.
History of the Integration
As I mentioned in the first posting, we have been doing demos of WLP portlets as Google Gadgets for a long time - since the second half of 2006 with our WLP 9.2 release. This was all possible because of a feature introduced in that release called Portlet Publishing. Portlet Publishing allows any WLP hosted portlet to be exposed as a URL. If you understand the basics of Google Gadgets, you can hopefully see how this feature can be used to turn any portlet into a gadget simply by referencing that portlet's URL in the gadget descriptor.
Early demos used a servlet to dynamically generate the appropriate Google Gadget descriptor on the fly. We even experimented with clever hacks to enable Single Sign On between iGoogle and WLP. We worked with the Google Gadget engineering team to explore ideas in this area.
But in the end we decided not to productize the integration. This is due in large part to the fact that authoring the Google Gadget descriptor for a portlet is quite easy, and therefore an official feature wouldn't add tremendous value. Additionally, we were concerned about the supportability of such a feature, for example what would happen if the descriptor format changed. Also, the explorations around authentication were not enterprise quality approaches, and so not something we wanted to promote. Therefore, at this time WLP does not offer a "Generate Google Gadget..." option in the IDE, or provide any other specific feature.
However, as this blog entry will show, using the FULLY supported feature of Portlet Publishing, you can expose your portlets as gadgets with NO CODING required.
Portlet Publishing
Before we can talk about generating a Google Gadget, we need to take a look at Portlet Publishing. Once again, this feature exposes any WLP hosted portlet as a URL - an HTTP addressable end-point. The power of this feature is that anything that can consume an HTTP end-point (e.g., an IFrame within any webpage) can be host to a WLP portlet.
It is important to note that Portlet Publishing works for all WLP portlet types, like JSR 168, WSRP, JSF, Struts, Web Clipper, etc. This means that with a single deployment of your portlet on WLP, it can be used over the following channels simultaneously:
- Directly embedded in a standard WLP portal/desktop
- Directly embedded in any JSP hosted on the WLP server (see the portalFacet JSP tag)
- Federated to external WSRP consumers (WSRP is a web services standard for consuming remote portlets)
- Federated to any consumer of HTTP, notably browsers via IFrames and XmlHttpRequests (which means ANY website on the planet)
In WLP 9.2 and WLP 10, Portlet Publishing was limited to the library instances of portlets. This meant user preferences were not supported through the HTTP channel. However, with WLP 10.2, Portlet Publishing has been augmented to allow for Desktop Instances (and thus user preferences) to be exposed over the HTTP channel. Consult the documentation for more details on this point.
To consume portlets published over the HTTP channel in any web page, you can inject the portlet into the HTML using one of these techniques:
- An inline frame (iframe) that points to the URL to the portlet
- DOM Injection - using simple JavaScript that WLP provides, you can dynamically inject the portlet into the page using Ajax (XmlHttpRequest)
Once again, consult the documentation for more details on these points.
Exposing your WLP Portlet as a Google Gadget
You have hopefully read my previous blog entry on how to build a simple Google Gadget. This section builds on that knowledge. Essentially, we will author a Google Gadget descriptor that points at a WLP portlet exposed over HTTP (via Portlet Publishing). To make this entry as simple as possible, we will use the library definition form of the Portlet Publishing URL. For example, assume you have a portlet that is exposed at this URL:
http://wlp.bea.com/dvt/portlets/wlp/stackWLP.portlet
If you are unfamiliar with WLP, the .portlet file is a file based XML document that describes a portlet's meta data. In this case, it has been deployed in the portlets/wlp directory of the dvt webapp. When directly addressed, Portlet Publishing kicks in and serves up the portlet implementation associated with this .portlet file (this is the library definition approach to publishing).
You can now easily author a gadget descriptor that targets that URL, and thus exposes that portlet as a Google Gadget:
<?xml version="1.0" encoding="UTF-8" ?>
<Module>
  <ModulePrefs title="WLP Portlet Gadget" height="120" author="Peter Laird" />
  <Content href="http://wlp.bea.com/dvt/portlets/wlp/stackWLP.portlet" type="url" />
</Module>
Copy this gadget descriptor to a public web server, and then add this gadget to your iGoogle portal as I showed in my previous post. And Presto!
The Fine Print
Some details to think about:
- Titlebars: WLP will by default render a titlebar to the portlet, and so will iGoogle. To avoid nested titlebars, use the "light" decoration option with Portlet Publishing desktop portlet instances.
- Authentication: if you have a cookie based web SSO solution in place, your users will automatically be logged into the WLP server even when the user navigates to iGoogle (by virtue of how iframes work). In other circumstances, you will need to provide a login screen within the portlet.
- Add to Google button: it is often nice to have an "Add to Google" button on the portlet. This is easily done by just copying the URL pattern seen on other sites that provide such a button. You will essentially need to embed the URL to your gadget descriptor into the button link.
- Preferences: you will need to decide what to do with preferences. WLP manages preferences on the server side. If your portlet is exposed over multiple channels, stick with that. However, if the portlet will ONLY be consumed as a Google Gadget, you may consider using the Google provided preference service.
- JavaScript Libraries: Google provides a number of JavaScript libraries for Gadget developers. When developing a portlet that will only be exposed as a gadget, feel free to use these. However, if the portlet will be exposed over multiple channels (like on a WLP desktop), be aware that none of the Google libraries have been certified within WLP.
References
Introduction to Google Gadgets
Posted by plaird on April 22, 2008 at 1:47 PM | Permalink
| Comments (0)
We have been showing how to expose WebLogic Portal portlets as Google Gadgets for almost two years now. Embarrassingly enough, we haven't written any blogs or articles on HOW to do it. We have answered email questions about it, but nothing public. This two part blog series will correct that omission. You will hopefully see that it is really quite simple to do. This first entry will talk about building a generic Google Gadget (without WLP), and then the following entry will show how to convert any WLP portlet into a gadget.
What are Google Gadgets, and iGoogle, please?
Google Gadgets are web based widgets/portlets/[insert your favorite web component term here] that are based on technology provided by Google specifically to make federating gadgets easy. To see gadgets in action, the best place to try them out is on the iGoogle portal. Gadgets can really do anything. This example shows an eBay integrated gadget that allows a user to interact with their eBay account within the gadget:
The technology provided by Google can be lumped into these buckets:
- An xml file format for describing a gadget (called the descriptor)
- A gadget preferences model - for storing user specific preferences for a gadget external to the gadget implementation
- Various JavaScript libraries for doing useful things
- An online directory of pre-built gadgets
- iGoogle - the reference platform for users to use gadgets
- Google Gadgets for your Webpage - a JavaScript mechanism for including a gadget on ANY web page
Several things are notably missing from what Google provides with regard to gadgets:
- Gadget hosting - aside from a few official Google gadgets, all the gadgets are hosted independently by their creators
- Gadget validation - treat every gadget with suspicion; even though it is flying the colors of a well known brand it may be hosted by a guy in a basement.
- Authentication - there is no provided mechanism for gadgets to inherit authentication from the consuming page, notably no single sign on with iGoogle
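
One way to act on the "treat every gadget with suspicion" point before approving a gadget for an internal page, added here as an example (it is not code from the original post or from Google): judge a descriptor by the host its `Content href` actually loads from, never by its self-declared title or author. The allowlist, the function names and the lookalike descriptor are assumptions constructed for illustration; the first descriptor is a trimmed copy of the one in this post.

```python
"""Vet a gadget descriptor by the origin it really loads content from."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumption for this example: hosts approved to serve gadget content.
TRUSTED_HOSTS = frozenset({"wlp.bea.com"})

# Descriptor from the post (ModulePrefs trimmed to three attributes).
PAGE_DESCRIPTOR = """<?xml version="1.0" encoding="UTF-8" ?>
<Module>
  <ModulePrefs title="Simplest Gadget" title_url="http://wlp.bea.com" author="Peter Laird" />
  <Content href="http://wlp.bea.com/blogs/simplest.html" type="url" />
</Module>"""

# Constructed sample: identical branding, content served from another host.
LOOKALIKE_DESCRIPTOR = PAGE_DESCRIPTOR.replace(
    "http://wlp.bea.com/blogs/simplest.html",
    "http://gadgets.example.net/simplest.html",
)


def check_content_url(href, trusted_hosts, require_https):
    """Return the problems found in one Content href (empty list = acceptable)."""
    try:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
    except ValueError as exc:
        return [f"unparseable href {href!r}: {exc}"]
    problems = []
    allowed_schemes = {"https"} if require_https else {"http", "https"}
    if parts.scheme not in allowed_schemes:
        problems.append(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        problems.append("href carries userinfo before the host")
    # Exact match on the parsed host: a substring or suffix test would accept
    # names such as wlp.bea.com.example.net.
    if host not in trusted_hosts:
        problems.append(f"content host {host!r} is not on the allowlist")
    return problems


def vet_descriptor(xml_text, trusted_hosts=TRUSTED_HOSTS, require_https=False):
    """Vet one descriptor; returns {"ok": bool, "claimed": {...}, "problems": [...]}.

    ModulePrefs values are whatever the descriptor's author typed, so they are
    reported for the reviewer but play no part in the decision.
    """
    result = {"ok": False, "claimed": {}, "problems": []}
    # A descriptor needs no DTD; refusing one keeps entity tricks out of the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        result["problems"].append("descriptor declares a DTD or entities")
        return result
    try:
        root = ET.fromstring(xml_text.strip())
    except ET.ParseError as exc:
        result["problems"].append(f"not well-formed XML: {exc}")
        return result
    if root.tag != "Module":
        result["problems"].append(f"root element is {root.tag!r}, expected 'Module'")
        return result
    prefs = root.find("ModulePrefs")
    if prefs is not None:
        result["claimed"] = {
            key: prefs.get(key) for key in ("title", "author") if prefs.get(key)
        }
    contents = root.findall("Content")
    if not contents:
        result["problems"].append("no Content element")
    for content in contents:
        ctype = content.get("type")
        if ctype != "url":
            # Only the type="url" form shown in the post is handled here.
            result["problems"].append(
                f"Content type {ctype!r} is outside this check; review by hand")
            continue
        result["problems"] += check_content_url(
            content.get("href", ""), trusted_hosts, require_https)
    result["ok"] = not result["problems"]
    return result


if __name__ == "__main__":
    samples = (("page", PAGE_DESCRIPTOR), ("lookalike", LOOKALIKE_DESCRIPTOR))
    for name, text in samples:
        verdict = vet_descriptor(text)
        print(name, verdict["claimed"], "OK" if verdict["ok"] else verdict["problems"])
```
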
Finally, note that there is another gadget technology offered by Google called Desktop Gadgets. These gadgets are targeted toward Google Desktop, and aren't related to the gadgets we are discussing.
The Google Gadget Phenomenon - why should you even care?
Google Gadgets and iGoogle were the fastest growing product offered by Google in 2006 and had strong growth again in 2007:
“The star performer for [2007] was Google’s personalized start page service iGoogle which increased traffic in the 12 months to November by 267.64%.” (TechCrunch)
Useful Gadgets get heavily used:
“The Google gadget ecosystem received 960 million pageviews last week” (Niall Kennedy)
These metrics are largely based on use of gadgets and iGoogle in the consumer space. But consider how your enterprise can benefit from deploying Google Gadgets:
- A new channel to your customers within iGoogle
- Offered as a widget to your customers to place on their own web pages
- A new channel to your partners/employees within iGoogle
Building a Simple Google Gadget - as easy as falling off a bike?
This section discusses the express route to building a gadget. Steps to build:
- Create a gadget implementation, which is nothing more than an HTML document served from a public web server.
- Create a gadget XML descriptor, that refers to the gadget implementation.
- Add the gadget to iGoogle.
Step 1: Create the Gadget Implementation
Save this HTML into a file on a public web server.
<html>
  <body>
    Hello World.
  </body>
</html>
Step 2: Create the Gadget Descriptor
Save this XML into a file on a public web server (I have also hosted one publicly here for now: http://wlp.bea.com/blogs/simplestGadget.xml). You will need to update the href included in the body to the URL of your HTML document created in step 1.
<?xml version="1.0" encoding="UTF-8" ?>
<Module>
  <ModulePrefs title="Simplest Gadget"
               directory_title="Simplest Gadget"
               title_url="http://wlp.bea.com"
               description="Very very simple gadget."
               height="120"
               author="Peter Laird" />
  <Content href="http://wlp.bea.com/blogs/simplest.html" type="url" />
</Module>
Step 3: Add the gadget to iGoogle
Log in to iGoogle, and then click the Add Stuff link, and then the Add Feed or Gadget link. Provide the URL to the XML document created in step 2.
Step 4: Enjoy!
Next Steps
In the next blog post, I will show how to expose any WLP portlet as a Google Gadget. Stay tuned!
References
I only covered a small part of the Google Gadget technology. Their developer documentation is excellent, so please refer to it for more details:
Deploying the ALBPM Workspace into WebLogic Portal
Posted by plaird on December 17, 2007 at 2:45 PM | Permalink
| Comments (5)
Customers that purchase both WebLogic Portal (WLP) and AquaLogic Business Process Management (ALBPM)
will certainly want them to work together.
Specifically, customers want to be able to deploy the ALBPM Workspace user interface as portlets on a WLP portal.
This blog explains how to do that, and provides a script to help automate the most tedious steps.
Use Case
The ALBPM Workspace contains a total of 4 portlets.
By default, they deploy in their own pre-built web application.
But if you have both ALBPM and WLP in your environment, it would be useful to be able to deploy the portlets into WLP.
The four portlets are:
- Actions Menu: lists the operations the user can perform, like create a new process
- Views Menu: lists the various views available, like process inbox and bookmarks
- Worklist: displays the list as directed by the Views menu, like the list of active processes
- Instance Detail: shows the details of a specific process
A view of the completed Workspace on WLP:
Integration Implementation
Behind the scenes, there are some challenges to this project.
First, when the user authenticates with WLP, they shouldn't have to also sign into ALBPM.
Fortunately, ALBPM implemented an SSO mechanism in ALBPM 6.0.
This can be enabled via a couple of checkboxes during the configuration of ALBPM (more on this later).
Second, the portlets and all supporting file based artifacts need to be brought into the WLP Web Project.
While most of this is straightforward, it is an error prone operation.
Also, merging in the necessary web.xml entries for the ALBPM workspace into the stock WLP web.xml is tricky.
A simple error can create headaches.
This part screams for an automated solution.
To make this integration as easy as possible, I have created a distribution that contains movies and an Ant script.
The movies will help guide you through the process.
The Ant script removes a lot of tedious steps from the process.
Note: while this integration guide and script are deemed reliable, they are not officially supported. The official documentation is the supported source of information on this integration.
ALBPM 6.0 Workspace for WLP 10
There is official documentation to explain how to integrate the products.
But sometimes seeing the integration is the best teacher.
Therefore, the distribution that I have created includes a series of movies.
Additionally, it contains an overview presentation on the process of integrating the products.
Finally, the actual deployment of the ALBPM Workspace onto WLP is scripted via an Ant script that I provide.
I have hosted the files of the distribution in this location:
ALBPM 6.0 Workspace for WLP 10 Download Center
Note: to view the Flash FLV movies you will need an FLV player, such as the free FLVPlayer
ALBPM_for_WLP_slides.zip and ALBPM_for_WLP_slides_movie.zip
Start with these.
One zip contains the Powerpoint presentation, the other contains a movie of me talking through the slides.
This deck explains what the integration is all about, and the high level steps needed to perform the integration.
ALBPM_for_WLP_movie1.zip, ALBPM_for_WLP_movie2.zip, ALBPM_for_WLP_movie3.zip
These zip files contain detailed walk throughs of various parts of the integration.
View these movies in order, and use the Pause button so you can follow along while you perform the integration on your machine.
ALBPM_for_WLP_script.zip
This zip contains the Ant script and associated files that will automate the ALBPM Workspace deployment into WLP.
This script does a ton of file copying and also includes some new files (.portlets) to make this a smooth process.
While you can do all of this by hand, the script gets the job done quickly and correctly.
Acknowledgements
I didn't complete this project by myself.
The ALBPM Development and QA teams (Eduardo, Nico, Mariana, Alex, Mariano, and others) did a lot of work on sorting out the process to get the products integrated.
Additionally, some folks from BEA Professional Services (Paddy in particular) helped get this going.
THANKS!
Additional Resources
Need more information? Here are some good links to get you started:
AquaLogic Commerce Services 5.1 for BEA Workshop 9.2
Posted by plaird on October 18, 2007 at 8:32 PM | Permalink
| Comments (1)
BEA released AquaLogic Commerce Services this year to help BEA customers with their commerce initiatives.
ALCS is a product that offers a storefront and comprehensive merchandising capabilities out of the box.
If you need to build a commerce solution for your business, ALCS makes it quick and easy.
This blog entry describes a supplemental distribution that allows BEA Workshop developers to get up and running easily on ALCS.
AquaLogic Commerce Services
This blog entry will not focus on the ALCS product itself, but if you have not seen it here is a quick overview.
It is a full solution for developing commerce projects for the enterprise.
ALCS provides a fully customizable commerce solution that offers many features for both developers and merchandisers.
Features at a Glance
- Complete storefront delivered in the box - a powerful web shopping experience
- Merchant Tools - catalog management, promotion management, analytics
- CSR Tools - order management, fulfillment
- SEO - world class SEO capabilities to drive customers to your door step
- Ajax one page checkout - fast track your customers through the checkout process
- Developer friendly - productive development experience based on Velocity and Spring MVC technologies
- Extensibility - highly customizable and extensible architecture offers complete control over the solution
- SOA foundation - features exposed via web services, and integrated into the BEA SOA story
- Scalability - built on enterprise Java technology, ALCS can scale to meet the demands of the largest commerce projects
For more detailed information on the features in the product, please check out the product information page.
Introducing ALCS 5.1 for WLW 9.2
One of the benefits of ALCS for BEA customers is that it deploys to WebLogic Server and integrates with WebLogic Portal.
It fits in with the products that you already know and love.
This makes deployment consistent with other projects you have deployed on the WebLogic stack.
However, for the ALCS 5.1 release the development environment out of the box is not aligned with the BEA Workshop IDE.
This will get sorted out for the next release of ALCS.
Until then, I have created a supplemental solution for ALCS 5.1 that allows for easy integration with BEA Workshop 9.2.
Called ALCS 5.1 for WLW 9.2, the supplemental download has the following features:
- Script target to reprovision the ALCS sample application into the Workshop project structure (aka WTP)
- Script target to reskin the sample store from "Snap it Up" to "Avitek Digital" (credit to Dan Tortorici!)
- Script target to add in prominent disclaimer/promotion announcements to the store
The download available on dev2dev CodeShare includes ample instructions and a presentation that provides more context.
DOWNLOAD ALCS 5.1 for WLW 9.2
Additional Resources
To get started with ALCS, also consult the following documentation:
WebLogic Security: Configuring the Database Authentication Providers (SQL, Custom, DBMS)
Posted by plaird on September 25, 2007 at 10:17 PM | Permalink
| Comments (3)
I have gotten a lot of WebLogic security related questions offline as a result of my last blog post.
A couple of people have asked for more details behind the WebLogic SQL Authenticator (a database authentication provider) that I mentioned.
This blog entry will give deep background into your options when it comes to authenticating users from a database repository.
I will finish by explaining how to configure the SQL Authenticator.
First, a bit of terminology.
When looking in the WebLogic Server documentation for a database authentication provider you will find at least a few names:
We all love choice, but what's up with all these names?
Are they all the same thing, or does WLS provide multiple provider implementations?
In short, WebLogic does provide multiple database authentication provider implementations.
This blog entry will sort out specifically what providers are available to you when authenticating from a database.
We will look inside the WebLogic providers to understand what features are supported by which provider.
After we have that covered, I will describe how to configure a SQL Authenticator provider in the WLS Console and how to provision the database.
Peter's Best Practice: Use a Database Backed Authentication Provider!
Before we dive into the details, I want to take a moment to congratulate you on reading more about this topic.
I have worked at BEA many years, and I have been involved in many customer production escalations.
When it comes to Authentication repositories, my experience tells me that you are safest performance-wise with a database backed authentication store.
While customers have certainly been successful with other types of authentication repositories, if you want to minimize risk the database approach trumps all others.
A database backed repository has few moving parts, and the query necessary to authenticate a user is a simple SELECT.
So if you want my opinion, I say go with a database when you have the option.
The Official Flavors of WebLogic Database Authentication Providers
Back to the topic at hand - what are the WebLogic database authentication providers?
The official documentation source, edocs.bea.com, will get us started.
The docs explain what is provided for you:
Weblogic Security Providers
A set of Database Management System (DBMS) authentication providers that access user, password, group, and group membership information stored in databases for authentication purposes.
Optionally, WebLogic Server can be used to manage the user, password, group, and group membership information.
The DBMS Authentication providers are the upgrade path from the RDBMS security realm.
The following DBMS Authentication providers are available:
- SQL Authentication provider - A manageable authentication provider that supports the listing and editing of user, password, group, and group membership information.
- Read-only SQL Authentication provider - An authentication provider that supports authentication of users in a database and the listing of the contents of the database through the WebLogic Server Administration Console. The authentication provider requires a specific set of SQL statements so it might not meet all customer needs.
- Custom DBMS Authentication provider - A run-time authentication provider that only supports authentication. This provider requires customer-written code that handles querying the database to obtain authentication information. This authentication provider is a flexible alternative that allows customers to adapt a DBMS Authentication provider to meet their special database needs.
The documentation is reflected by the WebLogic Console, which provides the following dropdown of authentication providers to choose from.
Notice that the three database authentication provider types appear.
While the above descriptions provide some information about the difference between these providers, we can do better.
Because you are a developer, you probably want the inside story.
Today is your lucky day!
Inside the WebLogic Database Authentication Providers
To get the inside story let's head straight for the source - the authentication provider configuration files.
You will find them here:
- BEA_HOME/WL_HOME/server/lib/mbeantypes/cssWlSecurityProviders.jar
If you open up this JAR, you will find 4 files of interest: DBMSAuthenticator.xml, CustomDBMSAuthenticator.xml, ReadOnlySQLAuthenticator.xml, and SQLAuthenticator.xml.
Three of those map directly to the official authentication provider implementations, so those are obviously their configuration files.
The fourth, DBMSAuthenticator - what is that?
If you look into the XML files, you find that DBMSAuthenticator is the base class for the rest of the providers.
By looking at the Extends attribute on the MBeanType element, you can derive the class hierarchy of the providers, shown below.
Now that you understand how the providers are related, how do you know which one you want?
WLS/CSS authentication providers have two components: the JAAS code that actually performs the authentication at runtime, and then a set of management "mbeans" that the provider chooses to implement.
Every management feature that a provider can support is surfaced as an mbean interface.
The key to understanding what a provider can do for you is to look at the mbean interfaces that it implements.
Each interface is optional, meaning a provider may choose what features it can support.
Here is the list of mbeans for authentication providers which provide the manageability around users and groups:
SSPI MBean Quick Reference
Mapping out our providers into a table and the mbeans they implement shows the vast difference in manageability.
You will want to select a provider based on your requirements for managing users and groups from WLS.
| Provider | GroupReader | GroupListers | UserReader | UserPasswordEditor | GroupEditor | UserEditor |
| Custom | no | no | no | no | no | no |
| Read Only SQL | YES | no | YES | no | no | no |
| SQL | YES | YES | YES | YES | YES | YES |
Using the CustomDBMSAuthenticator
This provider is obviously not for use in situations when manageability from WLS is important.
It offers no management support.
What it does offer is a lowest common denominator approach to integrating a database user repository.
Employ this provider when you need to surface just authentication capabilities to WLS, and nothing else.
You simply need to implement a plugin that answers the most basic of questions.
Configuring the SQL Authenticator
You are more likely to be using the Read-only SQL Authentication provider or the most powerful SQL Authentication provider.
These providers give you manageability from the WLS Console (and WLP Console if using WLP).
They are easy to instantiate - the UI surfaces the options you need to configure.
I won't go into all the options, but it is important to see that you can change the SQL for each operation if you have a custom schema.
The SQL for these providers is designed to be modified to allow you to retrofit a custom database schema.
But you can also use the default schema if you are provisioning a brand new user repository (see below for the schema).
After configuring the provider, any deltas versus the defaults will be persisted into config.xml.
You can see below, I updated the Datasource of course (this is required) but I also made an arbitrary change to the Create Group SQL.
See how it wrote the update into config.xml.
<sec:authentication-provider xsi:type="wls:sql-authenticatorType">
  <sec:control-flag>SUFFICIENT</sec:control-flag>
  <wls:enable-group-membership-lookup-hierarchy-caching>false</wls:enable-group-membership-lookup-hierarchy-caching>
  <wls:data-source-name>p13nDataSource</wls:data-source-name>
  <wls:sql-create-group>INSERT INTO GROUPS VALUES ( 'arbitrary change' , ? )</wls:sql-create-group>
</sec:authentication-provider>
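
Because only deltas from the defaults are persisted, every `sql-*` element under a SQL Authenticator in config.xml is a non-default statement, which makes the file easy to audit. The script below is an added example (not from the original post and not a BEA tool) that lists those overrides and notes statements that embed a string literal or lack a `?` bind marker. The fragment is the one shown above, wrapped in a root element; the `sec` and `wls` namespace URIs and the function names are constructed placeholders.

```python
"""List non-default SQL statements configured on WebLogic SQL Authenticators."""
import re
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample: the fragment from the post inside a root element. The
# sec/wls namespace URIs are placeholders; the audit matches on local element
# names, so the real URIs in your config.xml do not need to be known here.
SAMPLE_CONFIG = """<domain xmlns:sec="urn:example:sec" xmlns:wls="urn:example:wls"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <sec:authentication-provider xsi:type="wls:sql-authenticatorType">
    <sec:control-flag>
      SUFFICIENT
    </sec:control-flag>
    <wls:enable-group-membership-lookup-hierarchy-caching>
      false
    </wls:enable-group-membership-lookup-hierarchy-caching>
    <wls:data-source-name>p13nDataSource</wls:data-source-name>
    <wls:sql-create-group>
      INSERT INTO GROUPS VALUES ( 'arbitrary change' , ? )
    </wls:sql-create-group>
  </sec:authentication-provider>
</domain>"""

STRING_LITERAL = re.compile(r"'[^']*'")


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return tag.rsplit("}", 1)[-1]


def review_statement(sql):
    """Return review notes for one overridden SQL statement."""
    notes = []
    if STRING_LITERAL.search(sql):
        notes.append("embeds a string literal")
    # Look for the bind marker outside of any quoted literal.
    if "?" not in STRING_LITERAL.sub("", sql):
        notes.append("has no ? bind marker")
    return notes


def audit_sql_authenticators(config_xml):
    """Return one report dict per SQL Authenticator found in the config text."""
    reports = []
    root = ET.fromstring(config_xml.strip())
    for elem in root.iter():
        if local(elem.tag) != "authentication-provider":
            continue
        # xsi:type is a prefixed name such as "wls:sql-authenticatorType".
        provider_type = elem.get(XSI_TYPE, "").split(":")[-1]
        if not provider_type.endswith("sql-authenticatorType"):
            continue
        report = {"type": provider_type, "control_flag": None,
                  "data_source": None, "overrides": {}, "other": {}}
        for child in elem:
            name = local(child.tag)
            value = " ".join((child.text or "").split())  # collapse whitespace
            if name == "control-flag":
                report["control_flag"] = value
            elif name == "data-source-name":
                report["data_source"] = value
            elif name.startswith("sql-"):
                report["overrides"][name] = {
                    "sql": value, "notes": review_statement(value)}
            else:
                report["other"][name] = value
        reports.append(report)
    return reports


if __name__ == "__main__":
    for rep in audit_sql_authenticators(SAMPLE_CONFIG):
        print(rep["type"], rep["control_flag"], rep["data_source"])
        for name, item in rep["overrides"].items():
            print("  override", name, "->", item["sql"], item["notes"])
```

Run against a copy of the domain's config.xml and keep the output under version control, so a changed or newly added authentication statement shows up as a diff.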
The Default Schema DDL for the SQL Authenticator
You can define whatever schema you want to store users and groups when using the SQL Authenticators.
But if you are starting fresh, why not just use the default schema and the default settings on the provider?
I would highly recommend this approach.
It doesn't look like we officially document the default database schema so let me show you what it is.
I list the Oracle DDL below, but you can find the official DDL for your database vendor in the following location in the WLS 10 install (and a similar location for other versions):
- BEA_HOME/wlserver_10.0/common/p13n/db/DB_VENDOR/p13n9_create_tables.sql
CREATE TABLE USERS (
U_NAME VARCHAR(200) NOT NULL,
U_PASSWORD VARCHAR(50) NOT NULL,
U_DESCRIPTION VARCHAR(1000))
;
ALTER TABLE USERS
ADD CONSTRAINT PK_USERS
PRIMARY KEY (U_NAME)
;
CREATE TABLE GROUPS (
G_NAME VARCHAR(200) NOT NULL,
G_DESCRIPTION VARCHAR(1000) NULL)
;
ALTER TABLE GROUPS
ADD CONSTRAINT PK_GROUPS
PRIMARY KEY (G_NAME)
;
CREATE TABLE GROUPMEMBERS (
G_NAME VARCHAR(200) NOT NULL,
G_MEMBER VARCHAR(200) NOT NULL)
;
ALTER TABLE GROUPMEMBERS
ADD CONSTRAINT PK_GROUPMEMS
PRIMARY KEY (
G_NAME,
G_MEMBER
)
;
ALTER TABLE GROUPMEMBERS
ADD CONSTRAINT FK1_GROUPMEMBERS
FOREIGN KEY ( G_NAME )
REFERENCES GROUPS (G_NAME)
ON DELETE CASCADE
;
A Few Details for WebLogic Portal Customers
This thread got started because I was discussing in my last blog how WLP 9.2+ by default uses the WebLogic SQL Authenticator.
You can, of course, add more authentication providers and remove the SQL Authenticator if you like.
When installing WLP, the installer (or you can use the createdb script) will lay down the default SQL Authenticator schema into the WLP schema.
Therefore, by default, WLP uses just a single schema for both authentication and Portal operations.
This is the most convenient option, but you can change this by switching out the configured datasource.
More Information
For further reading, I suggest these links:
Discussion on WebLogic Security: Authentication Providers, Internal LDAP, JAAS, WebLogic Portal, Profile
Posted by plaird on September 22, 2007 at 1:15 PM | Permalink
| Comments (8)
This blog entry comes from an email thread I had with a fellow BEA colleague.
We traded a number of emails - he asked a lot of great questions about how WebLogic Portal (WLP) supports various security features.
Since WLP relies heavily on WebLogic Server for those features, my answers apply to WebLogic in general and not just Portal.
I am posting the email thread here because I think that this discussion might be of interest to others.
Before I show the thread, I should provide a glossary of abbreviations and concepts:
- WLS: WebLogic Server, the J2EE application server that most people associate with the name "WebLogic"
- WLP: WebLogic Portal, the J2EE portal product built on top of WLS
- CSS: in this context, not cascading style sheets. Common Security Service is the componentized security package that WLS uses for security.
- SSPI: the pluggable security subsystem provided by CSS to WLS
- ATN: authentication, which refers to the process of verifying who a user is (with a password perhaps)
- ATZ: authorization, which refers to the process of deciding whether the authenticated user has the privilege to perform a certain action
- UUP: a WLP feature that aggregates profile information for a user from a variety of backend sources using a plugin architecture
- Internal LDAP: an LDAP repository embedded in CSS historically used for some default SSPI providers
Discussion Thread
From: Colleague
Quick follow-up to our discussion in the hall at BEAWorld,
you said that WLP wants to stop using the internal LDAP server altogether and use the database instead.
I forgot, though, did you say that had already happened in a previous release, or is that slated for the next release?
From: PJL
Yes and no.
For ATN, WLP does not use internal LDAP. WLP switched to the WLS/CSS provided SQLAuthenticator in WLP 9.2. This does not mean that customers must use it, it is merely the default.
A customer may choose to toss the SQL ATN provider and plug in an LDAP, Active Directory, etc. provider instead.
Here is the WLS doc reference to SQL Authenticator: Configuring RDBMS Authentication Providers
As for ATZ (WLP entitlements and delegated administration), we rely on the default ATZ provider from WLS, which in turn uses the internal LDAP store.
Currently, we are tightly bound to the default ATZ provider for various reasons, and so WLP therefore has a hard dependency on internal LDAP.
This is not ideal, and so WLP wants to eliminate the internal LDAP dependency.
The forthcoming solution to this problem is for WLS to support a database as the backend store for the default ATZ provider.
They should have this in the next WLS version (but no promises folks!), and so we will pick it up in a future release beyond Flatirons (the next WLP release).
From: Colleague
Right, makes sense. A couple more questions:
Can customers configure more than one ATN provider, e.g. extranet users in SQL and employees in Active Directory, is that a supported WLP configuration?
Do documents stored in WLP's virtual content repository (VCR) use the default ATZ provider as well?
Where does the Unified User Profile (UUP) fit into this picture?
From: PJL
>> Can customers configure more than one ATN provider, e.g. extranet users in SQL and employees in AD, is that a supported WLP configuration?
Yes, and you can do logic like AND and OR via the JAAS control flags (this is WLS/CSS doing that, not WLP).
>> Do documents stored in WLP's virtual content repository (VCR) use the default ATZ provider as well?
Yes, Entitlements defined on VCR documents are stored in the default ATZ provider.
The documents and metadata themselves are in the WLP database if the BEA Repo is being used, or in third party systems like Documentum or SharePoint.
>> Where does the Unified User Profile (UUP) fit into this picture?
Profile is the third leg to this: ATN, ATZ, and Profile.
For WLP, all three are independent, and linked together just by username.
So ATN could come from Active Directory, whereas profile can be aggregated from, for example, a mainframe, LDAP, and Siebel via UUP.
WLP passes the UUP plugins the username that was authenticated, and then each plugin is responsible for retrieving the correct profile info.
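The AND/OR behaviour of the control flags mentioned in the reply above, as an added example that is not part of the original email thread and is not WebLogic code. It models the standard JAAS flag rules for the SQL-plus-Active-Directory case; the provider tuples, the user sets standing in for real logins, and the function name are assumptions of this example.

```python
REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = (
    "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL")

# Constructed sample directories: one extranet user, one employee.
SQL_USERS = {"extranet_eve"}
AD_USERS = {"employee_dan"}

def authenticate(providers, username):
    """Combine an ordered provider list the way JAAS control flags do.

    providers: list of (name, flag, known_users); membership in known_users
    stands in for a successful login against that provider.
    Returns (overall_success, names_of_providers_consulted).
    """
    must_seen = False    # a REQUIRED or REQUISITE provider was consulted
    must_failed = False  # ...and at least one of them failed
    any_ok = False       # some provider accepted the user
    consulted = []
    for name, flag, known_users in providers:
        consulted.append(name)
        ok = username in known_users
        any_ok = any_ok or ok
        if flag in (REQUIRED, REQUISITE):
            must_seen = True
            if not ok:
                must_failed = True
                if flag == REQUISITE:
                    break        # REQUISITE failure stops the chain at once
        elif flag == SUFFICIENT and ok and not must_failed:
            break                # SUFFICIENT success stops the chain at once
        # REQUIRED failures and OPTIONAL results let the chain continue
    # Every REQUIRED/REQUISITE consulted must pass; with none configured,
    # at least one SUFFICIENT or OPTIONAL provider must pass.
    return (not must_failed) and (must_seen or any_ok), consulted

# "AND": a user must exist in both stores, which locks out both populations.
BOTH_REQUIRED = [("SQL", REQUIRED, SQL_USERS), ("AD", REQUIRED, AD_USERS)]
# "OR": either store may vouch for the user.
EITHER = [("SQL", SUFFICIENT, SQL_USERS), ("AD", SUFFICIENT, AD_USERS)]
# Ordering pitfall: a SUFFICIENT success ahead of a REQUIRED provider
# means the REQUIRED provider is never consulted.
SUFFICIENT_FIRST = [("SQL", SUFFICIENT, SQL_USERS), ("AD", REQUIRED, AD_USERS)]
```

With SUFFICIENT_FIRST, an account present only in the SQL store logs in without Active Directory ever being asked, so provider order deserves the same review as the flags themselves.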
From: Colleague
One piece I'm still a bit fuzzy on is how groups fit into this whole picture. I've been reading this section on edocs:
Adding and Managing Groups (WLP docs)
It sounds like WLP periodically syncs group info from the providers into some local store, which I'm guessing is the default RDBMS.
Is that correct?
From: PJL
Good question.
Actually WLP doesn't really maintain its own group mapping.
The ATN providers provided by WLS are responsible for doing that.
We do some caching of the group tree because it can be expensive to build, so that is what those docs are talking about.
But we don't write that in-memory cached tree out to the database or file system.
To see how an ATN provider is involved in group membership, look at how the SQL Authenticator gets configured as an example:
SQL Authenticator Configuration help
You can see that it has methods for managing group relationships. How this happens at runtime is a deeper dive into the WLS/CSS SSPI ...
WLS/CSS authentication providers have two components -
the JAAS code that actually performs the authentication,
and then a set of "mbeans" that the provider chooses to implement.
Most of the mbeans are optional to implement.
Here is the list for ATN providers which provide the manageability around users and groups:
SSPI MBean Quick Reference
- GroupEditor
Create a group. If the group already exists, an exception is thrown.
- GroupMemberLister
List a group's members.
- GroupReader
Read data about groups.
- GroupRemover
R