Sunday, May 31, 2020

Learn OAuth authentication with an Oracle product

First, let's go through some basics of OAuth 2.0.


Limitations before OAuth

  • If apps store the user's password, the apps have full access to the user's account.
  • The user's password is exposed if an app is compromised.
  • There are limited options to revoke an app's access, i.e. the user may have to change the password to restrict the app's access to their account.

To address these limitations, several services implemented mechanisms similar to OAuth; however, they were not compatible with each other. So there was an expectation of an open standard that could be followed.

Following are some token-based frameworks:

  • Google: AuthSub
  • Yahoo: BBAuth (Browser-Based Auth)

OAuth is an authorization protocol.
OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices.
OAuth 2.0 is the industry-standard protocol for authorization. OAuth 2.0 supersedes the work done on the original OAuth protocol created in 2006. This specification and its extensions are being developed within the IETF (Internet Engineering Task Force) OAuth Working Group.
OAuth provides password-less token exchange, meaning only a token is used and the password is never shared.

Scope: an option to limit an application's access to a user account. There can be more than one scope.




Resource owner
  The resource owner has the capability to grant access to the protected resource. There are scenarios where this entity is a person (i.e. an end user).
Resource server
  The protected resource is hosted in this entity. The client accesses the protected resource in this entity by using access tokens. This entity accepts the protected resource request if the client has a valid access token.
Client
  As the name states, this is the entity that requests the protected resource on behalf of the resource owner. This is possible only after it has the resource owner's authorization. The application could be running anywhere: on a desktop, server, mobile or any other device.
Authorization server
  This entity provides the access token to the client that has successfully authenticated and received authorization.
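
The four roles, scopes and revocation described above, as an added example that is not part of the original post: a simplified in-memory model rather than a real OAuth 2.0 implementation. The class names, client names and scope strings are made up for illustration.

```python
import secrets

class AuthorizationServer:
    """Issues opaque access tokens once the resource owner has granted scopes."""
    def __init__(self):
        self._grants = {}  # token -> (owner, client_id, scopes)

    def issue_token(self, owner, client_id, scopes):
        token = secrets.token_urlsafe(32)  # random value, unrelated to the password
        self._grants[token] = (owner, client_id, frozenset(scopes))
        return token

    def lookup(self, token):
        return self._grants.get(token)

    def revoke(self, owner, client_id):
        """Withdraw one client's access; password and other clients are untouched."""
        self._grants = {t: g for t, g in self._grants.items()
                        if (g[0], g[1]) != (owner, client_id)}

class ResourceServer:
    """Hosts the protected resource; accepts only valid, sufficiently scoped tokens."""
    def __init__(self, auth_server):
        self._auth = auth_server

    def request(self, token, required_scope):
        grant = self._auth.lookup(token)
        if grant is None:
            return 401  # unknown or revoked token
        if required_scope not in grant[2]:
            return 403  # valid token, but its scope does not cover this action
        return 200

def demo():
    auth = AuthorizationServer()
    photos = ResourceServer(auth)
    # Constructed scenario: alice grants two clients different scopes.
    printer = auth.issue_token("alice", "print-app", ["photos.read"])
    backup = auth.issue_token("alice", "backup-app", ["photos.read", "photos.write"])
    results = [photos.request(printer, "photos.read"),          # within scope
               photos.request(printer, "photos.write"),         # outside scope
               photos.request("guessed-token", "photos.read")]  # never issued
    auth.revoke("alice", "print-app")
    results += [photos.request(printer, "photos.read"),   # revoked client
                photos.request(backup, "photos.write")]   # other client unaffected
    return results

if __name__ == "__main__":
    print(demo())
```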

Oracle BPEL Performance Tuning

Oracle BPEL is a stateful component that can be used for orchestration. Because the service is stateful, the service instance information is persisted, so tuning how that instance state is persisted helps improve performance.
Following are some of the configurations that can be used to improve performance.

  • Service auditing
  • Service level of persistence
  • Other thread-related tuning.
I will shortly go through these points with additional information.

Monday, February 24, 2020

BPEL Transaction behaviour for a Synchronous Webservice call

Recently I came across an issue on the Oracle community site related to the behaviour of transactions in a BPEL component. The issue occurred when a BPEL component has a database call followed by a synchronous webservice call. Though the database call is part of the XA transaction that is started when the BPEL instance is created, the database changes are not rolled back in case of an exception after the webservice call. This happens only when the nonBlockingInvoke property is set to TRUE for the webservice invoke activity. If the nonBlockingInvoke property is set to FALSE, the database changes are rolled back as expected.

One of the older Oracle documents mentions that the invoke activity of a synchronous service with the nonBlockingInvoke property set to true will create a "New Transaction". That could be the reason why the previous database adapter call was committed before the webservice invocation, so the rollback of the database changes did not happen.


It was interesting to learn this. The key takeaway is to check carefully whether the properties we define during implementation meet the requirements. Please feel free to share your experience if you have faced a similar issue.

Wednesday, February 12, 2020

OSB Performance Tuning options

Oracle Service Bus can be used for service virtualization, routing, mediation, validation, etc. Because Oracle Service Bus services are stateless, they benefit in terms of performance. There are various tuning options to improve the performance of a service, such as proper thread management (using work managers), leveraging the Coherence cache, following best practices in XQuery transformations, etc. In this post I cover some of the OSB XQuery tuning options.

1. Use absolute XPaths where feasible, as they are faster.
2. Avoid using wildcards in XPaths. Using the appropriate namespaces instead helps improve performance. When appropriate namespaces are used, unwanted content can be ignored, thereby improving transformation performance.
3. Assign read-only content that is part of an XML document to a context variable if it needs to be used multiple times. Having it in a variable avoids processing the XPath to fetch the value every time.
4. Avoid the use of double forward slashes in XPaths
The double forward slash // should be used ONLY if the exact XPath is unknown. If // is used, the XQuery processing engine searches the full XML object for matching patterns. As the full XML object needs to be searched, it consumes more time.
5. Use indexed XPaths
If you know the exact position to pick the value from in the XML, specifying the index makes the processing faster. If the index is not specified, it might take more time. This applies only when the exact position is known, for example when it is known that the second (or Xth) occurrence of an element needs to be picked.
6. Extract frequently used parts of a large XML document as intermediate variables within a FLWOR expression
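
Tips 1 to 5 compared on a constructed message, as an added example that is not from the original post. It uses Python's ElementTree path support to illustrate the selection semantics rather than OSB's XQuery engine, and the `urn:example:*` namespaces and element names are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample message; namespaces and element names are hypothetical.
MSG = """<ord:Order xmlns:ord="urn:example:order" xmlns:aud="urn:example:audit">
  <aud:Trace><aud:Id>trace-9</aud:Id></aud:Trace>
  <ord:Items>
    <ord:Item><ord:Id>A-1</ord:Id></ord:Item>
    <ord:Item><ord:Id>B-2</ord:Id></ord:Item>
  </ord:Items>
</ord:Order>"""
NS = {"ord": "urn:example:order"}
ROOT = ET.fromstring(MSG)

def descendant_wildcard(root):
    """Tips 2 and 4 ignored: any-namespace Id anywhere, so the whole tree is
    searched and the unwanted audit Id is returned as well."""
    return [e.text for e in root.findall(".//{*}Id")]

def exact_indexed(root):
    """Tips 1, 2 and 5: namespaced step-by-step path with a position index,
    the equivalent of /ord:Order/ord:Items/ord:Item[2]/ord:Id."""
    hit = root.find("ord:Items/ord:Item[2]/ord:Id", NS)
    return None if hit is None else hit.text

def order_ids(root):
    """Tip 3: resolve the read-only Items subtree once and reuse the variable."""
    items = root.find("ord:Items", NS)
    return [i.findtext("ord:Id", namespaces=NS) for i in items.findall("ord:Item", NS)]

if __name__ == "__main__":
    print(descendant_wildcard(ROOT))
    print(exact_indexed(ROOT))
    print(order_ids(ROOT))
```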

I will continuously update the blog with other OSB performance tuning options. Keep watching this blog for more updates.