Richard Seroter's Architecture Musings

Category: BizTalk

Applying Role-Based Security to BizTalk Feeds From RSSBus
I recently showed how one could use RSSBus to generate RSS feeds for BizTalk service metrics on an application-by-application basis. The last mile, for me, was getting security applied to a given feed. I only have a single file that generates all the feeds, but, I still need to apply role-based security restraints on the data.

This was a fun exercise. First, I had to switch my RSSBus installation to use Windows authentication, vs. the Forms authentication that the default installation uses. Next I removed the “anonymous access” capabilities from the IIS web site virtual directory. I need those steps done first because I plan on checking to see if the calling user is in the Active Directory group associated with a given BizTalk application.

Now the interesting part. RSSBus allows you to generate custom “formatters” for presenting data in the feed. In my case, I have a formatter which does a security check. Their great technical folks provided me a skeleton formatter (and way too much personal assistance!) which I’ve embellished a bit.

First off, I have a class which implements the RSSBus formatter interface.
```
public class checksecurity : nsoftware.RSSBus.RSBFormatter
```
Next I need to implement the required operation, “Format” which is where I’ll check the security credentials of the caller.
```
public string Format(string[] value, string[] param)
{
   string appname = "not_defined";
   string username = "anonymous";
   bool hasAccess = false;
	
   //check inbound params for null
   if (value != null && value[0] != null)
   {
     appname = value[0];
     //grab username of RSS caller
     username = HttpContext.Current.User.Identity.Name;
     if (HttpContext.Current != null)
     {
        //check cache
	if (HttpContext.Current.Cache["BizTalkAppMapping"] == null)
        {
          //inflate object from XML config file
          BizTalkAppMappingManager appMapping = LoadBizTalkMappings();

          //read role associated with input BizTalk app name
          string mappedRole = appMapping.BizTalkMapping[appname];

          //check access for this user
          hasAccess = HttpContext.Current.User.IsInRole(mappedRole);

          //pop object into cache with file dependency
          System.Web.Caching.CacheDependency fileDep = 
               new System.Web.Caching.CacheDependency
                   (@"BizTalkApplicationMapping.xml");
          HttpContext.Current.Cache.Insert
                   ("BizTalkAppMapping", appMapping, fileDep);
         }
        else
         {
          //read object and allowable role from cache
          string mappedRole = 
               ((BizTalkAppMappingManager)
                    HttpContext.Current.Cache["BizTalkAppMapping"])
                       .BizTalkMapping[appname];

         //check access for this user
         hasAccess = HttpContext.Current.User.IsInRole(mappedRole);
          }
     }
  }
  if (hasAccess == false) 
        throw new RSBException("access_violation", "Access denied.");
            
  //no need to return any value
  return "";
}
```
A few things to note in the code above. I call a function named “LoadBizTalkMappings” which reads an XML file from disk (BizTalkApplicationMapping.xml), serializes it into an object, and returns that object. That XML file contains name/value pairs of BizTalk application names and Active Directory domain groups. Notice that I use the “IsInRole” operation on the Principal object to discover if this user can view this particular feed. Finally, see that I’m using web caching with a file dependency. After the first load, my mapping object is read from cache instead of pulled from disk. When new applications come on board, or a AD group account changes, simply changing my XML configuration file will invalidate my cache and force a reload on the next RSS request. Neato.

That’s all well and good, but how do I use this thing? First, in my RSSBus web directory, I created an “App_Code” directory and put my class files (formatter and BizTalkApplicationMappingManager) in there. Then they get dynamically compiled upon web request. The next step is tricky. I originally had my formatter called within my RSSBus file where my input parameters were set. However, I discovered that due to my RSS caching setup, once the feed was cached, the security check was bypassed! So, instead, I put my formatter request in the RSSBus cache statement itself. Now I’m assured that it’ll run each time.

So what do I have now? I have RSS urls such as http://server/rssbus/BizTalkOperations.rsb?app=Application1 which will only return results for “Application1” if the caller is in the AD group defined in my XML configuration file. Even though I have caching turned on, the RSSBus engine checks my security formatter prior to returning the cached RSS feed. Cool.

Is this the most practical application in the world? Nah. But, RSS can play an interesting role inside enterprises when tracking operational performance and this was a fun way to demonstrate that. And now, I have a secure way of allowing business personnel to see the levels of activity through the BizTalk systems they own. That’s not a bad thing.

Technorati Tags: BizTalk, RSSBus
January 17, 2008
Year in Review, MVP Status Awarded
I was going to use this, my 100th post on WordPress, and first of 2008, to highlight my favorite posts from last year. But upon my return from vacation yesterday, I discovered that I had been granted an MVP award for my efforts in 2007, so, I also want to throw a quick thanks to the Microsoft folks. Achieving an MVP was one of my silent goals for the year, so I’m jazzed that my contributions were considered useful enough to warrant this.

I had lots of fun learning new BizTalk things in 2007, and these were a few of the ones that I enjoyed writing the most …
- Message debatching
  - SQL Adapter debatching. Turned out to be something a few folks were trying to do.
  - Debatching flat file and persisting headers. I wish XML debatching kept headers the same way flat files do.
- Building a complete BizTalk + certificates scenario. It was great to get this working from end to end and finally prove it out.
- Figuring out orchestration message synchronization. Interesting to see how the message objects get changed in an orchestration.
- BAM stuff
  - BAM and “group” shapes. Small gotcha about using scopes vs. group shapes.
  - BAM security and deployment. Finally began to understand how a production BAM system would look.
  - BAM data archiving explained. Nice to dig into the BAM archiving process and gain confidence in how the plumbing works.
- Ordered Delivery
  - Ordered delivery scenarios. Neat to see how ordered delivery can be used.
  - Using ordered delivery to prevent web service call timeouts. One way to handle bursts of inbound data that could cause SOAP timeouts on downstream calls.
- BizTalk maps
  - How code is generated in the scripting functoid. I didn’t realize that parameter “types” are fairly irrelevant in a scripting functoid.
  - Using global variables. Good to know that a map can have “state” during its execution.
- Scripts and tools
  - Solution structure generation script. I’d recommend every BizTalk shop agreeing on a common artifact structure.
  - Query service metrics on a per-application basis. Cool way to see the activity for a given application.
  - SSO Configuration Store tool. My favorite tool of the year. So easy for me to use SSO to store values now.
  - BizTalk code review checklist. Each BizTalk shop should also agree on what their BizTalk practices and coding standards are.
  - Send port duplicator. Always fun to build tools that save a few mouse clicks.
- BizTalk and SOA Software. I’ll probably be spending time this year working on my company’s SOA governance and maturity plan and SOA Software plays a big role in that.
  - Securely storing SOA Software access passwords. Neat way to use encryption algorithms, SSO and singletons to make my code reusable.
- BizTalk and static objects. Interesting findings about static objects in the BizTalk environment.
- BizTalk and InfoPath Forms Services 2007. I like InfoPath Forms Services and bet that many folks haven’t given InfoPath a second look since disregarding the 2003 release.
This year you’ll see fewer BizTalk-related posts as I continue my descent into broad systems architecture, but, I’ll try and keep you all entertained nonetheless.

Technorati Tags: BizTalk, SOA, MVP
January 7, 2008
Building an RSSBus Feed for BizTalk Server
A few months back, I demonstrated how to build a SQL query against the BizTalk databases which returned application-level activity metrics. Now that the RSSBus Server has moved further along in its release cycle, I went ahead and built a more full-featured RSS feed out of BizTalk.

Within the RSSBus infrastructure, one can build an “.rsb” file, which can be syndicated as RSS.

So what’s contained in this “.rsb” file that makes my RSS feed so exciting? Let’s look. First off, I can specify input parameters to my feed, which are received via the URI itself. Notice that you can also specify a default value, and, a restricted list of values. In my case below, I’m only accepting activity metrics for one, two, seven and fourteen days back.
```
<rsb:info 
title="BizTalk Operations" description="BizTalk Operations Feed">
  <input name="app" default="App1" 
desc="This is the name of the BizTalk application to query">
  <input name="interval" default="1" 
desc="The number of historical days to show" values="1,2,7,14">
  <input name="servicefilter" default="" 
desc="Keyword filter of results">
  <input name="typefilter" default="all" 
desc="Show all service types/just messaging/just orchestration" 
required="false">
 </rsb:info>
```
What I’m trying to do here is have a single “feed” file, which can actually serve RSS data for a wide variety of applications and scenarios. Instead of having to create a new RSS feed for each newly deployed BizTalk “application”, I can simply generate a new URI and not deploy a single new object.

Now arguably the only way this solution will work is if we aren’t actually hitting the BizTalk databases each time a person refreshes their RSS feed. I don’t want that additional load on our production system. So, what are my caching options? As it turns out (thanks to the spectacularly helpful RSSBus techs who helped me out), the caching capabilities are quite robust. Here’s my caching declaration in my “.rsb” file ..
```
<rsb:cache duration="120" 
file="cache\\cache_[_input.app | tofilename]_
[_input.interval | tofilename]_[_input.servicefilter | tofilename]_
[_input.typefilter | tofilename].xml" />
```
The first time this feed is hit (or when the cache duration has been exceeded), a cache file is created and named according to the URI parameters. So if I hit this feed for application “ABC” and a “7 day” duration, filtered by all services with “SOAP” in the name, and only wanted “messaging” services, my cache file on disk would be named “cache_ABC_7_SOAP_messaging.xml”. If someone else makes the same RSS request within the cache duration interval, then RSSBus will return the cached data (stored in the file) instead of actually querying my BizTalk databases again. As you would expect, I have many cache files on my system at any one time to reflect the many RSS query permutations.

Then, within my “.rsb” file, I use the RSSBus “sqlCall” connector and format all the results. The “<rsb:match>” keyword is in place to suppress resulting values that don’t contain the input “service filter” value. I then use the “<rsb:select>” and “<rsb:case>” keywords to do a switch statement based on the “type filter” value. This allows me to show only orchestration services, messaging (send/receive) services, or both.

So what’s the result? To demonstrate the RSSBus server to some colleagues, I utilized our newly deployed MOSS 2007 infrastructure to add RSS data to my personal site. After putting together the RSS query URI just the way I want it, I take that URI and apply it to the RSS webpart on my site.

I chose to show both the feed AND description since I put the BizTalk activity count in the item description. After saving my web part changes, I can now see my RSS data from our “development” server.

Now I can provide URLs to the business owners of our various BizTalk applications and they can see regular performance metrics for their system. RSSBus provides a pretty unique platform for building and maintaining RSS feeds from a wide variety of sources. Providing operational metrics from enterprise systems may be one way that my company actually uses RSS to further business objectives.

My last step is to add security to a given feed query, and the RSSBus folks are helping me through that right now. I’d like to be able to restrict viewership of a given feed based on Active Directory group membership. I’ll report back on the results.

Technorati Tags: BizTalk, RSSBus
December 31, 2007
Oracle ODBC Driver Problems After Database Upgrade

Given that my posts on BizTalk + Oracle integration are consistently my most popular, I thought I’d add another one to the mix.

The first BizTalk application that my company deployed required BizTalk to poll an Oracle 8i database. When BizTalk was first installed here, we followed the documented instructions and installed the Oracle 9.2 client, and specifically, the Oracle 9.2.0.54 version of the ODBC driver. For the most part, everything has been smooth sailing.

Recently, we took that application down for to fix a bug in the Oracle view, and while that work was being done, the underlying Oracle database was upgraded from 8i to 9i. No big deal, right? Well, after the bug had been fixed in the Oracle view, and we turned the application back on in our “test” environment, we noticed some very bizarre behavior.

After some initial investigation, I saw that the value (of type varchar2) being pulled from the Oracle database appeared to be truncated! Only seven characters (out of eight) were being pulled, and, every other value came in empty. Yowza.

So where to begin troubleshooting this? The first place we looked was the database itself. Had anything changed? Oracle 9i has significantly more Unicode support, so we checked to see if data was improperly converted from 7-bit ASCII to Unicode. The data appeared to be intact and unmolested.

Given that no changes had occurred on the BizTalk application itself, it seemed unlikely that BizTalk was the culprit. We checked a few basic things such as the “maxLength” value (identical in both BizTalk schema and Oracle view), and also confirmed that the BizTalk binding configuration had not changed.

So, next we looked at the connection to Oracle itself. Was the ODBC connection the troublemaker here? I decided to open Visual Studio.NET, and using the Server Explorer, create a connection to my Oracle database by reusing the existing Oracle ODBC DSN. Sure enough, when I viewed the Oracle view in question, I saw truncated (and missing) values! I knew positively that the underlying data was right, so the connection was the piece that was distorting my data.

I confirmed this by going to a different environment (with the Oracle 10g client installed) and using Visual Studio.NET to browse the Oracle database table. Using the 10g client, the data appeared correctly.

So, in our development environment, our administrators tried downgrading our Oracle ODBC driver to 9.2.0.0.0. When we did that, the data also appeared correctly. However, I wasn’t comfortable downgrading, and suggested moving one Oracle ODBC version past the Microsoft-recommended 9.2.0.54. We installed the 9.2.0.65 version of the ODBC driver, and once again, everything looked perfect. After that, one of the DBAs suggested skipping 9.2.0.65 (due to a few noteworthy bugs) and jump to 9.2.0.8 (with the latest DST patch).

So what the heck caused this? I still don’t have a great answer. The only change to this system was the database upgrade, but the DBAs were fairly confident that existing connections should not have been affected. The set of tubes known as the internet turned up very few results. There was some information on Oracle ODBC and Unicode, and some other gripes with the 9.2.0.54 driver, but nothing that explained why the ODBC connection to the database mangled my result set.

Moral of the story? When troubleshooting these sorts of scenarios, check off each area that could have caused the problem, and use multiple environments (with different configurations) to isolate the problem. Then when all else fails, upgrade Oracle drivers!

Technorati Tags: BizTalk, Oracle

December 21, 2007
Changing Roles

It’s been just about a year since I left Microsoft to take my current job, and after some success in my initial role, I’m switching teams and responsibilities.

I was brought into this company to help establish our BizTalk practice. After participating in 10 projects, teaching 8 classes (to 110+ colleagues), creating a few tools and frameworks, and writing up some best practices and checklists, it was time for new challenges.

So, I’ve moved into our Solutions Architecture team as a Solutions Architect. My job now is to execute architecture reviews, help define and guide architectural principles, design and model new systems, research and introduce new technologies, and more. While I’ll remain the “BizTalk guy” here for a while, that’s no longer my central technology each and every day.

Blog-wise, expect to continue seeing various tidbits and demonstrations of BizTalk concepts (because it’s still fun for me), but I’ll probably start peppering in other architectural topics that are on my mind.

Technorati Tags: biztalk, architecture, SOA

December 18, 2007
InfoPath 2007 Scenarios With BizTalk Server 2006 R2
I’m a fan of InfoPath, but one barrier to entry has been the need to install the client software on user machines. We have one deployed solution that uses it (as part of ESB Guidance), but I wanted to explore the new Forms Services capability and see how I can use that to simplify BizTalk workflow use cases. In this post, I will examine a few common use cases, and demonstrate how I built them. The theme of the solution is the workflow around system support incident management.

InfoPath Setup

To build this solution, first I needed schemas with which to generate the necessary InfoPath forms. So, within a new BizTalk project I created an “Incident” schema that looked like this:

Next, I have a “Survey” schema which the system owner will fill out after the incident has been successfully resolved.

After deploying the BizTalk solution, I went ahead and built a Web Service using the BizTalk Web Services Publishing Wizard so that incidents can be sent from InfoPath directly back to the running BizTalk workflow process.

Now, I can go ahead and build the necessary InfoPath forms. When designing the form, I’ve chosen to support both the InfoPath rich client AND, InfoPath Forms Services.

The form itself is fairly basic. It simply uses the XSD schema as a data source and allows for capture of incident data.

The first tricky part was getting the “Submit” action to work. On my first iteration building this, the rich client could submit to the web service just fine, but the Forms Services version kept giving me “an error occurred accessing the data source.” So, I had to learn all about UDC files and SharePoint data connections (thanks to the InfoPath Team Blog and Mark Bower‘s posts). So, my InfoPath form’s “submit action” now points to a SharePoint-managed data connection.

I then deployed this Incident form to my SharePoint server. When deploying forms in InfoPath 2007, you’ll see that Forms Services is mentioned.

Once deployed, I can go to the SharePoint document library’s Advanced Settings and set the form to open in the browser by default.

Next I built and deployed the “Survey” form which will be saved directly to the SharePoint library, so no extra submit action is needed.

BizTalk Setup

On the BizTalk side, I built a simple workflow to demonstrate the following use cases:
- Emailing a link to a InfoPath form existing in SharePoint
- Receiving submitted feedback from InfoPath back into BizTalk
- Emailing a link to a “new” document for someone to fill out and save in SharePoint
Also, to deal with the ridiculous InfoPath/SharePoint namespace bug, I decided to build a Jeff Lynch-style map so that now my promoted columns show up in the SharePoint document library.

To send the first email (asking the user to fill out the Incident Report), I need the correct URL to embed in the email message. Since I clearly need a Incident to refer to in this hyperlink, I first send the Incident to the SharePoint library. Because I dynamically set the file name, I have that value in my orchestration, and can use it for my email link. The link looks like:

http://myserver:89/sites/Richard/Incident%20Reporting/”+wssMessageName+”?OpenIn=Browser

The next hyperlink I need is for the “Survey” so that I can ask someone to create an entirely new form (that doesn’t already exist in the SharePoint document library). What does that look like?

http://myserver:89/sites/Richard/Satisfaction%20Survey/Forms/template.xsn?
SaveLocation=http://myserver:89/sites/Richard/Satisfaction%20Survey&
Source=http://myserver:89/sites/Richard/Satisfaction%20Survey&
OpenIn=Browser

Running the Scenario

Ok, so let’s kick this off and see how it looks. When I drop a file (to signify a system sending an incident report), I expect to see a message sent to SharePoint, AND, an email with a link to the same document. In my SharePoint library I see …

Notice that a form can be viewed either in the rich client or browser. In my email box I have a link to the web version of my Incident form. Clicking that link brings me to the form served up by InfoPath Forms Services.

Notice that I have both “save” and “submit” buttons available on the web form. The “submit” button will trigger the default submit action, which in my case, calls my BizTalk-generated web service.

Once the form submits, I then get a receipt (via my orchestration), and, a request to fill out a satisfaction survey. The email link creates a new empty form, that when saved, will appear in my SharePoint document library. Notice that I turned off “submit” in this form, since there is no submit action.

Summary

So, unlike with InfoPath 2003, InfoPath 2007 makes it very easy to design a form once, and have it surfaced up via the rich client, web browser, or mobile browser with no additional effort. From a BizTalk perspective, instead of emailing forms around and trying to keep track of them, we can now send links to web forms and be confident that any user, regardless of platform or software install, can participate in our workflow. This should make it much more compelling to use InfoPath + SharePoint in workflow solutions instead of doing custom development.

Technorati Tags: BizTalk, InfoPath, SharePoint
December 5, 2007
BizTalk Atomic Transaction Rollback of Variables
This week I’m delivering a BizTalk development class for my colleagues, and during my preparation of demonstrations, I spent a few extra minutes confirming the behavior of members variables and atomic transactions.

Atomic transactions in BizTalk don’t necessarily behave like some folks expect. For instance, if a BizTalk orchestration calls a component with ADO.NET code which updates a database, and then raises an error later in the atomic scope, this will NOT cause that database operation to be rolled back. In another example, if you place a “send” shape inside an atomic scope, and a later operation fails, BizTalk doesn’t roll back the send operation. It’s standard design to use BizTalk “compensation” to execute logic to roll back any operations performed in the atomic scope.

Darren’s excellent BizTalk book states that there are realistically three scenarios where a developer will use atomic transactions in a BizTalk orchestration:
- Using a class not marked as serializable
- Calling a COM+ component that’s participating in the orchestration transaction
- Minimizing persistence points
However, don’t assume that atomic transactions in BizTalk are completely neutered. There are cases that you would want to use an atomic transaction as a part of your actual process.

In this scenario, my orchestration has two variables. One references a custom .NET data object (Employee), and the other variable is a simple string. After receiving a message into the orchestration, I instantiate those variables with default values and print them out.

Next, I have an atomic transaction which changes the value of both variables, prints them, and then throws an error. Immediately after the atomic scope, I print the variable values once more. As you can see here, I’ve also wrapped the atomic scope inside a long-running scope so that I can swallow the error and move on gracefully.

What do you expect to happen? Does the orchestration reset the member variable only, or also the custom .NET object’s member value?

As you can see, both variables start off with values of “started up”, inside the atomic scope the value switches to “changed status”, and after the exception is thrown within the atomic scope, the values get reset to their pre-atomic scope values. It makes perfect sense since changes occurring within the atomic scope don’t commit until the transaction is complete, but, it’s always useful to test it.

Now, this scope behavior does not extend much beyond this. If I add a function to my “Employee” class which writes a file to disk, and I call that operation within the atomic scope, the exception does NOT cause that operation to roll back. The file stays on my drive even after the orchestration has completed. That’s a scenario where compensation would be needed.

Technorati Tags: BizTalk
November 27, 2007
Presentations Available Online for Microsoft SOA/BPM Conference

If you missed the recent SOA & BPM Conference from Microsoft, you can now review nearly all of the presentation decks via the conference website.

Visit the presentation download page to grab PDF versions of material.

Technorati Tags: BizTalk

November 14, 2007
BizTalk In-Process Hosting Of WCF Http Services
After my post of various WCF scenarios, I received a couple questions about using the in-process host to receive WCF HTTP requests, so I thought I’d briefly show my configuration setup for making this work.

First off, I had created a “regular” IIS-hosted WCF web service and auto-generated a receive port and location. I decided to reuse that receive port, and created a new receive location for my in-process HTTP receive. I used the WCF-Custom adapter, which as you can see, runs only within an in-process host.

The first adapter configuration tab is where you identify the endpoint URL. This value is completely made-up. I chose an unused port (8910), and then created my desired URL.

Next, on the Binding tab, I set the wsHttpBinding as the desired type.

Next, I added a behavior for “serviceMetadata” to allow for easy discovery of my service contract.

That’s it for the receive location configuration. I need to enable the receive location in order to instantiate the WCF service host. If I try to browse to my service URL while the location is disabled, I get a “page cannot be displayed” error. Once I enable the location, and hit my made-up URL in the browser, I can see the service description. Note that if I had not created the serviceMetadata behavior, I would have received a “Metadata publishing for this service is currently disabled.” message when viewing my service in the browser.

So, now I can generate the necessary client-side objects and configuration to call this service. My client application’s configuration file has the following endpoint entry:
```
<endpoint 
   address="http://localhost:8910/incidentreporting/incident.svc"
   binding="wsHttpBinding" 
   bindingConfiguration="WSHttpBinding_ITwoWayAsyncVoid"
   contract="Service1" name="IncidentInProcSvc">
   <identity>
       <userPrincipalName value="myserver\user123" />
   </identity>
</endpoint>
```
You’ll notice my endpoint address matches the value in the receive location, and an “identity” node exists because my service configuration (in the receive location) identified clientCredentialType as “Windows” for message/transport security.

There you go. Pretty easy to “build” a service that is hosted within the BizTalk process, completely bypassing IIS, and leave the service consumer none the wiser.

UPDATE: You may notice that nowhere above did I build a contract into the service itself. I reused a contract in my client endpoint, but how would the service consumer know what to send to my service? This is probably where you’d decide to create a MEX endpoint. You’d point at the WS-Custom receive location in the WCF Publishing Wizard, and choose a schema(s) to represent the contract. Then users would point to the MEX service to generate their strongly-typed client components.

Technorati Tags: BizTalk, WCF
November 14, 2007
New Co-Worker Blog

One of my brightest co-workers decided to set up a blog this week, and I encourage you to check him out.

The first post for Victor Fehlberg’s Tech Postings (about Victor) goes over the process of setting up Terminal Services access to a shared BizTalk environment. Besides being a newly minted BizTalk guru, Victor’s our resident expert on DataFlux and is also a rock star on Java, RUP and UML, so expect a nice variety of interesting topics.

Welcome aboard, Victor.

Technorati Tags: BizTalk

November 13, 2007