Preparing Applications for Oracle Java Cloud Service - SaaS Extension Deployment
This section provides guidelines and considerations for developing applications, such as applications that use a JDBC data source, in order to deploy them on an Oracle Java Cloud Service - SaaS Extension instance.
Topics:
-
Understanding Application Library Behavior Changes on Oracle Cloud
-
Guidelines for Applications That Use Java EE or ADF Application Security
-
Guidelines for Applications When Accessing a Local File System
-
Guidelines for Applications When Accessing System Properties
You must follow these guidelines either when developing new applications targeted to an Oracle Java Cloud Service - SaaS Extension instance or when modifying existing applications targeted to an Oracle Java Cloud Service - SaaS Extension instance
Understanding Application Library Behavior Changes on Oracle Cloud
Unless the Oracle Java Cloud Service - SaaS Extension documentation explicitly states changes to the original behavior of application libraries in order to be compatible with Oracle Java Cloud Service - SaaS Extension, then the application library's default behavior is not changed.
An example of a default application library behavioral change is the Log4j Console Appender, which has changed on Oracle Cloud. See Guidelines for Applications When Using Log4j Appenders.
An example of unchanged behavior is the setting of Log4j or JDK log levels using application code. These application libraries have not changed on Oracle Cloud, so they should work as they do in on-premise environments.
Frequently Asked Questions for Oracle Java Cloud Service - SaaS Extension is the only section of Using Oracle Java Cloud Service that provides examples for application libraries whose behavior does not change on Oracle Cloud.
Guidelines for Applications That Use a JDBC Data Source
The association of an Oracle Java Cloud Service - SaaS Extension instance with a Database Cloud Service instance makes the database instance available to deployed applications as a JDBC data source. By default, the JNDI name of the data source is the same name given to the Database Cloud Service instance at provisioning time. For example, if the name of the Database Cloud Service service instance is javatrial1801db
, then the JNDI name of the Database Cloud Service instance will also be javatrial1801db
.
If your application is using a JDBC data source for database access, then all references within the application to the assigned data source must be configured or modified to use either:
-
The JNDI name of the data source assigned within the Oracle Java Cloud Service - SaaS Extension instance.
-
A used-defined alias for the JNDI name of data source assigned within the Oracle Java Cloud Service - SaaS Extension instance.
Using a JNDI Alias for a JDBC Data Source
You can create an alias for the JNDI name of the JDBC data source assigned to your Oracle Java Cloud Service - SaaS Extension instance. Therefore, if your application is using a data source for database access, then all references to the data source can use the alias JNDI name instead of having to use the actual JNDI name of the data source.
For example, if the JNDI name of the Database Cloud Service instance is javatrial1801db
, you can create an JNDI name alias for the data source named mycustomalias
, and then just use mycustomalias
in all references to the data source within the application.
Using an JNDI alias for a data source eliminates the need to update your applications if they need to be redeployed to another Oracle Java Cloud Service - SaaS Extension instance that is associated with a different Database Cloud Service. Instead, you only need to add same the JNDI alias referenced in your applications to the JDBC data source in the new Oracle Java Cloud Service - SaaS Extension instance.
Adding a JNDI Name Alias
You can create and manage JNDI name aliases for data sources using the javacloud.jar
CLI in the Oracle Java Cloud Service - SaaS Extension SDK.
Here is an example of using the CLI to add a JNDI name alias for a data source:
$ ./javacloud -u username@oracle.com -id usoracletrial08411 -si javatrial5334 -add-datasource-jndiname -jndiname mycustomalias
JNDI Name "mycustomalias" added to the data source : javatrial5334db
Here is an example of using the CLI to list your data source JNDI names:
$ ./javacloud -u username@oracle.com -id usoracletrial08411 -si javatrial5334 -list-datasource-jndinames
#=============================#
| Listing 2 DS JNDI Alias(es) |
| [Identity |
| Domain=usoracletrial08411, |
| Service |
| Instance=javatrial5334] |
#====#===============#========#
|S.NO| Jndi Alias |ReadOnly |
|====|===============|========|
|1 |javatrial5334db|true |
|----+---------------+--------|
|2 |mycustomalias |false |
+----+---------------+--------+
Guidelines for ADF Applications
Follow the guidelines in this topic whenever you use Oracle Java Cloud Service — SaaS Extension to deploy an ADF application.
If you are deploying an ADF application, you must configure or modify its weblogic.xml
deployment descriptor to use the <exact-match>
element, as described in the following example.
<library-ref> <library-name>jsf</library-name> <specification-version>1.2</specification-version> <exact-match>true</exact-match> </library-ref>
Additionally, to ensure an adequate pool of database connections, set the following properties:
-
jbo.doconnectionpooling=true
-
jbo.txn.disconnect_level=1
-
jbo.ampool.doampooling=true
Note:
This library reference is added automatically if an ADF application is deployed from JDeveloper to a Cloud server, providing that the deployment profile is set to use "Oracle Cloud" as the platform, and as long as this library reference do not already exist in the weblogic.xml
file.
If the application needs to be deployed to both on-premise environments as well as an Oracle Java Cloud Service - SaaS Extension instance, and if the on-premise environments use different role names and JDBC data source JNDI names, then use the WebLogic Server release 10.3.6 deployment plan feature when deploying the application to the on-premise environments. This approach will support the configuration differences between the on-premise environment and the Oracle Java Cloud Service - SaaS Extension instance.
To learn more about deployment descriptors, JDBC data sources, and deployment plans, see:
Note:
The following references pertain only to on-premises customers who need to use a deployment plan when their enterprise role names are different. Java Cloud Service - SaaS Extension does not support these deployment plans.-
How to Create and Edit Deployment Descriptors in Oracle Fusion Middleware Fusion Developer's Guide for Oracle Application Development Framework
-
What You May Need to Know About JDBC Data Source for Oracle WebLogic Server in Oracle Fusion Middleware Fusion Developer's Guide for Oracle Application Development Framework
-
Using a Deployment Plan: Overview in Oracle Fusion Middleware Configuring and Using the Diagnostics Framework for Oracle WebLogic Server
Guidelines for Applications That Use Java EE or ADF Application Security
If an application uses Java EE or ADF application security for securing part or all of its pages (either programmatically or through its deployment descriptors), you must configure or modify the application to refer to the appropriate application roles.
The appropriate application roles are described in Securing Java EE Applications – Roles and Constraints and Securing ADF Applications – Roles and Constraints.
The current release of Oracle Java Cloud Service - SaaS Extension uses the second generation of the Identity Management System in Oracle Cloud. Therefore, applications that are deployed to the Oracle Java Cloud Service - SaaS Extension no longer need to prefix the principal name with the identity-domain-name
when defining enterprise role policies in ADF or Java EE applications.
Required Changes to ADF Applications Using Role-based Security
For currently deployed ADF applications that use role-based security, you no longer need to prefix the principal-name
with the identity-domain-name
when defining enterprise roles in the jazn-data.xml
deployment descriptor.
For role-based security with deployed ADF applications, you must either:
-
Modify the
jazn-data.xml
deployment descriptors by removing allidentity-domain-name
prefixing from the principal names. -
If you cannot modify your deployment descriptors, use the Security page to append the identity domain name to the enterprise role so that it exactly matches the principal name in the
jazn-data.xml
file.
The following example shows how the jazn-data.xml
deployment descriptor was typically configured for role-based security in previous releases of Oracle Java Cloud Service - SaaS Extension. Note that the identity domain name myidentitygroupfoo
prefixes the eastcoastsales
principle name.
...
<app-role>
<name>customer</name>
<class>oracle.security.jps.service.policystore.ApplicationRole</class>
<members>
<member>
<name>myidentitygroupfoo.eastcoastsales</name>
<class>weblogic.security.principal.WLSUserImpl</class>
</member>
</members>
</app-role>
...
The following example shows how the jazn-data.xml
deployment descriptor should be configured for role-based security in the current release of Oracle Java Cloud Service - SaaS Extension. Note that the eastcoastsales
principle name is no longer prefixed by an identity-domain-name
.
...
<app-role>
<name>customer</name>
<class>oracle.security.jps.service.policystore.ApplicationRole</class>
<members>
<member>
<name>eastcoastsales</name>
<class>weblogic.security.principal.WLSUserImpl</class>
</member>
</members>
</app-role>
...
For more information, see Securing ADF Applications – Roles and Constraints.
Required Changes to Java EE Applications Using Role-based Security
For currently deployed Java EE applications that use role-based security, you no longer need to prefix the principal-name
with the identity-domain-name
when defining enterprise roles in the weblogic.xml
deployment descriptor.
To use role-baseed security with currently deployed Java EE applications, you must either:
-
Modify the
weblogic.xml
deployment descriptors by removing allidentity-domain-name
prefixing from the principal names. -
If you cannot modify your deployment descriptors, use the Security page to append the identity domain name to the enterprise role so that it exactly matches the principal name in the
weblogic.xml
file.
The following example shows how the weblogic.xml
deployment descriptor was typically configured for role-based security in previous releases of Oracle Java Cloud Service - SaaS Extension. Note that the identity domain name myidentitygroupfoo
prefixes the WestCoastSales
principle name.
...
<wls:security-role-assignment>
<wls:role-name>sales</wls:role-name>
<wls:principal-name>myidentitygroupfoo.WestCoastSales</wls:principal-name>
</wls:security-role-assignment>
...
The following example shows how the weblogic.xml
deployment descriptor should be configured for role-based security in the current release of Oracle Java Cloud Service - SaaS Extension. Note that the WestCoastSales
principle name is no longer prefixed by an identity-domain-name
.
...
<wls:security-role-assignment>
<wls:role-name>sales</wls:role-name>
<wls:principal-name>WestCoastSales</wls:principal-name>
</wls:security-role-assignment>
...
For more information, see Securing Java EE Applications – Roles and Constraints.
Guidelines for Applications When Accessing System Properties
You can access most system properties from application code by using getters and setters.
Examples of the system properties you can access (get
or set
) by using application code are:
-
Any custom properties. (That is, any properties not defined by WebLogic Server or Java EE.)
-
The following HTTP proxy properties are getable:
-
http.proxyHost
-
http.proxyPort
-
https.proxyHost
-
https.proxyPort
-
-
The following categories of system properties are not available to be either
get
orset
. Attempting to do so will result in an access control exception.-
Java system properties related to the Java Security Manager.
-
Java system properties related to WebLogic Server security.
-
Java system properties related to the JVM specification.
-
Note:
All system properties that are set using application code in Oracle Java Cloud Service - SaaS Extension are not persisted when the service is restarted. Therefore, it is the responsibility of the application setting and getting them to persist them. A security exception will be raised if the application is trying access a property that is not allowed.
Guidelines for Applications When Using Log4j Appenders
The Oracle Java Cloud Service - SaaS Extension supports Log4j so deployed applications can use packaged Log4j libraries to log their messages. There are no limitations on the Log4j appender that is configured for applications, provided those appenders do not violate any security requirements.
Oracle recommends the two most commonly-used appenders:
-
ConsoleAppender – Logs that are written through this appender get redirected to the Oracle Java Cloud Service - SaaS Extension logs, which already contain JDK logs, along with certain WebLogic Server log messages. By using the ConsoleAppender, you can use the Oracle Java Cloud Service - SaaS Extension's CLI-based tools or the Oracle Java Cloud Service - SaaS Extension Control to query the service logs to find the Log4j logs as well.
-
FileAppender or any of its subclasses – The log files need to be written to a unique volume that can be read and written to, such as
/customer/scratch/${weblogic.Name}/log4j.log
, so that different managed servers do not end up using the same path. See Guidelines for Applications When Accessing a Local File System. The whitelist tool validates when thelog4j.properties
orlog4j.xml
configuration files are used to initialize Log4j. The whitelist will provide a warning if it cannot find the expected path for writing the logs.
This sample log4j.properties
file shows the path where log files are written as /customer/scratch/${weblogic.Name}/log4j.log
, which is inside the supported read/write area. It also shows how the dynamic portion ${weblogic.Name}
ensures that each managed server finds a different path.
# Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved. # Root logger option log4j.rootLogger=ALL, file, out # Direct log messages to a log file log4j.appender.file=org.apache.log4j.RollingFileAppender log4j.appender.file.file=/customer/scratch/${weblogic.Name}/log4j.log log4j.appender.file.append=true log4j.appender.file.layout=org.apache.log4j.PatternLayout log4j.appender.file.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss} %-5p %c{1}:%L - %m%n # Direct log messages to stdout log4j.appender.out=org.apache.log4j.ConsoleAppender log4j.appender.out.layout=org.apache.log4j.PatternLayout log4j.appender.out.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss} %-5p %c{1}:%L - %m%n
Note:
Oracle Cloud does not affect Log4j's mechanism for locating its own configuration files; therefore, the location of Log4j properties files should be by default found on the system CLASSPATH
. Please refer to the Log4j documentation for configuration file information.
Guidelines for Applications When Accessing a Local File System
Oracle Java Cloud Service - SaaS Extension allows local file system access to deployed applications through standard java.io.File
APIs. The root path on the local file system is /customer/scratch/
, and under this directory deployed applications can freely read from and write to any necessary files, such as Log4j configuration files.
For guidelines, see Guidelines for Applications When Using Log4j Appenders.
You can get the value of your /customer/scratch/
directory by using the system property java.scratch.dir
, as follows:
System.getProperty("java.scratch.dir")
To facilitate portability, your on-premise environment can use a different path for the same java.scratch.dir
property. (See Guidelines for Applications When Accessing System Properties.)
The /customer/scratch
volume is shared among all the managed servers in an Oracle Java Cloud Service - SaaS Extension instance; therefore, these managed server can see the same physical file with the same path. Therefore, the application code running from different managed servers can read the same file using the same path. However, if the application needs to write data to this volume, the application instances running in different managed servers need to find a unique path under the volume to write to.
To manage this, applications can read a dynamic {weblogic.Name}
system property to get the name of the managed server and append this name with the volume to get a unique path for writing. For example, applications running on a managed server name myMS1
, would be configured to write to a /customer/scratch/${weblogic.Name}/myMS1/
directory.
Note:
The Oracle Java Cloud Service - SaaS Extension SDK has a sample application named "File Browser" that can be used to manage all the files in your /customer/scratch/
directory. The sample application also shows how java.io.*
APIs can be used to read and write files. See Accessing the Local File System.