‘Micro’ Java EE on the cloud with ‘dockerized’ Payara

Thankfully I don’t have to write much because I have a screen cast.. Yay ! My second one [ trying to get better at this ;-) ]

The idea is to show you how easy it is to get up and running with Java EE on the cloud. I decided to use Payara and its docker images because I particularly like its micro version. This should be applicable to any other dockerized Java EE server though e.g. Weblogic 12c.

Here is list of the commands for your reference

General Docker setup

  • sudo yum update
  • sudo yum install -y docker
  • sudo service docker start
  • sudo usermod -a -G docker ec2-user
  • docker info

‘Dockerized’ Payara setup

  • docker search payara
  • docker pull payaradocker/payara-micro:
  • docker run –name pmc -d -p 8080:8080 -i -t payaradocker/payara-micro: /bin/bash
  • docker ps
  • docker attach –sig-proxy=false pmc
  • java -jar payara-micro- –port 8080 –deploy showcase-5.2.war

Useful links

Cheers amigos !

Posted in Cloud, Docker, Java, Java EE | Tagged , , , , , , , | Leave a comment

Quick tip: Exception handling in Message Driven Beans

Let’s do a quick review of exceptional handling with regards to Message Driven Beans.

The entry point into a MDB is the overridden onMessage method. It does not provide any scope for throwing checked exceptions and as a result, you will need to propagate unchecked exceptions (subclass of java.lang.RuntimeException) from your code if you want to handle error scenarios.

Types of exceptions

There are two categories of exceptions defined by the EJB specification and the container differentiates one from the other based on well stated semantics (again, in the EJB specification).

Application Exception

If you throw a checked exception (not possible for MDB but other EJBs can use this) which is not a java.rmi.RemoteException or it’s subclass, OR a RuntimeException (unchecked) which is annotated with @javax.ejb.ApplicationException, the container treats this as an Application Exception. As a result, it rolls back transaction if specified by the @javax.ejb.ApplicationException rollback attribute and retains the MDB instance for reuse – this is extremely important to note.

System Exception

If you throw a java.rmi.RemoteException (a checked exception) or it’s subclass, OR a RuntimeException (unchecked) which is not annotated with @javax.ejb.ApplicationException, the container treats it as a System Exception. As a result, it executes certain operations like transaction rollback and discards the MDB instance (this is critical).

What about the critical part ??

It is important to take into account, the discarding of the MDB instance. In case of System Exceptions, the container always discards the instance – so make sure that you are using these exceptions for their intended reason. In case you are using Application Exceptions and they are unchecked ones (they have to be in case of MDBs), make sure you annotate them with @javax.ejb.ApplicationException – this will ensure that the MDB instance itself is not discarded.

Under heavy loads, you would want to have as many MDBs in the pool as possible and you would want to avoid MDB instances being moved out of service. Sensible exception handling can help you realize this goal. It’as simple as annotating your exception class with @javax.ejb.ApplicationException and leaving the rest to the container :-)


The EJB (3.2) specification is a 465 page PDF which might look intimidating at the outset, but it’s a great resource nonetheless and not that hard to grasp. In case you want to understand Exception Handling semantics in further detail, please do check out Chapter 9 which is dedicated to this topic


Posted in Java, Java EE | Tagged , , , , | Leave a comment

Types of JMSContext in JMS 2.0

If you follow Java EE, the simplified API components in JMS 2.0 (Java EE 7) will not be unknown to you. One of the important interfaces which forms a part of the simplified API is the javax.jms.JMSContext interface.

JMSContext can be categorized in to two types depending on how it’s instance is obtained and managed (life cycle) – Container managed and Application managed

Application Managed

Let’s look at a code snippet

In this case, an instance of JMSContext was obtained using ConnectionFactory and hence needs to be closed by the application code. The container will not manage it’s lifecycle

Container Managed

If you use @Inject to allow the container to inject the JMSContext instance, the container assumes full responsibility for it’s lifecycle.

If you call close() on a container managed JMSContext, you will end up with this exception – javax.jms.IllegalStateRuntimeException: This method is not permitted on a container-managed (injected) JMSContext.


In the previous example, the container automatically uses the default Connection Factory (as per Java EE 7). You can also leverage @JMSConnectionFactory annotation (another useful addition to JMS 2.0) to specify a Connection Factory of your choice.

That’s it for now.. Cheers !

Posted in Java, Java EE | Tagged , , , , | Leave a comment

Java EE 7 in production . . . so far. . .

This is a quick post for folks who are searching for examples/instances of real world a.k.a production use of Java EE 7 . Please note that this list is courtesy two major sources –  JavaOne Conference (2014) talk delivered by Arun Gupta (check out the entire talk here) and Adam Bien’s blogs

  Let’s check them out……..

UNHCR ( UN Refugee Agency ) using  Java EE 7 on GlassFish 4


tipi.camp using Java EE 7 on Wildfly 8.1


more information here and here

ZEEF powering search with Java EE 7 on Wildfly 8.2


read more on Adam’s blog

Hubeo leveraging Java EE 7 on Wildfly 8.2


details on Adam’s blog

SAFSMS is a School management software using Java EE 7 on GlassFish


learn more here

DreamIT ( probably upgraded to Java EE 7 on GlassFish 4.1 already )


continue reading on Adam’s blog

IMO start up dynamics are quite different and more challenging in terms of many respects as compared to bigger organizations. Hence its rather heartening to witness the amount of faith being put into Java EE 7 by these companies and the way they are leveraging the stack.

Cheers !

Posted in Java, Java EE | Tagged , , , , | Leave a comment

Oracle IDM 11g R2 PS3: What’s new ??

Self Service and End User empowerment

Simplified Self Service UI

Better look and feel. More intuitive. Modern skin/widgets






Guided Access Catalog

Easier for end users. Displays steps to be performed much like e-commerce web sites




Front end

New skin
Changes to how UI customizations are to be made
Few Design console operations have been deprecated






Concept of a Home Organization

A user will be automatically added to an organization based on Home Organization Policy, which is nothing but a set of rules based on user attributes. OIM has default rules (OOTB) and one can build custom rules as well






Introduction of custom Admin Roles (in a simplified avatar)

More dynamic in nature as opposed to static Admin Roles in previous versions. Admin Roles are still there for backward compatibility but NOT recommended






No dependency on APM and OES

Need not deploy OES component for tweaking fine grained authorization

Temporal Grants for New and Existing Access

Users can specify start and end date while requesting access. This can be overridden by authoritative users and helps manage access more seamlessly

Self Service Capability Policy

Rules within this policy would help determine what operations can a user perform on his own profile. This is also driven by user attributes





Role Life cycle Management

When working with roles (adding members etc), a user will be able to see related statistics in a graphical fashion which can help him/her make a more informed decision w.r.t the action being executed on the Role




OIM Role categories are NOT recommended going forwards and usage of Catalog category attribute is advised.
Enhanced Password Policy Management

Enables common password policies for OIM and OAM. More flexibility in terms of defining Challenge Qs (system/user defined)



SoD replaced by Identity Audit capability

Needs to be explicitly enabled




Process forms are not required and hence not supported
Form Upgrade and FVC Utility have been dropped
Attestation is no more supported

Reporting and Auditing

Lightweight Audit Engine

A brand new audit engine has been introduced in PS3. This is synchronous in nature (unlike current engine which depends on JMS), pushes data into a single AUDIT_EVENT table. The new auditing engine also supports new entities

BI Publisher exposed via OIM

You can run Identity Audit (some of the reports) from OIM console itself


Approval layer

Introduction of Workflow Policies

Workflow Policies have replaced Approval Policies in PS3. However, in upgraded scenarios, Approval policies will continue to work








Running OIM without workflows (disabled state)

A system property can be toggled to disable SOA all together. Although the capability can be re-enabled, but the caveat is that it is NOT recommended/supported




Request Catalog

  • The out of the box search form in Catalog can be replaced by a custom form (taskflow) and configured with the help of a system property called Catalog Advanced Search Taskflow

Catalog Advanced Search Taskflow

  • Its possible to add more attributes to the catalog search form (via UI customization of course)

Displaying additional information for catalog entities

Displaying additional information for App Instance, Role and Entitlement (post checkout) can be driven with help of customized taskflows which can be configured by using system properties Catalog Additional Application Details Task Flow, Catalog Additional Role Details Task Flow and Catalog Additional Entitlement Details Task Flow respectively.



Integration layer

REST services based in SCIM (Simple Cross Domain Identity Management) protocol

Finally! A standards based REST interface on top of OIM. Supports limited operations as of now, but its a good start






Remote Manager usage is NOT recommended any more and has been removed from a documentation standpoint (might be deprecated from future releases)

SPML support dropped
Callback Service support dropped
Simplified SSO Integration (without OAM)

Use basic HTTP (web) servers and integrate SSO with OIM on basis of HTTP headers


Orchestration Engine MBean

This is a nice addition which helps probe the Orchestration kernel (engine) related information (its actually is a standard JMX bean implementation). Its accessible via Enterprise Manager and exposes operations like pushing orchestration info to a file, finding event handlers, finding events per process etc. Also aids in debugging orchestration process failures



Enjoy !!!

Posted in Oracle Identity Governance, Oracle Identity Manager | Tagged , , , , | 2 Comments

Taking Ozark for a test drive…

Hey… my first screencast.. aka video blog ;-) Although it’s 20 minutes long, but I am pretty sure that actually writing a blog would have taken longer. Feels good… pretty efficient ha !

So what’s this about ?

Trying to experiment with Ozark, the Reference Implementation for MVC 1.0 which is a candidate for inclusion in the upcoming Java EE 8 Platform release..

The code is available on my github account (just in case!)


Posted in Java, Java EE | Tagged , , , | 1 Comment

True IDaaS . . . .

Pondering over the current state of IDaaS……

So what’s IDaaS to begin with ??

This post is not dedicated to defining IDaaS in depth. There are loads of other material you can read up if you are just interested in general theoretical stuff. But I’ll cover this briefly, just to set the tone…. I am not a sales rep, so let me keep this short and simple (just like an ideal program !) – IDaaS (Identity As A Service) is just a way to provide Identity Management solutions via a SaaS (Software As A Service) model. All your on-premise IDAM setup will be hosted in the cloud – that’s basically it. Of course its not black and white – there are pros and cons etc – but hey I am not Gartner or Forrester, so I am not going to deep dive into that stuff

What’s the perception of IDaaS today ?

For e.g. if I take a IDAM product from vendor X, deploy it in an IaaS (Infrastructure As A Service) provider Y (or even my own private cloud! doesn’t matter), does that make it an IDaaS solution ?

NO. I don’t think so. But this what I have been hearing… This is how people imagine IDaaS – IDAM product hosted in the cloud. From a customer perspective, it might be a big relief. Agreed ! No more infrastructure management cost and overhead and other good stuff like better pricing models etc….

But how does all this solve the problem from a technical standpoint??

Behind the scenes (from a technical implementation perspective) one still needs to go through the same set of processes – install, configure, deploy, provide HA, upgrade, migrate …. and the list just goes on …..
So, from what I see, everything is still the same, it’s just executed on some remote machine on the internet rather that the customer’s premise. In fact there are other things like exposing the customer’s internal systems to the cloud – of course they are going to be skeptical about this! One would need to resort to alternate solutions (none of which really makes sense to me.. I am not a networking wizard). We are introducing another variable. I was better off on-premise !

SO, is that really what we are looking for? Is that how we leverage the Cloud as we know it today in 2015 ?

Here is what I think…. [ and of course I am not perfect ;-) ]

True IDaaS cannot be realized without PaaS. This also implies that the IDAM product should be cloud and PaaS compatible (to an extent at least)

An IDAM SaaS product on top of PaaS = IDaaS. Yes. Think about things from a hardcore technical point of view – ease of deployment and installation, flexible configuration options, automatic scaling based on load (elastic), monitoring, developer friendly cloud tools, integration of continuous deployment and build tools and much more….

Let me explain it with an example. Think of Oracle Identity Manager implementation in a true IDaaS format.

  • Automated install: Ideally, I should be able to provision a cloud ready instance of Oracle IDM by using a simple GUI or a remote CLI rather than downloading 10 installer packages and hopping from machine to machine (on the cloud !!!)
  • Highly Available.. out of the box: I should be able to choose how many instances need to provisioned based on HA requirements, rather than going through a 2 month process for scaling out an instance.
  • On-demand scalability: I should be able to define policies based on which there should be automatic provisioning of additional instances based on load (think about OAM in cloud catering to millions of authentication requests in a day). I should be able to scale down on demand as well based on usage spikes (cost savings for the customer)
  • Simpler upgrades: Upgrading to the latest version should be simpler than what it is now. IMO upgrades are generally quite tricky but there should be some components which offer one click (ok maybe 3-5 clicks) upgrade
  • Monitoring: I should be able to monitor my IDAM components like Application Server, Database, LDAP directories etc
  • Developer friendly: MY development team should be able to leverage cloud ready dev tools (like IDEs etc) as well as automatic build tools (avoid manual intervention in deployment)

I am sure there are things I am missing.. but I hope you get the point.

PaaS is not a magic pill

Let’s not fool ourselves into thinking that way. Deep down, a lot depends on the core technology stack on top of which the IDAM product is implemented, since that what the PaaS product be closely tied to! e.g. For Oracle IDM, its Weblogic (As well as Webshpere). A lot depends on this container (or application server as we commonly call it). Hardcore SaaS products need to multi-tenant – without a doubt. The same applies for IDaaS products…. Dwelling into how Weblogic or Java EE supports cloud is another book in itself. So I’ll stop here.

End of rant, and I live happily ever after :-)

Until next time….
Stay curious !

Posted in Cloud, Oracle Identity Governance, Oracle Identity Manager | Tagged , , , , | Leave a comment

Java EE in embedded and micro avatars

I was reading up on Payara in general and was pleased to see them release a Micro version – which essentially enables you to launch Payara from command line [ java -jar payara-micro.jar ] without really setting up the entire application server. Basically, the payara-micro.jar IS your application server – it’s just that it can now fit in your pocket! More details on the Payara blog

Payara Micro CLI options

Payara Micro CLI options

Payara also offers embedded versions, both, Full Java EE 7 profile as well as the Web Profile.

I was wondering about …..

The differences b/w Payara Micro and Payara Embedded offerings ?

Payara Micro can be run in both embedded mode as well a CLI [ fat JAR from command line ] mode but the embedded versions need to be invoked from within another Java class .

from the Payara blog

from the Payara blog

I think the the micro version is cool but the embedded version also allows for some flexibility in terms of being able to bootstrap some configurations .. (and several other use cases maybe ?). Payara Micro is supposed to be implementing Java EE Web Profile with some additional functionality on top of it (as per blog post content). From what I observed, it offers Concurrency Utilities and Java EE Batch API as well (these are not required as part of Java EE Web Profile spec). Are there other differences? When should I use micro over Embedded Java EE Web Profile version ? Not quite sure

from the Payara blog

from the Payara blog

What positives can one extract out of these embedded and micro Java EE avatars ?

I know micro services are all the rage today but I am not knowledgeable to comment regarding them. Think of it this way – you have been itching to use Java EE 7 and found it to be perfect fit for that project at your workplace. But as usual, the sticking point is considering things like getting hold of a compliant application server (the runtime/container) – you might not be allowed to use that fancy piece of technology called Java EE 7 yet ! Your ideas crash [true story ;-)].

I think that’s about to change now. If you want to build that app where you can leverage all the Java EE goodies starting from EJB, CDI, REST to fancy stuff like Web Sockets and SSE, well just keep calm and build you WAR ! Don’t worry about the container – you need not procure an Application server and convince the entire management/architects etc. Now, the compliant runtime / container is just a simple JAR. Its more about creating the functionality and making it available for consumers rather than debating about app servers, compatibility, certification matrices etc.

Cloud…? what about cloud !

Not that tough! Imagine this – if you wanted to deploy a Java EE 7 application on cloud, you would need a PaaS provider which has support for Java EE 7 container (e.g. OpenShift). That’s fine. But do you realize that with a JAR as your application server, you do not really need to worry about a PaaS? Actually, all you need is IaaS (the infrastructure) e.g. a linux box with adequate RAM, disk etc should be enough to install Java and fire java -jar myappserver.jar … right ?

Testing and rapid prototyping

This one is a no brainer. Just like Embedded EJB containers made it simpler to test EJBs in isolation, having a pocket sized app server JAR should ease testing as well as rapid development/prototyping. Open up an IDE (preferably Netbeans), write your business logic, build your WAR and your are ready to rock

java -jar payara-micro.jar –deploy /home/abhi/Netbeans/MyJavaEE7App/dist/MyJavaEE7App.war

Cons ?

I am probably being optimistic right now. There will definitely be issues, caveats and cons when it comes to embedded/micro Java EE approach [I am sure the experts are at it right now !], but hey, guess I am too excited to think about them. I will discover some when I play around a little more :-)

Not to forget Wildfly Swarm !

Wildfly Swarm is another step towards harnessing the power of Wildfly application server from the comfort of a fat JAR. You can learn more from this blog post by Arun Gupta

Until next time…

Posted in Cloud, Java, Java EE | Tagged , , , , , , , | 2 Comments

I know you love purging the OIM cache ;-)

I know you love PurgeCache.sh – even if you don’t, aren’t you curious about what it does ?

Oracle IDM uses OSCache from the OpenSymphony project for in memory caching of objects in order to avoid repetitive calls to database and improve performance (of course !). In case you are not familiar with caching in general, I am pretty sure that as someone working on OIM, you would have executed PurgeCache.sh at some point in your career – so there it is ! If you have ever purged OIM’s cache, you have indirectly used OSCache.. yay !

How is it implemented ?

  • OIM uses a facade/wrapper over the core OSCache caching APIs
  • XLCacheProvider is essentially used as the generic interface which is implemented by a class called OSCacheProvider (this is OIM specific). You should be able to see an entry of this class in oim-config.xml (caching categories config section). It’s FQDN is oracle.iam.platform.utils.cache.OSCacheProvider
  • This class implements the contract put forth in the XLCacheProvider interface and leverages internal OSCache APIs
  • It caters to operations like adding to cache, removing entry from a cache, purging the entire cache etc. It also supports the notion of cache categories or groups. Sounds familiar ? The category is something which you provide as an input to PurgeCache script e.g. MetaData, User, Catalog, LookupValues etc. Please note that these are constant values and need to provided as it is

What categories of objects does OIM cache ?

Well there is lots, from adapters, to application instance details, resource bundles etc Actually, the list is pretty long ;-)

How does OIM use this Cache ?

Pretty straightforward actually. The caching logic is implemented within the core server business logic itself and items from different categories (mentioned above) are explicitly pushed into the cache by calling the high level APIs e.g. look up related calls, user search details, MDS data etc (just the tip of the iceberg)

How much control/visibility do we have over the cache ?

From what I know, not much apart from disabling/enabling the cache per category and configuring things like expiry time etc (all via oim-config.xml) and of course purging it ;-)

From what I have observed, we cannot

  • introspect the cache
  • validate it contents
  • confirm whether out favorite PurgeCache is in fact working ;-)

Why ? Simply because it does not expose the internal interfaces of the OSCache API to us (figuring out how and why is left to you as homework) and as of now I am not aware of how to hook into an in memory OSCache instance (maybe its possible ?)

So that brings me to another question

Should we plug in our own caching implementation ?

Sounds risky doesn’t it ? Well that’s why I haven’t heard people doing it. But it should definitely be theoretically possible

  • Provide a custom implementation of XLCacheProvider interface
  • Package it as a JAR into APP-INF/lib folder within oim.ear (OIM_HOME/server/apps)
  • change the provider attribute in the cacheConfig tag within oim-config.xml to reflect your custom implementation.

Some more thoughts

  • If I decide to play with this, I’ll certainly opt for the JCache API [JSR 107] in order to implement this. At least this is a standard API !
  • Maybe even expose cache metrics as read only attributes over a RESTful interface ? I think this should be useful (from a geeko-meter perspective !)

What do you think ?? :-)

Until next time… Hack away!

Posted in Java, Oracle Identity Manager | Tagged , , | Leave a comment

Packt celebrates International Day Against DRM !

2015 Banner

To demonstrate their continuing support for Day Against DRM, Packt is offering all its DRM-free content at $10 for 24 hours only on May 6th – with more than 3000 eBooks and 100 Videos available on www.packtpub.com.

Hurry up since this is a special 24 hour flash sale where all eBooks and Videos will be $10 until tomorrow.

Cheers !

Posted in Books | Tagged , , , | Leave a comment