Archived Content
This article is provided for historical perspective only, and may not reflect current conditions. Please refer to relevant product page for more up-to-date product information and resources.
Case Study


Governance Registry Brings Integrity to SaaS Platform

CAST Research Project Creates Extensible and Customizable SaaS Platform Using WSO2 Governance Registry

Being open to third-party extensions and customizations is an increasingly desirable property for software-as-a-service (SaaS) platforms. It is also a fundamental prerequisite for the emergence of an ecosystem around a SaaS platform. But what are the implications of such openness with respect to maintaining the platform's stability and reliability? Working to answer this question is the South-East European Research Centre (SEERC), a non-prot, multidisciplinary research center run by City College Thessaloniki, the International Faculty of the University of Sheeld in Greece (

In collaboration with CAS Software AG—the leading CRM expert in Germany, SEERC established the CAST research project, which focused on creating a cloud platform supporting the development and customization of SaaS enterprise applications by third parties ( In support of the project, CAST researchers developed methods and tools for the development, packaging and execution of enterprise applications on the CAST platform, and a suite of mechanisms for governing the platform and preventing threats to its integrity and performance.

At the center of the CAST cloud application platform is the CAST Registry & Repository, which is built on the WSO2 Governance Registry and serves to maintain the platform’s stability and reliability through eective governance.

CAST External Service Monitoring Gadget


Figure 1

Balancing Openness and Flexibility with Consistency

The ultimate goal of the recently completed CAST project was to deliver a commercially viable platform-as-a-service (PaaS) that not only supports the development and deployment of on-demand (SaaS) business applications, but does so in a way that facilitates the creation of a value network and ecosystem around the platform. Developers will be able to create their own business applications, combine these with existing applications being oered by the platform provider or third parties, integrate them with external systems through Web services, and oer the end result as a new SaaS solution.

However, researchers at SEERC's Information & Knowledge Management research group, led by Dr. Iraklis Paraskakis, quickly recognized the need to balance the exibility to extend and customize cloud applications with a system for ensuring a consistent level of stability, performance and reliability. Additionally, they wanted to keep the platform provider's eorts to manage the development and deployment process as low as possible.

"Since third-parties are out of the platform provider's control, how could we make sure that their applications would comply with all of the platform provider's policies and run smoothly, without stalling the platform? We knew we needed a mechanism to address this and other governance-related concerns," recalled Dimitrios Kourtesis, a researcher at SEERC. "We needed to prevent problematic a researcher at SEERC. "We needed to prevent problematic solutions, applications and services from being deployed to the platform's runtime infrastructure. We also had to ensure visibility over all assets in the platform and their interdependencies, keep track of the behavior of external services on which applications depend, and control the evolution of dierent software components."

Comparing Middleware Competitors

SEERC researchers determined that the CAST Registry & Repository system would serve as a central location in which the entities and artifacts necessary to the operation of the CAST platform would be stored, organized, and managed throughout their lifecycle. It also would provide a space and a set of functions for enabling the eective governance of entities and artifacts from creation to retirement.

Governance would be supported by providing specialized tools to assist the users of the system, such as platform administrators and solution developers, in performing standard quality assurance tasks, as well as tools to automate a number of quality controls by applying conformance checking and data validation in accordance with the platform governance rules.

Among the functions the CAST Registry & Repository would be designed to support were:

  • Central cataloging of solutions, applications, and external services, and storage of their associated artifacts in a platform-wide accessible location.
  • Versioning of managed entities and artifacts to reect signicant changes and to designate new states in development.
  • Controlling the evolution of managed entities and artifacts, by modeling lifecycle states and associating validation checks with state transitions.
  • Tracking dependencies among solutions, applications and services, and allowing for impact analysis.
  • Performing conformance checking to ensure that managed entities and artifacts comply with the platform provider's policies.
  • Monitoring of the external Web services on which applications are dependent to ensure appropriate levels of availability and performance, considering service-level agreements (SLAs).

Selecting the WSO2 Governance Registry

In evaluating products on which the CAST Registry & Repository would be built, SEERC researchers had two primary considerations. First, they determined that there were many best practices to be adopted from existing solutions for SOA governance. Second, they wanted to support a basic tenet of the CAST research project to use open source software wherever possible. These considerations narrowed the search to two candidates: the WSO2 Governance Registry and Mule Galaxy. Product testing then led SEERC to choose WSO2.

"The WSO2 Governance Registry was a more mature and stable product," Kourtesis explained. "It had the functionality we needed like the repository, dependency tracking, lifecycle management, and handlers for triggering our validators."

Another notable benet of the WSO2 Governance Registry was its extensible, OSGi-based architecture, which would facilitate the SEERC researchers' own development, as well as facilitate customization. The researchers also noted the product's attractive user interface; programmatic API with SOAP for remote registry operations; and an architecture that was comprehensive, understandable and clean.

"All considered, WSO2 Governance Registry provided the strongest basis for our cloud application platform," Kourtesis said.

Putting the Model into Practice

Today, the WSO2 Governance Registry delivers core functionality within the CAST Registry & Repository, including cataloging and storage, policy conformance checking and lifecycle management.

The initial implementation was completed in six months. During this time, SEERC researchers were able to customize the software and add a number of extensions. These have included a new widget for displaying validation errors indicating policy violations, a widget for displaying dependencies among solutions, applications and external services, new dashboard gadgets, new lifecycle managers, new media type handlers and lters to determine when a new software component has been added, and changes to the user interface (UI).

"Since our key objective was to help the platform provider in managing the platform and mitigating the risks associated with its complexity, we also created extensions to provide insight into the shared components and services," Kourtesis explained. "For example, we created a dependency tracking and impact analysis gadget that provides a visual display of the chain of services. If you want to change a service, you can select that service and see how many applications and solutions are aected by the change."

"The component-based OSGi design of the WSO2 Governance Registry has made development easier, and the components are versatile enough for us to reuse,"

CAST Impact Analysis Gadget


Figure 2

Another extension is a monitoring engine that polls external services to check if they are alive, responsive and reliable. It is one of the many instances where SEERC researchers have taken advantage of the WSO2 Governance Registry's support for the OSGi specication.

"The same OSGI container for the WSO2 Governance Registry also runs our SLA monitoring engine," noted Konstantinos Bratanis, another researcher at SEERC who worked on the CAST project. "We've also used OSGi components to create a custom notication mechanism and logic for rolebased access management."

Role-based access management "allows each developer to have his own space and each organization to have its own tree structure within the platform," Kourtesis said. "Developers can use it to kick-start the deployment process once local development is completed." This includes the ability to upload artifacts, check performance with policies, and test platform integration to ensure that all of the platform provider’s criteria are fullled.

Because WSO2 is 100% open source and supports open development, SEERC researchers were able to rely on the open source community, online documentation and mailing lists to address questions they had during their implementation.

Looking ahead, the results of the CAST project, which was co-funded by the EUREKA Eurostars program, will be fed into the development and commercial launch of a nextgeneration PaaS oering by CAS Software AG, the project's coordinator, within the next couple of years.

"The WSO2 Governance Registry has provided us the basis for the CAST Registry & Repository and has fullled our functional requirements," Kourtesis said. "We are excited to see our CAST platform simplify the concerns of enterprises looking to provide on-demand enterprise software applications."


Interested in similar content?