Configuring Oracle Self-Service E-Billing to use a Single Sign-on System


Spring Security provides hooks for single sign-on implementations, such as Central Authentication Service (CAS) or OpenID. It also supports LDAP and Pre-Authentication. You can customize the Spring Security implementation for your system requirements. For more information on how to implement customized hooks, see the Spring Security documentation at

http://static.springsource.org/spring-security

Also consult your single sign-on system vendor for information on integration with Spring Security.

The following procedure provides an example of how to integrate Oracle Self-Service E-Billing with CAS on Oracle WebLogic. The specific steps and files required for your SSO implementation will vary. For the Customer Service Representative and Web Services applications, additional examples of how to integrate Oracle Self-Service E-Billing with CAS are in the EDX_HOME/samples/sso directory.

To integrate Oracle Self-Service E-Billing with CAS on Oracle WebLogic (Example)

  1. Download the libraries required to support integrating your SSO implementation with the CAS server (CAS Server 3.4.11) to the EDX_HOME\J2EEApps\ebilling\weblogic\ebilling-weblogic-6.2.ear\lib directory. These are open source resources and can be obtained from any public Maven repository, the CAS Web site, and so on. These can include files such as:
    • cas-client-core-3.1.10.jar
    • opensaml-1.1b.jar
    • spring-security-cas-3.1.0.RELEASE.jar
    • xmlsec-1.3.0.jar
  2. Add the JAR file paths to the MANIFEST.MF file found in the EDX_HOME\J2EEApps\ebilling\webcear\APP-INF\lib\xma-classpath.jar\META-INF\ directory, such as:

    ../../lib/xmlsec-1.3.0.jar ../../lib/opensaml-1.1b.jar ../../lib/spring-security-cas-3.1.0.RELEASE.jar ../../lib/cas-client-core-3.1.10.jar

  3. If there are any conflicts among third party library versions, then add the following statement to the weblogic-application.xml file found in the EDX_HOME\J2EEApps\ebilling\weblogic\ebilling-weblogic-6.2.ear\META-INF\ directory:

    <package-name>{jar path}</package-name>

    For example:

    <package-name>org.opensaml.*</package-name>

  4. Add the following content to the web.xml file found in the EDX_HOME\J2EEApps\ebilling\weblogic\ebilling-weblogic-6.2.ear\ebilling-web-1.0-SNAPSHOT.war\WEB-INF directory:

    <filter>
      <filter-name>characterEncodingFilter</filter-name>
      <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
      <init-param>
        <param-name>encoding</param-name>
        <param-value>UTF-8</param-value>
      </init-param>
    </filter>
    <filter-mapping>
      <filter-name>characterEncodingFilter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>
    <listener>
      <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
    </listener>

  5. Edit the session timeout filter in the web.xml file:

    <param-value>(/j_spring_security_check|/nonAuth/logout.action|/j_spring_cas_security_logout).*</param-value>

  6. Edit the spring-security.xml file found in the EDX_HOME\config\security\ebilling\ directory. Update the following:
    • Add a CAS entry point to the security:http statement:

    <security:http entry-point-ref="casEntryPoint" access-decision-manager-ref="accessDecisionManager">

    • Add a CAS custom filter to the security:http statement:

    <security:custom-filter position="CAS_FILTER" ref="casFilter" />

    • Add beans serviceProperties, casFilter, and casEntryPoint:

    <bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
      <property name="service">
        <value>https://your_server_name:7062/ebilling/j_spring_cas_security_check</value>
      </property>
      <property name="sendRenew" value="false"/>
    </bean>

    <bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
      <property name="authenticationManager" ref="authenticationManager"/>
    </bean>

    <bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
      <property name="loginUrl" value="https://your_server_name:8443/cas-server-webapp-3.4.11/login"/>
      <property name="serviceProperties" ref="serviceProperties"/>
    </bean>

    • Set the service value to the URL of your Oracle Self-Service E-Billing application. Set the login URL value to the URL of your CAS server login.
    • Update the authentication provider:

    <security:authentication-provider ref="casAuthenticationProvider" />

    • Add the bean casAuthenticationProvider:

    <bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
      <property name="authenticationUserDetailsService">
        <bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
          <constructor-arg ref="userDetailsService" />
        </bean>
      </property>
      <property name="serviceProperties" ref="serviceProperties" />
      <property name="ticketValidator">
        <bean class="org.jasig.cas.client.validation.Saml11TicketValidator">
          <constructor-arg index="0" value="https://your_server_name:8443/cas-server-webapp-3.4.11" />
        </bean>
      </property>
      <property name="key" value="an_id_for_this_auth_provider_only"/>
    </bean>

    • Add a custom filter for single logout:

    <security:custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER"/>

    <security:custom-filter ref="singleLogoutFilter" before="CAS_FILTER"/>

    • Remove the following:

    <security:logout logout-success-url="/nonAuth/logout.action"/>

    <security:form-login login-page="/nonAuth/login.action" default-target-url="/reporting/reportStart.action" authentication-failure-url="/nonAuth/login.action?login_error=1"/>

    • Add the filter definitions:

    <!-- This filter handles a Single Logout Request from the CAS Server -->
    <bean id="singleLogoutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter"/>

    <bean id="requestSingleLogoutFilter"
          class="org.springframework.security.web.authentication.logout.LogoutFilter">
      <constructor-arg value="https://your_server_name:8443/cas-server-webapp-3.4.11/logout?service=https://your_server_name:7062/ebilling"/>
      <constructor-arg>
        <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
      </constructor-arg>
      <property name="filterProcessesUrl" value="/j_spring_cas_security_logout"/>
    </bean>

    • Set the URL of your CAS server.
  7. Install the certificate file for both the SSO system and Oracle Self-Service E-Billing if an SSL connection is enabled.
  8. Configure Oracle Self-Service E-Billing to work in SSO enabled mode, which turns on and off the appropriate UI features. Make the following edits in the globalConfig.xma.xml file, found in the EDX_HOME/xma/config/modules folder:
    • Turn on the global configuration flags for SSO. Change the following property values to true:

    <property name="ebillingSingleSignOnEnabled"><value>false</value></property>

    <property name="csrSingleSignOnEnabled"><value>false</value></property>

    • If you use Web Services, then set the following SSO flag to true:

    <property name="ebillingWebServiceSingleSignOnEnabled"><value>false</value></property>

    • Add a URL for single sign-out. The default value for CAS is j_spring_cas_security_logout:

    <property name="singleSignOutUrl"><value>j_spring_cas_security_logout</value></property>

    • Add a home page link for the Billing and Payment application and the CSR application:

    <property name="ebillingHomePageUrl"><value>http://localhost:7001/portlet</value></property>

    <property name="csrHomePageUrl"><value>http://localhost:7001/portlet</value></property>
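
A post-edit check for step 6, added here as an example (it is not part of the Oracle guide or the product): it parses spring-security.xml and reports CAS wiring that is missing, elements the step says to remove, URLs that are not HTTPS, and placeholder literals from this page that were left unchanged. Assumptions: the `security:` prefix is bound to the standard Spring Security namespace, and the function name `audit` and the hosts in the sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SEC = "{http://www.springframework.org/schema/security}"  # assumed binding of security:
PLACEHOLDERS = ("your_server_name", "an_id_for_this_auth_provider_only")  # from step 6

# Constructed sample (not a real deployment): step 6 applied with four mistakes left in.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:security="http://www.springframework.org/schema/security">
 <security:http entry-point-ref="casEntryPoint">
  <security:custom-filter position="CAS_FILTER" ref="casFilter"/>
  <security:custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER"/>
  <security:form-login login-page="/nonAuth/login.action"/>
 </security:http>
 <bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties">
  <property name="service"><value>http://billing.example.test:7062/ebilling/j_spring_cas_security_check</value></property>
 </bean>
 <bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
  <property name="key" value="an_id_for_this_auth_provider_only"/>
 </bean>
</beans>"""

def audit(xml_text):
    """Return a list of findings for a spring-security.xml edited as in step 6."""
    root, found = ET.fromstring(xml_text), []
    http = root.find(".//" + SEC + "http")
    if http is None or http.get("entry-point-ref") != "casEntryPoint":
        found.append("security:http does not use casEntryPoint")
    refs = {f.get("ref") for f in root.iter(SEC + "custom-filter")}
    for ref in ("casFilter", "singleLogoutFilter", "requestSingleLogoutFilter"):
        if ref not in refs:
            found.append("missing custom-filter: " + ref)
    # Step 6 says to remove these two elements.
    for tag in ("form-login", "logout"):
        if root.find(".//" + SEC + tag) is not None:
            found.append("security:" + tag + " still present")
    for el in root.iter():
        # Skip xsi:schemaLocation: its http:// strings are schema names, not endpoints.
        values = [v for k, v in el.attrib.items() if not k.endswith("schemaLocation")]
        for v in values + [(el.text or "").strip()]:
            if v.startswith("http://"):
                found.append("non-HTTPS URL: " + v)
            if any(p in v for p in PLACEHOLDERS):
                found.append("placeholder not replaced: " + v)
    return found

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
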

Implementation Guide for Oracle Self-Service E-Billing Copyright © 2014, Oracle and/or its affiliates. All rights reserved. Legal Notices.