The use of pluggable authentication drivers with a BI Beans application is optional, is external to BI Beans, and must be registered and turned on if used. You can use one driver to handle authentication for the BI Beans Catalog, and another driver to handle authentication for the OLAP service.
When a user attempts to start an application and make a connection, the authentication driver (if registered), is invoked before the connection driver.
AuthenticationProvider
interface specificationA pluggable authentication driver must implement the AuthenticationProvider
interface from the oracle.dss.security
package.
public interface AuthenticationProvider { public void authenticate(Hashtable properties) throws BISecurityException; }
Incoming arguments to the authenticate
method allow information to be passed from the application to the authentication driver. The authenticate
method authenticates the user and, when successful, adds information to the incoming arguments.
By default, no authentication driver is used. If you implement a pluggable
authentication driver, the authenticate
method is invoked only
upon connection to a data store (such as the BI Beans Catalog or an OLAP data
source). The authentication driver is called first and can pass the required
user name and password to the BI Beans Catalog connection driver or to the OLAP
connection driver. The authentication driver can throw a BISecurityException
to the BI Beans runtime environment, if the authentication fails.
You can pass parameters from the authentication driver to the connection driver by setting additional properties in the hash table in the authenticate
method. The updated hash table is made available to the appropriate pluggable connection driver. For example, you can authenticate users with multiple names by allowing all users to connect to the data source using the same name. With this single name, there is only one connection to the data source.
If you will authenticate at the application-level (that is, during startup), then Oracle Application Server Single Sign-On or another such mechanism is invoked first, before the application starts to run. Once Oracle Application Server Single Sign-On has authenticated the user, it writes a cookie to the browser and allows the application to run.