An Oracle Application Server Single Sign-On authentication solution allows the user to log in once and to access all applications and application services across the enterprise. In a true Oracle Application Server Single Sign-On system, a user who logs into an Oracle application does not have to log in again before running another Oracle application. Using Oracle Application Server Single Sign-On facilities, you can implement a security solution for your BI Beans application that uses HTML-client deployment.
If you have the proper knowledge and ability, then you can implement a different single sign-on solution. BI Beans includes sample code for helping you implement Oracle Application Server Single Sign-On.
If you plan to use Oracle Application Server Single Sign-On with a BI Beans application, ensure that the following requirements are met:
A version of Oracle Application Server that is compatible with this version of BI Beans has been properly installed and configured. This installation includes the mod_oc4j and mod_osso modules.
Oracle Application Server Single Sign-On is limited to browser-based clients. Therefore, your BI Beans application must use thin beans in order to enable Oracle Application Server Single Sign-On.
The application or Oracle HTTP Server can be deployed as a partner application in Oracle Application Server. If you use mod_osso (as described below), then mod_osso serves as the partner application. If you do not use mod_osso, then the BI Beans application must be a partner application in Oracle Application Server Single Sign-On.
Cookies must be enabled in the browsers of users of the BI Beans application.
The Oracle Application Server Single Sign-On implementation can be integrated with external systems that supply a community of users such as an Oracle Internet Directory (or OID -- Oracle's implementation of an LDAP service) or the Oracle database.
The mod_osso module assists in the authentication of users of the application. The following list describes the sequence of steps for authenticating users in this manner:
A user requests a resource (such as a BI Beans application) from a browser.
Oracle HTTP Server receives the request and determines that the requested resource must be protected, based on the configuration in the server.
Oracle HTTP Server employs its module called mod_osso. This module runs as a partner application that manages communication between the Oracle Application Server Single Sign-On Server and the BI Beans application.
The mod_osso module intercepts every request for a protected resource. The mod_osso module inserts the user identity in every HttpServletRequest object so that the application can access the identity using the getRemoteUser method.
The mod_osso module checks for the existence of a cookie that the module might have already created for this user. If the cookie exists, then the mod_osso module retrieves the user's identity and uses this information to log the user in for access to the requested resource. If the cookie does not exist, then the mod_osso module redirects the request to the Oracle Application Server Single Sign-On Server.
If the Oracle Application Server Single Sign-On Server receives the redirected request, then that Server checks for the existence of its own login cookie, to determine if it has authenticated this user previously. If the login cookie does not exist, then the Server authenticates the user (by prompting for a user name and password) and creates a cookie to remind itself later that it has already authenticated this user. If the login cookie does exist, then the Server creates another cookie to remind itself later that it has already authenticated this user. In either case, the Server sends a message back to the mod_osso module in which the Oracle Application Server Single Sign-On Server returns the user's encrypted identity.
The mod_osso module uses the information in this message to make its own cookie and displays the appropriate resource in the browser.
When the user is successfully authenticated, the user name is returned and the cookie (where authenticated identities are stored) is updated in the client browser. The mod_osso module passes the user name to the application that requested authentication, and Oracle HTTP Server loads the requested application. If authentication is not successful, then an exception is thrown. For subsequent transactions, Oracle Application Server Single Sign-On uses the authentication information that is stored in the cookie.
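The cookie and redirect decisions in the sequence above can be traced with a small model. This is an added example, not Oracle or BI Beans code: the class names, the cookie names, the second partner application webapp2 and the HMAC tag standing in for the "encrypted identity" message are all assumptions made for illustration. It goes slightly beyond the text by showing a second partner application reusing the Server's login cookie, and a partner cookie that fails verification being rejected.

```python
import hashlib
import hmac
import secrets

def tag_for(key, user):  # assumption: an HMAC tag stands in for the encrypted identity
    return hmac.new(key, user.encode(), hashlib.sha256).hexdigest()

class SsoServer:  # toy stand-in for the Single Sign-On Server
    def __init__(self, users):
        self.users, self.keys, self.sessions, self.prompts = users, {}, {}, 0
    def register_partner(self, partner_id):
        self.keys[partner_id] = secrets.token_bytes(32)
        return self.keys[partner_id]
    def handle_redirect(self, partner_id, browser, credentials):
        user = self.sessions.get(browser.get("sso_login"))
        if user is None:  # no login cookie: prompt for name and password
            self.prompts += 1
            name, password = credentials
            stored = self.users.get(name)
            if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
                raise PermissionError("authentication failed")
            user = name
            browser["sso_login"] = secrets.token_hex(16)
            self.sessions[browser["sso_login"]] = user
        return f"{user}.{tag_for(self.keys[partner_id], user)}"

class PartnerModule:  # toy stand-in for mod_osso protecting one application
    def __init__(self, partner_id, sso):
        self.id, self.sso = partner_id, sso
        self.key = sso.register_partner(partner_id)
    def remote_user(self, browser, credentials=("", "")):
        token = browser.get(self.id)
        if token is None:  # no partner cookie: redirect to the SSO server
            token = self.sso.handle_redirect(self.id, browser, credentials)
        user, _, tag = token.rpartition(".")
        if not hmac.compare_digest(tag.encode(), tag_for(self.key, user).encode()):
            raise PermissionError("identity token rejected")  # fail closed
        browser[self.id] = token  # the module's own cookie
        return user  # what the application would read via getRemoteUser

def demo():
    sso = SsoServer({"alice": "constructed-password"})  # constructed user table
    app1, app2 = PartnerModule("webapp1", sso), PartnerModule("webapp2", sso)
    browser = {}  # cookie jar of one browser
    first = app1.remote_user(browser, ("alice", "constructed-password"))
    again = app1.remote_user(browser)  # partner cookie hit, no redirect
    other = app2.remote_user(browser)  # login cookie hit, no password prompt
    return first, again, other, sso.prompts
```

In the model the password is requested once for three requests across two applications, and the identity is only handed to the application after the module has verified it with its own key.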
The following figure illustrates an Oracle Application Server Single Sign-On authentication system for a BI Beans application, as described in this topic.
Perform the following steps to enable the use of Oracle Application Server Single Sign-On with a BI Beans application:
Ensure that you have met the requirements that are outlined above.
Using JDeveloper, create a BI Beans application using thin beans.
In JDeveloper, use the BI Servlet Generation wizard to generate a servlet application with pages that allow users to log in and to log out.
Use sample code that is provided with BI Beans. After you run the BI Servlet Generation wizard, search for a file with a name such as BIControllerx.java, where x is an integer.
In this file, uncomment the code for the preRequestProcess method. This code allows the application to retrieve the user name.
Uncomment the code for the handlePageEvent method to handle users globally logging out. When users log out, the application redirects the browser to a URL that is defined by the Oracle Application Server Single Sign-On Server.
Once the application is deployed to the OC4J servlet engine, you must edit two files. For the purpose of example, assume that the deployed application name is webapp1.
Edit the httpd.conf file to include the following code:

    <Location /webapp1>
        AuthType Basic
        require valid-user
    </Location>

Edit the orion-web.xml file in the IAS-Home/j2ee/home/applications/your-application-path/WEB-INF directory to include the following code:

    <login-config-props>
        <auth-method>SSO</auth-method>
    </login-config-props>

Test the application by running it in a browser using the following URL:

    http://host-name:port-number/your-application-path/mypackage.BIController1

where mypackage is the package name and BIController1 is the application name.
For complete information, refer to the Oracle Application Server Single Sign-On documentation.