EJB design: Configure Oracle 10g Single Sign-On to work with J2EE.

  1. Today's enterprise-wide systems are becoming increasingly sophisticated with a variety of operating systems and software development platforms. This presents the constant challenge of integration, which requires creative ways of configuring products from multiple vendors to work in tandem. This article presents another useful tip in this quest for integration. The Oracle 10g Application Server (10gAS) family of products provides a wide range of components for enterprise portals, content management, and application security. One useful component for Web applications is the Oracle Single Sign-On (SSO) authentication module, which is functionally similar to Netegrity SiteMinder from Computer Associates. Oracle SSO Oracle SSO is implemented using the: • mod_osso Apache module • SSO J2EE components • SSO database repository • SSO PL/SQL components SSO uses Oracle Internet Directory (OID), which is an Oracle database based LDAP compliant directory server. This integration has been tested with Oracle 10gAS. For the companies using Oracle 10gAS as well as Java, this article presents a simple yet effective method for using Oracle SSO running on Linux, Windows, Solaris or any other supported platform for Java base web applications running Oracle 10g Application Server. The method In this setup, mod_osso will make sure a valid user is logged in before the mod_proxy module proxies to the Java applications. If nobody is logged in when accessing the protected page, SSO will redirect the browser to a login page, authenticate the user, and then redirect back to the page initially requested. This setup will guarantee that somebody is logged in using SSO before the user is allowed to reach the Java application. This method means application users need to be set up in OID beforehand because SSO uses OID to validate user credentials. Proxy setup The first step is to set up the mod_proxy of Apache in Oracle 10gAS to channel requests to Java applications on any J2EE server. Using the Oracle 10gAS Enterprise Manager (EM) console or by directly editing $ORACLE_HOME/Apache/Apache/conf/httpd.conf, add the following entries: ProxyPass /myapp/ http://j2ee_server:port/myapp/ ProxyPass /myapp http://j2ee_server:port/myapp/ ProxyPassReverse /myapp/ http://j2ee_server:port/myapp/ ProxyPassReverse /myapp http://j2ee_server:port/myapp/ In the above example as well as in the rest of the article, please, replace myapp, j2ee_server:port, and 10gashost:port as it applies to your situation. SSO setup The second step is to set up Oracle SSO to protect the application's URL. Using EM console or by directly editing $ORACLE_HOME/Apache/Apache/conf/mod_osso.conf, add the following lines just before the : require valid-user AuthType Basic require valid-user AuthType Basic Please note that if you directly edit httpd.conf or mod_osso.conf without using the EM console, you must apply the changes to the DCM repository using: $ORACLE_HOME/bin/emctl stop iasconsole $ORACLE_HOME/dcm/bin/dcmctl updateConfig -ct ohs -v -d $ORACLE_HOME/bin/emctl start iasconsole It is important to restart Apache after the configuration. The easiest way, again, is to use EM console. Alternatively, use: $ORACLE_HOME/opmn/bin/opmnctl restartproc ias-component=HTTP_Server Java application The Java application will be accessible through 10gAS using the following URL: http://10gashost:port/myapp/ In the application, use HTTP header Osso-User-Dn to identify the current application user, e.g.: String loginDn = httpRequest.getHeader("Osso-User-Dn"); // more attributes /* httpRequest.getHeader("Osso-User-Guid"); httpRequest.getHeader("Osso-Subscriber"); httpRequest.getHeader("Osso-Subscriber-Dn"); httpRequest.getHeader("Osso-Subscriber-Guid"); httpRequest.getHeader("Accept-Language"); */ The User DN format used in SSO/OID should be: cn=userid,cn=users,dc=yourdomain,dc=com If the application detects that the Osso-User-Dn header is not set, then the browser is attempting to access the application directly and not through 10gAS. In such a situation, as a good usability practice, we suggest that the application redirect the browser to the correct URL, which will take care of the SSO authentication for the Java application. To let users log out of SSO directly from the Java application, use the following link: http://10gashost:port/osso_logout?p_done_url=http://10gashost:port/ The p_done_url specifies the URL to redirect to after the logout. Users will access the Java application using: http://10gashost:port/myapp/
  2. Thanks alot Saqib. I have been desperately looking for such help on Oracle SSO. I tried Oracle stuff, google and other search engines, but i wasn't able to help my cause. Thanks alot for your such prolific article, this has really helped me to work with SSO with J2EE. You Rule!!!
  3. Thanks Saqib, I followed your steps and I have manged to make SSO integration. however, once the request redirected back to the application, the CSS is lost and some links within the application is mapped to the original application url and others to the SSO server url.
  4. Oracle sso with tomcat[ Go to top ]


    Application Server: Tomcat 5
    SSO server : Oracle Single Sign On (SSO)
    Application : J2EE Web application


    I have created a web application and deployed in Tomcat application server. Now I want to provide Single Sign On feature to that web application. For that I have Installed Oracle single sign on server on one machine. I have read about the external application component of Oracle Single Sign On. I want that,When user access my web application URL it should redirect to single sign on login window. Once single sign on authenticate that user with OID it should redirect to user to the application's home page.

    I want to integrate the tomcat web application as a external application in Oracle SSO.

    What kind of configuration I need to implement above scenario ?

    Note: User will access the web application URL from browser.

    Thanks in advance. Your help will be appreciated.