Release 2 (9.0.2)
Part Number A96114-01
 Home |
 Solution Area |
 Contents |
 Index |
| Oracle9iAS Single Sign-On Application Developer's Guide Release 2 (9.0.2) Part Number A96114-01 |
|
This chapter provides sample programs that illustrate how to enable partner applications for Single Sign-On.
The chapter covers the following topics:
The example that follows shows how to develop a partner application using PL/SQL APIs. The example incorporates three procedures: SAMPLE_SSO_PAPP.SSOAPP, SAMPLE_SSO_PAPP.SIGN_ON, and SAMPLE_SSO_PAPP.LOGOUT.
This procedure constructs the application URL. It requires authentication to access it. The procedure checks to see if the application cookie exists and user information can be retrieved; otherwise it redirects the user to the Single Sign-On server by generating a redirect URL.
This procedure gets the URLC token from the Single Sign-On server, decrypts it, and retrieves user information and the requested URL. It sets the application cookie and redirects the browser to the partner application URL.
This procedure implements the logout URL for the application.
/* papp.pks */ CREATE OR REPLACE PACKAGE sample_sso_papp IS PROCEDURE ssoapp; PROCEDURE sign_on(urlc IN VARCHAR2); PROCEDURE logout; END sample_sso_papp; / show errors package sample_sso_papp; /* papp.pkb */ set define on; set verify off; CREATE OR REPLACE PACKAGE BODY sample_sso_papp IS g_listener_token VARCHAR2(1000); g_requested_url VARCHAR2(1000); g_cancel_url VARCHAR2(1000); g_cookie_domain VARCHAR2(1000); p_html_str VARCHAR2(32000); g_cookie_path VARCHAR2(1000) := '/'; g_dad_name VARCHAR2(100) := '&partner_app_dad_name'; g_cookie_name VARCHAR2(1000) := g_dad_name; g_schema_name VARCHAR2(100) := user; PROCEDURE init_params AS l_host_name VARCHAR2(256); l_server_port VARCHAR2(256); l_protocol VARCHAR2(256); BEGIN begin htp.init; exception when others then null; end; l_host_name := owa_util.get_cgi_env('SERVER_NAME'); l_server_port := owa_util.get_cgi_env('SERVER_PORT'); -- the mod_plsql gateway will pass in the protocol in -- a new environment variable REQUEST_PROTOCOL. -- The SERVER_PROTOCOL, which the Apache Listener sets, -- and currently always sets to HTTP/1.0, will not be -- modified by the gateway. l_protocol := owa_util.get_cgi_env('REQUEST_PROTOCOL'); g_listener_token := l_host_name || ':' || l_server_port; if(l_protocol is null) or (length(l_protocol) = 0) then l_protocol := 'http'; end if; l_protocol := lower(l_protocol); g_requested_url := l_protocol || '://' || g_listener_token || '/pls/' || g_dad_name || '/' ||g_schema_name ||'.sample_sso_papp.ssoapp'; g_cancel_url := l_protocol || '://' || g_listener_token; g_cookie_domain := l_host_name; EXCEPTION when others then htp.p(SQLERRM);htp.nl; END init_params; /* Get user information */ FUNCTION get_user_info RETURN VARCHAR2 IS l_user_info VARCHAR2(1000); l_app_cookie owa_cookie.cookie; BEGIN l_app_cookie := owa_cookie.get(g_cookie_name); if (l_app_cookie.num_vals > 0) then l_user_info := l_app_cookie.vals(1); if l_user_info is not null then l_user_info := wwsec_sso_enabler.decrypt_cookie( g_listener_token, l_user_info); end if; else l_user_info := NULL; end if; return l_user_info; EXCEPTION WHEN OTHERS THEN htp.p('get_user_info: '||SQLERRM);htp.nl; END get_user_info; function gen_html_post_str ( l_gen_url IN VARCHAR2 ) RETURN VARCHAR2 IS l_htmlstr varchar2(1000); l_ls_url varchar2(1000); l_tname varchar2(100); l_tvalue varchar2(1000); l_len number; l_qindex number; l_eq_index number; BEGIN l_len := length(l_gen_url); l_qindex := instr(l_gen_url, '?'); l_eq_index := instr(l_gen_url, '='); l_ls_url := substr(l_gen_url, 0, l_qindex-1); l_tname := substr(l_gen_url, l_qindex+1, l_eq_index-l_qindex-1); l_tvalue := substr(l_gen_url, l_eq_index+1); l_htmlstr := '<HTML><BODY onLoad="document.LoginForm.submit();">' || '<FORM ACTION="' || l_ls_url || '" METHOD="POST" NAME="LoginForm">' || '<INPUT TYPE="HIDDEN" NAME="' || l_tname || '" VALUE="' || l_tvalue || '">' || '</FORM></BODY></HTML>'; return l_htmlstr; EXCEPTION l_gen_redirect_url := wwsec_sso_enabler.generate_redirect ( p_lsnr_token => g_listener_token, p_url_requested => g_requested_url, p_url_cancel => g_cancel_url, p_forced_auth => wwsec_sso_enabler.SIMPLE_AUTH ); htp.p('Redirecting to the SSO Server for authentication...'); -- -- The l_gen_redirect_url is usually large url which might -- get truncated by the browser. -- Instead of using owa_util.redirect_url, we will use -- HTTP POST for sending redirect. -- For moblie application etc. it may not be possible to use HTTP -- POST since it may not support html hidden form parameter. -- owa_util.redirect_url(l_gen_redirect_url); -- l_html_str := gen_html_post_str(l_gen_redirect_url); htp.p(l_html_str); ELSE owa_util.mime_header('text/html', FALSE); htp.p('Expires: ' 'Thu, 29 Oct 2000 17:04:19 GMT'); htp.p('Pragma: ' 'no-cache'); htp.p('Cache-Control: ' || 'no-cache'); owa_util.http_header_close; htp.htmlOpen; htp.headOpen; htp.title('PL/SQL based SSO Partner Application'); htp.headCLose; htp.bodyOpen; htp.p('Congratulations! It is working!<br>'); htp.p('User Information: '); htp.p(l_user_info || '<br>'); wwsec_sso_enabler.get_enabler_config ( p_lsnr_token => g_listener_token, p_site_token => l_unused1, p_site_id => l_unused2, p_ls_login_url => l_unused3, p_ls_logout_url => l_sso_logout_url, p_url_cookie_version => l_unused4, p_encryption_key => l_unused5, p_ipaddr_check => l_unused6 ); htp.p('<A HREF="' || l_sso_logout_url || '?p_done_url=">Logout</A>'); htp.bodyClose; htp.htmlClose; END IF; EXCEPTION WHEN no_data_found OR wwsec_sso_enabler.CONFIG_MISSING_EXCEPTION THEN htp.p('Error in application: missing application registration information'); htp.p('<br>'); htp.p('Please register this application as described in the installation' || 'guide'); htp.nl; WHEN others THEN htp.p('Error in application:' || sqlerrm); htp.nl; END ssoapp; PROCEDURE sign_on ( urlc IN VARCHAR2 ) IS l_url_requested VARCHAR2(2000); l_sso_user_name VARCHAR2(1000); l_user_dn VARCHAR2(1000); l_user_guid VARCHAR2(1000); l_subs_name VARCHAR2(1000); l_subs_dn VARCHAR2(1000); l_subs_guid VARCHAR2(1000); l_ip_address VARCHAR2(100); l_sso_time_remaining NUMBER; l_nls_lang VARCHAR2(100); l_nls_territory VARCHAR2(100); l_cookie VARCHAR2(5000); BEGIN init_params; -- Process URLC token wwsec_sso_enabler.parse_url_cookie ( p_lsnr_token => g_listener_token , p_enc_url_cookie => urlc , p_url_requested => l_url_requested , p_sso_username => l_sso_user_name , p_sso_user_dn => l_user_dn , p_sso_user_guid => l_user_guid , p_subscriber_name => l_subs_name , p_subscriber_dn => l_subs_dn , p_subscriber_guid => l_subs_guid , p_user_ipaddress => l_ip_address , p_sso_timeremaining => l_sso_time_remaining , p_nls_language => l_nls_lang , p_nls_territory => l_nls_territory ); -- Set application cookie -- This program will set few variables for displaying -- This cookie must be encrypted for production application owa_util.mime_header('text/html', FALSE); htp.p('Expires: ' || 'Thu, 29 Oct 2000 17:04:19 GMT'); htp.p('Pragma: ' || 'no-cache'); htp.p('Cache-Control: ' || 'no-cache'); l_cookie := l_sso_user_name || '/' || l_subs_name; owa_cookie.send ( name => g_cookie_name, value => wwsec_sso_enabler.encrypt_cookie( g_listener_token, l_cookie), path => g_cookie_path, domain => g_cookie_domain ); owa_util.redirect_url(l_url_requested); owa_util.http_header_close; -- Redirect user to the requested application url htp.htmlOpen; htp.headOpen; htp.p(''); htp.headClose; htp.htmlClose; EXCEPTION WHEN OTHERS THEN htp.p(sqlerrm); END sign_on; PROCEDURE logout AS l_img_blob blob; BEGIN init_params; owa_util.mime_header('image/gif', FALSE); owa_cookie.send ( name => g_cookie_name, value => '', path => g_cookie_path, domain => g_cookie_domain ); select image_blob into l_img_blob from wwsec_image_config$; htp.p('Content-Length: ' || dbms_lob.getlength(l_img_blob)); htp.p('Expires: Thu, 29 Oct 2000 17:04:19 GMT'); htp.p('Pragma: no-cache'); htp.p('Cache-Control: no-cache'); owa_util.http_header_close; wpg_docload.download_file(l_img_blob); EXCEPTION WHEN OTHERS THEN htp.p(sqlerrm); END logout; END sample_sso_papp; / show errors package body sample_sso_papp
Initially, the partner application redirects the user to the Single Sign-On server for authentication and, after successful authentication, sets its own application session cookie. Any future request first attempts to validate the application session cookie. If the application session cookie is not found, the partner application redirects the user to the Single Sign-On server. To avoid contacting the Single Sign-On server for authentication verification of every user request, all partner applications should maintain their own application session.
This section covers the following topics
The following program implements a generic bean that can be used in servlets and JavaServer pages (JSPs).
A servlet partner application can be implemented using one bean and three servlets.
SSOPartnerServlet application URL. This servlet will get the user information with the help of SSOEnablerServletBean. If the user information is found, it is used inside the application; otherwise, the browser redirects the user to the Single Sign-On server.
This bean is derived from SSOEnablerBean. It implements the necessary methods for servlet applications.
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import oracle.security.sso.enabler.SSOEnablerException; public class SSOEnablerServletBean { /** Start configuration parameters * For production quality application, you should read these * parameters from database instead of harcoding them here. */ // Partner application session cookie name private static String m_cookieName = "SSO_PAPP_SERVLET_ID"; // Host name of the database private static String m_dbHostName = "wwssosvr.us.oracle.com"; // Port for database private static int m_dbPort = 9521; // Sehema name private static String m_dbSchemaName = "papp"; // Schema password private static String m_dbSchemaPasswd = "papp"; // Database SID name private static String m_dbSID = "orcl9i"; // Database connection pool size private static int m_dbPoolSize = 3; /* End of configuration parameters */ // Enabler object (Don't change) private SSOEnablerBean m_enablerBean = null; /** * Default constructor */ public SSOEnablerServletBean() { m_enablerBean = new SSOEnablerBean(); m_enablerBean.setAppCookieInfo(m_cookieName); m_enablerBean.setDbConnectionInfo(m_dbSchemaName, m_dbSchemaPasswd, m_dbHostName, m_dbPort, m_dbSID, m_dbPoolSize); } public String getSSOUserInfo(HttpServletRequest p_request, HttpServletResponse p_response) throws SSOEnablerException { return m_enablerBean.getSSOUserInfo(p_request, p_response); } public void setPartnerAppCookie(HttpServletRequest p_request, HttpServletResponse p_response) throws SSOEnablerException { m_enablerBean.setPartnerAppCookie(p_request, p_response); } public void removeServletAppCookie(HttpServletResponse p_response) throws SSOEnablerException { m_enablerBean.removeAppCookie(p_response); } public String getSingleSignOffUrl(HttpServletRequest p_request) throws SSOEnablerException { return m_enablerBean.getSingleSignOffUrl(p_request); } public void destroy() { m_enablerBean.destroy(); } }
This servlet is the main partner application servlet. To access it, the user must authenticate to the Single Sign-On server. This servlet redirects the unauthenticated user to the Single Sign-On server.
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServlet; import javax.servlet.ServletConfig; import javax.servlet.ServletException; import javax.servlet.UnavailableException; import java.io.PrintWriter; public class SSOPartnerServlet extends HttpServlet { SSOEnablerServletBean m_ssobean = null; public void init(ServletConfig p_config) throws ServletException { try { super.init(p_config); m_ssobean = new SSOEnablerServletBean(); } catch(Exception e) { throw new UnavailableException ( "Could not create SSOEnablerServletBean object"); } } /** * The HTTP GET request will show the application content of the user if he/she is already authenticated, otherwise he/she will be redirected to the Single Sign-On server */ public void doGet(HttpServletRequest p_request, HttpServletResponse p_response) throws ServletException { p_response.setContentType("text/html"); if(p_request == null || p_response == null) { throw new ServletException("Http objects are null"); } try { PrintWriter l_out = p_response.getWriter(); String l_userInfo = m_ssobean.getSSOUserInfo(p_request, p_response); if(l_userInfo != null) { String l_sso_logout_url = m_ssobean.getSingleSignOffUrl(p_ request); // Display some application content for the SSO user l_out.println("<HTML><HEAD><TITLE>Servlet based SSO Partner" + "Application</TITLE></HEAD><BODY>"); l_out.println("<H3><center>Servlet based SSO Partner" + "Application</center></H3>"); l_out.println("<P><center>User Information: " + l_userInfo + "<center><BR>"); // You may specify a URL value in p_done_url. // User can be redirected to this URL after Single Sign-Off // (Global Logout) l_out.println("<P><center><A HREF='"+l_sso_logout_url+ "?p_done_url='>Logout</A><center></P>"); l_out.println("</BODY></HTML>"); } else { // Display redirection to SSO server message l_out.println("<HTML><HEAD><TITLE>Servlet based SSO Partner" + "Application</TITLE></HEAD><BODY>"); l_out.println("<center>Please wait while redirecting to the SSO" + "Server...</center>"); l_out.println("</BODY></HTML>"); } } catch(Exception e) { try { p_response.getWriter().println("Error " + e.toString()); } catch(Exception e1) { throw new ServletException(e1.toString()); } } } public void destroy() { m_ssobean.destroy(); } }
This servlet parses the URLC token received from Single Sign-On server, sets the application cookie, and redirects the user to the requested web application URL (i.e. SSOPartnerServlet).
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServlet; import javax.servlet.UnavailableException; import javax.servlet.ServletException; import javax.servlet.ServletConfig; import java.io.PrintWriter; public class SSOSignOnServlet extends HttpServlet { SSOEnablerServletBean m_ssobean = null; public void init(ServletConfig p_config) throws ServletException { try { super.init(p_config); m_ssobean = new SSOEnablerServletBean(); } catch(Exception e) { throw new UnavailableException ( "Could not create SSOEnablerServletBean object"); } } /** * The HTTP Post will set application cookie from SSO server token and then redirect user to the Servlet based partner application */ public void doPost(HttpServletRequest p_request, HttpServletResponse p_response) throws ServletException { p_response.setContentType("text/html"); if(p_request == null || p_response == null) { throw new ServletException("Http objects are null"); } try { m_ssobean.setPartnerAppCookie(p_request, p_response); } catch(Exception e) { try { p_response.getWriter().println("Error " + e.toString()); } catch(Exception e1) { throw new ServletException(e1.toString()); } } } public void destroy() { m_ssobean.destroy(); } }
This servlet removes the application session of the partner application.
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServlet; import javax.servlet.UnavailableException; import javax.servlet.ServletException; import javax.servlet.ServletConfig; import java.io.PrintWriter; public class SSOPartnerLogoutServlet extends HttpServlet { SSOEnablerServletBean m_ssobean = null; public void init(ServletConfig p_config) throws ServletException { try { super.init(p_config); m_ssobean = new SSOEnablerServletBean(); } catch(Exception e) { throw new UnavailableException ( "Could not create SSOEnablerServletBean object"); } } public void doGet(HttpServletRequest p_request, HttpServletResponse p_response) throws ServletException { try { m_ssobean.removeServletAppCookie(p_response); } catch(Exception e) { throw new ServletException(e.toString()); } } public void destroy() { m_ssobean.destroy(); } }
The JSP partner application can be implemented using a Java bean for generating a redirection URL and processing the redirected URL parameter from the Single Sign-On server. A JSP page should embed this bean, which can be included in all JSP based applications that require Single Sign-On functionality.
papp.jsp page.
ssoinclude.jsp page. If the user information can be found, then it is used by the application. Otherwise, the browser redirects the user to the Single Sign-On server using SSOEnablerJspBean.
ssosignon.jsp page. This page sets the application cookie and redirects the user to the requested application URL using SSOEnablerJspBean.
A JSP application can be implemented with the following bean and JSP pages:
This bean uses the getSSOUserInfo method, which returns the user information when the application cookie is already set; otherwise, it redirects the user to the Single Sign-On server for authentication.
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import oracle.security.sso.enabler.SSOEnablerException; public class SSOEnablerJspBean { /** Start configuration parameters * For production quality application, you should read these * parameters from database instead of harcoding them here. */ // Partner application session cookie name private static String m_cookieName = "SSO_PAPP_JSP_ID"; // Host name of the database private static String m_dbHostName = "wwssosvr.us.oracle.com"; // Port for database private static int m_dbPort = 9521; // Sehema name private static String m_dbSchemaName = "papp"; // Schema password private static String m_dbSchemaPasswd = "papp"; // Database SID name private static String m_dbSID = "orcl9i"; // Database connection pool size private static int m_dbPoolSize = 5; /* End of configuration parameters */ // Enabler object (Don't change) private SSOEnablerBean m_enablerBean = null; /** * Default constructor */ public SSOEnablerJspBean() { m_enablerBean = new SSOEnablerBean(); m_enablerBean.setAppCookieInfo(m_cookieName); m_enablerBean.setDbConnectionInfo(m_dbSchemaName, m_dbSchemaPasswd, m_dbHostName , m_dbPort , m_dbSID, m_dbPoolSize); } public String getSSOUserInfo(HttpServletRequest p_request, HttpServletResponse p_response) throws SSOEnablerException { return m_enablerBean.getSSOUserInfo(p_request, p_response); } public void setPartnerAppCookie(HttpServletRequest p_request, HttpServletResponse p_response) throws SSOEnablerException { m_enablerBean.setPartnerAppCookie(p_request, p_response); } public void removeJspAppCookie(HttpServletResponse p_response) throws SSOEnablerException { m_enablerBean.removeAppCookie(p_response); } public String getSingleSignOffUrl(HttpServletRequest p_request) throws SSOEnablerException { return m_enablerBean.getSingleSignOffUrl(p_request); } public void destroy() { m_enablerBean.destroy(); } }
This page embeds the SSOEnablerJsp bean. It should be included in all JSP pages where Single Sign-On functionality is required.
<%@ page language="java" import="oracle.security.sso.enabler.*" %> <jsp:useBean id="ssoObj" scope="page" class="SSOEnablerJspBean" /> <% String usrInfo = ssoObj.getSSOUserInfo(request, response); String logoutURL = ssoObj.getSingleSignOffUrl(request); if(usrInfo == null) { %> <center>Please wait while redirecting to the SSO Server...</center> <% }
%>
This page embeds the SSOEnablerJspBean for generating the redirection URL and processing the redirected URL parameter received from the Single Sign-On server.
<%@ page language="java" import="oracle.security.sso.enabler.*" %> <jsp:useBean id="ssoObj" scope="page" class="SSOEnablerJspBean" /> <% ssoObj.setPartnerAppCookie(request, response);
%>
This page is the main application page and requires Single Sign-On functionality. To retrieve user information, the page must include the ssoinclude.jsp page.
<%@ page buffer="5" autoFlush="true" %> <%@ include file="ssoinclude.jsp" %> <% if(usrInfo != null) { response.getWriter().println("<center><h2>Sample JSP Partner Application" + "</FONT></h2></center>"); response.getWriter().println("<center>User information :" + usrInfo +"</center>"); response.getWriter().println("<center><A HREF='" + logoutURL + "?p_done_url='>Logout</A><center></P>"); } else { response.getWriter().println("<center>User information not" + "found</center> "); }
%>
This JSP page removes the application session.
<%@ page language="java" import="oracle.security.sso.enabler.*" %> <jsp:useBean id="ssoObj" scope="page" class="SSOEnablerJspBean" /> <% try { ssoObj.removeJspAppCookie(response); } catch(Exception e) { %> <center> Error in ending JSP application session. Please quit your all browser windows. </center> <% return; } %> <center> You are logged off from JSP application session <br> <a href="papp.jsp">Login</a>
</center>
|
 Copyright © 2002 Oracle Corporation. All Rights Reserved. |
|