BIEE 11g: integrating the open-source CAS to implement SSO

For the principles behind CAS and SSO, see the following article:

 

---- Update 2012-08-24 begins ----

The following part of web.xml has to be removed, otherwise switching dashboard tabs throws an error!

Removing this part also fixes the error that occurs when the URL does not carry the saw.dll?bieehome suffix!

  <!-- This filter implements single sign-out; optional. -->
  <filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

---- Update 2012-08-24 ends ----

SSO(Single Sign-on) in Action

http://www.blogjava.net/security/archive/2006/10/02/sso_in_action.html

 

For setting up your own CAS server, see the following article:

JAVA CAS 单点登录(SSO) tutorial

http://www.cnblogs.com/mylitboy/archive/2011/07/15/2155634.html

If SSL is enabled on the CAS server, the client side (the WebLogic server hosting the BIEE application) must import the server certificate; the article above describes how to import it.

 

 

The rest of this post covers the integration of CAS with BIEE 11g.

 

CAS works by adding servlet filters that intercept requests, so we need to edit the web.xml of the BIEE analytics application by hand and add the required filters.
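To show concretely what those filters do before the web.xml is listed, here is an added example (not code from this post and not the jasig CAS client itself) that simulates the CAS 2.0 exchange in Python: the BIEE-side authentication filter redirects an unauthenticated browser to casServerLoginUrl with a service parameter, the CAS server issues a single-use service ticket bound to that service URL, and the validation filter calls serviceValidate and parses the cas:serviceResponse. The CasServer class, the session dictionary and the user name alice are constructed stand-ins; the login URL and serverName values are the ones used in the web.xml on this page.

```python
"""Simulated CAS 2.0 login and ticket validation between BIEE-side filters
and a CAS server. Constructed example; not jasig client code."""
import secrets
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

CAS_NS = "http://www.yale.edu/tp/cas"
LOGIN_URL = "https://sso.test.com:8443/cas-server-webapp-3.5.0/login"  # from the page


def failure(code):
    """CAS 2.0 failure response, e.g. INVALID_TICKET or INVALID_SERVICE."""
    return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}">'
            f'<cas:authenticationFailure code="{code}"/></cas:serviceResponse>')


class CasServer:
    """Stand-in for the CAS server: issues single-use tickets bound to one service URL."""

    def __init__(self):
        self._tickets = {}  # ticket -> (service, user)

    def login(self, service, user):
        ticket = "ST-" + secrets.token_hex(8)
        self._tickets[ticket] = (service, user)
        return ticket

    def service_validate(self, service, ticket):
        entry = self._tickets.pop(ticket, None)  # pop: a replayed ticket must fail
        if entry is None:
            return failure("INVALID_TICKET")
        bound_service, user = entry
        if bound_service != service:  # ticket was issued for a different service URL
            return failure("INVALID_SERVICE")
        return (f'<cas:serviceResponse xmlns:cas="{CAS_NS}"><cas:authenticationSuccess>'
                f'<cas:user>{user}</cas:user></cas:authenticationSuccess></cas:serviceResponse>')


def service_url(server_name, path, query):
    """serverName + request path, minus the ticket parameter. Building it from the
    configured serverName rather than the Host header is the point of that parameter."""
    rest = {k: v for k, v in query.items() if k != "ticket"}
    return server_name + path + ("?" + urlencode(rest) if rest else "")


def authentication_filter(session, path, query, login_url, server_name):
    """Mirror of AuthenticationFilter: pass if already logged in or carrying a ticket."""
    if "cas_user" in session or "ticket" in query:
        return ("pass", None)
    return ("redirect", login_url + "?" + urlencode({"service": service_url(server_name, path, query)}))


def validation_filter(session, path, query, server, server_name):
    """Mirror of the Cas20 validation filter: verify the ticket with the CAS server."""
    if "ticket" not in query:
        return ("pass", None)
    response = server.service_validate(service_url(server_name, path, query), query["ticket"])
    root = ET.fromstring(response)
    user = root.findtext(f"{{{CAS_NS}}}authenticationSuccess/{{{CAS_NS}}}user")
    if user is None:
        return ("deny", root.find(f"{{{CAS_NS}}}authenticationFailure").get("code"))
    session["cas_user"] = user  # the assertion the other CAS filters later expose
    return ("pass", user)


def sso_round_trip(login_server_name, validation_server_name, user="alice"):
    """Drive one browser through both filters; returns (first validation, replay)."""
    server, session = CasServer(), {}
    path, query = "/analytics/saw.dll", {"bieehome": ""}
    # 1. the unauthenticated request is bounced to the CAS login page
    action, redirect = authentication_filter(session, path, query, LOGIN_URL, login_server_name)
    assert action == "redirect"
    service = parse_qs(urlparse(redirect).query)["service"][0]
    # 2. CAS authenticates the user (out of scope) and sends the browser back with a ticket
    with_ticket = dict(query, ticket=server.login(service, user))
    assert authentication_filter(session, path, with_ticket, LOGIN_URL, login_server_name)[0] == "pass"
    # 3. the validation filter asks CAS whether the ticket is good for *this* service URL
    result = validation_filter(session, path, with_ticket, server, validation_server_name)
    # 4. replaying the same ticket in a fresh session must fail
    replay = validation_filter({}, path, with_ticket, server, validation_server_name)
    return result, replay


if __name__ == "__main__":
    print(sso_round_trip("http://demo.us.oracle.com:9704", "http://demo.us.oracle.com:9704"))
    print(sso_round_trip("http://demo.us.oracle.com:9704", "http://demo:9704"))
```

The two failure paths are the ones worth recognising in production logs: a ticket presented a second time is rejected with INVALID_TICKET, and a serverName that differs between the login redirect and the validation call yields INVALID_SERVICE, which is why both filters in the web.xml below must carry the same serverName.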

 

Unpack analytics.war (7-Zip or WinRAR will do), then edit web.xml under WEB-INF.

Note: analytics.ear can be found under $MV_HOME/Oracle_BI1/bifoundation/jee; unpacking analytics.ear yields analytics.war and analytics-ws.war.

The modified web.xml is as follows:

<?xml version="1.0" encoding="UTF-8" ?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5">
  <filter>
    <filter-name>ApplCoreSessionIntegrationFilter</filter-name>
    <filter-class>com.siebel.analytics.web.integration.ApplCoreSessionIntegrationFilter</filter-class>
  </filter>
  <filter>
    <filter-name>HyperionCSSAuthenticatorFilter</filter-name>
    <filter-class>com.siebel.analytics.web.integration.HyperionCSSAuthenticatorFilter</filter-class>
  </filter>
  <filter>
    <filter-name>LoadBalancerHTTPFilter</filter-name>
    <filter-class>com.siebel.analytics.web.integration.LoadBalancerHTTPFilter</filter-class>
    <init-param>
      <param-name>oracle.bi.presentation.loadbalance.ServerKeySources</param-name>
      <param-value>GET,POST,COOKIE,SESSION</param-value>
    </init-param>
  </filter>
  <filter>
    <filter-name>AddStaticHeadersFilter</filter-name>
    <filter-class>com.siebel.analytics.web.integration.AddStaticHeadersFilter</filter-class>
    <init-param>
      <param-name>oracle.bi.presentation.staticheaders.1.name</param-name>
      <param-value>Cache-Control</param-value>
    </init-param>
    <init-param>
      <param-name>oracle.bi.presentation.staticheaders.1.value</param-name>
      <param-value>max-age=3600</param-value>
    </init-param>
  </filter>
  <!--
  <filter>
    <filter-name>AddStaticServerVariables</filter-name>
    <filter-class>com.siebel.analytics.web.integration.AddStaticHeadersFilter</filter-class>
    <init-param>
      <param-name>oracle.bi.presentation.staticservervariables.1.name</param-name>
      <param-value>SERVERVARIABLE_NAME</param-value>
    </init-param>
    <init-param>
      <param-name>oracle.bi.presentation.staticservervariables.1.value</param-name>
      <param-value>SERVERVARIABLE_VALUE</param-value>
    </init-param>
  </filter>
  -->
  <filter>
    <filter-name>FirewallFilter</filter-name>
    <filter-class>com.siebel.analytics.web.integration.FirewallFilter</filter-class>
    <!--
      Uncomment the AllowedRequests param below to allow only SOAP requests and prohibit UI ones.
      Uncomment the ProhibitedRequests param below to prohibit SOAP requests and allow UI ones.
    -->
    <!--
    <init-param>
      <param-name>oracle.bi.presentation.AllowedRequests</param-name>
      <param-value>SOAP</param-value>
    </init-param>
    <init-param>
      <param-name>oracle.bi.presentation.ProhibitedRequests</param-name>
      <param-value>SOAP</param-value>
    </init-param>
    -->
  </filter>
  <!--
  <filter-mapping>
    <filter-name>FirewallFilter</filter-name>
    <servlet-name>SAWBridge</servlet-name>
  </filter-mapping>
  -->
  <!--
  <filter-mapping>
    <filter-name>AddStaticServerVariables</filter-name>
    <servlet-name>SAWBridge</servlet-name>
  </filter-mapping>
  -->
  <!-- ======================== SSO section begins ======================== -->
  <!-- Single sign-out: this listener supports the single logout function; optional. -->
  <listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
  </listener>
  <!-- This filter implements single sign-out; optional. -->
  <filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <!-- This filter handles user authentication; it must be enabled. -->
  <filter>
    <filter-name>CASFilter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
      <param-name>casServerLoginUrl</param-name>
      <param-value>https://sso.test.com:8443/cas-server-webapp-3.5.0/login</param-value>
      <!-- The server here is the address of the CAS server. -->
    </init-param>
    <init-param>
      <param-name>serverName</param-name>
      <param-value>http://demo.us.oracle.com:9704</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>CASFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <!-- This filter validates the ticket; it must be enabled. -->
  <filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
      <param-name>casServerUrlPrefix</param-name>
      <param-value>https://sso.test.com:8443/cas-server-webapp-3.5.0</param-value>
    </init-param>
    <init-param>
      <param-name>serverName</param-name>
      <param-value>http://demo.us.oracle.com:9704</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <!-- This filter wraps the HttpServletRequest, for example so that developers can
       obtain the SSO user's login name through HttpServletRequest.getRemoteUser(). -->
  <filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
  </filter>
  <filter>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <!-- ======================== SSO section ends ======================== -->
  <filter-mapping>
    <filter-name>LoadBalancerHTTPFilter</filter-name>
    <servlet-name>SAWBridge</servlet-name>
  </filter-mapping>
  <filter-mapping>
    <filter-name>ApplCoreSessionIntegrationFilter</filter-name>
    <servlet-name>SAWBridge</servlet-name>
  </filter-mapping>
  <filter-mapping>
    <filter-name>HyperionCSSAuthenticatorFilter</filter-name>
    <servlet-name>SAWBridge</servlet-name>
  </filter-mapping>
  <!--
  <filter-mapping>
    <filter-name>AddStaticHeadersFilter</filter-name>
    <url-pattern>/res/*</url-pattern>
  </filter-mapping>
  -->
  <servlet>
    <servlet-name>SAWBridge</servlet-name>
    <servlet-class>com.siebel.analytics.web.SAWBridge</servlet-class>
    <init-param>
      <param-name>oracle.bi.presentation.sawserver.Host</param-name>
      <param-value>localhost</param-value>
    </init-param>
    <init-param>
      <param-name>oracle.bi.presentation.sawserver.Port</param-name>
      <param-value>9710</param-value>
    </init-param>
    <init-param>
      <param-name>oracle.bi.presentation.biapplication</param-name>
      <param-value>coreapplication</param-value>
    </init-param>
  </servlet>
  <servlet>
    <description>Hyperion Related Content request handler</description>
    <display-name>RelatedContent</display-name>
    <servlet-name>RelatedContent</servlet-name>
    <servlet-class>oracle.bi.server.workspace.RelatedContent</servlet-class>
    <init-param>
      <param-name>oracle.bi.presentation.relatedContent.dimensionMappingFilePath</param-name>
      <param-value>${oracle.domain.config.dir}/biinstances/${oracle.bi.application}/FRDimensionsMapping.properties</param-value>
    </init-param>
    <init-param>
      <param-name>oracle.bi.presentation.relatedContent.SAWServlet</param-name>
      <param-value>saw.dll</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>SAWBridge</servlet-name>
    <url-pattern>/saw.dll/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>RelatedContent</servlet-name>
    <url-pattern>/RelatedContent</url-pattern>
  </servlet-mapping>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
  <mime-mapping>
    <extension>xsd</extension>
    <mime-type>text/xml</mime-type>
  </mime-mapping>
  <mime-mapping>
    <extension>xml</extension>
    <mime-type>text/xml</mime-type>
  </mime-mapping>
  <mime-mapping>
    <extension>js</extension>
    <mime-type>text/javascript</mime-type>
  </mime-mapping>
  <mime-mapping>
    <extension>css</extension>
    <mime-type>text/css</mime-type>
  </mime-mapping>
  <mime-mapping>
    <extension>png</extension>
    <mime-type>image/png</mime-type>
  </mime-mapping>
  <mime-mapping>
    <extension>swf</extension>
    <mime-type>application/x-shockwave-flash</mime-type>
  </mime-mapping>
  <welcome-file-list>
    <welcome-file>default.jsp</welcome-file>
  </welcome-file-list>
</web-app>

Note: sso.test.com is the domain name of the server hosting the CAS server, and demo.us.oracle.com is the domain name of the server hosting BIEE.

Change these to match your own environment!
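Because the two domain names and the two CAS filters are easy to get wrong when editing web.xml by hand, here is an added Python check (not part of the original post) that parses a web.xml, locates the jasig filters by class name and reports the mistakes discussed on this page: a missing or unmapped authentication or validation filter, a CAS URL that is not HTTPS, a casServerLoginUrl that does not sit under casServerUrlPrefix, a serverName that differs between the two filters, a validation mapping placed before the authentication mapping, and a SingleSignOutFilter that the 2012-08-24 update says must be removed. The sample_web_xml helper builds constructed, minimal web.xml documents for the demonstration; on a real deployment you would pass the contents of WEB-INF/web.xml instead.

```python
"""Sanity-check the CAS client filters in a BIEE analytics web.xml (added example)."""
import xml.etree.ElementTree as ET

NS = {"j2ee": "http://java.sun.com/xml/ns/javaee"}
AUTH_CLASS = "org.jasig.cas.client.authentication.AuthenticationFilter"
VALIDATION_CLASS = "org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter"
SIGN_OUT_CLASS = "org.jasig.cas.client.session.SingleSignOutFilter"


def _init_params(filter_el):
    """Collect the <init-param> name/value pairs of one <filter> element."""
    return {p.findtext("j2ee:param-name", "", NS).strip(): p.findtext("j2ee:param-value", "", NS).strip()
            for p in filter_el.findall("j2ee:init-param", NS)}


def check_cas_web_xml(xml_text):
    """Return a list of findings; an empty list means the CAS section looks sound."""
    root = ET.fromstring(xml_text)
    findings = []
    filters = {}  # filter-name -> (filter-class, init-params)
    for f in root.findall("j2ee:filter", NS):
        name = f.findtext("j2ee:filter-name", "", NS).strip()
        filters[name] = (f.findtext("j2ee:filter-class", "", NS).strip(), _init_params(f))
    # The document order of <filter-mapping> elements is the order of the filter chain.
    mappings = [(m.findtext("j2ee:filter-name", "", NS).strip(), m.findtext("j2ee:url-pattern", "", NS).strip())
                for m in root.findall("j2ee:filter-mapping", NS)]
    chain = [name for name, _ in mappings]

    def name_of(cls):
        return next((n for n, (k, _) in filters.items() if k == cls), None)

    auth, val = name_of(AUTH_CLASS), name_of(VALIDATION_CLASS)
    if auth is None:
        findings.append("no AuthenticationFilter: unauthenticated requests reach BIEE")
    if val is None:
        findings.append("no Cas20 validation filter: tickets are never verified")
    if auth and val:
        patterns = dict(mappings)
        for name in (auth, val):
            if patterns.get(name) != "/*":
                findings.append(f"{name} is not mapped to /*")
        if auth in chain and val in chain and chain.index(auth) > chain.index(val):
            findings.append("validation filter-mapping precedes the AuthenticationFilter mapping")
        auth_p, val_p = filters[auth][1], filters[val][1]
        login, prefix = auth_p.get("casServerLoginUrl", ""), val_p.get("casServerUrlPrefix", "")
        for label, url in (("casServerLoginUrl", login), ("casServerUrlPrefix", prefix)):
            if not url.startswith("https://"):
                findings.append(f"{label} is not https; tickets would travel in clear text")
        if login and prefix and not login.startswith(prefix.rstrip("/") + "/"):
            findings.append("casServerLoginUrl is not under casServerUrlPrefix")
        if auth_p.get("serverName") != val_p.get("serverName"):
            findings.append("serverName differs between the two filters; ticket validation will fail")
    if name_of(SIGN_OUT_CLASS) is not None:
        findings.append("SingleSignOutFilter present; the 2012-08-24 update says to remove it")
    return findings


def sample_web_xml(login_url, prefix, auth_server, val_server, single_sign_out=False, auth_first=True):
    """Build a constructed, minimal analytics web.xml for the demonstration."""
    def param(name, value):
        return f"<init-param><param-name>{name}</param-name><param-value>{value}</param-value></init-param>"

    def mapping(name):
        return f"<filter-mapping><filter-name>{name}</filter-name><url-pattern>/*</url-pattern></filter-mapping>"

    parts = [f"<filter><filter-name>CASFilter</filter-name><filter-class>{AUTH_CLASS}</filter-class>"
             f"{param('casServerLoginUrl', login_url)}{param('serverName', auth_server)}</filter>",
             f"<filter><filter-name>CAS Validation Filter</filter-name><filter-class>{VALIDATION_CLASS}</filter-class>"
             f"{param('casServerUrlPrefix', prefix)}{param('serverName', val_server)}</filter>"]
    if single_sign_out:
        parts.append(f"<filter><filter-name>CAS Single Sign Out Filter</filter-name>"
                     f"<filter-class>{SIGN_OUT_CLASS}</filter-class></filter>" + mapping("CAS Single Sign Out Filter"))
    maps = [mapping("CASFilter"), mapping("CAS Validation Filter")]
    if not auth_first:
        maps.reverse()
    return '<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">' + "".join(parts + maps) + "</web-app>"


# Constructed samples: the first mirrors the page's settings, the second stacks up the mistakes.
GOOD_WEB_XML = sample_web_xml("https://sso.test.com:8443/cas-server-webapp-3.5.0/login",
                              "https://sso.test.com:8443/cas-server-webapp-3.5.0",
                              "http://demo.us.oracle.com:9704", "http://demo.us.oracle.com:9704")
BAD_WEB_XML = sample_web_xml("http://sso.test.com:8080/cas-server-webapp-3.5.0/login",
                             "https://sso.test.com:8443/cas-server-webapp-3.5.0",
                             "http://demo.us.oracle.com:9704", "http://demo:9704",
                             single_sign_out=True, auth_first=False)

if __name__ == "__main__":
    print("good:", check_cas_web_xml(GOOD_WEB_XML))
    for finding in check_cas_web_xml(BAD_WEB_XML):
        print("bad:", finding)
```

The order check matters because the jasig AuthenticationFilter lets a request carrying a ticket parameter through so that the validation filter behind it can verify the ticket; if the mappings are swapped, the validation filter runs first on requests that have no ticket yet, and the filter chain never behaves as the comments in the web.xml above describe.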

 

After editing, you also need to put the CAS client jar (e.g. cas-client-core-3.2.1.jar) into the lib directory under WEB-INF.

 

 

Once the edits are done, repackage with the jar tool that ships with the JDK, for example:

jar -cf analytics.war .

Then package analytics.war, analytics-ws.war and the META-INF folder that sat alongside them into analytics.ear, for example:

jar -cf analytics.ear .

 

Then redeploy the application in the WebLogic console and start it.

 

In addition, you need to create a new Provider in the security realm that connects to the user store CAS authenticates against (which may be AD, LDAP or a database). This step is very important: BIEE still takes the username authenticated by CAS and looks it up in that Provider, and if the user does not exist there, login fails anyway.

 

 

Finally, enable SSO for BI in Enterprise Manager (em), as shown in the figure below:

 

 

Activate the changes and restart all opmn components, and you are done.

 

Then access BIEE at http://xxxxx:9704/analytics/saw.dll?bieehome.

 

Note: the URL must carry the trailing saw.dll?bieehome suffix, otherwise an error occurs!

 

 

This article was written by 风在身后 and is licensed under the Creative Commons Attribution-ShareAlike 3.0 China Mainland License.
Contact the author before reproducing or quoting it, and credit the author and the original source.