For the principles behind CAS and SSO, see the articles linked below.
---- Update 2012-08-24 begins ----
The following part of web.xml must be removed, otherwise an error is raised when switching dashboard tabs!
Removing it also resolves the error that occurs when the URL does not carry the saw.dll?bieehome suffix!

  <!-- This filter implements single sign-out; optional. -->
  <filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

---- Update 2012-08-24 ends ----
SSO (Single Sign-on) in Action
http://www.blogjava.net/security/archive/2006/10/02/sso_in_action.html
For setting up your own CAS server, refer to the following article:
Java CAS Single Sign-On (SSO) Tutorial
http://www.cnblogs.com/mylitboy/archive/2011/07/15/2155634.html
If SSL is enabled on the CAS server, its certificate must be imported on the client side (that is, on the server hosting the BIEE application, i.e. WebLogic); the import procedure is described in the article above.
The rest of this post covers integrating CAS with BIEE 11g.
CAS works by adding servlet filters that intercept requests, so the web.xml of the BIEE analytics application has to be edited by hand to add the required filters.
Unpack analytics.war (7-Zip or WinRAR will do), then edit web.xml under WEB-INF.
Note: analytics.ear is found under $MV_HOME/Oracle_BI1/bifoundation/jee; unpacking analytics.ear yields analytics.war and analytics-ws.war.
The modified web.xml is as follows:
<?xml version="1.0" encoding="UTF-8" ?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">
  <filter>
    <filter-name>ApplCoreSessionIntegrationFilter</filter-name>
    <filter-class>com.siebel.analytics.web.integration.ApplCoreSessionIntegrationFilter</filter-class>
  </filter>
  <filter>
    <filter-name>HyperionCSSAuthenticatorFilter</filter-name>
    <filter-class>com.siebel.analytics.web.integration.HyperionCSSAuthenticatorFilter</filter-class>
  </filter>
  <filter>
    <filter-name>LoadBalancerHTTPFilter</filter-name>
    <filter-class>com.siebel.analytics.web.integration.LoadBalancerHTTPFilter</filter-class>
    <init-param>
      <param-name>oracle.bi.presentation.loadbalance.ServerKeySources</param-name>
      <param-value>GET,POST,COOKIE,SESSION</param-value>
    </init-param>
  </filter>
  <filter>
    <filter-name>AddStaticHeadersFilter</filter-name>
    <filter-class>com.siebel.analytics.web.integration.AddStaticHeadersFilter</filter-class>
    <init-param>
      <param-name>oracle.bi.presentation.staticheaders.1.name</param-name>
      <param-value>Cache-Control</param-value>
    </init-param>
    <init-param>
      <param-name>oracle.bi.presentation.staticheaders.1.value</param-name>
      <param-value>max-age=3600</param-value>
    </init-param>
  </filter>
  <!--
  <filter>
    <filter-name>AddStaticServerVariables</filter-name>
    <filter-class>com.siebel.analytics.web.integration.AddStaticHeadersFilter</filter-class>
    <init-param>
      <param-name>oracle.bi.presentation.staticservervariables.1.name</param-name>
      <param-value>SERVERVARIABLE_NAME</param-value>
    </init-param>
    <init-param>
      <param-name>oracle.bi.presentation.staticservervariables.1.value</param-name>
      <param-value>SERVERVARIABLE_VALUE</param-value>
    </init-param>
  </filter>
  -->
  <filter>
    <filter-name>FirewallFilter</filter-name>
    <filter-class>com.siebel.analytics.web.integration.FirewallFilter</filter-class>
    <!-- Uncomment the AllowedRequests param below to allow only SOAP requests and prohibit UI ones.
         Uncomment the ProhibitedRequests param below to prohibit SOAP requests and allow UI ones. -->
    <!--
    <init-param>
      <param-name>oracle.bi.presentation.AllowedRequests</param-name>
      <param-value>SOAP</param-value>
    </init-param>
    <init-param>
      <param-name>oracle.bi.presentation.ProhibitedRequests</param-name>
      <param-value>SOAP</param-value>
    </init-param>
    -->
  </filter>
  <!--
  <filter-mapping>
    <filter-name>FirewallFilter</filter-name>
    <servlet-name>SAWBridge</servlet-name>
  </filter-mapping>
  -->
  <!--
  <filter-mapping>
    <filter-name>AddStaticServerVariables</filter-name>
    <servlet-name>SAWBridge</servlet-name>
  </filter-mapping>
  -->
  <!-- ======================== Single sign-on begin ======================== -->
  <!-- For single sign-out: this listener supports the single sign-out feature; optional -->
  <listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
  </listener>
  <!-- This filter implements single sign-out; optional. -->
  <filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <!-- This filter performs user authentication; it must be enabled -->
  <filter>
    <filter-name>CASFilter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
      <param-name>casServerLoginUrl</param-name>
      <param-value>https://sso.test.com:8443/cas-server-webapp-3.5.0/login</param-value>
      <!-- "server" here is the IP (address) of the CAS server -->
    </init-param>
    <init-param>
      <param-name>serverName</param-name>
      <param-value>http://demo.us.oracle.com:9704</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>CASFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <!-- This filter validates the service ticket; it must be enabled -->
  <filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
      <param-name>casServerUrlPrefix</param-name>
      <param-value>https://sso.test.com:8443/cas-server-webapp-3.5.0</param-value>
    </init-param>
    <init-param>
      <param-name>serverName</param-name>
      <param-value>http://demo.us.oracle.com:9704</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <!-- This filter wraps the HttpServletRequest, e.g. so that developers can obtain the SSO user's login name
       via HttpServletRequest.getRemoteUser() -->
  <filter>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
  </filter>
  <filter>
    <filter-name>CAS Assertion Thread Local Filter</filter-name>
    <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <!-- ======================== Single sign-on end ======================== -->
  <filter-mapping>
    <filter-name>LoadBalancerHTTPFilter</filter-name>
    <servlet-name>SAWBridge</servlet-name>
  </filter-mapping>
  <filter-mapping>
    <filter-name>ApplCoreSessionIntegrationFilter</filter-name>
    <servlet-name>SAWBridge</servlet-name>
  </filter-mapping>
  <filter-mapping>
    <filter-name>HyperionCSSAuthenticatorFilter</filter-name>
    <servlet-name>SAWBridge</servlet-name>
  </filter-mapping>
  <!--
  <filter-mapping>
    <filter-name>AddStaticHeadersFilter</filter-name>
    <url-pattern>/res/*</url-pattern>
  </filter-mapping>
  -->
  <servlet>
    <servlet-name>SAWBridge</servlet-name>
    <servlet-class>com.siebel.analytics.web.SAWBridge</servlet-class>
    <init-param>
      <param-name>oracle.bi.presentation.sawserver.Host</param-name>
      <param-value>localhost</param-value>
    </init-param>
    <init-param>
      <param-name>oracle.bi.presentation.sawserver.Port</param-name>
      <param-value>9710</param-value>
    </init-param>
    <init-param>
      <param-name>oracle.bi.presentation.biapplication</param-name>
      <param-value>coreapplication</param-value>
    </init-param>
  </servlet>
  <servlet>
    <description>Hyperion Related Content request handler</description>
    <display-name>RelatedContent</display-name>
    <servlet-name>RelatedContent</servlet-name>
    <servlet-class>oracle.bi.server.workspace.RelatedContent</servlet-class>
    <init-param>
      <param-name>oracle.bi.presentation.relatedContent.dimensionMappingFilePath</param-name>
      <param-value>${oracle.domain.config.dir}/biinstances/${oracle.bi.application}/FRDimensionsMapping.properties</param-value>
    </init-param>
    <init-param>
      <param-name>oracle.bi.presentation.relatedContent.SAWServlet</param-name>
      <param-value>saw.dll</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>SAWBridge</servlet-name>
    <url-pattern>/saw.dll/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>RelatedContent</servlet-name>
    <url-pattern>/RelatedContent</url-pattern>
  </servlet-mapping>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
  <mime-mapping>
    <extension>xsd</extension>
    <mime-type>text/xml</mime-type>
  </mime-mapping>
  <mime-mapping>
    <extension>xml</extension>
    <mime-type>text/xml</mime-type>
  </mime-mapping>
  <mime-mapping>
    <extension>js</extension>
    <mime-type>text/javascript</mime-type>
  </mime-mapping>
  <mime-mapping>
    <extension>css</extension>
    <mime-type>text/css</mime-type>
  </mime-mapping>
  <mime-mapping>
    <extension>png</extension>
    <mime-type>image/png</mime-type>
  </mime-mapping>
  <mime-mapping>
    <extension>swf</extension>
    <mime-type>application/x-shockwave-flash</mime-type>
  </mime-mapping>
  <welcome-file-list>
    <welcome-file>default.jsp</welcome-file>
  </welcome-file-list>
</web-app>
Note: sso.test.com is the domain name of the server hosting the CAS server, and demo.us.oracle.com is the domain name of the server hosting BIEE.
Change these to match your own environment!
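The web.xml above and the 2012-08-24 update at the top of this post both come down to a handful of checks on the CAS filter wiring: the authentication and ticket validation filters must exist and be mapped to /*, serverName must agree between them, the CAS server URLs should be https, and the SingleSignOutFilter should be gone. The script below is an added example (not code from this post, the CAS client, or Oracle) that lints a web.xml for exactly those points. The embedded web.xml is a constructed, trimmed stand-in with placeholder hostnames and deliberately carries three of the problems; it assumes the file uses the javaee namespace, as the one above does.

```python
# Added example: lint a BIEE analytics web.xml for the CAS client filter wiring.
# The sample web.xml below is constructed for this example (placeholder hosts),
# not the file from the post or from an Oracle installation.
import xml.etree.ElementTree as ET

# Assumes the javaee namespace used by the post's web.xml.
NS = {"j": "http://java.sun.com/xml/ns/javaee"}

AUTH_CLASS = "org.jasig.cas.client.authentication.AuthenticationFilter"
VALIDATION_CLASSES = {
    "org.jasig.cas.client.validation.Cas20ServiceTicketValidationFilter",
    "org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter",
}
SIGNOUT_CLASS = "org.jasig.cas.client.session.SingleSignOutFilter"

# Constructed sample: validation filter has no mapping, casServerUrlPrefix is
# plain http, and the SingleSignOutFilter the update says to remove is present.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <filter>
    <filter-name>CAS Single Sign Out Filter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
  </filter>
  <filter>
    <filter-name>CASFilter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param><param-name>casServerLoginUrl</param-name>
                <param-value>https://sso.example.test:8443/cas/login</param-value></init-param>
    <init-param><param-name>serverName</param-name>
                <param-value>http://bi.example.test:9704</param-value></init-param>
  </filter>
  <filter-mapping>
    <filter-name>CASFilter</filter-name><url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter>
    <filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param><param-name>casServerUrlPrefix</param-name>
                <param-value>http://sso.example.test:8080/cas</param-value></init-param>
    <init-param><param-name>serverName</param-name>
                <param-value>http://bi.example.test:9704</param-value></init-param>
  </filter>
</web-app>
"""


def _text(elem, path):
    """Stripped text of a namespaced child element, or '' if absent."""
    return (elem.findtext(path, "", NS) or "").strip()


def _filters(root):
    """filter-name -> (filter-class, {param-name: param-value})."""
    out = {}
    for f in root.findall("j:filter", NS):
        params = {_text(p, "j:param-name"): _text(p, "j:param-value")
                  for p in f.findall("j:init-param", NS)}
        out[_text(f, "j:filter-name")] = (_text(f, "j:filter-class"), params)
    return out


def _mappings(root):
    """filter-name -> set of url-patterns the filter is mapped to."""
    out = {}
    for m in root.findall("j:filter-mapping", NS):
        out.setdefault(_text(m, "j:filter-name"), set()).update(
            (u.text or "").strip() for u in m.findall("j:url-pattern", NS))
    return out


def check_cas_web_xml(xml_text):
    """Return a list of findings; an empty list means the CAS wiring looks complete."""
    root = ET.fromstring(xml_text)
    filters, mappings = _filters(root), _mappings(root)
    findings = []

    def by_class(classes):
        return [(n, p) for n, (c, p) in filters.items() if c in classes]

    auth, validation = by_class({AUTH_CLASS}), by_class(VALIDATION_CLASSES)
    if not auth:
        findings.append("no AuthenticationFilter: unauthenticated requests are never redirected to CAS")
    if not validation:
        findings.append("no ticket validation filter: service tickets are never verified with the CAS server")
    for name, params in auth:
        if "/*" not in mappings.get(name, set()):
            findings.append(f"{name} is not mapped to /*")
        if not params.get("casServerLoginUrl", "").startswith("https://"):
            findings.append(f"{name}: casServerLoginUrl is not https")
    for name, params in validation:
        if "/*" not in mappings.get(name, set()):
            findings.append(f"{name} is not mapped to /*")
        if not params.get("casServerUrlPrefix", "").startswith("https://"):
            findings.append(f"{name}: casServerUrlPrefix is not https, so the validation "
                            "response is unprotected in transit")
    server_names = {p.get("serverName", "") for _, p in auth + validation}
    if len(server_names) > 1:
        findings.append(f"serverName differs between CAS filters: {sorted(server_names)}")
    for name, _ in by_class({SIGNOUT_CLASS}):
        findings.append(f"{name} is present; the 2012-08-24 update says to remove it (dashboard tab errors)")
    return findings


if __name__ == "__main__":
    for finding in check_cas_web_xml(SAMPLE_WEB_XML):
        print("FINDING:", finding)
```

Run it against the real file with `check_cas_web_xml(open("WEB-INF/web.xml").read())` before repackaging the WAR; on the constructed sample it reports the missing mapping, the plaintext casServerUrlPrefix, and the leftover SingleSignOutFilter.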
After editing, the CAS client jar (e.g. cas-client-core-3.2.1.jar) must also be placed in the lib directory under WEB-INF.
Then repackage with the jar tool shipped with the JDK, for example:
jar -cf analytics.war .
Next, package analytics.war, analytics-ws.war and the META-INF folder that sat alongside them into analytics.ear, for example:
jar -cf analytics.ear .
Then redeploy the application in the WebLogic console and start it.
In addition, a new Provider must be created in the security realm that connects to the user store CAS authenticates against (this may be AD, LDAP or a database). This step is very important,
because BIEE still looks up the CAS-authenticated username in that Provider; if the user does not exist there, login still fails.
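Two things decide whether a request gets through after the redirect to CAS: the ticket validation filter must accept the CAS server's serviceValidate response, and the asserted username must then exist in the WebLogic Provider just described. The following Python is an added example (not this post's code and not the Jasig CAS client) that models both steps offline. The CAS 2.0 response format it parses (cas:serviceResponse carrying either cas:authenticationSuccess/cas:user or cas:authenticationFailure with a code attribute) is the protocol format the validation filter consumes; the two responses and the provider user list are constructed for the example.

```python
# Added example: what the validation step and the provider lookup amount to,
# modelled offline. Sample responses and the provider user set are constructed.
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed: the CAS server accepted the service ticket for user "alice".
SUCCESS_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed: the CAS server rejected the ticket (expired, already used, or
# presented for a different service URL than it was issued for).
FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket ST-EXAMPLE not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

# Constructed stand-in for the WebLogic Provider's user store (AD, LDAP or a
# database in a real deployment, as the post notes).
PROVIDER_USERS = {"alice", "bob"}


def parse_validation_response(xml_text):
    """Return (principal, None) on success or (None, failure_code) otherwise.

    Anything malformed or unexpected is a failure: a validation step must never
    fall through to "authenticated" on input it did not understand.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None, "MALFORMED_RESPONSE"
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        user = (success.findtext("cas:user", "", CAS_NS) or "").strip()
        return (user, None) if user else (None, "MISSING_USER")
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return None, failure.get("code", "UNKNOWN")
    return None, "UNEXPECTED_RESPONSE"


def resolve_login(xml_text, provider_users=PROVIDER_USERS):
    """Ticket validation followed by the provider lookup BIEE performs.

    A user CAS vouches for but who is absent from the Provider is still
    rejected, which is exactly the failure the post warns about.
    """
    user, failure = parse_validation_response(xml_text)
    if failure:
        return {"ok": False, "reason": "cas:" + failure}
    if user not in provider_users:
        return {"ok": False, "reason": f"user {user!r} not found in provider"}
    return {"ok": True, "user": user}


if __name__ == "__main__":
    print(resolve_login(SUCCESS_RESPONSE))
    print(resolve_login(FAILURE_RESPONSE))
    print(resolve_login(SUCCESS_RESPONSE, provider_users={"bob"}))
```

The third call is the case from the paragraph above: CAS says "alice" but the Provider has no such user, so the login is refused even though the ticket was valid. When that happens in a real deployment, the fix is on the Provider side (point it at the same user store CAS uses), not in web.xml.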
Finally, enable SSO for BI in Enterprise Manager (EM),
as shown in the figure below:
Activate the changes and restart all OPMN components, and you are done.
Then access BIEE at http://xxxxx:9704/analytics/saw.dll?bieehome.
Note: the URL must carry the trailing saw.dll?bieehome suffix, otherwise an error is reported!