Wednesday, July 09, 2008

LDAP Search : Search for a user in Oracle Internet Directory

The need to search for a user's entry in Oracle Internet directory (OID) crops up very often in various situations.

You can easily do this using JNDI. Before proceeding with the code, you usually need to make sure of these things :-

1. You have access to Oracle Internet Directory.

2. You know the Distinguished Name ( DN ) of the entry that is the immediate parent of all the users.

3. You know the attribute used to search. E.g.: cn, mail, sn, etc.

4. You know that the attribute used to search has been "indexed" by Oracle Internet Directory.
You can then adapt this piece of code to suit your needs & look for users; the lines that set the search string, the LDAP URL, the user container DN and the bind credentials are the ones you must change :-

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.*;

String strSearchString = "sandeep";
String strLDAPUrl = "ldap://localhost:389";
String strUserRootDN = "cn=Users,dc=test,dc=com";
// An LDAP filter is written in parentheses, e.g. (cn=sandeep)
String strFilter = "(cn=" + strSearchString + ")";

Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, strLDAPUrl);
env.put(Context.SECURITY_AUTHENTICATION, "simple");

// You know the credentials to search in OID
env.put(Context.SECURITY_PRINCIPAL, "cn=orcladmin");
env.put(Context.SECURITY_CREDENTIALS, "mySecretPassword");

DirContext ctx = null;
try
{
    ctx = new InitialDirContext(env);

    // Search the entries directly under the user container and
    // ask OID to return only the "mail" attribute of each match.
    SearchControls controls = new SearchControls();
    controls.setSearchScope(SearchControls.ONELEVEL_SCOPE);
    controls.setReturningAttributes(new String[] {"mail"});

    NamingEnumeration<SearchResult> results = ctx.search(strUserRootDN, strFilter, controls);
    while (results.hasMore())
    {
        SearchResult result = results.next();
        Attribute attr = result.getAttributes().get("mail");
        if (attr != null)
        {
            System.out.println(attr.get());
        }
    }
}
catch (Exception e)
{
    e.printStackTrace();
}
finally
{
    try { if (ctx != null) ctx.close(); } catch (Exception ignore) {}
}
You can easily modify this piece of code to search for users in a group, etc.
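As an added example (not code from the original post), here is the same search written so that the search string is escaped before it is placed in the filter, and so that exactly one matching entry is required; the OID URL, bind DN, password and user container DN are parameters you supply.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.*;

public class OidUserSearch {

    // Escape LDAP filter metacharacters (RFC 4515) so a caller-supplied value cannot alter the filter.
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Mail attribute of the one user whose cn equals cn; null if none, NamingException if ambiguous.
    static String findMailByCn(String url, String bindDn, String password,
                               String userRootDn, String cn) throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.ONELEVEL_SCOPE); // direct children of the user container
            sc.setReturningAttributes(new String[] {"mail"}); // request only the attribute we need
            NamingEnumeration<SearchResult> results =
                ctx.search(userRootDn, "(cn=" + escapeFilterValue(cn) + ")", sc);
            if (!results.hasMore()) return null;
            SearchResult first = results.next();
            if (results.hasMore()) throw new NamingException("cn is not unique under " + userRootDn);
            Attribute mail = first.getAttributes().get("mail");
            return mail == null ? null : (String) mail.get();
        } finally {
            ctx.close();
        }
    }
}
```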

Tuesday, July 08, 2008

Oracle Application Server 10.1.2 : SSO Session and Application Session

We had successfully configured an application deployed in Oracle AS 10.1.3.x to use Oracle AS 10.1.2 SSO. We were trying to develop "single sign off" and we hit a bug.

We just figured out that the Oracle AS 10.1.2 Session and the Java Application Session are different.

The Oracle AS 10.1.2 Session is maintained by the SSO_ID cookie. As long as the SSO_ID cookie is present in the browser, the Oracle AS SSO "session" is maintained. The SSO session is killed only if the SSO_ID cookie is destroyed. The SSO_ID cookie is "killed" only when we issue this dynamic directive:-

response.sendError(499, "Oracle SSO");

However, the Java application session (an HTTP session) still lingers on. Hence, to clear the Java application session, we need to invalidate it explicitly using this :-

session.invalidate();

The moral of the story - for a true "Single Sign Off", we need to invalidate the SSO "session" and the Java Application Session.

Oracle AS 10.1.2 Logout using Dynamic Directives

You can log out a user from Oracle AS 10.1.2 by using these two dynamic directives :-

response.setHeader("Osso-Return-Url", "/Your_Application_Home_page");
response.sendError(499, "Oracle SSO");


The first dynamic directive informs the Oracle AS Single Sign On Server about the page that needs to be displayed after logout.

The second dynamic directive informs the Oracle AS Single Sign On Server that the user needs to be logged out immediately.

The two dynamic directives need to be used together. If the first one is left out, the SSO Server simply redirects the user to the Oracle Application Server Home Page on which the application is deployed.
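The two posts above fit together in one logout servlet. This is an added example, not code from the original posts: it invalidates the application's HttpSession first and then issues the two dynamic directives; the return URL is an assumed value standing in for your application's home page.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Single sign-off for an application protected by mod_osso: end the local
// application session first, then hand the browser to the SSO server with
// the two dynamic directives so that the SSO_ID cookie is destroyed as well.
public class LogoutServlet extends HttpServlet {

    // Assumed value: the page the SSO server should show after logout.
    private static final String RETURN_URL = "/myAppContext/index.jsp";

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        singleSignOff(request, response);
    }

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        singleSignOff(request, response);
    }

    private void singleSignOff(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // 1. Kill the Java application session; the SSO directive alone leaves it alive.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        // 2. Tell the SSO server where to send the user after logout. Without
        //    this header it falls back to the Oracle Application Server home page.
        response.setHeader("Osso-Return-Url", RETURN_URL);
        // 3. Status 499 with the reason "Oracle SSO" is intercepted by mod_osso,
        //    which logs the user out and clears the SSO_ID cookie.
        response.sendError(499, "Oracle SSO");
    }
}
```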

Friday, July 04, 2008

Oracle AS SSO : How to get important user information from SSO and OID

The Oracle AS 10.1.2 Single Sign on places useful user information in the HTTP request Headers. The partner application can access these request headers & get this useful information.

We can use this information provided by the Oracle AS 10.1.2 Single Sign on and query the underlying Oracle Internet Directory ( OID ) directly to obtain useful user information.

The three critical assumptions that we need to make at this point are :-

1. We are able to get the OSSO-User-Dn value from the request header.

2. We are able to connect to the OID anonymously to read the user information ( so that we do not need to authenticate again ).

3. We have access to the underlying OID ( usually, the OID is protected by a DMZ layer & ports may need to be opened at the firewall ).


We can proceed to write a simple JNDI code ( simple garden variety code, obtained from the Sun JNDI Tutorial Trail ) to get important user information from OID :-

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

DirContext objRootContext = null;
DirContext objUserContext = null;
Hashtable<String, String> objHashtable = null;
Attributes objUserAttributes = null;
Attribute objEmail = null;
Attribute objPhone = null;
String strUserDN = null;
String strEmail = null;
String strPhone = null;

objHashtable = new Hashtable<String, String>();

// Let's get the User DN from Single Sign On.
// CRITICAL ASSUMPTION : We get the User DN value from the SSO.
strUserDN = request.getHeader("Osso-User-Dn");

// Let's connect to the OID used by Oracle AS Single Sign On
// CRITICAL ASSUMPTION : We can access the OID
objHashtable.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
objHashtable.put(Context.PROVIDER_URL, "ldap://localhost:389/");
// CRITICAL ASSUMPTION : The OID should provide anonymous access.
// Bind anonymously and explicitly; a DN with an empty password is an
// "unauthenticated" bind, which directories may reject.
objHashtable.put(Context.SECURITY_AUTHENTICATION, "none");

try
{
    // Let's lookup the user from the root node.
    objRootContext = new InitialDirContext(objHashtable);
    objUserContext = (DirContext) objRootContext.lookup(strUserDN);

    // Let's get all the attributes
    objUserAttributes = objUserContext.getAttributes("");

    // Let's pull out only the attributes we are interested in.
    objEmail = objUserAttributes.get("mail");
    objPhone = objUserAttributes.get("phone");

    if (objEmail != null)
    {
        strEmail = (String) objEmail.get();
    }

    if (objPhone != null)
    {
        strPhone = (String) objPhone.get();
    }
}
catch (NamingException e)
{
    e.printStackTrace();
}
finally
{
    try { if (objUserContext != null) objUserContext.close(); } catch (NamingException ignore) {}
    try { if (objRootContext != null) objRootContext.close(); } catch (NamingException ignore) {}
}

We can now comfortably get the user information & use it further downstream in our applications.

Oracle AS SSO : How to get the User DN in a Java Application?

The Oracle AS 10.1.2 Single Sign on places useful user information in the HTTP request Headers. The partner application can access these request headers & get this useful information.

The authenticated user's distinguished name ( DN ) is a very important attribute. The DN can be used to pull out more information about the user from Oracle Internet Directory - e.g : the email address, the phone number, etc.

You can easily get the user DN of the authenticated user from the request by using this code snippet :-

String strUserDN = request.getHeader("Osso-User-Dn");

The DN can then be coupled with simple JNDI code to retrieve other attributes.
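The two posts above (reading Osso-User-Dn, then looking the DN up in OID) combined into one helper. This is an added example, not code from the original posts; the OID URL is an assumed value, and it reads the standard telephoneNumber attribute. The header is only trustworthy when the container is reachable solely through the mod_osso-protected Oracle HTTP Server, since any client that can reach the container directly can set it.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InvalidNameException;
import javax.naming.NamingException;
import javax.naming.directory.*;
import javax.naming.ldap.LdapName;
import javax.servlet.http.HttpServletRequest;

// Reads the DN that mod_osso placed in the request and fetches the user's
// contact attributes from OID with an anonymous bind.
public class OssoUserInfo {

    // Assumed OID URL. The container must only be reachable through the
    // mod_osso-protected OHS; otherwise the header is attacker-controlled input.
    private static final String OID_URL = "ldap://localhost:389/";

    // Returns {mail, telephoneNumber}; an element is null where the attribute is absent.
    static String[] lookupContact(HttpServletRequest request) throws NamingException {
        String dn = request.getHeader("Osso-User-Dn");
        if (dn == null || dn.trim().length() == 0) {
            throw new NamingException("request did not pass through mod_osso: no Osso-User-Dn");
        }
        // Parse as an LDAP name: rejects malformed input and avoids the
        // composite-name interpretation that lookup(String) gives '/' characters.
        LdapName userName;
        try {
            userName = new LdapName(dn);
        } catch (InvalidNameException e) {
            throw new NamingException("Osso-User-Dn is not a valid DN: " + dn);
        }
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, OID_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "none"); // anonymous read, no re-authentication
        DirContext ctx = new InitialDirContext(env);
        try {
            Attributes attrs = ctx.getAttributes(userName, new String[] {"mail", "telephoneNumber"});
            return new String[] { single(attrs, "mail"), single(attrs, "telephoneNumber") };
        } finally {
            ctx.close();
        }
    }

    private static String single(Attributes attrs, String id) throws NamingException {
        Attribute a = attrs.get(id);
        return a == null ? null : (String) a.get();
    }
}
```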

Thursday, July 03, 2008

Oracle AS 10.1.2 SSO Failure - Unable to process request

" Oracle SSO Failure - Unable to process request
Either the requested URL was not specified in terms of a fully-qualified host name or OHS single sign-on is incorrectly configured. "

We hit this error immediately after registering a Partner Application with Oracle AS 10.1.2 Single Sign On. It took some time for us to understand the problem & fix it.

The solution to the problem is detailed in the Metalink Note:311921.1. I'll just provide a brief summary here for people who do not have access to Oracle Metalink.

The URL used to register the Partner Application with Oracle AS 10.1.2 Single Sign On contains the fully qualified hostname - with the domain name.

E.g: http://host.domain.com/osso_login_success


However, the URL used to test the application did not contain the fully qualified hostname - we even tried with the IP address in the URL :-

E.g: http://host/osso_login_success

or

E.g: http://10.10.10.10/osso_login_success


Oracle AS 10.1.2 Single Sign On mandates that only the URL registered for the Partner Application be used. We cannot use any other URL format to access the application.

We then tried with the URL:-

E.g: http://host.domain.com/myAppContext


We used the registration URL in our browsers & it worked.

Oracle AS 10.1.3 : Use Oracle AS 10.1.2 SSO

I was trying to configure Oracle Application Server 10.1.3.x to use Oracle Application Server 10.1.2 Single Sign On.

I wanted to use Oracle Application Server 10.1.2 Single Sign On to protect an application deployed on Oracle Application Server 10.1.3.x. I checked out the available documents & Googled around a lot & collected this information. The information presented here isn't something new, but just a collection of information from various sources & my own experience.

The steps to achieve this are quite straightforward :-

0. Ensure that you have the osso1013 script in your Oracle App Server 10.1.3

You need to have the osso1013 script under the folder $ORACLE_HOME_1013/Apache/Apache/bin.

You will have this script only if you selected the SOA Suite Advanced Installation type & opted for "J2EE and Web Server".

1. Generate the Oracle AS Single Sign On Configuration File.

You can do this by running the ssoreg script present in $ORACLE_HOME_1012/sso/bin. The syntax of the command is :-

ssoreg.bat
-oracle_home_path $ORACLE_HOME_1012
-config_mod_osso TRUE
-site_name Any_Name_for_your_application
-remote_midtier
-config_file .conf
-mod_osso_url http://your_1013_app_server_home_page:port
You can open a command window / terminal & execute this command from $ORACLE_HOME_1012/sso/bin.

You have completed this step successfully, if you see this message on your command window / terminal :-

Check /$ORACLE_HOME_1012/sso/log/ssoreg.log for details of this registration
SSO registration tool finished successfully.

After this step, you should see Any_Name_for_your_application_osso.conf at $ORACLE_HOME/sso/bin.

You should also see your application registered as a Partner Application in the Oracle SSO Administration Page at :-

http://Your_1012_http_server_hostname:http_port/pls/orasso


The key points to remember at this step are :-

a. Ensure that the -mod_osso_url is the Oracle Application Server 10.1.3 Home Page and not the URL for your application
b. Always check the generated Log File to ensure that there are no errors.

2. Copy the generated Oracle AS Single Sign On Configuration File to the 10.1.3 Server.

You need to copy the generated Any_Name_for_your_application_osso.conf to your Oracle Application Server 10.1.3 system.

You can copy this to your $ORACLE_HOME_1013/Apache/Apache/bin folder.

3. Register the 10.1.3 Server with the 10.1.2 SSO.

You can navigate to the $ORACLE_HOME_1013/Apache/Apache/bin folder, open a command window / terminal and execute this command:

osso1013 Any_Name_for_your_application_osso.conf

You have completed this step successfully if you see this message on your command window / terminal :-

$ORACLE_HOME_1013/Apache/Apache/conf/httpd.conf successfully updated.
$ORACLE_HOME_1013/Apache/Apache/conf/mod_osso.conf successfully updated.

4. Protect your Application

You can now open mod_osso.conf under $ORACLE_HOME_1013/Apache/Apache/conf and add an entry to protect your application :-

<Location /Your_app_context>
    require valid-user
    AuthType Basic
</Location>

5. Restart the HTTP Server

That's it !

You can now enter your application's URL & you can see the Single Sign On page asking you to enter the credentials.

Tuesday, July 01, 2008

Oracle 10.1.3.x JavaSSO : LDAP Configuration Checklist

" In AS 10.1.3.x Oracle came up with the JavaSSO. Seems to be (from a high level perspective) a poor man's version of the SSO from the AS 10.1.2.x. "

Andreas

I have to agree with Andreas. The JavaSSO solution bundled with the Oracle Application Server 10.1.3.x is definitely a poor man's SSO, with a few basic options & very little available documentation.

I am working with Oracle Application Server 10.1.3.x JavaSSO & was trying to configure it with an Oracle Internet Directory. I hit a lot of "gotchas" & had to spend a lot of time wading through the documentation to get it working.

I guess I need a small "checklist" to summarize the steps I took to get it to work :-

1. Configure the OID as a Security Provider in the OC4J.
2. Start the JavaSSO application ( it is switched off by default ).
3. Configure JavaSSO to use the OID Security Provider.
4. Configure your application's web.xml & list the security settings.
5. Deploy the Application - ensure that the "Enable JavaSSO" option is checked at deploy time. You can do it later too from the administration console.
6. Ensure that the deployed application uses the OID Security Provider.
7. Configure the deployed application as a Partner Application in JavaSSO.


I'll provide more information on some of these steps in future posts.



BGInfo : Capture your Windows server's configuration

" BGInfo automatically displays relevant information about a Windows computer on the desktop's background, such as the computer name, IP address, service pack version, and more. "


BGInfo is a damn cool utility for Windows ! It quickly captures your system's current configuration & sets the information as your Desktop background. The Tool is very easy to install & use.

I found this tool to be very useful when you work with Server systems on Windows. I have worked on a few Projects where the Server is usually a Desktop innocently lying unused in a corner. The system is then cannibalized & converted into a "Server" & the required software installed on it. Hence, it's very important to capture certain important system parameters & verify that the software you are about to install is certified for the existing hardware / network / OS configuration. BGInfo comes to your rescue in such situations.

You can also use BGInfo as a command line utility - it even accepts a few command line options. I found the command line option /RTF very useful. According to the BGInfo Help Information,

/rtf Causes BGInfo to write its output text to an RTF file. All formatting information and colors are included.

You can use it in this manner :-


bginfo /rtf:D:\myConfiguration.rtf


You can then navigate to the D:\ drive on your system to find a neat RTF file with all the required information.

Boot Time: 7/1/2008 10:01 AM
CPU: Dual 2.00 GHz Intel Core2 Duo
Default Gateway: 101.178.223.184
DHCP Server: 101.178.223.180
DNS Server: 101.178.223.181
Free Space: C:\ 40.12 GB NTFS, D:\ 33.89 GB NTFS
Host Name: MYCOMP-LAP
IP Address: 101.178.223.189
Logon Domain: mycomp-lap
Logon Server: mycomp-lap
User Name: mycomp



I found BGInfo to be very useful & use it on every Windows-based "Server" that I get my hands on !