CASifying Oracle BI Publisher Enterprise Edition 11g
- Edvinas S.
Note
This method is NOT the best one and has some downsides/limitations (user attributes are not accessible), but it works!
Proper CASification would be configuring WebLogic Server to use CAS as a SAML Identity Provider.
Prerequisites (components that we are going to configure):
- Oracle BI Publisher EE
- Oracle WebLogic Server
- Oracle Enterprise Manager
1. Oracle BI Publisher (xmlpserver.ear) modification
Locate xmlpserver.ear in the BI installation (/bipublisher/Oracle_BI1/bifoundation/jee).
Add jars to xmlpserver.ear\xmlpserver.war\WEB-INF\lib\:
- cas-client-core-3.2.1.jar
- cas-client-obiee.jar (your jar with SecondCasHttpServletRequestWrapperFilter.class)
SecondCasHttpServletRequestWrapperFilter.java:

    package org.jasig.cas.client.obiee.filter;

    import java.io.IOException;
    import java.security.Principal;

    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletRequestWrapper;

    /**
     * Exposes the name of the authenticated principal as the request
     * parameter "cas_assertion_username".
     */
    public final class SecondCasHttpServletRequestWrapperFilter implements Filter {

        @Override
        public void init(FilterConfig filterConfig) throws ServletException {
            // nothing to do
        }

        @Override
        public void destroy() {
            // nothing to do
        }

        @Override
        public void doFilter(final ServletRequest servletRequest,
                             final ServletResponse servletResponse,
                             final FilterChain filterChain) throws IOException, ServletException {
            // Wrap every request so that downstream filters see the extra parameter.
            filterChain.doFilter(
                    new CasSSOUsernameParameterHttpServletRequestWrapper((HttpServletRequest) servletRequest),
                    servletResponse);
        }

        final class CasSSOUsernameParameterHttpServletRequestWrapper extends HttpServletRequestWrapper {

            CasSSOUsernameParameterHttpServletRequestWrapper(final HttpServletRequest request) {
                super(request);
            }

            @Override
            public String getParameter(String name) {
                if ("cas_assertion_username".equals(name)) {
                    Principal principal = getUserPrincipal();
                    if (principal != null) {
                        return principal.getName();
                    }
                }
                // No principal, or a different parameter: the value sent with the
                // request is returned unchanged, so this filter must only run
                // behind the CAS filters mapped in web.xml.
                return super.getParameter(name);
            }
        }
    }

Edit xmlpserver.ear\xmlpserver.war\WEB-INF\web.xml:

    ...
    <!-- CAS filters -->
    <filter>
        <filter-name>CAS Authentication Filter</filter-name>
        <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
        <init-param>
            <param-name>casServerLoginUrl</param-name>
            <param-value>http://[cas-host]:6060/cas/login</param-value>
        </init-param>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>http://[bi-host]:7001</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>CAS Validation Filter</filter-name>
        <filter-class>org.jasig.cas.client.validation.Cas10TicketValidationFilter</filter-class>
        <init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>http://[cas-host]:6060/cas</param-value>
        </init-param>
        <init-param>
            <param-name>serverName</param-name>
            <param-value>http://[bi-host]:7001</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
    </filter>
    <filter>
        <filter-name>secondCasHttpServletRequestWrapperFilter</filter-name>
        <filter-class>org.jasig.cas.client.obiee.filter.SecondCasHttpServletRequestWrapperFilter</filter-class>
    </filter>
    <!-- CAS filters END -->
    <filter>
        <filter-name>SecurityFilter</filter-name>
        <filter-class>oracle.xdo.servlet.security.SecurityFilter</filter-class>
        <init-param>
            <param-name>saw.cookie.id</param-name>
            <param-value>ORA_BIPS_NQID</param-value>
        </init-param>
    </filter>
    ...

    ...
    <filter-mapping> <filter-name>CAS Authentication Filter</filter-name> <url-pattern>/servlet/*</url-pattern> </filter-mapping>
    <filter-mapping> <filter-name>CAS Authentication Filter</filter-name> <url-pattern>/scheduler</url-pattern> </filter-mapping>
    <filter-mapping> <filter-name>CAS Authentication Filter</filter-name> <url-pattern>*.xdo</url-pattern> </filter-mapping>
    <filter-mapping> <filter-name>CAS Authentication Filter</filter-name> <url-pattern>*.xdm</url-pattern> </filter-mapping>
    <filter-mapping> <filter-name>CAS Authentication Filter</filter-name> <url-pattern>*.jsp</url-pattern> </filter-mapping>
    <filter-mapping> <filter-name>CAS Authentication Filter</filter-name> <url-pattern>/xdo/cache/*</url-pattern> </filter-mapping>
    <filter-mapping> <filter-name>CAS Authentication Filter</filter-name> <url-pattern>/xdo/tmp/*</url-pattern> </filter-mapping>
    <filter-mapping> <filter-name>CAS Authentication Filter</filter-name> <url-pattern>/xml/*</url-pattern> </filter-mapping>
    <filter-mapping> <filter-name>CAS Authentication Filter</filter-name> <url-pattern>/io/*</url-pattern> </filter-mapping>

    <filter-mapping> <filter-name>CAS Validation Filter</filter-name> <url-pattern>/servlet/*</url-pattern> </filter-mapping>
    <filter-mapping> <filter-name>CAS Validation Filter</filter-name> <url-pattern>/scheduler</url-pattern> </filter-mapping>
    <filter-mapping> <filter-name>CAS Validation Filter</filter-name> <url-pattern>*.xdo</url-pattern> </filter-mapping>
    <filter-mapping> <filter-name>CAS Validation Filter</filter-name> <url-pattern>*.xdm</url-pattern> </filter-mapping>
    <filter-mapping> <filter-name>CAS Validation Filter</filter-name> <url-pattern>*.jsp</url-pattern> </filter-mapping>
    <filter-mapping> <filter-name>CAS Validation Filter</filter-name> <url-pattern>/xdo/cache/*</url-pattern> </filter-mapping>
    <filter-mapping> <filter-name>CAS Validation Filter</filter-name> <url-pattern>/xdo/tmp/*</url-pattern> </filter-mapping>
    <filter-mapping> <filter-name>CAS Validation Filter</filter-name> <url-pattern>/xml/*</url-pattern> </filter-mapping>
    <filter-mapping> <filter-name>CAS Validation Filter</filter-name> <url-pattern>/io/*</url-pattern> </filter-mapping>

    <filter-mapping> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> <url-pattern>/servlet/*</url-pattern> </filter-mapping>
    <filter-mapping> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> <url-pattern>/scheduler</url-pattern> </filter-mapping>
    <filter-mapping> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> <url-pattern>*.xdo</url-pattern> </filter-mapping>
    <filter-mapping> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> <url-pattern>*.xdm</url-pattern> </filter-mapping>
    <filter-mapping> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> <url-pattern>*.jsp</url-pattern> </filter-mapping>
    <filter-mapping> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> <url-pattern>/xdo/cache/*</url-pattern> </filter-mapping>
    <filter-mapping> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> <url-pattern>/xdo/tmp/*</url-pattern> </filter-mapping>
    <filter-mapping> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> <url-pattern>/xml/*</url-pattern> </filter-mapping>
    <filter-mapping> <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> <url-pattern>/io/*</url-pattern> </filter-mapping>

    <filter-mapping> <filter-name>secondCasHttpServletRequestWrapperFilter</filter-name> <url-pattern>/servlet/*</url-pattern> </filter-mapping>
    <filter-mapping> <filter-name>secondCasHttpServletRequestWrapperFilter</filter-name> <url-pattern>/scheduler</url-pattern> </filter-mapping>
    <filter-mapping> <filter-name>secondCasHttpServletRequestWrapperFilter</filter-name> <url-pattern>*.xdo</url-pattern> </filter-mapping>
    <filter-mapping> <filter-name>secondCasHttpServletRequestWrapperFilter</filter-name> <url-pattern>*.xdm</url-pattern> </filter-mapping>
    <filter-mapping> <filter-name>secondCasHttpServletRequestWrapperFilter</filter-name> <url-pattern>*.jsp</url-pattern> </filter-mapping>
    <filter-mapping> <filter-name>secondCasHttpServletRequestWrapperFilter</filter-name> <url-pattern>/xdo/cache/*</url-pattern> </filter-mapping>
    <filter-mapping> <filter-name>secondCasHttpServletRequestWrapperFilter</filter-name> <url-pattern>/xdo/tmp/*</url-pattern> </filter-mapping>
    <filter-mapping> <filter-name>secondCasHttpServletRequestWrapperFilter</filter-name> <url-pattern>/xml/*</url-pattern> </filter-mapping>
    <filter-mapping> <filter-name>secondCasHttpServletRequestWrapperFilter</filter-name> <url-pattern>/io/*</url-pattern> </filter-mapping>

    <filter-mapping> <filter-name>SecurityFilter</filter-name> <url-pattern>/servlet/*</url-pattern> </filter-mapping>
    ...

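With four CAS filters mapped to nine URL patterns each, a dropped or misordered filter-mapping is easy to miss, and URL-pattern filters run in the order their filter-mapping elements appear in web.xml. The script below is an added example, not part of the original page or of the CAS client: it checks that every CAS-protected pattern carries all four filters in order ahead of SecurityFilter, and flags plain-http parameter values. The names audit and mapping and the host cas.example.test are assumptions made for the example; the filter names are the ones used in the web.xml above.

```python
import xml.etree.ElementTree as ET

# Filter names from the page's web.xml, in the order they must run.
CAS_CHAIN = ["CAS Authentication Filter", "CAS Validation Filter",
             "CAS HttpServletRequest Wrapper Filter",
             "secondCasHttpServletRequestWrapperFilter"]
ORDER = CAS_CHAIN + ["SecurityFilter"]

def local(tag):
    return tag.rsplit("}", 1)[-1]  # strip an XML namespace, if any

def audit(web_xml):
    """Return findings for a web.xml string; an empty list means no issue found."""
    findings, mappings = [], []  # mappings: (filter-name, url-pattern), document order
    for el in ET.fromstring(web_xml).iter():
        text = (el.text or "").strip()
        if local(el.tag) == "filter-mapping":
            name = next(((c.text or "").strip() for c in el
                         if local(c.tag) == "filter-name"), None)
            mappings += [(name, (c.text or "").strip()) for c in el
                         if local(c.tag) == "url-pattern"]
        elif local(el.tag) == "param-value" and text.startswith("http://"):
            findings.append("cleartext URL: " + text)
    for pattern in sorted({p for n, p in mappings if n in CAS_CHAIN}):
        seen = [n for n, p in mappings if p == pattern and n in ORDER]
        missing = [n for n in CAS_CHAIN if n not in seen]
        if missing:
            findings.append(f"{pattern}: missing {', '.join(missing)}")
        elif seen != [n for n in ORDER if n in seen]:
            findings.append(f"{pattern}: filters mapped out of order or twice")
    return findings

# Constructed sample, not the page's file: plain-http CAS login URL, and the
# second wrapper filter is not mapped to *.xdo.
def mapping(name, pattern):
    return (f"<filter-mapping><filter-name>{name}</filter-name>"
            f"<url-pattern>{pattern}</url-pattern></filter-mapping>")

SAMPLE = ("<web-app><filter><filter-name>CAS Authentication Filter</filter-name>"
          "<init-param><param-name>casServerLoginUrl</param-name>"
          "<param-value>http://cas.example.test:6060/cas/login</param-value>"
          "</init-param></filter>"
          + "".join(mapping(n, "/servlet/*") for n in ORDER)
          + "".join(mapping(n, "*.xdo") for n in CAS_CHAIN[:3])
          + "</web-app>")

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run it against the edited web.xml before repackaging xmlpserver.ear; patterns are compared as literal strings, so overlapping patterns such as /servlet/* and *.xdo are checked independently.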
2. BI Publisher configuration
Don't forget to enable Local Super User.
3. Oracle Enterprise Manager configuration
Enable SSO and configure role memberships to have the authenticated-role principal (users logged in using CAS will only have this role).
4. Oracle WebLogic Server configuration
5. Restart Oracle WebLogic Server
Start and stop scripts are in /bipublisher/user_projects/domains/bifoundation_domain/bin/
- shutdown: if the shutdown script doesn't work, you can shut down through the WLS GUI
- start: "nohup ./startWebLogic.sh &>/dev/null &" - to run in the background.