Experts, We have a requirement to embed an external URL on the OAS login.jsp page. We have implemented the below steps to make it work, but it is still giving the CSP error mentioned below. login.jsp:1 Refused to load the script 'Required URL' because it violates the following Content Security Policy directive: "script-src'self' 'unsafe-inline' 'unsafe-eval'". Note that'script-src-elem' was not explicitly set, so'script-src' is used as a fallback. Steps followed - * Redeployed bi-security-login.war after making changes in login.jsp file * Opened communication between OAS and URL host name on the required port; telnet is working fine for this URL from the OAS application server. * Added URL entry in instanceconfig.xml file based on oracle document - Embedding External Content in Dashboards * Added URL host name in Safe Domains (OAS console - Safe domains) Thanks, Shailesh

Oracle Communities

Oracle Analytics and AI

Child Item

How to Embed an External URL in the login.jsp file of OAS 6.4

Experts,

We have a requirement to embed an external URL on the OAS login.jsp page. We have implemented the below steps to make it work, but it is still giving the CSP error mentioned below.

login.jsp:1 Refused to load the script 'Required URL' because it violates the following Content Security Policy directive: "script-src'self' 'unsafe-inline' 'unsafe-eval'". Note that'script-src-elem' was not explicitly set, so'script-src' is used as a fallback.

Steps followed -

Redeployed bi-security-login.war after making changes in login.jsp file
Opened communication between OAS and URL host name on the required port; telnet is working fine for this URL from the OAS application server.
Added URL entry in instanceconfig.xml file based on oracle document - Embedding External Content in Dashboards
Added URL host name in Safe Domains (OAS console - Safe domains)

Thanks,

Shailesh

Find more posts tagged with

Embedding

Accepted answers

Gianni Ceresa

You aren't trying to embed content in OAS, you are customizing the lightweight SSL login page.

Don't confuse that with OAS ("classic", aka /analytics, or DV). It is an independent deployment that isn't affected by anything that is documented on how to customize OAS.

I'm not even sure if customizing that WAR is officially supported (I did it to display a custom logo instead of Oracle, but never checked if it's officially supported). There is also no documentation on how to customize that piece because it isn't meant to be done (that's my reading of the lack of documentation: it has been asked a few times in the past since OBIEE 12.2.1.3 when it first become the default login method).

All comments

Gianni Ceresa

The login page of the lightweight SSO is not part of the DV deployment and it is also not part of the "classic" deployment.

The CSP settings you defined in 3. and 4. only applies there inside. You should look at the WebLogic level what kind of settings exists to manage CSP. It could be something to be configured inside the deployment (inside the WAR you modified) or directly in WebLogic. But it's a WebLogic things more than an Oracle Analytics question.

Shailesh Pandey-Oracle

Thank you @Gianni Ceresa for your input.

CSP for login.jsp file is controlled under the same file; there is a section in the file where we can whitelist content or URL, but after handling this error, we are getting some errors in require.js, which is also part of the bi-security-login war file only. As there is no official Oracle documentation to embed content in OAS, we are troubleshooting all JS files involved in the complete process.

Thanks,

Shailesh

Gianni Ceresa

You aren't trying to embed content in OAS, you are customizing the lightweight SSL login page.

Don't confuse that with OAS ("classic", aka /analytics, or DV). It is an independent deployment that isn't affected by anything that is documented on how to customize OAS.

Shailesh Pandey-Oracle

Hi @Gianni Ceresa

Yes, the approach is to call a web service that is hosted on another server; in an ideal scenario, this should work, but after OBIEE 12.2.1.3, as you said, major modifications have been made to tighten up the lightweight SSL login page (without any document to handle this). If this approach does not work, we probably need to create a new web service that will be hosted and deployed on our application's weblogic server.

Thanks,

Shailesh

Gianni Ceresa

What is your webservice call supposed to do? Is that your login/authentication mechanism?

As far as I know, in OAS the lightweight SSL must not be touched. It is required, it must be there the way it is and should not be turned off.

Maybe you can do what you need with your web service somewhere else? Or get the same result in a different way?

Shailesh Pandey-Oracle

Hi @Gianni Ceresa

Yes, we are trying to implement external authentication, in which a web service will help us to return the national ID of the user, and we are using that national ID as the username and password (through WL SQL authenticator) to allow the user to access the OAS application.

We are planning to create and deploy the same web service (to return a national ID) on our OAS application weblogic server if the above approach doesn't work.

Thanks,

Shailesh

Gianni Ceresa

You are playing with something that doesn't sound like "supported" officially (OAS did reduce massively the list of certified authenticators and authentication sources). The lightweight SSO login deployment is just meant to be a simple login form and nothing else.

You work for Oracle, you should consider taking this internally (this is a public forum) and get it solved internally. If then it does work and it is officially supported, you could consider documenting the solution as a MOS document or as a blog.

Shailesh Pandey-Oracle

Sure, Noted @Gianni Ceresa

Steve F-2

@Shailesh Pandey-Oracle - Gianni is correct, your approach of 'hacking' files is certainly not supported.

You can/should take a supported approach.

Configure Custom SSO Environments

Oracle Analytics Server's support for custom SSO starts where a custom asserter is working correctly to pass the authenticated user's UserID to the Weblogic chain of Oracle Analytics-certified authenticators.

Shailesh Pandey-Oracle

@SteveF-Oracle - We are not hacking files; we are just performing one POC on our test environment based on the customer requirement, knowing that this is not supported even though it will work.

Yes, I agree. Configuring a certified SSO is always an appropriate approach, which we have already added for some users.

Thanks,

Shailesh