4 Replies. Latest reply: Nov 17, 2011 5:48 PM by 623479

    Custom Authentication

    876881
      Hello,

      I'm trying to set up a custom authentication using the Hyperion Shared Services Java API. I have a few questions about the API.

      1. I'm not sure where the API is. I've added common/CSS/11.1.2.0/lib/css.jar to customAuth.jar as an external jar; was that the right thing to do?

      2. In order to test my modifications, do I need to relaunch the configuration with EPM System Configurator, and restart Hyperion, or can I simply use the 'deployment' part in the Hyperion Console (web interface)?
      EPM System Configurator keeps telling me that the ports of Foundations and Planning are already in use, even after shutting down all of the Oracle and Hyperion services.

      Anyway, when I try to log on to Hyperion Planning, I get the following error:
      ClassCastException: UnsatisfiedLinkError
      I guess it didn't manage to cast my CustomAuthenticationImpl to a CSSCustomAuthenticationIF. My class is exactly the same as in the documentation.

      I copied customAuth.jar to common/CSS/11.1.2.0/lib/ and to the WEB-INF/lib directories of HyperionPlanning.ear and interop.ear.

      Thanks in advance
        • 1. Re: Custom Authentication
          876881
          I was not using the right option to deploy the .ear. There is a button "update" for this purpose. Unlock the configuration to enable it.

          I am facing a new problem though. How to build a wrapper around the existing authentication? i.e. How to call the original authentication module in the custom one? If one calls the authenticate method in the custom module, it will call the custom module recursively. I've tried to match the passwords by myself, but the getPassword() method of the CSSNativeUserIF class returns null.
            • 3. Re: Custom Authentication
              876881
              I've solved my problem:
              CSSAPIAuthenticationImpl(new CSSSystem.getManager()) is the built-in authentication module.
              • 4. Re: Custom Authentication
                623479
                Hello,

                I am attempting to set up SSO for Shared Services and HFM and I want to create a custom Login Class. I've read the documentation and I believe I'm on the right track. Listed below is the sample code that's provided. Can you tell me the steps you took to compile the .jar file and any other steps that are required?

                Thanks
                Tony

                package com.hyperion.css.sso.agent;

                import java.io.ByteArrayInputStream;
                import java.security.Principal;
                import java.security.cert.CertificateFactory;
                import java.security.cert.X509Certificate;

                import javax.servlet.http.HttpServletRequest;
                import javax.servlet.http.HttpServletResponse;

                import com.hyperion.css.CSSSecurityAgentIF;
                // CSSConfigurationDefaults (used in getCertificate) also needs an import
                // from the CSS API; the posted sample does not include one.

                /**
                 * X509CertificateSecurityAgentImpl implements the CSSSecurityAgentIF
                 * interface. It accepts the X509 certificate of the authenticated user
                 * from the Web Server via a header, parses the certificate, extracts the
                 * DN of the User and authenticates the user.
                 */
                public class X509CertificateSecurityAgentImpl implements CSSSecurityAgentIF
                {
                    static final String IDENTITY_ATTR = "CN";
                    String g_userDN = null;
                    String g_userName = null;
                    String hostAddress = null;

                    /**
                     * Returns the User name (login name) of the authenticated user,
                     * for example demouser. See CSS API documentation for more information
                     */
                    public String getUserName(HttpServletRequest req, HttpServletResponse res)
                        throws Exception
                    {
                        hostAddress = req.getServerName();
                        String certStr = getCertificate(req);
                        if (certStr == null)
                        {
                            // Header absent: fail here instead of with a NullPointerException
                            throw new Exception("Certificate header not found");
                        }
                        String sCert = prepareCertificate(certStr);
                        /* Authenticate with a CN */
                        parseCertificate(sCert);
                        /* Authenticate if the Login Attribute is a DN */
                        if (g_userName == null)
                        {
                            throw new Exception("User name not found");
                        }
                        return g_userName;
                    }

                    /**
                     * Passing null since this is a trusted Security agent authentication
                     * See Security API documentation for more information on CSSSecurityAgentIF
                     */
                    public String getPassword(HttpServletRequest req, HttpServletResponse res)
                        throws Exception
                    {
                        return null;
                    }

                    /**
                     * Get the Certificate sent by the Web Server in the HYPLOGIN header.
                     * If you pass a different header name from the Web server, change the
                     * name in the method.
                     */
                    private String getCertificate(HttpServletRequest request)
                    {
                        return request.getHeader(CSSConfigurationDefaults.HTTP_HEADER_HYPLOGIN);
                    }

                    /**
                     * The certificate sent by the Web server is a String.
                     * Put a "\n" in place of whitespace so that the X509Certificate
                     * java API can parse the certificate.
                     */
                    private String prepareCertificate(String gString)
                    {
                        String str1 = gString.replace("-----BEGIN CERTIFICATE-----", "");
                        String str2 = str1.replace("-----END CERTIFICATE-----", "");
                        return "-----BEGIN CERTIFICATE-----"
                            + str2.replace(" ", "\n") + "-----END CERTIFICATE-----";
                    }

                    /**
                     * Parse the certificate
                     * 1. Create X509Certificate using the certificateFactory
                     * 2. Get the Principal object from the certificate
                     * 3. Set the g_userDN to a certificate attribute value (DN in this sample)
                     * 4. Parse the attribute (DN in this sample) to get a unique username
                     */
                    private void parseCertificate(String sCertificate) throws Exception
                    {
                        // CertificateException and UnsupportedEncodingException propagate
                        // to the caller unchanged, as in the original catch-and-rethrow.
                        X509Certificate clientCert = (X509Certificate) CertificateFactory
                            .getInstance("X.509")
                            .generateCertificate(
                                new ByteArrayInputStream(sCertificate.getBytes("UTF-8")));
                        if (clientCert != null)
                        {
                            Principal princDN = clientCert.getSubjectDN();
                            String dnStr = princDN.getName();
                            g_userDN = dnStr;
                            // Assumes the DN starts with "CN=": skip those 3 characters
                            // and stop at the first comma (or at the end if there is none).
                            int idx = dnStr.indexOf(",");
                            if (idx < 0)
                            {
                                idx = dnStr.length();
                            }
                            g_userName = dnStr.substring(3, idx);
                        }
                    } // end of parseCertificate
                } // end of class
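
Added example (not part of the posts above and not Oracle's sample code): the posted class takes the user name with dnStr.substring(3, idx), which is only correct when the DN starts with "CN=" and the CN contains no comma. The class below parses the DN with the JDK's javax.naming.ldap.LdapName instead and rejects DNs with a missing or ambiguous CN; the names SubjectCnExtractor and extractCn and the sample DNs are constructed for illustration.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class SubjectCnExtractor {

    /** Returns the single CN of the DN; throws if it is missing or ambiguous. */
    static String extractCn(String subjectDn) throws InvalidNameException {
        // LdapName applies RFC 2253 parsing, so escapes such as "\," are honoured.
        LdapName name = new LdapName(subjectDn);
        String cn = null;
        for (Rdn rdn : name.getRdns()) {
            if (rdn.size() > 1) {
                // Multi-valued RDN (e.g. CN=a+OU=b): refuse rather than guess.
                throw new InvalidNameException("multi-valued RDN in: " + subjectDn);
            }
            if (!"CN".equalsIgnoreCase(rdn.getType())) {
                continue;
            }
            Object value = rdn.getValue();
            if (cn != null || !(value instanceof String)) {
                throw new InvalidNameException("ambiguous or binary CN in: " + subjectDn);
            }
            cn = (String) value;
        }
        if (cn == null || cn.trim().isEmpty()) {
            throw new InvalidNameException("no CN in: " + subjectDn);
        }
        return cn;
    }

    public static void main(String[] args) {
        // Constructed sample DNs, not taken from the thread.
        String[] samples = {
            "CN=demouser,OU=Finance,O=Example",
            "OU=Finance,CN=demouser,O=Example",     // CN is not the first RDN
            "CN=Doe\\, John,OU=Finance,O=Example",  // escaped comma inside the CN
            "OU=Finance,O=Example"                  // no CN at all
        };
        for (String dn : samples) {
            try {
                System.out.println(dn + " -> " + extractCn(dn));
            } catch (InvalidNameException e) {
                System.out.println(dn + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

With a parsed certificate, pass clientCert.getSubjectX500Principal().getName(), which returns the subject DN in RFC 2253 form.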