2 Replies Latest reply: Oct 9, 2006 5:38 AM by 459769

    Application-to-application authentication using Calendar Web Services

    380399
      Calendar Web Services
      Application-to-application authentication
      (Proxy authentication)

      Abstract:

      Application-to-application authentication allows services to trust other services without having to authenticate the end-user making use of these services. The Calendar Web Services offers an application-to-application authentication mechanism called “Proxy Authentication”.

      What is Proxy Authentication?

      The Calendar Web Services Proxy Authentication is a solution that was developed by the Oracle Calendar team and is similar to what SSO would be to the web. Proxy Authentication allows any application developed using the Calendar Web Services Toolkit to establish a trusted authentication link to the Calendar Server via the Calendar Web Services.

      What do I need to get Proxy Authentication going?

      -     The Calendar Web Services Toolkit 9.0.4.2.X (Calendarlet.jar)
      -     The Calendar Web Services 9.0.4.2.X (OCAS)
      -     The Calendar Server 9.0.4.2.X (Calserv)
      -     Oracle Internet Directory 9.0.4.X (OID)

      Your collaboration suite deployment MUST be configured in a way where the Calendar Server is connected to the OID (done by default). This is fundamental given that Proxy Auth is designed to extensively use the OID security schemes.

      How to configure Proxy Authentication?

      You must have:
      1.     Access to the OID administrator account.
      2.     Access to the ldap tools ($ORACLE_HOME/ldap/bin).
      3.     Access to the Oracle Calendar Server administrator password.

      OID Configuration
      Create an entry for your application product in OID

      The following entry needs to be created:
      - cn=OracleContext
      - cn=Products
      - cn=MyApplicationProduct

      The MyApplicationProduct.ldif will look like:

      dn: cn=MyApplicationProduct,cn=Products,cn=OracleContext
      objectClass: orclContainer
      objectClass: top

      The command to add the entry is
      ./ldapadd -h HOSTNAME.COM -p OIDPORT -D "cn=orcladmin" -w PASSWORD -f ./MyApplicationProduct.ldif

      Where [HOSTNAME.COM] is the OID server hostname, [PASSWORD] is the password for the OID directory and [OIDPORT] is the OID port.

      Create an application entity for MyAppName in OID
      The following entry needs to be added to the OID:
      - cn=OracleContext
      - cn=Products
      - cn= MyApplicationProduct
      - orclApplicationCommonName=MyAppName

      The MyAppName.ldif will look like:

      dn: orclApplicationCommonName=MyAppName,cn=MyApplicationProduct,cn=Products,cn=OracleContext
      objectClass: orclApplicationEntity
      objectClass: top
      orclApplicationCommonName: MyAppName
      userpassword: test1

      The command to add the entry is
      ./ldapadd -h HOSTNAME.COM -p OIDPORT -D "cn=orcladmin" -w PASSWORD -f ./MyAppName.ldif

      Ensure the entry is properly configured
      Perform an LDAP search to locate the entry's distinguished name:

      "orclApplicationCommonName=MyAppName,cn=MyApplicationProduct,cn=Products,cn=OracleContext"

      ./ldapsearch -h HOSTNAME.COM -p OIDPORT -D "cn=orcladmin" -w PASSWORD \
        -b "cn=MyApplicationProduct,cn=Products,cn=OracleContext" \
        "objectclass=orclApplicationEntity" "c"

      Grant proxy privileges to the new application entity
      This creates an entry in OID:

      - dc=com
      - dc=oracle
      - dc=us
      - cn=OracleContext
      - cn=Products
      - cn=Calendar
      - cn=UserProxyPrivilege
      - uniquemember: orclApplicationCommonName=MyAppName,cn=MyApplicationProduct,cn=Products,cn=OracleContext

      From the $ORACLE_HOME/ocal/bin

      ./unioidconf -grantproxyprivilege \
        "orclApplicationCommonName=MyAppName,cn=MyApplicationProduct,cn=Products,cn=OracleContext"

      NOTE: you need the calendar server admin password.

      How to use Proxy Authentication?

      Once you have successfully configured your OID and Calendar Server, you must start the real work: coding. It is actually simple to implement.

      In your Java application, you will simply replace the BasicAuth class with the ProxyAuth class. You then set the end-user identity, along with the proxy application name and proxy application password you registered a moment ago.

      Ex:
      ProxyAuth auth = new ProxyAuth();

      auth.setApplicationName("orclApplicationCommonName=MyAppName, cn=MyApplicationProduct, cn=Products, cn=OracleContext");
      auth.setApplicationPassword("test1");
      auth.setName(myUserId);

      Your application will no longer need to pass the end-user’s password to the Calendar Web Services. From now on, it is your application’s responsibility to authenticate the end-user.

      Frederic Leblanc
        • 1. Re: Application-to-application authentication using Calendar Web Services
          459769
          Hi, I'm programming a PL/SQL program that outputs HTML, how can I use ProxyAuth without the Calendarlet.jar Java file?
          • 2. Re: Application-to-application authentication using Calendar Web Services
            459769
            I found the solution:

            Using the CalendaringResponse.getReceiveBuffer() and getSendBuffer() methods, the soap request looks something like this:

            Sendbuffer: <?xml version='1.0' encoding='UTF-8'?>
            <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
            <SOAP-ENV:Header>
            <auth:ProxyAuth xmlns:auth="http://www.oracle.com/WebServices/Calendaring/Authentication/1.0/"><ApplicationName>orclApplicationCommonName=MyAppName,cn=MyApplicationProduct, cn=Products, cn=OracleContext</ApplicationName><ApplicationPassword>testpw1</ApplicationPassword><Name>king</Name></auth:ProxyAuth>
            </SOAP-ENV:Header>
            <SOAP-ENV:Body>
            <cwsl:Search xmlns:cwsl="http://www.oracle.com/WebServices/Calendaring/1.0/"><CmdId>MySearchCommandID-1</CmdId><vQuery><From>VEVENT</From><Where>DTEND &gt;= '20061007T220000Z' AND DTSTART &lt;= '20061014T215900Z'</Where></vQuery></cwsl:Search>
            </SOAP-ENV:Body>
            </SOAP-ENV:Envelope>
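Building the request shown in the reply above without Calendarlet.jar, as an added example in Python rather than PL/SQL (not code from the thread or from Oracle): `build_proxy_search` assembles the envelope with the ProxyAuth header using the namespaces quoted above, and `proxy_identity` reads the application DN and end-user name back out so the caller can log who was impersonated. The DN, password, user name and date range are constructed sample values.

```python
# Added example, not part of the original thread. Builds the Calendar Web
# Services SOAP Search request with a ProxyAuth header and parses it back.
import xml.etree.ElementTree as ET

# Namespaces exactly as quoted in the reply's send buffer.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
AUTH_NS = "http://www.oracle.com/WebServices/Calendaring/Authentication/1.0/"
CWSL_NS = "http://www.oracle.com/WebServices/Calendaring/1.0/"
ET.register_namespace("SOAP-ENV", SOAP_NS)
ET.register_namespace("auth", AUTH_NS)
ET.register_namespace("cwsl", CWSL_NS)


def build_proxy_search(app_dn, app_password, end_user, start_utc, end_utc,
                       cmd_id="MySearchCommandID-1"):
    """Return the SOAP envelope (str) for a Search run on behalf of end_user."""
    if not end_user:
        # Proxy auth trusts the application's word for the user; never send an
        # empty or unauthenticated identity.
        raise ValueError("end_user must be set by the calling application")
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    auth = ET.SubElement(header, f"{{{AUTH_NS}}}ProxyAuth")
    # Only the application credential travels; the end user's password does not.
    ET.SubElement(auth, "ApplicationName").text = app_dn
    ET.SubElement(auth, "ApplicationPassword").text = app_password
    ET.SubElement(auth, "Name").text = end_user
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    search = ET.SubElement(body, f"{{{CWSL_NS}}}Search")
    ET.SubElement(search, "CmdId").text = cmd_id
    query = ET.SubElement(search, "vQuery")
    ET.SubElement(query, "From").text = "VEVENT"
    # ElementTree escapes >= and <= to &gt;= and &lt;= as in the captured buffer;
    # hand-concatenated XML would have to do this itself.
    ET.SubElement(query, "Where").text = (
        f"DTEND >= '{start_utc}' AND DTSTART <= '{end_utc}'")
    return "<?xml version='1.0' encoding='UTF-8'?>\n" + ET.tostring(env, encoding="unicode")


def proxy_identity(envelope):
    """Return (application DN, end-user name) from a ProxyAuth header, or None."""
    root = ET.fromstring(envelope)
    auth = root.find(f"{{{SOAP_NS}}}Header/{{{AUTH_NS}}}ProxyAuth")
    if auth is None:
        return None
    return auth.findtext("ApplicationName"), auth.findtext("Name")


if __name__ == "__main__":
    # Constructed sample values, matching the shape used in the thread.
    dn = "orclApplicationCommonName=MyAppName,cn=MyApplicationProduct,cn=Products,cn=OracleContext"
    msg = build_proxy_search(dn, "test1", "king", "20061007T220000Z", "20061014T215900Z")
    print(msg)
    print(proxy_identity(msg))
```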