Extending OracleAS 10g SSO to IIS and ASP.NET via Apache MOD_PROXY and MOD_OSSO
By Jason Bennett
Sometimes it’s just fun to do things the hard way. My goal was to demonstrate how an ASP.NET application can be protected under the OracleAS 10g Single Sign-On umbrella without using the osso_proxy plugin for IIS provided by Oracle Corporation. As usual, I found a way to do it. Using Apache’s mod_proxy and OracleAS 10g’s mod_osso, we simply create a reverse proxy from Apache to IIS and protect the proxy URL pattern (a pattern in the URL that tells Apache to pass the request on to IIS) with mod_osso. The SSO-specific HTTP headers such as HTTP_OSSO_USER_DN and HTTP_OSSO_SUBSCRIBER_DN are forwarded to IIS and retained for the life of the session.
What’s the catch? This only works if you are accessing the ASP.NET page through the proxy URL. It’s a small catch, and it allows the integration of web-based .NET applications with your SSO-protected, web-based J2EE applications running under OracleAS 10g. The next few sections detail the steps required to perform this integration.
Create and Deploy an ASP.NET page
The first thing we need to do is create and deploy a simple ASP.NET page such as the following (testpage.aspx):
<%@ Page Language="C#" %>
<html>
<body>
<%if (Request.ServerVariables["HTTP_OSSO_USER_DN"] == null){%>
<B> You are not authenticated via OracleAS 10g SSO Server.</B>
<%}else{%>
<TABLE>
<TR><TD><B>Server Variable</B></TD><TD><B>Value</B></TD></TR>
<% foreach(string name in Request.ServerVariables){%>
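<%-- HTML-encode the output: header values such as the user agent are supplied by the client --%>
<TR><TD> <%= Server.HtmlEncode(name) %> </TD><TD> <%= Server.HtmlEncode(Request.ServerVariables[name]) %> </TD></TR>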
<%}%>
</TABLE>
<%}%>
</body>
</html>
Next, deploy the page to an IIS server (5.0 or 6.0).
Configure OracleAS 10g OHS (Apache 1.3) as a Reverse Proxy
The next step is to configure the OracleAS 10g OHS to act as a reverse proxy to IIS for any request containing a specific URL pattern such as ‘/asptest/’. To do this, we add the following lines to the httpd.conf file:
ProxyRequests off
ProxyPass /asptest/ http://<IIS server host>/<application virtual directory>/
ProxyPassReverse /asptest/ http://<IIS server host>/<application virtual directory>/
In my case it was:
ProxyRequests off
ProxyPass /asptest/ http://192.168.0.4/ASPApplications/
ProxyPassReverse /asptest/ http://192.168.0.4/ASPApplications/
(Note: mod_proxy must be loaded for this to work.)
Now, any request to OracleAS 10g OHS with a format like ‘http://<server>:<port>/asptest/<pagename>.aspx’ will be redirected to ‘http://<IIS server host>/<application virtual directory>/<pagename>.aspx’. The hostname and port in the browser will remain unchanged. It will appear to the user as if OracleAS 10g executed the ASP.NET page.
Register the Proxy URL Pattern with MOD_OSSO
Since our goal is to SSO-enable the ASP.NET page, we need to register the proxy URL pattern, ‘/asptest’ (or whatever you have chosen), with mod_osso. To do this, simply add lines similar to these to the mod_osso.conf file on the same OHS instance that you previously modified:
<Location /asptest>
require valid-user
AuthType Basic
</Location>
Restart the OHS, and any request containing ‘/asptest/’ will be required to authenticate to the OracleAS 10g SSO Server.
Execute the Page ……
Execute the page, http://<myserver>:<port>/asptest/testpage.aspx, through OracleAS 10g. After authenticating with a valid SSO user account, you should get these results along with many others including the SSO cookie:
Server Variable              Value
HTTP_HOST                    192.168.0.4
HTTP_USER_AGENT              Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
HTTP_CHRONOS                 aggregate
HTTP_CLIENTIP                192.168.0.2
HTTP_ORACLE_CACHE_VERSION    9.0.4
HTTP_ORACLE_ECID             75708589919,1
HTTP_SSL_HTTPS               off
HTTP_SURROGATE_CAPABILITY    orcl="webcache/1.0 Surrogate/1.0 ESI/1.0 ESI-Inline/1.0 ESI-INV/1.0 ORAESI/9.0.4"
HTTP_OSSO_USER_GUID          D2F642ED97E88476E030007F010077D7
HTTP_OSSO_USER_DN            cn=portal,cn=users, dc=jbennett,dc=com
HTTP_OSSO_SUBSCRIBER         DEFAULT COMPANY
HTTP_OSSO_SUBSCRIBER_DN      dc=jbennett,dc=com
HTTP_OSSO_SUBSCRIBER_GUID    D2F4E032B08D05C5E030007F010046F6
HTTP_X_FORWARDED_FOR         127.0.0.1
HTTP_X_FORWARDED_HOST        jbennett:7778
HTTP_X_FORWARDED_SERVER      jbennett
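The SSO headers only appear when the page is reached through the proxy URL; a request sent straight to IIS never passes mod_osso, so the ASP.NET side should not treat HTTP_OSSO_* values as proof of identity unless the connection came from OHS. The following is an added example, not code from the original article: an ASP.NET HTTP module that enforces this for every page in the application. The class name OssoProxyGateModule and the proxy address 192.0.2.10 are assumptions; replace the address with the one IIS sees for your OHS host.

```csharp
using System;
using System.Web;

// Added example (not from the original article). Rejects any request that
// did not arrive from the OHS reverse proxy, so HTTP_OSSO_* values are only
// ever read from connections that passed through mod_osso.
// Register it in web.config under <system.web><httpModules>.
public class OssoProxyGateModule : IHttpModule // hypothetical name
{
    // Assumption: the address IIS sees for the OHS host (placeholder value).
    private const string TrustedProxyAddress = "192.0.2.10";

    public void Init(HttpApplication app)
    {
        app.BeginRequest += new EventHandler(OnBeginRequest);
    }

    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest request = app.Request;

        // UserHostAddress is the TCP peer (REMOTE_ADDR); unlike a header,
        // the caller cannot choose it by adding fields to the request.
        if (request.UserHostAddress != TrustedProxyAddress)
        {
            Deny(app, "Requests must come through the SSO proxy.");
            return;
        }

        // From the proxy but without an SSO identity: the URL is probably
        // not covered by a <Location> block in mod_osso.conf.
        string userDn = request.ServerVariables["HTTP_OSSO_USER_DN"];
        if (userDn == null || userDn.Length == 0)
        {
            Deny(app, "No OracleAS SSO identity was supplied.");
        }
    }

    private static void Deny(HttpApplication app, string reason)
    {
        app.Response.StatusCode = 403;
        app.Response.Write(reason);
        app.CompleteRequest(); // skip the page handler, go to EndRequest
    }
}
```

Restricting IIS at the network level so that it accepts connections only from the OHS host achieves the same thing one layer down and can be combined with the module.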