Single Sign On

JReport Server's web pages are built to work with an existing web application. In particular, it is possible to set up the web server so that a user of the website can login to an existing web application and have that login grant them access to JReport web pages. This is called the Single Sign On feature.

This is done by developers implementing the class defined by the JReport Server Java interface HttpExternalAuthorized and telling JReport Server to use that implementation.

The implementation can be aware of the application's technique for managing login state in the servlet session. This code can tell JReport Server which user is logged in. The implementation can redirect the user to the application's login workflow if the request is not from a logged in user.

This system gives the user one spot in the application to login. A successful login there will allow the user to run JReport Server web pages without doing another login dialog.

JReport Server is told to use the local implementation of ExternalAuthorized in two ways.

Use the command line to define a system property that registers the class.
The system property jrs.httpExternalAuthorized is used to hold the name of the class that implements HttpExternalAuthorized.

If the name of the class is DemoExternalAuthorized.java, then change the script file that starts up JReport Server to include the parameter string: -Djrs.httpExternalAuthorized=DemoExternalAuthorized.

The following shows an example:
1. Create a table by DDL as below in the database:
  CREATE TABLE jr_auth(auth_key varchar(64), auth_uid varchar(256) NOT NULL, PRIMARY KEY(auth_key))
  
  Insert testing data for an example:
  
  insert into jr_auth (auth_key, auth_uid) values('987654321', 'admin');
  
  Tip: jr_auth includes the inserted/updated data. auth_uid should be a JReport Server user name (the login user).
2. Configure the database connection in databaseCfg.ini under the folder <server_install_root>\help\samples\APISecurity\SSO.
  driver=com.mysql.jdbc.Driver dbUrl=jdbc:mysql://IP_Address:3306/test dbUser=root dbPassword=1234
3. Extract compile_tool.zip in <server_install_root>\help\samples\APISecurity\SSO to the same directory as DemoExternalAuthorized.java. Choose a compile tool according to your operating system, compile_tool.bat for Windows or compile_tool.sh for Linux. Configure the arguments in the corresponding file based on your environment. Then double-click the file to start compiling the Java code DemoExternalAuthorized.java.
4. Modify the JReport Server start shell script JRServer.bat in <server_install_root>\bin to add JDBC driver and the compiled class of DemoExternalAuthorized.java as the first item in the class path.
5. Add the JVM option -Djrs.httpExternalAuthorized=DemoExternalAuthorized in JRServer.bat.
6. You can change the web page displayed after login, by changing the URL under the sentence "Which web page do you want to visit after login?" in ssodemo.jsp in <server_install_root>\help\samples\APISecurity\SSO.
7. Move ssodemo.jsp to the public_html folder under JReport Server root directory.
8. Start JReport Server by running JRServer.bat. Access ssodemo.jsp and pass the parameters jrauth_key and jrauth_id from other pages. Then test the SSO demo by login.html in <server_install_root>\help\samples\APISecurity\SSO.
  
  Tip: Do not modify the two parameter names when using ssodemo.jsp we provided, or there will be exceptions. If you need to modify the parameter names, change them in all the three files: login.html, ssodemo.jsp, and DemoExternalAuthorized.java.

Use a Java API method call to register the class.

The Java API class HttpUserSessionManager has a method for setting the ExternalAuthrized object that JReport Server uses.

If the name of the package is com.mycorp.myHttpExternalAuthorized, then in a JSP page, connect to JReport Server, then pass an instance of the class object for myHttpExtneralAuthorized as the parameter in the method HttpUserSessonManager.setHttpExternalAuthorized().

<%@ page import="com.example.MyHttpExternalAuthorized" %>

        // initialize and connect to JReport Server
    initEnv(System.getProperties());
    HttpRptServer httpRptServer = HttpUtil.getHttpRptServer(request);

        // set the HttpExternalAuthorized object used by JReport Server
    httpRptServer.getHttpUserSessionManager().setHttpExternalAutorized(new myHttpExternalAuthorized());

There are examples of implementations of the ExternalAuthorized Java interface in the sample source files that come with JReport Server. Look in the folder <install_root>\help\samples\APISecurity\SingleSignOn. Read the comments in the source code for more information about Single Sign On and how the Java interface is used.

samples\APISecurity\SingleSignOn\CustomHttpExternalAuthorized.java
samples\APISecurity\SingleSignOn\com\example\MyExternalAuthorized.java

In that same SingleSignOn folder are several JSP pages that can be placed into the public_html\jinfonet folder and run as web applications to exercise and demonstrate how Single Sign On works. The file customIndex.jsp is the entry point page. It has comments inside it on how to run the demonstration.

Notes:

The set of application users does not need to be the same set of users that are registered in JReport Server. However, the Single Sign On protocol does require that the application code identify the logged in user to JReport Server using a registered JReport Server user name.
When the set of application users is different from the set of JReport Server users, then the application code for returning the logged in user will need a system to map the applications user to a JReport Server user.