
Single sign-on
When JReport Enterprise Server is integrated into your system, it performs its own security check. If your system also authenticates users, they will have to authenticate twice. To avoid this, JReport Enterprise Server provides single sign-on APIs that pass login information from your external security system to the JReport Enterprise Server security system, so that users who have already logged in to your external system are not asked to log in again by JReport Enterprise Server. You can either disable the JReport Enterprise Server security check or customize security for JReport Enterprise Server by implementing the interface jet.server.api.http.HttpExternalAuthorized.
Interface ExternalAuthorized
The interface jet.server.api.ExternalAuthorized maintains externally authorized user sessions. It has the following methods:
- getExternalAuthorizedUser
Gets and returns the externally authorized user ID. The user ID should be a valid user ID of the report server. Null will be returned if the authorized user info cannot be obtained from the userInfo object.
- askInvalidate
Asks whether to invalidate an externally authorized user session (i.e. the session has expired). The report server calls this method before the session is invalidated. The server does not call this method if a user logs out.
- notifyLogout
Notifies the implementation that an externally authorized user session has logged out. The report server calls this method after the user logs out.
Interface HttpExternalAuthorized
The interface jet.server.api.http.HttpExternalAuthorized extends jet.server.api.ExternalAuthorized. Through this interface, the report server gets the user ID that was authorized by an external authenticator. It has the following methods:
- getExternalAuthorizedUser
Gets the externally authorized user ID. Returns null if the authorized user info cannot be obtained from the HttpServletRequest object. The user ID should be a valid user ID of the report server.
- handleUnAuthenticatedRequest
Handles unauthenticated requests. The report server calls this method before sending the HTTP unauthorized response (HTTP 401) to the client. This method allows you to send your response to the client to handle an unauthenticated request. If this method returns true, the report server will send the HTTP unauthorized response (HTTP 401) to the client. Otherwise the report server does nothing.
Implementation
For implementation in an integration environment, the following steps are required:
- Write your HttpExternalAuthorized implementation.
- Compile the Java classes. Compiling requires the library JRESServlets.jar, which can be found in the WEB-INF\lib directory.
- Create a folder named classes in the WEB-INF folder and then add the authentication classes to the classes folder.
- Define the system property jrs.httpExternalAuthorized with your implementation by using the -D parameter.
For example, assuming that the implementation of this interface is com.mycorp.HttpExternalAuthorizedImpl.class:
-Djrs.httpExternalAuthorized=com.mycorp.HttpExternalAuthorizedImpl
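The following is an added example, not one of the shipped demos, of an implementation that takes the user ID only from server-side HTTP session state written by the external login system, so that a client cannot name its own user ID in the request. The method signatures, the javax.servlet package, the session attribute name and the login path are assumptions; check them against the API documentation shipped with your server.

```java
package com.mycorp;

import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import jet.server.api.http.HttpExternalAuthorized;

// Added example; parameter lists and return types below are assumed, not taken from the page.
public class HttpExternalAuthorizedImpl implements HttpExternalAuthorized {

    // Hypothetical attribute that the external login system sets after it authenticates the user.
    static final String SSO_USER_ATTR = "com.mycorp.sso.user";
    // Hypothetical login page of the external system.
    static final String LOGIN_PATH = "/login";

    // HTTP variant: returns a report server user ID, or null if none can be obtained.
    public String getExternalAuthorizedUser(String activeRealm, HttpServletRequest req) {
        HttpSession session = req.getSession(false); // never create a session for an anonymous caller
        if (session == null) {
            return null;
        }
        Object user = session.getAttribute(SSO_USER_ATTR);
        if (!(user instanceof String) || ((String) user).trim().isEmpty()) {
            return null; // missing or malformed value: treat as not authenticated
        }
        return (String) user;
    }

    // Generic variant inherited from ExternalAuthorized; only HTTP requests are supported here.
    public String getExternalAuthorizedUser(String activeRealm, Object userInfo) {
        return (userInfo instanceof HttpServletRequest)
                ? getExternalAuthorizedUser(activeRealm, (HttpServletRequest) userInfo)
                : null;
    }

    // Called before an expired session is invalidated; true lets the report server proceed.
    public boolean askInvalidate(Object userInfo) {
        return true;
    }

    // Called after the user logs out of the report server; end the external session here if needed.
    public void notifyLogout(Object userInfo) {
    }

    // Redirect to the external login page; returning false tells the server not to send HTTP 401.
    public boolean handleUnAuthenticatedRequest(HttpServletRequest req, HttpServletResponse res,
                                                String authScheme, String realm) {
        try {
            res.sendRedirect(req.getContextPath() + LOGIN_PATH);
            return false;
        } catch (IOException e) {
            return true; // redirect failed: fall back to the server's own HTTP 401
        }
    }
}
```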
Demos
The following demo programs are provided to illustrate the implementation of the HttpExternalAuthorized interface. These demos are available in <install_root>\help\server\en\samples.
- CustomHttpExternalAuthorized.java
Demo for implementation of HttpExternalAuthorized.
- CustomServlet.java
Demo to set implementation of HttpExternalAuthorized into the report server.
- customViewReport.jsp.zip
The following demos are contained in the zip:
- customNoAuth.jsp
Demo to set implementation of HttpExternalAuthorized into the report server. No externally authorized user name is submitted in this demo.
- customParamAuth.jsp
Demo to set implementation of HttpExternalAuthorized into the report server. The externally authorized user name is submitted by parameter in this demo.
- customSessionAuth.jsp
Demo to set implementation of HttpExternalAuthorized into the report server. The externally authorized user name is submitted by HTTP session in this demo.
- customViewReport.jsp
Demo to work together with customNoAuth.jsp, customParamAuth.jsp and customSessionAuth.jsp to view a report.
