New Users of the OSSO Identity Asserter

Oracle Fusion Middleware Application Security Guide

8. Proceed to Adding Providers to a WebLogic Domain for OSSO.

17.1.2.3.2 Protecting URLs and Logout Dynamically without mod_osso

Applications that use dynamic directives require no entry in mod_osso.conf because mod_osso protection is written directly into the application as one or more dynamic directives. Dynamic directives are HTTP response headers that have special error codes that enable an application to request granular functionality from the single sign-on system without having to implement the intricacies of the single sign-on protocol. Upon receiving a directive as part of a simple HTTP response from the application, mod_osso creates the appropriate single sign-on protocol message and communicates it to the single sign-on server.

OracleAS supports dynamic directives for Java servlets and JSPs. The product does not currently support dynamic directives for PL/SQL applications. The JSPs that follow show how such directives are incorporated. Like their static counterparts, these sample dynamic applications generate user information:

■ Example 17–1, SSO Authentication with Dynamic Directives
■ Example 17–2, SSO Logout with Dynamic Directives

Example 17–1 SSO Authentication with Dynamic Directives

The home.jsp includes ssodynauth.jsp, which uses the request.getUserPrincipal().getName() method to check the user in the session. If the user is absent, it issues dynamic directive 499, a request for simple authentication. The key lines are in boldface.
home.jsp

    <%@ include file="ssodynauth.jsp" %>
    <%
    // page content goes here
    %>

ssodynauth.jsp

    <%
    response.setHeader("Cache-Control", "no-cache");
    response.setHeader("Pragma", "no-cache");
    response.setHeader("Expires", "0");
    %>
    <%
    // Check for user
    String ssoUser = null;
    try
    {
        // ssoUser = request.getRemoteUser();
        ssoUser = request.getUserPrincipal().getName();
        ssoUser = ssoUser.trim();
    }
    catch (Exception e)
    {
        ssoUser = null;
    }
    // If user is not authenticated then generate
    // dynamic directive for authentication
    if ((ssoUser == null) || (ssoUser.length() < 1))
    {
        response.sendError(499, "Oracle SSO");
        return;
    }
    %>

Tip: If the interception of requests is not working properly, consider placing the include statement for mod_osso.conf before the LoadModule weblogic_module statement in the httpd.conf.

Note: After adding dynamic directives, be sure to restart the Oracle HTTP Server, and then proceed to Adding Providers to a WebLogic Domain for OSSO.

Example 17–2 SSO Logout with Dynamic Directives

To achieve global logout (also known as single log-out), applications are expected to first invalidate sessions and then make a call to OSSO logout. The logout.jsp issues dynamic directive 470, a request for OSSO logout. The osso-return-logout is set by the application to specify the return URL after logout. The key lines for SSO logout with dynamic directives appear in boldface in the following example. In 11g, the SSOFilter handles session synchronization.
logout.jsp

    <%@ page session="false" %>
    <%
    response.setHeader("Osso-Return-Url", "http://my.oracle.com");
    HttpSession session = null;
    session = request.getSession();
    if (null != session)
    {
        // necessary for achieving SLO
        session.invalidate();
    }
    response.sendError(470, "Oracle SSO");
    %>

See Also:
■ Synchronizing the User and SSO Sessions: SSO Synchronization Filter on page 17-16
■ Oracle Identity Management Application Developer's Guide 10g (10.1.4.0.1), Part Number B15997-01, on Oracle Technology Network at: http://www.oracle.com/technology/software/products/ias/htdocs/101401.html
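
A source-level check for the ordering that Examples 17–1 and 17–2 rely on, given here as an added example that is not part of the Oracle guide: it flags a JSP that issues directive 470 before invalidating the session or without setting Osso-Return-Url, and one that issues directive 499 without returning. The JSP snippets inside it are constructed samples, and treating a missing return or a missing Osso-Return-Url header as a finding is an assumption drawn from the sample code above.

```python
import re

# Directive codes as given on the page: 499 = authenticate, 470 = OSSO logout.
DIRECTIVE = re.compile(r'sendError\s*\(\s*(499|470)\b[^;]*;')
INVALIDATE = re.compile(r'\.invalidate\s*\(\s*\)')
RETURN_URL = re.compile(r'setHeader\s*\(\s*"Osso-Return-Url"', re.IGNORECASE)
RETURN_STMT = re.compile(r'\s*return\s*;')
# Line comments only; the lookbehind keeps "http://..." string literals intact.
LINE_COMMENT = re.compile(r'(?<!:)//[^\n]*')


def audit_jsp(source):
    """Return (line_number, message) findings for one JSP source string."""
    # Blank out comments with spaces so offsets and line numbers are unchanged.
    code = LINE_COMMENT.sub(lambda m: ' ' * len(m.group()), source)
    findings = []
    for m in DIRECTIVE.finditer(code):
        line = code.count('\n', 0, m.start()) + 1
        before = code[:m.start()]
        if m.group(1) == '470':
            if not INVALIDATE.search(before):
                findings.append((line, '470 sent before session.invalidate()'))
            if not RETURN_URL.search(before):
                findings.append((line, '470 sent without Osso-Return-Url header'))
        elif not RETURN_STMT.match(code, m.end()):
            findings.append((line, '499 not followed by return; page keeps running'))
    return findings


# Constructed sample inputs (not from the guide): one page per defect class.
GOOD_LOGOUT = '''<%@page session="false"%>
<%
response.setHeader("Osso-Return-Url", "http://my.oracle.com");
HttpSession session = request.getSession();
if (null != session) { session.invalidate(); }
response.sendError(470, "Oracle SSO");
%>'''

BAD_LOGOUT = '''<%
// session.invalidate();
response.sendError(470, "Oracle SSO");
%>'''

BAD_AUTH = '''<%
if (request.getUserPrincipal() == null) {
    response.sendError(499, "Oracle SSO");
}
%>'''

if __name__ == '__main__':
    for name, src in [('good', GOOD_LOGOUT), ('bad_logout', BAD_LOGOUT), ('bad_auth', BAD_AUTH)]:
        print(name, audit_jsp(src))
```

The commented-out invalidate call in BAD_LOGOUT is reported because comments are blanked before matching.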