Building a Single Sign-On Module for the BIRT Report Viewer - Part 2

This is the second post of the BIRT SSO Series wherein I describe the implementation of a single sign-on module for the Eclipse BIRT Report Viewer. This post gets straight into the details of server configuration. It is recommended that you first read the introduction in Part 1 to get acquainted with the background and the premises on which this solution is built.

Part 2: Server & Environment Configuration

I had noted in Part 1 that I hosted my report server under a sub-path of the top level domain. For this there needs to be a form of inter-process communication enabled via mod_jk in order for Apache to pipe requests and responses to and from Tomcat. _modjk is easy to compile from source, if your particular Linux distribution does not happen to supply it from its package repository.

You’ll need the apxs tool in order to compile the extension. On a Fedora system, this is available in the httpd-devel package. Once you’ve downloaded and extracted the tomcat-connectors source bundle, cd into the native folder and issue the command:

1
2
$ ./configure --with-apxs=/usr/sbin/apxs
$ make

Then copy the _apache-2.0/modjk.so file into /usr/lib[64]/httpd/modules. Edit your httpd.conf file and add the following lines:

httpd.conf
1
LoadModule jk_module modules/mod_jk.so
JkWorkersFile conf/workers.properties

Then create a new file /etc/httpd/conf/workers.properties and add the following lines:

/etc/httpd/conf/workers.properties
1
worker.list=worker1
worker.worker1.port=8009
worker.worker1.host=localhost
worker.worker1.type=ajp13

This configuration assumes that your Tomcat server is running on the same machine as Apache, but it is not a necessary condition. I’m running my Drupal application under a vhost and so the JkMount directive is placed inside the vhost directive. If your application is deployed directly, then it should go into the workers.properties file described above.

1
2
3
4
ServerName yourdomain.com
...
...
JkMount /birt/* worker1

Your Tomcat _CATALINABASE/server.xml file should contain the following lines:

CATALINA_BASE/server.xml
1
2
3
4
5
6
7
8
9
10
<!-- Define a SSL HTTP/1.1 Connector on port 8443
This connector uses the JSSE configuration.
When using APR, the connector should be using the OpenSSL style configuration described in the APR documentation -->

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
keystoreFile="${user.home}/.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS" />


<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" enableLookups="false"/>

Your tomcat-users.xml file should have the manager and admin roles defined, something like:

CATALINA_BASE/tomcat-users.xml
1
2
3
4
5
<tomcat-users>
<role rolename="manager"/>
<role rolename="admin"/>
<user username="root" password="password" roles="admin,manager"/>
</tomcat-users>

Finally, the BIRT SSO module requires that the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files be downloaded and made available to the JRE on which it will be run. For Java 1.7, the policy files are available at: http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html.

NOTE: Although the instructions tell you to install the jar files in _JAVAHOME/lib/security in case you’re running tomcat on a JDK, they must actually be put in _JAVAHOME/jre/lib/security. In case you’re running on a JRE directly, the instructions on the site should work.

This concludes the server and environment setup required for the module to work. Part 3 of this series delves into the details of the module implementation.