Monday, December 25, 2017

OBIEE 12 with external images

In OBIEE 12 a security enhancement was made. As a result, with a default installation we can't see images added with "Image URL" (the image area is empty).



After we solve that problem, we can't save the analysis, and get the scary note:

" Catalog object privilege validation failed for user to path XXXXXXXXX. You do not currently have sufficient privileges to save a report or dashboard page that contains HTML markup. Custom column format may contain HTML tags, only the following formats may currently be used: 'Plain text', 'Plain text (don't break spaces)'. "


For the first we should add the following 3 lines (the ContentSecurityPolicy block) under the Security section of instanceconfig.xml.
        <Security>
            <ClientSessionExpireMinutes>210</ClientSessionExpireMinutes>
            <ContentSecurityPolicy>
                <Enable>false</Enable>
            </ContentSecurityPolicy>
        </Security>


***** see the better and more secure option below.


For the second (saving) we need one more line, also under the Security section.


This is for version 12.2.1.3 - a true value for EnableSavingContentWithHTML
(this option also brings back the "Contains HTML Markup" option in the text object of a dashboard):
        <Security>
            <ClientSessionExpireMinutes>210</ClientSessionExpireMinutes>
            <ContentSecurityPolicy>
                <Enable>false</Enable>
            </ContentSecurityPolicy>
            <EnableSavingContentWithHTML>true</EnableSavingContentWithHTML>
        </Security>

I didn't test it, but I believe that for 12c versions below 12.2.1.3 it is a false value for CheckUrlFreshness:

        <Security>
            <ClientSessionExpireMinutes>210</ClientSessionExpireMinutes>
            <ContentSecurityPolicy>
                <Enable>false</Enable>
            </ContentSecurityPolicy>
            <CheckUrlFreshness>false</CheckUrlFreshness>
        </Security>

Next, restart the presentation server (OBIPS).


As a result I can see images:



And the analysis can be saved.


***** a better and secure option
Following Gianni Ceresa's advice, let's make it smarter. The <Enable>false</Enable> setting means we allow any source, and that is not very secure. It's better to allow specific sources only.
For example, the Pikachu picture comes from the site https://assets.pokemon.com,
so I'll allow external sources only from that site.

Instead of:

        <Security>
            <ClientSessionExpireMinutes>210</ClientSessionExpireMinutes>
            <ContentSecurityPolicy>
                <Enable>false</Enable>
            </ContentSecurityPolicy>
        </Security>



In ContentSecurityPolicy I will add a Directive whose Value is the site:

        <Security>
            <ClientSessionExpireMinutes>210</ClientSessionExpireMinutes>
            <ContentSecurityPolicy>
                <PolicyDirectives>
                    <Directive>
                        <Name>img-src</Name>
                        <Value>https://assets.pokemon.com</Value>
                    </Directive>
                </PolicyDirectives>
            </ContentSecurityPolicy>
        </Security>

The picture that comes from the URL https://assets.pokemon.com/static2/_ui/img/chrome/external_link_bumper.png still works fine, but if I try to use instead a picture of a Snorlax from the URL https://rankedboost.com/wp-content/plugins/ice/pokemon-go/Snorlax-Pokemon-Go.png it will not work:

As you might guess, it's not because OBIEE prefers Pikachu, but because I didn't allow anything from the site https://rankedboost.com.
I'll add it to the Value (sources are separated by a space) like this:

        <Security>
            <ClientSessionExpireMinutes>210</ClientSessionExpireMinutes>
            <ContentSecurityPolicy>
                <PolicyDirectives>
                    <Directive>
                        <Name>img-src</Name>
                        <Value>https://assets.pokemon.com https://rankedboost.com</Value>
                    </Directive>
                </PolicyDirectives>
            </ContentSecurityPolicy>
        </Security>
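To check which of the two variants an instanceconfig.xml actually carries, here is a small audit script. It is an added example, not code from the post or from Oracle: it reads the Security section (the "disable CSP" variant and the img-src Directive variant above, both reproduced here as constructed sample fragments), reports whether CSP is off, whether saving HTML content is on, and which sources each Directive lists, and then answers the Pikachu/Snorlax question for a given image URL. The WebConfig/ServerInstance wrapper and the xmlns value in the samples are assumptions about the surrounding file, and the URL matching only covers CSP host sources (scheme and host), not the full CSP grammar.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed instanceconfig.xml fragments, modelled on the ones in the post.
# The <WebConfig>/<ServerInstance> wrapper and its xmlns are assumptions;
# a real file carries many more settings around <Security>.
CSP_DISABLED = """<WebConfig xmlns="oracle.bi.presentation.services/config/v1.1">
<ServerInstance>
  <Security>
    <ClientSessionExpireMinutes>210</ClientSessionExpireMinutes>
    <ContentSecurityPolicy>
      <Enable>false</Enable>
    </ContentSecurityPolicy>
    <EnableSavingContentWithHTML>true</EnableSavingContentWithHTML>
  </Security>
</ServerInstance>
</WebConfig>"""

CSP_ALLOWLIST = """<WebConfig xmlns="oracle.bi.presentation.services/config/v1.1">
<ServerInstance>
  <Security>
    <ClientSessionExpireMinutes>210</ClientSessionExpireMinutes>
    <ContentSecurityPolicy>
      <PolicyDirectives>
        <Directive>
          <Name>img-src</Name>
          <Value>https://assets.pokemon.com https://rankedboost.com</Value>
        </Directive>
      </PolicyDirectives>
    </ContentSecurityPolicy>
  </Security>
</ServerInstance>
</WebConfig>"""


def _local(tag):
    """'{namespace}Name' -> 'Name', so the checks work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _child(el, name):
    """First descendant of el with the given local tag name, or None."""
    return next((c for c in el.iter() if c is not el and _local(c.tag) == name), None)


def _text(el):
    return (el.text or "").strip()


def audit_csp(xml_text):
    """Summarise the CSP-related settings of the Security section and flag the risky ones."""
    root = ET.fromstring(xml_text)
    report = {"csp_enabled": True, "html_saving": False, "directives": {}, "findings": []}

    csp = _child(root, "ContentSecurityPolicy")
    enable = _child(csp, "Enable") if csp is not None else None
    if enable is not None and _text(enable).lower() == "false":
        report["csp_enabled"] = False
        report["findings"].append("CSP disabled: the browser may load images (and scripts) from any origin")

    if csp is not None:
        for d in csp.iter():
            if _local(d.tag) != "Directive":
                continue
            name, value = _child(d, "Name"), _child(d, "Value")
            if name is None or value is None:
                continue
            sources = _text(value).split()  # CSP sources are space separated
            report["directives"][_text(name)] = sources
            for src in sources:
                if src in ("*", "http:", "https:"):
                    report["findings"].append(f"{_text(name)}: over-broad source '{src}'")
                elif src.startswith("http://"):
                    report["findings"].append(f"{_text(name)}: plaintext source '{src}'")

    html = _child(root, "EnableSavingContentWithHTML")
    if html is not None and _text(html).lower() == "true":
        report["html_saving"] = True
        report["findings"].append("saving content with HTML markup is enabled: limit who may author it")

    return report


def image_allowed(report, url):
    """Would this policy let the browser load an image from url? Host-source matching only."""
    if not report["csp_enabled"]:
        return True  # no policy at all, anything loads
    sources = report["directives"].get("img-src")
    if not sources:
        return False  # nothing explicitly allowed; the post shows the default install blocks external images
    parts = urlsplit(url)
    host = parts.hostname or ""
    for src in sources:
        if src == "*" or src == parts.scheme + ":":
            return True
        s = urlsplit(src if "://" in src else "//" + src)
        s_host = (s.hostname or "").lower()
        if s.scheme and s.scheme != parts.scheme:
            continue  # https://host does not cover http://host
        if s_host.startswith("*.") and host.endswith(s_host[1:]):
            return True
        if s_host == host:
            return True
    return False


if __name__ == "__main__":
    for label, cfg in (("disabled", CSP_DISABLED), ("allow-list", CSP_ALLOWLIST)):
        rep = audit_csp(cfg)
        print(label, rep["findings"] or "no findings")
        print("  snorlax:", image_allowed(rep, "https://rankedboost.com/wp-content/plugins/ice/pokemon-go/Snorlax-Pokemon-Go.png"))
```

Run it against a copy of your own instanceconfig.xml (ET.fromstring on the file contents) after each change and before restarting OBIPS; an empty findings list with the expected img-src hosts is the state you want to end up in.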

Restart OBIPS and....


You can see a deeper dive into CSP here: https://gianniceresa.com/2016/10/google-map-in-an-obiee-12c-analysis/
Just a reminder to myself, Oracle BI12c: placing custom images in BI Server and reference using fmap from https://biapplications.wordpress.com.


Moshe, hope it helps. Best wishes for next year.

3 comments:

  1. Thanks Boris,
    It surely solved the issue.
    My deep appreciation for your knowledge, abilities and will.
    Thanks for the help over last 10 years.

    Moshe

  2. Interesting post. I would add that it's better to configure CSP to allow loading pictures from a whitelisted domain instead of turning off CSP completely, which opens the door to XSS & co. Same file and almost the same amount of XML.

    1. Thank you. Updated following your advice.