Interactive Login
When a user enters his or her username and password and clicks submit on a login form, it is referred to as an interactive login. The act of processing that form post is called authentication. Note that authentication is a prerequisite to authorization. The Pentaho Professional BI Platform uses Acegi Security to process authentication requests. All of the authentication mechanisms mentioned below delegate to an AuthenticationManager, an Acegi Security type, to make the authentication decision. Out-of-the-box authentication mechanisms provided by the platform are form, basic, and request parameter.
The vast majority of the configuration contained in applicationContext-acegi-security.xml is a standard Acegi Security setup and is well documented in the Acegi Security documentation. Where the configuration strays from the Acegi Security documentation, it is documented below.
Form-Based Authentication
Form-based authentication lets developers customize the authentication user interface. While the J2EE specifications provide a standard way to specify the login page URL, access requirements, and URL authorization rules, there is still container-specific configuration to specify how to read usernames and passwords from a security datastore. This is one reason that the platform uses Acegi Security. The Acegi Security class that processes form posts is AuthenticationProcessingFilter.
Login Handling
SecurityStartupFilter
SecurityStartupFilter allows the Pentaho Professional BI Platform to obtain a user's credentials, as a java.security.Principal, and inject them into the Pentaho user session. This requires a new bean definition:
```xml
<bean id="pentahoSecurityStartupFilter"
      class="com.pentaho.security.SecurityStartupFilter" />
```
This bean is then added to the filterChainProxy
bean (shown later).
HttpSessionReuseDetectionFilter
HttpSessionReuseDetectionFilter detects when an HTTP session which already contains an authenticated user is attempting to authenticate again without logging out. Upon detecting this condition, the session is invalidated, the security context is cleared, and the user is redirected to sessionReuseDetectedUrl. This prevents reuse of an HTTP session which contains potentially sensitive, user-specific data. The filterProcessesUrl value should match the value of the same property in AuthenticationProcessingFilter.
Notice the login_error=2 parameter on the sessionReuseDetectedUrl? The login page should test for login_error=2 and print the appropriate message describing what just happened.
```xml
<bean id="httpSessionReuseDetectionFilter"
      class="com.pentaho.security.HttpSessionReuseDetectionFilter">
  <property name="filterProcessesUrl" value="/j_acegi_security_check" />
  <property name="sessionReuseDetectedUrl" value="/Login?login_error=2" />
</bean>
```
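The following servlet filter is an added illustration of the behaviour described above; it is not Pentaho's HttpSessionReuseDetectionFilter and its class name, default property values and helper method names are assumptions. It assumes the Acegi Security 1.0 API (SecurityContextHolder, Authentication, AnonymousAuthenticationToken) and the Servlet 2.x Filter interface, and it relies on being placed after httpSessionContextIntegrationFilter in the chain, as in the filterChainProxy definition on this page, so that the SecurityContext is already populated from the session when it runs.

```java
// Added example: a filter that refuses a fresh login attempt on a session that is
// already authenticated, invalidating that session and redirecting to a configured URL.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.acegisecurity.Authentication;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.anonymous.AnonymousAuthenticationToken;

public class SessionReuseDetectionFilterExample implements Filter {

    // Assumed defaults; in a real bean definition these would be set via <property>
    // and filterProcessesUrl must match AuthenticationProcessingFilter's value.
    private String filterProcessesUrl = "/j_acegi_security_check";
    private String sessionReuseDetectedUrl = "/Login?login_error=2";

    public void setFilterProcessesUrl(String url) { this.filterProcessesUrl = url; }
    public void setSessionReuseDetectedUrl(String url) { this.sessionReuseDetectedUrl = url; }

    public void init(FilterConfig config) throws ServletException { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isLoginRequest(request) && hasAuthenticatedUser()) {
            // An authenticated session is trying to log in again without a logout.
            // Discard the session (and any user-specific data cached in it) and the
            // thread-local security context before sending the user back to the login page.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            SecurityContextHolder.clearContext();
            response.sendRedirect(request.getContextPath() + sessionReuseDetectedUrl);
            return;
        }
        chain.doFilter(request, response);
    }

    // True when the request targets the login-processing URL. Path parameters such as
    // ";jsessionid=..." are stripped before comparison so they cannot bypass the check.
    boolean isLoginRequest(HttpServletRequest request) {
        String uri = request.getRequestURI();
        int pathParamIndex = uri.indexOf(';');
        if (pathParamIndex > 0) {
            uri = uri.substring(0, pathParamIndex);
        }
        return uri.equals(request.getContextPath() + filterProcessesUrl);
    }

    // True when the SecurityContext (restored from the HTTP session earlier in the chain)
    // holds a real, non-anonymous, authenticated principal.
    boolean hasAuthenticatedUser() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth != null
                && auth.isAuthenticated()
                && !(auth instanceof AnonymousAuthenticationToken);
    }
}
```

The anonymous check matters because anonymousProcessingFilter runs later in the chain and would otherwise make every unauthenticated visitor look "logged in"; only a principal restored from an existing session should trigger the redirect.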
Login Page
Below are some screenshots of the login page in different states. To customize this page, including changing strings, see Customizing the Login Page.
...
Logout Handling
ProPentahoLogoutHandler
ProPentahoLogoutHandler executes various cleanup tasks when the user logs out.
```xml
<bean id="logoutFilter"
      class="org.acegisecurity.ui.logout.LogoutFilter">
  <constructor-arg value="/index.jsp" />
  <constructor-arg>
    <list>
      <bean class="com.pentaho.security.ProPentahoLogoutHandler" />
      <ref bean="rememberMeServices" />
      <bean class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler" />
    </list>
  </constructor-arg>
  <property name="filterProcessesUrl" value="/Logout" />
</bean>
```
Logout Page
There is no logout page. The page to which a user is redirected after a logout is specified in the first constructor argument of the logoutFilter bean in applicationContext-acegi-security.xml, shown above.
Basic Authentication
Basic authentication is part of the HTTP specification. It is simple but relatively inflexible. Acegi Security implements Basic authentication using BasicProcessingFilter and BasicProcessingFilterEntryPoint.
...
RequestParameterAuthenticationFilter provides security services for Pentaho Spreadsheet Services (PSS). It allows the user requesting access to provide his or her username and password on the query string of the URL. The credentials are unencrypted.
RequestParameterAuthenticationFilter
RequestParameterAuthenticationFilter provides security services for Pentaho Spreadsheet Services (PSS). If you are using PSS, add this filter, along with the associated RequestParameterFilterEntryPoint bean, to your Spring config.
```xml
<bean id="requestParameterProcessingFilter"
      class="com.pentaho.security.RequestParameterAuthenticationFilter">
  <property name="authenticationManager">
    <ref local="authenticationManager" />
  </property>
  <property name="authenticationEntryPoint">
    <ref local="requestParameterProcessingFilterEntryPoint" />
  </property>
</bean>
<bean id="requestParameterProcessingFilterEntryPoint"
      class="com.pentaho.security.RequestParameterFilterEntryPoint" />
```
FilterChainProxy
The FilterChainProxy with the Pentaho BI Platform filters is shown below.
```xml
<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
  <property name="filterInvocationDefinitionSource">
    <value>
      <![CDATA[CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /**=securityContextHolderAwareRequestFilter,httpSessionContextIntegrationFilter, \
         httpSessionReuseDetectionFilter,logoutFilter,authenticationProcessingFilter, \
         basicProcessingFilter,requestParameterProcessingFilter,rememberMeProcessingFilter, \
         anonymousProcessingFilter,pentahoSecurityStartupFilter,switchUserProcessingFilter, \
         exceptionTranslationFilter,filterInvocationInterceptor]]>
    </value>
  </property>
</bean>
```