...
Form-based authentication lets developers customize the authentication user interface. While the J2EE specifications provide a standard way to specify the login page URL and the URL authorization rules, the configuration that tells the container how to read usernames and passwords from a security datastore is still container-specific. This is one reason the platform uses Acegi Security. The Acegi Security class that processes login form posts is AuthenticationProcessingFilter.
Form-Based Authentication Walkthrough
What does the login process look like?
When using the PCI (without single sign-on (SSO)), the security flow looks like this:
- The user requests a resource under the pentaho context (e.g. http://localhost:8080/pentaho/Home).
- An Acegi Security filter finds no existing authentication, saves the originally requested resource, and sends a redirect to the configured login page.
- The user submits the login page.
- An Acegi Security filter processes the username and password (the username/password combination is validated and the user's roles are fetched).
- On success, Acegi Security sends a redirect to the user for the originally requested resource.
- The user requests (again) the resource under the pentaho context. An Acegi Security filter now finds an existing authentication, and Acegi Security uses the roles along with the rules in applicationContext-acegi-security.xml to grant or deny access to the resource. If access is granted, the request proceeds; otherwise, Acegi Security sends an HTTP 403 code to the user.
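The flow above, as an added in-memory model (example code written for this page, not Pentaho or Acegi code). Paths are relative to the pentaho context; the user table, the URL rules, and the failure URL /Login?login_error=1 are assumptions made for the example. It also models the HttpSessionReuseDetectionFilter case: a second login on an already-authenticated session is sent to /Login?login_error=2 instead of silently replacing the current user.

```python
# Added example (not Pentaho or Acegi code): an in-memory model of the
# form-login flow.  Paths are relative to the pentaho context; the user
# table, the URL rules and LOGIN_FAILED_URL are assumptions for the example.
import hmac
import re
from dataclasses import dataclass
from typing import Optional

LOGIN_PAGE = "/Login"                       # configured login page
CHECK_URL = "/j_acegi_security_check"       # filterProcessesUrl from the page
LOGIN_FAILED_URL = "/Login?login_error=1"   # assumed authentication failure URL
SESSION_REUSE_URL = "/Login?login_error=2"  # sessionReuseDetectedUrl from the page

# Constructed security datastore: username -> (password, roles).
USERS = {
    "joe": ("password", {"Authenticated", "Admin"}),
    "suzy": ("password", {"Authenticated"}),
}

# Constructed URL rules, first match wins.  Patterns are Ant-style and the
# request path is lower-cased before matching, mirroring
# CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON and PATTERN_TYPE_APACHE_ANT.
RULES = [
    ("/admin/**", {"Admin"}),
    ("/**", {"Authenticated"}),
]


@dataclass
class Session:
    username: Optional[str] = None
    roles: frozenset = frozenset()
    saved_request: Optional[str] = None   # resource to return to after login


@dataclass
class Response:
    status: int
    location: Optional[str] = None        # Location header for redirects


def ant_to_regex(pattern: str) -> "re.Pattern":
    """Simplified Ant matcher: '**' spans path segments, '*' stays within one."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out += "(/.*)?"; i += 3
        elif pattern.startswith("**", i):
            out += ".*"; i += 2
        elif pattern[i] == "*":
            out += "[^/]*"; i += 1
        else:
            out += re.escape(pattern[i]); i += 1
    return re.compile("^" + out + "$")


def required_roles(path: str) -> Optional[set]:
    """Roles the first matching rule demands, or None when no rule matches."""
    for pattern, roles in RULES:
        if ant_to_regex(pattern).match(path.lower()):
            return roles
    return None


def request(session: Session, path: str) -> Response:
    """GET a protected resource: redirect to login, 403, or 200."""
    if session.username is None:
        session.saved_request = path      # saved before the redirect
        return Response(302, LOGIN_PAGE)
    needed = required_roles(path)
    if needed is None or session.roles & needed:
        return Response(200)
    return Response(403)


def login(session: Session, username: str, password: str) -> Response:
    """POST to /j_acegi_security_check with j_username / j_password."""
    # Session re-use detection: refuse a second login on a session that
    # already carries an authentication instead of silently replacing it.
    if session.username is not None:
        return Response(302, SESSION_REUSE_URL)
    record = USERS.get(username)
    if record is None or not hmac.compare_digest(record[0], password):
        return Response(302, LOGIN_FAILED_URL)
    session.username, session.roles = username, frozenset(record[1])
    target = session.saved_request or "/Home"
    session.saved_request = None
    return Response(302, target)
```

Note that the access decision is taken on the second request, after the redirect, which is why a user with valid credentials but the wrong roles sees a 403 only after logging in. The model keeps the same session object across login; a real deployment should also issue a fresh session identifier at login to close session-fixation attacks, which this filter chain does not address on its own.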
Login Handling
SecurityStartupFilter
...
applicationContext-acegi-security.xml:
<bean id="httpSessionReuseDetectionFilter"
class="org.pentaho.platform.web.http.security.HttpSessionReuseDetectionFilter">
<property name="filterProcessesUrl" value="/j_acegi_security_check" />
<property name="sessionReuseDetectedUrl" value="/Login?login_error=2" />
</bean>
...
The login page can be in the following states (the screenshots are not reproduced here). To customize this page, including changing strings, see Customizing the Login Page.
- Login Page
- Blank Login Form
- Login Form After Bad Credentials Submitted: the message a user gets when the username and password combination is not recognized.
- Login Form After Generic Security Error: the message a user gets when there is a generic security error, such as the security datastore being unavailable. The root cause will be in the log.
- Login Form While Logged In
- Login Form After Session Re-Use Detected: the message a user gets when attempting to log in again without first logging out. See HttpSessionReuseDetectionFilter.
Logout Handling
PentahoLogoutHandler
...
applicationContext-acegi-security.xml:
<bean id="logoutFilter"
class="org.acegisecurity.ui.logout.LogoutFilter">
<!-- URL redirected to after logout -->
<constructor-arg value="/index.jsp" />
<constructor-arg>
<list>
<bean
class="org.pentaho.platform.web.http.security.PentahoLogoutHandler" />
<ref bean="rememberMeServices" />
<bean
class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler" />
</list>
</constructor-arg>
<property name="filterProcessesUrl" value="/Logout" />
</bean>
...
applicationContext-acegi-security.xml:
<bean id="requestParameterProcessingFilter"
class="org.pentaho.platform.web.http.security.RequestParameterAuthenticationFilter">
<property name="authenticationManager">
<ref local="authenticationManager" />
</property>
<property name="authenticationEntryPoint">
<ref local="requestParameterProcessingFilterEntryPoint" />
</property>
</bean>
<bean id="requestParameterProcessingFilterEntryPoint"
class="org.pentaho.platform.web.http.security.RequestParameterFilterEntryPoint" />
...
applicationContext-acegi-security.xml:
<bean id="filterChainProxy"
class="org.acegisecurity.util.FilterChainProxy">
<property name="filterInvocationDefinitionSource">
<value>
<![CDATA[CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**=securityContextHolderAwareRequestFilter,httpSessionContextIntegrationFilter,httpSessionReuseDetectionFilter, \
logoutFilter,authenticationProcessingFilter, \
basicProcessingFilter,requestParameterProcessingFilter,rememberMeProcessingFilter, \
anonymousProcessingFilter,pentahoSecurityStartupFilter,switchUserProcessingFilter,exceptionTranslationFilter, \
filterInvocationInterceptor]]>
</value>
</property>
</bean>
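The order of filters in the filterChainProxy definition is what makes the flow above work: the session-integration filter must run before anything that reads or writes the authentication, the session re-use check before the form login filter, remember-me before anonymous, and exceptionTranslationFilter before filterInvocationInterceptor so that access-denied and authentication exceptions are turned into the redirect or 403 described in the walkthrough. Because a filter listed twice runs twice and a pattern with uppercase letters can never match once URLs are lower-cased, it is worth linting the definition rather than eyeballing it. The following checker is an added example written for this page, not Acegi or Pentaho code; the ordering constraints in MUST_PRECEDE and the sample definition (which deliberately contains two duplicated filters and a mixed-case pattern) are its own assumptions.

```python
# Added example (not Acegi or Pentaho code): parse a FilterChainProxy
# filterInvocationDefinitionSource body and check each chain for duplicates
# and ordering mistakes.  MUST_PRECEDE encodes this example's assumptions
# about a sane Acegi chain, not rules stated on the page.
import re
from typing import Dict, List, Set, Tuple


def parse_definition(text: str) -> Tuple[Set[str], List[Tuple[str, List[str]]]]:
    """Return (flags, [(pattern, filters)]) from the CDATA body.

    A trailing backslash joins a line to the next, as in the configuration
    above; lines without '=' are flags such as PATTERN_TYPE_APACHE_ANT."""
    flags: Set[str] = set()
    chains: List[Tuple[str, List[str]]] = []
    joined = re.sub(r"\\\s*\n\s*", "", text)
    for raw in joined.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "=" not in line:
            flags.add(line)
            continue
        pattern, _, filters = line.partition("=")
        names = [f.strip() for f in filters.split(",") if f.strip()]
        chains.append((pattern.strip(), names))
    return flags, chains


# (before, after): whenever both filters are in a chain, before must come first.
MUST_PRECEDE = [
    ("httpSessionContextIntegrationFilter", "logoutFilter"),
    ("httpSessionContextIntegrationFilter", "authenticationProcessingFilter"),
    ("httpSessionReuseDetectionFilter", "authenticationProcessingFilter"),
    ("authenticationProcessingFilter", "anonymousProcessingFilter"),
    ("rememberMeProcessingFilter", "anonymousProcessingFilter"),
    ("exceptionTranslationFilter", "filterInvocationInterceptor"),
]


def lint_chain(names: List[str]) -> List[str]:
    """Findings for one pattern's filter list; empty means clean."""
    findings: List[str] = []
    seen: Set[str] = set()
    for name in names:
        if name in seen:
            findings.append(f"duplicate filter: {name}")
        seen.add(name)
    for before, after in MUST_PRECEDE:
        if before in seen and after in seen and names.index(before) > names.index(after):
            findings.append(f"{before} must run before {after}")
    if names and names[-1] != "filterInvocationInterceptor":
        findings.append("filterInvocationInterceptor should be the last filter")
    return findings


def lint_definition(text: str) -> Dict[str, List[str]]:
    """Map each URL pattern in the definition to its findings."""
    flags, chains = parse_definition(text)
    report = {pattern: lint_chain(names) for pattern, names in chains}
    if "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON" in flags:
        for pattern, _ in chains:
            if pattern != pattern.lower():
                report[pattern].append(
                    "pattern has uppercase letters but URLs are lower-cased before comparison")
    return report


# Constructed sample: a chain with two duplicated filters plus an extra
# mixed-case pattern that can never match under lower-casing.
SAMPLE_DEFINITION = r"""CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/Admin/**=securityContextHolderAwareRequestFilter,httpSessionContextIntegrationFilter,filterInvocationInterceptor
/**=securityContextHolderAwareRequestFilter,httpSessionContextIntegrationFilter,httpSessionReuseDetectionFilter, \
httpSessionReuseDetectionFilter,logoutFilter,authenticationProcessingFilter, \
basicProcessingFilter,requestParameterProcessingFilter,rememberMeProcessingFilter, \
anonymousProcessingFilter,pentahoSecurityStartupFilter,switchUserProcessingFilter,exceptionTranslationFilter, \
exceptionTranslationFilter,filterInvocationInterceptor"""


if __name__ == "__main__":
    for pattern, findings in lint_definition(SAMPLE_DEFINITION).items():
        print(pattern, "->", findings or "ok")
```

To check a real deployment, paste the text between `<![CDATA[` and `]]>` from the filterChainProxy bean into `lint_definition`. The checker deliberately only reports ordering pairs for filters that are actually present, so a chain that omits remember-me or basic authentication is not flagged for that alone.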