Introduction
This document is meant to provide a brief overview of the Spring Security implementation as configured in the Sugar BA Server. For more detailed information, see the Security section of the Advanced BI Platform Documentation.
Important Files
File | Purpose |
---|---|
web.xml | - contains context-param contextConfigLocation which points to pentaho-spring-beans.xml
- adds Spring Security Filter Chain Proxy filter using targetBean filterChainProxy
|
pentaho-spring-beans.xml | - imports security-centric Spring XML config files
|
applicationContext-spring-security.xml | - defines filterChainProxy which maps filter beans to URL patterns
- defines custom applicationEventMulticaster to ensure order of listeners is preserved
- provides support for anonymous session handling
- adds listeners to start session upon successful authentication event
- httpSessionReuseDetectionFilter
- requestParameterProcessingFilter
  - attempts authentication using the provided manager when username and password credentials are present
- httpSessionPentahoSessionContextIntegrationFilter
  - Provides persistence of PentahoSession between requests for an authenticated user
  - Stores Pentaho session in PentahoSessionHolder before filter chain is executed
  - Stores Pentaho session in HttpSession after chain is executed
  - Limits use of session creation and access to preserve resources
- httpSessionContextIntegrationFilter
  - Persists SecurityContext between requests in HttpSession
- defines logoutFilter which uses PentahoLogoutHandler to invalidate PentahoSession and Spring's SecurityContextLogoutHandler to invalidate HttpSession and clear SecurityContext
- securityContextHolderAwareRequestFilter
  - Adds securityContextHolderAwareRequestWrapper which uses the Authentication object held in the SecurityContext to answer isUserInRole() and getRemoteUser()
  - another instance is added for web service requests to /webservices/* and /api/*
- exceptionTranslationFilter
  - used to handle AccessDeniedException and AuthenticationExceptions thrown in the filter chain and redirect accordingly
  - uses authenticationProcessingFilterEntryPoint for /*, basicProcessingFilterEntryPoint for /webservices/* and /api/*
- filterInvocationInterceptor and filterInvocationInterceptorWS map resource URL patterns to roles
|
applicationContext-spring-security-superuser.xml | - uses an in-memory user map to provide a fallback in case repo credentials are lost
- Provides superAuthenticationProvider which uses DaoAuthenticationProvider to access the in-memory user map provided by superUserDetailsService
|
applicationContext-common-authorization.xml | - provides a custom RoleVoter implementation that strips the user-specified prefix from config attributes before comparing them with authorities
|
applicationContext-pentaho-security-jackrabbit.xml | - defines UserRoleListService using the userRoleDaoProxy bean provided by repository.spring.xml, which wraps the default JCR DAO implementation with transaction management and method-level security
- UserRoleListService uses the tenantedUserNameUtils and tenantedRoleNameUtils beans defined in repository.spring.xml, which are used to derive a user's tenant and user name from a user id and vice versa
|
applicationContext-spring-security-jackrabbit.xml | - defines authenticationProvider and userDetailsService beans which use userRoleDaoTxn defined in repository.spring.xml, which in turn wraps the default JCR DAO implementation with transaction management (but not method-level security)
|
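
The prefix handling described for applicationContext-common-authorization.xml, shown as an added example that is not Pentaho's or Spring's own code. It is a dependency-free model of the vote; the class name, the `ROLE_` prefix and the sample role names are assumptions.

```java
import java.util.List;
import java.util.Set;

// Added illustration: models the vote described for the custom RoleVoter.
// Not Pentaho's or Spring's source; class and method names are hypothetical.
public class PrefixStrippingVoterDemo {
    // Same numeric results Spring Security's AccessDecisionVoter uses.
    static final int ACCESS_GRANTED = 1, ACCESS_ABSTAIN = 0, ACCESS_DENIED = -1;

    /**
     * @param prefix      configured role prefix (assumed "ROLE_" here)
     * @param attributes  config attributes attached to the secured URL pattern
     * @param authorities authority names the authenticated user holds
     */
    static int vote(String prefix, List<String> attributes, Set<String> authorities) {
        int result = ACCESS_ABSTAIN;
        for (String attribute : attributes) {
            if (attribute == null || !attribute.startsWith(prefix)) {
                continue; // not a role attribute: this voter has no opinion
            }
            result = ACCESS_DENIED; // a role is required, so default to deny
            String required = attribute.substring(prefix.length());
            if (required.isEmpty()) {
                continue; // a bare prefix must never match an authority
            }
            if (authorities.contains(required)) {
                return ACCESS_GRANTED; // stripped attribute equals a held authority
            }
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample data, not taken from a real repository.
        Set<String> user = Set.of("Authenticated", "Report Author");
        System.out.println(vote("ROLE_", List.of("ROLE_Administrator"), user));
        System.out.println(vote("ROLE_", List.of("ROLE_Report Author"), user));
        System.out.println(vote("ROLE_", List.of("IS_AUTHENTICATED_FULLY"), user));
        // Without stripping, the repository would have to store the authority
        // as "ROLE_Report Author" for a plain equality check to succeed.
        System.out.println(user.contains("ROLE_Report Author"));
    }
}
```

`List.of` and `Set.of` require Java 9 or later.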