...
applicationContext-spring-security.xml : Two Filter Chains

```xml
<bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
  <property name="filterInvocationDefinitionSource">
    <value>
      <![CDATA[CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /webservices/**=securityContextHolderAwareRequestFilterForWS,httpSessionContextIntegrationFilter, \
      digestProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilterForWS,filterInvocationInterceptorForWS,pentahoSecurityStartupFilter
      /**=securityContextHolderAwareRequestFilter,httpSessionContextIntegrationFilter,httpSessionReuseDetectionFilter,logoutFilter, \
      authenticationProcessingFilter,basicProcessingFilter,requestParameterProcessingFilter,anonymousProcessingFilter, \
      pentahoSecurityStartupFilter,exceptionTranslationFilter,filterInvocationInterceptor]]>
    </value>
  </property>
</bean>
```
...
Shown below is a single Pentaho service: a servlet exposed via two URLs. The first URL is intended for browsers, the second for web service clients. Note that both entry points (URLs) are protected; each one falls under its own filter chain.

web.xml: Two ways to get to the same servlet

```xml
<servlet>
  <servlet-name>ViewAction</servlet-name>
  <servlet-class>org.pentaho.ui.servlet.ViewAction</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>ViewAction</servlet-name>
  <url-pattern>/ViewAction</url-pattern>
</servlet-mapping>
<servlet-mapping>
  <servlet-name>ViewAction</servlet-name>
  <url-pattern>/webservices/ViewAction</url-pattern>
</servlet-mapping>
```
...
The example below uses digest authentication.
applicationContext-spring-security.xml : Beans to process and prompt respectively for digest login

```xml
<bean id="digestProcessingFilter" class="org.springframework.security.ui.digestauth.DigestProcessingFilter">
  <property name="userDetailsService"><ref bean="userDetailsService"/></property>
  <property name="authenticationEntryPoint"><ref local="digestProcessingFilterEntryPoint"/></property>
</bean>
<bean id="digestProcessingFilterEntryPoint" class="org.springframework.security.ui.digestauth.DigestProcessingFilterEntryPoint">
  <property name="realmName"><value>Pentaho Realm</value></property>
  <property name="key"><value>p5nt5h5</value></property>
  <property name="nonceValiditySeconds"><value>90</value></property>
</bean>
```
Exception Translation
applicationContext-spring-security.xml : When caller is not authenticated, prompt for digest login

```xml
<bean id="exceptionTranslationFilterForWS" class="org.springframework.security.ui.ExceptionTranslationFilter">
  <property name="authenticationEntryPoint">
    <ref local="digestProcessingFilterEntryPoint" />
  </property>
  <property name="accessDeniedHandler">
    <bean class="org.springframework.security.ui.AccessDeniedHandlerImpl" />
  </property>
</bean>
```
...
Technical Information: Using SavedRequestAwareWrapper adversely affects web service calls. Why? Consider the following example. The user requests a resource without an Authorization header (the header required to authenticate via digest authentication). The server stores the request and responds with 401. The user is prompted with a dialog for username and password, enters them and submits. The server pulls the saved request, and DigestProcessingFilter asks that request for its Authorization header. Since it is the original request, no Authorization header is found and the user is prompted with the dialog again. This is why the wrapper filter for the web services chain, shown next, is configured with the plain SecurityContextHolderAwareRequestWrapper rather than the saved-request-aware one.

applicationContext-spring-security.xml : Bean to inject user into HTTP servlet request

```xml
<bean id="securityContextHolderAwareRequestFilterForWS" class="org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter">
  <property name="wrapperClass" value="org.springframework.security.wrapper.SecurityContextHolderAwareRequestWrapper" />
</bean>
```
...
Web services URLs are protected with different access rules.
applicationContext-spring-security.xml : Web services URLs are protected with different access rules

```xml
<bean id="filterInvocationInterceptorForWS" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager">
    <ref local="authenticationManager" />
  </property>
  <property name="accessDecisionManager">
    <ref local="httpRequestAccessDecisionManager" />
  </property>
  <property name="objectDefinitionSource">
    <value>
      <![CDATA[CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      \A/webservices/.*\Z=Admin]]>
    </value>
  </property>
</bean>
```
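To make the two definition-source texts on this page concrete (the filter chain map in filterChainProxy and the access rule in filterInvocationInterceptorForWS), here is an added example, not Pentaho's or Spring Security's own code, that parses that text format (directives, backslash line continuation, Ant or regex patterns) and resolves a URL to the first matching entry. It is a simplified model of the matching: the query string is dropped and Ant `**` is treated as a plain `.*`.

```python
import re

# Constructed copies of the two definition-source texts on this page (filter chains and WS access rule).
FILTER_CHAINS = r"""CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/webservices/**=securityContextHolderAwareRequestFilterForWS,httpSessionContextIntegrationFilter, \
digestProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilterForWS,filterInvocationInterceptorForWS,pentahoSecurityStartupFilter
/**=securityContextHolderAwareRequestFilter,httpSessionContextIntegrationFilter,httpSessionReuseDetectionFilter,logoutFilter, \
authenticationProcessingFilter,basicProcessingFilter,requestParameterProcessingFilter,anonymousProcessingFilter, \
pentahoSecurityStartupFilter,exceptionTranslationFilter,filterInvocationInterceptor"""
ACCESS_RULES = r"""CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
\A/webservices/.*\Z=Admin"""


def ant_to_regex(pattern):
    """Simplified Ant rules: ** spans path segments, * and ? stay inside one segment."""
    parts = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    return "".join(parts.get(t, re.escape(t)) for t in re.findall(r"\*\*|[*?]|[^*?]+", pattern))


def parse_definition_source(text):
    """Return (lowercase_urls, [(compiled_pattern, [values])]) in declaration order."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if lines and lines[-1].endswith("\\"):  # a trailing backslash continues the entry
            lines[-1] = lines[-1][:-1] + line
        else:
            lines.append(line)
    lowercase, ant, rules = False, False, []
    for line in lines:
        if line.upper() == "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON":
            lowercase = True
        elif line.upper() == "PATTERN_TYPE_APACHE_ANT":
            ant = True  # without this directive the patterns are taken as regular expressions
        else:
            pattern, _, values = line.partition("=")
            regex = re.compile(ant_to_regex(pattern.strip()) if ant else pattern.strip())
            rules.append((regex, [v.strip() for v in values.split(",") if v.strip()]))
    return lowercase, rules


def resolve(text, url):
    """First matching entry wins, so the most specific pattern must be declared first."""
    lowercase, rules = parse_definition_source(text)
    path = url.split("?", 1)[0]  # simplification: compare the path only, never the query string
    if lowercase:
        path = path.lower()
    return next((values for regex, values in rules if regex.fullmatch(path)), None)
```

`resolve(FILTER_CHAINS, "/webservices/ViewAction")` yields the seven-filter web service chain (with digestProcessingFilter in third position) while `/ViewAction` yields the eleven-filter browser chain, matching the two servlet mappings above. Because `/**` also matches every web service URL, the chains must stay in this order, and only the lowercase directive makes `/WebServices/ViewAction` hit the `Admin` rule.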
...