Versions Compared

Old Version 4

changes.mady.by.user Former user

Saved on

compared with

New Version Current

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 4.0

Introduction

This document is meant to provide a brief overview of the Spring Security implementation as configured in the 5.x BA Platform. For more detailed information, see the Security section of the Advanced BI Platform Documentation.

Related Files

File

Purpose

web.xml

  • contains context-param contextConfigLocation which points to pentaho-spring-beans.xml
  • adds Spring Security Filter Chain Proxy filter using targetBean filterChainProxy

pentaho-spring-beans.xml

  • imports security centric spring xml config files

applicationContext-spring-security.xml

  • defines filterChainProxy which maps filter beans to URL patterns
  • defines custom applicationEventMulticaster to ensure order of listeners is preserved
  • provide support for anonymous session handling
  • adds listeners to start session upon successful authentication event
  • httpSessionReuseDetectionFilter
    • prevents multiple logins
  • requestParameterProcessingFilter
    • attempt authentication using provided manager when username and password credentials are present
  • httpSessionPentahoSessionContextIntegrationFilter
    • Provides persistance of PentahoSession between requests for an authenticated user
    • Stores Pentaho session in PentahoSessionHolder before filter chain is executed
    • Stores Pentaho session in HttpSession after chain is executed
    • Limits use of session creation and access to preserve resources
  • httpSessionContextIntegrationFilter
    • Persists SecurityContext between requests in HttpSession
    • defines logoutFilter which uses PentahoLogoutHandler to invalidate PentahoSession and Spring's SecurityContextLogoutHandler to invalidate HttpSession and clear SecurityContext
  • securityContextHolderAwareRequestFilter
    • Adds securityContextHolderAwareRequestWrapper which uses SecurityContext defined Authentication object for responses to isUserInRole() and getRemoteUser()
    • another instance is added for web service requests to /webservices/* and /api/*
  • exceptionTranslationFilter
    • used to handle AccessDeniedException and AuthenticationExceptions thrown in the filter chain and redirect accordingly
    • uses authenticationProcessingFilterEntryPoint for /*, basicProcessingFilterEntryPoint for /webservices/* and /api/*
  • filterInvocationInterceptor and filterInvocationInterceptorWS map resource URL patterns to roles

applicationContext-spring-security-superuser.xml

  • uses in memory user map to provide fallback in case repo credentials are lost
  • Provides superAuthenticationProvider which uses DaoAuthenticationProvider to access in memory user map provided by superUserDetailsService

applicationContext-common-authorization.xml

  • provides custom RoleVoter impl that will strip off the user specified prefix from config attributes before comparing with authorities

applicationContext-pentaho-security-jackrabbit.xml

  • defines UserRoleListService using userRoleDaoProxy bean provided by repository.spring.xml which wraps the default JCR DAO implementation with transaction management and method level security
  • UserRoleListService uses tenantedUserNameUtils and tenantedRoleNameUtils beans defined in repository.spring.xml which are used to derive a user's tenant and user name from a user id and visa-versa

applicationContext-spring-security-jackrabbit.xml

  • defines authenticationProvider and userDetailsService beans which use userRoleDaoTxn defined in repository.spring.xml, which in turn wraps the default JCR DAO implementation with transaction management (but not method level security)