Authentication from Third-Party Applications

Note: See also Web Services Security.

The Pentaho BI Server is able to use alternative authentication methods that are available through the Spring Security framework. These include Form, Basic (RFC 1945) and Digest (RFC 2617 and RFC 2069) in addition to a custom Pentaho authentication method called Request Parameter Authentication.

Here is a quick overview of the advantages and disadvantages of each.

Basic

  Advantages:
  • Can be non-interactive.
  • Client prompt built into browsers.
  • Widely supported.
  • Can be paired with SSL to protect password.

  Disadvantages:
  • Password is encoded but not encrypted.

Digest

  Advantages:
  • Can be non-interactive.
  • Client prompt built into browsers.
  • Password is not sent as cleartext.

  Disadvantages:
  • Less widely supported than Basic.

Request Parameter

  Advantages:
  • Can be non-interactive.
  • Very easy to use.
  • Relies only on HTTP specification so it is widely supported.

  Disadvantages:
  • Password is sent as cleartext and can be (and probably is) logged by web servers.

Form

  Advantages:
  • Relies only on HTTP specification so it is widely supported.
  • Allows cosmetic customization.
  • Can be paired with SSL to protect password.

  Disadvantages:
  • Requires creation of login page.

Of these, only Basic, Digest, and Request Parameter are suggested for use when authenticating from third-party applications. This is because these methods can be used in a non-interactive manner.
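To make the table's claims concrete, the following Python illustration (added here; it is not Pentaho or HttpClient code) builds a Basic header and decodes it back, computes a Digest response for the worked vector in RFC 2617 section 3.5, and extracts Request Parameter credentials from a constructed access-log line. The log line, user names and passwords are constructed sample values.

```python
"""Wire-level view of the schemes compared above (illustration added here,
not Pentaho or HttpClient code). All values are constructed; the Digest
vector is the worked example from RFC 2617 section 3.5."""
import base64
import hashlib
import re
from urllib.parse import parse_qs, urlsplit


def basic_header(user, password):
    """Basic (RFC 1945): user:password is only base64-encoded, not encrypted."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(header):
    """Whoever sees the header (proxy, capture, log) recovers the password."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Digest (RFC 2617, qop=auth): the password enters only through HA1, so the
    wire carries a one-way hash bound to the server's nonce, not the password."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def logged_request_parameter_credentials(log_line):
    """Request Parameter auth puts userid/password in the query string, which a
    plain access log keeps. Returns the leaked (userid, password), or None."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', log_line)
    if not m:
        return None
    query = parse_qs(urlsplit(m.group(1)).query)
    if "password" not in query:
        return None
    return query.get("userid", [""])[0], query["password"][0]


# Constructed access-log line for the Request Parameter JSP example further down.
SAMPLE_LOG = ('10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /pentaho/ViewAction'
              '?solution=samples&path=getting-started&action=HelloWorld.xaction'
              '&userid=joe&password=password HTTP/1.1" 200 512')
```

Running the Digest function against the RFC vector yields response 6629fae49393a05397450978507c4ef1, while the Basic header decodes straight back to the password.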

Basic Authentication Example

BasicAuthenticationExample.java
/*
 * $Header: /home/jerenkrantz/tmp/commons/commons-convert/cvs/home/cvs/jakarta-commons//httpclient/src/examples/BasicAuthenticationExample.java,v 1.4 2004/06/12 22:47:23 olegk Exp $
 * $Revision: 480424 $
 * $Date: 2006-11-29 06:56:49 +0100 (Wed, 29 Nov 2006) $
 * ====================================================================
 *
 *  Licensed to the Apache Software Foundation (ASF) under one or more
 *  contributor license agreements.  See the NOTICE file distributed with
 *  this work for additional information regarding copyright ownership.
 *  The ASF licenses this file to You under the Apache License, Version 2.0
 *  (the "License"); you may not use this file except in compliance with
 *  the License.  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS,
 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 * ====================================================================
 *
 * This software consists of voluntary contributions made by many
 * individuals on behalf of the Apache Software Foundation.  For more
 * information on the Apache Software Foundation, please see
 * <http://www.apache.org/>.
 *
 * [Additional notices, if required by prior licensing conditions]
 *
 */

import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.UsernamePasswordCredentials;
import org.apache.commons.httpclient.auth.AuthScope;
import org.apache.commons.httpclient.methods.GetMethod;

/**
 * A simple example that uses HttpClient to perform a GET using Basic
 * Authentication. Can be run standalone without parameters.
 *
 * You need to have JSSE on your classpath for JDK prior to 1.4
 *
 * @author Michael Becke
 */
public class BasicAuthenticationExample {

    /**
     * Constructor for BasicAuthenticationExample.
     */
    public BasicAuthenticationExample() {
        super();
    }

    public static void main(String[] args) throws Exception {
        HttpClient client = new HttpClient();

        // pass our credentials to HttpClient, they will only be used for
        // authenticating to servers with realm "realm" on the host
        // "www.verisign.com", to authenticate against
        // an arbitrary realm or host change the appropriate argument to null.
        client.getState().setCredentials(
            new AuthScope("www.verisign.com", 443, "realm"),
            new UsernamePasswordCredentials("username", "password")
        );

        // create a GET method that reads a file over HTTPS, we're assuming
        // that this file requires basic authentication using the realm above.
        GetMethod get = new GetMethod("https://www.verisign.com/products/index.html");

        // Tell the GET method to automatically handle authentication. The
        // method will use any appropriate credentials to handle basic
        // authentication requests.  Setting this value to false will cause
        // any request for authentication to return with a status of 401.
        // It will then be up to the client to handle the authentication.
        get.setDoAuthentication( true );

        try {
            // execute the GET
            int status = client.executeMethod( get );

            // print the status and response
            System.out.println(status + "\n" + get.getResponseBodyAsString());

        } finally {
            // release any connection resources used by the method
            get.releaseConnection();
        }
    }
}

Digest Authentication Example

Digest is the same as the above example but with the following changes.

// imports needed in addition to those in the Basic example
import java.util.ArrayList;
import java.util.List;
import org.apache.commons.httpclient.auth.AuthPolicy;

// omitted (same as above)

HttpClient client = new HttpClient(); // same as above

// new lines: list only the Digest scheme, so the client answers Digest
// challenges and will not fall back to Basic (which would send the
// password base64-encoded) if the server offers Basic alone
List authPrefs = new ArrayList(1);
authPrefs.add(AuthPolicy.DIGEST);
client.getParams().setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY, authPrefs);

// omitted (same as above)

Request Parameter Authentication Example

Here's an example in a JSP.

<%@ taglib prefix="c" uri="http://java.sun.com/jstl/core" %>
<c:import url="http://mypentahoserver:8080/pentaho/ViewAction">
  <c:param name="solution" value="samples" />
  <c:param name="path" value="getting-started" />
  <c:param name="action" value="HelloWorld.xaction" />
  <c:param name="userid" value="joe" />
  <c:param name="password" value="password" />
</c:import>

References

http://kickjava.com/src/BasicAuthenticationExample.java.htm