Creating Your Own Security Data Access Object

Custom Security DAO

If the out-of-the-box security DAOs (memory, jdbc, and ldap) do not meet your needs, here are instructions for creating your own. The Security Data Access Objects page introduces the two key interfaces that fetch security data: UserDetailsService and IUserRoleListService. To implement a new security data access object, you must implement both UserDetailsService, a Spring Security interface, and IUserRoleListService, a Pentaho interface. The two must agree with each other: the roles Pentaho lists for a user through IUserRoleListService have to be the same roles Spring Security grants that user at login through UserDetailsService.

Implement UserDetailsService

UserDetailsService defines a single method:

UserDetails loadUserByUsername(String username)

Given a username, it returns a UserDetails instance. A UserDetails object exposes the username, password, authorities (also known as roles), account expired status, password expired status, account locked status, and account enabled status for the username passed to loadUserByUsername. If no such user exists, the method must throw UsernameNotFoundException rather than return null; Spring Security's authentication provider relies on that exception to reject the login.

Implement IUserRoleListService

IUserRoleListService defines four methods:

GrantedAuthority[] getAllAuthorities()
    Return all authorities (also known as roles) that should be known to Pentaho.

String[] getAllUsernames()
    Return all usernames that should be known to Pentaho.

String[] getUsernamesInRole(GrantedAuthority authority)
    Return the usernames that have been granted the given authority. Another way of stating this is, "What users are in the given role?"

GrantedAuthority[] getAuthoritiesForUser(String username)
    Return the authorities that have been granted to the given username. This list should be exactly the same as myUserDetailsService.loadUserByUsername(username).getAuthorities().
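The following class is an added example (not Pentaho's own code) that implements both interfaces described above from a single in-memory table, so that the role lists Pentaho sees and the authorities Spring Security grants at login come from one source. It targets the Spring Security 2.x API that the GrantedAuthority[] signatures above correspond to (org.springframework.security.* packages). The package name, class name, user names, role names and password-hash placeholders are all assumptions made up for the example.

```java
// Added example, not Pentaho's own code. Implements UserDetailsService (Spring
// Security 2.x) and IUserRoleListService (Pentaho) over one constructed in-memory
// table. Package and class name are hypothetical.
package com.example.security;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.pentaho.platform.api.engine.IUserRoleListService;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.userdetails.User;
import org.springframework.security.userdetails.UserDetails;
import org.springframework.security.userdetails.UserDetailsService;
import org.springframework.security.userdetails.UsernameNotFoundException;

public class MyUserRoleDao implements UserDetailsService, IUserRoleListService {

    /** One record per user (constructed sample data). Store the password in the
     *  form the authentication provider's PasswordEncoder expects, never in clear
     *  text; the strings below stand in for such hashes. */
    private static final class Account {
        final String passwordHash;
        final boolean enabled;
        final String[] roles;
        Account(String passwordHash, boolean enabled, String... roles) {
            this.passwordHash = passwordHash;
            this.enabled = enabled;
            this.roles = roles;
        }
    }

    private final Map<String, Account> accounts = new LinkedHashMap<String, Account>();

    public MyUserRoleDao() {
        // Constructed sample users and roles.
        accounts.put("joe",  new Account("<hash-of-joes-password>",  true,  "Admin", "Authenticated"));
        accounts.put("suzy", new Account("<hash-of-suzys-password>", true,  "Authenticated"));
        accounts.put("pat",  new Account("<hash-of-pats-password>",  false, "Authenticated"));
    }

    // ---- UserDetailsService -------------------------------------------------

    /** Unknown users raise UsernameNotFoundException; returning null is not a
     *  valid way to signal "no such user" to Spring Security. */
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        Account a = accounts.get(username);
        if (a == null) {
            throw new UsernameNotFoundException("no such user: " + username);
        }
        return new User(username, a.passwordHash, a.enabled,
                true,   // accountNonExpired
                true,   // credentialsNonExpired
                true,   // accountNonLocked
                toAuthorities(a.roles));
    }

    // ---- IUserRoleListService -----------------------------------------------

    public GrantedAuthority[] getAllAuthorities() {
        Set<String> names = new LinkedHashSet<String>();
        for (Account a : accounts.values()) {
            names.addAll(Arrays.asList(a.roles));
        }
        return toAuthorities(names.toArray(new String[names.size()]));
    }

    public String[] getAllUsernames() {
        return accounts.keySet().toArray(new String[accounts.size()]);
    }

    public String[] getUsernamesInRole(GrantedAuthority authority) {
        List<String> out = new ArrayList<String>();
        for (Map.Entry<String, Account> e : accounts.entrySet()) {
            if (Arrays.asList(e.getValue().roles).contains(authority.getAuthority())) {
                out.add(e.getKey());
            }
        }
        return out.toArray(new String[out.size()]);
    }

    /** Delegates to loadUserByUsername so the two views of a user's roles cannot
     *  drift apart, which is the invariant the method table requires. */
    public GrantedAuthority[] getAuthoritiesForUser(String username) {
        try {
            return loadUserByUsername(username).getAuthorities();
        } catch (UsernameNotFoundException e) {
            return new GrantedAuthority[0];
        }
    }

    private static GrantedAuthority[] toAuthorities(String[] roles) {
        GrantedAuthority[] out = new GrantedAuthority[roles.length];
        for (int i = 0; i < roles.length; i++) {
            out[i] = new GrantedAuthorityImpl(roles[i]);
        }
        return out;
    }
}
```

Two design points are worth keeping when you replace the in-memory map with a real backend. First, getAuthoritiesForUser is built on loadUserByUsername rather than on a separate query, so a user can never appear in Pentaho's role listings with roles that Spring Security would not grant at login. Second, the DAO never compares passwords itself; it hands the stored hash to Spring Security, and the authentication provider's PasswordEncoder does the comparison. Keep the UsernameNotFoundException for unknown users: Spring Security's DaoAuthenticationProvider hides it behind a generic bad-credentials failure by default, so it does not leak which usernames exist.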

Configure Your UserDetailsService Implementation

Make a copy of pentaho-solutions/system/applicationContext-spring-security-jdbc.xml and name the copy applicationContext-spring-security-mydao.xml. In the copy, replace the bean definition whose id is userDetailsService with the bean definition for your UserDetailsService implementation, keeping the id userDetailsService so the rest of the Spring Security configuration still finds it.

Configure Your IUserRoleListService Implementation

Make a copy of pentaho-solutions/system/applicationContext-pentaho-security-jdbc.xml and name the copy applicationContext-pentaho-security-mydao.xml. In the copy, replace the bean definition whose id is jdbcUserRoleListService with the bean definition for your IUserRoleListService implementation (you may rename the id). Then change the userRoleListService property of the bean definition whose id is pentahoUserRoleListService to refer to your new bean. For example, if you called your new bean myUserRoleListService, the userRoleListService property would look like this:

<property name="userRoleListService">
  <ref local="myUserRoleListService" />
</property>

Start Using Your Implementations

Edit pentaho-solutions/system/pentaho-spring-beans.xml and change the imports of the jdbc files to reference your new applicationContext-spring-security-mydao.xml and applicationContext-pentaho-security-mydao.xml files. It should look like this when you are done:

<beans>
  <import resource="pentahoSystemConfig.xml" />
  <import resource="adminPlugins.xml" />
  <import resource="systemListeners.xml" />
  <import resource="sessionStartupActions.xml" />
  <import resource="applicationContext-spring-security.xml" />
  <import resource="applicationContext-common-authorization.xml" />
  <import resource="applicationContext-spring-security-mydao.xml" />
  <import resource="applicationContext-pentaho-security-mydao.xml" />
  <import resource="pentahoObjects.spring.xml" />
</beans>