Changing authentication procedure

[sarahmei]

I need to figure out the current authentication flow in JI, and reading Spring indirection code is driving me batty. Is there a nice code-level diagram somewhere I can look at that isn't in Open Office format?

 

We need to do some funky auth redirection, while still keeping permissions in the JI database, and ensuring that the user never, ever sees a JI login screen. Because then their heads would asplode, or something, I don't know.

 

Anyway, I know I need a filter to interface with the weird auth service we're using, but it seems I also need to modify the authentication .. flow? The cookie we check to ensure authentication is different, and where it goes on failure (currently the login screen) is also different.

 

Ideas? TIA.

[swood]

There is a lot of documentation on Acegi Security at http://acegisecurity.org/

The Reference Guide (see the left hand nav) covers many areas. Also the Acegi forums have a wealth of information about how to do things - the joys of open source! http://forum.springframework.org/forumdisplay.php?f=33

 

 

 

I have been working with our consultants who are helping customers implement JasperIntelligence and the authentication area always comes up. I have been finding that Acegi is awesome in terms of its ability to be customized and extended for funky requirements. B)

 

The key for you is in the applicationContext-security.xml, which controls Acegi in our environment. Below is the entry point for your security travels.

 

Code:

    <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
        <property name="filterInvocationDefinitionSource">
            <value>
                CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                PATTERN_TYPE_APACHE_ANT
                /xmla=httpSessionContextIntegrationFilter,basicProcessingFilter,JIAuthenticationSynchronizer,anonymousProcessingFilter,basicAuthExceptionTranslationFilter,filterInvocationInterceptor
                /services/**=httpSessionContextIntegrationFilter,basicProcessingFilter,JIAuthenticationSynchronizer,anonymousProcessingFilter,basicAuthExceptionTranslationFilter,filterInvocationInterceptor
                /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,basicProcessingFilter,JIAuthenticationSynchronizer,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
            </value>
        </property>
    </bean>

    <!-- ======================== AUTHENTICATION ======================= -->
    <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
        <property name="providers">
            <list>
                <!-- not on by default <ref local="ldapAuthenticationProvider"/>  -->
                <ref local="daoAuthenticationProvider"/>
                <ref local="anonymousAuthenticationProvider"/>
                <!--ref local="jaasAuthenticationProvider"/-->
            </list>
        </property>
    </bean>

 

 

If you need to catch a custom cookie, you will need to create a filter to do the authentication and include the filter in the filter list in the filterChainProxy bean definition. Have a look at the Acegi source and our own MetadataAuthenticationProcessingFilter to see how you set the AuthenticationContext.

 

If the authentication fails, the exceptionTranslationFilter catches that and what happens next depends on how that filter/bean is configured. In the web UI case, you will see in the config:

Code:

[code] <bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter"> <property name="authenticationEntryPoint"><ref local="authenticationProcessingFilterEntryPoint"/></property> </bean> <bean id="authenticationProcessingFilterEntryPoint" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint"> <property name="loginFormUrl"><value>/login.html</value></property> <property name="forceHttps"><value>false</value></property> </bean>

 

Note the loginFormUrl.

 

Here is the configuration that sets where login success will take you.

 

Code:

[code] <bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter"> <property name="authenticationManager"><ref local="authenticationManager"/></property> <property name="authenticationFailureUrl"><value>/loginerror.html</value></property> <property name="defaultTargetUrl"><value>/loginsuccess.html</value></property> <property name="filterProcessesUrl"><value>/j_acegi_security_check</value></property> </bean>

 

 

Hope that helps!

 

 

Sherman

JasperSoft

[Grazy Mos]

I am writing my own filter that has to catch a custom cookie. After the cookie is succefully catched he needs to try to login that user.

 

 

In the MetadataAuthenticationProcessingFilter it uses the ExternalUserService class:

Code:

getExternalUserService().maintainInternalUser(userDetails);
            
getExternalUserService().makeUserLoggedIn(userDetails.getUsername());

 

The cookie exist of a username and password(USERNAME: PASSWORD). To authenticate(login) this user I believe he has to make a UserDetails object, or add it to the UserDetail object. Or is there a other way to solve this?

 

 

According to the acigi manual a implementation of the UserDetailService is needed to create a UserDetails object. Does jasperintelligence has a own implementation of the UserDetailService interface?

 

 

Niels,

[vsoneta]

Did anyone figured this out... I have  in my  application-context-security.xml:

 

<bean id="jaasAuthenticationProvider" class="org.acegisecurity.providers.jaas.JaasAuthenticationProvider">
        <property name="loginConfig">
            <value>/WEB-INF/login.conf</value>
        </property>
        <property name="loginContextName">
            <value>dierbergsJAAS</value>
        </property>
        <property name="callbackHandlers">
            <list>
                <bean class="com.dierbergs.auth.JAAS.SSOCallbackHandler"/>              
            </list>
        </property>
        <property name="authorityGranters">
            <list>
                <bean class="com.dierbergs.auth.JAAS.SSOAuthorityGranter"/>
            </list>
        </property>
    </bean>
 

 

and in my filter class I am able to get the username and password onto the login page... but I don't want it to go to the login page.. it should directly do the login and get him to the jasperserver page if the authencation is correct.. Please help me where do I need to change so that it doesn;t show the login page...

[swood]

You need to add in a custom filter that does the SSO login. Probably what you have set up authenticates against JAAS, requiring the user name and password to be entered.

 

Sherman

Jaspersoft

[skolluri]

Hi,

I need to do something like this too. I have reports running on JasperServer. I need to access these reports from an extrernal web application (which also uses Acegi for its security). I am currently using DIRECT URLs to access the JasperServer reports. It is working great - simple, no extra changes or configuration. Except that I have to pass the login credentials as parameters in the URL  like -

&j_acegi_security_check?&j_username=jasperadmin&j_password=jasperadmin

 

I dont want to do this since I am exposing the login credentials in the URL.

Is there another way to achieve this?

 

Thanks,

Sridevi

[developerdude]

 IIRC, one of the changes to 3.5 is to support password encryption in the URL.

 

Beyond that, you could use the web services instead.

[skolluri]

hey, thanks for your reply!

We are using the community version of JasperServer(JS) 3.0 version currently. And web services is not an option either.

I wanted to test the authentication on JS using Basic Authentication instead - set the encrypted credentials in the headers, and update the JS configuration to accept Basic Auth. Since JS uses Acegi for its security as  well, I am hoping it would be pretty straightforward.

We installed JasperServer using the war file. So, I am not sure if we can update/modify/add code, other than the config files.

Appreciate any comments or ideas from the JasperServer team??

 

Thanks,

Sridevi