
Authentication for Direct URL


skolluri


Hi,

I am trying to use Direct URL to access a JasperServer report from another web application. I got some good info on Direct URLs earlier on the forum and thanks to everyone who answered! I found some postings on the authentication mechanism as well, but I couldn't quite understand. So, here I am again... I hope someone can answer and explain to me this time (pleeaaseee!)

I have reports running on JasperServer. I need to access these reports from an external web application (which also uses Acegi for its security). I am currently using DIRECT URLs to access the JasperServer reports. It is working great - simple, no extra changes or configuration. Except that I have to pass the login credentials as parameters in the URL, like -

&j_acegi_security_check?&j_username=jasperadmin&j_password=jasperadmin

I don't want to do this since I am exposing the login credentials in the URL and it is not very secure. We are using the community version of JasperServer (JS) 3.0 currently. And web services is not an option either.

Is there another way to achieve this?

Can I use Basic Authentication instead - set the encrypted credentials in the headers, and update the JS configuration to accept Basic Auth? Since JS uses Acegi for its security as well, I am hoping it would be pretty straightforward. I am just learning Acegi, so I am a bit confused. Will that be safe?

We installed JasperServer using the war file. So, I am not sure if we can update/modify/add code, other than the config files.

I really need this soon. Appreciate any comments or ideas from the JasperServer team??


Thanks,

Sridevi

  • 4 weeks later...

Hi Sridevi,

Sorry for this much delay in replying to you; I am new to this forum.

I also faced the same problem, but I have a solution.

 

Do the following :

 *) In file jasperserver/WEB-INF/jsp/login_welcome.jsp

   you need to comment out the front end design for that file and write one function:

function setusernamepassword() {
    // Read the query string of the top-level page, without the leading "?".
    var queryString = window.top.location.search.substring(1);
    alert(queryString);

    // Expects the user name as the first parameter and the password as the second.
    var querystring_split = queryString.split("&");
    var username_details = querystring_split[0].split("=");
    var password_details = querystring_split[1].split("=");

    // write the decrypt code for user name and password and set it to the fields below
    document.fmLogin.j_username.value = username_details[1];
    alert("username:" + username_details[1]);
    document.fmLogin.j_password.value = password_details[1];
}

Call this function in validatePassword().

If you make the following changes, you can pass the HTTP URL itself without showing the login page.

*) Then, from the application where you are calling, encrypt the user name and password,

then in the function setusernamepassword() you need to decrypt it.

 

If you are having any trouble, kindly ask me.

 

########

If you are changing any code in the JSP file, then there is no need to recompile the JasperServer.

 

With Regards,

Rohini A.M

 

 

 


Hi Rohini,

Thanks for sharing your solution for this problem. That is a neat solution. I ended up writing a filter to do exactly the same thing as you are doing.

 

I wrote a filter, and added it to a jar and put the jar file in ../jasperserver/WEB-INF/lib directory.

 

This filter replaces the "RequestParameterAuthenticationFilter" that was JasperServer's filter, which basically takes the username and password from the query string and adds it to the Authentication object. I basically updated that code to decrypt the username and password after taking it from the query string, but before adding it to the Authentication object - just like you did in the JavaScript function.

Thanks again for sharing your solution!

 

Sridevi
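
The server-side variant described in this reply, as an added example that is not the poster's filter and not JasperServer or Acegi code: the calling application seals the credentials into one URL parameter, and a filter opens it before building the Authentication object, so the key never appears in a page sent to the browser. The class name `DirectUrlToken`, the token layout, the use of AES-GCM and the issue-time check are assumptions added here so that a modified or old URL is rejected; the thread itself only says "encrypt" and "decrypt".

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.io.*;
import java.security.*;
import java.util.*;

public final class DirectUrlToken {   // hypothetical helper, not part of JasperServer
    private static final int IV_LEN = 12, TAG_BITS = 128;

    // Calling application: seal issue time + credentials into one URL-safe parameter value.
    public static String seal(byte[] key, String user, String pass, long nowMs) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(buf);
        out.writeLong(nowMs); out.writeUTF(user); out.writeUTF(pass);
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);            // fresh IV for every token
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(buf.toByteArray());
        byte[] token = Arrays.copyOf(iv, IV_LEN + ct.length);   // layout: IV || ciphertext+tag
        System.arraycopy(ct, 0, token, IV_LEN, ct.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(token);
    }

    // Server-side filter: returns {username, password}; throws if tampered with or stale.
    public static String[] open(byte[] key, String token, long nowMs, long maxAgeMs) throws Exception {
        byte[] raw = Base64.getUrlDecoder().decode(token);
        if (raw.length < IV_LEN + TAG_BITS / 8) throw new GeneralSecurityException("token too short");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, raw, 0, IV_LEN));
        byte[] plain = c.doFinal(raw, IV_LEN, raw.length - IV_LEN);  // AEADBadTagException if modified
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(plain));
        long issued = in.readLong();
        if (issued > nowMs || nowMs - issued > maxAgeMs) throw new GeneralSecurityException("token expired");
        return new String[] { in.readUTF(), in.readUTF() };
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];                   // constructed demo key; share the real one via config
        new SecureRandom().nextBytes(key);
        long t0 = System.currentTimeMillis();
        String token = seal(key, "report_viewer", "constructed-password", t0);  // constructed sample values
        System.out.println(Arrays.toString(open(key, token, t0 + 5_000, 60_000)));
        try { open(key, token, t0 + 120_000, 60_000); }          // same URL replayed two minutes later
        catch (GeneralSecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

A token captured from an access log or browser history is still usable until it expires, so the lifetime passed to `open` should be short and the link served over HTTPS.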

  • 4 weeks later...

Hi sridevi,

Can you share this solution with me in more depth?

I am new to Acegi scripts. What steps do I need to follow?

Actually, how are you now adding the JasperServer to your application: by URL or by some other means?

What filter do I need to write, and how do I achieve this without a hack? Kindly help me.

 

 

 

Regards,

Rohini A.M

 

  • 5 weeks later...
  • 2 years later...

Hi

1) The file jasperserver/WEB-INF/jsp/login_welcome.jsp, in which you need to comment the front end design and write one function, is not available.

To set the user name & password, I previously passed the login credentials through the URL like

&j_acegi_security_check?&j_username=jasperadmin&j_password=jasperadmin, but I don't want to expose credentials in the URL; I need to hide the user name and password. But in my JasperServer the login_welcome.jsp page is not available. Even though I created my own login_welcome.jsp, when I run the JS it gives an error like 404 ( /jasper server) is not available.

2) Can you please tell me where I need to put the below mentioned code? I think we need to write it in ( application context security.xml , or application context security.web )

Can you please tell me the solution ASAP?

Regards,

Rakesh

 

 

Code:
<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
    <property name="filterInvocationDefinitionSource">
        <value>
            CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
            PATTERN_TYPE_APACHE_ANT
            /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,basicProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
        </value>
    </property>
</bean>

<bean id="exceptionTranslationFilter"
      class="org.acegisecurity.ui.ExceptionTranslationFilter">
    <property name="authenticationEntryPoint">
        <ref local="authenticationProcessingFilterEntryPoint"/>
    </property>
</bean>

<bean id="authenticationProcessingFilterEntryPoint"
      class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
    <property name="loginFormUrl">
        <value>/login.html</value>
    </property>
    <property name="forceHttps">
        <value>false</value>
    </property>
</bean>

<bean id="authenticationProcessingFilter"
      class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
    <property name="authenticationManager">
        <ref local="authenticationManager"/>
    </property>
    <property name="authenticationFailureUrl">
        <value>/loginerror.html</value>
    </property>
    <property name="defaultTargetUrl">
        <value>/flow.html?_flowId=listReportsFlow</value>
    </property>
    <property name="filterProcessesUrl">
        <value>/j_acegi_security_check</value>
    </property>
</bean>

<bean id="authenticationManager"
      class="org.acegisecurity.providers.ProviderManager">
    <property name="providers">
        <list>
            <ref local="daoAuthenticationProvider"/>
            <ref local="anonymousAuthenticationProvider"/>
            <!--ref local="jaasAuthenticationProvider"/-->
        </list>
    </property>
</bean>

<bean id="daoAuthenticationProvider"
      class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
    <!-- <property name="userDetailsService">
             <ref bean="inMemoryDaoImpl"/></property> -->
    <property name="userDetailsService">
        <ref bean="userAuthorityService"/>
    </property>
</bean>

<bean id="initialDirContextFactory"
      class="org.acegisecurity.providers.ldap.DefaultInitialDirContextFactory">
    <constructor-arg value="ldap://monkeymachine:389/dc=acegisecurity,dc=org"/>
    <property name="managerDn">
        <value>cn=manager,dc=acegisecurity,dc=org</value>
    </property>
    <property name="managerPassword">
        <value>password</value>
    </property>
</bean>

<bean id="userSearch"
      class="org.acegisecurity.providers.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg index="0">
        <value></value>
    </constructor-arg>
    <constructor-arg index="1">
        <value>(uid={0})</value>
    </constructor-arg>
    <constructor-arg index="2">
        <ref local="initialDirContextFactory" />
    </constructor-arg>
    <property name="searchSubtree">
        <value>true</value>
    </property>
</bean>

<bean id="ldapAuthProvider"
      class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
            <constructor-arg>
                <ref local="initialDirContextFactory"/>
            </constructor-arg>
            <property name="userDnPatterns">
                <list>
                    <value>uid={0},ou=people</value>
                </list>
            </property>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
            <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
            <constructor-arg><value>ou=groups</value></constructor-arg>
            <property name="groupRoleAttribute">
                <value>ou</value>
            </property>
        </bean>
    </constructor-arg>
</bean>

<!-- We would finally wire this into the authentication manager via: -->
<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
    <property name="providers">
        <list>
            <ref local="ldapAuthProvider"/>
            <ref local="anonymousAuthenticationProvider"/>
        </list>
    </property>
</bean>

<bean id="jaasAuthenticationProvider"
      class="org.acegisecurity.providers.jaas.JaasAuthenticationProvider">
    <property name="loginConfig">
        <value>/WEB-INF/login.conf</value>
    </property>
    <property name="loginContextName">
        <value>FileLogin</value>
    </property>
    <property name="callbackHandlers">
        <list>
            <bean class="org.acegisecurity.providers.jaas.JaasNameCallbackHandler"/>
            <bean class="org.acegisecurity.providers.jaas.JaasPasswordCallbackHandler"/>
        </list>
    </property>
    <property name="authorityGranters">
        <list>
            <bean class="org.appfuse.web.JaasAuthorityGranter"/>
        </list>
    </property>
</bean>

anaganirakesh
Wrote:

Hi

1) The file jasperserver/WEB-INF/jsp/login_welcome.jsp, in which you need to comment the front end design and write one function, is not available.

2) To set the user name & password, I previously passed the login credentials through the URL like

&j_acegi_security_check?&j_username=jasperadmin&j_password=jasperadmin,

but I don't want to expose credentials in the URL; I need to hide the user name and password. But in my JasperServer the login_welcome.jsp page is not available. Even though I created my own login_welcome.jsp, when I run the JS it gives an error like 404 ( /jasper server) is not available.

3) Can you please tell me where I need to put the below mentioned code? I think we need to write it in ( application context security.xml , or application context security.web )

Can you please tell me the solution ASAP?

Regards,

Rakesh

 

 
