Overview of Security

JasperReports Server ensures that people can access only the data they are allowed to see. The mechanisms that define organizations, users, roles, and repository resources work together to provide complete access control that includes:

Authentication – Restricts access to identified users and protects that access with passwords. Defines roles for grouping users and assigning permissions. Authentication is further explained in the next section.
Authorization – Controls access to repository objects, pages, and menus based on users and roles. Authorization is further explained in a following section.
Data level security (commercial version only) – Defines row and column level permissions to access your data. Row and column level permissions can be defined and enforced in Domains. For more information, refer to the JasperReports Server User Guide. If you implement Jaspersoft OLAP, you can use roles to secure your data at any level of an analysis schema’s hierarchy. For more information, refer to the Jaspersoft OLAP User Guide.

Administrators must keep security in mind at all times when managing organizations, user, roles, and resources, because the security settings behind each of these rely on the others.


The first part of security is to define user accounts and secure them with passwords. Users must log in with their user ID and password so that they have an identity in JasperReports Server. The server stores user definitions, including encrypted passwords, in a private database. Administrators create, modify, and delete user accounts through the administrator pages, as described in Managing Users.

JasperReports Server also implements roles that can be assigned to any number of users. Roles let administrators create groups or classes of users that are granted similar permissions. A user may belong to any number of roles and receive the privileges from each of them. The server stores role definition in its private database, and administrators create, modify, and delete roles through the administrator pages, as described in Managing Roles.

JasperReports Server relies on the open source Spring security framework; it has many configurable options for:

External authentication services such as LDAP (used by Microsoft Active Directory and Novell eDirectory)
Single sign-on using JA-SIG's Central Authentication Service (CAS)
Java Authentication and Authorization Service (JAAS)
Container security (Tomcat, Jetty)
Anonymous user access (disabled by default)

JasperReports Server also supports these encryption and authentication standards:

HTTPS, including requiring HTTPS
HTTP Basic
HTTP Digest

The Spring framework is readily extensible to integrate with custom and commercial authentication services and transports.

Authentication occurs by default through the web user interface, forcing login, and/or through HTTP Basic authentication for web services, such as Jaspersoft Studio and for XML/A traffic. The server can automatically synchronize with an external authentication service. The external users don’t need to be created manually in the server first. Both users and roles are created automatically in the server from their definitions in an external authentication service. For an overview of the authentication system and details about external authentication, see the JasperReports Server Authentication Cookbook.

Authorization Overview

With a user’s identity and roles established, JasperReports Server controls the user’s access in these ways:

Menu options and pages

The menus that appear in JasperReports Server depend on the user’s roles. For example, only users with the administrator role can see the Manage menu and access the administrator pages. By modifying the server’s configuration, you can modify access to menus, menu items, and individual pages. Refer to the JasperReports Server Source Build Guide and JasperReports Server Ultimate Guide for more information.

Organization scope

Users belong to organizations and are restricted to seeing resources within their organization. Organizations have their own administrators, but they see only the users, roles, and resources from their organization. When JasperReports Server is configured with multiple organizations, they are effectively isolated from each other, although the system admin can share resources through the Public folder. For more information, see Multiple Organizations in the Repository.

Resource permissions

Administrators can define access permissions on every folder and resource in the repository. Permissions can be defined for every role and every user, or they can be left undefined so they are inherited from the parent folder. For example, user may have read-write access to a folder where they create reports, but the administrator can also create shared reports in the same folder that are set to read-only. The possible permissions are: no access, execute only, read-only, read-delete, read-write-delete, and administer (see Permissions).

Permissions are enforced when accessing any resource either directly through the repository interface, indirectly when called from a report, or programmatically through the web services. Permissions are cumulative, meaning that a user has the most permissive access that is granted to any of the roles to which the user belongs.

Administrator privileges

JasperReports Server distinguishes between reading or writing a resource in the repository and viewing or editing the internal definition of a resource. For security purposes, granting a user read or write permission on a resource does not allow viewing or editing the resource definition. For example, users need execute or read permission on a data source to run reports that use it, but they cannot view the data source’s definition which includes a database password. Also, only administrators may interact with theme folders to upload, download, and activate CSS files that control the user interface.

Data-level security

Data-level security determines the data that can be retrieved and viewed in a report, based on the username and roles of the user who runs the report. For example, a management report could allow any user to see the management hierarchy, managers would see the salary information for their direct employees, and only human resource managers would see all salary values.

Data-level security in Domains is explained in the JasperReports Server User Guide. Data-level security through OLAP views is covered in the Jaspersoft OLAP User Guide.

Note: This type of security is only available in the commercial edition of JasperReports Server.

Profile attributes

Profile attributes are name-value pairs associated with a user, organization, or server.

User attributes provide additional information about the user and can also be used to restrict a user's access to data through Domain security files and OLAP schemas. For information on defining user attributes, see Editing User Attributes.

User, organization and server attributes can be used to derive the parameters of a data source. See Attributes in Data Source Definitions