
Domain Security Not Working


mdjj



Has anyone else had problems getting Domain Security to work?

We're trying to restrict what a user can see based on the Charity they are with.

We've set up some users in jasperserver with an additional attribute of Charity (defined in the jiprofileattribute table). We can use the data from this in a scriptlet and applying this to a report it works fine. However, when we try and apply the security xml to a domain the data never gets restricted and the log outputs :

16:58:05,734 DEBUG securiytyCheck,http-8081-Processor25:157 - filterPresentation
ObjectBySecurity: No relevantItemGroupAccessLists
16:58:05,734 DEBUG SemanticLayerSecurityResolverImpl,http-8081-Processor25:515 -
 Evaluating JoinTree_1_List for resourceId: JoinTree_1
16:58:05,797 DEBUG SemanticLayerSecurityResolverImpl,http-8081-Processor25:522 -
 Evaluating

                        authentication.getPrincipal().getAttributes().any{
                            it.getAttrName() in ['Charity']
                        }

                    . got: null
16:58:05,828 DEBUG JdbcTableDataSet,http-8081-Processor25:83 -


The security xml looks like :

<securityDefinition xmlns="http://www.jaspersoft.com/2007/SL/XMLSchema"
                    version="1.0" itemGroupDefaultAccess="granted">
    <resourceAccessGrants>
        <!-- Row level security -->
        <!-- What access do roles/users have to the rows in the resource? -->
        <!-- Row level security for the single data island-->
        <resourceAccessGrantList id="JoinTree_1_List" label="ListLabel" resourceId="JoinTree_1">
            <resourceAccessGrants>
                 <resourceAccessGrant id="JoinTree_1_Row_Access_Grant_Charity">
                    <principalExpression>
                        <![CDATA[
                        authentication.getPrincipal().getAttributes().any{
                            it.getAttrName() in ['Charity']
                        }
                        ]]>
                    </principalExpression>
                    <filterExpression>charity.charityCode in ('CharityX')</filterExpression>
                </resourceAccessGrant>

            </resourceAccessGrants>
        </resourceAccessGrantList>
    </resourceAccessGrants>

</securityDefinition>



Have looked and relooked at the documentation and we seem to be following what's suggested.
Have we missed something fundamental or has anyone got any suggestions?

Link to comment

Yep thanks Luke got this working.

My next question was around dynamic filtering. Is it possible to change the filter expression based on a Groovy expression or something similar?

I would like to do something like :

<resourceAccessGrant id="JoinTree_1_Row_Access_Grant_Charity">
                 <principalExpression><![CDATA[authentication.getPrincipal().getAttributes().any{ it.getAttrName() in ['Charity']}]]></principalExpression>
                 <filterExpression>charity.charityCode in ('<![CDATA[authentication.getPrincipal().getAttributes().find{it.getAttrName().equals('Charity')}.getAttrValue()]]>')</filterExpression>
</resourceAccessGrant>

Where the attribute value is used in the filter expression. Because our users will all have the same role but will have a different attribute set in their security profile we want to restrict what they see based on this attribute. From all the examples I've seen each value of the attribute is coded into the security file so you filter on charity1, charity2 etc.

I've tried this but filterExpression doesn't seem to handle scripting???

 

 

Link to comment

Swood,

Can you please explain how dynamic values can be used in filterExpression?

I have a requirement where I need to search for a value in a User Profile Attribute value, like

<filterExpression>user.user_id in (${user_hierarchy})</filterExpression>

where user_hierarchy (a user profile attribute) is a comma-separated list of user IDs.

In all the documentation that I have seen, only static values are used in the filterExpression.

Thank You

Ram

Link to comment

Do you know how to retrieve the tenantId from the jasperserver JIUser table? I have tried the below but it doesn't allow access to any of the data. Changing it to <filterExpression>OwnerID in ('2')</filterExpression> allows the data to be displayed.

Code:
<securityDefinition xmlns="http://www.jaspersoft.com/2007/SL/XMLSchema" version="1.0" itemGroupDefaultAccess="granted">
  <resourceAccessGrants>
    <resourceAccessGrantList id="Point_Array" label="Point_Array" resourceId="Point_Array">
      <resourceAccessGrants>
        <resourceAccessGrant id="Point_Array1">
          <principalExpression>authentication.getPrincipal().tenantId != null</principalExpression>
          <filterExpression>OwnerID in (groovy('authentication.principal.tenantId.toUpperCase()'))</filterExpression>
        </resourceAccessGrant>
      </resourceAccessGrants>
    </resourceAccessGrantList>
  </resourceAccessGrants>
</securityDefinition>
Link to comment

Hi,

The tenantid column in the JIUser relation is not of String type; I don't think you can use the toUpperCase() method on it. Try converting the value to a String and then applying toUpperCase().

Also, I saw that you used ownerID in ('2'); just wondering if your ownerid is of type int.

Quick questions:

1. I'm new to Groovy. Does the groovy expression groovy('expression') return only String values?

2. If I have a 'User Profile Attribute', say

    attrName        10,20,21,11,13

and I want a filterExpression to perform the SQL operation

    userID in (10,20,21,11,13), i.e. userID in (attrName), how should the filterExpression be defined?

Ram



Post Edited by Rama Mukkamalla at 04/09/09 13:45



Post Edited by Rama Mukkamalla at 04/09/09 13:50
Link to comment

pw1971,

For the type conversion you may use groovy as well:

<filterExpression>OwnerID in (groovy('new Integer(authentication.getPrincipal().getTenantId())'))</filterExpression>

Your tenantId, though, needs to be a string representation of an integer, i.e. '123' is OK, 'My123' is not (again, you may use groovy substring(), etc. functions to extract the numeric portion of the id for the filter).

 

rmukkamalla,

1) No, it returns whatever the type is; for example, groovy('123') will return java.lang.Integer(123).

2) Attributes are name-value pairs. Let's say you have name:MyNumbers and value:10,20,21,11,13, then you do:

<filterExpression>userId in (groovy('authentication.getPrincipal().getAttributes().find{ it.attrName == "MyNumbers" }.attrValue'))</filterExpression>

 

Andrew S.
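
Added example, not posted by anyone in this thread and not taken from Jaspersoft's documentation: the Charity security definition from the first post, with the hard-coded 'CharityX' replaced by the groovy('...') form shown in the answer above. The resource id JoinTree_1, the Charity attribute name and the charity.charityCode field are the ones used earlier in the thread; combining them this way is an assumption that has not been run against a server.

```xml
<securityDefinition xmlns="http://www.jaspersoft.com/2007/SL/XMLSchema"
                    version="1.0" itemGroupDefaultAccess="granted">
    <resourceAccessGrants>
        <!-- Row level security for the single data island -->
        <resourceAccessGrantList id="JoinTree_1_List" label="ListLabel" resourceId="JoinTree_1">
            <resourceAccessGrants>
                <resourceAccessGrant id="JoinTree_1_Row_Access_Grant_Charity">
                    <!-- Who the grant applies to: any user whose profile
                         carries an attribute named Charity. This keeps the
                         find{...}.attrValue below from running against a
                         profile that has no such attribute. -->
                    <principalExpression>
                        <![CDATA[authentication.getPrincipal().getAttributes().any{ it.getAttrName() in ['Charity'] }]]>
                    </principalExpression>
                    <!-- What those users may see: rows whose charityCode
                         matches the value stored in their own Charity
                         attribute, so one grant serves every charity
                         instead of one hard-coded grant per value. -->
                    <filterExpression>charity.charityCode in (groovy('authentication.getPrincipal().getAttributes().find{ it.attrName == "Charity" }.attrValue'))</filterExpression>
                </resourceAccessGrant>
            </resourceAccessGrants>
        </resourceAccessGrantList>
    </resourceAccessGrants>
</securityDefinition>
```

When testing a definition like this, log in both as a user with the Charity attribute and as one without it: the grant above does not match the second user, and nothing in this thread shows which rows such a user is then given.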

 
