rasaw Posted February 15, 2023

TLDR: role mapping defined in 'webapps/jasperserver-pro/WEB-INF/applicationContext-externalAuth-template-mt.xml' is ignored, users do not receive ROLE_SUPERUSER or ROLE_ADMINISTRATOR. Even setting the default role to ROLE_SUPERUSER for testing purposes does not work. What is the proper place?

More details:

I successfully authenticate users via this guide: https://community.jaspersoft.com/documentation/jasperreports-authentication-cookbook/v56/authentication-based-request

In server logs I can see roles are received as well:

    2023-02-15T17:07:58,726 WARN LoggerListener,http-nio-0.0.0.0-8080-exec-9:67 - Authentication event SessionFixationProtectionEvent: woa941658; details: com.external.sso.jasper.CustomExternalUserDetails@65e69aec: Username: woa941658; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_SUPERUSER_EXT

ROLE_SUPERUSER_EXT <-- this is the role I pass from external source, tried multiple names.

Somewhere below that I can see the following; however, I am unable to find the source code for that message. Is it relevant?

    2023-02-15T17:07:58,729 DEBUG ExternalDataSynchronizerImpl,http-nio-0.0.0.0-8080-exec-9:88 - Authentication token: com.external.sso.jasper.CustomExternalAuthenticationToken@ffffffc4: Principal: com.external.sso.jasper.CustomExternalUserDetails@65e69aec: Username: woa941658; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_SUPERUSER_EXT; Credentials: [PROTECTED]; Authenticated: true; Details: com.external.sso.jasper.CustomExternalUserDetails@65e69aec: Username: woa941658; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_SUPERUSER_EXT; Not granted any authorities

Mapping in applicationContext-externalAuth-template-mt.xml:

    <bean id="mtExternalUserSetupProcessor"
          class="com.jaspersoft.jasperserver.multipleTenancy.security.externalAuth.processors.MTExternalUserSetupProcessor"
          parent="abstractExternalProcessor">
        <property name="permittedExternalRoleNameRegex" value="[A-Za-z0-9_]+"/>
        <property name="organizationRoleMap">
            <map>
                <!-- Example of mapping customer roles to JRS roles -->
                <entry>
                    <key>
                        <value>ROLE_ADMIN_EXTERNAL_ORGANIZATION</value>
                    </key>
                    <value>ROLE_ADMINISTRATOR</value>
                </entry>
                <entry>
                    <key>
                        <value>ROLE_ADMINISTRATOR_EXT</value>
                    </key>
                    <value>ROLE_ADMINISTRATOR</value>
                </entry>
                <entry>
                    <key>
                        <value>ROLE_SUPERUSER_EXT</value>
                    </key>
                    <value>ROLE_SUPERUSER</value>
                </entry>
            </map>
        </property>
        <property name="userAuthorityService">
            <ref bean="${bean.internalUserAuthorityService}"/>
        </property>
        <property name="defaultInternalRoles">
            <list>
                <value>ROLE_USER</value>
            </list>
        </property>
        <property name="externalAuthProperties">
            <ref bean="externalAuthProperties"/>
        </property>
    </bean>

I tried passing JasperServer roles directly as well, with no luck.

Any hints?

Michael Bielkiewicz Posted February 16, 2023

If you pass a role with the exact same name as an already existing base role (such as ROLE_SUPERUSER) into Jasper via SSO, the default behavior in the code is to append "_EXT" to your role name. My guess is that when you tried to pass ROLE_SUPERUSER, our system saw the conflict and added _EXT when syncing the user.

I assume the user has a different role name in your system - you should be able to pass that role name and use the mapping to map said role to ROLE_SUPERUSER; however, it's been a while since I've messed with the role mapping. Respond here if you've tried that and I can try to continue to help out by digging in the code a bit.

And remember, all of our source code is open, so you can, in theory, download it from our site and check it yourself (if you are so inclined). Good luck.