Jump to content

Recommended Posts

Posted

TLDR: role mapping defined in 'webapps/jasperserver-pro/WEB-INF/applicationContext-externalAuth-template-mt.xml' is ignored, users do not receive ROLE_SUPERUSER or ROLE_ADMINISTRATOR. Even setting the default role to ROLE_SUPERUSER for testing purpose does not work. What is the proper place?

More details:

I successfully authenticate users via this guide https://community.jaspersoft.com/documentation/jasperreports-authentication-cookbook/v56/authentication-based-request

In server logs I can see roles are received as well:

2023-02-15T17:07:58,726  WARN LoggerListener,http-nio-0.0.0.0-8080-exec-9:67 - Authentication event SessionFixationProtectionEvent: woa941658; details: com.external.sso.jasper.CustomExternalUserDetails@65e69aec: Username: woa941658; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_SUPERUSER_EXT

ROLE_SUPERUSER_EXT <-- this is the role I pass from external source, tried multiple names.

Somewhere below that I can see the following, however I am unable to find source code for that message/ is it relevant?

2023-02-15T17:07:58,729 DEBUG ExternalDataSynchronizerImpl,http-nio-0.0.0.0-8080-exec-9:88 - Authentication token: com.external.sso.jasper.CustomExternalAuthenticationToken@ffffffc4: Principal: com.external.sso.jasper.CustomExternalUserDetails@65e69aec: Username: woa941658; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_SUPERUSER_EXT; Credentials: [PROTECTED]; Authenticated: true; Details: com.external.sso.jasper.CustomExternalUserDetails@65e69aec: Username: woa941658; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_SUPERUSER_EXT; Not granted any authorities

 

Mapping in applicationContext-externalAuth-template-mt.xml:

<bean id="mtExternalUserSetupProcessor" class="com.jaspersoft.jasperserver.multipleTenancy.security.externalAuth.processors.MTExternalUserSetupProcessor" parent="abstractExternalProcessor">
<property name="permittedExternalRoleNameRegex" value="[A-Za-z0-9_]+"/>

<property name="organizationRoleMap">
<map>
                <!-- Example of mapping customer roles to JRS roles -->
                <entry>
                    <key>
                        <value>ROLE_ADMIN_EXTERNAL_ORGANIZATION</value>
                    </key>
                    <value>ROLE_ADMINISTRATOR</value>
            </entry>
            <entry>
                    <key>
                        <value>ROLE_ADMINISTRATOR_EXT</value>
                    </key>
                    <value>ROLE_ADMINISTRATOR</value>
            </entry>

            <entry>
                    <key>
                            <value>ROLE_SUPERUSER_EXT</value>
                    </key>
                            <value>ROLE_SUPERUSER</value>
                </entry>
            </map>
        </property>

        <property name="userAuthorityService">
            <ref bean="${bean.internalUserAuthorityService}"/>
        </property>
        <property name="defaultInternalRoles">
            <list>
                <value>ROLE_USER</value>
            </list>
        </property>

        <property name="externalAuthProperties" ><ref bean="externalAuthProperties"/></property>
    </bean>

I tried passing directly JasperServer roles as well with no luck.

Any hints?

  • Replies 1
  • Created
  • Last Reply

Top Posters In This Topic

Top Posters In This Topic

Posted

If you pass a role with an exact same name as an already existing base role (such as ROLE_SUPERUSER) into Jasper via SSO, the default behavior in the code is to append "_EXT" to your role name. My guess is that when you tried to pass ROLE_SUPERUSER, our system saw the conflict and added _EXT when syncing the user. I assume the user has a different role name in your system - you should be able to pass that role name and use the mapping to map said role to ROLE_SUPERUSER however it's been awhile since I've messed with the role mapping. Respond here if you've tried that and I can try to continue to help out by digging in the code a bit. And remember, all of our source code is open so you can, in theory, download it from our site and check it yourself (if you are so inclined). Good luck.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×
×
  • Create New...