
jconkey


  1. I'm also trying to switch off authentication, in Jasper 3.7.0 CE. I want to provide single sign on through an Apache proxy, so when the request reaches the jasperserver, I want it to act as if a ROLE_USER is logged in.

     When I make the changes to applicationContext-security.xml suggested in this thread or related threads, I get this error:

         2010-06-17 12:24:19,556 ERROR SearchAction,http-8080-Processor25:270 - SEARCH_ERROR: Can't load search result.
         java.lang.ClassCastException: java.lang.String
             at com.jaspersoft.jasperserver.search.filter.FolderFilter.hasRole(FolderFilter.java:101)
             at com.jaspersoft.jasperserver.search.filter.FolderFilter.addRoleAccessUrlsRestrictions(FolderFilter.java:81)
             at com.jaspersoft.jasperserver.search.filter.FolderFilter.applyRestrictions(FolderFilter.java:75)
             ...

     I made these changes:

     1. gave access to ROLE_ANONYMOUS to the repository root.
     2. modified the filterInvocationInterceptor bean to add ROLE_ANONYMOUS to URLs (I tried several combinations).
        e.g. /flow.html=ROLE_USER,ROLE_ADMINISTRATOR,ROLE_ANONYMOUS
     3. modified the flowVoter bean to add ROLE_ANONYMOUS to the * row (I also tried adding to other rows)
        e.g. *=ROLE_USER,ROLE_ADMINISTRATOR,ROLE_ANONYMOUS
     4. restarted jasperserver

     I also tried editing the anonymousProcessingFilter but just got errors.

     Does anyone know if the process is different in 3.7 from previous versions, and what the settings are?

     Thank you,
     Jason
  2. To add to this discussion, a concrete example of a security vulnerability is with the search box. Just enter <script>alert(0)</script> and click search. You will see a javascript alert.

     Another, far more dangerous example, is to edit the description of a report, and put the same script tag there. You will see that whenever the report is listed, the javascript code is executed.

     Does anyone know if there are any fixes for this seemingly very serious security vulnerability?

     Thanks,
     Jason

     Post Edited by jconkey at 06/02/2010 17:40