JasperReports Server Community Edition 7.1.0 CAS authenticaton deletes roles on every login

0

I already asked this quesiton on StackOverflow:  https://stackoverflow.com/questions/53891335/jasperreports-server-commun... got 0 responses so far.

I have successfully enabled CAS authentication according to the docuemtation at: https://community.jaspersoft.com/documentation/jasperreports-server-authentication-cookbook/configuring-jasperreports-server-cas

I have also read the Synchronization of Roles documentation at least ten times and I am still confused:  https://community.jaspersoft.com/documentation/jasperreports-server-authentication-cookbook/synchronization-roles

Why in the world is the Jasper Reports Server deleting internal roles assigned to external users? 

It seems that once a user gets created via CAS authentication the administrator should be able to grant that user internal roles. However, no matter what I do assigned internal roles get removed every time the user logs in. What is surprising is that when using the file: applicationContext-externalAuth-CAS.xml

...
    <bean id="externalUserSetupProcessor" class="com.jaspersoft.jasperserver.api.security.externalAuth.processors.ExternalUserSetupProcessor" parent="abstractExternalProcessor">
        <!--Default permitted role characters; others are removed. Change regular expression to allow other chars.
                    <property name="permittedExternalRoleNameRegex" value="[A-Za-z0-9_]+"/>-->
 
        <property name="userAuthorityService">
            <ref bean="${bean.internalUserAuthorityService}"/>
        </property>
        <property name="defaultInternalRoles">
            <list>
                <value>ROLE_USER</value>
            </list>
        </property>        
 
        <property name="externalAuthProperties" >
           <ref local="externalAuthProperties"/>
        </property>
    </bean>
...  

the server creates a "ROLE_USER_EXT" which makes sense according to the documentation and assigns that role as well as the "ROLE_USER" to anyone who successfully authenticates via CAS. Once EVERY OTHER logout the server removes the ROLE_USER but leaves the ROLE_USER_EXT intact so during every other login users get the message: "You do not have permission to view this page."

This should not be this difficult. I have configured at least 20 other apps to use CAS authentication and it has been smooth. This app has me baffled.

dmaldonado_1's picture
Joined: Jul 28 2017 - 11:21am
Last seen: 10 months 2 weeks ago

Hi, dmaldonado_1. 

I have configured succesfully CAS many times in Jasper Server 6.4 (communtiy and pro) and I haven't had this issue. Maybe our case is different because we use CAS mixed with DB authentication. Then, we get the external user roles by database query and we create a "organizationRoleMap" property to map external roles with internal roles and we avoid using the "defaultInternalRoles" node.

When you use the "defaultInternalRoles" with the ROLE_USER

sarpon - 9 months 3 weeks ago

Sorry, I sent the last one while I was writting by mistake. I rewrite the full message

Hi, dmaldonado_1. 

I have configured succesfully CAS many times in Jasper Server 6.4 (communtiy and pro) and I haven't had this issue. Maybe our case is different because we use CAS mixed with DB authentication. Then, we get the external user roles by database query and we create a "organizationRoleMap" property to map external roles with internal roles and we avoid using the "defaultInternalRoles" node.

When you use the "defaultInternalRoles" with the ROLE_USER it must assign the internal ROLE_USER, it must not create a ROLE_USER_EXT role. It looks a bad behavior. And deleting the internal ROLE_USER is still a worse behavior, it had never happened to us when we tryed to use the defaultInternalRoles.

Another behavior that you must know is that external user roles are reassigned every time the user logs in. You can only assign internal roles later because they are removed later. If you need dynamic role assignment, try to use mixed CAS + DB authentication, it worked really well for us.

Regards.

sarpon - 9 months 3 weeks ago

0 Answers:

No answers yet
Feedback