Authentication Based on Request - ignored role mapping

[rasaw]

TLDR: role mapping defined in 'webapps/jasperserver-pro/WEB-INF/applicationContext-externalAuth-template-mt.xml' is ignored, users do not receive ROLE_SUPERUSER or ROLE_ADMINISTRATOR. Even setting the default role to ROLE_SUPERUSER for testing purpose does not work. What is the proper place?

More details:

I successfully authenticate users via this guide https://community.jaspersoft.com/documentation/jasperreports-authentication-cookbook/v56/authentication-based-request

In server logs I can see roles are received as well:

2023-02-15T17:07:58,726  WARN LoggerListener,http-nio-0.0.0.0-8080-exec-9:67 - Authentication event SessionFixationProtectionEvent: woa941658; details: com.external.sso.jasper.CustomExternalUserDetails@65e69aec: Username: woa941658; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_SUPERUSER_EXT

ROLE_SUPERUSER_EXT <-- this is the role I pass from external source, tried multiple names.

Somewhere below that I can see the following, however I am unable to find source code for that message/ is it relevant?

2023-02-15T17:07:58,729 DEBUG ExternalDataSynchronizerImpl,http-nio-0.0.0.0-8080-exec-9:88 - Authentication token: com.external.sso.jasper.CustomExternalAuthenticationToken@ffffffc4: Principal: com.external.sso.jasper.CustomExternalUserDetails@65e69aec: Username: woa941658; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_SUPERUSER_EXT; Credentials: [PROTECTED]; Authenticated: true; Details: com.external.sso.jasper.CustomExternalUserDetails@65e69aec: Username: woa941658; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_SUPERUSER_EXT; Not granted any authorities

 

Mapping in applicationContext-externalAuth-template-mt.xml:

<bean id="mtExternalUserSetupProcessor" class="com.jaspersoft.jasperserver.multipleTenancy.security.externalAuth.processors.MTExternalUserSetupProcessor" parent="abstractExternalProcessor">
<property name="permittedExternalRoleNameRegex" value="[A-Za-z0-9_]+"/>

<property name="organizationRoleMap">
<map>
                <!-- Example of mapping customer roles to JRS roles -->
                <entry>
                    <key>
                        <value>ROLE_ADMIN_EXTERNAL_ORGANIZATION</value>
                    </key>
                    <value>ROLE_ADMINISTRATOR</value>
            </entry>
            <entry>
                    <key>
                        <value>ROLE_ADMINISTRATOR_EXT</value>
                    </key>
                    <value>ROLE_ADMINISTRATOR</value>
            </entry>

            <entry>
                    <key>
                            <value>ROLE_SUPERUSER_EXT</value>
                    </key>
                            <value>ROLE_SUPERUSER</value>
                </entry>
            </map>
        </property>

        <property name="userAuthorityService">
            <ref bean="${bean.internalUserAuthorityService}"/>
        </property>
        <property name="defaultInternalRoles">
            <list>
                <value>ROLE_USER</value>
            </list>
        </property>

        <property name="externalAuthProperties" ><ref bean="externalAuthProperties"/></property>
    </bean>

I tried passing directly JasperServer roles as well with no luck.

Any hints?

[Michael Bielkiewicz]

If you pass a role with an exact same name as an already existing base role (such as ROLE_SUPERUSER) into Jasper via SSO, the default behavior in the code is to append "_EXT" to your role name. My guess is that when you tried to pass ROLE_SUPERUSER, our system saw the conflict and added _EXT when syncing the user. I assume the user has a different role name in your system - you should be able to pass that role name and use the mapping to map said role to ROLE_SUPERUSER however it's been awhile since I've messed with the role mapping. Respond here if you've tried that and I can try to continue to help out by digging in the code a bit. And remember, all of our source code is open so you can, in theory, download it from our site and check it yourself (if you are so inclined). Good luck.