We need to do some funky auth redirection, while still keeping permissions in the JI database, and ensuring that the user never, ever sees a JI login screen. Because then their heads would asplode, or something, I don't know.
Anyway, I know I need a filter to interface with the weird auth service we're using, but it seems I also need to modify the authentication .. flow? The cookie we check to ensure authentication is different, and where it goes on failure (currently the login screen) is also different.
Ideas? TIA.
7 Answers:
The Reference Guide (see the left hand nav) covers many areas. Also the Acegi forums have a wealth of information about how to do things - the joys of open source! http://forum.springframework.org/forumdisplay.php?f=33
I have been working with our consultants who are helping customers implement JasperIntelligence and the authentication area always comes up. I have been finding that Acegi is awesome in terms of its ability to be customized and extended for funky requirements. B)
The key for you is in the applicationContext-security.xml, which controls Acegi in our environment. Below is the entry point for your security travels.
Code:
<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
  <property name="filterInvocationDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /xmla=httpSessionContextIntegrationFilter,basicProcessingFilter,JIAuthenticationSynchronizer,anonymousProcessingFilter,basicAuthExceptionTranslationFilter,filterInvocationInterceptor
      /services/**=httpSessionContextIntegrationFilter,basicProcessingFilter,JIAuthenticationSynchronizer,anonymousProcessingFilter,basicAuthExceptionTranslationFilter,filterInvocationInterceptor
      /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,basicProcessingFilter,JIAuthenticationSynchronizer,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
    </value>
  </property>
</bean>

<!-- ======================== AUTHENTICATION ======================= -->
<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
  <property name="providers">
    <list>
      <!-- not on by default <ref local="ldapAuthenticationProvider"/> -->
      <ref local="daoAuthenticationProvider"/>
      <ref local="anonymousAuthenticationProvider"/>
      <!--ref local="jaasAuthenticationProvider"/-->
    </list>
  </property>
</bean>

If you need to catch a custom cookie, you will need to create a filter to do the authentication and include the filter in the filter list in the filterChainProxy bean definition. Have a look at the Acegi source and our own MetadataAuthenticationProcessingFilter to see how you set the AuthenticationContext.

If the authentication fails, the exceptionTranslationFilter catches that and what happens next depends on how that filter/bean is configured. In the web UI case, you will see in the config:

Code:
<bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
  <property name="authenticationEntryPoint"><ref local="authenticationProcessingFilterEntryPoint"/></property>
</bean>

<bean id="authenticationProcessingFilterEntryPoint" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
  <property name="loginFormUrl"><value>/login.html</value></property>
  <property name="forceHttps"><value>false</value></property>
</bean>

Note the loginFormUrl.

Here is the configuration that sets where login success will take you.

Code:
<bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
  <property name="authenticationManager"><ref local="authenticationManager"/></property>
  <property name="authenticationFailureUrl"><value>/loginerror.html</value></property>
  <property name="defaultTargetUrl"><value>/loginsuccess.html</value></property>
  <property name="filterProcessesUrl"><value>/j_acegi_security_check</value></property>
</bean>

Hope that helps!

Sherman
JasperSoft
In the MetadataAuthenticationProcessingFilter it uses the ExternalUserService class:
Code:
getExternalUserService().maintainInternalUser(userDetails);

getExternalUserService().makeUserLoggedIn(userDetails.getUsername());

The cookie consists of a username and password (USERNAME: PASSWORD). To authenticate (log in) this user I believe he has to make a UserDetails object, or add it to the UserDetails object. Or is there another way to solve this?

According to the Acegi manual an implementation of the UserDetailsService is needed to create a UserDetails object. Does JasperIntelligence have its own implementation of the UserDetailsService interface?

Niels,
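An added example (not part of any post above, and not JasperServer code) of the custom cookie filter discussed in the two preceding answers: it hands the external service's cookie back to that service for validation, then loads the user's roles from the local user store and sets the security context, so no login form is involved. The class name, the `SSO_TOKEN` cookie name and the `SsoTokenValidator` adapter are hypothetical, and it assumes a `UserDetailsService` bean is available to inject.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.userdetails.UserDetails;
import org.acegisecurity.userdetails.UserDetailsService;
import org.acegisecurity.userdetails.UsernameNotFoundException;

// Hypothetical filter for illustration; all names below are assumptions.
public class SsoCookieAuthenticationFilter implements Filter {
    // Hypothetical adapter to the external auth service: username for a valid token, else null.
    public interface SsoTokenValidator { String validate(String token); }

    private static final String COOKIE_NAME = "SSO_TOKEN"; // assumed cookie name
    private SsoTokenValidator validator;                    // injected by Spring
    private UserDetailsService userDetailsService;          // injected by Spring

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Only act when the session-restored context holds no authentication yet.
        if (SecurityContextHolder.getContext().getAuthentication() == null) {
            String token = readCookie((HttpServletRequest) req);
            // Never trust the cookie's contents directly: the SSO service decides who it is.
            String username = (token == null) ? null : validator.validate(token);
            if (username != null) {
                try {
                    // Roles come from the local user store, so permissions stay in the database.
                    UserDetails user = userDetailsService.loadUserByUsername(username);
                    if (user.isEnabled() && user.isAccountNonLocked()) {
                        SecurityContextHolder.getContext().setAuthentication(
                            new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities()));
                    }
                } catch (UsernameNotFoundException e) { /* unknown locally: stay unauthenticated */ }
            }
        }
        chain.doFilter(req, res);
    }

    private String readCookie(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        for (int i = 0; cookies != null && i < cookies.length; i++) {
            if (COOKIE_NAME.equals(cookies[i].getName())) return cookies[i].getValue();
        }
        return null;
    }

    public void setValidator(SsoTokenValidator v) { this.validator = v; }
    public void setUserDetailsService(UserDetailsService s) { this.userDetailsService = s; }
    public void init(FilterConfig cfg) {}
    public void destroy() {}
}
```

Declared as a bean, it would be listed in the `/**` chain of filterChainProxy after httpSessionContextIntegrationFilter and before anonymousProcessingFilter. Requests it leaves unauthenticated still reach exceptionTranslationFilter, so the entry point's loginFormUrl decides where they are sent.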
Did anyone figure this out... I have in my application-context-security.xml:
<bean id="jaasAuthenticationProvider" class="org.acegisecurity.providers.jaas.JaasAuthenticationProvider">
<property name="loginConfig">
<value>/WEB-INF/login.conf</value>
</property>
<property name="loginContextName">
<value>dierbergsJAAS</value>
</property>
<property name="callbackHandlers">
<list>
<bean class="com.dierbergs.auth.JAAS.SSOCallbackHandler"/>
</list>
</property>
<property name="authorityGranters">
<list>
<bean class="com.dierbergs.auth.JAAS.SSOAuthorityGranter"/>
</list>
</property>
</bean>
and in my filter class I am able to get the username and password onto the login page... but I don't want it to go to the login page.. it should directly do the login and get him to the jasperserver page if the authentication is correct.. Please help me where do I need to change so that it doesn't show the login page...
Hi,
I need to do something like this too. I have reports running on JasperServer. I need to access these reports from an external web application (which also uses Acegi for its security). I am currently using DIRECT URLs to access the JasperServer reports. It is working great - simple, no extra changes or configuration. Except that I have to pass the login credentials as parameters in the URL like -
&j_acegi_security_check?&j_username=jasperadmin&j_password=jasperadmin
I don't want to do this since I am exposing the login credentials in the URL.
Is there another way to achieve this?
Thanks,
Sridevi
hey, thanks for your reply!
We are using the community version of JasperServer(JS) 3.0 version currently. And web services is not an option either.
I wanted to test the authentication on JS using Basic Authentication instead - set the encrypted credentials in the headers, and update the JS configuration to accept Basic Auth. Since JS uses Acegi for its security as well, I am hoping it would be pretty straightforward.
We installed JasperServer using the war file. So, I am not sure if we can update/modify/add code, other than the config files.
Appreciate any comments or ideas from the JasperServer team??
Thanks,
Sridevi