How to switch off authentication in JasperIntel?

[william_ferguson_au]

We don't want to use the JasperIntel UI (in general) as report scheduling etc will be performed via a WebService. But we do want users to be able to retrieve their reports without having to authenticate to the JasperIntel application as they will already have autheticated to another application.

 

Our plan is to generate a token for each report and use that token to create a path within the repository (or hopefully filesystem) at which the report results will be stored.

 

Is there some way I can switch off authentication requirements for "/fileview/*" Requests but not for anything else?

 

 

William

[swood]

All security configuration is in /WEB-INF/applicationContext-security.xml.

 

See the filterInvocationInterceptor bean definition in that configuration file and the line:

 

/fileview/**=ROLE_USER

 

Make that

 

/fileview/**=ROLE_ANONYMOUS,ROLE_USER

 

and move it higher in the list.

 

 

 

Sherman

JasperSoft

[william_ferguson_au]

Thanks Sherman, that work nicely.

 

But I don't understand why you also suggested moving it higher in the list of URIs. It isn't maked by anything above it so it shouldn't matter right?

 

In any case, it worked fine by just adding in the ROLE_ANONYMOUS entry.

 

To keep the names of the generated results human comprehensible and to provide the token level security I mentioned above, we will be creating a new folder in the repository for each ReportJob based on the token. Each such folder would then contain one generated report output for each time that schedueld ReportJob is executed.

 

Are you aware of any limitations we might encounter by having so many folders created within the Repository?

 

William

[kadimulam]

Hi,

I am working on the similar requirement. I checked '/WEB-INF/applicationContext-security.xml', but i didnt find '/fileview/**=ROLE_USER' in that file. However i found '/fileview/**=ROLE_USER,ROLE_ADMINISTRATOR'. I am using JasperServer 3.0.
 

Could you please help me in doing this customization?

Thanks

Kiran

[swood]

I can't remember why I suggested moving it higher in the list. It will have worked fine just changing it.

 

We are seeing some issues related to performance with large numbers of resources in the repository. Our checking of permissions on resources and folders is not as efficient as it could be. This will slow down screens that show resources or folders from across the repository, like view reports or analysis views, or folders that have large numbers of resources in them (over 100 say). We are working to improve this in the next release. The release candidate is out in a week or so, but we are still working on the performance in this area.

 

Sherman

Jaspersoft

[swood]

Just add ROLE_ANONYMOUS to the fileview entry.

 

Sherman

Jaspersoft

[theodan]

 

 

Post Edited by theodan at 05/31/2009 23:19

[gshukert]

We want to allow anonymous access to reports online. Which property should we change to ROLE_ANONYMOUS?

I've changed flow.html, fileview, and jrpxml but get the message below. (It does not take me to the login page as before)

Error Message:  Access denied: You do not have permission to take the requested action.

[lucianc]

gshukert
Wrote:

We want to allow anonymous access to reports online. Which property should we change to ROLE_ANONYMOUS? I've changed flow.html, fileview, and jrpxml but get the message below. (It does not take me to the login page as before) Error Message:  Access denied: You do not have permission to take the requested action.

I'm not sure what exactly you changed (what's that jrpxml?), but you'll need to also add viewReportFlow=ROLE_USER,ROLE_ADMINISTRATOR,ROLE_ANONYMOUS to the list of flow permissions configured in the flowVoter bean.  And then make sure that ROLE_ANONYMOUS has read permissions to all resources used by the reports (data suorces, images, etc).

Regards,

Lucian

[jconkey]

I'm also trying to switch off authentication, in Jasper 3.7.0 CE. I want to provide single sign on through an Apache proxy, so when the request reaches the jasperserver, I want it to act as if a ROLE_USER is logged in.

When I make the changes to applicationContext-security.xml suggested in this thread or related threads, I get this error:

2010-06-17 12:24:19,556 ERROR SearchAction,http-8080-Processor25:270 - SEARCH_ERROR: Can't load search result.
java.lang.ClassCastException: java.lang.String
    at com.jaspersoft.jasperserver.search.filter.FolderFilter.hasRole(FolderFilter.java:101)
    at com.jaspersoft.jasperserver.search.filter.FolderFilter.addRoleAccessUrlsRestrictions(FolderFilter.java:81)
    at com.jaspersoft.jasperserver.search.filter.FolderFilter.applyRestrictions(FolderFilter.java:75)
...

I made these changes:

1. gave access to ROLE_ANONYMOUS to the repository root.

2. modified the filterInvocationInterceptor bean to add ROLE_ANONYMOUS to URLs (I tried several combinations).

e.g. /flow.html=ROLE_USER,ROLE_ADMINISTRATOR,ROLE_ANONYMOUS

3. modified the flowVoter bean to add ROLE_ANONYMOUS to the * row (I also tried adding to other rows)

e.g. *=ROLE_USER,ROLE_ADMINISTRATOR,ROLE_ANONYMOUS

4. restarted jasperserver

I also tried editing the anonymousProcessingFilter but just got errors.

Does anyone know if the process is different in 3.7 from previous versions, and what the settings are?

Thank you,
Jason

[lucianc]

jconkey
Wrote:

When I make the changes to applicationContext-security.xml suggested in this thread or related threads, I get this error: 2010-06-17 12:24:19,556 ERROR SearchAction,http-8080-Processor25:270 - SEARCH_ERROR: Can't load search result. java.lang.ClassCastException: java.lang.String     at com.jaspersoft.jasperserver.search.filter.FolderFilter.hasRole(FolderFilter.java:101)

Indeed, anonymousProcessingFilter is not compatible with some JasperServer screens.  That's because several places in the code assume that the current authenticated principal is a user object (com.jaspersoft.jasperserver.api.metadata.user.domain.impl.client.MetadataUserDetails), and anonymousProcessingFilter sets a String as auth principal.

The only solution is to extend the anonymous filter so that it uses a user object as principal.

Regards,

Lucian

[roeycohen]

 Hi, 

I'm also trying to remove authentication from my JasperServer.

I've edited the file:

C:\Program Files\jasperserver-pro-3.7\apache-tomcat\webapps\jasperserver-pro\WEB-INF\applicationContext-security.xml

added the ROLE_ANONYMOUS to all URLs and restarted the server.

 

when i entered all kind of urls, all of them redirected me the login page...

 

 

any ideas??

Thanks

Roey

[roeycohen]

 

 

Post Edited by roeycohen at 07/28/2010 08:58

[roeycohen]

lucianc
Wrote:

jconkey Wrote: ... The only solution is to extend the anonymous filter so that it uses a user object as principal. Regards, Lucian

 

 

how do i extended the anonymous filter?

[lasinir]

Okay.  I know we had this working under 3.5. but I recently upgraded to JS 3.7 CE (and my working version of 3.5 is formated ;).

I have tried all the solutions presented in this posting, (and still have the flowVoter bean change to add ROLE_ANONYMOUS  and /fileview/**=ROLE_ANONYMOUS,ROLE_USER setting) but none of these worked.

But then after gonig back almost 20 pages in forum post's I came across this obscure thread.

http://jasperforge.org/plugins/espforum/view.php?group_id=112&forumid=102&topicid=71124

And then after I made the change mentioned (adding the line in bold):

Change the entry in applicationContext-evetns-lgging.xml - Exactly what sherman told me to.

<bean id="accessContext"
          class="com.jaspersoft.jasperserver.api.logging.access.context.impl.AccessContextImpl">
        <property name="clientClassFactory" ref="mappingResourceFactory"/>
        <property name="loggingContextProvider" ref="${bean.loggingContextProvider}"/>
        <property name="userAuthorityService" ref="${bean.userAuthorityService}"/>
    </bean>

Then a restart of the services and bingo!.  anonymous access started working again.

Hope this helps some one. or more than one.

[usmansaleem]

Thanks, this last point really helped.

 

--Uzi