Hitachi Vantara Pentaho Community Forums
Results 1 to 10 of 10

Thread: embedding dashboard in sso

  1. #1

    Default embedding dashboard in sso

    i have configured liferay and pentaho to authenticate with cas .
    i'm trying to embed pentaho dashboard in liferay using the iframe portlet .
    All is working , if i login in liferay i can access pentaho without having to login again .
    However if i try to access a pentaho dashboard without accessing the pentaho's login page it does not work .
    I think i know why .
    if i access the login page of pentaho and i'm already logged on liferay , i get a automatically a pentaho session .
    At this point i can access the dashboard without problem .
    Instead if i try to access directly the dashboard the pentaho session does not exists and pentaho does not try to authenticate with cas .

    I don't undestand why this doen not work .
    The spring security filter chain is almost the same ( i have checked the spring security chain filter ) .

    So , i would be very grateful is someone coul explain me why it doesn't work and if i can implement a srping security filter to make it work .

    thanks for any answer

  2. #2
    Join Date
    Nov 2011
    Posts
    1,229

    Default

    What version of Pentaho are you using ?
    Pedro Vale
    --
    CTools Product Development
    http://www.webdetails.pt

  3. #3

    Default

    i'm using the last version on pentaho ce 6.0.1 .

  4. #4
    Join Date
    Nov 2011
    Posts
    1,229

    Default

    what are the two chains your requests are hitting ?
    Pedro Vale
    --
    CTools Product Development
    http://www.webdetails.pt

  5. #5

    Default

    the spring security filter chains i'm using are defined as follow :

    <bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
    <property name="filterInvocationDefinitionSource">
    <!--
    You can safely remove the first pattern starting with /content/dashboards/print, if you're not using
    Enterprise Dashboards or not allowing printing of Dashboards,
    -->
    <value>
    <![CDATA[CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    PATTERN_TYPE_APACHE_ANT
    /api/repos/dashboards/print=securityContextHolderAwareRequestFilter,httpSessionPentahoSessionContextIntegrationFilter,httpSessionContextIntegrationFilter,httpSessionReuseDetectionFilter,logoutFilter,casProcessingFilter,authenticationProcessingFilter,basicProcessingFilter,requestParameterProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
    /webservices/**=securityContextHolderAwareRequestFilterForWS,httpSessionPentahoSessionContextIntegrationFilter,httpSessionContextIntegrationFilter,casProcessingFilter,basicProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilterForWS,filterInvocationInterceptorForWS
    /api/**=securityContextHolderAwareRequestFilterForWS,httpSessionPentahoSessionContextIntegrationFilter,httpSessionContextIntegrationFilter,casProcessingFilter,basicProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilterForWS,filterInvocationInterceptorForWS
    /plugin/**=securityContextHolderAwareRequestFilterForWS,httpSessionPentahoSessionContextIntegrationFilter,httpSessionContextIntegrationFilter,casProcessingFilter,basicProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilterForWS,filterInvocationInterceptorForWS
    /**=securityContextHolderAwareRequestFilter,httpSessionPentahoSessionContextIntegrationFilter,httpSessionContextIntegrationFilter,httpSessionReuseDetectionFilter,logoutFilter,casProcessingFilter,authenticationProcessingFilter,basicProcessingFilter,requestParameterProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor]]>
    </value>
    </property>
    </bean>

    if i try to access the home page of pentaho all is working ( https://pentaho601cas:8443/pentaho/Home )
    if i try to access the dashlet ( https://pentaho601cas:8443/pentaho/a...neratedContent ) tomcat tell me that i can't access that resource and i have to authenticate ( see the image attached )
    so i think that in the first case the chain used is :

    /**=securityContextHolderAwareRequestFilter,httpSessionPentahoSessionContextIntegrationFilter,httpSessionContextIntegrationFilter,httpSessionReuseDetectionFilter,logoutFilter,casProcessingFilter,authenticationProcessingFilter,basicProcessingFilter,requestParameterProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor]]>

    and in the dashboard's case is :

    /api/**=securityContextHolderAwareRequestFilterForWS,httpSessionPentahoSessionContextIntegrationFilter,httpSessionContextIntegrationFilter,casProcessingFilter,basicProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilterForWS,filterInvocationInterceptorForWS


    ok , i hope my explanation is clear .

  6. #6

    Default

    Name:  Schermata del 2016-01-17 10:59:21.jpg
Views: 166
Size:  16.2 KB

  7. #7
    Join Date
    Nov 2011
    Posts
    1,229

    Default

    Increase the spring log level to debug. You'll be able to understand which call is triggering authentication and why.

    There's a chance it's not the generatedContent call triggering the authentication, but one of the other requests the dashboard makes.
    Pedro Vale
    --
    CTools Product Development
    http://www.webdetails.pt

  8. #8

    Default

    i've increase the spring log level to debug . In both case ( pentaho/Home and pentaho/api/repos/ublic:Steel Wheelsashboards:CTools_dashboard.wcdf/generatedContent ) at some point i get org.springframework.security.AccessDeniedException: Access is denied .
    In the case of pentaho/Home the process continue with a call to j_spring_cas_security_check and then the authentication process is successfull .
    In the case of pentaho/api/repos/ublic:Steel Wheelsashboards:CTools_dashboard.wcdf/generatedContent instaead the process is interrupted and i get the authentication's dialog as in the image attached to the thread .
    is there anyone that can explain me why this different behaviour ? what is the spring security filter that trigger the j_spring_cas_security_check and why this does not happen in the dashboard's case .
    thanks for any answer .
    follow teh log of both cases :

    log of https://pentaho601cas:8443/pentaho/Home


    2016-01-31 14:04:47,836 DEBUG [org.springframework.security.ui.ExceptionTranslationFilter] Access is denied (user is anonymous); redirecting to authentication entry point
    org.springframework.security.AccessDeniedException: Access is denied
    at org.springframework.security.vote.AffirmativeBased.decide(AffirmativeBased.java:68)
    ......
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
    2016-01-31 14:04:47,844 DEBUG [org.springframework.security.ui.ExceptionTranslationFilter] Authentication entry point being called; SavedRequest added to Session: SavedRequest[https://pentaho601cas:8443/pentaho/Home]
    2016-01-31 14:04:47,845 DEBUG [org.springframework.security.context.HttpSessionContextIntegrationFilter] SecurityContextHolder now cleared, as request processing completed
    2016-01-31 14:04:48,009 DEBUG [org.springframework.security.util.FilterChainProxy] Converted URL to lowercase, from: '/j_spring_cas_security_check'; to: '/j_spring_cas_security_check'
    2016-01-31 14:04:48,009 DEBUG [org.springframework.security.util.FilterChainProxy] Candidate is: '/j_spring_cas_security_check'; pattern is /api/repos/dashboards/print; matched=false
    2016-01-31 14:04:48,009 DEBUG [org.springframework.security.util.FilterChainProxy] Converted URL to lowercase, from: '/j_spring_cas_security_check'; to: '/j_spring_cas_security_check'
    2016-01-31 14:04:48,009 DEBUG [org.springframework.security.util.FilterChainProxy] Candidate is: '/j_spring_cas_security_check'; pattern is /webservices/**; matched=false
    2016-01-31 14:04:48,009 DEBUG [org.springframework.security.util.FilterChainProxy] Converted URL to lowercase, from: '/j_spring_cas_security_check'; to: '/j_spring_cas_security_check'
    2016-01-31 14:04:48,009 DEBUG [org.springframework.security.util.FilterChainProxy] Candidate is: '/j_spring_cas_security_check'; pattern is /api/**; matched=false
    2016-01-31 14:04:48,009 DEBUG [org.springframework.security.util.FilterChainProxy] Converted URL to lowercase, from: '/j_spring_cas_security_check'; to: '/j_spring_cas_security_check'
    2016-01-31 14:04:48,009 DEBUG [org.springframework.security.util.FilterChainProxy] Candidate is: '/j_spring_cas_security_check'; pattern is /plugin/**; matched=false
    2016-01-31 14:04:48,010 DEBUG [org.springframework.security.util.FilterChainProxy] Converted URL to lowercase, from: '/j_spring_cas_security_check'; to: '/j_spring_cas_security_check'
    2016-01-31 14:04:48,010 DEBUG [org.springframework.security.util.FilterChainProxy] Candidate is: '/j_spring_cas_security_check'; pattern is /**; matched=true
    2016-01-31 14:04:48,010 DEBUG [org.springframework.security.util.FilterChainProxy] /j_spring_cas_security_check?ticket=ST-4-jguFZyDd9UUxvFmqHio6-cas412 at position 1 of 12 in additional filter chain; firing Filter: 'org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter[ order=1100; ]'
    2016-01-31 14:04:48,010 DEBUG [org.springframework.security.ui.savedrequest.SavedRequest] pathInfo: both null (property equals)
    2016-01-31 14:04:48,010 DEBUG [org.springframework.security.ui.savedrequest.SavedRequest] queryString: arg1=null; arg2=ticket=ST-4-jguFZyDd9UUxvFmqHio6-cas412 (property not equals)
    2016-01-31 14:04:48,011 DEBUG [org.springframework.security.wrapper.SavedRequestAwareWrapper] Wrapper not replaced; SavedRequest was: SavedRequest[https://pentaho601cas:8443/pentaho/Home]
    2016-01-31 14:04:48,015 DEBUG [org.springframework.security.util.FilterChainProxy] /j_spring_cas_security_check?ticket=ST-4-jguFZyDd9UUxvFmqHio6-cas412 at position 2 of 12 in additional filter chain; firing Filter: 'org.pentaho.platform.web.http.filters.HttpSessionPentahoSessionIntegrationFilter@adf629d'
    2016-01-31 14:04:48,016 DEBUG [org.springframework.security.util.FilterChainProxy] /j_spring_cas_security_check?ticket=ST-4-jguFZyDd9UUxvFmqHio6-cas412 at position 3 of 12 in additional filter chain; firing Filter: 'org.springframework.security.context.HttpSessionContextIntegrationFilter[ order=200; ]'
    2016-01-31 14:04:48,017 DEBUG [org.springframework.security.context.HttpSessionContextIntegrationFilter] HttpSession returned null object for SPRING_SECURITY_CONTEXT
    2016-01-31 14:04:48,018 DEBUG [org.springframework.security.context.HttpSessionContextIntegrationFilter] New SecurityContext instance will be associated with SecurityContextHolder
    2016-01-31 14:04:48,019 DEBUG [org.springframework.security.util.FilterChainProxy] /j_spring_cas_security_check?ticket=ST-4-jguFZyDd9UUxvFmqHio6-cas412 at position 4 of 12 in additional filter chain; firing Filter: 'org.pentaho.platform.web.http.security.HttpSessionReuseDetectionFilter@752aace8'
    2016-01-31 14:04:48,022 DEBUG [org.springframework.security.util.FilterChainProxy] /j_spring_cas_security_check?ticket=ST-4-jguFZyDd9UUxvFmqHio6-cas412 at position 5 of 12 in additional filter chain; firing Filter: 'org.springframework.security.ui.logout.LogoutFilter[ order=300; ]'
    2016-01-31 14:04:48,022 DEBUG [org.springframework.security.util.FilterChainProxy] /j_spring_cas_security_check?ticket=ST-4-jguFZyDd9UUxvFmqHio6-cas412 at position 6 of 12 in additional filter chain; firing Filter: 'org.springframework.security.ui.cas.CasProcessingFilter[ order=600; ]'
    2016-01-31 14:04:48,026 DEBUG [org.springframework.security.ui.cas.CasProcessingFilter] Request is to process authentication
    2016-01-31 14:04:48,027 DEBUG [org.springframework.security.providers.ProviderManager] Authentication attempt using org.springframework.security.providers.cas.CasAuthenticationProvider












    log of https://pentaho601cas:8443/pentaho/a...s/Public:Steel WheelsDashboards:CTools_dashboard.wcdf/generatedContent




    2016-01-31 14:18:32,652 DEBUG [org.springframework.security.ui.ExceptionTranslationFilter] Access is denied (user is anonymous); redirecting to authentication entry point
    org.springframework.security.AccessDeniedException: Access is denied
    at org.springframework.security.vote.AffirmativeBased.decide(AffirmativeBased.java:68)
    ....
    at java.lang.Thread.run(Thread.java:745)
    2016-01-31 14:18:32,673 DEBUG [org.springframework.security.ui.ExceptionTranslationFilter] Authentication entry point being called; SavedRequest added to Session: SavedRequest[https://pentaho601cas:8443/pentaho/a...s/Public:Steel Wheels Dashboards:CTools_dashboard.wcdf/generatedContent]
    2016-01-31 14:18:32,674 DEBUG [org.springframework.security.context.HttpSessionContextIntegrationFilter] SecurityContextHolder now cleared, as request processing completed

  9. #9

    Default

    i have changed the filter chain of the pattern /api/** as follow :
    the last two elements was exceptionTranslationFilterForWS,filterInvocationInterceptorForWS and i've replaced that with exceptionTranslationFilter,filterInvocationInterceptor .
    Now the cas authentication is working also with
    the dashboard's case .
    the reason i think is that exceptionTranslationFilterForWS is configured only for basic authentication where as exceptionTranslationFilter is configured for global authentication processing ( including cas obviously ) .
    Probably there is a reason for this configuration .
    At this point this is my last question .
    Why the default configuration of the pattern
    /api/** use exceptionTranslationFilterForWS instead of exceptionTranslationFilter ( used for the pattern /** ) ?


  10. #10
    Join Date
    Feb 2011
    Posts
    14

    Default

    Can you please share with me the steps on how to implement SSO if I am using iFrame Portlet to integrate Pentaho Dashboard with Liferay?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
Privacy Policy | Legal Notices | Safe Harbor Privacy Policy

Copyright © 2005 - 2019 Hitachi Vantara Corporation. All Rights Reserved.