Hi,

I am writing some code to handle the xmla security header:

<Header>
<Security xmlns="
http://schemas.xmlsoap.org/ws/2002/04/secext">
<UsernameToken>
<Username>MICHELE</Username>
<Password
Type="PasswordText">ROSSI</Password>
</UsernameToken>
</Security>
<BeginSession mustUnderstand="1"
xmlns="urn:schemas-microsoft-com:xml-analysis" />
</Header>

Such header is sent out by XMLA clients such as SimbaO2X (Excel plugin).
My idea is to pass user credentials down to the connection manager and use
them to create new connections.

I also think that connections should be associated with sessions.
I am thinking of a Map that associates session IDs with OlapConnection
objects.

I can put all this logic directly in DefaultXmlaServlet or (probably) in a
"XmlaRequestCallback" class.
Which option do we want to go for?

I also have in mind another more specific bit of functionality: hiding
username / password in the session ID returned to the xmla client.
This can be useful especially in the case of a server going down and
forgetting a particular session id.
(Your user leaves Excel open for a couple of days and when he tries to use
the Pivot again he gets an error if the server has been bounced in the
meantime).

The other use case could be http load balancers.
As Excel does not send any cookies most load balancers would fail to apply
the "sticky session" policy and could redirect different xmla requests to
different cluster members.
Only one of those members would know about the specified session ID (in
other words only one of those servers would have an OlapConnection object
stored under the given session id) but the others could re-obtain the
credentials by de-crypting the session id.

I can make the encrypted session ID very secure - even to "clear text"
attacks.
I will discuss the details only if we think it's a feature worth having.

Michele

_______________________________________________
Mondrian mailing list
Mondrian (AT) pentaho (DOT) org
http://lists.pentaho.org/mailman/listinfo/mondrian