Hitachi Vantara Pentaho Community Forums

Thread: How to Configure Pentaho for Siteminder?

  1. #1
    Join Date
    Jul 2007
    Posts
    12

    How to Configure Pentaho for Siteminder?

    If anybody has had success integrating Siteminder with Pentaho would you kindly help me out?
    I am stuck and would like to get a copy of your applicationContext-spring-security.xml file along with any other xml files that need to be changed.
    Beyond that, ANY instructions, advice, notes etc would be very welcome!

    This is for a 3.6 build on a Windows 2003 Server.

    Clearly there is no documentation on the web, Pentaho doesn't support Siteminder installs, Siteminder doesn't support Pentaho etc.

    Many thanks in advance.

    -- Mark Hogan

  2. #2
    Join Date
    Jul 2007
    Posts
    12

    Configure SiteMinder support in Spring Security for Pentaho 3.6

    Resolved - May 12, 2011
    I'm posting this solution to the forum in the hopes that it helps somebody. Clearly it is a specific implementation, it's here as-is, it works and fits into the Pentaho architecture cleanly as intended.

    Specific details:

    Our SSO uses the SM_UNIVERSALID header instead of the standard SiteMinder SM_USER header. Adjust the siteminderFilter in step 1 below accordingly.

    Generic details:

    The following Siteminder example is available from Spring Security at http://static.springsource.org/spring-security/site/docs/2.0.x/reference/preauth.html#d4e1923

    <bean id="siteminderFilter"
          class="org.springframework.security.ui.preauth.header.RequestHeaderPreAuthenticatedProcessingFilter">
      <security:custom-filter position="PRE_AUTH_FILTER" />
      <property name="principalRequestHeader" value="SM_USER"/>
      <property name="authenticationManager" ref="authenticationManager" />
    </bean>

    <bean id="preauthAuthProvider"
          class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
      <security:custom-authentication-provider />
      <property name="preAuthenticatedUserDetailsService">
        <bean id="userDetailsServiceWrapper"
              class="org.springframework.security.userdetails.UserDetailsByNameServiceWrapper">
          <property name="userDetailsService" ref="userDetailsService"/>
        </bean>
      </property>
    </bean>

    <security:authentication-manager alias="authenticationManager" />

    This is based on Spring Security's namespace configuration, which Pentaho 3.6 is not currently using.
    The necessary updates to the Pentaho applicationContext-spring-security.xml to leverage SiteMinder include:

    1. introduce the siteminderFilter from the example but REMOVE the <security:custom-filter... also, update the principalRequestHeader value of SM_USER, if necessary, to match the principal header that will be used

    <bean id="siteminderFilter"
          class="org.springframework.security.ui.preauth.header.RequestHeaderPreAuthenticatedProcessingFilter">
      <property name="principalRequestHeader" value="SM_USER"/>
      <property name="authenticationManager" ref="authenticationManager" />
    </bean>

    2. introduce the siteminderAuthProvider (renamed from the example’s preauthAuthProvider for clarity) from the example but REMOVE the <security:custom-authentication-provider... note that the ref="userDetailsService" will already reference the pentaho-provided userDetailsService (see applicationContext-spring-security-hibernate.xml)

    <bean id="siteminderAuthProvider"
          class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
      <property name="preAuthenticatedUserDetailsService">
        <bean id="userDetailsServiceWrapper"
              class="org.springframework.security.userdetails.UserDetailsByNameServiceWrapper">
          <!-- this userDetailsService matches the service in spring-security-hibernate.xml -->
          <property name="userDetailsService" ref="userDetailsService"/>
        </bean>
      </property>
    </bean>

    3. update the filterChainProxy's filterInvocationDefinitionSource property to add the siteminderFilter BEFORE the basicProcessingFilter in the comma-delimited list

    <bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
      <property name="filterInvocationDefinitionSource">
        <value>
    <![CDATA[CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    PATTERN_TYPE_APACHE_ANT
    /**=securityContextHolderAwareRequestFilter,httpSessionContextIntegrationFilter,httpSessionReuseDetectionFilter,logoutFilter,authenticationProcessingFilter,siteminderFilter,basicProcessingFilter,requestParameterProcessingFilter,anonymousProcessingFilter,pentahoSecurityStartupFilter,exceptionTranslationFilter,filterInvocationInterceptor]]>
        </value>
      </property>
    </bean>

    4. update the authenticationManager to add a reference to the preauthProvider in the providers list before the daoAuthProvider

    <bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
      <property name="providers">
        <list>
          <ref bean="siteminderAuthProvider" />
          <ref bean="daoAuthenticationProvider" />
          <ref local="anonymousAuthenticationProvider" />
        </list>
      </property>
    </bean>

    From there, creating user accounts in Pentaho with the username matching the incoming header identified in the siteminderFilter will result in the user being automatically authenticated by Spring Security based on the SiteMinder header (no password necessary) and their assigned roles picked up by the existing Pentaho userDetailsService.

    Users who are successfully authenticated by SiteMinder but whose username is not configured in the Pentaho user store will be prompted to login as before. Once they are added to the Pentaho user store, they will no longer be prompted to login (unless they go to /pentaho/Login directly).

    Solution developed by:
    Marc Thornton
    Senior Architect, Information Management
    Bell Canada
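
Added example, not part of the original post and not Pentaho code: a small Python check that reads an applicationContext-spring-security.xml and reports whether steps 1-4 above are wired in the order the post describes. The embedded XML is a constructed, trimmed sample, and the function names are illustrative.

```python
import xml.etree.ElementTree as ET
# Constructed sample, trimmed to the parts of steps 1-4 that the check reads.
SAMPLE = """<beans>
<bean id="siteminderFilter" class="org.springframework.security.ui.preauth.header.RequestHeaderPreAuthenticatedProcessingFilter">
  <property name="principalRequestHeader" value="SM_USER"/>
</bean>
<bean id="siteminderAuthProvider" class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider"/>
<bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
  <property name="filterInvocationDefinitionSource"><value><![CDATA[PATTERN_TYPE_APACHE_ANT
/**=logoutFilter,authenticationProcessingFilter,siteminderFilter,basicProcessingFilter,exceptionTranslationFilter]]></value></property>
</bean>
<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
  <property name="providers"><list>
    <ref bean="siteminderAuthProvider"/><ref bean="daoAuthenticationProvider"/>
  </list></property>
</bean>
</beans>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop an XML namespace, if any

def before(items, first, second):
    return first in items and (second not in items or items.index(first) < items.index(second))

def check_siteminder_config(xml_text):
    """Return a list of problems; an empty list means steps 1-4 look applied."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:  # e.g. a leftover security: element with no namespace declared
        return [f"file does not parse: {exc}"]
    beans = {b.get("id"): b for b in root.iter() if local(b.tag) == "bean"}
    problems = [f"bean {i} is missing" for i in ("siteminderFilter", "siteminderAuthProvider") if i not in beans]
    if any(local(e.tag).startswith("custom-") for e in root.iter()):
        problems.append("security:custom-... element still present (steps 1 and 2 remove it)")
    if not any(p.get("name") == "principalRequestHeader" and p.get("value") for p in beans.get("siteminderFilter", ())):
        problems.append("siteminderFilter has no principalRequestHeader")
    proxy = beans.get("filterChainProxy")
    text = "".join(proxy.itertext()) if proxy is not None else ""
    chains = [[f.strip() for f in line.split("=", 1)[1].split(",")]
              for line in text.splitlines() if "=" in line]
    if not any("siteminderFilter" in c for c in chains) or not all(
            before(c, "siteminderFilter", "basicProcessingFilter")
            for c in chains if "basicProcessingFilter" in c):
        problems.append("siteminderFilter must precede basicProcessingFilter (step 3)")
    manager = beans.get("authenticationManager")
    refs = [r.get("bean") or r.get("local") for r in (manager.iter() if manager is not None else ()) if local(r.tag) == "ref"]
    if not before(refs, "siteminderAuthProvider", "daoAuthenticationProvider"):
        problems.append("siteminderAuthProvider must precede daoAuthenticationProvider (step 4)")
    return problems
```

The check covers wiring only. Because the filter authenticates whichever user the header names, with no password, the Pentaho server should be reachable only through the SiteMinder-protected web tier.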

  3. #3
    Join Date
    Apr 2009
    Posts
    337

    Sorry mods if you felt I'm re-opening an old thread, but I actually tried to implement something as suggested here with Webseal security, but even after adding users in Pentaho, similar to what comes from the principalRequestHeader (SM-USER) in the example, it is always redirecting to the login page! Did I miss something? Is there any other change apart from what is mentioned here?
    Regards,
    Madhu

  4. #4
    Join Date
    Apr 2009
    Posts
    337

    Ok. I just solved that one too. It was an issue with an id mismatch between the username in the header and the username in Pentaho.
    Regards,
    Madhu
