Davide Zerbetto
2012/02/13 11:37
Table of Contents
1 ISecurityInfoProvider
2 ISecurityServiceSupplier
3 How to configure these connectors
4 The Role management
5 Connectors
5.1 Internal Connector (default)
5.2 LDAP based
5.3 eXo
5.4 liferay
5.5 Role based access rights
6 Change Password module
6.1 Roles
In SpagoBI 3.0 you can manage users directly inside the DBMS (it uses an InternalConnector), while earlier versions store only role information, so that the administrator can set up the behavioural model. To retrieve this information SpagoBI uses two connectors, which read:
- role and attribute names;
- the user profile in session.
1 ISecurityInfoProvider
This interface retrieves all roles and user attributes.
```java
public interface ISecurityInfoProvider {
    // method declarations are not reproduced on this page
}
```
SpagoBI invokes these methods in order to read the users' roles and attributes from the external system. The role names and descriptions are inserted in the SBI_EXT_ROLES table. The user attributes are displayed when the administrator opens the attribute list. Note that all the roles are handled by SpagoBI, not only the roles of a specific user. The roles are filtered with a regular expression stored in the SPAGOBI.SECURITY.ROLE-NAME-PATTERN-FILTER configuration property (you can change it through Tools->Manage Configuration).
2 ISecurityServiceSupplier
SpagoBI invokes these methods at user login in order to read the user information: roles and attributes. Here the roles and attributes are those of the specific user. The checkAuthentication and checkAuthenticationWithToken methods are used only if SSO is disabled.
```java
public interface ISecurityServiceSupplier {
    SpagoBIUserProfile createUserProfile(String userId);
    SpagoBIUserProfile checkAuthentication(String userId, String psw);
    SpagoBIUserProfile checkAuthenticationWithToken(String userId, String token);
}
```
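The following is an added example of how the interface above can be implemented; it is not SpagoBI's own InternalSecurityServiceSupplierImpl. Everything not on this page is an assumption: the package of the interface and of the SpagoBIUserProfile bean, the bean's setters used in toProfile(), and the convention that a failed check returns null. The user store and the token map are constructed sample data standing in for a DBMS or directory lookup.

```java
// Added example, not SpagoBI's own connector: a minimal ISecurityServiceSupplier.
// Assumptions (not stated on the page): the package of the interface and of the
// SpagoBIUserProfile bean, the bean's setters used in toProfile(), and that a failed
// check is signalled by returning null.
package it.eng.spagobi.security; // assumed, consistent with the configured class names above

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

import it.eng.spagobi.services.security.bo.SpagoBIUserProfile; // assumed location of the bean

public class ExampleSecurityServiceSupplierImpl implements ISecurityServiceSupplier {

    /** One stored user: salted PBKDF2 hash of the password, never the clear text. */
    private static final class UserRecord {
        final String userName; final byte[] salt; final byte[] hash; final String[] roles;
        UserRecord(String userName, byte[] salt, byte[] hash, String[] roles) {
            this.userName = userName; this.salt = salt; this.hash = hash; this.roles = roles;
        }
    }

    // Constructed sample store; a real connector would query a DBMS or a directory.
    private static final Map<String, UserRecord> USERS = new HashMap<String, UserRecord>();
    // Constructed sample tokens for checkAuthenticationWithToken (opaque random strings).
    private static final Map<String, String> TOKENS = new HashMap<String, String>();

    static {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        USERS.put("biuser", new UserRecord("BI User", salt, pbkdf2("demo-password".toCharArray(), salt),
                new String[] { "/spagobi/dev", "/spagobi/test" }));
        TOKENS.put("biuser", "constructed-opaque-token");
    }

    public SpagoBIUserProfile createUserProfile(String userId) {
        UserRecord rec = USERS.get(userId);
        return rec == null ? null : toProfile(userId, rec);
    }

    public SpagoBIUserProfile checkAuthentication(String userId, String psw) {
        UserRecord rec = USERS.get(userId);
        if (rec == null || psw == null) {
            return null; // unknown user and wrong password give the same result
        }
        byte[] candidate = pbkdf2(psw.toCharArray(), rec.salt);
        // MessageDigest.isEqual compares in constant time for equal-length inputs
        return MessageDigest.isEqual(rec.hash, candidate) ? toProfile(userId, rec) : null;
    }

    public SpagoBIUserProfile checkAuthenticationWithToken(String userId, String token) {
        UserRecord rec = USERS.get(userId);
        String expected = TOKENS.get(userId);
        if (rec == null || expected == null || token == null) {
            return null;
        }
        boolean ok = MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                token.getBytes(StandardCharsets.UTF_8));
        return ok ? toProfile(userId, rec) : null;
    }

    /** Builds the profile SpagoBI keeps in session: id, name, roles and attributes. */
    private static SpagoBIUserProfile toProfile(String userId, UserRecord rec) {
        SpagoBIUserProfile profile = new SpagoBIUserProfile();
        profile.setUniqueIdentifier(userId);
        profile.setUserId(userId);
        profile.setUserName(rec.userName);
        profile.setRoles(rec.roles.clone());
        HashMap attributes = new HashMap(); // raw type: assumed signature of setAttributes
        attributes.put("nome", rec.userName); // keys must match the names ISecurityInfoProvider reports
        profile.setAttributes(attributes);
        return profile;
    }

    /** PBKDF2-HMAC-SHA256 (Java 8+), 100000 iterations, 256-bit output; wipes the char[] afterwards. */
    private static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, 100000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        } finally {
            Arrays.fill(password, '\0');
        }
    }
}
```

Such a class is wired in through the SPAGOBI.SECURITY.USER-PROFILE-FACTORYCLASS.className property described in the Connectors section. The two points worth keeping from the example are that an unknown user and a wrong password return the same result, so the login form cannot be used to enumerate accounts, and that both the password hash and the token are compared with MessageDigest.isEqual rather than String.equals.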
4 The Role management
In SpagoBI each role has a TYPE, and the role type is what authorizes the functionalities. The role types are:
The ROLE-TYPE-PATTERNS properties are useful to set the default type of a new role. The administrator is able to change this with the graphical user interface.
```
SPAGOBI.SECURITY.ROLE-TYPE-PATTERNS.DEV_ROLE-PATTERN=/spagobi/dev
SPAGOBI.SECURITY.ROLE-TYPE-PATTERNS.TEST_ROLE-PATTERN=/spagobi/test
SPAGOBI.SECURITY.ROLE-TYPE-PATTERNS.MODEL_ADMIN-PATTERN=/spagobi/modeladmin
SPAGOBI.SECURITY.ROLE-TYPE-PATTERNS.ADMIN-PATTERN=/spagobi/dev
```
5 Connectors
If you have to write a new connector you must implement the previous Java interfaces, create a JAR with the implementation classes and configure these properties:
```
SPAGOBI.SECURITY.PORTAL-SECURITYCLASS.className=it.eng.spagobi.security.InternalSecurityInfoProviderImpl
SPAGOBI.SECURITY.USER-PROFILE-FACTORYCLASS.className=it.eng.spagobi.security.InternalSecurityServiceSupplierImpl
SPAGOBI.SECURITY.PORTAL-SECURITY-INITCLASS.className=it.eng.spagobi.security.init.InternalSecurityInitializer
```
SpagoBI includes these connectors:
5.1 Internal Connector (default)
```
SPAGOBI.SECURITY.PORTAL-SECURITYCLASS.className=it.eng.spagobi.security.InternalSecurityInfoProviderImpl
SPAGOBI.SECURITY.USER-PROFILE-FACTORYCLASS.className=it.eng.spagobi.security.InternalSecurityServiceSupplierImpl
SPAGOBI.SECURITY.PORTAL-SECURITY-INITCLASS.className=it.eng.spagobi.security.init.InternalSecurityInitializer
```
5.2 LDAP based
```xml
<LDAP_AUTHORIZATIONS default="FALSE">
  <CONFIG>
    <USER_DN>cn=*,ou=People,dc=spagobi,dc=com</USER_DN>
    <ADMIN_USER>cn=Manager,dc=spagobi,dc=com</ADMIN_USER>
    <ADMIN_PSW>6ddbcdd70d086e75bdc121b16bd23f03</ADMIN_PSW>
    <ATTRIBUTES_ID name="nome">description</ATTRIBUTES_ID>
    <ATTRIBUTES_ID name="cognome">sn</ATTRIBUTES_ID>
    <ATTRIBUTES_ID name="userId">cn</ATTRIBUTES_ID>
    <HOST>localhost</HOST>
    <PORT>389</PORT>
    <OBJECTCLASS>person</OBJECTCLASS>
    <SEARCH_ROOT>ou=People,dc=spagobi,dc=com</SEARCH_ROOT>
    <OU_ATTRIBUTE>ou</OU_ATTRIBUTE>
    <SEARCH_ROOT_GROUP>ou=Group,dc=spagobi,dc=com</SEARCH_ROOT_GROUP>
    <OBJECTCLASS_GROUP>organizationalUnit</OBJECTCLASS_GROUP>
    <ATTRIBUTES_ID_GROUP>description</ATTRIBUTES_ID_GROUP>
    <ATTRIBUTES_ID_GROUP>OU</ATTRIBUTES_ID_GROUP>
  </CONFIG>
</LDAP_AUTHORIZATIONS>
```
By default this connector expects the spagobi.ldif schema. If you have your own LDAP schema, check ldap_authorizations.xml and adapt the configuration to it. The ADMIN_PSW value must be encrypted: open a DOS or UNIX shell, go to the library directory
```
cd <your Tomcat home>/webapps/SpagoBI/WEB-INF/lib
```
and then run
```
java -cp commons-codec-1.3.jar;spago-core-2.2.0.jar it.eng.spago.security.DefaultCipher encrypt <your password>
```
(on UNIX/Linux systems use ':' instead of ';' as the classpath separator).
For example: "secret" == 6ddbcdd70d086e75bdc121b16bd23f03.
Since the connector has to recover the clear-text password in order to bind to the LDAP server, this value is reversible encryption, not a hash: restrict read access to ldap_authorizations.xml to the account that runs Tomcat.
Note: check that sbi.security.ldap-2.1.0.jar is present in /SpagoBI/WEB-INF/lib
5.3 eXo
If you install SpagoBI in eXo you must configure:
```
SPAGOBI.SECURITY.PORTAL-SECURITY-CLASS.className=it.eng.spagobi.security.ExoSecurityProviderImpl
SPAGOBI.SECURITY.USER-PROFILE-FACTORYCLASS.className=it.eng.spagobi.security.ExoUserProfileImpl
SPAGOBI.SECURITY.PORTAL-SECURITY-INITCLASS.className=it.eng.spagobi.security.init.ExoPortalSecurityProviderInit
```
Note: check that sbi.security.exo-...jar is present in /SpagoBI/WEB-INF/lib
5.4 liferay
to do...
6 Change Password module
This module makes it possible to add several controls on the new password and on when it must be changed. SpagoBI has a table (SBI_CONFIG) that holds all the rules it manages. Note that the administrator is excluded from these controls.
6.1 Roles
The rules available today are:
- len_min: defines a minimum length; the system checks that the new password is at least this long when the user changes it.
- special_char: defines a set of special characters. If active, the system checks that at least one of them is present in the new password.
- upper_char: checks that at least one character is upper case.
- lower_char: checks that at least one character is lower case.
- number: checks that at least one character is a digit.
- alphabetical: checks that at least one character is a letter.
- change_first: when active, the system forces a password change at the first login.
- disactivation_time: defines the number of months after which an unused password becomes disabled.
- expired_time: defines the number of days after which a password change is required.
To apply some of these rules, set the corresponding ACTIVE value to true (1) in the SBI_CONFIG table (apart from individual configurations).
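As an added example (not code from SpagoBI), here is a checker that applies the nine rules above to a candidate password and to the change/inactivity timing. The rule names are the ones listed on the page; the Rule class, which pairs an ACTIVE flag with a value, stands in for rows of SBI_CONFIG, whose real column layout is not described here, and the configuration in main() is constructed sample data.

```java
// Added example, not SpagoBI code: applies the change-password rules listed above.
// Rule names are the page's; the Rule class (an ACTIVE flag plus a value) stands in
// for rows of SBI_CONFIG, whose real column layout is not described on the page.
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class PasswordRuleChecker {

    /** One SBI_CONFIG-style row: ACTIVE (1 = true) and the rule's value, if it has one. */
    static final class Rule {
        final boolean active;
        final String value;
        Rule(int active, String value) { this.active = active == 1; this.value = value; }
    }

    private final Map<String, Rule> config;

    public PasswordRuleChecker(Map<String, Rule> config) { this.config = config; }

    private boolean active(String rule) {
        Rule r = config.get(rule);
        return r != null && r.active;
    }

    private String value(String rule) { return config.get(rule).value; }

    /** Names of the active rules a candidate password violates; empty means accepted.
     *  The administrator is excluded from these controls, as the module specifies. */
    public List<String> violations(String password, boolean isAdministrator) {
        List<String> failed = new ArrayList<String>();
        if (isAdministrator) return failed;
        if (active("len_min") && password.length() < Integer.parseInt(value("len_min"))) {
            failed.add("len_min");
        }
        if (active("special_char") && !containsAny(password, value("special_char"))) {
            failed.add("special_char");
        }
        if (active("upper_char") && !password.chars().anyMatch(Character::isUpperCase)) failed.add("upper_char");
        if (active("lower_char") && !password.chars().anyMatch(Character::isLowerCase)) failed.add("lower_char");
        if (active("number") && !password.chars().anyMatch(Character::isDigit)) failed.add("number");
        if (active("alphabetical") && !password.chars().anyMatch(Character::isLetter)) failed.add("alphabetical");
        return failed;
    }

    /** change_first forces a change at the first login; expired_time after the configured days. */
    public boolean changeRequired(boolean firstLogin, long daysSinceLastChange, boolean isAdministrator) {
        if (isAdministrator) return false;
        if (active("change_first") && firstLogin) return true;
        return active("expired_time") && daysSinceLastChange >= Long.parseLong(value("expired_time"));
    }

    /** disactivation_time disables a password unused for the configured number of months. */
    public boolean disabledForInactivity(long monthsUnused, boolean isAdministrator) {
        if (isAdministrator) return false;
        return active("disactivation_time") && monthsUnused >= Long.parseLong(value("disactivation_time"));
    }

    private static boolean containsAny(String s, String charset) {
        for (char c : s.toCharArray()) {
            if (charset.indexOf(c) >= 0) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample of SBI_CONFIG rows: rule name -> (ACTIVE, value)
        Map<String, Rule> cfg = new HashMap<String, Rule>();
        cfg.put("len_min", new Rule(1, "8"));
        cfg.put("special_char", new Rule(1, "!@#$%&*"));
        cfg.put("upper_char", new Rule(1, null));
        cfg.put("lower_char", new Rule(1, null));
        cfg.put("number", new Rule(1, null));
        cfg.put("alphabetical", new Rule(0, null)); // inactive: not checked
        cfg.put("change_first", new Rule(1, null));
        cfg.put("disactivation_time", new Rule(1, "6"));
        cfg.put("expired_time", new Rule(1, "90"));
        PasswordRuleChecker checker = new PasswordRuleChecker(cfg);
        System.out.println(checker.violations("short", false));
        System.out.println(checker.violations("Str0ng#pass", false));
        System.out.println(checker.changeRequired(true, 0, false));
        System.out.println(checker.disabledForInactivity(7, false));
    }
}
```

The checker reports every violated rule at once rather than stopping at the first, so the user gets the whole list in one round trip; the isAdministrator flag reproduces the module's exclusion of the administrator, which is worth keeping visible in code review since it is the one account that bypasses the policy.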