Hello. Today I’m going to be discussing how to go about setting up SSO (Single Sign On) support for Pentaho using CAS (Central Authentication Service) and an LDAP (Lightweight Directory Access Protocol) Server. By doing this, you can allow Pentaho to utilize the same usernames and passwords as your other programs requiring authentication, removing the burden of having to track and maintain multiple usernames per employee, as well as allow CAS compatible programs to share session data so that end users only have to log in once for all of them. This guide is meant to focus more on setting up CAS than anything else, so if you need a test LDAP server (and are using Ubuntu) I would recommend following this tutorial for setting up OpenLDAP up to the section “Further Configuration”: https://help.ubuntu.com/11.04/serverguide/C/openldap-server.html
Special Thanks to Nilesh Patil, whose blog gave me a good basis to start from: http://pentahointegra.blogspot.com/2011/04/cas-with-pentaho-community-edition.html
Some security things to note before getting started. Single Sign On does not mean Single Sign Off, due to the different ways web-based applications can retain session data. Also note that this does not require an https connection, and thus is not ideal for things outside of a LAN or VPN connection. It is possible to do this set up using https, but it requires more steps. Addressing these sorts of issues will probably be the topic of a later post.
This guide is accurate for Pentaho CE 3.8 and CAS Server 3.4.8.
Installing CAS Server
- Download the most recent CAS Server from http://www.jasig.org/cas/download and unzip it.
- In the newly created directory, navigate to the modules directory, which will contain various jar and war files.
- Move the war file for the CAS server webapp (e.g. cas-server-webapp-3.4.8.war) to tomcat's webapps directory. If using the standard one that is part of Pentaho, this directory would be biserver-ce/tomcat/webapps. Since a war file is automatically expanded into a directory with the same name as the war file, it might be a good idea to rename it to something more convenient before placing it in the webapps directory.
- If the tomcat server is not already running, start it. The war file will be automatically inflated into its own directory.
- In a web browser, navigate to the subdirectory on the tomcat server, such as http://localhost:8080/cas-server-webapp-3.4.8/, which will bring you to the CAS main login screen if everything is working correctly. The default authentication handler that CAS ships with (SimpleTestUsernamePasswordAuthenticationHandler) merely requires the username and password entered to be identical for a successful authentication, so it is only a placeholder until a real handler is configured.
Connecting Pentaho to CAS
- Download spring-security-cas-client-2.0.5.RELEASE.jar from a site such as http://www.jarvana.com/jarvana/browse/org/springframework/security/spring-security-cas-client/2.0.5.RELEASE/. Note that it needs to be this version of the jar file, as later versions do not contain the necessary classes.
- Download cas-client-core-3.1.10.jar from a site such as http://www.jarvana.com/jarvana/archive-details/org/jasig/cas/cas-client-core/3.1.10/cas-client-core-3.1.10.jar. A later version should also be sufficient for this.
- Move both of these jar files to biserver-ce/tomcat/webapps/pentaho/WEB-INF/lib.
- Edit the file applicationContext-spring-security.xml in the directory biserver-ce/pentaho-solutions/system. Because the changes are spread throughout the file, the whole document is reproduced here:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springsource.org/dtd/spring-beans.dtd">
<!--+
  | Application context containing FilterChainProxy.
  +-->
<beans default-autowire="no" default-dependency-check="none" default-lazy-init="false">

  <!-- ======================== FILTER CHAIN ======================= -->
  <!-- overridden from applicationContext-spring-security.xml to enable CAS -->
  <bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy" autowire="default" dependency-check="default" lazy-init="default">
    <property name="filterInvocationDefinitionSource">
      <value>
<![CDATA[CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**=securityContextHolderAwareRequestFilter,httpSessionContextIntegrationFilter,logoutFilter,casProcessingFilter,basicProcessingFilter,requestParameterProcessingFilter,anonymousProcessingFilter,pentahoSecurityStartupFilter,exceptionTranslationFilter,filterInvocationInterceptor,casSingleSignOutFilter]]>
      </value>
    </property>
  </bean>

  <!-- ===================== HTTP REQUEST SECURITY ==================== -->
  <bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties" autowire="default" dependency-check="default" lazy-init="default">
    <property name="service" value="http://localhost:8080/pentaho/j_spring_cas_security_check"/>
    <property name="sendRenew" value="false"/>
  </bean>

  <!-- replaces authenticationProcessingFilter in filterChainProxy above -->
  <bean id="casProcessingFilter" class="org.springframework.security.ui.cas.CasProcessingFilter" autowire="default" dependency-check="default" lazy-init="default">
    <property name="authenticationManager">
      <ref bean="authenticationManager"/>
    </property>
    <property name="authenticationFailureUrl" value="/public/casFailed"/>
    <property name="defaultTargetUrl" value="/"/>
    <property name="filterProcessesUrl" value="/j_spring_cas_security_check"/>
  </bean>

  <bean id="casSingleSignOutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter">
  </bean>
  <bean id="casSingleSignOutHttpSessionListener" class="org.jasig.cas.client.session.SingleSignOutHttpSessionListener">
  </bean>

  <!-- overridden from applicationContext-spring-security.xml -->
  <bean id="exceptionTranslationFilter" class="org.springframework.security.ui.ExceptionTranslationFilter" autowire="default" dependency-check="default" lazy-init="default">
    <property name="authenticationEntryPoint">
      <ref local="casProcessingFilterEntryPoint"/>
    </property>
    <property name="accessDeniedHandler">
      <bean class="org.springframework.security.ui.AccessDeniedHandlerImpl" />
    </property>
  </bean>

  <bean id="casProcessingFilterEntryPoint" class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint" autowire="default" dependency-check="default" lazy-init="default">
    <property name="loginUrl" value="http://localhost:8080/cas-server-webapp-3.4.8/login"/>
    <property name="serviceProperties">
      <ref local="serviceProperties"/>
    </property>
  </bean>

  <!-- overridden from applicationContext-spring-security.xml -->
  <bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager" autowire="default" dependency-check="default" lazy-init="default">
    <property name="providers">
      <list>
        <!--ref bean="daoAuthenticationProvider" /-->
        <ref bean="anonymousAuthenticationProvider"/>
        <ref bean="casAuthenticationProvider"/>
      </list>
    </property>
  </bean>

  <bean id="casAuthenticationProvider" class="org.springframework.security.providers.cas.CasAuthenticationProvider">
    <property name="userDetailsService">
      <ref bean="userDetailsService"/>
    </property>
    <property name="serviceProperties">
      <ref local="serviceProperties"/>
    </property>
    <property name="ticketValidator">
      <ref local="ticketValidator"/>
    </property>
    <property name="key" value="my_password_for_this_auth_provider_only"/>
  </bean>

  <bean id="ticketValidator" class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator" autowire="default" dependency-check="default" lazy-init="default">
    <constructor-arg index="0" value="http://localhost:8080/cas-server-webapp-3.4.8"/>
  </bean>

  <!-- overridden from applicationContext-spring-security.xml to specify logoutSuccessUrl as CAS logout page -->
  <bean id="logoutFilter" class="org.springframework.security.ui.logout.LogoutFilter" autowire="default" dependency-check="default" lazy-init="default">
    <constructor-arg value="http://localhost:8080/cas-server-webapp-3.4.8/logout"/>
    <constructor-arg>
      <list>
        <bean class="org.pentaho.platform.web.http.security.PentahoLogoutHandler"/>
        <bean class="org.springframework.security.ui.logout.SecurityContextLogoutHandler"/>
      </list>
    </constructor-arg>
    <property name="filterProcessesUrl" value="/Logout"/>
  </bean>

  <!-- ======================== AUTHENTICATION ======================= -->
  <!-- <bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
    <property name="providers">
      <list>
        <ref bean="daoAuthenticationProvider" />
        <ref local="anonymousAuthenticationProvider" />
      </list>
    </property>
  </bean>
  -->

  <!-- Automatically receives AuthenticationEvent messages -->
  <bean id="loggerListener"
        class="org.springframework.security.event.authentication.LoggerListener" />

  <bean id="basicProcessingFilter"
        class="org.springframework.security.ui.basicauth.BasicProcessingFilter">
    <property name="authenticationManager">
      <ref local="authenticationManager" />
    </property>
    <property name="authenticationEntryPoint">
      <ref local="basicProcessingFilterEntryPoint" />
    </property>
  </bean>

  <bean id="basicProcessingFilterEntryPoint"
        class="org.springframework.security.ui.basicauth.BasicProcessingFilterEntryPoint">
    <property name="realmName" value="Pentaho Realm" />
  </bean>

  <!-- custom Pentaho begin -->
  <bean id="requestParameterProcessingFilter"
        class="org.pentaho.platform.web.http.security.RequestParameterAuthenticationFilter">
    <property name="authenticationManager">
      <ref local="authenticationManager" />
    </property>
    <property name="authenticationEntryPoint">
      <ref local="requestParameterProcessingFilterEntryPoint" />
    </property>
  </bean>

  <bean id="requestParameterProcessingFilterEntryPoint"
        class="org.pentaho.platform.web.http.security.RequestParameterFilterEntryPoint" />

  <bean id="pentahoSecurityStartupFilter"
        class="org.pentaho.platform.web.http.security.SecurityStartupFilter">
    <property name="injectAnonymous" value="true" />
  </bean>
  <!-- custom Pentaho end -->

  <bean id="anonymousProcessingFilter"
        class="org.springframework.security.providers.anonymous.AnonymousProcessingFilter">
    <property name="key" value="foobar" />
    <property name="userAttribute" value="anonymousUser,Anonymous" />
  </bean>

  <bean id="anonymousAuthenticationProvider"
        class="org.springframework.security.providers.anonymous.AnonymousAuthenticationProvider">
    <property name="key" value="foobar" />
  </bean>

  <bean id="httpSessionContextIntegrationFilter"
        class="org.springframework.security.context.HttpSessionContextIntegrationFilter" />

  <!--
  <bean id="logoutFilter" class="org.springframework.security.ui.logout.LogoutFilter">
    <constructor-arg value="/index.jsp" />
    <constructor-arg>
      <list>
        <bean class="org.pentaho.platform.web.http.security.PentahoLogoutHandler" />
        <bean
              class="org.springframework.security.ui.logout.SecurityContextLogoutHandler" />
      </list>
    </constructor-arg>
    <property name="filterProcessesUrl" value="/Logout" />
  </bean>
  -->

  <bean id="securityContextHolderAwareRequestFilter"
        class="org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter" />

  <bean id="httpSessionReuseDetectionFilter"
        class="org.pentaho.platform.web.http.security.HttpSessionReuseDetectionFilter">
    <property name="filterProcessesUrl" value="/j_spring_security_check" />
    <property name="sessionReuseDetectedUrl" value="/Login?login_error=2" />
  </bean>

  <bean id="httpRequestAccessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
    <property name="allowIfAllAbstainDecisions" value="false" />
    <property name="decisionVoters">
      <list>
        <ref bean="roleVoter" />
      </list>
    </property>
  </bean>

  <!--
  Note the order that entries are placed against the
  objectDefinitionSource is critical. The FilterSecurityInterceptor will
  work from the top of the list down to the FIRST pattern that matches
  the request URL. Accordingly, you should place MOST SPECIFIC (ie
  a/b/c/d.*) expressions first, with LEAST SPECIFIC (ie a/.*)
  expressions last
  -->
  <bean id="filterInvocationInterceptor"
        class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager">
      <ref local="authenticationManager" />
    </property>
    <property name="accessDecisionManager">
      <ref local="httpRequestAccessDecisionManager" />
    </property>
    <property name="objectDefinitionSource">
      <value>
        <!--
        Note - the "=Nobody" below is saying that resource URLs with those
        patterns not be available through a web call.
        -->
<![CDATA[
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
\A/docs/.*\Z=Anonymous,Authenticated,ea_admin
\A/mantlelogin/.*\Z=Anonymous,Authenticated,ea_admin
\A/mantle/mantleloginservice/*\Z=Anonymous,Authenticated,ea_admin
\A/mantle/.*\Z=Authenticated,ea_admin
\A/welcome/.*\Z=Anonymous,Authenticated,ea_admin
\A/public/.*\Z=Anonymous,Authenticated,ea_admin
\A/login.*\Z=Anonymous,Authenticated,ea_admin
\A/ping/alive.gif.*\Z=Anonymous,Authenticated,ea_admin
\A/j_spring_security_check.*\Z=Anonymous,Authenticated,ea_admin
\A/getimage.*\Z=Anonymous,Authenticated,ea_admin
\A/getresource.*\Z=Anonymous,Authenticated,ea_admin
\A/admin.*\Z=Admin,uidai_admin
\A/auditreport.*\Z=Admin,uidai_admin
\A/auditreportlist.*\Z=Admin,uidai_admin
\A/versioncontrol.*\Z=Admin,uidai_admin
\A/propertieseditor.*\Z=Admin,uidai_admin
\A/propertiespanel.*\Z=Admin,uidai_admin
\A/subscriptionadmin.*\Z=Admin,uidai_admin
\A/resetrepository.*\Z=Admin,uidai_admin
\A/viewaction.*solution.admin.*\Z=Admin,uidai_admin
\A/scheduleradmin.*\Z=Admin,uidai_admin
\A/publish.*\Z=Admin,uidai_admin
\A/logout.*\Z=Anonymous
\A/solutionrepositoryservice.*component=delete.*solution=system.*\Z=Nobody
\A/solutionrepositoryservice.*solution=system.*component=delete.*\Z=Nobody
.*system.*pentaho.xml.*=Nobody
.*system.*applicationcontext.*.xml.*=Nobody
.*system.*pentahoobjects.spring.xml.*=Nobody
.*system.*pentahosystemconfig.xml.*=Nobody
.*system.*adminplugins.xml.*=Nobody
.*system.*plugin.properties.*=Nobody
.*system.*publisher_config.xml.*=Nobody
.*system.*sessionstartupactions.xml.*=Nobody
.*system.*systemlisteners.xml.*=Nobody
.*system.*hibernate.*=Nobody
.*system.*birt/.*=Nobody
.*system.*dialects/.*=Nobody
.*system.*google/.*=Nobody
.*system.*jasperreports/.*=Nobody
.*system.*jfree/.*=Nobody
.*system.*kettle/.*=Nobody
.*system.*logs/.*=Nobody
.*system.*metadata/.*=Nobody
.*system.*mondrian/.*=Nobody
.*system.*olap/.*=Nobody
.*system.*quartz/.*=Nobody
.*system.*simple-jndi/.*=Nobody
.*system.*smtp-email/.*=Nobody
.*system.*ui/.*=Nobody
.*system.*analysistemplate.tpl.*=Nobody
.*system.*../.*=Nobody
\A/.*\Z=Authenticated,ea_admin
]]>
      </value>
    </property>
  </bean>
</beans>
- Restart the server and navigate to the Pentaho home page in a web browser (http://localhost:8080/pentaho). If successful, it will redirect you to the CAS login page, and once you are authenticated it will redirect you back to the Pentaho home page.
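The objectDefinitionSource in the file above is evaluated top-down, first match wins, after the request URL (path plus query string) has been lowercased; the comment in the Pentaho file says as much, but it is easy to break when you add or move a line. The Python below is an added example, not part of this post and not Pentaho's or Spring Security's code, that reimplements that matching over an excerpt of the page's own rules so you can check which line a given URL lands on and whether a set of roles would be admitted. The excerpt of the rule text, the sample URLs and the role sets are constructed for the demonstration; the parsing it assumes (split each line at the last "=", match the regex against the whole URL) follows Spring Security 2.0's regex-based definition source.

```python
import re

# Constructed excerpt of the objectDefinitionSource from the Pentaho
# applicationContext-spring-security.xml reproduced above. Java regex syntax
# (\A and \Z anchors) is also valid for Python's re module. Only the lines
# needed for the demonstration are kept; their order is the file's order.
OBJECT_DEFINITION_SOURCE = r"""
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
\A/docs/.*\Z=Anonymous,Authenticated,ea_admin
\A/mantlelogin/.*\Z=Anonymous,Authenticated,ea_admin
\A/mantle/.*\Z=Authenticated,ea_admin
\A/public/.*\Z=Anonymous,Authenticated,ea_admin
\A/admin.*\Z=Admin,uidai_admin
\A/logout.*\Z=Anonymous
\A/solutionrepositoryservice.*component=delete.*solution=system.*\Z=Nobody
.*system.*pentaho.xml.*=Nobody
.*system.*hibernate.*=Nobody
\A/.*\Z=Authenticated,ea_admin
"""


def parse_definition_source(text):
    """Turn the CDATA text into (lowercase_flag, rules).

    Each rule is (index, pattern_text, compiled_regex, roles). Spring Security
    2.0 splits a line at the LAST '=', so an '=' inside a query-string pattern
    such as component=delete stays part of the pattern.
    """
    lowercase = False
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "//")):
            continue
        if line == "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON":
            lowercase = True
            continue
        pattern, _, roles = line.rpartition("=")
        rules.append((len(rules), pattern, re.compile(pattern),
                      [r.strip() for r in roles.split(",")]))
    return lowercase, rules


LOWERCASE, RULES = parse_definition_source(OBJECT_DEFINITION_SOURCE)


def matching_rule(request_url):
    r"""First rule whose regex matches the WHOLE request URL (path plus query
    string), or None. The interceptor walks the list top-down and stops at the
    first hit, which is why the catch-all \A/.*\Z line has to stay last."""
    url = request_url.lower() if LOWERCASE else request_url
    for rule in RULES:
        if rule[2].fullmatch(url):
            return rule
    return None


def is_allowed(user_roles, request_url):
    """AffirmativeBased + RoleVoter: granted if the user holds ANY role listed on
    the matching line. 'Nobody' works because no account is ever given that role."""
    rule = matching_rule(request_url)
    if rule is None:
        # Unreachable while the catch-all is in place; treated as denied here so
        # a misplaced or deleted catch-all shows up when auditing the file.
        return False
    return any(role in rule[3] for role in user_roles)


if __name__ == "__main__":
    for url in ["/Admin", "/mantle/home",
                "/solutionrepositoryservice?component=delete&solution=system",
                "/pentaho-solutions/system/pentaho.xml"]:
        idx, pattern, _, roles = matching_rule(url)
        print(f"{url:60} -> line {idx}: {pattern} => {roles}")
```

Run it after every edit to the CDATA block: if a URL that should hit a `=Nobody` line reports the catch-all instead, the protective line has been moved below it or mangled, and the restricted file is now readable by every authenticated user.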
Connecting CAS to LDAP
- Download Spring-ldap-1.3.1.jar from a site such as http://www.jarvana.com/jarvana/archive-details/org/springframework/ldap/spring-ldap/1.3.1.RELEASE/spring-ldap-1.3.1.RELEASE-all.jar or similar version.
- Download cas-server-ldap-3.0.5.jar or similar from a site such as http://developer.jasig.org/repo/content/repositories/m1/cas/jars/
- Download LdapTemplate-1.0.2.jar or similar version from a site such as http://mvnrepository.com/artifact/net.sf.ldaptemplate/ldaptemplate/1.0.2
- Place all of these jar files in the CAS Server’s WEB-INF/lib directory (In this case, biserver-ce/tomcat/webapps/cas-server-webapp-3.4.8/WEB-INF/lib).
- Edit the deployerConfigContext.xml file in CAS Server’s WEB-INF directory (biserver-ce/tomcat/webapps/cas-server-webapp-3.4.8/WEB-INF/) and add to the end before the final </beans> tag:
<bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
  <property name="pooled" value="false"/>
  <property name="urls">
    <list>
      <value>ldap://localhost:389</value>
    </list>
  </property>
  <property name="password" value="secret"/>
  <property name="baseEnvironmentProperties">
    <map>
      <entry key="java.naming.security.authentication" value="simple" />
    </map>
  </property>
</bean>
- In the same file, replace the bean named SimpleTestUsernamePasswordAuthenticationHandler with this:
<bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
  <property name="filter" value="uid=%u" />
  <property name="searchBase" value="ou=people,dc=datamensional-Virtualbox" />
  <property name="contextSource" ref="contextSource" />
</bean>
- In a web browser, navigate to the CAS login page or any app integrated with it. You should be able to log in using the credentials stored on the connected LDAP server.
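What the BindLdapAuthenticationHandler configured above does with its filter (uid=%u) and searchBase: substitute the login name into the filter, search the subtree under searchBase for exactly one entry, then bind as that entry's DN with the password the user typed. The Python below is an added example, not CAS's own code, that simulates that search-then-bind sequence against a small in-memory directory so it runs offline. The directory entries, their passwords and the base DN dc=example,dc=org are constructed placeholders standing in for the page's LDAP server; the RFC 4515 escaping of the substituted value and the refusal of an empty password are what a correct implementation of this handler needs, not a statement about what a particular CAS version does.

```python
# Added example: search-then-bind as performed by the BindLdapAuthenticationHandler
# bean above (filter uid=%u, searchBase ou=people,...), simulated against a
# constructed in-memory directory. This is not CAS's own code.

SEARCH_BASE = "ou=people,dc=example,dc=org"   # placeholder for the page's searchBase
FILTER_TEMPLATE = "uid=%u"                     # the handler's filter property

# RFC 4515 escapes for a value substituted into a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Constructed directory: DN -> attributes. Passwords are kept in clear only so the
# simulated bind can check them; a real server never returns them to a client.
DIRECTORY = {
    "uid=jdoe,ou=people,dc=example,dc=org": {"uid": "jdoe", "userPassword": "correct horse"},
    "uid=asmith,ou=people,dc=example,dc=org": {"uid": "asmith", "userPassword": "hunter2"},
    "uid=root,ou=admins,dc=example,dc=org": {"uid": "root", "userPassword": "toor"},
}


def escape_filter_value(value):
    """Escape one attribute value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(template, username):
    """Substitute %u. The login name is user-supplied input to the filter, so it
    is escaped first; otherwise '*' or parentheses would change the query."""
    return template.replace("%u", escape_filter_value(username))


def search(search_base, search_filter):
    """Stand-in for the subtree search. Supports only the attr=value equality
    filter this handler produces; returns the matching DNs."""
    attr, _, value = search_filter.partition("=")
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith("," + search_base)
            and escape_filter_value(attrs.get(attr, "")) == value]


def bind(dn, password):
    """Stand-in for a simple bind as dn with password."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["userPassword"] == password


def authenticate(username, password, search_base=SEARCH_BASE, filter_template=FILTER_TEMPLATE):
    """Return the DN on success, None on any failure.

    The search must find exactly one entry under searchBase; only then is the
    user's password tried with a bind as that DN. An empty password is refused
    up front because a simple bind with an empty password is an unauthenticated
    (anonymous) bind on many directory servers and would "succeed" without
    proving anything about the user.
    """
    if not username or not password:
        return None
    hits = search(search_base, build_search_filter(filter_template, username))
    if len(hits) != 1:          # zero hits: unknown user; more than one: ambiguous
        return None
    return hits[0] if bind(hits[0], password) else None


if __name__ == "__main__":
    for u, p in [("jdoe", "correct horse"), ("jdoe", "wrong"), ("root", "toor"),
                 ("*", "anything"), ("jdoe", "")]:
        print(f"{u!r:8} -> {authenticate(u, p)}")
```

Note that "root" is refused even with the right password because its entry sits under ou=admins, outside the configured searchBase; the searchBase is therefore part of the access policy, not just a performance hint.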
42 thoughts on “Pentaho SSO Setup using CAS and LDAP”
Great tutorial. I've followed these same instructions for CAS 3.4.10, but I'm having problems after the CAS ticket is generated. I'm using SSL as directed by CAS on startup (tickets weren't granted without SSL), and I'm having a problem getting redirected back to Pentaho. I receive this error:
java.lang.RuntimeException: java.net.ConnectException: Connection timed out
org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:295)
org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:33)
org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:178)
org.springframework.security.providers.cas.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:145)
org.springframework.security.providers.cas.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:131)
org.springframework.security.providers.ProviderManager.doAuthentication(ProviderManager.java:188)
org.springframework.security.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:46)
org.springframework.security.ui.cas.CasProcessingFilter.attemptAuthentication(CasProcessingFilter.java:94)
org.springframework.security.ui.AbstractProcessingFilter.doFilterHttp(AbstractProcessingFilter.java:259)
org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
org.springframework.security.ui.logout.LogoutFilter.doFilterHttp(LogoutFilter.java:89)
org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
org.springframework.security.context.HttpSessionContextIntegrationFilter.doFilterHttp(HttpSessionContextIntegrationFilter.java:235)
org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter.doFilterHttp(SecurityContextHolderAwareRequestFilter.java:91)
org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
org.springframework.security.util.FilterChainProxy.doFilter(FilterChainProxy.java:175)
org.springframework.security.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:99)
org.pentaho.platform.web.http.filters.SystemStatusFilter.doFilter(SystemStatusFilter.java:60)
org.pentaho.platform.web.http.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:113)
Do you know what might be causing this?
Thanks in advance,
F
I discovered the issue here: my instance is on EC2, and using the external ip address of the instance for CAS ticket validation service was timing out. Changing it to the internal ip address solved the issue.
Thanks again for your tutorial!
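F's stack trace above shows where the redirect actually fails: once the browser comes back to /j_spring_cas_security_check?ticket=ST-..., CasAuthenticationProvider makes its own HTTP request from the Pentaho server to the CAS server's /serviceValidate endpoint (the URL given to the ticketValidator bean), so that address must be reachable from the server itself, not only from the user's browser. The Python below is an added example, not part of the post or of any comment and not the Java client's code: it builds that validation URL, parses the two kinds of CAS 2.0 response, and mirrors the lookup against Pentaho's user list that sends unknown users to /public/casFailed. The two XML responses and the user set are constructed, and ST-0-EXAMPLE-cas is a placeholder ticket.

```python
import xml.etree.ElementTree as ET
from collections import namedtuple
from urllib.parse import urlencode

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace used by CAS 2.0 responses

# Values taken from the applicationContext-spring-security.xml in the post.
CAS_SERVER_URL = "http://localhost:8080/cas-server-webapp-3.4.8"          # ticketValidator constructor-arg
SERVICE_URL = "http://localhost:8080/pentaho/j_spring_cas_security_check"  # serviceProperties.service
FAILURE_URL = "/public/casFailed"   # casProcessingFilter.authenticationFailureUrl
DEFAULT_TARGET_URL = "/"            # casProcessingFilter.defaultTargetUrl

# Constructed sample responses; ST-0-EXAMPLE-cas is a placeholder ticket id.
SUCCESS_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    ticket 'ST-0-EXAMPLE-cas' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

ValidationResult = namedtuple("ValidationResult", "user failure_code message")


def validation_url(cas_server_url, service_url, ticket):
    """The back-channel URL Cas20ServiceTicketValidator requests from the Pentaho
    server. 'service' must be byte-identical to the value the browser was sent
    to CAS with (serviceProperties.service), otherwise CAS rejects the ticket."""
    return cas_server_url.rstrip("/") + "/serviceValidate?" + urlencode(
        {"service": service_url, "ticket": ticket})


def parse_service_validate(xml_text):
    """Parse a CAS 2.0 /serviceValidate body into a ValidationResult."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        user = success.findtext("cas:user", namespaces=CAS_NS)
        if user and user.strip():
            return ValidationResult(user.strip(), None, None)
        return ValidationResult(None, "INVALID_RESPONSE", "success element without cas:user")
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return ValidationResult(None, failure.get("code", "UNKNOWN"), (failure.text or "").strip())
    return ValidationResult(None, "INVALID_RESPONSE", "neither success nor failure element present")


def cas_login_outcome(xml_text, pentaho_users):
    """Where the browser ends up after the ticket check, mirroring what
    CasAuthenticationProvider does: a rejected ticket and a CAS user with no
    matching Pentaho account are both authentication failures."""
    result = parse_service_validate(xml_text)
    if result.failure_code is not None or result.user not in pentaho_users:
        return FAILURE_URL
    return DEFAULT_TARGET_URL


if __name__ == "__main__":
    print(validation_url(CAS_SERVER_URL, SERVICE_URL, "ST-0-EXAMPLE-cas"))
    print(parse_service_validate(SUCCESS_RESPONSE))
    print(parse_service_validate(FAILURE_RESPONSE))
    print(cas_login_outcome(SUCCESS_RESPONSE, {"jdoe"}),
          cas_login_outcome(SUCCESS_RESPONSE, {"admin"}))
```

Two practical consequences follow from this exchange: the CAS server URL in the ticketValidator bean is resolved on the Pentaho host (which is why an address that only works from outside an EC2 instance times out there), and a login that reaches /public/casFailed after a valid ticket almost always means the CAS username has no counterpart in Pentaho's own user list.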
Thanks for your tutorial!
However, after editing applicationContext-spring-security.xml as in your tutorial, I get an error when I start tomcat:
Caused by: org.springframework.beans.factory.CannotLoadBeanClassException: Cannot find class [org.springframework.security.ui.cas.CasProcessingFilter] for bean with name 'casProcessingFilter' defined in file [C:\Pentaho\biserver-ce\pentaho-solutions\system\applicationContext-spring-security.xml]; nested exception is java.lang.ClassNotFoundException: org.springframework.security.ui.cas.CasProcessingFilter
CasProcessingFilter. It exists in spring-security-cas-client-2.0.5.RELEASE.jar
Can you help me to fix this error?
Thanks
Quan
I downloaded the wrong jar file, so it couldn't find the class org.springframework.security.ui.cas.CasProcessingFilter.
Thanks
I ran into that same problem the first time I did this too. Not sure why later versions do not include the earlier version’s classes for the sake of deprecation, but the 2.0.5 is as recent as it can be.
I have this same problem, but I am using the correct jar file per the instructions. I am getting the same error.
Oddly enough, login with CAS works, so should I ignore this error?
I’ve confirmed that the jar file has CasProcessingFilter.class in it.
1. I ran Pentaho and it redirected to CAS page
2. Input username and password and click Login button
3. A ticket was generated and j_spring_cas_security_check was used to validate this ticket, as follows: http://localhost:8080/pentaho/j_spring_cas_security_check?ticket=ST-6-wAe7wrOoqa7a9gUOd60W-cas
However, at this step, I have an error:
java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
……
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
….
I added the private key entry to my JVM, but it didn’t resolve this problem
Can you help me to resolve this problem?
Thanks
Quan
This particular implementation shouldn’t require anything involving certs, as it explicitly avoids SSL for the sake of simplicity. If you’re getting errors related to it, then my first thought would be that you have an https URL in the applicationContext-spring-security.xml file. Barring that, you could just try activating the SSL in tomcat (http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html). My own setup when I last did this had SSL activated since I was also testing it with PHPcas, which requires an https URL, so that might be the reason why you are getting that error and I did not.
I plan on writing a follow up article to this one at some point that will get into setting up pentaho and CAS to use https, but for now try those suggestions.
Thanks Gerrit Goewey, I resolved it
I added certs for JVM and I resolved this problem
Regards
Quan
I have an error after I log in to CAS successfully:
it doesn't redirect to the Pentaho home page, it redirects to the page http://localhost:8080/pentaho/public/casFailed
Do I need to config LDAP for pentaho?
I resolved above problem
Hi quan,
I have the same problem.
After login via CAS, it redirects me to http://localhost:8080/pentaho/j_spring_cas_security_check?ticket=ST-1437649690-PHkea73PY6r1aDXeMO01zaIME2a5Dgkp and it says http://localhost:8080/pentaho/public/casFailed.
Can you please explain steps how you fixed this.
Thanks a lot.
Usually, ending up at the casFailed page is due to the username used to log into CAS not existing in Pentaho. I talk about it a bit more in my follow-up notes post (https://www.datamensional.com/2012/02/pentaho-sso-with-cas-and-ldap-tips-and-notes/) but basically, make sure anybody who is supposed to have access to Pentaho has their username stored in Pentaho.
Hey Gerrit ,
Thanks a lot for a quick reply.
I referred to your blog about tips and notes and tried it, but it didn't really fix my problem.
I am using django-mama-cas as a CAS server.
I already have the user in it which I have in Pentaho, and also gave privileges to users like admin, BA.
I am using biserver-ce-5.1.
Is LDAP really required?
Is it really a version issue?
Looking forward to your precious help.
Thanks a lot
When I made my original CAS implementation it was for a client so they could use their internal LDAP with Pentaho and other web applications. Any protocol that the CAS server can accept should be fine though. As far as version, the main jasig CAS client is the one officially supported by Pentaho. This doesn’t mean that another version won’t work, but you will probably need a different version of the spring security client that can communicate with that version of the server. My best advice is to look at the documentation on the specific CAS server and look for anything that varies from my instructions here. Sorry I can’t give you a more specific solution, but good luck!
I don’t understand key property. Can you help me to explain key property?
Thanks
Quan
I have an error after I log in to CAS successfully:
it doesn't redirect to the Pentaho home page, it redirects to the page http://localhost:8080/pentaho/public/casFailed
Do I need to config LDAP for pentaho?
This is a result of having a valid login in LDAP without an equivalent user within Pentaho. If you add that user with the Authenticated or higher role in the enterprise or admin console, they will no longer go to the casFailed page.
So how do we achieve automatic mapping of roles in LDAP to Pentaho? The reason I am asking is that if you have more than 1000 users you should not create them in Pentaho manually; there must be some mechanism which would pull the users and roles into Pentaho.
Please guide me for the above scenario: what files do I need to go and change, or write custom code in?
Thanks,
Amit
Hi Amit,
in my post I included a link to an ETL I designed to do just that. There may be a more integrated way of transferring users, but I haven’t come across it yet personally.
Thanks Gerrit for your reply,
Another thing I am desperate to know: suppose that instead of a CAS server I am using another third-party server called Quest One for authorization; then how do I do the authorization? What files do I need to work on? If you have integrated Pentaho with a different third-party server and
could please share any knowledge, that would be really great.
I followed the steps and implemented CAS with LDAP in Pentaho. Now whenever I open http://localhost:8080/pentaho I am redirected to the CAS page, and after authentication I am redirected back to Pentaho. I want to know what the role of LDAP is here, and how to verify whether the LDAP server is working or not.
When LDAP is working, you can go into the equivalent user inside of the Enterprise console and change the password without it actually affecting the password you use to log in, since that is being supplied by LDAP. Do keep in mind that an equivalent user with a role assigned does have to exist within Pentaho for the sake of granting access to the directories and solutions that are on there. Of course, if you have thousands of potential users, setting them all up through the enterprise console is impractical. That is a subject for the sequel though.
Problem: error in sending client credentials to Pentaho from a servlet through the CAS server.
Earlier, when I had not integrated Pentaho Community Edition with CAS, I used to send client credentials to Pentaho from a servlet directly.
Code snippet below:
import org.apache.commons.httpclient.Credentials;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.UsernamePasswordCredentials;
Credentials defaultcreds = new UsernamePasswordCredentials("USER_NAME", "PASSWORD");
HttpClient client = new HttpClient();
client.getState().setCredentials(null, null, defaultcreds);
client.getState().setAuthenticationPreemptive(true);
And I am also calling the Pentaho server directly from this servlet; code snippet below:
else if (request.getParameter("mode") != null && request.getParameter("mode").equals("MY_MODE"))
{
    String pentahoServerURL = "http://192.123.19.27:8082";
It was working fine, but since I integrated Pentaho with the CAS server it's not working; I am unable to see the report, and instead it shows this error:
HTTP Status 401 – No AuthenticationProvider found for org.springframework.security.providers.UsernamePasswordAuthenticationToken
type Status report
message No AuthenticationProvider found for org.springframework.security.providers.UsernamePasswordAuthenticationToken
description This request requires HTTP authentication (No AuthenticationProvider found for org.springframework.security.providers.UsernamePasswordAuthenticationToken).
Apache Tomcat/6.0.29
When I open the page http://localhost:8082/pentaho, the page is redirected to the CAS authentication page; when I enter the right username and password, it redirects again to the Pentaho page and I am able to access Pentaho.
Please help me out.
I am trying to send the credentials to an SSO-enabled Pentaho server from a Java file, but I am getting an error, HTTP status code 302.
The contents of the Java file are:
import org.apache.commons.httpclient.Credentials;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.UsernamePasswordCredentials;
String pentahoServerURL = "http://localhost:8081";
Credentials defaultcreds = new UsernamePasswordCredentials("username", "password");
HttpClient client = new HttpClient();
client.getState().setCredentials(null, null, defaultcreds);
response.setHeader("content", "0;URL=http://localhost:8081/pentaho");
Hi karan,
Sorry for not getting back to your questions sooner. I have not tried to send credentials to pentaho directly through a servlet before, so I’m afraid I can’t give too much advice specifically on this problem yet. My gut feeling on this matter is that since integrating with CAS effectively disables pentaho’s own login methods, you will probably have to send the credentials to the CAS server instead to authenticate. As long as the servlet can properly store the security ticket information to hand off to Pentaho, you should be able to do this. The CAS homepage (http://www.jasig.org/cas) is probably the best place to start for more information on how to do this.
Hi Gerrit,
Thanks for replying, but I am already sending the credentials to the CAS (Central Authentication Service) server through a servlet.
The process which is happening is:
I am calling the URL of Pentaho by the URL request; now, because CAS is integrated with Pentaho, the credentials should go to the CAS page instead, and after authenticating, control should be redirected to the Pentaho page for any further processing.
Step by step process:
Earlier I was downloading a Pentaho report by sending credentials to the Pentaho page through the HttpClient credentials method from a servlet, which was working perfectly.
Now I have integrated the CAS server with Pentaho; when I manually open the Pentaho page it is redirected to the CAS page, and when I key in the credentials, the page redirects back to the Pentaho page successfully.
BUT when I pass the credentials through a servlet, there is an error code at my console, i.e. status code 302 is printed.
When I read about status code 302, I learned that it happens when we are going to URL A which is redirected to URL B, which in turn is redirected again to URL A. I'd like to say that this is what is happening, i.e. when I am calling a Pentaho page (URL A) it is redirected to the CAS page (URL B) which in turn, after authentication, is redirected back to the Pentaho page (URL A), so I am stuck at this point.
Gimme an escape route... :)
thank you.
KARAN
Hi Karan,
I asked someone that I set up CAS with once about this issue, and he told me that the commented out bean “daoAuthenticationProvider” found in applicationContext-spring-security.xml may be able to fix this issue. Uncomment it and see what happens. Sorry that I don’t have a more definitive answer, but the solution will most likely be related to that.
hi Gerrit,
Thanks for the reply, but I changed many things in my applicationContext-spring-security.xml and it didn't work out in the end :(. If it's possible, could you please give me the contents of your applicationContext-spring-security.xml? It would be very encouraging and helpful.
Thanks for your help.
Karan
Hi
Thanks a lot for this blog. As a complement of information: to publish from Report Designer to a cassified BISERVER it is necessary to uncomment
ref bean="daoAuthenticationProvider"
in applicationContext-spring-security.xml.
Patrick
hi patrick,
When I uncomment daoAuthenticationProvider in applicationContext-spring-security.xml, HTTP STATUS 404 is coming:
description - The requested resource () is not available.
hi,
My CAS implementation is perfect, and the process works manually, but when I do it in an automated way using a servlet it gives the error
HTTP Status 401 – No AuthenticationProvider found for org.springframework.security.providers.UsernamePasswordAuthenticationToken
🙁
Hi, I am trying to integrate Spring saml 2 module with Pentaho BI. Is this possible? If so, where should I make changes? I am new to this.
Hi venkat,
Since the Pentaho BI server is built around the Spring Framework, I don’t see any reason why you wouldn’t be able to integrate it somehow. All of the XML files that define all of the bean configurations are found in the pentaho-solutions/system directory. The main one that has the include statements for all of the others is pentaho-spring-beans.xml, so that would be the best place to start looking, as many of the files are meant to be swapped out completely for different configurations, so you will want to start there to make sure you’re looking at a file that is actually being used. Since I’m yet to try something like that myself, all I can say is good luck!
Hi. My problem is in the next section:
It tells me:
Unable to determine that the supplied credentials are authentic. But I am sure that the username and password are correct.
How should I configure the previous bean?
Thank you
Hi,
Please help me.
I followed exactly the steps above. CAS server starts but server Pentaho does not. “Error: HTTP Status 404” .
Thank you.
Hi,
Please help me with a solution.
I followed the steps above for Pentaho 4.5. The CAS server started but Pentaho did not.
Error: HTTP Status 404
type Status report
message
The description Requested resource () is not available.
Apache Tomcat/6.0.29
Thank you.
Hi, I am using Pentaho EE 6.1.0. I included the same version jars in the specified directory but it throws exceptions:
org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘casProcessingFilter’ defined in file [/home/myuser/Pentaho/server/biserver-ee/pentaho-solutions/system/applicationContext-spring-security.xml]:
Cannot resolve reference to bean ‘authenticationManager’ while setting bean property ‘authenticationManager’.
Please guide me about what I am missing. Waiting for your early reply.
Thanks