Single Sign-On (SSO) on Pentaho Community Edition using CAS


 

You can have lots of different systems which are used by corporate users, customers and providers, so managing users for all those systems started to be quite complicated. So we decided to implement CAS as our single sign-on solution.

We started integrating CAS with some of our internal websites (mostly written in .NET), then we integrated it with several corporate WordPress blogs, and after a customer request, we integrated it with our business intelligence solution, Pentaho.

We are using the Community Edition of Pentaho, and the documentation for integrating CAS and Pentaho is only available for the Enterprise Edition. So after some googling and some Spring magic, we have our SSO working with Pentaho. Please note that this tutorial doesn’t cover the installation and configuration of CAS, and that we have tried this on Pentaho Community Edition 3.10.0-STABLE, but it will probably work on other versions.

This is how we did it:

1. Download the required CAS and Spring Security libraries and add them to Pentaho:

– Download spring-security-cas-client-2.0.5.RELEASE.jar
– Download cas-client-core-3.2.1.jar
– Copy both jars to biserver-ce/tomcat/webapps/pentaho/WEB-INF/

2. Create the CAS configuration file applicationContext-spring-security-cas.xml

Create the file applicationContext-spring-security-cas.xml in biserver-ce/pentaho-solutions/system/ with this content:

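<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springsource.org/dtd/spring-beans.dtd">

<!-- Most class attributes are absent from this listing. They are filled in here
     with the Spring Security 2.0.x and CAS client 3.x classes that match each
     bean id; check them against the jars from step 1. -->
<beans default-autowire="no" default-dependency-check="none"
       default-lazy-init="false">

  <bean id="filterChainProxy"
        class="org.springframework.security.util.FilterChainProxy"
        autowire="default" dependency-check="default" lazy-init="default">
    <property name="filterInvocationDefinitionSource">
      <value>
<![CDATA[CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**=securityContextHolderAwareRequestFilter,httpSessionContextIntegrationFilter,logoutFilter,casProcessingFilter,basicProcessingFilter,requestParameterProcessingFilter,anonymousProcessingFilter,pentahoSecurityStartupFilter,exceptionTranslationFilter,filterInvocationInterceptor,casSingleSignOutFilter]]>
      </value>
    </property>
  </bean>

  <bean id="serviceProperties"
        class="org.springframework.security.ui.cas.ServiceProperties"
        autowire="default" dependency-check="default" lazy-init="default">
    <!-- ServiceProperties requires a service URL, which the listing does not show.
         Assumed value: the Pentaho URL followed by the filterProcessesUrl below. -->
    <property name="service" value="http://localhost:8080/pentaho/j_spring_cas_security_check" />
    <property name="sendRenew" value="false" />
  </bean>

  <bean id="casProcessingFilter"
        class="org.springframework.security.ui.cas.CasProcessingFilter"
        autowire="default" dependency-check="default" lazy-init="default">
    <property name="authenticationManager">
      <ref bean="authenticationManager" />
    </property>
    <property name="authenticationFailureUrl" value="/Login?login_error=2" />
    <property name="defaultTargetUrl" value="/" />
    <property name="filterProcessesUrl" value="/j_spring_cas_security_check" />
  </bean>

  <bean id="casSingleSignOutFilter"
        class="org.jasig.cas.client.session.SingleSignOutFilter" />

  <bean id="casSingleSignOutHttpSessionListener"
        class="org.jasig.cas.client.session.SingleSignOutHttpSessionListener" />

  <bean id="exceptionTranslationFilter"
        class="org.springframework.security.ui.ExceptionTranslationFilter"
        autowire="default" dependency-check="default" lazy-init="default">
    <property name="authenticationEntryPoint">
      <ref local="casProcessingFilterEntryPoint" />
    </property>
    <property name="accessDeniedHandler">
      <bean class="org.springframework.security.ui.AccessDeniedHandlerImpl" />
    </property>
  </bean>

  <!-- The URLs below point at a local test CAS over plain HTTP; use the https://
       address of your CAS server when it runs on another machine (see step 4). -->
  <bean id="casProcessingFilterEntryPoint"
        class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint"
        autowire="default" dependency-check="default" lazy-init="default">
    <property name="loginUrl" value="http://localhost:8080/cas/login" />
    <property name="serviceProperties">
      <ref local="serviceProperties" />
    </property>
  </bean>

  <bean id="authenticationManager"
        class="org.springframework.security.providers.ProviderManager"
        autowire="default" dependency-check="default" lazy-init="default">
    <property name="providers">
      <list>
        <ref bean="anonymousAuthenticationProvider" />
        <ref bean="casAuthenticationProvider" />
      </list>
    </property>
  </bean>

  <bean id="casAuthenticationProvider"
        class="org.springframework.security.providers.cas.CasAuthenticationProvider">
    <property name="userDetailsService">
      <ref bean="userDetailsService" />
    </property>
    <property name="serviceProperties">
      <ref local="serviceProperties" />
    </property>
    <property name="ticketValidator">
      <ref local="ticketValidator" />
    </property>
    <!-- Placeholder: replace with your own value. -->
    <property name="key" value="my_password_for_this_auth_provider_only" />
  </bean>

  <bean id="ticketValidator"
        class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator"
        autowire="default" dependency-check="default" lazy-init="default">
    <constructor-arg index="0" value="http://localhost:8080/cas" />
  </bean>

  <bean id="logoutFilter"
        class="org.springframework.security.ui.logout.LogoutFilter"
        autowire="default" dependency-check="default" lazy-init="default">
    <!-- LogoutFilter takes the logout success URL as its first argument; the
         listing does not show one, so /index.jsp here is a placeholder. -->
    <constructor-arg value="/index.jsp" />
    <constructor-arg>
      <list>
        <!-- Handler classes assumed from Pentaho's stock logoutFilter definition. -->
        <bean class="org.pentaho.platform.web.http.security.PentahoLogoutHandler" />
        <bean class="org.springframework.security.ui.logout.SecurityContextLogoutHandler" />
      </list>
    </constructor-arg>
    <property name="filterProcessesUrl" value="/Logout" />
  </bean>

</beans>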

You should change the URLs in this file to match your Pentaho and CAS installation.
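
A pre-restart check for this file, as an added example that is not part of the original post: it reports bean definitions that have no class, parent or factory-bean attribute (which Spring rejects at context start-up) and CAS URLs that use plain HTTP. The function name and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attributes that let Spring work out what type a <bean> is.
TYPE_ATTRS = ("class", "parent", "factory-bean")

# Constructed sample in the shape of applicationContext-spring-security-cas.xml.
SAMPLE = """<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springsource.org/dtd/spring-beans.dtd">
<beans>
  <bean id="casSingleSignOutFilter" />
  <bean id="exceptionTranslationFilter"
        class="org.springframework.security.ui.ExceptionTranslationFilter">
    <property name="accessDeniedHandler">
      <bean />
    </property>
  </bean>
  <bean id="ticketValidator"
        class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
    <constructor-arg index="0" value="http://localhost:8080/cas" />
  </bean>
</beans>"""


def lint_cas_context(xml_text):
    """Return (location, problem) pairs for a Spring beans file, in document order."""
    findings = []

    def visit(elem, path):
        if elem.tag == "bean":
            path = path + [elem.get("id") or "(inner bean)"]
            if not any(elem.get(attr) for attr in TYPE_ATTRS):
                findings.append((" -> ".join(path), "no class, parent or factory-bean"))
        elif elem.tag in ("property", "constructor-arg"):
            path = path + [elem.get("name") or "constructor-arg"]
            # The value may be an attribute or a nested <value> element.
            value = (elem.get("value") or elem.findtext("value") or "").strip()
            if value.lower().startswith("http://"):
                findings.append((" -> ".join(path), "plain-HTTP URL: " + value))
        for child in elem:
            visit(child, path)

    visit(ET.fromstring(xml_text), [])
    return findings


if __name__ == "__main__":
    for location, problem in lint_cas_context(SAMPLE):
        print(location + ": " + problem)
```

To check the real file, pass its contents read as bytes, for example `lint_cas_context(open(path, "rb").read())`.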

3. Edit pentaho-spring-beans.xml:

Edit the file biserver-ce/pentaho-solutions/system/pentaho-spring-beans.xml to make it look like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springsource.org/dtd/spring-beans.dtd">
 
<beans>
<import resource="pentahoSystemConfig.xml" />
<import resource="adminPlugins.xml" />
<import resource="systemListeners.xml" />
<import resource="sessionStartupActions.xml" />
<import resource="applicationContext-spring-security.xml" />
<import resource="applicationContext-spring-security-cas.xml" />
<import resource="applicationContext-common-authorization.xml" />
<import resource="applicationContext-spring-security-hibernate.xml" />
<import resource="applicationContext-pentaho-security-hibernate.xml" />
<import resource="pentahoObjects.spring.xml" />
</beans>

Please note that we’ve added applicationContext-spring-security-cas.xml after applicationContext-spring-security.xml.

4. Add the CAS certificate to the Java keystore on the Pentaho server

If your CAS server is not running on the same machine as your Pentaho installation, you will need to import its certificate into the Java VM installation.

– Copy your .cert or .pem to the Pentaho machine.
– Execute keytool -import -trustcacerts -file your_cert.crt -alias CAS -keystore /usr/lib/jvm/java-6-sun/jre/lib/security/cacerts

Replace the certificate filename and the JRE path with the ones for your installation.

5. Add users to the Pentaho database

Unfortunately, you will have to add users to the Pentaho database (or through the administration console). The only thing you have to keep in mind is that the username in Pentaho has to be the same as the username in CAS.

6. Restart Pentaho and enjoy

After restarting Pentaho, when you try to access it you will be redirected to the CAS login form.

7 thoughts on “Single Sign-On (SSO) on Pentaho Community Edition using CAS”

  1. Thank you very much for posting this. It was very useful. The problem I found with your post is that the “class” attribute is missing from all of the beans in your Spring config XML.

  2. Hi, thank you for the post. It’s really nice. However I’m having problems after editing my applicationContext-spring-security-cas.xml file. I can open the CAS console but not the User console.
    “Error: HTTP Status-404
    type Status report
    message
    The description Requested resource () is not available.
    Apache Tomcat/6.0.29”
    Can anybody help me? Thank you

  3. Hi, I am trying to configure Pentaho-5.0 with CAS-4.0.
    As Ken already mentioned problem with applicationContext-spring-security-cas.xml file you are missing class definition in various beans which is giving errors. e.g.

    2015-05-27 07:56:17,529 ERROR [org.springframework.web.context.ContextLoader] Context initialization failed
    org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Failed to import bean definitions from relative location [applicationContext-spring-security-cas.xml]
    Offending resource: file [/mnt/biserver-ce/pentaho-solutions/system/pentaho-spring-beans.xml]; nested exception is org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Unexpected failure during bean definition parsing
    Offending resource: file [/mnt/biserver-ce/pentaho-solutions/system/applicationContext-spring-security-cas.xml]
    Bean ‘exceptionTranslationFilter’; nested exception is org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Unnamed bean definition specifies neither ‘class’ nor ‘parent’ nor ‘factory-bean’ – can’t generate bean name
    Offending resource: file [/mnt/biserver-ce/pentaho-solutions/system/applicationContext-spring-security-cas.xml]
    Bean ‘exceptionTranslationFilter’
    -> Property ‘accessDeniedHandler’

    I am not a JAVA/SPRING expert so trying to figure out class definition from commercial Pentaho config files for property “accessDeniedHandler” in “accessDeniedHandler” bean.
