#1 2014-10-22 12:58:28

tomharney
Member
Registered: 2014-03-11

Authentication Pass-through

Is it possible to create an authentication pass-through to ReportServer to auto login a user by adding a url parameter?

For example:  http://demo.raas.datenwerke.net/ReportS … abelincoln

I would prefer to keep the standard login available in addition to a pass-through.

What if I wanted to trust the application sending the request and not send the password, only the username?   I would prefer not to exchange passwords across the application.

It's not clear to me how I would force create a user session for that username.   Essentially, I want to create a seamless experience for my user.   They will log into another application and when they need to run a report I want them to be able to click on a link that opens a new window, sending them to ReportServer and automagically log them in.

Last edited by tomharney (2014-10-22 20:28:35)

Offline

#2 2014-10-23 10:29:58

Thorsten J. Krause
Guest

Re: Authentication Pass-through

Hi Tom,

this can be done rather easily with a script (that is accessible via url) that simply sets the current user. But keep in mind that such a script could be invoked by anyone who knows the right url.

The textbook approach to this problem would be to implement some kind of single-sign-on system. CAS (http://jasig.github.io/cas/4.0.0/index.html) for example we know works well with reportserver. If you dont't want to set up another system, but have some control over the application that redirects to reportserver you could also implement something simpler: The link to reportserver your application presents to the user contains a token-value. If a user accesses reportserver via such a link reportserver establishes a connection (not passing through the clients browser) directly to your application and validates the token. On success the user is logged in.

I hope that gives you an idea on what to do.

Cheers, 
Thorsten

#3 2014-10-23 19:47:24

tomharney
Member
Registered: 2014-03-11

Re: Authentication Pass-through

I'll consider the single-sign-on solution.  I would honestly prefer to go that route.   In the mean time, I need something that just works.  I'm not understanding the architecture of ReportServer.  I know it's Java based but I don't see how to set the current user.  Can you provide an example?   Is it in the login script (in groovy) for LDAP authentication?  If you could point me in the right direction, I'm sure I could figure it out.   I'd be happy to share my results with the community.

Offline

#4 2014-10-24 02:50:33

marcosfilho
Member
Registered: 2014-08-04

Re: Authentication Pass-through

Hi Tom,

We are using reportserver in my company and I had the same questions before.

you can take a look at this article. it is going to give you an idea: http://blog.datenwerke.net/2013/08/Repo … ation.html

also Im going to share a script that I used to bypass a user as an example

go to filesystem/bin/tmp/ and create a file called hook_user.groovy
upload the following content:

package pam

import net.datenwerke.rs.authenticator.client.login.dto.UserPasswordAuthToken
import net.datenwerke.rs.authenticator.client.login.pam.UserPasswordClientPAM
import net.datenwerke.security.client.login.AuthToken
import net.datenwerke.security.service.authenticator.AuthenticationResult
import net.datenwerke.security.service.authenticator.ReportServerPAM
import net.datenwerke.security.service.authenticator.hooks.PAMHook
import net.datenwerke.security.service.usermanager.UserManagerService
import net.datenwerke.security.service.usermanager.entities.User



import com.google.inject.Inject



final ShiroPAM shiroPAM = GLOBALS.injector.getInstance(ShiroPAM.class);
GLOBALS.services.callbackRegistry.attachHook("SHIRO_PAM", PAMHook.class, new PAMHook(){
	
	public void beforeStaticPamConfig(LinkedHashSet<ReportServerPAM> pams){
		pams.add(shiroPAM);
	}
	public void afterStaticPamConfig(LinkedHashSet<ReportServerPAM> pams){
		
	}
	
});


public class ShiroPAM implements ReportServerPAM {
	
	private final UserManagerService userManagerService;

	@Inject
	public ShiroPAM(UserManagerService userManagerService) {
		this.userManagerService = userManagerService;
	}
	
	@Override
	public AuthenticationResult authenticate(AuthToken[] tokens) {

        // So if you have an SSO solution, this authenticate method will be your point of extension. 

        String username = "root";
		
    	return new AuthenticationResult(true, userManagerService.getUserByName(username),true);
		
	}

	@Override
	public String getClientModuleName() {
		return null;
	}
}

- After that, open the terminal (ctrl + shift + t)
then:
cd filesystem/bin/tmp/
then:
exec -g hook_user.groovy

open a second browser and access reportserver. at this point you should be automatically logged as root.

ps: this works in the version RS2.2.0-5588-2014-10-14-18-13-40

I hope it helps  you

Last edited by marcosfilho (2014-10-28 01:06:52)

Offline

Board footer

Powered by FluxBB