Customizing Security in Deployment Kit

averma
edited February 11, 2022 in Analytics #1
Introducing Deployment Kit security
By default, Deployment Kit provides a basic security mechanism for authentication and authorization. The default authentication module uses Tomcat to manage users that have access to Deployment Kit. These users can be administered easily using the Deployment Kit Administration Tool. The authorization module determines what folders and reports a user has access to. In the default configuration, a user has a home folder that only he can view, and a public folder that is shared by everyone.
Although this is sufficient for many needs, customers that wish to leverage their existing security solutions to handle authentication can create an iPortal Security Adaptor (IPSA). The class that implements the IPSA is defined by the SECURITY_ADAPTER_CLASS parameter in the application’s web.xml. When the Deployment Kit is configured to run using an IPSA, the IPSA is called when it receives a request from a user whose session has not been authenticated. The IPSA is responsible for providing the username, their home folder, extended credentials, etc. Some customers get this information from existing session context, others use encrypted cookies, and others have their own custom approach. The Deployment Kit passes the information gathered by the IPSA to the AccessManager. The AccessManager is the authorization piece that is ultimately responsible for controlling access to folders and reports.

Understanding Deployment Kit authentication and authorization
The class that implements the access manager is defined by the STANDALONE_ACCESS_MANAGER context parameter in the web.xml file (this file can be found under the WEB-INF folder in your deployment). This class must implement com.actuate.iportal.security.AccessManager and should have the following methods defined in it:

  • authenticate – The Login module calls this method to validate the current user’s security credentials. The Login module passes it the values of its user name, password, and environment attributes. authenticate( ) retrieves the credentials parameter sent by the browser to the calling page. The method should throw a SecurityException if the credentials don’t match.
  • checkPermission – This method validates that the current user can perform the requested operation on a file/folder. To properly deny access it should throw an AccessControlException.
  • logout – Performs any desired clean-up operations.

Setting up custom security manager application
This example implementation of Deployment Kit security contains an ExampleCorpAdmin web application used to manage users, roles and directories. It uses a MySQL database to store all the information in the following tables:

  • user – Stores username and password for all the users
  • role – Stores all the roles
  • directory – Stores the directories (relative to STANDALONE_REPOSITORY_PATH defined in web.xml)
  • user_role – Defines the association between user and role
  • directory_role – Defines association between role and directories

Perform the following steps to set up the custom security manager application:

  1. Copy mysql-connector-java-com-3.1.10-bin.jar to the Server common lib folder (C:\Program Files\Actuate9\iPortal\common\lib).
  2. Copy ExampleCorpAdmin.war to your “C:\Program Files\Actuate9\iPortal\webapps” folder. This deploys the web application in the Tomcat container that comes with Deployment Kit. This application is based on Struts 1.2 standards and can be deployed in any application server of your choice that supports this framework.
  3. To set up the MySQL database instance you can either issue commands through the MySQL command line utility or use the MySQL Administrator.
    If you are using the command line, launch the mysql utility, giving the name (and password, if needed) of a user with permission to create databases. For example, to use the default root user: % mysql --user=root --password=mypassword. Then issue the command: source iPortalDbBackup.sql.
    When using the MySQL Administrator, click on Restore and specify iPortalDbBackup.sql as the file to restore from. Click on Start Restore.
  4. This will create a new db instance “iportal” in your database.
  5. Test your deployment by going to the following URL in your web browser: http://localhost:8700/ExampleCorpAdmin
  6. You should see the following screen
  7. You can click on any of these hyperlinks to manage users, roles and directories respectively.
  8. The above instructions assume that you did a typical install of Deployment Kit on a local machine running MySQL server. They also assume that you are running the MySQL database on a standard port on the same machine (i.e. localhost). If you would like to use a different database you will need to change the data source parameters in web.xml.

Setting up the example AccessManager in your existing Deployment Kit
The AccessManager is responsible for authentication and authorization of users. The file custom_ipsa.jar contains a sample implementation (ExampleCorpSecurityAccessManager). Follow these instructions to use this implementation of security in your Deployment Kit application.

  1. Copy custom_ipsa.jar to your iportal WEB-INF\lib folder (for a typical install it can be found in C:\Program Files\Actuate9\iPortal\webapps\iportal\WEB-INF).
  2. Create a META-INF directory in the iPortal web application directory and then copy context.xml to the directory (for a typical install the directory should be created in C:\Program Files\Actuate9\iPortal\webapps\iportal). This file has data source settings and assumes a standard MySQL server as the database server running on the same machine as Deployment Kit. Make changes to this file if you want to configure Deployment Kit to use different database settings. Note: You will need to edit this file to include the proper username and password for database access.
  3. Edit web.xml and set the value for the STANDALONE_ACCESS_MANAGER parameter to com.actuate.jrd.security.ExampleCorpSecurityAccessManager
  4. From the Services control panel, restart the Deployment Kit server.
  5. After the service has restarted, log in to Deployment Kit using bill/actuate. (The user bill is defined in the database you had already set up in the previous step.)

Ashwini
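
The checkPermission contract and the user_role / directory_role mapping described in the post, shown as an added example that is not part of the original post or of custom_ipsa.jar. It is a stand-alone sketch of the decision logic only and does not implement com.actuate.iportal.security.AccessManager, whose method signatures are not shown on the page. Assumptions: the class name, the in-memory sample data (constructed), and the rule that a grant on a directory also covers its subfolders.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.AccessControlException;
import java.util.Map;
import java.util.Set;

// Hypothetical helper: the decision a checkPermission implementation could delegate to.
public class DirectoryRoleCheck {
    // Constructed sample rows standing in for the user_role and directory_role tables.
    static final Map<String, Set<String>> USER_ROLE = Map.of(
        "bill", Set.of("sales"));
    static final Map<String, Set<String>> DIRECTORY_ROLE = Map.of(
        "reports/sales", Set.of("sales"),
        "reports/finance", Set.of("finance"));

    // Throws AccessControlException unless one of the user's roles is granted on the
    // requested directory or one of its ancestors (inheritance is an assumption here).
    static void checkPermission(String user, String requested) {
        // Resolve "." and ".." before matching, so the check sees the real target.
        Path p = Paths.get(requested).normalize();
        // Paths are relative to the repository root: reject rooted paths and escapes.
        if (p.getRoot() != null || p.startsWith("..")) {
            throw new AccessControlException("path escapes repository: " + requested);
        }
        Set<String> roles = USER_ROLE.getOrDefault(user, Set.of());
        for (Path dir = p; dir != null; dir = dir.getParent()) {
            String key = dir.toString().replace('\\', '/');
            Set<String> granted = DIRECTORY_ROLE.getOrDefault(key, Set.of());
            for (String role : roles) {
                if (granted.contains(role)) {
                    return; // a role shared by user and directory: allow
                }
            }
        }
        // Default deny: unknown user, unknown directory, or no shared role.
        throw new AccessControlException("denied: " + user + " -> " + requested);
    }

    static boolean allowed(String user, String path) {
        try { checkPermission(user, path); return true; }
        catch (AccessControlException e) { return false; }
    }

    public static void main(String[] args) {
        System.out.println(allowed("bill", "reports/sales/q1"));
        System.out.println(allowed("bill", "reports/finance/q1"));
        System.out.println(allowed("bill", "reports/sales/../finance/q1"));
        System.out.println(allowed("alice", "reports/sales"));
    }
}
```

Only the first call in main is allowed; the third shows why the path is normalized before the role lookup rather than matched as a raw string.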