Pentaho Documentation

Remove Security by Allowing Anonymous Access

You can bypass the built-in security on the BA Server by giving all permissions to anonymous users. An "anonymousUser" is any user, either existing or newly created, that you specify as an all-permissions, no-login user, and to whom you grant the Anonymous role.

The procedure below will grant full BA Server access to the Anonymous role and never require a login.

All of the files that you will be working with are located in the /pentaho/server/biserver-ee/pentaho-solutions/system directory. Before you begin, stop the BA Server.

applicationContext-spring-security.xml

  1. Open the applicationContext-spring-security.xml file with any text editor.
  2. Make sure that a default anonymous role is defined. Match your bean definition and property value to the example below.
    <bean id="anonymousProcessingFilter" class="org.springframework.security.providers.anonymous.AnonymousProcessingFilter">
    <!-- omitted -->
        <property name="userAttribute" value="anonymousUser,Anonymous" />
    </bean>
    

These next steps allow Pentaho client tools to publish to the BA Server without having to supply a user name and password.

  1. Find these two beans in the same file from the previous step.
    • filterInvocationInterceptor
    • filterInvocationInterceptorForWS
  2. Locate the objectDefinitionSource properties inside the beans and match the contents to this code example.

Make sure that there is a carriage return between COMPARISON and \A/ as shown below.

<bean id="filterInvocationInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager">
        <ref local="authenticationManager" />
    </property>
    <property name="accessDecisionManager">
        <ref local="httpRequestAccessDecisionManager" />
    </property>
    <property name="objectDefinitionSource">
        <value>
            <![CDATA[ CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
\A/.*\Z=Anonymous,Authenticated ]]> </value>
    </property>
</bean>
  3. Save and close the applicationContext-spring-security.xml file.
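
To check which URL rules a given applicationContext-spring-security.xml hands to the Anonymous role, the following added example (not Pentaho's own code) parses the objectDefinitionSource values described above, reports each rule that grants the role, and flags a missing line break after CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON. The function name audit_url_rules, the probe paths and the sample XML are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

DIRECTIVE = "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON"
# Constructed probe paths (assumptions) used to decide whether a rule is a catch-all.
PROBES = ["/home", "/api/repos/files", "/admin/settings.jsp"]

def local(tag):
    return tag.rsplit("}", 1)[-1]  # strip an XML namespace if <beans> declares one

def audit_url_rules(xml_text, role="Anonymous"):
    """Return (bean id, finding, rule line) for each URL rule that grants `role`."""
    findings = []
    for bean in ET.fromstring(xml_text).iter():
        if local(bean.tag) != "bean":
            continue
        for prop in bean:
            if local(prop.tag) != "property" or prop.get("name") != "objectDefinitionSource":
                continue
            for line in "".join(prop.itertext()).splitlines():
                line = line.strip()
                if not line or line == DIRECTIVE:
                    continue
                if line.startswith(DIRECTIVE):
                    # No line break between the directive and the first rule.
                    findings.append((bean.get("id"), "directive-not-on-own-line", line))
                    continue
                pattern, _, roles = line.rpartition("=")
                if role not in [r.strip() for r in roles.split(",")]:
                    continue
                try:
                    everything = all(re.fullmatch(pattern, p) for p in PROBES)
                except re.error:
                    everything = False  # pattern is not valid for Python's re module
                findings.append((bean.get("id"), "catch-all" if everything else "scoped", line))
    return findings

# Constructed sample: the first bean mirrors the page, the second has a broken layout.
SAMPLE = r"""<beans>
  <bean id="filterInvocationInterceptor">
    <property name="objectDefinitionSource"><value><![CDATA[ CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
\A/.*\Z=Anonymous,Authenticated ]]> </value></property>
  </bean>
  <bean id="filterInvocationInterceptorForWS">
    <property name="objectDefinitionSource"><value><![CDATA[
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON \A/login.*\Z=Anonymous ]]></value></property>
  </bean>
</beans>"""

if __name__ == "__main__":
    print(*audit_url_rules(SAMPLE), sep="\n")
```

A "catch-all" finding on either interceptor bean means every request path is reachable without a login.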

pentaho.xml

  1. Open the pentaho.xml file with the text editor.
  2. Find the anonymous-authentication lines of the pentaho-system section, and define the anonymous user and role.
    <pentaho-system>
    <!-- omitted -->
        <anonymous-authentication>
            <anonymous-user>anonymousUser</anonymous-user>
            <anonymous-role>Anonymous</anonymous-role>
        </anonymous-authentication> <!-- omitted -->
    </pentaho-system>
    
  3. Save and close the pentaho.xml file.

repository.spring.properties

  1. Open the repository.spring.properties file with the text editor.
  2. Find the singleTenantAdminAuthorityName and replace the value with Anonymous.
  3. Find the singleTenantAdminUserName and replace the value with the name <your anonymous user>.
  4. Save the file and close the text editor.

pentahoObjects.spring.xml

  1. Find all references to the bean id="Mondrian-UserRoleMapper" and make sure that the only one that is uncommented (active) is this one:
<bean id="Mondrian-UserRoleMapper"
        name="Mondrian-SampleUserSession-UserRoleMapper"
        class="org.pentaho.platform.plugin.action.mondrian.mapper.MondrianUserSessionUserRoleListMapper"
        scope="singleton">
    <property name="sessionProperty" value="MondrianUserRoles" />
</bean>

If you have made any changes to pentahoObjects.spring.xml, save and close the file.

You have now effectively worked around the security features of the BA Server. If you are using the relational metadata database model, refer to Remove Security from Metadata Domain Repository for the next few steps.