Skip to main content
Pentaho Documentation

Set Up Multiple Authentication Providers

Spring security is a cascading security implementation that moves down through a list of security providers. If the first provider fails to authenticate, then the application looks to the next provider in the list to authenticate. If you are using multiple AuthenticationProviders at the same time, you must add each security provider to the applicationContext.spring.security.xml file. You must also add provider name values to the activeUserDetailsService beans in the pentahoObjects.spring.xml file. We recommend that you make a backup of these files before altering them.

ApplicationContext

Perform the following steps to add security providers to the ApplicationContext: 

  1. Stop the Pentaho Server and the solution repository.
  2. Navigate to the /pentaho-solutions/system directory and open the applicationContext-­spring-security.xml file with any text editor.
  3. Locate the following authenticationManager bean tags:

    <bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
        <constructor-arg>
          <util:list>
          </util:list>
        <constructor-arg>
    </bean>   
    
  4. Add your AuthenticationProvider information below the list tag. The example below adds the jackrabbit provider:
    <pen:bean class="org.springframework.security.authentication.AuthenticationProvider">
        <pen:attributes>
        <pen:attr key="providerName" value="jackrabbit"/>
        </pen:attributes>
    </pen:bean>   
    
  5. Then, add providerName information right beneath the jackrabbit information. LDAP is used in this example. You can add as many providers as needed:
    <pen:bean class="org.springframework.security.authentication.AuthenticationProvider">
        <pen:attributes>
        <pen:attr key="providerName" value="ldap"/>
        </pen:attributes>
    </pen:bean>
    
  6. After you are finished adding AuthenticationProvider information, save and close the file.

The following code block is a more complete example of the authenticationManager portion of the applicationContext-­spring-security.xml file:

<!-- ======================== AUTHENTICATION ======================= -->
<bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
    <constructor-arg>
      <util:list>
        <pen:bean class="org.springframework.security.authentication.AuthenticationProvider">
            <pen:attributes>
              <pen:attr key="providerName" value="jackrabbit"/>
            </pen:attributes>
        </pen:bean>
        <pen:bean class="org.springframework.security.authentication.AuthenticationProvider">
            <pen:attributes>
              <pen:attr key="providerName" value="ldap"/>
            </pen:attributes>
        </pen:bean>
      </util:list>
    </constructor-arg>
    <property name="authenticationEventPublisher">
      <ref bean="defaultAuthenticationEventPublisher" />
    </property>
</bean>

Add the Jackrabbit Provider

The jackrabbit provider is required in the activeUserDetailsService bean, even if you configure another provider. Perform the following steps to add the Jackrabbit provider to the activeUserDetailsService bean:

  1.  Navigate to the /pentaho-solutions/system directory and open the pentahoObjects.spring.xml file with any text editor.
  2. Locate the activeUserDetailsService bean tag:
<!-- Reference to a bean in one of the applicationContext-pentaho-security-*.xml; selected by configured provider-->
  <pen:bean id="activeUserDetailsService" class="org.springframework.security.core.userdetails.UserDetailsService">
     <pen:attributes>
        <pen:attr key="providerName" value="${security.provider}"/>
     </pen:attributes>
  </pen:bean>
  1. Replace ${security.provider} with the jackrabbit provider value. For example:
<pen:attr key="providerName" value="jackrabbit"/>

Add Another Provider

Perform the following steps to add more provider names:

  1. Duplicate the activeUserDetailsService bean shown in Substep 2 of the Add the Jackrabbit Provider section.
  2. Rename the bean ID, for example: bean id="activeUserDetailsService2"
  3. Replace the jackrabbit value with the new provider value. For example:
      <pen:attr key="providerName" value="ldap"/>
  1. Locate the following UserDetailsService bean tags:
<!-- A composite bean composed of the activeUserDetailsService and systemUserDetailsService -->
  <bean id="UserDetailsService" class="org.pentaho.platform.plugin.services.security.userrole.ChainedUserDetailsService">
    <constructor-arg>
        <list>
          <ref bean="activeUserDetailsService"/>
          <ref bean="systemUserDetailsService"/>
        </list>
    </constructor-arg>
  </bean>
  1. Add your bean ID to the list element. For example:
<!-- A composite bean composed of the activeUserDetailsService and systemUserDetailsService -->
  <bean id="UserDetailsService" class="org.pentaho.platform.plugin.services.security.userrole.ChainedUserDetailsService">
     <constructor-arg>
         <list>
            <ref bean="activeUserDetailsService"/>
            <ref bean="activeUserDetailsService2"/>
            <ref bean="systemUserDetailsService"/>
         </list>
     </constructor-arg>
 </bean>
  1. Restart the Pentaho Server and solution repository.  

Authentication Provider Examples

 Provider Name Short Description Application Context for AuthenticationProvider
Jackrabbit Default Pentaho security. applicationContext-spring-security-jackrabbit.xml
LDAP LDAP security applicationContext-spring-security-ldap.xml
JDBC JDBC security allows you to use your own security tables applicationContext-spring-security-jdbc.xml
Memory In memory authentication applicationContext-spring-security-memory.xml