Package org.pentaho.platform.web.http.filters

Class ProxyTrustingFilter

java.lang.Object

org.pentaho.platform.web.http.filters.ProxyTrustingFilter

All Implemented Interfaces:

javax.servlet.Filter

public class ProxyTrustingFilter
extends Object
implements javax.servlet.Filter

This servlet is used to filter Servlet requests coming from another server for processing and sets authentication for the user passed in by the parameter _TRUST_USER_. It will conditionally look for the parameter in the HTTP Header too. It then passes the request down the servlet chain to be serviced. Only requests coming from a trusted host will be authenticated. Implement the filter and setup the trusted hosts by editing the web.xml file as follows.

  <filter>
    <filter-name>ProxyTrustingFilter</filter-name>
    <filter-class>org.pentaho.platform.web.http.filters.ProxyTrustingFilter</filter-class>
      <init-param>
        <param-name>TrustedIpAddrs</param-name>
        <param-value>192.168.10.60,192.168.10.61</param-value>
      </init-param>
  </filter>
 

In the above example, when a request coming from IP addresses 192.168.10.60 and 192.168.10.61 has the parameter _TRUST_USER_=name set, that user name will be authenticated.

An additional parameter, _TRUST_LOCALE_OVERRIDE_, and, optionally, header, can be specified containing a locale override that the user session should use.

NOTES:

It is easy to spoof the URL or IP address so this technique should only be used if the server running the filter is not accessible to users. For example if the BI Platform is hosted in a DMZ.

For this class to be useful, both Pentaho servers should be using the same database repository.

The sending server should be using the ProxyServlet enabled to generate the requests.

The user and locale parameters that this filter looks for can be configured in the init parameters, as well as whether to check the request headers.

The following shows the defaults used if these settings aren't provided.

   <init-param>
     <param-name>CheckHeader</param-name>
     <param-value>true</param-value>
   </init-param>
   <init-param>
     <param-name>RequestParameterName</param-name>
     <param-value>_TRUST_USER_</param-value>
   </init-param>
   <init-param>
     <param-name>HeaderName</param-name>
     <param-value>_TRUST_USER_</param-value>
   </init-param>
   <init-param>
   <init-param>
     <param-name>LocaleOverrideParameterName</param-name>
     <param-value>_TRUST_LOCALE_OVERRIDE_</param-value>
   </init-param>
   <init-param>
     <param-name>LocaleOverrideHeaderName</param-name>
     <param-value>_TRUST_LOCALE_OVERRIDE_</param-value>
   </init-param>
 

Author:

Doug Moran

See Also:

ProxyServlet

Constructor Summary

Constructors

Constructor	Description
ProxyTrustingFilter()

Method Summary

Modifier and Type	Method	Description
protected void	becomeUser(String principalName)
protected boolean	checkHeader()
void	destroy()
void	doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain)
protected void	doFilterCore(javax.servlet.http.HttpServletRequest request, String name)
protected String	getHeaderName()
protected String	getLocaleOverrideHeaderName()	Gets the name of the request header that will contain the trusted locale override
protected String	getLocaleOverrideParameterName()	Gets the name of the request parameter that will contain the trusted locale override.
org.apache.commons.logging.Log	getLogger()
protected String	getParameterName()
protected String	getTrustLocaleOverrideCode(javax.servlet.http.HttpServletRequest request)	Gets the trusted locale code override from the request, and optionally from the HTTP header.
protected String	getTrustUser(javax.servlet.http.HttpServletRequest request)	Gets the trusted user from the request, and optionally from the HTTP Header
void	init(javax.servlet.FilterConfig filterConfiguration)
protected void	initParameterCheckHeader()
protected void	initParameterLocaleOverride()
protected void	initParameterTrustedIpAddresses()
protected void	initParameterUser()
boolean	isEmpty(String str)
static void	main(String[] args)
protected String	normalizeHeaderName(String in)
protected void	setSystemLocaleOverrideCode(String localeOverrideCode)	Sets the system's locale override.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

ProxyTrustingFilter

public ProxyTrustingFilter()

Method Detail

getLogger

public org.apache.commons.logging.Log getLogger()

init

public void init(javax.servlet.FilterConfig filterConfiguration)
          throws javax.servlet.ServletException

Specified by:

init in interface javax.servlet.Filter

Throws:

javax.servlet.ServletException

initParameterTrustedIpAddresses

protected void initParameterTrustedIpAddresses()

initParameterCheckHeader

protected void initParameterCheckHeader()

initParameterUser

protected void initParameterUser()

initParameterLocaleOverride

protected void initParameterLocaleOverride()

doFilter

public void doFilter(javax.servlet.ServletRequest request,
                     javax.servlet.ServletResponse response,
                     javax.servlet.FilterChain chain)
              throws IOException,
                     javax.servlet.ServletException

Specified by:

doFilter in interface javax.servlet.Filter

Throws:

IOException

javax.servlet.ServletException

doFilterCore

protected void doFilterCore(javax.servlet.http.HttpServletRequest request,
                            String name)
                     throws javax.servlet.ServletException

Throws:

javax.servlet.ServletException

destroy

public void destroy()

Specified by:

destroy in interface javax.servlet.Filter

main

public static void main(String[] args)

Parameters:

args -

getHeaderName

protected String getHeaderName()

Returns:

the name of the request header that will contain the trusted user name

getParameterName

protected String getParameterName()

Returns:

the name of the request parameter that will contain the trusted user name

getLocaleOverrideHeaderName

protected String getLocaleOverrideHeaderName()

Gets the name of the request header that will contain the trusted locale override

getLocaleOverrideParameterName

protected String getLocaleOverrideParameterName()

Gets the name of the request parameter that will contain the trusted locale override.

checkHeader

protected boolean checkHeader()

Returns:

true if the filter should consult the http header for the trusted user and trusted locale override

getTrustUser

protected String getTrustUser(javax.servlet.http.HttpServletRequest request)

Gets the trusted user from the request, and optionally from the HTTP Header

Parameters:

request - The HttpServletRequest to examine for the trusted information

Returns:

The name of the trusted user

getTrustLocaleOverrideCode

protected String getTrustLocaleOverrideCode(javax.servlet.http.HttpServletRequest request)

Gets the trusted locale code override from the request, and optionally from the HTTP header.

Parameters:

request - The HttpServletRequest to examine for the trusted information

Returns:

The specified trusted locale code, if any; null, otherwise.

isEmpty

public boolean isEmpty(String str)

normalizeHeaderName

protected String normalizeHeaderName(String in)

becomeUser

protected void becomeUser(String principalName)

setSystemLocaleOverrideCode

protected void setSystemLocaleOverrideCode(String localeOverrideCode)

Sets the system's locale override.

Parameters:

localeOverrideCode - The locale override code.