Class ProxyTrustingFilter

  • All Implemented Interfaces:

    public class ProxyTrustingFilter
    extends Object
    implements javax.servlet.Filter
    This servlet is used to filter Servlet requests coming from another server for processing and sets authentication for the user passed in by the parameter _TRUST_USER_. It will conditionally look for the parameter in the HTTP Header too. It then passes the request down the servlet chain to be serviced. Only requests coming from a trusted host will be authenticated. Implement the filter and setup the trusted hosts by editing the web.xml file as follows.


    In the above example, when a request coming from IP addresses and has the parameter _TRUST_USER_=name set, that user name will be authenticated.

    An additional parameter, _TRUST_LOCALE_OVERRIDE_, and, optionally, header, can be specified containing a locale override that the user session should use.


    It is easy to spoof the URL or IP address so this technique should only be used if the server running the filter is not accessible to users. For example if the BI Platform is hosted in a DMZ.

    For this class to be useful, both Pentaho servers should be using the same database repository.

    The sending server should be using the ProxyServlet enabled to generate the requests.

    The user and locale parameters that this filter looks for can be configured in the init parameters, as well as whether to check the request headers.

    The following shows the defaults used if these settings aren't provided.

    Doug Moran
    See Also:
    • Constructor Detail

      • ProxyTrustingFilter

        public ProxyTrustingFilter()
    • Method Detail

      • getLogger

        public org.apache.commons.logging.Log getLogger()
      • init

        public void init​(javax.servlet.FilterConfig filterConfiguration)
                  throws javax.servlet.ServletException
        Specified by:
        init in interface javax.servlet.Filter
      • initParameterTrustedIpAddresses

        protected void initParameterTrustedIpAddresses()
      • initParameterCheckHeader

        protected void initParameterCheckHeader()
      • initParameterUser

        protected void initParameterUser()
      • initParameterLocaleOverride

        protected void initParameterLocaleOverride()
      • doFilter

        public void doFilter​(javax.servlet.ServletRequest request,
                             javax.servlet.ServletResponse response,
                             javax.servlet.FilterChain chain)
                      throws IOException,
        Specified by:
        doFilter in interface javax.servlet.Filter
      • doFilterCore

        protected void doFilterCore​(javax.servlet.http.HttpServletRequest request,
                                    String name)
                             throws javax.servlet.ServletException
      • destroy

        public void destroy()
        Specified by:
        destroy in interface javax.servlet.Filter
      • main

        public static void main​(String[] args)
        args -
      • getHeaderName

        protected String getHeaderName()
        the name of the request header that will contain the trusted user name
      • getParameterName

        protected String getParameterName()
        the name of the request parameter that will contain the trusted user name
      • getLocaleOverrideHeaderName

        protected String getLocaleOverrideHeaderName()
        Gets the name of the request header that will contain the trusted locale override
      • getLocaleOverrideParameterName

        protected String getLocaleOverrideParameterName()
        Gets the name of the request parameter that will contain the trusted locale override.
      • checkHeader

        protected boolean checkHeader()
        true if the filter should consult the http header for the trusted user and trusted locale override
      • getTrustUser

        protected String getTrustUser​(javax.servlet.http.HttpServletRequest request)
        Gets the trusted user from the request, and optionally from the HTTP Header
        request - The HttpServletRequest to examine for the trusted information
        The name of the trusted user
      • getTrustLocaleOverrideCode

        protected String getTrustLocaleOverrideCode​(javax.servlet.http.HttpServletRequest request)
        Gets the trusted locale code override from the request, and optionally from the HTTP header.
        request - The HttpServletRequest to examine for the trusted information
        The specified trusted locale code, if any; null, otherwise.
      • isEmpty

        public boolean isEmpty​(String str)
      • normalizeHeaderName

        protected String normalizeHeaderName​(String in)
      • becomeUser

        protected void becomeUser​(String principalName)
      • setSystemLocaleOverrideCode

        protected void setSystemLocaleOverrideCode​(String localeOverrideCode)
        Sets the system's locale override.
        localeOverrideCode - The locale override code.