<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman, new york, times, serif;font-size:12pt"><DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">Thanks Julian,</DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">I'll write a callback to process the http header (and go thru jpivot xmla client to see if I can put this header). The firts question right now is: A callback should implement the XmlaRequestCallback interface. But where and how do I define the callback? Could you give me an example, please?<BR></DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">thanks in advance</DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">Pedro<BR></DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">----- Mensaje original ----<BR>De: Julian Hyde <julianhyde@speakeasy.net><BR>Para: Mondrian developer mailing list <mondrian@pentaho.org><BR>Enviado: miércoles, 28 de febrero, 2007 11:17:31<BR>Asunto: RE: [Mondrian] XMLA Security roles<BR><BR>
<DIV dir=ltr align=left><SPAN class=907585209-28022007><FONT face=Verdana color=#000080 size=2></FONT></SPAN> </DIV><FONT face=Verdana color=#000080 size=2></FONT><FONT face=Verdana color=#000080 size=2></FONT><FONT face=Verdana color=#000080 size=2></FONT><FONT face=Verdana color=#000080 size=2></FONT><BR>
<BLOCKQUOTE style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000080 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Pedro Casals<BR></FONT><BR>I cannot make security roles work properly when making a query through XMLA (it works OK if the query is done through mondrianQuery tag).</DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">
<DIV>In mondrian.xmla.impl.DefaultXmlaServlet.handleSoapBody I can see this code:</DIV>
<DIV> // use context variable `role' as this request's XML/A role<BR> XmlaRequest xmlaReq = new DefaultXmlaRequest(xmlaReqElem,<BR> (String) context.get(CONTEXT_ROLE));<BR></DIV>
<DIV>However, I do not see where this context is filled besides in handleSoapHeader. handleSoapHeader function only puts this keys: CONTEXT_XMLA_SESSION_ID, CONTEXT_XMLA_SESSION_STATE.<SPAN class=907585209-28022007><FONT face=Verdana color=#000080 size=2> </FONT></SPAN></DIV>
<DIV><SPAN class=907585209-28022007><FONT face=Verdana color=#000080 size=2></FONT></SPAN> </DIV></DIV></BLOCKQUOTE>
<DIV><SPAN class=907585209-28022007><FONT face=Verdana color=#000080 size=2>I think you're right. Whoever wrote DefaultXmlaServlet put in a hook to use the sugested role if it is present... but it is up to the XMLA client to set it as an attribute in the HTTP header.</FONT></SPAN></DIV>
<BLOCKQUOTE style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000080 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><SPAN class=907585209-28022007> </SPAN></DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">One question more: If security is not implemented I would do it. I have read XMLA 1.1 spec and I could not see where to define the role in the SOAP message. Should it be defined as a restriction?<SPAN class=907585209-28022007><FONT face=Verdana color=#000080 size=2> </FONT></SPAN></DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><SPAN class=907585209-28022007><FONT face=Verdana color=#000080 size=2></FONT></SPAN> </DIV></BLOCKQUOTE>
<DIV><SPAN class=907585209-28022007><SPAN class=907585209-28022007><FONT face=Verdana color=#000080 size=2>The XMLA request should specify the user (probably has part of the HTTP header, NOT par of the XML). I know Pentaho Spreadsheet Services does this, for example.</FONT></SPAN></SPAN></DIV>
<DIV><SPAN class=907585209-28022007><SPAN class=907585209-28022007><FONT face=Verdana color=#000080 size=2></FONT></SPAN></SPAN> </DIV>
<DIV><SPAN class=907585209-28022007><SPAN class=907585209-28022007><FONT face=Verdana color=#000080 size=2>The XmlaHandler should then resolve the user to a role (to be precise, the user and the schema resolve to a role -- a user might run under different roles in different schemas). We have discussed extending XmlaHandler to use a plugin user-to-role resolver running off JNDI or JAAS or extra information we might add extra fields to datasources.xml to define authentication and access-control lists.</FONT></SPAN></SPAN></DIV>
<DIV><SPAN class=907585209-28022007><SPAN class=907585209-28022007><FONT face=Verdana color=#000080 size=2></FONT></SPAN></SPAN> </DIV>
<DIV><SPAN class=907585209-28022007><SPAN class=907585209-28022007><FONT face=Verdana color=#000080 size=2>(I can't find that discussion right now... anyone??)</FONT></SPAN></SPAN></DIV>
<DIV><SPAN class=907585209-28022007><SPAN class=907585209-28022007><FONT face=Verdana color=#000080 size=2></FONT></SPAN></SPAN> </DIV>
<DIV><SPAN class=907585209-28022007><SPAN class=907585209-28022007><FONT face=Verdana color=#000080 size=2>Julian</FONT></SPAN></SPAN></DIV>
<DIV>_______________________________________________<BR>Mondrian mailing list<BR>Mondrian@pentaho.org<BR><A href="http://lists.pentaho.org/mailman/listinfo/mondrian" target=_blank>http://lists.pentaho.org/mailman/listinfo/mondrian</A></DIV></DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><BR></DIV></div><br>
<hr size=1><br><font face="Verdana" size="-2">LLama Gratis a cualquier PC del Mundo.<br>Llamadas a fijos y móviles desde 1 céntimo por minuto.<br><a href="http://us.rd.yahoo.com/mail/es/tagline/messenger/*http://es.voice.yahoo.com/">http://es.voice.yahoo.com</a></font></body></html>