[Mondrian] XMLA Security roles

Pedro Casals pcasalsfradera at yahoo.com
Wed Feb 28 13:20:16 EST 2007

Thanks Julian,

I'll write a callback to process the http header (and go thru jpivot xmla client to see if I can put this header). The first question right now is: A callback should implement the XmlaRequestCallback interface. But where and how do I define the callback? Could you give me an example, please?

thanks in advance


----- Original message ----
From: Julian Hyde <julianhyde at speakeasy.net>
To: Mondrian developer mailing list <mondrian at pentaho.org>
Sent: Wednesday, February 28, 2007 11:17:31
Subject: RE: [Mondrian] XMLA Security roles


From: Pedro Casals

I cannot make security roles work properly when making a query through XMLA (it works OK if the query is done through mondrianQuery tag).
In mondrian.xmla.impl.DefaultXmlaServlet.handleSoapBody I can see this code:
            // use context variable `role' as this request's XML/A role
            XmlaRequest xmlaReq = new DefaultXmlaRequest(xmlaReqElem,
                                       (String) context.get(CONTEXT_ROLE));

However, I do not see where this context is filled besides in handleSoapHeader. handleSoapHeader function only puts these keys: CONTEXT_XMLA_SESSION_ID, CONTEXT_XMLA_SESSION_STATE.
I think you're right. Whoever wrote DefaultXmlaServlet put in a hook to use the suggested role if it is present... but it is up to the XMLA client to set it as an attribute in the HTTP header.
One question more: If security is not implemented I would do it. I have read XMLA 1.1 spec and I could not see where to define the role in the SOAP message. Should it be defined as a restriction? 
The XMLA request should specify the user (probably as part of the HTTP header, NOT part of the XML). I know Pentaho Spreadsheet Services does this, for example.
The XmlaHandler should then resolve the user to a role (to be precise, the user and the schema resolve to a role -- a user might run under different roles in different schemas). We have discussed extending XmlaHandler to use a plugin user-to-role resolver running off JNDI or JAAS or extra information we might add extra fields to datasources.xml to define authentication and access-control lists.
(I can't find that discussion right now... anyone??)
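The user-and-schema-to-role resolution described in the quoted reply, as an added example that is not part of the original thread or of Mondrian's code. `UserRoleResolver`, its methods and the sample grants are hypothetical, the value of `CONTEXT_ROLE` is assumed, and the class does not implement `XmlaRequestCallback`, whose method signatures the thread does not show.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

/** Added illustration; class and method names are hypothetical, not Mondrian API. */
public class UserRoleResolver {
    // Assumption: stands in for the servlet's CONTEXT_ROLE key used in handleSoapBody.
    static final String CONTEXT_ROLE = "role";

    // schema -> (user -> role); a user may hold different roles in different schemas.
    private final Map<String, Map<String, String>> acl = new HashMap<>();

    void grant(String schema, String user, String role) {
        acl.computeIfAbsent(schema, s -> new HashMap<>()).put(user, role);
    }

    /** Returns the role for this user in this schema, or null when none is granted. */
    String resolve(String schema, String user) {
        if (schema == null || user == null) return null;
        return acl.getOrDefault(schema, Collections.<String, String>emptyMap()).get(user);
    }

    /**
     * What a callback's header-processing step would do: take the user the
     * container authenticated (e.g. HttpServletRequest.getRemoteUser()), not a
     * role name sent by the client, and store the resolved role in the context.
     * No grant means the request is rejected instead of running without a role.
     */
    void fillContext(String authenticatedUser, String schema, Map<String, Object> context) {
        String role = resolve(schema, authenticatedUser);
        if (role == null) {
            throw new SecurityException("no role granted in schema " + schema);
        }
        context.put(CONTEXT_ROLE, role);
    }

    public static void main(String[] args) {
        UserRoleResolver resolver = new UserRoleResolver();
        resolver.grant("Sales", "alice", "Manager"); // constructed sample grants
        resolver.grant("HR", "alice", "Reader");

        Map<String, Object> context = new HashMap<>();
        resolver.fillContext("alice", "Sales", context);
        System.out.println("alice/Sales -> " + context.get(CONTEXT_ROLE));
        try {
            resolver.fillContext("bob", "Sales", new HashMap<>());
        } catch (SecurityException e) {
            System.out.println("bob/Sales denied: " + e.getMessage());
        }
    }
}
```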