[Mondrian] XMLA Security roles

Julian Hyde julianhyde at speakeasy.net
Wed Feb 28 16:30:07 EST 2007

There are no instructions! But I've found out a little by reading the
There are 3 classes which implement the callback interface, all of them
in the test suite.
If you implement your own callback, you may find it useful to also write
new classes


	mondrian.xmla.DefaultRequestCallback (which does nothing for
each method) and make your implementation derive from that. (This will
help protect your code against future changes to this interface.)

	mondrian.xmla.DelegatingRequestCallback which implements each
method by passing each request to a 'parent' callback object. This
implements the 'decorator' pattern, and allows people to chain

Put your callback into mondrian.xmla.impl package. Other people will use
it if it is useful!
To register a callback. Looks like callback class names are registered
in web.xml.  I imagine that the class needs a special constructor e.g. a
public constructor with no args. You should be able to figure all this
out by reading XmlaServlet.initCallbacks().
Hopefully you can deduce the rest. I'd be grateful if you could add
instructions on how to write and register a callback into the javadoc of
XmlaRequestCallback, so no one else has to ask this question.


From: mondrian-bounces at pentaho.org [mailto:mondrian-bounces at pentaho.org]
On Behalf Of Pedro Casals
Sent: Wednesday, February 28, 2007 10:20 AM
To: Mondrian developer mailing list
Subject: Re: [Mondrian] XMLA Security roles

Thanks Julian,
I'll write a callback to process the http header (and go thru jpivot
xmla client to see if I can put this header). The firts question right
now is: A callback should implement the XmlaRequestCallback interface.
But where and how do I define the callback? Could you give me an
example, please?

thanks in advance

----- Mensaje original ----
De: Julian Hyde <julianhyde at speakeasy.net>
Para: Mondrian developer mailing list <mondrian at pentaho.org>
Enviado: miércoles, 28 de febrero, 2007 11:17:31
Asunto: RE: [Mondrian] XMLA Security roles



From: Pedro Casals

I cannot make security roles work properly when making a query through
XMLA (it works OK if the query is done through mondrianQuery tag).
In mondrian.xmla.impl.DefaultXmlaServlet.handleSoapBody I can see this
            // use context variable `role' as this request's XML/A role
            XmlaRequest xmlaReq = new DefaultXmlaRequest(xmlaReqElem,

However, I do not see where this context is filled besides in
handleSoapHeader. handleSoapHeader function only puts this keys:

I think you're right. Whoever wrote DefaultXmlaServlet put in a hook to
use the sugested role if it is present... but it is up to the XMLA
client to set it as an attribute in the HTTP header.

One question more: If security is not implemented I would do it. I have
read XMLA 1.1 spec and I could not see where to define the role in the
SOAP message. Should it be defined as a restriction? 

The XMLA request should specify the user (probably has part of the HTTP
header, NOT par of the XML). I know Pentaho Spreadsheet Services does
this, for example.
The XmlaHandler should then resolve the user to a role (to be precise,
the user and the schema resolve to a role -- a user might run under
different roles in different schemas). We have discussed extending
XmlaHandler to use a plugin user-to-role resolver running off JNDI or
JAAS or extra information we might add extra fields to datasources.xml
to define authentication and access-control lists.
(I can't find that discussion right now... anyone??)
Mondrian mailing list
Mondrian at pentaho.org


LLama Gratis a cualquier PC del Mundo.
Llamadas a fijos y móviles desde 1 céntimo por minuto.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.pentaho.org/pipermail/mondrian/attachments/20070228/fe4d633e/attachment.html 

More information about the Mondrian mailing list