[Mondrian] Re: xmla security header processing

Michele Rossi michele.rossi at gmail.com
Wed Apr 20 13:52:25 EDT 2011

as far as I know Axis is not a container but a library to create SOAP web services.

There is nothing a container can do with that security information as it's not transferred in a standard http way.

The username and password that you type in Excel when you create a new SimbaO2x connection are sent to the server in the request header xml element that I copied below.

So we either modify the xmla servlet or create an xmla callback with the same features.

Do you agree on the general principle that the client (excel) credentials should be used to open the olap4j connection?

And that the session id should be used to retrieve existing connections?
You certainly can't delegate any of these two features to the container.


Sent from my iPhone

On 20 Apr 2011, at 18:19, "Julian Hyde" <jhyde at pentaho.com> wrote:

> I'm not an expert on the HTTP/SOAP stuff. But the general goal should be to let the container (e.g. tomcat or apache axis) manage as much of this stuff as possible. Maybe you can see how people have made authentication work elsewhere in the XMLA servlet.
> Julian
> From: Michele Rossi [mailto:michele.rossi at gmail.com] 
> Sent: Wednesday, April 20, 2011 8:00 AM
> To: Mondrian developer mailing list
> Cc: jhyde at pentaho.com
> Subject: xmla security header processing
> Hi,
> I am writing some code to handle the xmla security header:
> <Header>
>                        <Security xmlns="http://schemas.xmlsoap.org/ws/2002/04/secext">
>                            <UsernameToken>
>                                <Username>MICHELE</Username>
>                                <Password Type="PasswordText">ROSSI</Password>
>                            </UsernameToken>
>                        </Security>
>                        <BeginSession mustUnderstand="1" xmlns="urn:schemas-microsoft-com:xml-analysis" />
>   </Header>
> Such header is sent out by XMLA clients such as SimbaO2X (Excel plugin).
> My idea is to pass user credentials down to the connection manager and use them to create new connections.
> I also think that connections should be associated with sessions.
> I am thinking of a Map that associates session IDs with OlapConnection objects.
> I can put all this logic directly in DefaultXmlaServlet or (probably) in a "XmlaRequestCallback" class.
> Which option do we want to go for?
> I also have in mind another more specific bit of functionality: hiding username / password in the session ID returned to the xmla client.
> This can be useful especially in the case of a server going down and forgetting a particular session id.
> (Your user leaves Excel open for a couple of days and when he tries to    use the Pivot again he gets an error if the server has been bounced in the meantime).
> The other use case could be http load balancers.
> As Excel does not send any cookies most load balancers would fail to apply the "sticky session" policy and could redirect different xmla requests to different cluster members.
> Only one of those members would know about the specified session ID (in other words only one of those servers would have an OlapConnection object stored under the given session id) but the others could re-obtain the credentials by de-crypting the session id.
> I can make the encrypted session ID very secure - even to "clear text"    attacks.
> I will discuss the details only if we think it's a feature worth having.
> Michele
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.pentaho.org/pipermail/mondrian/attachments/20110420/fc20756c/attachment.html 

More information about the Mondrian mailing list