- All Implemented Interfaces:
- org.springframework.security.providers.AuthenticationProvider
public class AuthTokenAuthenticationProvider
extends Object
implements org.springframework.security.providers.AuthenticationProvider
Implements the AuthenticationProvider interface from the Spring Framework Security specification
to enable proxy authentication of a user to JasperReports Server by a client service using
AuthTokens. This provider will analyze AuthTokenAuthentication objects to determine if they
contain a valid AuthToken credential. Validation is accomplished by generating an HMAC from the
name, isPI flag, a timestamp, and a nonce contained in the AuthToken credential. The HMAC is
calculated using a secret key shared with the client service at configuration time. If the
generated HMAC equals the hash contained in the AuthToken, the token is deemed valid.
The login name used for the authenticated user can be obtained in two ways: 1) If the
'singleUser' variable is set, the login will happen under that user name. This permits all logins
to happen under a special utility account. The Spring Framework will recognize that user by
calling AuthTokenAuthentication.getName(), but the user can still be differentiated for report
generation purposes by consulting the AuthToken.getName() method. 2) Otherwise, an optional
'externalUserProvider' can be registered which will consult an external resource to confirm that
the supplied name is valid. In this case every user will log in under their own account name.
That account must exist in JasperServer. Both AuthToken.getName() and
AuthTokenAuthentication.getName() will return that same value.
The roles ("GrantedAuthorities") applied to the logged in user similarly can be configured by
setting the 'singleUserAuthorities' array, or by registering an 'externalUserProvider'. In both
cases the role names which are supplied must match roles that are defined in the JasperServer.
Tokens will have a timestamp which can be used to expire tokens after some elapsed number of
milliseconds. Any token which is older than 'timeout' milliseconds will be considered invalid.
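The following is an added example, not code from JasperReports Server or this provider, showing the token flow described above: the client service builds a token over the name, isPI flag, timestamp and nonce with a shared secret, and the server recomputes the HMAC and enforces the 'timeout' window. The field order, separator, HMAC algorithm (SHA-256), hex encoding and the dictionary layout are assumptions for illustration; the real AuthToken serialization is not specified on this page. Two points go beyond the text as hardening a practitioner would want: the comparison uses a constant-time digest check rather than plain equality, and an optional seen-nonce set rejects replays within the timeout window.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Set, Tuple


def _message(name: str, is_pi: bool, timestamp_ms: int, nonce: str) -> bytes:
    # Assumed canonical form of the signed fields; the provider's real
    # serialization is not documented here, so this order/separator is illustrative.
    return "|".join([name, "true" if is_pi else "false", str(timestamp_ms), nonce]).encode("utf-8")


def make_token(secret: bytes, name: str, is_pi: bool,
               timestamp_ms: Optional[int] = None, nonce: Optional[str] = None) -> dict:
    """Client service side: build an AuthToken-like dict carrying the fields plus
    an HMAC (assumed HMAC-SHA256, hex) over them using the shared secret."""
    if timestamp_ms is None:
        timestamp_ms = int(time.time() * 1000)
    if nonce is None:
        nonce = secrets.token_hex(16)  # fresh per token so identical requests differ
    mac = hmac.new(secret, _message(name, is_pi, timestamp_ms, nonce), hashlib.sha256).hexdigest()
    return {"name": name, "isPI": is_pi, "timestamp": timestamp_ms, "nonce": nonce, "hash": mac}


def validate_token(secret: bytes, token: dict, timeout_ms: int,
                   now_ms: Optional[int] = None,
                   seen_nonces: Optional[Set[str]] = None) -> Tuple[bool, str]:
    """Server side: recompute the HMAC and apply the 'timeout' rule.
    Returns (ok, reason) so callers can log why a token was rejected."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    try:
        name = str(token["name"])
        is_pi = bool(token["isPI"])
        ts = int(token["timestamp"])
        nonce = str(token["nonce"])
        presented = str(token["hash"])
    except (KeyError, TypeError, ValueError):
        return False, "malformed token"

    expected = hmac.new(secret, _message(name, is_pi, ts, nonce), hashlib.sha256).hexdigest()
    # Constant-time comparison: added hardening, the page only says "equals".
    if not hmac.compare_digest(expected, presented):
        return False, "bad hmac"

    # Any token older than 'timeout' milliseconds is invalid (from the page).
    age_ms = now_ms - ts
    if age_ms > timeout_ms:
        return False, "expired"
    # Added assumption: a timestamp far in the future is equally suspect.
    if -age_ms > timeout_ms:
        return False, "timestamp in future"

    # Optional replay check (added hardening): a nonce may be accepted once.
    # The caller is responsible for evicting entries older than the timeout.
    if seen_nonces is not None:
        if nonce in seen_nonces:
            return False, "replayed nonce"
        seen_nonces.add(nonce)
    return True, "ok"


if __name__ == "__main__":
    shared = b"configured-shared-secret"  # constructed sample secret
    tok = make_token(shared, "alice", False)
    print(validate_token(shared, tok, timeout_ms=60_000))
    tampered = dict(tok, name="admin")
    print(validate_token(shared, tampered, timeout_ms=60_000))
```

In a deployment the server's clock and the client service's clock must agree to within 'timeout', otherwise valid tokens are rejected as expired; keep the window short (tens of seconds) since, without the nonce set, a captured token can be replayed until it ages out.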