External Authentication with Jasper Server

External Authentication with Jasper Server

Jasper Server by default uses its internal authentication process, where any users,roles, organizations created from Jasper Server reside in its internal repository. It utilizes the Spring Security architecture to allow external authentication of users.
Authorization (repository access permissions, access to various modules of Jasper) cannot be externally defined but has to be done through JasperServer itself.

External Authentication mechanisms supported by Jasper Server

1. LDAP Authentication

JasperServer can be configured to perform external authentication with LDAP. Whenever a user request is made to the JasperServer configured with LDAP, the credentials are sent to LDAP server for authentication and authenticated user’s roles (user groups), organization are also retrieved. As a part of the authentication, JasperServer synchronizes the user information such as roles, organization from LDAP into its own user database. Such users are marked as external users in the Jasper’s internal user repo.
The LDAP Authentication can also be customized to map user’s full name, email information or profile attributes that may exist in LDAP Server into Jasper Server.
If any roles, organization, attributes for a user change on LDAP, the same will be synchronized each time the user logs into Jasper.
With this we can also use Microsoft Active Directory as external authentication mechanism.
LDAP authentication does not provide single sign-on (SSO) functionality. You must implement additional mechanisms and configure their use within JasperReports Server to enable SSO with LDAP

2. CAS Authentication

Central Authentication Service (CAS) is an open source, Java-based authentication server that includes a mechanism for single sign-on (SSO) across web applications. JasperServer can be configured with the CAS Server.
With the CAS protocol, the client application (such as JasperReports Server) never receives or transmits the user’s password. As a result, the client application does not need to apply any encryption to protect passwords. However, unlike LDAP, CAS does not provide any user context, such as roles or organizations, that can be mapped to JasperReports Server. Instead, you can configure and organization and static roles that apply to every CAS-authenticated user, or pull user details from an external data source.

3. External Database Authentication
JasperReports Server can be configured to perform external authentication and authorization using tables in an external database. This external DB will be queried to check if the user credentials received are valid. JasperReports Server maps the username to a predefined set of roles and an organization ID. The username, roles, and organization are also synchronized with the internal database, where the user account is marked as an external user.
Again this is not a SSO implemention, but means of externally authenticating a user.

4. Token based Authentication
If you have an application or portal you want to use with JasperReports Server, but do not have an existing single sign-on environment, you can use the Jaspersoft token-based authentication.
Basically, You authenticate the end user according to the standards of your environment or application. Then construct and optionally encrypt a token based on the authenticated user values within your application or process. The token values can include username, tenant (if multi-tenancy is enabled), roles, and profile attributes. You can configure the token based on your needs for reporting and analysis within the JasperReports Server.If the token is successfully parsed, use the information in the token to create and update the external user within JasperReports Server automatically.

All the above can be extended further by adding custom classes like creating custom processors to implement some additional behavior post user authentication etc.

Shraddha Tambe | Helical IT Solutions


Jasper Server External Database Authentication

                                                                 JasperServer External Database Authentication

Jasper Report Server can be configured to perform authentication and authorization using external table.

This kind of authentication can be used when an application is using any other database to store users, roles and organization data, and if it wants jasper server to sync-up data and create same users, roles and organization information what it has stored in database. It also can be used to set up environment for SSO.
We need to configure jasper server to use this authentication process.

Steps to configure Jasper server

Copy <JS_INSTALL>/samples/externalAuth-sample-config/sample-applicationContext-externalAuth-db.xml to /WEB-INF directory.

Rename copied file to applicationContext-externalAuth-db-mt.xml.
Now, edit and configure beans of applicationContext-externalAuth-db-mt.xml.

Find below mentioned bean tag and configure according to your requirement. This tag is used for database parameters. Here, I am using mysql for external database authentication.

<bean id=”externalDataSource” class=”org.springframework.jdbc.datasource.DriverManagerDataSource”>

        <property name=”driverClassName” value=”com.mysql.jdbc.Driver”/>

        <property name=”url” value=”jdbc:mysql://localhost:3306/jasper_external”/>

        <property name=”username” value=”user”/>

        <property name=”password” value=”****”/>

NOTE: For testing purpose, you can create same database structure as jasper server use for authentication.

Find “externalUserTenantDetailsService” bean tag and configure: E.g.

<bean id=”externalUserTenantDetailsService”    class=”com.jaspersoft.jasperserver.multipleTenancy.security.externalAuth.db.MTExternalJDBCUserDetailsService”>

        <property name=”dataSource” ref=”externalDataSource”/>

        <property name=”usersByUsernameAndTenantNameQuery” value=”SELECT u.username, u.password, t.org_name FROM h_users u LEFT JOIN organization t ON u.org_id = t.id WHERE username =?”/>

        <property name=”authoritiesByUsernameQuery” value=”SELECT u.username, r.role_name FROM h_users u, user_role ur, role r WHERE u.id = ur.user_id and ur.role_id=r.id and u.username = ?”/>

        <property name=”multiTenancyConfiguration”><ref bean=”multiTenancyConfiguration”/></property>


NOTE: You can change table name, column names but sequence of column should not be changed in written query. Here, you can see I am using h_users table (custom table) instead jiuser (which is used by jasperserver) and column names are also different e.g. role_name.
This bean is responsible for queries which will be executed by jasperserver to use authentication.

Retrieving roles from database:
Configure “mtExternalUserSetupProcessor” bean to map the external information to roles in jasperserver.
• defaultInternalRoles property – A list of internal roles assigned to the external user by default.
• organizationRoleMap property – A list of key/value pairs that maps external role names to internal ones.

For commercial JasperReports Server deployments, you need to choose the level at which the role is assigned:

• To map to an internal role at the organization level, append |* to the name of the internal role, for example, ROLE_EXTERNAL_USER|*. Roles mapped at the organization level do not have administrative privileges.
• To map to an internal role at the system (null) level, do not modify the internal role name, for example, ROLE_EXTERNAL_ADMINISTRATOR. Roles at the system level are usually reserved for special users such as the system administrator and allow access to the repository folder of all other organizations.

The following example shows how to configure organizationrolemap:

<property name=”organizationRoleMap”>
    <map>                <entry>                                <key>                                                <value>ROLE_ADMIN</value>






Restart Jasper server.