In Liferay, an Administrator of any organization is able to delete, update or change the user details of any other organization, which is not secure for organizations. The user details of one organization should not be displayed to the admin of any other organization.

To avoid the above scenario, the permissions and role of the organization admin must be changed.

Role Keywords

Administrator: An Administrator can create organizations, assign or add users to an organization, and update or remove users and organizations. It means Poweruser has all the authority of the Liferay portal.

Organization Administrator: An Organization Administrator is able to see organization pages and can edit organization pages, but is not able to edit his private and public pages.


How can we change the role of an organization admin

1. Log in as Admin (Administrator role).
2. Go to Control Panel.
3. Select the User and Organization menu from the portal panel on the left side of the window.

4. Select the organization in which you want to change the role of the admin.
E.g. selecting the New York Organization.

We can see there are 2 users in the New York Organization: NYC (Admin) and NY1USER (organization user). Here NYC is the Administrator for this organization.

5. Click Actions (for NYC in this example) -> Edit.

6. Select the Roles tab from User Information under the Admin menu [NYC Admin], which is on the right side of the window.

7. We can see the current role of this user in Regular Roles. (Currently it is Administrator.)

8. Remove Administrator from Regular Roles and assign a new role using the “+Select” option. When we click the Select hyperlink, a pop-up window appears. In this window we can see 2 roles: Administrator and Power User. [These are not the only roles that can appear; other regular roles may be listed too.]

9. Select Power User.


10. Now, in the Organization Roles view, click the “Select” hyperlink and select the organization role from the pop-up window.

11. Select Organization Administrator.

Now we can see that the organization administrator has two roles: Power User and Organization Administrator.

12. Click Save.

Now, when the same organization admin logs in to his/her account, the user can’t get access to any other organization's details from the Control Panel.


Before applying changes to organization administrator role.

After applying changes to organization administrator role.

He is not able to see any organization except his own.

Finally, we have secured an organization’s details from any other organization’s admin.

Steps to migrate oracle with pentaho

Step 1:-

Run the script as DB admin.

The script is available at: biserver-ce\data\oracle10g.

Modify configuration file:-




original code:-






Modified code:-






  1. hibernate-settings.xml

Location:- pentaho-solutions\system\hibernate\hibernate-settings.xml.

Original code


Modified code:-




pentaho-solutions\system\hibernate\oracle10g.hibernate.cfg.xml

There is no need to change any code in this file; just check that everything is correct.


<!-- Oracle 10g Configuration -->
<property name="connection.driver_class">oracle.jdbc.driver.OracleDriver</property>
<property name="connection.url">jdbc:oracle:thin:@localhost:1521/sysdba</property>
<property name="dialect">org.hibernate.dialect.Oracle10gDialect</property>
<property name="connection.username">hibuser</property>
<property name="connection.password">password</property>
<property name="connection.pool_size">10</property>
<property name="show_sql">false</property>
<property name="hibernate.jdbc.use_streams_for_binary">true</property>
<!-- replaces DefinitionVersionManager -->
<property name="">update</property>
<!-- load resource from classpath -->
<mapping resource="hibernate/oracle10g.hbm.xml" />





Original Code

org.quartz.jobStore.driverDelegateClass = org.quartz.impl.jdbcjobstore.PostgreSQLDelegate

Modified Code:-

org.quartz.jobStore.driverDelegateClass =




Original Code

<Resource name="jdbc/Hibernate" auth="Container" type="javax.sql.DataSource"
    factory="org.apache.commons.dbcp.BasicDataSourceFactory" maxActive="20" maxIdle="5"
    maxWait="10000" username="hibuser" password="password"
    driverClassName="org.hsqldb.jdbcDriver" url="jdbc:hsqldb:hsql://localhost/hibernate"
    validationQuery="select count(*) from INFORMATION_SCHEMA.SYSTEM_SEQUENCES" />

<Resource name="jdbc/Quartz" auth="Container" type="javax.sql.DataSource"
    factory="org.apache.commons.dbcp.BasicDataSourceFactory" maxActive="20" maxIdle="5"
    maxWait="10000" username="pentaho_user" password="password"
    driverClassName="org.hsqldb.jdbcDriver" url="jdbc:hsqldb:hsql://localhost/quartz"
    validationQuery="select count(*) from INFORMATION_SCHEMA.SYSTEM_SEQUENCES"/>


Modified Code:-

<Resource validationQuery="select 1 from dual"
    url="jdbc:oracle:thin:@localhost:1521/sysdba"
    driverClassName="oracle.jdbc.OracleDriver" password="password"
    username="hibuser" maxWait="10000" maxIdle="5" maxActive="20"
    type="javax.sql.DataSource" auth="Container" name="jdbc/Hibernate"/>

<Resource validationQuery="select 1 from dual"
    url="jdbc:oracle:thin:@localhost:1521/sysdba"
    driverClassName="oracle.jdbc.OracleDriver" password="password"
    username="quartz" maxWait="10000" maxIdle="5" maxActive="20"
    type="javax.sql.DataSource" auth="Container" name="jdbc/Quartz"/>

6. repository.xml

Location of the file: pentaho-solutions\system\jackrabbit\repository.xml.

“Comment this code” means wrapping it in an XML comment (<!-- everything here -->).

“Active this code” means removing the comment markers.

i) FileSystem part

Comment this code:-

<FileSystem class="org.apache.jackrabbit.core.fs.local.LocalFileSystem">
    <param name="path" value="${rep.home}/repository"/>
</FileSystem>

Activate this code:-

<FileSystem class="org.apache.jackrabbit.core.fs.db.OracleFileSystem">
    <param name="url" value="jdbc:oracle:thin:@localhost:1521"/>
    <param name="user" value="jcr_user"/>
    <param name="password" value="password"/>
    <param name="schemaObjectPrefix" value="fs_repos_"/>
    <param name="tablespace" value="pentaho_tablespace"/>
</FileSystem>


ii) DataStore part

Comment this code:-

<DataStore class=""/>

Activate this code:-

<DataStore class="">
    <param name="url" value="jdbc:oracle:thin:@localhost:1521/sysdba"/>
    <param name="driver" value="oracle.jdbc.OracleDriver"/>
    <param name="user" value="jcr_user"/>
    <param name="password" value="password"/>
    <param name="databaseType" value="oracle"/>
    <param name="minRecordLength" value="1024"/>
    <param name="maxConnections" value="3"/>
    <param name="copyWhenReading" value="true"/>
    <param name="tablePrefix" value=""/>
    <param name="schemaObjectPrefix" value="ds_repos_"/>
</DataStore>


iii) Security part in the FileSystem Workspace part

Comment this code:-

<FileSystem class="org.apache.jackrabbit.core.fs.local.LocalFileSystem">
    <param name="path" value="${wsp.home}"/>
</FileSystem>

Activate this code:-

<FileSystem class="org.apache.jackrabbit.core.fs.db.OracleFileSystem">
    <param name="url" value="jdbc:oracle:[email protected]:1521/sysdba"/>
    <param name="user" value="jcr_user"/>
    <param name="password" value="password"/>
    <param name="schemaObjectPrefix" value="fs_ws_"/>
    <param name="tablespace" value="pentaho_tablespace"/>
</FileSystem>


iv) PersistenceManager part

Comment this code:-

<PersistenceManager class="org.apache.jackrabbit.core.persistence.pool.H2PersistenceManager">
    <param name="url" value="jdbc:h2:${wsp.home}/db"/>
    <param name="schemaObjectPrefix" value="${}_"/>
</PersistenceManager>

Activate this code:-

<PersistenceManager class="org.apache.jackrabbit.core.persistence.bundle.OraclePersistenceManager">
    <param name="url" value="jdbc:oracle:thin:@localhost:1521/sysdba"/>
    <param name="driver" value="oracle.jdbc.OracleDriver"/>
    <param name="user" value="jcr_user"/>
    <param name="password" value="password"/>
    <param name="schema" value="oracle"/>
    <param name="schemaObjectPrefix" value="${}_pm_ws_"/>
    <param name="tablespace" value="pentaho_tablespace"/>
</PersistenceManager>


v) FileSystem Versioning part

Comment this code:-

<FileSystem class="org.apache.jackrabbit.core.fs.local.LocalFileSystem">
    <param name="path" value="${rep.home}/version" />
</FileSystem>

Activate this code:-

<PersistenceManager class="org.apache.jackrabbit.core.persistence.bundle.OraclePersistenceManager">
    <param name="url" value="jdbc:oracle:thin:@localhost:1521/sysdba"/>
    <param name="driver" value="oracle.jdbc.OracleDriver"/>
    <param name="user" value="jcr_user"/>
    <param name="password" value="password"/>
    <param name="schema" value="oracle"/>
    <param name="schemaObjectPrefix" value="pm_ver_"/>
    <param name="tablespace" value="pentaho_tablespace"/>
</PersistenceManager>




Stopping HSQL db start up

In web.xml file

Comment or delete this code (Commenting is preferable)




<param-value>[email protected]/../data/hsqldb/sampledata,[email protected]/../data/hsqldb/hibernate,[email protected]/../data/hsqldb/quartz</param-value>




Also comment this code






You are done integrating Pentaho 5.0.1 CE with Oracle.

Now log in to the Pentaho server.

URL:  http://localhost:8080/pentaho

Username/Password : Admin/password

Anonymous Authentication in Pentaho

This blog will be talking about anonymous authentication in Pentaho. You can bypass the built-in security on the BA Server by giving all permissions to anonymous users. An “anonymousUser” is any user, either existing or newly created, that you specify as an all-permissions, no-login user, and to whom you grant the Anonymous role. The procedure below will grant full BA Server access to the Anonymous role and never require a login.

1. Stop the BA Server.
2. Open the /pentaho/server/biserver-ee/pentaho-solutions/system/applicationContext-spring-security.xml file and ensure that a default anonymous role is defined. Match your bean definition and property value to the example below.

<bean id="anonymousProcessingFilter" class="">
    <!-- omitted -->
    <property name="userAttribute" value="anonymousUser,Anonymous" />
</bean>



3. Find these two beans in the same file:
   o filterSecurityInterceptor
   o filterInvocationInterceptorForWS
   Locate the objectDefinitionSource properties inside the beans and match the contents to this code example.

<bean id="filterInvocationInterceptor" class="">
    <property name="authenticationManager">
        <ref local="authenticationManager" />
    </property>
    <property name="accessDecisionManager">
        <ref local="httpRequestAccessDecisionManager" />
    </property>
    <property name="objectDefinitionSource">
        <value> <![CDATA[
\A/.*\Z=Anonymous,Authenticated ]]> </value>
    </property>
</bean>


4. Save the file, then open pentaho.xml in the same directory.
5. Find the anonymous-authentication lines of the pentaho-system section, and define the anonymous user and role.

<!-- omitted -->
    </anonymous-authentication>
<!-- omitted -->

6. Open the file in the same directory.

a) Find the singleTenantAdminUserName and replace the value with the anonymousUser name.
b) Find the singleTenantAdminAuthorityName and replace the value with Anonymous.
c) Save the file.

7. Open the pentahoObjects.spring.xml file.
8. Find all references to the bean id="Mondrian-UserRoleMapper" and make sure that the only one that is uncommented (active) is this one:

<bean id="Mondrian-UserRoleMapper"
    <property name="sessionProperty" value="MondrianUserRoles" /> </bean>

9. Save pentahoObjects.spring.xml and close the file.
10. Restart the BA Server.
11. Enter http://localhost:8080/pentaho in the browser address field. You will find that the Pentaho home page opens without requiring login.
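
One way to spot this configuration during a review, as an added example that is not part of the original post or of Pentaho: the script parses a Spring Security context file and reports every objectDefinitionSource rule that grants the anonymous role, marking rules whose pattern matches every path. The sample XML, the probe paths and all function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the beans shown above. The empty class
# attributes, the /login and /admin rules and the Admin role are placeholders.
SAMPLE_CONTEXT = r"""<beans>
  <bean id="anonymousProcessingFilter" class="">
    <property name="userAttribute" value="anonymousUser,Anonymous" />
  </bean>
  <bean id="filterInvocationInterceptor" class="">
    <property name="objectDefinitionSource">
      <value><![CDATA[
\A/login.*\Z=Anonymous,Authenticated
\A/admin.*\Z=Admin
\A/.*\Z=Anonymous,Authenticated
      ]]></value>
    </property>
  </bean>
</beans>"""

# Constructed request paths: a pattern matching all of them is a catch-all.
PROBE_PATHS = ["/", "/Home", "/api/repos/report/viewer", "/admin/users"]

def _local(tag):
    # Strip an XML namespace so namespaced Spring files parse the same way.
    return tag.rsplit("}", 1)[-1]

def _beans(root):
    return [el for el in root.iter() if _local(el.tag) == "bean"]

def _props(bean):
    return {p.get("name"): p for p in bean if _local(p.tag) == "property"}

def anonymous_role(root, default="Anonymous"):
    """Role name from userAttribute ("user,role"); falls back to the default."""
    for bean in _beans(root):
        attr = _props(bean).get("userAttribute")
        if attr is not None:
            parts = [s.strip() for s in (attr.get("value") or "").split(",")]
            if len(parts) > 1 and parts[1]:
                return parts[1]
    return default

def parse_rules(text):
    """Split 'pattern=ROLE1,ROLE2' lines; lines without '=' are ignored."""
    rules = []
    for line in text.splitlines():
        pattern, sep, roles = line.strip().rpartition("=")
        if sep:
            rules.append((pattern, [r.strip() for r in roles.split(",")]))
    return rules

def is_catch_all(pattern):
    try:
        rx = re.compile(pattern)
    except re.error:
        return False
    return all(rx.search(path) for path in PROBE_PATHS)

def audit(xml_text):
    """Return (bean id, pattern, 'catch-all' | 'scoped') for anonymous grants."""
    root = ET.fromstring(xml_text)
    role = anonymous_role(root)
    findings = []
    for bean in _beans(root):
        source = _props(bean).get("objectDefinitionSource")
        if source is None:
            continue
        for pattern, roles in parse_rules("".join(source.itertext())):
            if role in roles:
                kind = "catch-all" if is_catch_all(pattern) else "scoped"
                findings.append((bean.get("id"), pattern, kind))
    return findings

print(audit(SAMPLE_CONTEXT))
```

A "catch-all" finding corresponds to the rule in step 3, which is what makes every page reachable without a login; "scoped" findings, such as a login page, are usually intended.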

Archana Verma
Helical IT Solutions

Enable CAS in Different Applications

This blog talks about how to enable CAS in different applications.

What is CAS

The Central Authentication Service (CAS) is a single sign-on protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials (such as userid and password) only once. It also allows web applications to authenticate users without gaining access to a user’s security credentials, such as a password. The name CAS also refers to a software package that implements this protocol.

The CAS protocol involves at least three parties: a client web browser, the web application requesting authentication, and the CAS server. It may also involve a back-end service, such as a database server, that does not have its own HTTP interface but communicates with a web application.

When the client visits an application that requires authentication, the application redirects it to CAS. CAS validates the client’s authenticity, usually by checking a username and password against a database (such as Kerberos or Active Directory).

If the authentication succeeds, CAS returns the client to the application, passing along a security ticket. The application then validates the ticket by contacting CAS over a secure connection and providing its own service identifier and the ticket. CAS then gives the application trusted information about whether a particular user has successfully authenticated.

CAS allows multi-tier authentication via proxy address. A cooperating back-end service, like a database or mail server, can participate in CAS, validating the authenticity of users via information it receives from web applications. Thus, a webmail client and a webmail server can both implement CAS.

How CAS Works


  1. A user, via a web browser, requests a resource from a particular web application/service.
  2. The web application/service (via the application’s security mechanism) determines if the user has already been authenticated and authorized to use the application. How the web application does this is up to the web application itself. This is not part of CAS, but it is an important part of web application security. It should be noted that all applications should implement local sessions for managing the interaction between the application and the user. In other words, the application should not interact with CAS for every request made to the application. This would be an inappropriate use of the CAS service. Of course, if a user comes to the web application and the application does not know who the user is, then the application should redirect the user to CAS.

If the user has a local session (authN and authZ) then the user can have access to the resource which was requested.

  3. If the user does not have a local session, then the web application should check to see if the URL contains a CAS ticket. If the URL does not contain a CAS ticket (e.g., …?ticket=QQIMux0k2Em), then the web application needs to redirect the browser to CAS so that the user can get a ticket.
  4. Once the user’s browser gets to CAS, CAS looks to see if the user has already authenticated with CAS. It does this by looking to see if the browser sent a CAS cookie with the request. If the user does not have a cookie, i.e., they have not already authenticated, then CAS presents the user with the login screen.

Upon successful authentication, CAS will look up the user in the LDAP Directory and store the user’s UID in its memory for future reference. After it has done this, it will set a CAS cookie in the user’s browser (this is called a Ticket Granting Cookie), and then redirect the user back to the original service with a ticket.

This ticket is only valid for the service to which CAS redirects the browser, and can only be used once. Also, the ticket is tied to the UID mentioned above.

  5. Once back at the application, the security component of the web application goes through steps 2 and 3 again. This time, however, on step 3, the web application sees that the URL has a ticket. At this point, the web application needs to take that ticket and verify with CAS that it is a legitimate ticket.

Here, the web application makes an https request to CAS (no browser is involved in this transaction). (Note, this can only happen over SSL.)

  6. When CAS receives this request, it validates the ticket with the following two tests:

     1. Is this the first time this ticket is being presented back to CAS?
     2. Is the ticket actually valid for the service listed in the URL?

If both tests are true, then CAS looks up the UID that is associated with the ticket (this was set in step 4) and responds back to the application with a success response and includes the UID of the user.

If either 1 or 2 is false, CAS responds back to the application with a failure response.

As mentioned in step 4, a ticket is only valid for a particular service, and is only valid once. For instance, you would get the failure message above if you took a ticket and asked CAS twice if it is valid. On the first attempt it would be valid – because it was the first time CAS was presented with the ticket – however, on the second attempt, it would not be valid because it was already used. This is done for security reasons.
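
The two validation tests from step 6, as an added example that is not part of the original post or of the CAS server code: a small in-memory model of how a ticket is bound to one service and one UID and consumed on first presentation. The class and method names, the service URLs and the ticket lifetime are assumptions made for illustration; the page itself only describes the single-use and service checks.

```python
import secrets
import time


class CasTicketRegistry:
    """In-memory model of service-ticket issuance and validation."""

    def __init__(self, lifetime_s=10, clock=time.monotonic):
        self._tickets = {}            # ticket -> (uid, service, issued_at)
        self._lifetime_s = lifetime_s  # assumption: short-lived tickets
        self._clock = clock

    def grant(self, uid, service):
        """Step 4: after login, issue a ticket tied to this UID and service."""
        ticket = "ST-" + secrets.token_urlsafe(24)
        self._tickets[ticket] = (uid, service, self._clock())
        return ticket

    def validate(self, ticket, service):
        """Step 6: return (ok, uid, reason) for a back-channel validation."""
        # Test 1: first presentation only. pop() consumes the ticket, so any
        # later presentation of the same value finds nothing.
        record = self._tickets.pop(ticket, None)
        if record is None:
            return (False, None, "unknown or already used ticket")
        uid, bound_service, issued_at = record
        # Test 2: the ticket must have been issued for the calling service.
        if service != bound_service:
            return (False, None, "ticket was issued for a different service")
        if self._clock() - issued_at > self._lifetime_s:
            return (False, None, "ticket expired")
        return (True, uid, "ok")


def demo():
    """Constructed scenario: normal use, a replay, and a cross-service use."""
    cas = CasTicketRegistry()
    app = "https://app.example.org/home"      # constructed service URLs
    other = "https://other.example.org/"
    first_ticket = cas.grant("jdoe", app)
    first = cas.validate(first_ticket, app)
    replay = cas.validate(first_ticket, app)
    second_ticket = cas.grant("jdoe", app)
    wrong_service = cas.validate(second_ticket, other)
    return first, replay, wrong_service


if __name__ == "__main__":
    for result in demo():
        print(result)
```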


Integrate CAS With Applications

Install JA-SIG CAS

  1. Download the CAS server distribution. All the (recent) downloads are available here (either zip or tar).
  2. Exploding that tar.gz, I grabbed the cas-server-3.4.5/modules/cas-server-webapp-3.4.5.war.
  3. Rename the file to cas-web.war.
  4. Copy the war file into the Tomcat webapps directory.
  5. Open http://localhost:8080/cas-web in a browser. You will see the CAS login screen.


Integrate CAS with Liferay

  1. Open Liferay Portal.
  2. Log in as the Admin user.
  3. Select Go To -> Control Panel.
  4. Select Portal Settings in the Portal panel of the left-side menu.
  5. Select Configuration -> Authentication from the right-side menu.
  6. Select the CAS tab.
  7. Fill in the required information.
  8. Save.
  9. Log out from Liferay. You will see the CAS logout screen.
  10. Enter the Liferay server URL (click Sign-in if you don’t see the CAS login screen). Enter the username and password.

NOTE: This CAS server is running on port “5080” and uses the “username=password” technique, so when you go through this process you have to enter a password that is the same as your username. If needed, you can change the CAS login algorithm, or authenticate against LDAP instead.


In my previous blog, I shared how to install Liferay on an existing Tomcat using the Liferay source code. You can find my previous blog here

This blog will be talking about how to install Liferay on Tomcat using a WAR (existing Tomcat).

For this section, I will refer to your Tomcat installation folder as $TOMCAT_HOME. Before you begin, make sure that you have downloaded the latest Liferay war file. If you haven’t downloaded it, you can download it from (find the “Download Wars” section, and the portal dependencies files in the “Dependencies” section).

After downloading, you will get liferay-portal-6.1.x-<date>.war and liferay-portal-dependencies-6.1.x-<date>.zip.

If you have Liferay on your machine, you don’t need to download liferay-portal-dependencies. You can use the same Liferay global library as your portal-dependencies files.

Follow these steps, to install Liferay war in Tomcat:


Create folder $TOMCAT_HOME/lib/ext.


Extract the Liferay dependencies file to $TOMCAT_HOME/lib/ext.

The best way to get the appropriate versions of these files, if you have Liferay on your machine, is to copy all .jar files from $LIFERAY_HOME/lib/ext to $TOMCAT_HOME/lib/ext. (If you follow this step, ignore Step-3 and Step-4.)


Download the Liferay source code and get them from there. Once you have downloaded the Liferay source, unzip it into a temporary folder and copy the following jars from $LIFERAY_SOURCE/lib/development to $TOMCAT_HOME/lib/ext











Make sure the JDBC driver for your database is accessible by Tomcat. Copy JDBC driver for your version of the database server to $TOMCAT_HOME/lib/ext.



Liferay requires an additional jar to manage transactions. You may find this .jar here:


Now, Edit $TOMCAT_HOME/conf/ file. Change this line





Create setenv.bat in $TOMCAT_HOME/bin folder and add these lines:

if exist "%CATALINA_HOME%/[email protected]@/win" (
    if not "%JAVA_HOME%" == "" (
        set JAVA_HOME=
    )

    set "JRE_HOME=%CATALINA_HOME%/[email protected]@/win"
)

set "JAVA_OPTS=%JAVA_OPTS% -Dfile.encoding=UTF8 -Dorg.apache.catalina.loader.WebappClassLoader.ENABLE_CLEAR_REFERENCES=false -Duser.timezone=GMT -Xmx1024m -XX:MaxPermSize=256m"



I am deploying Liferay in the $TOMCAT_HOME/webapps/ROOT folder, so we need to create the directory $TOMCAT_HOME/conf/Catalina/localhost and create a ROOT.xml file in it. Edit this file and populate it with the following contents to set up a portal web application:

<Context path="" crossContext="true">

    <!-- JAAS -->

    <!--
    Uncomment the following to disable persistent sessions across reboots.
    -->
    <!--<Manager pathname="" />-->

    <!--
    Uncomment the following to not use sessions. See the property
    "session.disabled" in
    -->
    <!--<Manager className="" />-->

</Context>




Now, Deploy Liferay.

If you are manually installing Liferay on a clean Tomcat server, delete the contents of the $TOMCAT_HOME/webapps/ROOT directory. This undeploys the default Tomcat home page. Then extract the liferay-portal-6.1.x-<date>.war file to $TOMCAT_HOME/webapps/ROOT.


Start Tomcat by executing $TOMCAT_HOME/bin/

Congratulations on successfully installing and deploying Liferay on Tomcat!

For any confusion, please get in touch with us at Helical IT Solutions

SCD Type 1 Implementation on Pentaho Data Integrator

This blog will talk about SCD Type 1 implementation on Pentaho Data Integrator.

Slowly Changing Dimension Type 1 does not preserve any historical versions of the data.
This methodology overwrites old data with new data, and therefore stores only the most current information. In this article, let’s discuss the step-by-step implementation of SCD Type 1 using Pentaho.
The number of records we store in SCD Type 1 does not increase exponentially, as this methodology overwrites old data with new data.
Create tables in the database for the source and target, and create connections for the database.

Table Input Step:

Drag and drop the Table Input step into the Spoon workspace and set the connection, then click on get select statement.

Then click OK.

Database Lookup:-

Drag and drop the Database Lookup step. Double-click on Database Lookup, set the following properties and then click OK:-

Filter Rows:-

Set the following properties of Filter Rows and click OK.

Select Values:-

Before you work on Select Values, connect the Table Output step and specify all the database fields on the output step.

Table Output :-

Set the following on Update and click OK.

The program should look like the following figure:-


For any other query related to Pentaho Data Integrator, get in touch with us at Helical IT Solutions

Bidyut Kumar

Helical IT Solutions

Change Liferay Database

This blog will talk about how to change liferay database.

Liferay comes with a default database called “HSQL” or “Hypersonic”. This is not meant for production use however! You might need to switch to a real database to use Liferay. This page documents how to change the default database system.

Database configuration in 6.0, 6.1 is the same as 5.2.

If you need to change the database of Liferay, you can choose any database, e.g. MySQL, PostgreSQL etc. You can change the database of Liferay in two ways:

1. If you are installing Liferay, change the database at that time.

2. If you have already installed Liferay, you will have to make some changes.

Change Database:

If you have installed LFR, take backup of your LFR data (called Data Migration).  If you want to take backup of stored LFR data follow these steps:

1. Create a database lportal (or any name) in your database.

2. Login as administrator in LFR.

3. Select Go To –> Control Panel.

4. Select Server –> Server Administration.

5. Select Data Migration Tab

6. Fill all the details (JDBC Driver Class Name, JDBC URL, JDBC User Name, JDBC Password) in text boxes.

(For Postgres SQL DB)


7. Select Execute

Watch the LFR server console; you can see the progress of the data migration. When the process is completed, restart the LFR server.

As you can see in the lportal database, there are lots of tables which contain LFR data.


Connect LFR to database:

Now we have to connect LFR to the database. The configuration of the database is set in a single file. To store the configuration of the database, follow these steps:

1. Open a new text file.

2. Write the configuration of the database, e.g.

For PostgreSQL:



[email protected]@@@


For MySQL:



jdbc.default.username= @@@@

jdbc.default.password= $$$$$


3. Save as in {liferay-home}\{tomcat}\webapps\ROOT\WEB-INF\classes

4. Restart Liferay Server.

Now, LFR database has been changed.


NOTE:   If you are going through the Data Migration process, then the JDBC URL (jdbc:mysql://localhost:3306/lportal in this example) should be the same in both places: when you are doing the Data Migration and when you are writing the configuration in


Sharad Sinha

Helical IT Solutions