An example of the integrated JReport security solution

Since JReport provides an embedded solution, customer usage scenarios will vary. However, there are two general basic types. Now let's take a look at a detailed example:

Here, there are two WebSphere Servers that have integrated JReport RMI server instances and DHTML JSP and Servlets in the WAR. Outside of the Web Application, there are two JReport Stand-alone servers clustered in two separate machines.

In order to make sure that the customer's end user will not be asked to login twice, they implemented External Authorized interface to return the JReport user ID of the session (if the user logs into their portal). Here's how this interface has been implemented:

public class JMAuthorizer implements HttpExternalAuthorized
{ 
public String getExternalAuthorizedUser(String s, HttpServletRequest httpservletrequest)
{
HttpSession httpSession = httpservletrequest.getSession();
String userid = (String)httpSession.getAttribute("authenticated_user");
return userid;
}
//Redirect login window
public boolean handleUnAuthenticatedRequest
(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse,
String s, String s1)
{
try{
httpservletresponse.setContentType("text/html");
PrintWriter printwriter = ServerUtil.getResponseWriter(httpservletresponse);
printwriter.write("\n\t<script language=\"JavaScript\">");
printwriter.write("window.top.location.replace
('http://localhost:8888/login/index.htm');");
printwriter.write("\n\t</script>");
printwriter.close();
}catch(IOException e){
e.printStackTrace();
}return false;
}
public boolean askInvalidate(UserSession usersession)
{
return true;
}
public String getExternalAuthorizedUser(String s, Object obj)
{
System.out.println("getExternalAuthorizedUser(String s, Object obj)>>>");
if(obj instanceof HttpServletRequest)
return getExternalAuthorizedUser(s, (HttpServletRequest)obj);
else
return null;
}
public void notifyLogout(UserSession usersession)
{
}
}

From the implementation above, you can see that the method getExternalAuthorizedUser() is used to get the authentication information from the request. If it finds the authentication information, it will return the user ID accordingly. If the attribute is not in the session, then NULL will be returned, and JReport will not qualify the request. When NULL is returned, another method handleUnAuthenticatedRequst() is called. In this sample, the method handleUnAuthenticatedRequst() returns a different website, and false is returned to prevent the login dialog to be displayed.

Once the user ID is returned by the External Authorized instance, it will be passed to the Authentication Provider via RMI methods to the remote JReport Enterprise Server instance to check if the User ID is valid or not. Here is the way this authenticator provider interface has been implemented:

public class DemoAuthenticationProvider implements AuthenticationProvider {
public boolean isValidUser(String realmName, String userName, String password) 
{
return true;
} 
public boolean isAdminUser(String realmName, String userName) 
{
if (userName.equals("admin")) 
{
return true;
}
return false;
} 
public String changePassword
(String realmName, String implUserName, String userName, String oldPwd, String newPwd) 
{
return null;
}
}

The above implementation assumes that every user ID is valid, and only the user "admin" is the valid admin user. It works without security problems since the customer's end user will not be able to connect to the stand-alone server directly.