in Saiku Analytics

Using Saiku with x509 certificates authentication

So in our company we use eToken authentication (eToken PRO). It works well on Linux and Windows systems (of course for Linux is needed additional settings, but it not so hard) and used widely in our company for authentication in web services.

In Saiku user account is determined automatically according to data from certificate fetched from headers which is sent from the user browser to server. As you know Saiku based on Spring framework, and all things that can be used in Spring can be used in Saiku – x509 certificates support is standard feature of Spring framework. Our configuration is almost the same with a little exceptions.

So in our jboss configuration it’s

Don’t use standard AprLifecycleListener because problems will be with authentication – in some moment it works in some not. When you take away your token from computer TLS session recreates to server with null’ed credentials and when you insert token browser don’t recreates the session. Despite on inserted token in computer TLS session has nulled user because session is not recreated.

It’s a common bug of Firefox and Google Chrome, another browsers we don’t use and I don’t know how it works for them. But it very bad bug, and we should use that configuration of Connector in jboss config.

org.apache.coyote.http11.Http11Protocol has no connection polling for users, and it’s why eToken correctly works with browsers. You can see that table here, comparison of connectorsScreenshot from 2015-03-31 11:51:01

Important to note, that your CA certificates should be in keystore passed in connector configuration because user certificates is checked according to CA certs.

So in saiku configuration there is needed

which should be added to applicationContext-saiku-webapp.xml

And the next thing is setting user storage – we use jdbc, and our configuration is

So as you see it not so hard to use etoken’s and saiku 🙂 When we was used pentaho I also configured it to use etokens, and it works well.

Leave a Reply