Pentaho

Hi,

If I understood correctly your current architecture, you are using a back-end to send POST request to Pentaho web app which in turn returns a jsession cookie which is then forwarded by your application browser so that the request are successfully authenticated?

Try to send the "session-expiry" cookie with the session expiry date and time after in milliseconds after epoch.

This cookie is supposed to be sent by the server in a set-cookie header when you do the authentication from your back-end along with "server-time" and "client-time-offset" cookie. You should include all those cookies in your authenticated requests to make sure that the intended behavior of the Pentaho platform is correct.

As a side note, don't put passwords or cookies in the URL as it raises security vulnerabilities like session fixation or MITM attack, assuming that HTTPS is used... and even worst vulnerabilites if only HTTP is used, like network sniffing.

Best regards

Yes,Your understanding was correctly.Could you please provide me any reference document and example for the same that will really help me to resolve the issue.

Hi,

You can take this two links for a reference:

Authentication from Third-Party Applications - BI Platform - Pentaho Wiki

REST API Reference - Pentaho Documentation

Calls to the server through the http protocol should adhere to RFC 6265 (https://www.ietf.org/rfc/rfc6265.txt) which means, roughly speaking, that Set-Cookie headers sent in a response from the server should be sent as cookies in a Cookie header element in subsequent requests sent to the server.

Best regards

PS: Not sure if this was what you were asking?

Hi I have done back-end authentication and able to authenticate with response_code =302 and location =Pentaho/home.

after this I am accessing pentaho dashboard from browser and getting login popup window.Please help me how can I set the authentication cookies in browser so that I can access dashboard. Please note I am using Iframe to access pentaho dashboard.

below is my authentication code in back-end.

String loginUrl = pantahoBridgePath+"/pentaho/j_spring_security_check";

HttpClient client = new HttpClient();

HttpMethod method = new PostMethod(loginUrl);

NameValuePair[] nameValuePair = new NameValuePair[2];

nameValuePair[0] = new NameValuePair("j_username",dashboardUsername);

nameValuePair[1] = new NameValuePair("j_password",dashboardPassword);

method.setRequestHeader("Content-Type", "x-www-form-urlencoded");

System.out.println("dashboardUsername----------------"+dashboardUsername);

System.out.println("dashboardPassword----------------"+dashboardPassword);

method.setQueryString(nameValuePair);

int responseCode = client.executeMethod(method);

for(Header header: method.getResponseHeaders()){

System.out.println("Header: "+header.getName()+"==="+header.getValue());

}

String locationHeader = method.getResponseHeader("Location").getValue();

String setCookie = method.getResponseHeader("Set-Cookie").getValue();

System.out.println("Response Code=====>"+responseCode);  -------------302

System.out.println("locationHeader=====>"+locationHeader);-----------------Pentaho/home

Please let me know how to set cookies of above authentication in browser .is there any specific format for cookies to set in cookie. Please provide any example .

Have you tried doing all of this in something like Postman -  Postman - Chrome Web Store

I used the browser debugger (network tab) and Postman until getting the calls right, then replicated this in code (Python for me), Java for you.

If possible could you please share your python code for setting authentication cookies in the browser that will help me to better understand and write the similar kind of code in the Java so that i can resolve my issue.

When you do a call to <domain>/pentaho/j_spring_security_check

set XMLHttpRequest.withCredentials to true

Hi, i have similar question around sending parallel api rests in one session and close them once successful....further in detail i am making an api call to an x application and trying to close the session by another api but the session doesnt close...any help!? Can we create a session and making apis calls using that particular session only?​