When authentication and authorization aren't behaving the way you'd like, the first step is to turn on security-related debug output. This involves editing a Log4J configuration file.
There are two general settings in log4j.xml that can affect logging:
- Threshold: Each appender can have a Threshold param. "By setting the threshold value, only log messages matching the threshold setting or above will be logged."
- Root logger priority: "The most important logger you need to configure is the root logger. All loggers inherit their settings from the root logger."
- Make a backup copy of pentaho/WEB-INF/classes/log4j.xml.
- Open log4j.xml. Remove any Threshold param that occurs in any of the appenders (for example PENTAHOFILE or PENTAHOCONSOLE).
- Staying in the same file, find the root logger definition. Add a priority element, or change the existing one, to WARN, ERROR, or FATAL. All loggers will inherit this level except where it is overridden (which is done in the next step).
- Staying in the same file, add the following loggers before the root element. This will enable debug-level output in security-related classes.
Note: When you add category elements, be sure to add them before the root element. Otherwise, you will violate the DTD for log4j.xml.
- Now open pentaho-solutions/system/applicationContext-spring-security-<back-end>.xml where <back-end> is one of memory, jdbc, ldap, or hibernate. Which one you open depends on the type of security back-end you've configured in web.xml. Add a property called hideUserNotFoundExceptions with value false to the bean with id daoAuthenticationProvider. Your modified bean should look like the bean below. Note that the existing property and constructor-arg elements for this bean should be left unmodified.
- Save the file and restart your servlet container or application server.
- When you request a page that is protected but you are not yet logged in, you should see an exception in the log which looks like this:
- When the username and/or password doesn't match what's in the back-end, you should see a log message which looks like this:
- When the username and password match, you should see a log message which looks like the following. After the InteractiveAuthenticationSuccessEvent, one of the filters will show the roles fetched for the authenticated user. Compare these roles to the page-role mapping found in the filterInvocationInterceptor bean in applicationContext-spring-security.xml.
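As an added illustration (not the page's own configuration files), here are the two files after the changes above, with the removed and added elements marked in comments. The Spring Security package name, the bean class attribute and the userDetailsService property are assumptions that depend on the version shipped with your installation.

```xml
<!-- File 1 of 2: pentaho/WEB-INF/classes/log4j.xml, trimmed to the parts the steps touch -->
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">

  <!-- No Threshold param on any appender; otherwise the appender itself
       discards the DEBUG events that the categories below produce. -->
  <appender name="PENTAHOCONSOLE" class="org.apache.log4j.ConsoleAppender">
    <!-- removed: <param name="Threshold" value="INFO"/> -->
    <layout class="org.apache.log4j.PatternLayout">
      <param name="ConversionPattern" value="%d %-5p [%c] %m%n"/>
    </layout>
  </appender>

  <!-- Security-related category, placed BEFORE <root> as the log4j DTD requires.
       The package name is an assumption (Spring Security 2.x; older Acegi-based
       builds would use org.acegisecurity instead). -->
  <category name="org.springframework.security">
    <priority value="DEBUG"/>
  </category>

  <!-- Root logger stays quiet at WARN; only the category above is raised to DEBUG. -->
  <root>
    <priority value="WARN"/>
    <appender-ref ref="PENTAHOCONSOLE"/>
  </root>
</log4j:configuration>

<!-- File 2 of 2: pentaho-solutions/system/applicationContext-spring-security-<back-end>.xml,
     only the bean the steps modify. The class attribute and the userDetailsService
     property are assumptions standing in for whatever the shipped file already has;
     existing property and constructor-arg elements are left as they are. -->
<bean id="daoAuthenticationProvider"
      class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
  <property name="userDetailsService" ref="userDetailsService"/>
  <!-- Debugging aid only: with false, an unknown username surfaces as
       UsernameNotFoundException instead of being folded into BadCredentialsException.
       Restore the default (true) when finished, since the distinction tells a caller
       which usernames exist. -->
  <property name="hideUserNotFoundExceptions" value="false"/>
</bean>
```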