Hitachi Vantara Pentaho Community Wiki

Useful Information

Starting in version 1.6, security is a feature of the Pentaho BI Platform. Prior to this version, security was only available in the Pentaho Professional BI Platform (now called the Subscription Edition).

Furthermore, this document is relevant only to the Pentaho Professional BI Platform version 1.2.1 or later or the Pentaho BI Platform version 1.6 or later. See the Pentaho Professional BI Platform version 1.2.0 security documentation if you're using Pentaho Professional BI Platform version 1.2.0. (You can find the version you are running in several ways: (1) look at the log when the Pentaho BI Platform starts or (2) look at the bottom right of any page within the Pentaho BI Platform.)


Technologies Used

Acegi Security

In the Pentaho BI Platform, security is based on the infrastructure provided by the Acegi Security System for Spring. Because the platform builds on top of Acegi Security, it is highly recommended that readers consult the Acegi Security documentation, specifically the Tutorial Sample.


The online documentation for Acegi Security is for the latest version of Acegi Security. At the time of this writing, the latest version was 1.0.3 while the Pentaho BI Platform is based on 1.0.2. These versions have significant differences and it is not recommended that you use the online documentation. Instead, go to the Acegi Security downloads page and download which when expanded creates a doc directory. Opening index.html with your browser then allows for local browsing of the correct version of Acegi Security.

Spring Framework

Acegi Security is written to take advantage of the Spring Framework so, following that example, the platform leverages the Spring Framework's "dependency injection" capabilities to declaratively configure security. Spring is a huge framework, covering many aspects--including data access objects, MVC, and dependency injection. The platform only directly takes advantage of dependency injection (a.k.a. inversion of control). Essentially, this allows an application deployer to "inject" objects on which the system depends. Because the platform builds on top of Spring, it is highly recommended that readers consult the Spring documentation, specifically the Spring beans XML DTD.


While the Pentaho BI Platform uses Spring 2.0, it does not take advantage of any Spring 2.0 features. Specifically, the Spring bean XML files adhere to the Spring 1.x DTD. This is noted to steer new-to-Spring readers away from XML Schema-based configuration, which the platform does not use.

Security Breakdown

In order to deliver the documentation on security within the platform in manageable chunks, security has been broken down into the areas listed in the table below.

Useful Information

Note that the areas listed below are not necessarily how security is partitioned in terms of configuration files.



Security data access objects

Security data includes usernames, passwords, granted authorities, web resource (URL) protection data, and ACLs for domain objects.


This area is concerned with processing interactive login information (e.g. username and password) and comparing it with data retrieved from the security datastore.

Web resource (URL) authorization

Protecting URLs is a matter of answering, for each user, whether or not they can access each URL (web page). Note that access here is Yes or No--there is no Read or Write granularity. Given an authenticated user, it is the responsibility of web resource authorization to decide whether to allow the page to be accessed.

Domain object authorization

Currently, the only domain objects protected by the platform are solution repository objects (e.g. action sequences). Given an authenticated user, it is the responsibility of domain object authorization to decide whether to allow the requested operation.

Core Security Types

The word "types," as used here, means Java interfaces or classes. Below, the core security types are described. These types are used throughout the platform including the areas of web resource authorization and domain object authorization.


org.acegisecurity.Authentication instances represent authentication requests. When passed to an AuthenticationManager, the request, in the form of an Authentication instance, will be authenticated. If the authentication is successful, a fully populated Authentication instance (including granted authorities) will be returned. If the authentication is unsuccessful, an AuthenticationException will be thrown. For a web-based application, the Authentication is stored between requests in the HTTP session (because the connection is stateless). While processing a request, the Authentication is stored in a SecurityContextHolder.


Each org.acegisecurity.GrantedAuthority instance represents a permission that has been granted to an authenticated user. It can also refer to a role of which the user is a member. That role can then be associated with permissions such as those specified by an ACL.
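The request/response flow described above for Authentication and GrantedAuthority, as an added example (not code from the Pentaho BI Platform or from Acegi Security itself). It assumes Acegi Security 1.0.x on the classpath; the stand-in AuthenticationManager, the account example-user and the authority ROLE_EXAMPLE are constructed for illustration.

```java
import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.AuthenticationManager;
import org.acegisecurity.BadCredentialsException;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;

public class AuthenticationFlowExample {
    // Stand-in manager with one constructed account (assumption for this example);
    // a deployment injects a manager backed by the security datastore instead.
    static final AuthenticationManager MANAGER = new AuthenticationManager() {
        public Authentication authenticate(Authentication request) throws AuthenticationException {
            if (!"example-user".equals(request.getName())
                    || !"example-password".equals(request.getCredentials())) {
                throw new BadCredentialsException("Bad credentials");
            }
            GrantedAuthority[] granted = { new GrantedAuthorityImpl("ROLE_EXAMPLE") };
            // The three-argument constructor yields a token marked as authenticated.
            return new UsernamePasswordAuthenticationToken(
                    request.getPrincipal(), request.getCredentials(), granted);
        }
    };

    static String login(String username, String password) {
        // The two-argument token is only a request: isAuthenticated() is false.
        Authentication request = new UsernamePasswordAuthenticationToken(username, password);
        try {
            Authentication result = MANAGER.authenticate(request);
            SecurityContextHolder.getContext().setAuthentication(result);
            // Code further down the call stack reads the identity from the holder.
            Authentication current = SecurityContextHolder.getContext().getAuthentication();
            StringBuffer roles = new StringBuffer();
            GrantedAuthority[] granted = current.getAuthorities();
            for (int i = 0; i < granted.length; i++) {
                roles.append(granted[i].getAuthority()).append(' ');
            }
            return current.getName() + " -> " + roles.toString().trim();
        } catch (AuthenticationException e) {
            return "rejected: " + e.getMessage();
        } finally {
            // The holder is thread-bound by default; clear it so a pooled thread
            // does not carry this identity into the next request.
            SecurityContextHolder.clearContext();
        }
    }
    public static void main(String[] args) {
        System.out.println(login("example-user", "example-password"));
        System.out.println(login("example-user", "wrong"));
    }
}
```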


Many of the functions that the ACL voter implementations rely on are provided in the class. Specifically, the getAuthentication() method is extremely important because it's used to get the Acegi Security Authentication object that should be bound to the user's session.
