Authentication
icCube is basically deployed as a standard J2EE web application. It exposes a set of servlets for both its user interface and XMLA. Access to these servlets is authenticated using the standard servlet filter mechanism, as defined in the icCube.xml configuration file. This section details the default configuration. For more information about ad-hoc configurations, please consult our forum. Configuring icCube behind the Apache Web Server is explained here. Among other things, it explains how to set up the different servlet filters for that specific use case.
Authentication Service
The authentication service used by the icCube server is configurable. Once set up, it is used by the servlet filters described below. The class of the authentication service is configured as follows:
<icCubeAuthenticationService>
    <service-class>crazydev.iccube.server.authentication.IcCubeAuthenticationService</service-class>
</icCubeAuthenticationService>
Filter Configuration
The filterConfiguration section defines the filters being referenced later in each component configuration.
icCube WEB User Interface (servlet)
Users log into icCube using their user-name and password. Once logged in, users are authorized to access data and application according to their default role. To log in with a specific role, users log in with their user-name and role by replacing "user-name" with "user-name/role-name". The user interface uses HTTP Form Authentication, which is configured in the icCube.xml file as follows:
<gwtServiceComponentConfiguration>
    <filter>GWT Authentication</filter>
</gwtServiceComponentConfiguration>
<filterConfiguration>
    <filter>
        <filter-name>GWT Authentication</filter-name>
        <filter-class>crazydev.iccube.server.authentication.IcCubeGwtAuthenticationServletFilter</filter-class>
        <init-param>
            <param-name>anonymousLogon</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
</filterConfiguration>
Out of the box, this filter uses the user definitions contained in the file icCubeUsers.icc-users, available in the application users directory. The original content of this file is sourced from the file available in the bin directory of the icCube installation directory.
XMLA Interface (servlet)
As with the user interface, users can be authenticated with a specific role: "user-name/role-name". The XMLA interface is authenticated using HTTP Basic Authentication and, out of the box, uses the same user definitions as the UI services described previously.
<xmlaComponentConfiguration>
    <filter>HTTP Basic Authentication</filter>
</xmlaComponentConfiguration>
<filterConfiguration>
    <filter>
        <filter-name>HTTP Basic Authentication</filter-name>
        <filter-class>crazydev.iccube.server.authentication.IcCubeBasicAuthenticationServletFilter</filter-class>
        <init-param>
            <param-name>realm</param-name>
            <param-value>icCube</param-value>
        </init-param>
        <init-param>
            <param-name>anonymousLogon</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
</filterConfiguration>
Windows SSO / XMLA Interface (servlet)
Windows SSO (single sign-on) is supported for the XMLA interface using the following configuration:
<xmlaComponentConfiguration>
    <filter>Windows SSO (waffle)</filter>
    <filter>Windows SSO (adapter)</filter>
</xmlaComponentConfiguration>
<filterConfiguration>
    <filter>
        <filter-name>Windows SSO (waffle)</filter-name>
        <filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>
        <init-param>
            <param-name>principalFormat</param-name>
            <param-value>fqn</param-value>
        </init-param>
        <init-param>
            <param-name>roleFormat</param-name>
            <param-value>both</param-value>
        </init-param>
        <init-param>
            <param-name>allowGuestLogin</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>securityFilterProviders</param-name>
            <param-value>waffle.servlet.spi.NegotiateSecurityFilterProvider</param-value>
        </init-param>
        <init-param>
            <param-name>waffle.servlet.spi.NegotiateSecurityFilterProvider/protocols</param-name>
            <param-value>Negotiate NTLM</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>Windows SSO (adapter)</filter-name>
        <filter-class>crazydev.iccube.server.authentication.IcCubeWindowsSSOAuthenticationServletFilter</filter-class>
        <init-param>
            <param-name>ignoreDomainInPrincipal</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>domainPrincipalSplitter</param-name>
            <param-value>\\</param-value>
        </init-param>
    </filter>
</filterConfiguration>
Google Visualization Interface (servlet)
Two filters are used: the first extracts the username/password from the GVI requests and the second handles logout requests.
<gviComponentConfiguration>
    <url>/icCube/gvi</url>
    <filter>GVI Request Authentication</filter>
    <filter>GVI Authentication (logout)</filter>
</gviComponentConfiguration>
<filterConfiguration>
    <filter>
        <filter-name>GVI Request Authentication</filter-name>
        <filter-class>crazydev.iccube.server.authentication.IcCubeGviRequestAuthenticationServletFilter</filter-class>
        <init-param>
            <param-name>anonymousLogon</param-name>
            <param-value>false</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>GVI Authentication (logout)</filter-name>
        <filter-class>crazydev.iccube.server.authentication.IcCubeGviLogoutAuthenticationServletFilter</filter-class>
    </filter>
</filterConfiguration>
Anonymous Usage
Note that, for the sake of simplicity, anonymous usage of icCube (both for the user interface and XMLA) is available (see the anonymousLogon property in the icCube.xml configuration file). This setup is not recommended for a production environment.
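A pre-deployment check for the anonymous access settings described above, as an added example (not icCube's own tooling): it reports every component whose referenced filter sets anonymousLogon or allowGuestLogin to true. The sample input is constructed, and its <icCube> root element is a placeholder because this page does not show the real root of icCube.xml.

```python
import xml.etree.ElementTree as ET

# Parameters shown on this page that permit unauthenticated or guest access.
RISKY_PARAMS = {"anonymousLogon", "allowGuestLogin"}

# Constructed sample in the shape of the snippets above; the <icCube> root
# element is a placeholder, since the page does not show the real one.
SAMPLE = """<icCube>
  <gwtServiceComponentConfiguration>
    <filter>GWT Authentication</filter>
  </gwtServiceComponentConfiguration>
  <gviComponentConfiguration>
    <filter>GVI Request Authentication</filter>
  </gviComponentConfiguration>
  <filterConfiguration>
    <filter>
      <filter-name>GWT Authentication</filter-name>
      <init-param><param-name>anonymousLogon</param-name><param-value>true</param-value></init-param>
    </filter>
    <filter>
      <filter-name>GVI Request Authentication</filter-name>
      <init-param><param-name>anonymousLogon</param-name><param-value>false</param-value></init-param>
    </filter>
  </filterConfiguration>
</icCube>"""

def audit(xml_text):
    """Return sorted (component, filter-name, param) for risky params set to true."""
    root = ET.fromstring(xml_text)
    enabled = {}  # filter-name -> risky params whose value is "true"
    for flt in root.findall(".//filterConfiguration/filter"):
        name = (flt.findtext("filter-name") or "").strip()
        for param in flt.findall("init-param"):
            key = (param.findtext("param-name") or "").strip()
            val = (param.findtext("param-value") or "").strip().lower()
            if key in RISKY_PARAMS and val == "true":
                enabled.setdefault(name, set()).add(key)
    findings = []
    for comp in root.iter():
        if comp.tag.endswith("ComponentConfiguration"):
            for ref in comp.findall("filter"):
                for key in enabled.get((ref.text or "").strip(), ()):
                    findings.append((comp.tag, ref.text.strip(), key))
    return sorted(findings)

if __name__ == "__main__":
    for comp, name, key in audit(SAMPLE):
        print(f"{comp}: filter '{name}' sets {key}=true")
```

An empty result means no component references a filter with these parameters enabled; run it against the deployed icCube.xml before promoting a configuration to production.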
Next chapter: Authorization describes how to configure the authorization service.