icCube

Default Authentication

This page briefly details the default configuration as configured in the file icCube.xml. Please refer to this file for more details and up to date information.

Authentication Service

This service is using the user definitions as defined in the file icCubeUsers.icc-users available in the application users directory. When starting icCube for the very first time, the initial content of this file is sourced from the file available in the bin directory of the icCube installation directory.

<icCubeAuthenticationService>

    <service-class>crazydev.iccube.server.authentication.IcCubeAuthenticationService</service-class>

        <!--
          Optional parameter to specify whether or not the user names are case sensitive ( value: true | false ).
          Default value is : false.
        -->
        <!--
          <param>
            <name>caseInsensitive</name>
            <value>true</value>
          </param>
        -->

</icCubeAuthenticationService>
    

Anonymous Login

Anonymous login is controlled via a servlet filter init parameter (see below); for the sake of simplicity, it is enabled by default. For production, we strongly advise to disable it and delete the 'anonymous' role as well.

Servlet Filter Configuration

The <filterConfiguration> section defines the filters being referenced later in each component configuration (e.g. XMLA, GVI, etc...).

icCube Web Applications (e.g. IDE, Monitoring, ...)

Users log into icCube using their username and password. Once logged in, users are authorized to access data and applications according to their default role. To log with a specific role, users can log using their username and role simply replacing their "userName" by "userName/roleName". The user interface is using the HTTP Form Authentication that is configured in the icCube.xml file as follows:

<gwtServiceComponentConfiguration>
        <filter>GWT Authentication</filter>
</gwtServiceComponentConfiguration>

<filterConfiguration>
        <filter>
            <filter-name>GWT Authentication</filter-name>
            <filter-class>crazydev.iccube.server.authentication.IcCubeGwtAuthenticationServletFilter</filter-class>
            <init-param>
                <param-name>anonymousLogon</param-name>
                <param-value>true</param-value>
            </init-param>
        </filter>
</filterConfiguration>
    

XMLA

Similarly to the Web user interface, users can be authenticated using a specific role : "userName/roleName". The XMLA interface is authenticated using HTTP Basic Authentication.

<xmlaComponentConfiguration>
        <filter>HTTP Basic Authentication</filter>
</xmlaComponentConfiguration>

<filterConfiguration>
        <filter>
            <filter-name>HTTP Basic Authentication</filter-name>
            <filter-class>crazydev.iccube.server.authentication.IcCubeBasicAuthenticationServletFilter</filter-class>
            <init-param>
                <param-name>realm</param-name>
                <param-value>icCube</param-value>
            </init-param>
            <init-param>
                <param-name>anonymousLogon</param-name>
                <param-value>true</param-value>
            </init-param>
        </filter>
</filterConfiguration>
    

Google Visualization Interface (GVI)

Two filters are being used: the first one is extracting the username/password from the GVI requests and the second one is handling logout requests.

<gviComponentConfiguration>

    <url>/icCube/gvi</url>

    <filter>GVI Request Authentication</filter>
    <filter>GVI Authentication (logout)</filter>

</gviComponentConfiguration>

<filterConfiguration>
        <filter>
            <filter-name>GVI Request Authentication</filter-name>
            <filter-class>crazydev.iccube.server.authentication.IcCubeGviRequestAuthenticationServletFilter</filter-class>
            <init-param>
                <param-name>anonymousLogon</param-name>
                <param-value>false</param-value>
            </init-param>
        </filter>
        <filter>
            <filter-name>GVI Authentication (logout)</filter-name>
            <filter-class>crazydev.iccube.server.authentication.IcCubeGviLogoutAuthenticationServletFilter</filter-class>
        </filter>
</filterConfiguration>
    

Windows Single Sign-On (SSO)

Windows SSO is supported for the XMLA interface using the following configuration:

<xmlaComponentConfiguration>
        <filter>Windows SSO (waffle)</filter>
        <filter>Windows SSO (adapter)</filter>
</xmlaComponentConfiguration>
        
<filterConfiguration>
    <filter>
        <filter-name>Windows SSO (waffle)</filter-name>
        <filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>
        <init-param>
            <param-name>principalFormat</param-name>
            <param-value>fqn</param-value>
        </init-param>
        <init-param>
            <param-name>roleFormat</param-name>
            <param-value>both</param-value>
        </init-param>
        <init-param>
            <param-name>allowGuestLogin</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>securityFilterProviders</param-name>
            <param-value>waffle.servlet.spi.NegotiateSecurityFilterProvider</param-value>
        </init-param>
        <init-param>
            <param-name>waffle.servlet.spi.NegotiateSecurityFilterProvider/protocols</param-name>
            <param-value>Negotiate NTLM</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>Windows SSO (adapter)</filter-name>
        <filter-class>crazydev.iccube.server.authentication.IcCubeWindowsSSOAuthenticationServletFilter</filter-class>
        <init-param>
            <param-name>ignoreDomainInPrincipal</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>domainPrincipalSplitter</param-name>
            <param-value>\\</param-value>
        </init-param>
    </filter>
</filterConfiguration>
    

Windows SSO is as well supported for the other interfaces; please see the icCube.xml for more details.

Latest Features / Servlet Filters

The icCube team is adding new filters based on the customers demand; so please have a look to the icCube.xml file for up-to-date information and/or contact our support should you have any question.



Next chapter : Keycloak Authentication describes keycloak authentication.