Step 10: Update the security file

The default configuration of the Pentaho suite includes an extra layer of protection which prevents certain types of session fixation vulnerabilities. This feature can only be enabled on application servers which support the Java Servlet standard 3.1 and later. Because versions of the JBoss web application server prior to JBoss 7.0 do not support this standard, the following changes are required.In the applicationContext-spring-security.xml file, remove the following beans so Pentaho starts correctly.

Navigate to the pentaho-server/pentaho-solution/system folder and open the applicationContext-spring-security.xml file with a text editor.
Find and remove all occurrences of the following string (including the comma):
```
sessionMgmtFilter,
```

Find and remove the following code:

<bean id="sas" class="org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy" />

Find and remove the following code:


<property name="sessionAuthenticationStrategy" ref="sas" />

Find and remove the following code:

<bean id="httpSessionSecurityContextRepository" class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"/>

Find and remove the following block of code:

<bean id="sessionMgmtFilter" class="org.springframework.security.web.session.SessionManagementFilter"> 
<constructor-arg ref="httpSessionSecurityContextRepository"/> 
<constructor-arg ref="sas"/> 
</bean>

Save and close the file.

PreviousStep 9: Enable JBoss classloader to load classes from Sun JDK NextPrepare JBoss web application servers

Last updated 8 months ago

Was this helpful?