# Spring (authentication providers) security

Spring security is a cascading security implementation that moves down through a list of authentication providers. If the first provider fails to authenticate, then the application looks to the next provider in the list to authenticate. If you are using multiple **AuthenticationProviders** at the same time, you must add each security provider to the `applicationContext.spring.security.xml` file. You must also add provider name values to the **activeUserDetailsService** beans in the `pentahoObjects.spring.xml` file. We recommend that you make a backup of these files before altering them.

## ApplicationContext

Perform the following steps to add security providers to the **ApplicationContext**:

1. Stop the Pentaho Server and the solution repository.
2. Navigate to the `/pentaho-solutions/system` directory and open the `applicationContext-­spring-security.xml` file with any text editor.
3. Locate the following `authenticationManager` bean tags:

   ```xml

   <bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
       <constructor-arg>
         <util:list>
         </util:list>
       <constructor-arg>
   </bean>

   ```
4. Add your **AuthenticationProvider** information below the list tag. The example below adds the `jackrabbit`provider:

   ```xml

   <pen:bean class="org.springframework.security.authentication.AuthenticationProvider">
       <pen:attributes>
       <pen:attr key="providerName" value="jackrabbit"/>
       </pen:attributes>
   </pen:bean> 

   ```
5. Then, add providerName information right beneath the `jackrabbit` information. `LDAP` is used in this example. You can add as many providers as needed:

   ```xml

   <pen:bean class="org.springframework.security.authentication.AuthenticationProvider">
       <pen:attributes>
       <pen:attr key="providerName" value="ldap"/>
       </pen:attributes>
   </pen:bean> 

   ```
6. After you are finished adding **AuthenticationProvider** information, save and close the file.

The following code block is a more complete example of the `authenticationManager` portion of the `applicationContext-­spring-security.xml` file:

```

<!-- ======================== AUTHENTICATION ======================= -->
<bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
    <constructor-arg>
      <util:list>
        <pen:bean class="org.springframework.security.authentication.AuthenticationProvider">
            <pen:attributes>
              <pen:attr key="providerName" value="jackrabbit"/>
            </pen:attributes>
        </pen:bean>
        <pen:bean class="org.springframework.security.authentication.AuthenticationProvider">
            <pen:attributes>
              <pen:attr key="providerName" value="ldap"/>
            </pen:attributes>
        </pen:bean>
      </util:list>
    </constructor-arg>
    <property name="authenticationEventPublisher">
      <ref bean="defaultAuthenticationEventPublisher" />
    </property>
</bean>

```

## Add the Jackrabbit provider

The Jackrabbit provider is required in the `activeUserDetailsService` bean, even if you configure another provider. Perform the following steps to add the Jackrabbit provider to the `activeUserDetailsService` bean:

1. Navigate to the `/pentaho-solutions/system` directory and open the `pentahoObjects.spring.xml` file with any text editor.
2. Locate the `activeUserDetailsService` bean tag:

   ```xml

   <!-- Reference to a bean in one of the applicationContext-pentaho-security-*.xml; selected by configured provider-->
     <pen:bean id="activeUserDetailsService" class="org.springframework.security.core.userdetails.UserDetailsService">
        <pen:attributes>
           <pen:attr key="providerName" value="${security.provider}"/>
        </pen:attributes>
     </pen:bean>

   ```
3. Replace **${security.provider}** with the `jackrabbit` provider value. For example:

   ```xml

   <pen:attr key="providerName" value="jackrabbit"/>

   ```

## Add another provider

Perform the following steps to add more provider names:

1. Duplicate the `activeUserDetailsService` bean shown in Substep 2 of the **Add the Jackrabbit Provider** section.
2. Rename the bean ID, for example: `bean id="activeUserDetailsService2"`
3. Replace the `jackrabbit` value with the new provider value. For example:

   ```xml

   <pen:attr key="providerName" value="ldap"/>

   ```
4. Locate the following `UserDetailsService` bean tags:

   ```xml

   <!-- A composite bean composed of the activeUserDetailsService and systemUserDetailsService -->
     <bean id="UserDetailsService" class="org.pentaho.platform.plugin.services.security.userrole.ChainedUserDetailsService">
       <constructor-arg>
           <list>
             <ref bean="activeUserDetailsService"/>
             <ref bean="systemUserDetailsService"/>
           </list>
       </constructor-arg>
     </bean>

   ```
5. Add your bean ID to the list element. For example:

   ```xml

   <!-- A composite bean composed of the activeUserDetailsService and systemUserDetailsService -->
     <bean id="UserDetailsService" class="org.pentaho.platform.plugin.services.security.userrole.ChainedUserDetailsService">
        <constructor-arg>
            <list>
               <ref bean="activeUserDetailsService"/>
               <ref bean="activeUserDetailsService2"/>
               <ref bean="systemUserDetailsService"/>
            </list>
        </constructor-arg>
    </bean>

   ```
6. Restart the Pentaho Server and solution repository.

## Configure authentication

To configure Web resource authentication to correspond with your user roles in the Pentaho Server, perform the following instructions.

1. Ensure that the Pentaho Server is not currently running; if it is, run the `stop-pentaho` script.
2. Open a Terminal or Command Prompt window and navigate to the `.../pentaho-solutions/system/` directory.
3. Edit the `applicationContext-spring-security.xml` file with a text editor.
4. Find and examine the following property: **\<property name="objectDefinitionSource">**
5. Modify the regex patterns to include your roles.

   The **objectDefinitionSource** property associates URL patterns with roles. **RoleVoter** specifies that if any role on the right hand side of the equals sign is granted to the user, the user may view any page that matches that URL pattern. The default roles in this file are not required. You can replace, delete, or change them in any way that suits you.

You should now have coarse-grained permissions established for user roles.

## Authentication provider examples

| Provider Name | Short Description                                        | Application Context for AuthenticationProvider      |
| ------------- | -------------------------------------------------------- | --------------------------------------------------- |
| Jackrabbit    | Default Pentaho security.                                | `applicationContext-spring-security-jackrabbit.xml` |
| LDAP          | LDAP security                                            | `applicationContext-spring-security-ldap.xml`       |
| JDBC          | JDBC security allows you to use your own security tables | `applicationContext-spring-security-jdbc.xml`       |
| Memory        | In memory authentication                                 | `applicationContext-spring-security-memory.xml`     |