Use case: When a client integrates Helical Insight into their own application, they may want to make sure that users can only view the reports and dashboards embedded in that application. Even if a person inspects the page and finds the Helical Insight BI URL, they should not be able to open any other page.
Below we explain how this can be achieved. It is one of the best practices to follow while integrating, because it adds a further layer of security.
Step 1:- We will create a new role; any user assigned to that role will only be able to access reports and dashboards and will be denied access to any other kind of page. Let us call this new role ROLE_VIEWER and add it to all users whose access needs to be restricted. This is configured in spring_security.xml.
- Open the spring_security.xml file present at “..\hi\apache-tomcat-7\webapps\hi-ee\WEB-INF\classes”
- You will see a list of HTML pages. For all the pages where you want to restrict access, add ROLE_VIEWER in the access attribute.
For your reference, you can download the spring-security.xml file from spring-security.zip here.
- Save the file.
Step 2:- The next step is to create the id for the HTML access denied page in tiles-definitions.xml
- Open tiles-definitions.xml present at \hi\apache-tomcat-7\webapps\hi-ee\WEB-INF\classes
- In this file, we need to define a new template. Access Denied error page is already present in location “/hi/apache-tomcat-7/webapps/hi-ee/WEB-INF/jsp/errorPages/accessdenied.jsp”
- The template definition should refer to this file. The name of the template can be anything of your choice; however, this name will appear in the URL of the access denied page.
- Save the file. For your reference we are also sharing the tiles-definitions.xml file; you can download it from tiles-definitions.zip.
Step 3:- Define the condition for invoking the error page in landing.jsp
- The path of the landing.jsp file is “…hi-ee/WEB-INF/pages/sections/”. landing.jsp defines the landing page shown whenever a user logs in.
- In this page, we define the condition under which the access denied page should be displayed. In this case, whenever the user has the role ROLE_VIEWER and tries to access any page other than a report/dashboard, he should get the access denied page. Even if a user has multiple roles, he is denied access as long as one of those roles is ROLE_VIEWER.
- Whenever a report/dashboard is opened, its URL always contains the file name parameter “&file=”. We check the presence or absence of this parameter to decide whether the access denied page should be displayed.
- Save the file. For reference, the landing.jsp file is also shared here in landing.zip.
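The check described in Step 3, written as an added example scriptlet for landing.jsp (this is illustrative code, not Helical Insight's own landing.jsp). It assumes the Spring Security classes are on the classpath, that report/dashboard URLs carry the "file" parameter as described above, and that the tiles template you defined in Step 2 is reachable as "accessDenied.html" (an assumed name; substitute your own).

```jsp
<%@ page import="org.springframework.security.core.context.SecurityContextHolder" %>
<%@ page import="org.springframework.security.core.Authentication" %>
<%@ page import="org.springframework.security.core.GrantedAuthority" %>
<%
    // Added example: deny ROLE_VIEWER users anything that is not a report/dashboard.
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();

    // A user with several roles is still treated as a viewer if ANY of them is ROLE_VIEWER.
    boolean isViewer = false;
    if (auth != null) {
        for (GrantedAuthority ga : auth.getAuthorities()) {
            if ("ROLE_VIEWER".equals(ga.getAuthority())) {
                isViewer = true;
                break;
            }
        }
    }

    // Report/dashboard URLs always carry "&file=<name>"; anything without it is a non-report page.
    String file = request.getParameter("file");
    boolean isReportUrl = (file != null && !file.trim().isEmpty());

    if (isViewer && !isReportUrl) {
        // "accessDenied.html" is an assumed name: use the template name you defined in tiles-definitions.xml.
        response.sendRedirect(request.getContextPath() + "/accessDenied.html");
        return; // stop rendering the normal landing page
    }
%>
```

Place the scriptlet before any HTML output in landing.jsp, since sendRedirect must run before the response is committed.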
Step 4:- Restart the Helical Insight service.
Step 5:- Define users that will have ROLE_VIEWER as one of their roles. If you are using SSO, then pass ROLE_VIEWER as one of the role parameters within the token.
Now, if any user with the role ROLE_VIEWER accesses a report using its URL, he will see this page:
When he tries to log in to the hi.html page, or to any other page directly, he will get the following error. To change the look and feel of this error page (shown below), you can make changes in the file “accessDenied.html”.