Log Output Analysis
The information you need to look for in pentaho.log in order to troubleshoot security configuration problems should be fairly self-evident. If you are having trouble, consult the examples below.
When you request a page that is protected but you are not yet logged in, you should see an exception in the log which looks like this:
DEBUG [ExceptionTranslationFilter] Access is denied (user is anonymous); redirecting to authentication entry point org.springframework.security.AccessDeniedException: Access is denied
When the user name and/or password doesn't match what's stored in the back end, you should see a log message like this:
WARN [LoggerListener] Authentication event AuthenticationFailureBadCredentialsEvent: suzy; details: org.springframework.security.ui.WebAuthenticationDetails@fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: 976C95033136070E0200D6DA26CB0277; exception: Bad credentials
When the user name and password match, you should see a log message that looks like the example below. After the InteractiveAuthenticationSuccessEvent, one of the filters will show the roles fetched for the authenticated user. Compare these roles to the page-role mapping found in the filterInvocationInterceptor bean in applicationContext-spring-security.xml.
WARN [LoggerListener] Authentication event InteractiveAuthenticationSuccessEvent: suzy; details: org.springframework.security.ui.WebAuthenticationDetails@fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: 976C95033136070E0200D6DA26CB0277 DEBUG [HttpSessionContextIntegrationFilter] SecurityContext stored to HttpSession: 'org.springframework.security.context.SecurityContextImpl@2b86afeb: Authentication: org.springframework.security.providers.UsernamePasswordAuthenticationToken@2b86afeb: Username: org.springframework.security.userdetails.ldap.LdapUserDetailsImpl@d7f51e; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: 976C95033136070E0200D6DA26CB0277; Granted Authorities: ROLE_CTO, ROLE_IS, ROLE_AUTHENTICATED'
If you are troubleshooting LDAP problems, look for log output similar to this:
DEBUG [DirMgrBindAuthenticator] (LoggingInterceptor) Return value: LdapUserInfo: org.springframework.security.providers.ldap.LdapUserInfo@1f31c64[dn=uid=suzy,ou=users,ou=system,attributes={mail=mail: suzy.pentaho@pentaho.org, uid=uid: suzy, userpassword=userpassword: [B@e17c9c, businesscategory=businesscategory: cn=cto,ou=roles,ou=system, cn=is,ou=roles,ou=system, objectclass=objectClass: organizationalPerson, person, groupOfUniqueNames, inetOrgPerson, top, uniquemember=uniquemember: cn=cto, ou=roles, cn = is , ou = roles, sn=sn: Pentaho, cn=cn: suzy}]