All of the report resources that are published to JReport Server are protected by the JReport Server security system. This system is based on maintaining a registered set of users and setting permissions on each resource for each user.
The User data model defines users, as well as their membership in groups and roles. By having groups and roles, the system can apply permissions for a set of users with one transaction.
Resources are objects in resource trees or version tables, such as folders, resources and archive versions. The permission settings control what a given user can do with the resource: whether the resource is visible, and whether it can be read, written, deleted, executed, scheduled, and have its status updated.
JReport Server supports two ways to apply permissions to the set of users. One is the default system of setting permissions for users, groups and roles. The other is role-based definition, in which permissions are defined on roles only, and users and groups are mapped to roles.
When JReport Server is performing runtime security checking for a given user, it will respect the permissions settings and follow the access control rules when processing the service requests.
The JReport Server runtime security checking system is implemented based on a standard set of Security Service method calls. The default implementation provided in JReport Server is based on the data set of users and resources that is stored in JReport Server.
For integration with an existing application that already has a system for managing users and permissions, JReport Server defines the Security Service as a Java interface and allows for an application developer to supply a customized version to replace the default implementation. This allows an existing application to provide a custom version of the Security Service that supports JReport Server runtime security checking based on user data and permissions that are stored outside of JReport Server. In this configuration, the JReport Server admin section for managing users and permissions is not used.
JReport Server can also integrate with an existing application that uses an LDAP system for managing user and group information. JReport Server can be configured to interact with the LDAP system so that information about users and groups can be edited only in the LDAP system. Information about permissions for resources is not part of the LDAP data model. That information continues to be maintained by JReport Server.
Accessing user and permission data by database lookup on each service request may result in many time-consuming IO operations. As a result, the performance of the server security system may be lowered. To improve performance, a cache system exists just above the Security Service. The cache system is used to store security objects including users, groups, roles and access control lists obtained from making calls to the Security Service. This cached data will be used when the same information is needed later.
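A sketch of a read-through cache placed in front of a permission lookup, added here as an illustration and not JReport Server's own code. The `AclSource` interface, the `AclCache` class, the time-to-live and the sample data are hypothetical and not part of the JReport API; the demo shows that a permission revoked in the backing store is still honoured from the cache until the entry expires or is invalidated.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical stand-in for a Security Service lookup (not the JReport API).
interface AclSource {
    Set<String> permissionsFor(String user, String resource);
}

// Read-through cache with a time-to-live and explicit invalidation.
final class AclCache {
    private record Key(String user, String resource) {}
    private record Entry(Set<String> permissions, long loadedAt) {}
    private final AclSource source;
    private final long ttlMillis;
    private final Map<Key, Entry> entries = new ConcurrentHashMap<>();

    AclCache(AclSource source, long ttlMillis) {
        this.source = source;
        this.ttlMillis = ttlMillis;
    }

    boolean isAllowed(String user, String resource, String permission, long now) {
        Key key = new Key(user, resource);
        Entry e = entries.get(key);
        if (e == null || now - e.loadedAt() >= ttlMillis) {
            // Miss or expired entry: reload from the authoritative store.
            e = new Entry(Set.copyOf(source.permissionsFor(user, resource)), now);
            entries.put(key, e);
        }
        return e.permissions().contains(permission);
    }

    // Call when the backing store reports a change for this user.
    void invalidateUser(String user) {
        entries.keySet().removeIf(k -> k.user().equals(user));
    }
}

public class AclCacheDemo {
    public static void main(String[] args) {
        // Constructed sample data: alice holds "read" on one report until it is revoked.
        Map<String, Set<String>> store = new ConcurrentHashMap<>();
        store.put("alice|/reports/q1", Set.of("read"));
        AclCache cache = new AclCache((u, r) -> store.getOrDefault(u + "|" + r, Set.of()), 60_000);
        System.out.println(cache.isAllowed("alice", "/reports/q1", "read", 0));     // loaded from store
        store.remove("alice|/reports/q1");                                          // revoked in the store
        System.out.println(cache.isAllowed("alice", "/reports/q1", "read", 1_000)); // served from cache
        cache.invalidateUser("alice");
        System.out.println(cache.isAllowed("alice", "/reports/q1", "read", 2_000)); // reloaded from store
    }
}
```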
The following is a diagram of the JReport Server security system structure:
Go through the following topics for details about the server security system: