Wednesday, July 31, 2013

IIS 8 Odd Compression, Is It Intended?

I just encountered odd compression behaviour in IIS 8 when I did testing for MaxLogistix. I don't know whether it's intended by the maker but I think it's not right. In IIS 7 when I enable static content compression, .css files are compressed but .js (javascript) files are not. I've read this article and still don't understand why Microsoft think that javascript is NOT static content (but css is static content, I've tried to change javacript MIME type to text/javascript but the result is same) so that I must enable dynamic content compression to make javascript files compressed in IIS. But right now in IIS 8, I'm shocked! Both of them (.css and .js) are TREATED as DYNAMIC content!

This is what I've done and I've found:
IIS version: 8


I added a new website
Add new site

Compression was disabled
No compression

And yes, transfer size = file size, nothing wrong
Working perfectly

Then I enabled static content compression
Enable static content compression

But still had same result, no matter how I tried to restart IIS server, restart application pool, restart site, and clear browser cache.
Static compression not working

Temporary folder used to store compressed files still empty
Empty temp folder

I tried enabling dynamic content compression
Enabling dynamic content compression

After restart IIS, restart application pool, restart site, and clear browser cache, tada... it's working!
Dynamic content compression is working

And temporary folder was as clean as before
Still empty temp folder

Monday, July 29, 2013

Fordiso in Google Maps

Today I received a post card from Google addressed to Fordiso (I'm working there at CTO). Actually I received two letters because I made a mistake and deleted previous location. From this experience, it seems that Google automates the sending letter process and doesn't bother about small details like this.

Letter from Google

I received this card because about two weeks ago I changed Fordiso office location in Google Maps. We have moved our office from Kebon Jeruk, Jakarta to Alam Sutera, Tangerang a year ago but we forgot to also change its location in Google Maps. When I changed its location, Google sent a verification card to our new location. The instruction to verified the changes is written on that card.

Google Maps instruction

Now I'm waiting Google for reviewing the changes and making the changes happened (several more weeks according to Google).

Pending map

Friday, July 26, 2013

MaxLogistix Blog (the story)

Finally my company (Fordiso) launched MaxLogistix Blog. This blog will be used for sharing anything about MaxLogistix. It's been 4 years since the first version of MaxLogistix (now it's the third version) created by my team with support from our founder: Mr. Benjamin Bunawidjaja (IMS group) and his co-founder: Mr. Untung Kurniawan (Surfgold). 4 years ago I also had a plan to share what we've done in MaxLogistix and what MaxLogistix can do for increasing the efficiency of warehousing business, but in that time we were to busy with technical things and the time goes on and we still had no blog at all. Now we have more people in our team and finally we made the plan from 4 years ago comes true (yeah!).

Thanks to Wordpress and it's tons of plugins, we can make a nice designed blog. We use a responsive theme, a social media plugin, a recaptcha plugin, and a SEO plugin. For me this is a new thing I love to explore. One thing I found about Wordpress and Blogger: Blogger has more mobile friendly view than the theme we used in Wordpress, but Wordpress has advantage in term of feature (thanks to tons of plugins). You can compare my blog and MaxLogistix blog. Please feel free to add some comments in those two blogs.

Thursday, July 25, 2013

Pentaho Single Sign On (SSO) using CAS (tutorial)

In previous story I share about my journey in +MaxLogistix project to implement SSO in Pentaho using CAS. In this article I share completely, step by step how to implement Single Sign On/Out (SSO) using CAS. In this tutorial I use Windows, D:\pentaho\biserver-ce\tomcat\ as my tomcat folder, and D:\pentaho\biserver-ce\pentaho-solutions\ as my pentaho solutions folder.
  1. Download CAS Server. Choose the latest version (3.5.2) and extract cas-server-webapp-3.5.2.war from modules folder. Rename it to cas.war and copy that file to D:\pentaho\biserver-ce\tomcat\webapps\. When Tomcat is running, it will extract that file to new folder named cas.

    Also extract cas-server-support-jdbc-3.5.2.jar from modules folder and copy that file to D:\pentaho\biserver-ce\tomcat\webapps\cas\WEB-INF\lib\.

    And copy commons-dbcp-1.4.jar and commons-pool-1.5.7.jar from D:\pentaho\biserver-ce\tomcat\webapps\pentaho\WEB-INF\lib\ to D:\pentaho\biserver-ce\tomcat\webapps\cas\WEB-INF\lib\

  2. Download CAS Client. Choose latest version (cas-client-core-3.2.1.jar) and copy that file to D:\pentaho\biserver-ce\tomcat\webapps\pentaho\WEB-INF\lib\

  3. Download Spring Security CAS Client version 2.0.5. Place that file in D:\pentaho\biserver-ce\tomcat\webapps\pentaho\WEB-INF\lib\

  4. Create security certificate.
  5. Run as administrator this command in command prompt (cmd).

     "%JAVA_HOME%"\bin\keytool -delete -alias tomcat -keypass changeit  
     "%JAVA_HOME%"\bin\keytool -genkey -alias tomcat -keypass changeit -keyalg RSA  
     "%JAVA_HOME%"\bin\keytool -export -alias tomcat -keypass changeit -file server.crt  
     "%JAVA_HOME%"\bin\keytool -import –alias tomcat -file server.crt -keypass changeit -keystore "%JAVA_HOME%"\jre\lib\security\cacerts  

  6. Edit server.xml in D:\pentaho\biserver-ce\tomcat\conf\

  7. Add this part

     <Connector URIEncoding="UTF-8" port="8443"  
       protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"  
       maxThreads="150" scheme="https" secure="true"keystoreFile="D:/Fabian/.keystore"  
       keyAlias="tomcat" keystorePass="changeit"  
       truststoreFile="C:/Program Files/Java/jdk1.7.0_10/jre/lib/security/cacerts" clientAuth="false"  
       sslProtocol="TLS" />  

    Before this part

     <!-- Define an AJP 1.3 Connector on port 8009 -->  
     <Connector URIEncoding="UTF-8" port="8009" protocol="AJP/1.3" redirectPort="8443" />  

    Change yellow highlighted part according to user profile and JDK path.

  8. Edit in D:\pentaho\biserver-ce\tomcat\webapps\cas\WEB-INF

  9. Change this part  

    With this part  

  10. Edit cas.servlet.xml in D:\pentaho\biserver-ce\tomcat\webapps\cas\WEB-INF

  11. Comment this part

       <webflow:listener ref="terminateWebSessionListener" />   

    Become this

       <webflow:listener ref="terminateWebSessionListener" />   

  12. Edit deployerConfigContext.xml in D:\pentaho\biserver-ce\tomcat\webapps\cas\WEB-INF

  13. Replace or comment this part

     <bean class="" />  

    With this part

     <bean class="org.jasig.cas.adaptors.jdbc.SearchModeSearchDatabaseAuthenticationHandler">  
       <property name="tableUsers"><value>Users</value></property>  
       <property name="fieldUser"><value>user_name</value></property>  
       <property name="fieldPassword"><value>pwdhash</value></property>  
       <property name="dataSource" ref="dataSource"/>  
       <property name="passwordEncoder">  
         <bean class="org.jasig.cas.authentication.handler.DefaultPasswordEncoder" p:characterEncoding="UTF-16LE" >  
           <constructor-arg index="0" value="SHA1" />  

    Highlighted part is database table setting used for authentication. For this tutorial I use Users table with users_name as user id field and pwdhash as password field. Password encoded by SHA1 method. Encoding UTF-16LE used by Microsoft SQL Server (yes, it's not UTF-16 like in other database engine).

    Still in the same file, add this part

     <bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource">  
       <property name="driverClassName">  
       <property name="url">  
       <property name="username"><value>authentication</value></property>  
       <property name="password"><value>test123</value></property>  

    Before this part (last line)


    It is database configuration. I use SQL Server with jtds driver and authentication and test123 as database username and password and MainDB as database name. Copy jtds-1.3.1.jar from D:\pentaho\biserver-ce\tomcat\lib\ to D:\pentaho\biserver-ce\tomcat\webapps\cas\WEB-INF\lib\

  14. Create new file named applicationContext-spring-security-cas.xml in D:\pentaho\biserver-ce\pentaho-solutions\system\ and copy paste this code to that file.

  15.  <?xml version="1.0" encoding="UTF-8"?>  
     <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "">  
     <beans default-autowire="no" default-dependency-check="none" default-lazy-init="false">  
          <bean id="filterChainProxy" class="" autowire="default" dependency-check="default" lazy-init="default">  
               <property name="filterInvocationDefinitionSource">  
          <bean id="serviceProperties" class="" autowire="default" dependency-check="default" lazy-init="default">  
               <property name="service" value="http://localhost:8080/pentaho/j_spring_cas_security_check"/>  
               <property name="sendRenew" value="false"/>  
          <bean id="casProcessingFilter" class="" autowire="default" dependency-check="default" lazy-init="default">  
               <property name="authenticationManager">  
                    <ref bean="authenticationManager"/>  
               <property name="authenticationFailureUrl" value="/public/casFailed"/>  
               <property name="defaultTargetUrl" value="/"/>  
               <property name="filterProcessesUrl" value="/j_spring_cas_security_check"/>  
          <bean id="casSingleSignOutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter" />  
          <bean id="casSingleSignOutHttpSessionListener" class="org.jasig.cas.client.session.SingleSignOutHttpSessionListener" />  
          <bean id="exceptionTranslationFilter" class="" autowire="default" dependency-check="default" lazy-init="default">  
               <property name="authenticationEntryPoint">  
                    <ref local="casProcessingFilterEntryPoint"/>  
               <property name="accessDeniedHandler">  
                    <bean class="" />  
          <bean id="casProcessingFilterEntryPoint" class="" autowire="default" dependency-check="default" lazy-init="default">  
               <property name="loginUrl" value="https://localhost:8443/cas/login"/>  
               <property name="serviceProperties">  
                    <ref local="serviceProperties"/>  
          <bean id="authenticationManager" class="" autowire="default" dependency-check="default" lazy-init="default">  
               <property name="providers">  
                         <ref bean="anonymousAuthenticationProvider"/>  
                         <ref bean="casAuthenticationProvider"/>  
          <bean id="casAuthenticationProvider" class="">  
               <property name="userDetailsService">  
                    <ref bean="userDetailsService"/>  
               <property name="serviceProperties">  
                    <ref local="serviceProperties"/>  
               <property name="ticketValidator">  
                    <ref local="ticketValidator"/>  
               <property name="key" value="my_password_for_this_auth_provider_only"/>  
          <bean id="ticketValidator" class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator" autowire="default" dependency-check="default" lazy-init="default">  
               <constructor-arg index="0" value="https://localhost:8443/cas"/>  
          <bean id="logoutFilter" class="" autowire="default" dependency-check="default" lazy-init="default">  
               <constructor-arg value="https://localhost:8443/cas/logout"/>  
                         <bean class=""/>  
                         <bean class=""/>  
               <property name="filterProcessesUrl" value="/Logout"/>  
          <bean id="loggerListener" class="" />  
          <bean id="basicProcessingFilter" class="">  
               <property name="authenticationManager">  
                    <ref local="authenticationManager" />  
               <property name="authenticationEntryPoint">  
                    <ref local="basicProcessingFilterEntryPoint" />  
          <bean id="basicProcessingFilterEntryPoint" class="">  
               <property name="realmName" value="Pentaho Realm" />  
          <bean id="requestParameterProcessingFilter" class="">  
               <property name="authenticationManager">  
                    <ref local="authenticationManager" />  
               <property name="authenticationEntryPoint">  
                    <ref local="requestParameterProcessingFilterEntryPoint" />  
          <bean id="requestParameterProcessingFilterEntryPoint" class="" />  
          <bean id="pentahoSecurityStartupFilter" class="">  
               <property name="injectAnonymous" value="true" />  
          <bean id="anonymousProcessingFilter" class="">  
               <property name="key" value="foobar" />  
               <property name="userAttribute" value="anonymousUser,Anonymous" />  
          <bean id="anonymousAuthenticationProvider" class="">  
               <property name="key" value="foobar" />  
          <bean id="httpSessionContextIntegrationFilter" class="" />  
          <bean id="securityContextHolderAwareRequestFilter" class="" />  
          <bean id="httpSessionReuseDetectionFilter" class="">  
               <property name="filterProcessesUrl" value="/j_spring_security_check" />  
               <property name="sessionReuseDetectedUrl" value="/Login?login_error=2" />  
          <bean id="httpRequestAccessDecisionManager" class="">  
               <property name="allowIfAllAbstainDecisions" value="false" />  
               <property name="decisionVoters">  
                         <ref bean="roleVoter" />  
          <bean id="filterInvocationInterceptor" class="">  
               <property name="authenticationManager">  
                    <ref local="authenticationManager" />  
               <property name="accessDecisionManager">  
                    <ref local="httpRequestAccessDecisionManager" />  
               <property name="objectDefinitionSource">  

  16. Edit pentaho-spring-beans.xml in D:\pentaho\biserver-ce\pentaho-solutions\system\

  17. Change this part

     <import resource="applicationContext-spring-security.xml" />  

    Become this part

     <import resource="applicationContext-spring-security-cas.xml" />  

  18. Edit web.xml in D:\pentaho\biserver-ce\tomcat\webapps\pentaho\WEB-INF

  19. Add this part

       <filter-name>CAS Single Sign Out Filter</filter-name>  

    Before this part

     <filter> <!-- This must be the first filter listed in the web.xml -->  
       <filter-name>Set Character Encoding Filter</filter-name>  

    Add this part

       <filter-name>CAS Single Sign Out Filter</filter-name>  

    Before this part

       <filter-name>Set Character Encoding Filter</filter-name>  

    Add this part


    After this part


  20. Restart tomcat and open http://localhost:8080/pentaho, we will be redirected to https://localhost:8443/cas/login?service=http%3A%2F%2Flocalhost%3A8080%2Fpentaho%2Fj_spring_cas_security_check. Now when you log in/out from CAS, you will be logged in/out from all application you integrated with CAS.

  21. Let's have a drink and party! ;)

Wednesday, July 24, 2013

Pentaho Single Sign On (SSO) using CAS (story)

I wrote in previous post that passing username and password via parameter in Pentaho to show report viewer is a bad thing. Why? It's obvious that technique is not secure because anybody can read clearly username and password and can use it to get any information from your Pentaho BI Server. So, how if I want to integrate Pentaho to my application but I don't want to do double login: one login for my application and another login for Pentaho? We can use a technique called Single Sign On so that ANY application can be accessed only from one time login. I'm using this technique for developing +MaxLogistix: a low cost cloud warehouse management system.

I have read these 2 articles as my reference:
Those articles are good and very informative but... I found that these articles are not complete enough because there is some lost informations in one of them that given in another. So that I followed instructions in those articles and tried by myself which part is working and which part is not. The result is finally I can login to Pentaho using CAS.

So... is the problem solved? Sadly... not yet! There is one problem has not been solved by those articles. The problem is I can login to Pentaho using CAS and when I logged out from Pentaho, CAS status is also logged out, but.... Pentaho status still logged in eventhough I logged out from CAS. So the new problem I encountered is also SSO, not Single Sign ON but Single Sign OUT!

Well then I spent about a month trying to figure out what's wrong with my configuration. I read Pentaho forum, wiki, and any articles that explains about SSO. Even I was trying to replace spring-security library with the new one, but it didn't work because new spring-security library needs new version of spring library. And when I was trying to replace spring library in Pentaho with the new one, I just knew that I must refactor and recompile ALL Pentaho module with that new library. For me it's very frustating and I almost gave up.

And suddenly I found the solution in these 2 articles provided by itself ( is an organization that manage CAS development)
The conclusion I got from those articles is... CAS Single Sign Out Filter must be in the first order to make Single Sign Out work perfectly. I will share a tutorial how to use CAS to implement SSO in Pentaho.

Tuesday, July 23, 2013

Embed Pentaho Report Viewer to Web Application using URL Rewrite

One thing that is very important for any web application is reporting module. Pentaho Community Edition has powerful capabilities to make any reports and we can just use it as reporting module in our web application. Of course we don't want to open a new window to show Pentaho Report Viewer, it makes users feel that reporting is a different web application, outside our application. We want to embed Pentaho Report Viewer in our web application so that users can easily access report from just one window. I do this in my project as a CTO in +Fordiso (a supply chain IT company based in Indonesia: +MaxLogistix, a low cost cloud warehouse management system.

The most common trick is using iframe and passing username and password parameter.
For example: I created test.html

 Hello, this page is showing Pentaho Report Viewer  
 <iframe width="1300" height="600"  
      src="http://localhost:8080/pentaho/content/reporting/reportviewer/report.html?solution=steel-wheels&path=%2Freports&name=Inventory.prpt&userid=joe&password=password" />  

And I tried to deploy test.html to localhost and open in Chrome, it works!

Pentaho Report Viewer in Chrome
But the problem is... when I opened that same page in Firefox, it shown blank iframe and I have encountered error in Firebug: Permission denied to access property 'mantle_initialized'.

Permission denied in Firefox
After spending several days to find out about this problem, I learned that Firefox doesn't allow cross domain scripting. Because test.html in localhost and Pentaho server in localhost:8080, technically they are placed in different domain so that scripting between these two domain is forbidden.

Now what? Can we just use Chrome and only Chrome? Of course not! I can't just force my users using Chrome. Web application is designed for running in all browser, not only one specific browser! So the journey began. I spent several days more to find the solution for this problem in Pentaho forum, wiki, stackoverflow, blogs, and in many sites I have found in Google. But I found no answer. I found only the very same question! LOL!

In my journey, I found a blog that suggests to directly show output of the report in a specific format (html, pdf, xls, etc):
I appreciate this suggestion but I didn't want to use that because it will make me create a module to show and export reports. Moreover, it doesn't solve paging issue that we will encounter using its suggestion.

I also found that there is a technique to inject iframe to page using div and javascript so that cross domain script can be run. One of that technique is EasyXDM. I tried that technique but... it didn't work for Pentaho Report Viewer. Yes, iframe has been injected to consumer div but the same problem still occured. I learned that Pentaho Report Viewer also uses iframe, maybe it's why easyXDM technique didn't work.

Finally, I read that cross domain scripting can be avoided by using proxy server or url rewrite. This technique is mapping another domain to same domain folder so that cross domain scripting can be converted to same domain scripting.

In Apache we can use mod_proxy, the detail can be read in
(I haven't tried this so that I can't give any comment)

In IIS we can use 4 IIS Extensions mentioned in

Then we enable Proxy Server in IIS explained in below pictures

2 final step to embed Pentaho Report Viewer:
1. Add rewrite rule in web.config.

 <?xml version="1.0" encoding="UTF-8"?>  
         <rule name="pentaho" stopProcessing="true">  
           <match url="^pentaho/(.*)" />  
           <action type="Rewrite" url="http://localhost:8080/pentaho/{R:1}" />  

2. Edit test.html so that iframe will load same domain URL.

 Hello, this page is showing Pentaho Report Viewer  
 <iframe width="1300" height="600"  
      src="http://localhost/pentaho/content/reporting/reportviewer/report.html?solution=steel-wheels&path=%2Freports&name=Inventory.prpt&userid=joe&password=password" />  

The result is.... voila! Now Pentaho Report Viewer can be embedded in our web application AND can be opened in any browser. Life is good... :)

Pentaho Report Viewer in Firefox
Finished? Not yet, because passing username and password without encryption is a bad thing. I want to implement Single Sign On (SSO) using CAS Server so that my web application and Pentaho will use same authentication. I will share the trick after I fix some problem I encountered with CAS ticket.

Thank you.