
[BACKLOG-48179]-Enable browser based authentication for connecting to repository from PDI#10460

Draft
SahithiKommagani6 wants to merge 1 commit into pentaho:master from SahithiKommagani6:master

Conversation

SahithiKommagani6 (Contributor) commented Mar 9, 2026

BACKLOG-48179-Enable browser based authentication for connecting to repository from PDI

Copilot AI review requested due to automatic review settings March 9, 2026 06:03
@SahithiKommagani6 SahithiKommagani6 requested a review from a team as a code owner March 9, 2026 06:03
Copilot AI (Contributor) left a comment


Pull request overview

Enables browser-based (SSO) authentication for connecting to Pentaho Enterprise Repository (PUR) from PDI by capturing a browser session (JSESSIONID), persisting it per server, and reusing it across repository/web-service clients with improved session-expiry detection and retry flows.

Changes:

  • Add session/auth infrastructure (SpoonSessionManager, AuthenticationContext, session strategy + factory) and a local HTTP callback flow (BrowserAuthenticationService) to capture JSESSIONID via the user’s browser.
  • Integrate browser-auth and session-expiry recovery into repository connection UI flows and PUR web-service clients (cookie-based auth, retries, reconnect UX).
  • Add/extend tests across UI and plugin modules for auth/session behaviors and the new helper utilities.

Reviewed changes

Copilot reviewed 50 out of 50 changed files in this pull request and generated 9 comments.

Summary per file (path, then description):
ui/src/test/java/org/pentaho/di/ui/spoon/session/SpoonSessionManagerTest.java Tests singleton + per-server auth-context caching and default-port keying.
ui/src/test/java/org/pentaho/di/ui/spoon/session/SessionBasedAuthStrategyTest.java Tests session credential storage/lookup, markers, and keying.
ui/src/test/java/org/pentaho/di/ui/spoon/session/AuthenticationStrategyFactoryTest.java Tests strategy registry, normalization, and defaults.
ui/src/test/java/org/pentaho/di/ui/repository/repositoryexplorer/controllers/MainControllerTest.java Tests session-expiry routing logic in repository explorer controller.
ui/src/test/java/org/pentaho/di/ui/repository/repositoryexplorer/controllers/LazilyInitializedControllerTest.java Tests lazy-init behavior with session-expiry handling and retry/UX paths.
ui/src/test/java/org/pentaho/di/ui/repository/exception/RepositoryExceptionUtilsTest.java Tests centralized session-expiry detection heuristics and recursion guards.
ui/src/test/java/org/pentaho/di/ui/repo/service/BrowserAuthenticationServiceTest.java Tests callback server/browser-auth flow, parsing, and error handling.
ui/src/main/java/org/pentaho/di/ui/spoon/session/SpoonSessionManager.java Singleton manager for per-server AuthenticationContext caching.
ui/src/main/java/org/pentaho/di/ui/spoon/session/SessionBasedAuthStrategy.java Stores JSESSIONID + marker per server (strategy implementation).
ui/src/main/java/org/pentaho/di/ui/spoon/session/AuthenticationStrategyFactory.java Registry/factory for authentication strategies (default SESSION).
ui/src/main/java/org/pentaho/di/ui/spoon/session/AuthenticationStrategy.java Strategy interface for auth implementations.
ui/src/main/java/org/pentaho/di/ui/spoon/session/AuthenticationContext.java High-level API for auth ops + session validation/cleanup helpers.
ui/src/main/java/org/pentaho/di/ui/spoon/dialog/SaveProgressDialog.java Adds repository directory recovery attempt before saving after reconnect.
ui/src/main/java/org/pentaho/di/ui/spoon/delegates/SpoonDBDelegate.java Hardens variable initialization and adds DB dialog reset hook for recovery.
ui/src/main/java/org/pentaho/di/ui/repository/repositoryexplorer/controllers/SecurityController.java Refactors lost-repo handling to retry initialization after session recovery.
ui/src/main/java/org/pentaho/di/ui/repository/repositoryexplorer/controllers/MainController.java Adds session-expiry handling path (relogin + retry) and centralized detection.
ui/src/main/java/org/pentaho/di/ui/repository/repositoryexplorer/controllers/LazilyInitializedController.java Adds session-expiry detection and delegation to MainController.
ui/src/main/java/org/pentaho/di/ui/repository/exception/RepositoryExceptionUtils.java New utility to detect session-expiry/auth-failure across exception types/causes.
ui/src/main/java/org/pentaho/di/ui/repository/controllers/RepositoriesController.java Adds browser-auth login flow for PUR SSO repos (via callback service).
ui/src/main/java/org/pentaho/di/ui/repository/RepositorySecurityUI.java Avoids showing security error dialog for session-expiry exceptions.
ui/src/main/java/org/pentaho/di/ui/repository/RepositoriesHelper.java Connect path recognizes the session-auth password marker.
ui/src/main/java/org/pentaho/di/ui/repo/service/BrowserAuthenticationService.java Implements browser open + local HTTP callback server capturing session info.
plugins/repositories/core/src/test/java/org/pentaho/di/ui/repo/util/PurRepositoryUtilsTest.java Tests new PUR utility functions (type checks + URL extraction).
plugins/repositories/core/src/test/java/org/pentaho/di/ui/repo/timeout/SessionTimeoutHandlerTest.java Extends timeout handler tests for session-expiry UX paths.
plugins/repositories/core/src/test/java/org/pentaho/di/ui/repo/menu/RepositoryConnectMenuTest.java Tests SSO branch selection and callback-driven repository connect flow.
plugins/repositories/core/src/main/java/org/pentaho/di/ui/repo/util/PurRepositoryUtils.java New helper for PUR identification + reflection-based server URL extraction.
plugins/repositories/core/src/main/java/org/pentaho/di/ui/repo/timeout/SessionTimeoutHandler.java Adds session-expiry reconnect UX + optional browser re-auth before fallback login.
plugins/repositories/core/src/main/java/org/pentaho/di/ui/repo/timeout/RepositorySessionTimeoutHandler.java Adds explicit session-expiry interception and reconnect-with-retry logic.
plugins/repositories/core/src/main/java/org/pentaho/di/ui/repo/menu/RepositoryConnectMenu.java Adds auth-method-based connect (SSO vs username/password) and browser-auth flow.
plugins/repositories/core/src/main/java/org/pentaho/di/ui/repo/dialog/RepositoryManagerDialog.java Adds context menu + connect logic for browser login where supported.
plugins/repositories/core/src/main/java/org/pentaho/di/ui/repo/dialog/PentahoEnterpriseRepoFormComposite.java Adds UI to configure auth method (SSO vs username/password) in repo metadata.
plugins/repositories/core/src/main/java/org/pentaho/di/ui/repo/controller/RepositoryConnectController.java Adjusts reconnect behavior to avoid prompts/closures during relogin.
plugins/pur/core/src/test/java/org/pentaho/di/repository/pur/PurRepositoryMetaTest.java Adds coverage for new authMethod persistence/serialization.
plugins/pur/core/src/test/java/org/pentaho/di/repository/pur/PurRepositoryConnectorTest.java Adds coverage for session-auth connect behavior using stored JSESSIONID.
plugins/pur/core/src/test/java/com/pentaho/di/purge/RepositoryCleanupUtilTest.java Adds coverage for session-auth HTTP client setup via JSESSIONID cookie.
plugins/pur/core/src/main/java/org/pentaho/di/repository/pur/WebServiceManager.java Adds cookie-based auth (JSESSIONID) for SOAP/REST clients when available.
plugins/pur/core/src/main/java/org/pentaho/di/repository/pur/UserRoleDelegate.java Uses cookie auth when available for managed/unmanaged checks.
plugins/pur/core/src/main/java/org/pentaho/di/repository/pur/UnifiedRepositoryInvocationHandler.java Prioritizes auth/session-expiry detection and throws auth exception early.
plugins/pur/core/src/main/java/org/pentaho/di/repository/pur/PurRepositoryMeta.java Adds authMethod field persisted to XML/JSON and populated from UI properties.
plugins/pur/core/src/main/java/org/pentaho/di/repository/pur/PurRepositoryConnector.java Adds session-auth branch: uses stored JSESSIONID, avoids password decrypt, skips username fetch.
plugins/pur/core/src/main/java/org/pentaho/di/repository/pur/PurRepository.java Re-throws KettleAuthenticationException to preserve session-expiry signaling.
plugins/pur/core/src/main/java/com/pentaho/di/purge/RepositoryCleanupUtil.java Adds session-auth support by registering a cookie request filter when enabled.
plugins/engine-configuration/impl/src/test/java/org/pentaho/di/engine/ui/RunConfigurationDelegateTest.java Adds tests for session-expiry retry handling in run configuration operations.
plugins/engine-configuration/impl/src/main/java/org/pentaho/di/engine/ui/RunConfigurationPopupMenuExtension.java Routes actions through session-aware loadAnd* helpers.
plugins/engine-configuration/impl/src/main/java/org/pentaho/di/engine/ui/RunConfigurationDelegate.java Adds generic “execute with session retry” wrapper + session-expiry UI handling.
plugins/engine-configuration/impl/src/main/java/org/pentaho/di/engine/configuration/impl/pentaho/scheduler/SchedulerRequest.java Adds cookie-based session auth header for scheduler requests when applicable.
Comments suppressed due to low confidence (1)

plugins/engine-configuration/impl/src/main/java/org/pentaho/di/engine/configuration/impl/pentaho/scheduler/SchedulerRequest.java:100

  • isSessionAuth is treated as true when the repository password is null/empty. That can result in sending neither a session cookie nor a Basic auth header (and silently continuing), changing behavior for cases where an empty password is valid/expected or where basic auth should still be attempted. Consider restricting session-auth behavior to the explicit SESSION_AUTH_PASSWORD marker and otherwise falling back to Basic auth only when both username and password are present.
      boolean isSessionAuth = AuthenticationContext.SESSION_AUTH_PASSWORD.equals( password )
                              || ( password == null || password.isEmpty() );

      if ( isSessionAuth ) {
        try {
          AuthenticationContext authContext =
            SpoonSessionManager.getInstance().getAuthenticationContext( baseUrl );

          String jsessionId = authContext.getJSessionId();
          if ( jsessionId != null && !jsessionId.trim().isEmpty() ) {
            httpPost.setHeader( "Cookie", "JSESSIONID=" + jsessionId );
          }
        } catch ( Exception e ) {
          LogChannel.GENERAL.logError( "Error setting session auth header", e );
        }
      } else if ( username != null ) {
        byte[] encoding;
        try {
          String userPass = username + ":" + password;
          encoding = Base64.getEncoder().encode( userPass.getBytes( UTF_8 ) );
          httpPost.setHeader( AUTHORIZATION, "Basic " + new String( encoding ) );
        } catch ( UnsupportedEncodingException e ) {

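The selection logic Copilot flags above, rewritten the way the comment suggests, as an added example that is not code from the PR or from the Pentaho project: the session path is entered only on the explicit marker, a missing cached JSESSIONID is an error instead of a request that carries no credentials at all, and Basic auth is used only when username and password are both present (an empty but non-null password is sent as-is, so the server rather than the client decides whether it is acceptable). The class name `AuthHeaderSelector`, the `SessionLookup` interface, `MissingCredentialsException` and the marker value are assumptions; the real PR keys cached sessions through `SpoonSessionManager` and reads the marker from `AuthenticationContext.SESSION_AUTH_PASSWORD`.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not PR code): choose the auth header for an outgoing scheduler request.
 * The session branch is taken only on the explicit marker; a null or empty password
 * no longer silently selects it.
 */
public final class AuthHeaderSelector {

    /** Marker stored in the password slot for browser/session-authenticated repositories
     *  (assumed name and value; stands in for AuthenticationContext.SESSION_AUTH_PASSWORD). */
    public static final String SESSION_AUTH_PASSWORD = "<session-auth-marker>";

    /** Thrown instead of sending a request with no credentials at all. */
    public static final class MissingCredentialsException extends Exception {
        public MissingCredentialsException( String message ) { super( message ); }
    }

    /** Stand-in for the per-server session cache (the PR uses SpoonSessionManager). */
    public interface SessionLookup {
        String jsessionIdFor( String baseUrl );
    }

    public static Map<String, String> selectAuthHeaders( String baseUrl, String username, String password,
                                                         SessionLookup sessions ) throws MissingCredentialsException {
        Map<String, String> headers = new LinkedHashMap<>();

        // 1. Session auth only when the caller explicitly asked for it via the marker.
        if ( SESSION_AUTH_PASSWORD.equals( password ) ) {
            String jsessionId = sessions.jsessionIdFor( baseUrl );
            if ( jsessionId == null || jsessionId.trim().isEmpty() ) {
                // The flagged code continued with no Cookie header; fail instead so the
                // caller can trigger the browser login again.
                throw new MissingCredentialsException(
                    "Session auth selected for " + baseUrl + " but no JSESSIONID is cached" );
            }
            headers.put( "Cookie", "JSESSIONID=" + jsessionId.trim() );
            return headers;
        }

        // 2. Basic auth only when both parts are present. An empty (non-null) password is
        //    sent as-is, so servers that accept it keep working instead of the client dropping auth.
        if ( username != null && !username.isEmpty() && password != null ) {
            String userPass = username + ":" + password;
            String encoded = Base64.getEncoder().encodeToString( userPass.getBytes( StandardCharsets.UTF_8 ) );
            headers.put( "Authorization", "Basic " + encoded );
            return headers;
        }

        // 3. Nothing usable: surface it rather than continuing with no Authorization header.
        throw new MissingCredentialsException( "No session marker and no username/password for " + baseUrl );
    }

    public static void main( String[] args ) {
        // Constructed session cache: only one server has a cached browser session.
        Map<String, String> cache = new LinkedHashMap<>();
        cache.put( "https://pentaho.example/pentaho", "A1B2C3" ); // constructed sample id
        SessionLookup sessions = cache::get;

        String[][] cases = {
            { "https://pentaho.example/pentaho", "admin", SESSION_AUTH_PASSWORD }, // Cookie header
            { "https://other.example/pentaho",   "admin", SESSION_AUTH_PASSWORD }, // rejected: nothing cached
            { "https://pentaho.example/pentaho", "admin", "password" },            // Basic header
            { "https://pentaho.example/pentaho", "admin", "" },                    // Basic with empty password
            { "https://pentaho.example/pentaho", "admin", null },                  // rejected (was session auth before)
        };
        for ( String[] c : cases ) {
            try {
                System.out.println( c[0] + " user=" + c[1] + " -> " + selectAuthHeaders( c[0], c[1], c[2], sessions ) );
            } catch ( MissingCredentialsException e ) {
                System.out.println( c[0] + " user=" + c[1] + " -> rejected: " + e.getMessage() );
            }
        }
    }
}
```

The difference from the flagged snippet is in the null/empty case: it now raises, which lets the timeout/relogin handlers described in the file summary react, instead of the request going out with no credentials and the failure only showing up as a 401 later.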

Copilot AI (Contributor) left a comment


Pull request overview

Copilot reviewed 50 out of 50 changed files in this pull request and generated 11 comments.



@buildguy

This comment has been minimized.


@hitachivantarasonarqube commented:

Quality Gate failed

  • B Reliability Rating on New Code (is worse than A)
  • 39.80% Coverage on New Code (is less than 80.00%)
  • 8 New Issues (is greater than 0)

Project ID: org.pentaho.di:pdi


@buildguy (Collaborator) commented:

🚨 Frogbot scanned this pull request and found the below:

📦 Vulnerable Dependencies

✍️ Summary

SEVERITY | DIRECT DEPENDENCIES                      | IMPACTED DEPENDENCY                      | FIXED VERSIONS           | CVES
Critical | com.tinkerpop:frames:2.5.0               | org.codehaus.groovy:groovy 1.8.9         | [2.4.8]                  | CVE-2016-6814
Critical | com.tinkerpop:frames:2.5.0               | org.codehaus.groovy:groovy 1.8.9         | [2.4.4]                  | CVE-2015-3253
High     | org.apache.activemq:activemq-mqtt:5.18.7 | org.apache.activemq:activemq-mqtt 5.18.7 | [5.19.2] [6.1.9] [6.2.1] | CVE-2025-66168

🔬 Research Details

[ CVE-2016-6814 ] org.codehaus.groovy:groovy 1.8.9

Description:
When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.

[ CVE-2015-3253 ] org.codehaus.groovy:groovy 1.8.9

Description:
The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object.

[ CVE-2025-66168 ] org.apache.activemq:activemq-mqtt 5.18.7

Description:
Apache ActiveMQ does not properly validate the remaining length field which may lead to an overflow during the decoding of malformed packets. When this integer overflow occurs, ActiveMQ may incorrectly compute the total Remaining Length and subsequently misinterpret the payload as multiple MQTT control packets which makes the broker susceptible to unexpected behavior when interacting with non-compliant clients. This behavior violates the MQTT v3.1.1 specification, which restricts Remaining Length to a maximum of 4 bytes. The scenario occurs on established connections after the authentication process. Brokers that are not enabling mqtt transport connectors are not impacted.

This issue affects Apache ActiveMQ: before 5.19.2, 6.0.0 to 6.1.8, and 6.2.0

Users are recommended to upgrade to version 5.19.2, 6.1.9, or 6.2.1, which fixes the issue.

Note:

Frogbot also supports Contextual Analysis, Secret Detection, IaC and SAST Vulnerabilities Scanning. These features are included as part of the JFrog Advanced Security package, which isn't enabled on your system.


@buildguy (Collaborator) commented:

❌ Build failed in 1h 6m 55s

Build command:

mvn clean verify -B -e -Daudit -Djs.no.sandbox -pl \
plugins/engine-configuration/impl,plugins/pur/core,plugins/repositories/core,ui

⛔ Failed Tests

⛈️ 2 test(s) failed:

org.pentaho.di.ui.repo.menu.RepositoryConnectMenuTest.testOpenBrowserLogin_Timeout_ShowsTimeoutMessage


Argument(s) are different! Wanted:
messageBox.setText(
    "Authentication Error"
);
-> at org.eclipse.swt.widgets.Dialog.setText(Dialog.java:271)
Actual invocations have different arguments:
messageBox.setText(
    "Authentication Failed"
);
-> at org.pentaho.di.ui.repo.menu.RepositoryConnectMenu.showErrorDialog(RepositoryConnectMenu.java:328)
messageBox.setMessage(
    "Sign-in did not complete in time.

Please try again and finish authentication in your browser.
If the browser did not open, open it manually and check your network connection."
);
-> at org.pentaho.di.ui.repo.menu.RepositoryConnectMenu.showErrorDialog(RepositoryConnectMenu.java:329)
messageBox.open(
    
);
-> at org.pentaho.di.ui.repo.menu.RepositoryConnectMenu.showErrorDialog(RepositoryConnectMenu.java:330)

org.pentaho.di.ui.repo.menu.RepositoryConnectMenuTest.testOpenBrowserLogin_AuthFails_ShowsError


Argument(s) are different! Wanted:
messageBox.setText(
    "Authentication Error"
);
-> at org.eclipse.swt.widgets.Dialog.setText(Dialog.java:271)
Actual invocations have different arguments:
messageBox.setText(
    "Authentication Failed"
);
-> at org.pentaho.di.ui.repo.menu.RepositoryConnectMenu.showErrorDialog(RepositoryConnectMenu.java:328)
messageBox.setMessage(
    "Unable to complete browser sign-in.

Details: Server unreachable"
);
-> at org.pentaho.di.ui.repo.menu.RepositoryConnectMenu.showErrorDialog(RepositoryConnectMenu.java:329)
messageBox.open(
    
);
-> at org.pentaho.di.ui.repo.menu.RepositoryConnectMenu.showErrorDialog(RepositoryConnectMenu.java:330)

Tests run: 1056, Failures: 2, Skipped: 1


ℹ️ This is an automatic message
