Securing BIRT Reports
Hello All,
I am using BIRT with a Flex/ColdFusion front end, MySQL backend, and deployed to JBoss. Currently a user logs into the web application (Flex), gets authenticated (Flex-ColdFusion), and then can select reports, and which phone numbers to run reports on. Each number has an ID, and this is all passed in a URL call to the BIRT viewer.
Currently, if a user were to save that URL, they could effectively run that same report whether or not they have been logged in. They could also make changes to the parameters and run it for a number they may not have access to.
So here is my question, which is really two-part:
1. How can I lock down my BIRT viewer so that only authenticated users can run reports?
2. How can I prevent people from running reports on objects they do not have access to?
Question number 2 I have an idea for already, I'm just looking to see what other people are doing. I figure I could do a join on the permissions table for the report and user (once I know who that user is -- currently there is no user since BIRT isn't using any security).
If you know of any documents or examples that would be awesome. Any and all suggestions welcome and of course appreciated.
Thanks,
Amanda
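
The permissions-table join described for question 2, as an added example that is not part of the original post and is not BIRT's own code. It uses Python's `sqlite3` as a stand-in for the MySQL backend; the table names, column names and user ids are hypothetical, and it assumes the user id is taken from the authenticated server-side session rather than from the report URL.

```python
import sqlite3

# Constructed schema and data; every table and column name is hypothetical.
SCHEMA = """
CREATE TABLE calls (number_id INTEGER, seconds INTEGER);
CREATE TABLE permissions (user_id INTEGER, number_id INTEGER,
                          PRIMARY KEY (user_id, number_id));
INSERT INTO calls VALUES (1, 60), (1, 30), (2, 45), (3, 10);
INSERT INTO permissions VALUES (100, 1), (100, 2), (200, 3);
"""

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def run_report(conn, session_user_id, requested_ids):
    """Total call seconds per number, limited to numbers the user may see.

    session_user_id must come from the server-side session, never from
    the report URL. requested_ids are the untrusted URL parameters.
    """
    ids = [int(i) for i in requested_ids]   # non-numeric ids raise ValueError
    if not ids:
        return []
    marks = ",".join("?" * len(ids))        # placeholders only, no user data
    return conn.execute(
        f"""SELECT c.number_id, SUM(c.seconds)
            FROM calls c
            JOIN permissions p
              ON p.number_id = c.number_id AND p.user_id = ?
            WHERE c.number_id IN ({marks})
            GROUP BY c.number_id
            ORDER BY c.number_id""",
        [session_user_id, *ids],
    ).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(run_report(db, 100, ["1", "2"]))  # both numbers belong to user 100
    print(run_report(db, 100, ["1", "3"]))  # number 3 is filtered out
```

Because the join is keyed on the session's user id, editing the number ids in a saved URL returns no rows for numbers that user has no permission row for.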