BIRT Exchange Forum: Securing BIRT Reports - BIRT Exchange Forum


Securing BIRT Reports

#1 DreamCoder

  • Member
  • Group: Members
  • Posts: 45
  • Joined: 30-April 09

Posted 24 June 2009 - 01:11 PM

Hello All,

I am using BIRT with a Flex/Coldfusion front end, mysql backend, and deployed to JBoss. Currently a user logs into the web application (Flex), gets authenticated (Flex-Coldfusion), and then can select reports, and which phone numbers to run reports on. Each number has an ID, and this is all passed in a URL call to the Birt-viewer.

Currently, if a user were to save that URL, they could effectively run that same report whether or not they have been logged in. They could also make changes to the parameters and run it for a number they may not have access to.

So here is my question, which is really two part:

1. How can I lock down my BIRT viewer so that only authenticated users can run reports.

2. How can I prevent people from running reports on objects they do not have access to.

Question number 2 I have an idea for already, I'm just looking to see what other people are doing. I figure I could do a join on the permissions table for the report and user (once I know who that user is -- currently there is no user since birt isn't using any security).

If you know of any documents or examples that would be awesome. Any and all suggestions welcome and of course appreciated.

Thanks,
Amanda

#2 DreamCoder

  • Member
  • Group: Members
  • Posts: 45
  • Joined: 30-April 09

Posted 26 June 2009 - 11:50 AM

I've been thinking about possibilities... I establish an authenticated session using ColdFusion... does anyone know of a way to get my hands on that session from inside BIRT? I imagine I should be able to do it using Java... I'm just not sure how. If I could get a hold of the session information I would be able to get permission type stuff, as well as verify this is an authenticated request.

Thanks,
Amanda

#3 DreamCoder

  • Member
  • Group: Members
  • Posts: 45
  • Joined: 30-April 09

Posted 21 July 2009 - 02:08 PM

Just in case anyone is ever looking for ideas, I figured I would post my solution to my problem:

Once a user has logged into my application and is authenticated, I store an MD5 hash 'login_key' in the Flex user model. This key is created by ColdFusion and saved into a table that logs the association of user_id to that key.

When the user runs a report, I pass their login_key in the URL parameters. I have a J2EE filter that grabs it, runs a query first to see if it's valid, and then verifies that the user_id associated with that key actually has access to the report parameters it is requesting (just in case some users make some changes to the URL string). I added my new filter jar file (aptly named BirtSecurityProject.jar) to /usr/jboss/latest/server/default/, and then updated the web.xml file found in /usr/jboss/latest/server/deploy/birt-viewer.war/WEB-INF with the following:

    <filter>
        <filter-name>ViewerFilter</filter-name>
        <filter-class>org.eclipse.birt.report.filter.ViewerFilter</filter-class>
    </filter>

    <filter>
        <filter-name>SecurityFilter</filter-name>
        <filter-class>com.mycompany.security.BirtSecurityFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>ViewerFilter</filter-name>
        <servlet-name>ViewerServlet</servlet-name>
    </filter-mapping>

    <filter-mapping>
        <filter-name>SecurityFilter</filter-name>
        <servlet-name>ViewerServlet</servlet-name>
    </filter-mapping>

As long as the user is authenticated and passes the check, then reports run fine, otherwise they get a nice "you fail" message :)

Thanks,
Amanda
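An added example (not the poster's BirtSecurityProject.jar code) of what a filter like the one described above can look like: it reads login_key and the requested number ID from the viewer URL, checks both against the database in one parameterised query, and only lets the request reach the ViewerServlet when the key is valid and its user_id is permitted for that number. The JNDI datasource name, the table and column names (login_keys, number_permissions, expires_at) and the report parameter name number_id are assumptions for illustration.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

public class BirtSecurityFilter implements Filter {
    private DataSource ds;

    public void init(FilterConfig cfg) throws ServletException {
        try { // JNDI name is an assumption; match the datasource defined in JBoss
            ds = (DataSource) new InitialContext().lookup("java:/ReportDS");
        } catch (NamingException e) { throw new ServletException(e); }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String key = http.getParameter("login_key");
        String numberId = http.getParameter("number_id"); // assumed report parameter name
        if (key == null || numberId == null || !authorised(key, numberId)) {
            // Reject before the BIRT viewer sees the request; nothing runs without a valid key
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN, "you fail");
            return;
        }
        chain.doFilter(req, res);
    }

    // One query does both checks: the key exists and has not expired, and the user it belongs to
    // is linked to the requested number in the permissions table (assumed schema).
    private boolean authorised(String key, String numberId) throws ServletException {
        String sql = "SELECT 1 FROM login_keys k JOIN number_permissions p ON p.user_id = k.user_id "
                   + "WHERE k.login_key = ? AND k.expires_at > NOW() AND p.number_id = ?";
        try (Connection c = ds.getConnection(); PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, key);      // bound parameters, so an edited URL cannot alter the query
            ps.setString(2, numberId);
            try (ResultSet rs = ps.executeQuery()) { return rs.next(); }
        } catch (SQLException e) { throw new ServletException(e); }
    }

    public void destroy() {}
}
```

The filter must be mapped to ViewerServlet in web.xml as shown in the post, and it only works if every report parameter that identifies a protected object is checked the same way.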
