Securing BIRT Reports
DreamCoder
Hello All,
I am using BIRT with a Flex/Coldfusion front end, mysql backend, and deployed to JBoss. Currently a user logs into the web application (Flex), gets authenticated (Flex-Coldfusion), and then can select reports, and which phone numbers to run reports on. Each number has an ID, and this is all passed in a URL call to the Birt-viewer.
Currently, if a user were to save that URL, they could effectively run that same report whether or not they have been logged in. They could also make changes to the parameters and run it for a number they may not have access to.
So here is my question, which is really two part:
1. How can I lock down my BIRT viewer so that only authenticated users can run reports?
2. How can I prevent people from running reports on objects they do not have access to?
Question number 2 I have an idea for already, I'm just looking to see what other people are doing. I figure I could do a join on the permissions table for the report and user (once I know who that user is -- currently there is no user since birt isn't using any security).
If you know of any documents or examples that would be awesome. Any and all suggestions welcome and of course appreciated.
Thanks,
Amanda
Comments
DreamCoder
I've been thinking about possibilities... I establish an authenticated session using ColdFusion... does anyone know of a way to get my hands on that session from inside BIRT? I imagine I should be able to do it using Java... I'm just not sure how. If I could get hold of the session information I would be able to get permission-type stuff, as well as verify this is an authenticated request.
Thanks,
Amanda
DreamCoder
Just in case anyone is ever looking for ideas, I figured I would post my solution to my problem:
Once a user has logged into my application and is authenticated, I store an MD5 hash 'login_key' in the Flex user model. This key is created by ColdFusion and saved into a table that logs the association of user_id to that key.
When the user runs a report, I pass their login_key in the URL parameters. I have a j2ee filter that grabs it, runs a query first to see if it's valid, and then to verify the user_id associated with that key actually has access to the report parameters it is requesting (just in case some users make some changes to the url string). I added my new filter jar file (aptly named BirtSecurityProject.jar) to /usr/jboss/latest/server/default/, and then updated the web.xml file found in /usr/jboss/latest/server/deploy/birt-viewer.war/WEB-INF with the following:
    <filter>
        <filter-name>ViewerFilter</filter-name>
        <filter-class>org.eclipse.birt.report.filter.ViewerFilter</filter-class>
    </filter>
    <filter>
        <filter-name>SecurityFilter</filter-name>
        <filter-class>com.mycompany.security.BirtSecurityFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>ViewerFilter</filter-name>
        <servlet-name>ViewerServlet</servlet-name>
    </filter-mapping>
    <filter-mapping>
        <filter-name>SecurityFilter</filter-name>
        <servlet-name>ViewerServlet</servlet-name>
    </filter-mapping>
As long as the user is authenticated and passes the check, then reports run fine; otherwise they get a nice "you fail" message.
Thanks,
Amanda
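For readers who want to see what the filter Amanda describes looks like in code, here is an added example of a servlet filter that performs the same two-step check (is the login_key valid, and may that user see the requested object). It is not Amanda's BirtSecurityProject code and is not part of the BIRT viewer. The class name and package are taken from the web.xml snippet above; everything else is an assumption: the JNDI datasource name, the table names (login_keys and user_phones), the URL parameter name for the phone ID (phone_id), and the key lifetime.

```java
package com.mycompany.security; // package and class name as declared in the web.xml above

import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Timestamp;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

public class BirtSecurityFilter implements Filter {
    // Assumed JNDI name of the JBoss datasource that holds the key and permission tables.
    private static final String DATASOURCE_JNDI = "java:/MyAppDS";
    // Assumed names of the URL parameters the Flex front end appends to the viewer URL.
    private static final String KEY_PARAM = "login_key";
    private static final String PHONE_PARAM = "phone_id";
    // Assumed key lifetime: a saved URL stops working once its key is older than this.
    private static final long KEY_MAX_AGE_MILLIS = 8L * 60 * 60 * 1000;

    private DataSource dataSource;

    @Override
    public void init(FilterConfig config) throws ServletException {
        try {
            dataSource = (DataSource) new InitialContext().lookup(DATASOURCE_JNDI);
        } catch (NamingException e) {
            throw new ServletException("datasource lookup failed", e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String loginKey = request.getParameter(KEY_PARAM);
        String phoneId = request.getParameter(PHONE_PARAM);
        if (loginKey == null || phoneId == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "missing login_key or phone_id");
            return;
        }

        try (Connection conn = dataSource.getConnection()) {
            // Step 1: is the key valid, and which user does it belong to?
            Integer userId = lookupUser(conn, loginKey);
            if (userId == null) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "invalid or expired login_key");
                return;
            }
            // Step 2: may that user run reports on the object named in the URL?
            if (!userMayViewPhone(conn, userId, phoneId)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "no access to requested phone number");
                return;
            }
        } catch (SQLException e) {
            // Fail closed: a database error must not let the report through.
            throw new ServletException("security check failed", e);
        }
        chain.doFilter(req, res); // both checks passed; hand off to the BIRT viewer servlet
    }

    /** Returns the user_id bound to a still-valid key, or null.
     *  Assumed table: login_keys(user_id, login_key, created_at). */
    static Integer lookupUser(Connection conn, String loginKey) throws SQLException {
        Timestamp oldestAllowed = new Timestamp(System.currentTimeMillis() - KEY_MAX_AGE_MILLIS);
        String sql = "SELECT user_id FROM login_keys WHERE login_key = ? AND created_at > ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, loginKey);      // bound parameters: the URL value never reaches the SQL text
            ps.setTimestamp(2, oldestAllowed);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? Integer.valueOf(rs.getInt("user_id")) : null;
            }
        }
    }

    /** Object-level check: is this phone number assigned to this user?
     *  Assumed table: user_phones(user_id, phone_id). */
    static boolean userMayViewPhone(Connection conn, int userId, String phoneId) throws SQLException {
        String sql = "SELECT 1 FROM user_phones WHERE user_id = ? AND phone_id = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setInt(1, userId);
            ps.setString(2, phoneId);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    @Override
    public void destroy() {
    }
}
```

Two design points worth noting. First, the permission check keys on the user_id recovered from the database, never on anything in the URL, so editing the query string (Amanda's second concern) cannot change whose permissions are consulted. Second, binding created_at into the key lookup means a bookmarked viewer URL goes stale on its own after the assumed lifetime, which addresses the "saved URL still works" problem from the original post. Servlet filters run in the order their filter-mapping elements appear in web.xml, so listing the SecurityFilter mapping before the ViewerFilter mapping would reject a bad request before the viewer filter does any work.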