use jsapi secure

bcmp

<p>Really appreciate, if some one could share the ways to use jspai securely. What really meant is, for actuate.intialize(url, request options, username, password, callback) when the password is supplied it is visible by viewing the source.</p>
<p> </p>
<p>By the way, the application has its own login mechanism and do understand single sign on needs to be implemented.</p>
<p> </p>
<p>But anyways when the password field is supplied, it will be visible in the source of the page.</p>
<p> </p>
<p>Are there any ways to keep the password secured. Also are there any other ways to integrate birt reports into web applications apart from jsapi.</p>
<p> </p>
<p> </p>

Clement Wong

<p>Ideally, you should be using SSO and implement the Information Console Security Extension (ICSE).  This way you would be able to pass null for the username and password in the JSAPI .initialize or .authenticate call.<br><br>
If you had to do it without SSO, there some alternatives of not passing the actual password value in the JSAPI .initialize or .authenticate call.  The password is a JavaScript string so it can be replaced with a JavaScript variable or evaluation such as form.input_password.value.  <br><br>
HTML5 has a feature called web storage (<a data-ipb='nomediaparse' href='; One of your application pages (after your application login) can set the password in a session storage. <br><br><span style="font-family:'courier new', courier, monospace;">if(typeof(Storage) !== "undefined") {<br>
    sessionStorage.password = "password";<br>
} else {<br>
    // Sorry! No Web Storage support..<br>
}</span><br><br>
Then in your JSAPI page, you can:<br><br><span style="font-family:'courier new', courier, monospace;">    actuate.authenticate(url, reqOps, sessionStorage.username, sessionStorage.password, null, JSAPI_Loaded, JSAPI_NotLoaded);</span><br><br>
    <br>
To include BIRT content in an application without SSO, it is not necessary to use JSAPI.  It is possible to use another mechanism to log in using the Login Servlet (/loginservlet) in an AJAX call.  Then you can use JSAPI passing in null as the username and password because the user has been logged into Information Console.  Instead of embedding via JSAPI, you can just call reports or dashboard via URL.  For example, via /executereport.do, /iv, or /dashboard.  These items could open in a new tab/window or in an iframe.<br><br>
Example:<br><br><br><span style="font-family:'courier new', courier, monospace;"><!DOCTYPE html><br>
<html><br>
<body><br>
<h2>Loginservlet AJAX example</h2><br><br>
<form name="myform"><br>
        Username: <input type="text" size="25" id="userid"><br><br>
    Password: <input type="password" size="25" id="password"><br><br><br>
    <input type="button" value="Login" onClick="doLogin();"><br>
</form><br><br>
<script><br>
function doLogin() {<br>
  var xhttp = new XMLHttpRequest();<br>
  xhttp.onreadystatechange = function() {<br>
    if (xhttp.readyState == 4 && xhttp.status == 200) {<br>
      status = xhttp.responseXML.getElementsByTagName("Status")[0].childNodes[0].nodeValue;<br>
      if (status == "Succeeded")<br>
        {<br>
            alert ('Succeeded');<br>
        }<br>
        else<br>
        {<br>
            alert ('Failed');<br>
        }<br>
    }<br>
  };<br><br>
  xhttp.open("POST", "<a href="http://yourserver:8700/iportal/loginservlet?">http://yourserver:8700/iportal/loginservlet?",</a>true); <br>
  xhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");<br>
  debugger;<br>
  xhttp.send("userid=" + document.forms["myform"]["userid"].value + "&password=" + document.forms["myform"]["password"].value );<br>
}<br>
</script><br><br>
</body><br>
</html></span><br><br>
 </p>