Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
1.9k views
in Technique[技术] by (71.8m points)

security - Protect BIRT's report

I can prevent users opening BIRT report from website that I built. But considering the report's link still in browser's history, any user from this computer still able to open the report by calling the link from history, for instance.

How to prevent the link of BIRT's report stays in the browser, after user close the report? So the only way to open the report is from the website.

Or maybe someone has other better method to achieve the same goal? Like showing a user name and password in BIRT, before user can use the report parameter?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Unless the whole session is encrypted using https, letting the use enter a password in the browser and submit it to the server as suggested by James is a security risk.

The short answer is: Don't use the BIRT servlet directly.

You could use the commercial iHub which probably has an infrastructure for user access control.

If you are using open source BIRT, generate the BIRT Report on the server side as a file (or OutputStream), then return that file to the client under control of your application.

For more details, search the internet for "Integrating BIRT".

If your application isn't written in Java or you don't have enough control/knowledge to do it directly in the application, you could use a "one-time token" approach like this:

Within the application,

  • generate a random and unique token (it must not be predictable by knowing other tokens)
  • generate the BIRT report as a file (say, PDF), where the file Name contains the token.
  • return a "download link" to the user, which links to a simple servlet (see below), giving the token as part of the URL (e.g. ?token=xxxx)

The servlet:

  • checks if a token is given in the URL
  • checks to see if a PDF-file with the filename matching the token exists
  • if the file exists, return it to the client in the HTTP body and then delete it.

That way, the token is used a one-time key: You can download the BIRT report exactly once if you know the token. This is all done directly from the browser and the token is consumed and therefore useless afterwards


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...