Protect BIRT's report

Question

I can prevent users opening BIRT report from website that I built. But considering the report\'s link still in browser\'s history, any user from this computer still able to

Answer 1

Unless the whole session is encrypted using https, letting the use enter a password in the browser and submit it to the server as suggested by James is a security risk.

The short answer is: Don't use the BIRT servlet directly.

You could use the commercial iHub which probably has an infrastructure for user access control.

If you are using open source BIRT, generate the BIRT Report on the server side as a file (or OutputStream), then return that file to the client under control of your application.

For more details, search the internet for "Integrating BIRT".

If your application isn't written in Java or you don't have enough control/knowledge to do it directly in the application, you could use a "one-time token" approach like this:

Within the application,

• generate a random and unique token (it must not be predictable by knowing other tokens)
• generate the BIRT report as a file (say, PDF), where the file Name contains the token.
• return a "download link" to the user, which links to a simple servlet (see below), giving the token as part of the URL (e.g. ?token=xxxx)

The servlet:

• checks if a token is given in the URL
• checks to see if a PDF-file with the filename matching the token exists
• if the file exists, return it to the client in the HTTP body and then delete it.

That way, the token is used a one-time key: You can download the BIRT report exactly once if you know the token. This is all done directly from the browser and the token is consumed and therefore useless afterwards