Protect BIRT's report

Question

I can prevent users opening BIRT report from website that I built. But considering the report\'s link still in browser\'s history, any user from this computer still able to

Answer 1

The easiest way to use a password parameter.

select <feilds>


Where 'password' = ?

Use a text box parameter, and when the user runs the report they enter "password" in the text box or the SQL does not return results.

SQL is not case sensitive so, your password would not be case sensitive. Also this is a very low security measure. It is only appropriate to prevent casual access.

JavaScript is case sensitive, so you could write something (like a filter on the query) where your Pa$$worD is in a JavaScrip variable and compare to that for case sensitivity.

Open source BIRT is not intended to provide "Secure" access to data. If you must provide real security of the data, you need to do it before the client has access to BIRT.

Answer 2

Unless the whole session is encrypted using https, letting the use enter a password in the browser and submit it to the server as suggested by James is a security risk.

The short answer is: Don't use the BIRT servlet directly.

You could use the commercial iHub which probably has an infrastructure for user access control.

If you are using open source BIRT, generate the BIRT Report on the server side as a file (or OutputStream), then return that file to the client under control of your application.

For more details, search the internet for "Integrating BIRT".

If your application isn't written in Java or you don't have enough control/knowledge to do it directly in the application, you could use a "one-time token" approach like this:

Within the application,

• generate a random and unique token (it must not be predictable by knowing other tokens)
• generate the BIRT report as a file (say, PDF), where the file Name contains the token.
• return a "download link" to the user, which links to a simple servlet (see below), giving the token as part of the URL (e.g. ?token=xxxx)

The servlet:

• checks if a token is given in the URL
• checks to see if a PDF-file with the filename matching the token exists
• if the file exists, return it to the client in the HTTP body and then delete it.

That way, the token is used a one-time key: You can download the BIRT report exactly once if you know the token. This is all done directly from the browser and the token is consumed and therefore useless afterwards