问题
I can prevent users opening BIRT report from website that I built. But considering the report's link still in browser's history, any user from this computer still able to open the report by calling the link from history, for instance.
How to prevent the link of BIRT's report stays in the browser, after user close the report? So the only way to open the report is from the website.
Or maybe someone has other better method to achieve the same goal? Like showing a user name and password in BIRT, before user can use the report parameter?
回答1:
The easiest way to use a password parameter.
select <feilds>
Where 'password' = ?
Use a text box parameter, and when the user runs the report they enter "password" in the text box or the SQL does not return results.
SQL is not case sensitive so, your password would not be case sensitive. Also this is a very low security measure. It is only appropriate to prevent casual access.
JavaScript is case sensitive, so you could write something (like a filter on the query) where your Pa$$worD is in a JavaScrip variable and compare to that for case sensitivity.
Open source BIRT is not intended to provide "Secure" access to data. If you must provide real security of the data, you need to do it before the client has access to BIRT.
回答2:
Unless the whole session is encrypted using https, letting the use enter a password in the browser and submit it to the server as suggested by James is a security risk.
The short answer is: Don't use the BIRT servlet directly.
You could use the commercial iHub which probably has an infrastructure for user access control.
If you are using open source BIRT, generate the BIRT Report on the server side as a file (or OutputStream), then return that file to the client under control of your application.
For more details, search the internet for "Integrating BIRT".
If your application isn't written in Java or you don't have enough control/knowledge to do it directly in the application, you could use a "one-time token" approach like this:
Within the application,
- generate a random and unique token (it must not be predictable by knowing other tokens)
- generate the BIRT report as a file (say, PDF), where the file Name contains the token.
- return a "download link" to the user, which links to a simple servlet (see below), giving the token as part of the URL (e.g. ?token=xxxx)
The servlet:
- checks if a token is given in the URL
- checks to see if a PDF-file with the filename matching the token exists
- if the file exists, return it to the client in the HTTP body and then delete it.
That way, the token is used a one-time key: You can download the BIRT report exactly once if you know the token. This is all done directly from the browser and the token is consumed and therefore useless afterwards
来源:https://stackoverflow.com/questions/21472724/protect-birts-report