Visualize.js Security Problem?

[hozawa]

I want to know what other users in Tibco Jaspersoft community think about this because Tibco Jaspersoft Support is telling me it's not their problem.

The problem is this, If I login to JRS and open a new tab with a Visualize.js page that is accessing JRS report using a different user/password then what I've logged in, the logged in user changes to the user that is used to access the Visualize.js page.

To reproduce:
1. Login to JRS with superuser account
2. Open a new tab on web browser
3. Open a page with Visualize.js that access JRS report using a different user account
4. Go back to the JRS superuser page. The user is changed to those used by Visualize.js

That is, I'll be able to be logged in as an user used by Visualize.js just by viewing a Visualize.js page.

I think other services on the Internet is avoiding this issue by having login site url be different from the web api url or having different login (user used only for web browser login site and user only to be used when accessing via web api).

As of now, it may be better to deny regular users direct access to JasperReports Server so they won't be able to login or create a role to be used by Visualize.js and modify JasperReports Server to deny login for that role.

[srang]

I have seen this same thing happen

[vivek.suyampu]

Same issue..