Encrypting Passwords in URLs

One advantage of having the JasperReports Server is being able to share reports with other users. You can easily share the URL to access a report, even with people who do not have a username. For embedding the web app, it’s often necessary to include a link to a page without logging in, for example:

http://example.com:8080/jasperserver/flow.html?_flowId=homeFlow&j_userna...

However, you must take special precautions to avoid revealing a password in plain text. The server provides a mechanism to encrypt any password that appears in a URL:

1. Configure login encryption as described in the JasperReports Server Administrator Guide. Specify static key encryption by setting encryption.dynamic.key to false and configure the keystore as described.
2. Once the server is restarted, log into the server to generate the static key.
3. Open the following URL: http://example.com:8080/jasperserver/encrypt.html.
4. Enter the password that you want to encrypt, for example joeuser, then click Encrypt. The script on this page will use the public key to encrypt the password.
5. Paste the encrypted password into the URL instead of the plain text password (log out of the server to test this):

http://example.com:8080/jasperserver/flow.html?_flowId=homeFlow&j_userna...

6. Use the URL with the encrypted password to share a report.

For complex web applications that are generating report URLs on the fly, you can also encrypt the password programmatically. Your JavaScript should perform the same operations as the encrypt.js script that is used by the encrypt.html page at the URL indicated above. Using the encryptData() function in encrypt.js, your JavaScript can generate the encrypted password and use it to create the URL.

Static key encryption is very insecure and is recommended only for intranet server installation where the network traffic is more protected. Anyone who sees the username and encrypted password can use them to log into JasperReports Server. Therefore, Jaspersoft recommends creating user IDs with very specific permissions to control access from URLs.

The only advantage of encrypting passwords in URLs is that passwords cannot be deciphered and used to attack other systems where users might have the same password.

Version: 
Feedback
randomness