XML/A Security

XML/A Security

The default configuration uses HTTP Basic authentication to challenge requests for the /xmla path. If the client doesn’t have a valid JasperReports Server user name and password in its XML/A connection source, the connection will fail, unless the user name and password are left blank; in this case, the credentials of the logged in user are passed by the client application to the remote server.

Put another way, when creating an XML/A connection, you can either specify a user name and password for all users to share, or you can leave user name and password blank, so that the connection passes the current user’s name and password to the server.

With HTTP Basic authentication, clear-text passwords are transmitted in the header of an HTTP request unless you have configured JasperReports Server to use encrypted passwords. For more information, refer to the TIBCO JasperReports Server Security Guide.

Regardless of the authentication method you use, clear-text passwords are also transmitted in the body of the XML/A request. Because of the security risk inherent in this approach, Jaspersoft recommends that you always specify a user name and password when defining an XML/A connection in order to prevent your users’ passwords from being transmitted. Do not use the superuser account. For more information, see section Working with XML/A Connections.