Can JRS authenticate HTTP API requests using the JSESSIONID cookie?


mikewoinoski

Is it possible to configure JRS to use the JSESSIONID cookie to authenticate HTTP API requests (e.g., embed a dashboard), in the same way JRS authenticates REST requests? I know we can include j_username and j_password parameters or use Basic Auth with HTTP API requests. However, both techniques require that we include the user’s password in every request to embed a resource. So we would need to keep the user’s password in memory or look it up for every request.

Here’s an example scenario of what I’d like to do:

  1. User logs into our app
  2. Our app sends a REST login request to JRS
  3. JRS sends a response with Set-Cookie: JSESSIONID=…
  4. Our app sends an HTTP API request to embed a dashboard to JRS. The request includes the JSESSIONID cookie from the login response
  5. JRS authenticates the HTTP request using the session id

I tried this, and tcpmon shows that the JSESSIONID cookie is included with all requests, but requests to embed resources are redirected to the JRS login page. Does JRS support this scenario, or do I need to write a new security filter that explicitly checks for the JSESSIONID?


I did more experimenting, and JRS actually uses JSESSIONID after a login from the console. For example, I embedded a dashboard in an iFrame in our app's home page. On the initial display of the page, JRS shows the login page. After logging in, the dashboard comes up, and later requests to embed other resources work without another login. My browser shows the JSESSIONID cookie in its collection of cookies.

So it looks like the same mechanism (JSESSIONID cookie) is used to authenticate both REST requests and HTTP API calls. But a REST login doesn't work when authenticating HTTP API calls. Maybe the HttpSession contents are different for a REST login and a console login. So maybe the initial login needs to use the same mechanism as a console login instead of a REST login. I'll keep hacking.


  • 7 months later...
  • 9 months later...

Any progress on this one?

The Jasper Embedding Guide section 4.3.3 Logging Into JasperReports Server (below) seems to indicate this is possible but I can find no further docs on it or samples:

"Before displaying any page, JasperReports Server requires its users to log on with a username and password. There are several ways to enter the password before displaying a dashboard:

- In Kelly’s solution, the hybrid architecture using web services can be used to log in before displaying the dashboard. Because she is using web services to display lists of dashboards, she must send the user name and password as one of the first web service calls. Even in a solution that does not otherwise use web services, the API for logging in is simple and one of the most secure ways to authenticate users."