Visualize.js Security Problem?

I want to know what other users in the Tibco Jaspersoft community think about this because Tibco Jaspersoft Support is telling me it's not their problem.

The problem is this: if I log in to JRS and open a new tab with a Visualize.js page that accesses a JRS report using a different user/password than the one I've logged in with, the logged-in user changes to the user that is used to access the Visualize.js page.

To reproduce:
1. Log in to JRS with a superuser account
2. Open a new tab in the web browser
3. Open a page with Visualize.js that accesses a JRS report using a different user account
4. Go back to the JRS superuser page. The user is changed to the one used by Visualize.js

That is, I'll be able to be logged in as a user used by Visualize.js just by viewing a Visualize.js page.

I think other services on the Internet are avoiding this issue by having the login site URL be different from the web API URL or by having different logins (a user used only for the web browser login site and a user used only when accessing via the web API).

As of now, it may be better to deny regular users direct access to JasperReports Server so they won't be able to log in, or create a role to be used by Visualize.js and modify JasperReports Server to deny login for that role.

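The behaviour reported in the post above, as an added example that is not part of the original post and is not Jaspersoft code: a simplified model of a browser cookie jar, showing why a second login on the same host replaces the first tab's session and why serving the API from a separate host keeps the two apart. The host names, the `/jrs` path and the `JSESSIONID` cookie name are assumptions, and cookie matching is reduced to an exact host and path match.

```javascript
// Simplified browser cookie jar: one jar per browser profile, shared by all
// tabs, with cookies keyed by (host, path, name). Tabs are not part of the key.
class CookieJar {
  constructor() { this.cookies = new Map(); }
  set(host, path, name, value) { this.cookies.set(`${host}|${path}|${name}`, value); }
  get(host, path, name) { return this.cookies.get(`${host}|${path}|${name}`); }
}

// Minimal server model: a login binds a new session id to a user and sets
// the session cookie (cookie name is an assumption, typical for Java servers).
class Server {
  constructor(host, path) {
    this.host = host;
    this.path = path;
    this.sessions = new Map();
    this.counter = 0;
  }
  login(jar, user) {
    const id = `${this.host}-session-${++this.counter}`;
    this.sessions.set(id, user);
    jar.set(this.host, this.path, "JSESSIONID", id);
  }
  whoami(jar) {
    const id = jar.get(this.host, this.path, "JSESSIONID");
    return this.sessions.get(id) ?? null;
  }
}

// Replays the four reproduction steps and returns the user the first tab
// is treated as afterwards. uiHost serves the web UI, apiHost serves the
// endpoint the Visualize.js page authenticates against (constructed names).
function userSeenByFirstTab(uiHost, apiHost) {
  const jar = new CookieJar();
  const servers = new Map();
  for (const host of [uiHost, apiHost]) {
    if (!servers.has(host)) servers.set(host, new Server(host, "/jrs"));
  }
  servers.get(uiHost).login(jar, "superuser");   // step 1: tab A logs in to the UI
  servers.get(apiHost).login(jar, "viz_user");   // steps 2-3: tab B loads the Visualize.js page
  return servers.get(uiHost).whoami(jar);        // step 4: tab A sends its next request
}

console.log(userSeenByFirstTab("jrs.example.test", "jrs.example.test"));     // shared host
console.log(userSeenByFirstTab("jrs.example.test", "jrs-api.example.test")); // separate API host
```
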
