[#3948] - JasperReports Server user changes after viewing Visualize.js page

Category: Bug report
Priority: Normal
Status: New
Project:
Severity: Major
Resolution: Open
Component:
Reproducibility: Always
Assigned to:
0

I want to know what other users in the Tibco Jaspersoft community think about this, because Tibco Jaspersoft Support is telling me it's not their problem.

The problem is this: if I log in to JRS and open a new tab with a Visualize.js page that accesses a JRS report using a different user/password than the one I've logged in with, the logged-in user changes to the user that is used to access the Visualize.js page. To reproduce:

1. Log in to JRS with the superuser account.
2. Open a new tab in the web browser.
3. Open a page with Visualize.js that accesses a JRS report using a different user account.
4. Go back to the JRS superuser page. The user has changed to the one used by Visualize.js.

That is, I'll be able to be logged in as the user used by Visualize.js just by viewing a Visualize.js page.

I think other services on the Internet are avoiding this issue by having the login site URL be different from the web API URL, or by having different logins (a user used only for the web browser login site and a user only to be used when accessing via the web API).

As of now, it may be better to deny regular users direct access to JasperReports Server so they won't be able to log in, or to create a role to be used by Visualize.js and modify JasperReports Server to deny login for that role.

v5.6
hozawa

1 Comment:

#1 (Assigned: nobody)

I think that the best suggestion, for a workaround, is to create specific internal user(s) that have access restricted to what is needed to access reports through Visualize.js. If a user winds up in JRS as that user, they just need to logout and then log back in to get to their real login credentials. A bit of a pain, but not a security problem. The biggest security problem is setting up all of the Visualize instances using 'superuser' as the authentication username. Then, if you get logged in as superuser, you could do some real damage.
