Is this practice recommended in production?

The case is as follows:

The company has a web portal in which Jasper reports are currently generated. For certain reasons it has been decided to use JasperReports Server (8.0.0 community edition) to generate reports. So as not to make an abrupt change between the web portal and JasperReports Server, it has been decided to have the two work jointly: the parameters or input controls of the report will be entered in the web portal, then this information is sent to Jasper Server to subsequently generate the PDF or Excel file. The way in which we send the information is through a URL like the following:


What we do is build the URL dynamically. We successfully bring up the report in question with the correct information. We are still looking for a way to hide the username and password.

The problem lies in making the user's session close immediately after the report is executed, because the user remains in the session after executing the report. We have not found a solution for this, so we have thought of 2 alternatives. The first is to shorten the time of inactivity of a user on the server, so that, for example, if 2 minutes pass after executing the report, the user will be removed from the server. The second is to maintain one user per area for an indefinite time; that is, each area in the company will have a username and password, so that the users belonging to each area will use the credentials of their respective area when generating the reports.

How good are these solutions?

erikmarbad

1 Answer:

I have two ideas.
However, I am not sure if they can meet your requirements.
I would be happy to give you some ideas.


1. Log in with REST_API in advance.
   --> The login Service
   After this, you should be able to output PDF using only this URL.



2. Use Token-based Authentication.
   In this method, passwords are not required in the request because pre-authentication is assumed.
   The user can be passed in the request header and will not appear in the URL.
   The simplest parameter is 'pp=u=user', where 'user' specifies the JRS login user.


Logout can also be done via the REST_API. However, the method of firing may be problematic.
   --> Logout


After that, there seems to be a way to not have user IDs in the first place.


yama818
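An added sketch of the first suggestion in the answer above, not code from the thread or from JasperReports Server: the portal's back end logs in through the REST API, fetches the report, and logs out in a `finally` block, so the credentials never appear in a URL the browser sees and no session lingers. The base URL, report path, allowed formats and function names are assumptions; `rest_v2/login`, `rest_v2/reports` and `logout.html` are the JasperReports Server REST endpoints.

```python
import http.cookiejar
import urllib.parse
import urllib.request

ALLOWED_FORMATS = {"pdf", "xlsx"}  # formats the portal offers (assumption)


def new_session_opener():
    """Opener with its own cookie jar, so the JRS session cookie stays server-side."""
    jar = http.cookiejar.CookieJar()
    return urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))


def fetch_report(base_url, report_uri, fmt, params, username, password,
                 opener=None, timeout=60):
    """Log in, run one report, and always log out. Returns the report bytes."""
    if fmt not in ALLOWED_FORMATS:
        raise ValueError("unsupported format")
    if not report_uri.startswith("/") or ".." in report_uri:
        raise ValueError("bad report URI")
    opener = opener or new_session_opener()

    # Credentials travel in the POST body, never in a URL.
    body = urllib.parse.urlencode(
        {"j_username": username, "j_password": password}).encode()
    login = urllib.request.Request(base_url + "/rest_v2/login",
                                   data=body, method="POST")
    opener.open(login, timeout=timeout).read()
    try:
        # Input-control values are URL-encoded, so user input cannot add parameters.
        url = "%s/rest_v2/reports%s.%s?%s" % (
            base_url, urllib.parse.quote(report_uri), fmt,
            urllib.parse.urlencode(params, doseq=True))
        return opener.open(urllib.request.Request(url), timeout=timeout).read()
    finally:
        # End the server-side session even if the report call failed.
        opener.open(urllib.request.Request(base_url + "/logout.html"),
                    timeout=timeout).read()
```

The portal then streams the returned bytes to the user with its own authentication, and the JasperReports Server account can be a low-privilege service user stored in the portal's server-side configuration.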