
Session problem

Former Member

Hi,

I'm trying to implement some BO features in a Java program. We are using BO XI R2 SP2, with JDK 1.4.2.

Currently, I create a session the first time the user queries for a report using openDocument.jsp. I then pass a token string as a parameter to bypass the logon screen.

My problem is that I want to keep the number of open sessions as low as possible. So when the same user requests another document, I want him to use the same session. But I could not find in the SDK a method on the IEnterpriseSession object that allows me to test the session's validity.

Could someone help me on this topic? Maybe I'm doing things the wrong way:

-> Get a session manager

-> Get a session (IEnterpriseSession)

-> Get a default token and pass it on params for openDocument.jsp

-> Try to reuse the opened session if another document is requested.

Thanks in advance.

David.

Accepted Solutions (1)


Former Member

One way to do this is to store the IEnterpriseSession object in the HttpSession. This will allow you to check whether it is still a valid session; if it is, reuse it, if not, recreate it.

There is also a way to do this by storing the logon token in a cookie and then attempting to reuse it if it is still valid.

I have attached a sample that shows how to do this.

Former Member

Thank you for the fast response.

PS: your .zip is empty

Former Member

Sometimes the attachments take a bit to replicate externally..... I checked it and was able to successfully download the file myself through a guest account.

Former Member

Merry,

PS: your .zip is still empty

I'm not sure if the problem is on your end or mine (I'm using IE 7). I've noticed that zip files posted last week by another moderator also didn't work the first go around (I think it was Tim), so he wound up pasting the script into another note, thus forgoing the zip process....

Thanks,

John

Former Member

As requested....... this is the example I was referring to.

<%
/*===================================================================
AUTHOR  - Rob H., Cristian V.
CREATED - Feb 9, 2004
PURPOSE - To demonstrate how to log on to the Crystal Enterprise System
          using a logon token.
==================================================================*/
%>
<%@ page import = "com.crystaldecisions.sdk.framework.*,
                   com.crystaldecisions.sdk.exception.*,
                   com.crystaldecisions.sdk.occa.infostore.*,
                   com.crystaldecisions.sdk.occa.security.*"
%>
<%
SDKException failure = null;
IEnterpriseSession es = null;
IInfoStore iStore = null;

String user        = request.getParameter("username");
String password    = request.getParameter("password");
String CMSName     = request.getParameter("cmsname");
String cmsAuthType = request.getParameter("authType");
String token = "";

//Check if the Enterprise session is already stored in the HTTP session
if (session.getAttribute("CE_Session") == null)
{
    Cookie[] cookies = request.getCookies();
    String tokenName = "LogonToken";

    //cycle through the cookies sent for this domain to see if there is a LogonToken
    if (cookies != null)
    {
        for (int i = 0; i < cookies.length; i++)
        {
            if (tokenName.equals(cookies[i].getName()))
            {
                token = cookies[i].getValue();
                //token = java.net.URLEncoder.encode(token);
            }
        }
    }

    //check if the token variable was populated (String contents must be compared with equals(), not !=)
    if (!token.equals(""))
    {
        //if there is a logon token on the client machine then try to log on with it
        try
        {
            es = CrystalEnterprise.getSessionMgr().logonWithToken(token);
            // out.println("Logged on with Cookie <br>");
        }
        catch (SDKException e)
        {
            failure = e;
        }
    }

    //if there was no token or if the logon with the token failed, log on with the credentials
    if (token.equals("") || failure != null)
    {
        failure = null; //reset the SDKException object
        try
        {
            es = CrystalEnterprise.getSessionMgr().logon(user, password, CMSName, cmsAuthType);
            // out.println("Logged on with logon info <br>");

            //create the logon token to pass via URL: valid for 1440 minutes and up to 100 logons
            ILogonTokenMgr tokenMgr = es.getLogonTokenMgr();
            token = tokenMgr.createLogonToken("", 1440, 100);

            //Create a cookie to hold the token for one hour
            //(no Secure flag is set, so the token is also sent over plain HTTP)
            Cookie newCook = new Cookie("LogonToken", token);
            newCook.setMaxAge(3600);
            response.addCookie(newCook);
        }
        catch (SDKException e)
        {
            failure = e;
        }
    }

    //if either of the above procedures worked then store the EnterpriseSession in the HTTP session
    if (failure == null)
    {
        session.setAttribute("CE_Session", es);
    }
    else
    {
        out.println(failure.getMessage());
    }
}
else
{
    //use the same Enterprise session object
    es = (IEnterpriseSession) session.getAttribute("CE_Session");
    //out.println("Logged on with Session <br>");

    //create the logon token to pass via URL
    ILogonTokenMgr tokenMgr = es.getLogonTokenMgr();
    token = tokenMgr.createLogonToken("", 1440, 100);

    //Create a cookie to hold the token
    Cookie newCook = new Cookie("LogonToken", token);
    newCook.setMaxAge(3600);
    response.addCookie(newCook);
}

//only fetch the InfoStore if one of the logons succeeded (es is null otherwise)
if (es != null)
{
    iStore = (IInfoStore) es.getService("", "InfoStore");
}
%>
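The JSP above reuses whatever IEnterpriseSession it finds in the HttpSession without checking that the CMS still accepts it, which is the validity test David asked for. The following is an added example, not code from the thread or from the SDK documentation: since IEnterpriseSession has no isValid() method, a one-row InfoStore query is used as the probe, and if it throws SDKException the stored session is discarded and a fresh logon is made. The class name, the probe query and the 5-minute/1-logon token lifetime are assumptions; the "CE_Session" attribute name is the one the JSP uses.

```java
// Added example, not code from the thread: reuse a stored IEnterpriseSession only
// while the CMS still accepts it. Class name, probe query and token lifetime are assumptions.
import javax.servlet.http.HttpSession;

import com.crystaldecisions.sdk.exception.SDKException;
import com.crystaldecisions.sdk.framework.CrystalEnterprise;
import com.crystaldecisions.sdk.framework.IEnterpriseSession;
import com.crystaldecisions.sdk.occa.infostore.IInfoStore;

public final class BoSessionHelper {

    /** Same attribute name the JSP sample stores the session under. */
    public static final String ATTR = "CE_Session";

    private BoSessionHelper() {
    }

    /**
     * IEnterpriseSession has no isValid(); the reliable test is a round trip to the CMS.
     * A one-row InfoStore query is cheap and fails with SDKException once the session
     * has timed out on the server or been logged off elsewhere.
     */
    public static boolean isAlive(IEnterpriseSession es) {
        if (es == null) {
            return false;
        }
        try {
            IInfoStore store = (IInfoStore) es.getService("InfoStore");
            store.query("SELECT TOP 1 SI_ID FROM CI_INFOOBJECTS");
            return true;
        } catch (SDKException e) {
            return false;
        }
    }

    /**
     * Returns the Enterprise session stored in the HTTP session if it is still alive,
     * otherwise logs on again with the given credentials and stores the new session.
     * One CMS session per browser session is what keeps the open-session count down.
     */
    public static IEnterpriseSession getOrLogon(HttpSession http, String user, String password,
                                                String cms, String authType) throws SDKException {
        IEnterpriseSession es = (IEnterpriseSession) http.getAttribute(ATTR);
        if (isAlive(es)) {
            return es;
        }
        http.removeAttribute(ATTR);                 // drop the dead reference, if there was one
        es = CrystalEnterprise.getSessionMgr().logon(user, password, cms, authType);
        http.setAttribute(ATTR, es);
        return es;
    }

    /**
     * Token for a single openDocument URL: five minutes of validity and one logon,
     * instead of the 1440-minute / 100-logon token the JSP sample creates. This limits
     * reuse of the URL, but the token still carries every right of the user who owns
     * the session (the point Ted makes later in the thread).
     */
    public static String oneShotToken(IEnterpriseSession es) throws SDKException {
        return es.getLogonTokenMgr().createLogonToken("", 5, 1);
    }
}
```

In the JSP, the `if (session.getAttribute("CE_Session") == null)` branch would become a single `es = BoSessionHelper.getOrLogon(session, user, password, CMSName, cmsAuthType);`, and the token appended to the openDocument URL would come from `oneShotToken(es)`.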

Answers (3)


Former Member

Ted,

Thank you for your response and for explaining how the cookie is what enables the session to stay alive until the user logs off (or kills the browser session, whichever comes first). We will take your comments in hand as we move forward with our deployment.

Thanks,

John

ted_ueda
Employee

The failover token comes into play only if you don't explicitly "Logoff" the session.

You can log off the session in InfoView, but there's no way to Logoff a URL reporting view of the report.

Sincerely,

Ted Ueda

Former Member

There is another security hole we discovered using the Session and Token solution. If a user opens Infoview they aren't prompted for the login since the session from the Web application is still active. How do we force quit the session and remove the token once the report is displayed without having to close the browser?

Former Member

Dear All,

I've been able to perform a little bit more research on the auto-logon feature and found article #1201982 (How to create a logon token using the .NET SDK) on the SAP search site.

The example given in this article for the sessionMgr is as follows:

ceToken = ceSession.LogonTokenMgr.CreateLogonTokenEx("", 30, 100)

From other sources I've been able to determine that the three arguments are workstation_ID (almost always set to ""), TimeToLive, and MaxConnections (set to 30 and 100 respectively in the example).

My bottom-line objective is to allow a user to hit the report and not permit the session to live on (i.e. if the user were to manipulate the URL from "http://<myserver>/businessobjects/enterprise115/InfoView/scripts/documentXML.aspx?token=<myserver>@153062Je3svSnarwXGPwpq153060JalQXoP85I14R6R8&cmdP1=untitled220220***&cmd=askView&cmdBlock=all&cmdP2=" to "http://<myserver>/businessobjects/enterprise115/InfoView", thus permitting him to masquerade as an "authentic" user when all I wanted was for him to run a report and be out of there, i.e. end of session).

If I was to set the TimeToLive and MaxConnections to perhaps 2 and 1 would I be effective, or could such a low setting introduce other ill effects that I'm not aware of?

Thanks,

John

ted_ueda
Employee

Hello John,

I wouldn't recommend restricting the number and lifetime of the token validity solely to ensure security - the fundamental security model with Enterprise is that the logon token is used by a User that has the rights to view a report.

For example, the concern you raised above - that the user may manipulate the URL to look at a different report - is still attainable even if you set the token generation arguments to "", 2, 1. The sample code is doing a client-side redirect, i.e., the URL is being sent to the client web browser. A savvy user can always trap that client-side redirect request before the redirect happens, manipulate the URL, and get any report that the logon token allows.

You shouldn't generate a token under one User credential, and send it to another User. That will always break security.

Another issue - when you view reports, default behavior is to set a client-side HTTP Cookie with failover token. A failover token will remain valid till the Enterprise Session is logged off.

Sincerely,

Ted Ueda
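Ted's point above is that a failover token lives exactly as long as the Enterprise session it was minted from, so the only way to kill it from the web application is to log that session off. The following is an added example, not code from the thread: a Servlet HttpSessionListener that calls logoff() when the HTTP session ends (timeout or explicit invalidate), plus an explicit end-of-report path that also expires the LogonToken cookie the JSP sample sets. The class and method names are hypothetical; it assumes the same "CE_Session" attribute and "LogonToken" cookie names as the JSP sample earlier in the thread, and the Servlet 2.3 or later API.

```java
// Added example, not code from the thread: tear down the Enterprise session when the
// web application is done with it, so the failover token dies with it.
// Hypothetical class name; attribute and cookie names match the JSP sample in the thread.
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

import com.crystaldecisions.sdk.exception.SDKException;
import com.crystaldecisions.sdk.framework.IEnterpriseSession;

public class BoSessionCleanupListener implements HttpSessionListener {

    public static final String ATTR         = "CE_Session";
    public static final String TOKEN_COOKIE = "LogonToken";

    public void sessionCreated(HttpSessionEvent ev) {
        // nothing to do: the JSP creates the Enterprise session lazily on first use
    }

    /** Called by the container when the HTTP session times out or is invalidated. */
    public void sessionDestroyed(HttpSessionEvent ev) {
        logoff(ev.getSession());
    }

    /** Logs off the stored Enterprise session (if any); safe to call more than once. */
    public static void logoff(HttpSession http) {
        IEnterpriseSession es;
        try {
            es = (IEnterpriseSession) http.getAttribute(ATTR);
            http.removeAttribute(ATTR);             // drop the reference before the round trip
        } catch (IllegalStateException alreadyInvalid) {
            return;                                 // Servlet 2.3 fires sessionDestroyed after invalidation
        }
        if (es == null) {
            return;
        }
        try {
            es.logoff();                            // ends the CMS session; every token derived from it stops working
        } catch (SDKException e) {
            // session already gone (CMS timeout or logged off elsewhere); nothing left to release
        }
    }

    /**
     * Explicit "done" path, e.g. called by a servlet once the report page has been served:
     * log off the CMS session, tell the browser to delete the LogonToken cookie, and end
     * the HTTP session so nothing is left to reuse.
     */
    public static void endSession(HttpSession http, HttpServletResponse resp) {
        logoff(http);
        Cookie expired = new Cookie(TOKEN_COOKIE, "");
        expired.setMaxAge(0);                       // Max-Age 0 makes the browser discard the cookie
        // the path must match the one the cookie was set with; the JSP used the default
        // (its own directory), so set it explicitly in both places in a real deployment
        resp.addCookie(expired);
        http.invalidate();                          // triggers sessionDestroyed; logoff() tolerates the repeat
    }
}
```

The listener is registered in web.xml with a `<listener>` element whose `<listener-class>` is the fully qualified class name. Note that a client-side redirect to InfoView on another host is not affected by this: once the token has been used to open an InfoView session there, that session must be logged off in InfoView, as Ted says.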

Former Member

Merry,

Thank you for your posting, it was enlightening. Based on your post we have developed the following code and saved it as "call-bo-doc.asp":

<%@ LANGUAGE="VBScript" %>
<%
dim UserID, Password, CMS, Authorization
dim SessionManager, entSession
dim ClientMachineName, ValidMinutes, NumofLogons
dim LogonTokenMgr, LogonToken
dim ReportID

'Assign logon variables
UserID = "BO_USER"
Password = "PWD123"
CMS = "THE_CMS"
Authorization = "secEnterprise"

if len(Request.QueryString("ReportID")) > 0 then
	ReportID = Request.QueryString("ReportID")
else
	ReportID = 0
end if

'Load Crystal Enterprise Session Manager and log on to the Enterprise CMS
set SessionManager = Server.CreateObject("CrystalEnterprise.SessionMgr")
set entSession = SessionManager.Logon(UserID, Password, CMS, Authorization)

'Retrieve LogonTokenManager and create LogonToken
'(workstation ID, minutes the token stays valid, maximum number of logons with it)
ClientMachineName = ""
ValidMinutes = 30
NumofLogons = 100

set LogonTokenMgr = entSession.LogonTokenMgr
LogonToken = LogonTokenMgr.CreateLogonTokenEx(ClientMachineName, ValidMinutes, NumofLogons)

'Send the browser to openDocument with the token and the document ID in the URL
Response.Redirect "http://<myserver>/businessobjects/enterprise115/InfoView/scripts/openDocument.aspx?token=" & LogonToken & "&iDocID=" & ReportID
%>

We call this code by putting a hyperlink on a page formatted as thus:

http://<myserver>/call-bo-doc.asp?ReportID=22022

This works well and permits a user to view a report (in this case DocID number 22022). My question is how we would go about allowing a user to run it once and only once and then invalidate the session so that no further "trickery" can occur. For instance, after the report runs, the long, drawn-out URL appears in the URL window of the browser and our crafty Joe user reaches up there, keeps only the http://<myserver>/businessobjects/enterprise115/InfoView/ portion of the address, deletes the remaining stuff, hits enter, and voila, they are now in a session that I don't want them to experience. However, the SessionMgr has done such a great job getting the person in, I now want him or her out after just one "hit". How can I best manage this aspect? I tried researching the ValidMinutes feature but came up empty; what do you say?

Thanks,

John