Former Member

Session problem

Hi,

I'm trying to implement some BO features in a Java program. We are using BO XI R2 SP2, with JDK 1.4.2.

Currently, I create a session the first time the user queries for a report using openDocument.jsp. I then pass a token String as a parameter to bypass the logon screen.

My problem is that I want to keep the number of open sessions as low as possible. So when the same user requests another document, I want him to use the same session. But I could not find in the SDK a method on the IEnterpriseSession object that allows me to test the session validity.

Could someone help me on this topic? Maybe I'm doing things the wrong way:

-> Get a session manager

-> Get a session (IEnterpriseSession)

-> Get a default token and pass it on params for openDocument.jsp

-> Try to reuse the opened session if another document is requested.

Thanks in advance.

David.

4 Answers

  • Best Answer
    Former Member
    Posted on Jul 29, 2008 at 03:00 PM

    One way to do this is to store the EnterpriseSession object in an HttpSession. This will allow you to check and see if it is a valid session; if it is, reuse it; if not, recreate it.

    As well, there is a way to do this by storing the logon token in a cookie and then attempting to reuse it if it is still valid.

    I have attached a sample that shows how to do this.


    • Former Member

      As requested, this is the example I was referring to.

      <%
      /*===================================================================
      AUTHOR - Rob H., Cristian V.
      CREATED - Feb 9, 2004
      PURPOSE - To demonstrate how to log on to the Crystal Enterprise System
      using a logon token.
      ==================================================================*/
      %>
      <%@ page import = "com.crystaldecisions.sdk.framework.*,
                         com.crystaldecisions.sdk.exception.*,
                         com.crystaldecisions.sdk.occa.infostore.*,
                         com.crystaldecisions.sdk.occa.security.*"
      %>
      <%
      SDKException failure = null;
      IEnterpriseSession es = null;
      IInfoStore iStore = null;
      String user = request.getParameter("username");
      String password = request.getParameter("password");
      String CMSName = request.getParameter("cmsname");
      String cmsAuthType = request.getParameter("authType");
      String token = "";

      // Check whether an EnterpriseSession is already bound to this HTTP session
      if (session.getAttribute("CE_Session") == null)
      {
          Cookie[] cookies = request.getCookies();
          String tokenName = "LogonToken";
          // cycle through the cookies sent for this domain to find a LogonToken
          if (cookies != null)
          {
              for (int i = 0; i < cookies.length; i++)
              {
                  if (tokenName.equals(cookies[i].getName()))
                  {
                      token = cookies[i].getValue();
                      //token = java.net.URLEncoder.encode(token);
                  }
              }
          }
          // check whether the token variable got populated (compare by value, not with !=)
          if (!token.equals(""))
          {
              // there is a logon token on the client machine, so try to log on with it
              try
              {
                  es = CrystalEnterprise.getSessionMgr().logonWithToken(token);
                  // out.println("Logged on with Cookie <br>");
              }
              catch (SDKException e)
              {
                  failure = e;
              }
          }
          // if there was no token, or the token logon failed, fall back to credentials
          if (token.equals("") || failure != null)
          {
              failure = null; // reset the SDKException object
              try
              {
                  es = CrystalEnterprise.getSessionMgr().logon(user, password, CMSName, cmsAuthType);
                  // out.println("Logged on with logon info <br>");
                  // create the logon token to pass via URL: valid 1440 minutes, up to 100 logons
                  ILogonTokenMgr tokenMgr = es.getLogonTokenMgr();
                  token = tokenMgr.createLogonToken("", 1440, 100);
                  // create a cookie to hold the token; the token is a credential, so on
                  // HTTPS deployments also call newCook.setSecure(true)
                  Cookie newCook = new Cookie("LogonToken", token);
                  newCook.setMaxAge(3600);
                  response.addCookie(newCook);
              }
              catch (SDKException e)
              {
                  failure = e;
              }
          }
          // if either of the above worked, bind the EnterpriseSession to the HTTP session
          if (failure == null)
          {
              session.setAttribute("CE_Session", es);
          }
          else
          {
              out.println(failure.getMessage());
          }
      }
      else
      {
          // reuse the same EnterpriseSession
          es = (IEnterpriseSession) session.getAttribute("CE_Session");
          //out.println("Logged on with Session <br>");
          try
          {
              // create the logon token to pass via URL
              ILogonTokenMgr tokenMgr = es.getLogonTokenMgr();
              token = tokenMgr.createLogonToken("", 1440, 100);
              // create a cookie to hold the token
              Cookie newCook = new Cookie("LogonToken", token);
              newCook.setMaxAge(3600);
              response.addCookie(newCook);
          }
          catch (SDKException e)
          {
              // the stored session no longer works: drop it so the next request logs on again
              session.removeAttribute("CE_Session");
              es = null;
              out.println(e.getMessage());
          }
      }
      // only ask for the InfoStore when a session was actually obtained
      if (es != null)
      {
          iStore = (IInfoStore) es.getService("", "InfoStore");
      }
      %>

  • Former Member
    Posted on Aug 14, 2008 at 09:33 PM

    Merry,

    Thank you for your posting, it was enlightening. Based on your post we have developed the following code and saved it as "call-bo-doc.asp":

    <%@ LANGUAGE="VBScript" %>
    <%
    dim UserID, Password, CMS, Authorization
    dim SessionManager, entSession
    dim ClientMachineName, ValidMinutes, NumofLogons
    dim LogonTokenMgr, LogonToken
    dim ReportID

    'Assign logon variables
    UserID = "BO_USER"
    Password = "PWD123"
    CMS = "THE_CMS"
    Authorization = "secEnterprise"

    if len(Request.QueryString("ReportID")) > 0 then
        ReportID = Request.QueryString("ReportID")
    else
        ReportID = 0
    end if

    'Load Crystal Enterprise Session Manager and logon to the Enterprise CMS
    set SessionManager = Server.CreateObject("CrystalEnterprise.SessionMgr")
    set entSession = SessionManager.Logon(UserID, Password, CMS, Authorization)

    'Retrieve LogonTokenManager and create LogonToken
    ClientMachineName = ""
    ValidMinutes = 30
    NumofLogons = 100

    set LogonTokenMgr = entSession.LogonTokenMgr
    'CreateLogonTokenEx(client machine, minutes the token stays valid, number of logons it allows)
    LogonToken = LogonTokenMgr.CreateLogonTokenEx(ClientMachineName, ValidMinutes, NumofLogons)

    'client-side redirect: the token travels in the URL to the browser
    Response.Redirect "http://<myserver>/businessobjects/enterprise115/InfoView/scripts/openDocument.aspx?token=" & LogonToken & "&iDocID=" & ReportID
    %>

    We call this code by putting a hyperlink on a page formatted thus:

    http://<myserver>/call-bo-doc.asp?ReportID=22022

    This works well and permits a user to view a report (in this case DocID number 22022). My question is how we would go about allowing a user to run it once and only once and invalidate the session so that no further "trickery" is occurring. For instance, after the report runs, the long, drawn-out URL appears in the URL window of the browser, and our crafty Joe User reaches up there and, following the address of the http://<myserver>/businessobjects/enterprise115/InfoView/ portion only, deleting the remaining stuff, hits enter; voila, they are now in a session that I don't want them to experience. However, the SessionMgr has done such a great job getting the person in, I now want him or her out after just one "hit". How can I best manage this aspect? I tried researching the ValidMinutes feature but came up empty; what do you say?

    Thanks,

    John


  • Former Member
    Posted on Aug 15, 2008 at 04:00 PM

    Dear All,

    I've been able to perform a little bit more research on the auto logon feature and found article #1201982 (How to create a logon token using the .NET SDK) on the SAP search site.

    The example given in this article for the sessionMgr is as follows:

    ceToken = ceSession.LogonTokenMgr.CreateLogonTokenEx("", 30, 100)

    From other sources I've been able to determine that the three arguments are workstation_ID (most always set to ""), TimeToLive, and MaxConnections (set to 30 and 100 respectively in the example).

    My bottom line objective is to allow a user to hit the report and not permit the session to live (i.e. if the user were to manipulate the URL from "http://<myserver>/businessobjects/enterprise115/InfoView/scripts/documentXML.aspx?token=<myserver>@153062Je3svSnarwXGPwpq153060JalQXoP85I14R6R8&cmdP1=untitled220220***&cmd=askView&cmdBlock=all&cmdP2=" to "http://<myserver>/businessobjects/enterprise115/InfoView", thus permitting him to masquerade as an "authentic" user when all I wanted was for him to run a report and be out of there (i.e. end of session)).

    If I were to set the TimeToLive and MaxConnections to perhaps 2 and 1, would I be effective, or could such a low setting introduce other ill effects that I'm not aware of?

    Thanks,

    John


    • Hello John,

      I wouldn't recommend restricting the number and lifetime of the token validity solely to ensure security - the fundamental security model with Enterprise is that the logon token is used by a User that has the rights to view a report.

      For example, the concern you raised above, that the user may manipulate the URL to look at a different report, is still attainable even if you set the token generation arguments to "", 2, 1. The sample code is doing a client-side redirect, i.e., the URL is being sent to the client web browser. A savvy user can always trap that client-side redirect request before the redirect happens, manipulate the URL, and get any report that the logon token allows.

      You shouldn't generate a token under one User credential, and send it to another User. That will always break security.

      Another issue: when you view reports, the default behavior is to set a client-side HTTP cookie with a failover token. A failover token will remain valid until the Enterprise Session is logged off.

      Sincerely,

      Ted Ueda

  • Former Member
    Posted on Aug 15, 2008 at 04:42 PM

    Ted,

    Thank you for your response and explaining how it is that the cookie is what enables the session to stay alive until the user logs off (or kills the browser session, whichever comes first). We will take your comments in hand as we move forward with our deployment.

    Thanks,

    John


    • Former Member, replying to Ted Ueda

      There is another security hole we discovered using the Session and Token solution. If a user opens Infoview they aren't prompted for the login since the session from the Web application is still active. How do we force quit the session and remove the token once the report is displayed without having to close the browser?
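Combining the best answer (keep the IEnterpriseSession in the HttpSession and test it before reusing it) with the last comment's question (how to end the session and its token once the report has been displayed, without waiting for the browser to close) gives the session-scoped holder below. This is an added example, not code from the thread, from SAP or from the SDK samples. It targets JDK 1.4 and Servlet 2.3 as in the question; besides the SDK calls that appear in the thread it assumes IInfoStore.query(), IEnterpriseSession.logoff() and ILogonTokenMgr.releaseToken() with the signatures used here, and the attribute name, the probe query and the 2-minute/1-logon token limits are my choices.

```java
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

import com.crystaldecisions.sdk.exception.SDKException;
import com.crystaldecisions.sdk.framework.CrystalEnterprise;
import com.crystaldecisions.sdk.framework.IEnterpriseSession;
import com.crystaldecisions.sdk.occa.infostore.IInfoStore;
import com.crystaldecisions.sdk.occa.security.ILogonTokenMgr;

/**
 * One IEnterpriseSession per HTTP session, torn down together with it.
 * Written for JDK 1.4 / Servlet 2.3, so no generics or annotations.
 * Example code, not part of the SDK; the attribute name is arbitrary.
 */
public class BoSessionHolder implements HttpSessionBindingListener {

    /** HttpSession attribute under which the holder lives (assumed name). */
    public static final String ATTR = "CE_Session";

    private IEnterpriseSession es;
    private String issuedToken;   // last openDocument token handed out, if any

    private BoSessionHolder(IEnterpriseSession es) {
        this.es = es;
    }

    /**
     * Returns the IEnterpriseSession bound to this HTTP session, reusing it
     * while it still answers and logging on again otherwise. The SDK exposes
     * no isValid(), so a trivial InfoStore query serves as the liveness probe.
     */
    public static IEnterpriseSession getOrCreate(HttpSession http, String user,
            String password, String cms, String authType) throws SDKException {
        BoSessionHolder holder = (BoSessionHolder) http.getAttribute(ATTR);
        if (holder != null) {
            if (holder.isAlive()) {
                return holder.es;
            }
            http.removeAttribute(ATTR);   // fires valueUnbound(): best-effort logoff
        }
        IEnterpriseSession fresh =
            CrystalEnterprise.getSessionMgr().logon(user, password, cms, authType);
        http.setAttribute(ATTR, new BoSessionHolder(fresh));
        return fresh;
    }

    /** True while the CMS still accepts a round trip on this session. */
    public boolean isAlive() {
        try {
            IInfoStore store = (IInfoStore) es.getService("", "InfoStore");
            store.query("SELECT TOP 1 SI_ID FROM CI_SYSTEMOBJECTS"); // assumed probe query
            return true;
        } catch (SDKException e) {
            return false;   // expired, logged off, or CMS unreachable
        }
    }

    /**
     * Mints a token for exactly one openDocument call: two minutes, one logon.
     * This bounds the token only. The CMS session behind it, and the failover
     * cookie the viewer sets, live until logoff(), so this is not a substitute
     * for giving the user an account that can see only the intended reports.
     */
    public static String singleUseToken(HttpSession http) throws SDKException {
        BoSessionHolder holder = (BoSessionHolder) http.getAttribute(ATTR);
        if (holder == null) {
            throw new IllegalStateException("no BO session bound; call getOrCreate first");
        }
        ILogonTokenMgr tokenMgr = holder.es.getLogonTokenMgr();
        holder.issuedToken = tokenMgr.createLogonToken("", 2, 1);
        return holder.issuedToken;
    }

    /** "Log me out" action: drops the HTTP session, which unbinds the holder. */
    public static void logoff(HttpSession http) {
        http.invalidate();
    }

    /** Container callback on removeAttribute(), invalidate() or session timeout. */
    public void valueUnbound(HttpSessionBindingEvent event) {
        if (es == null) {
            return;
        }
        try {
            if (issuedToken != null) {
                es.getLogonTokenMgr().releaseToken(issuedToken); // assumed SDK call
            }
        } catch (Exception e) {
            // token already expired or used up; nothing left to release
        }
        try {
            es.logoff();   // ends the CMS session; the failover token dies with it
        } catch (Exception e) {
            // session already gone on the CMS side
        } finally {
            es = null;
            issuedToken = null;
        }
    }

    public void valueBound(HttpSessionBindingEvent event) {
        // nothing to do; the CMS session exists before it is bound here
    }
}
```

Call getOrCreate() when a request arrives, singleUseToken() when building the openDocument URL, and logoff() from a logout link; an HttpSession timeout performs the same cleanup through valueUnbound(). The token limits still only bound the token, as Ted Ueda notes above: a user who captures the redirect URL before it is consumed can use it, and once logged on they are whatever account the token was minted for, so that account must itself be restricted to the reports it is meant to see.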
