Want to log into web reports without requiring logon screen?

(imported topic written by BenKus)

I was recently asked how you might log into web reports without requiring the user to go through a logon page. The idea is that if you aren’t concerned about the security of the data in web reports, you can send someone a link with the username/password embedded so they don’t need to go through the logon screen.

Here is how you would do that:

If your username/password is ben/bigfixrulez, you could use a url like this:

http://webreportsurl/webreports?Username=ben&Password=bigfixrulez&page=StoredReport – This will give you the specific page, but won’t allow you to go to other pages (they would require login)

http://webreportsurl/webreports?page=LoggingIn&fwdpage=&Username=ben&Password=bigfixrulez – This will log the user into web reports and show them the overview page (and they will be able to access any web reports page from there).

http://webreportsurl/webreports?Username=ben&Password=bigfixrulez&page=LoggingIn&fwdpage=StoredReport – This will log them in and forward them to a specific page (and they will be able to access any web reports page from there).

When you visit web reports urls, you can see other parameters in the url and you can build off of the examples I gave you to auto-login or to simply direct to a webpage…

It should hopefully be clear that this completely compromises the security of web reports because anyone who sees the url can easily figure out how to login to web reports… but some people seem not to mind this fact so these are your options…

Ben

1 Like
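
Added example, not part of the original thread: URLs like the ones in the post above can end up in web server and proxy access logs and in Referer headers, so one defensive check is to scan those logs for requests carrying a `Password` parameter and report them with the value redacted. The combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Parameter name taken from the URLs in the post; matched case-insensitively.
SECRET_PARAMS = {"password"}

# Client, request target and optional Referer of a combined-format log line (assumed format).
LOG_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+(?: "(?P<referer>[^"]*)")?'
)

def redact(url):
    """Return url with password values masked, or None if it carries none."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not any(k.lower() in SECRET_PARAMS for k, _ in pairs):
        return None
    clean = [(k, "REDACTED" if k.lower() in SECRET_PARAMS else v) for k, v in pairs]
    return parts._replace(query=urlencode(clean)).geturl()

def find_credential_urls(lines):
    """Report every request target or Referer that embeds a password."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        for field in ("target", "referer"):
            value = m.group(field)
            redacted = redact(value) if value else None
            if redacted:
                findings.append({"line": lineno, "client": m.group("client"),
                                 "field": field, "url": redacted})
    return findings

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /webreports?Username=ben&Password=bigfixrulez&page=StoredReport HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /webreports?page=StoredReport HTTP/1.1" 200 5120 "http://webreportsurl/webreports?page=LoggingIn&fwdpage=&Username=ben&Password=bigfixrulez" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /webreports?page=Overview HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in find_credential_urls(SAMPLE_LOG):
        print(f"line {f['line']} from {f['client']} ({f['field']}): {f['url']}")
```

Any account that shows up in the output should have its password changed, since the log file itself now holds the credential.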

(imported comment written by Leland_Jobe)

You may also place a file in the root directory of the BES Web Reports Server directory to do an automatic redirect and perform the logon automatically, here are the steps…

  1. Place an html file in the web reports root directory (default is C:\Program Files\BigFix Enterprise\BES Server\BESReportsServer\wwwroot ) with a name that you would like for the auto-login page (e.g. “autologin.html”). The html file will contain the following HTML, replace and with the Username / Password combination for the shared user account.
  2. Then simply point your browser to the URL, http://bigfixserver/autologin.html
  • If you want to have a default page to auto login the user without having to know the name of the file (i.e. autologin.html), then you can host the redirect page on an Apache, IIS or other web server.

Leland

(imported comment written by Ashwin.D91)

Hi,

Sorry to pick this up again, but is there any way to do the forwarding using the autologin.html without the password being displayed on the URL?

Thanks,

Ashwin