
Data filtering based on .NET user session token

Hi, I have a .NET website in which we authenticate users using Forms authentication, which basically means there's no NTLM authentication. Forms authentication relies on a session cookie in the browser to identify the user throughout the session lifespan.

I've also managed to embed a QlikView document inside one of the aspx pages by using an inline frame (iFrame) html element (using AJAX ZFC), and setting the QV server and access point to allow anonymous access (in the background of course the NTLM user is the Anonymous account set up by the AccessPoint).

Now the problem: I want to be able to filter data based on the user who is currently logged on to the website. Since the logon is managed by .NET, I don't really have an NTLM user that I can use with the NT variable in the Session Access, nor do I want the users to fill in a User/Passw popup.

Is there a way to accomplish this selective filtering with the setup I described? I tried to pass parameters to the QV object in the URL but I don't know if there is a way to retrieve them.

By the way I'm also trying the workbench but the same problem happens when I load the document through the datasource, I don't have a way to pass the QV document a parameter that will allow me to filter data based on a Section Access.

Any pointers, ideas, documentation would be highly appreciated.

10 Replies
Not applicable
Author

Hi,

What you could consider is to configure the QVS in DMS mode. Add the users to, for example, the custom directory.

Before you open the Ajax QVW in the frame, first request a ticket from QVS for the particular user that you authenticated in the .NET app.

QlikView will return a ticket that you can append to the document URL (http://server/qvajaxzfc/opendoc.htm?document=xxx&ticket=xxx).

The userid that you passed in for the ticket will be available in the NTNAME field in the QVW file. This you can further use in section access to reduce the data for a particular user.

Example code to request a ticket in .NET using QvsNetRemote.DLL:


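using System.Security;   // SecurityElement.Escape
using System.Xml;        // XmlDocument
using QlikTech.NetClient;

//
// GetTicket: asks QVS for a ticket for the given user id.
//
private string GetTicket(string userId)
{
    QvClient client = new QvClient("localhost", QvClient.Mode.Admin);

    // Escape the user id so XML metacharacters cannot alter the request.
    string request = "<Global method=\"GetTicket\">";
    request += " <UserId>" + SecurityElement.Escape(userId) + "</UserId>";
    request += "</Global>";

    string response = client.Execute(request);

    XmlDocument result = new XmlDocument();
    result.LoadXml(response);

    // The ticket is the text content of the response document.
    return result.InnerText;
}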
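Added example (not from the thread or from Qlik): one way to tie the ticket request to the Forms-authenticated identity and build the iframe URL described above. `QlikViewTicketUrl`, `Build` and the `requestTicket` delegate are hypothetical names; the delegate stands in for a `GetTicket` helper such as the one above, and the stub ticket value in `Main` is constructed.

```csharp
using System;
using System.Security.Principal;

public static class QlikViewTicketUrl
{
    // requestTicket is an assumption: any function that returns a QVS ticket
    // for a user id, for example a GetTicket helper like the one in the post.
    public static string Build(IPrincipal user, string serverBase, string document,
                               Func<string, string> requestTicket)
    {
        // Take the user id from the server-side authenticated identity only,
        // never from a query-string or form value that the browser controls.
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            throw new UnauthorizedAccessException("No authenticated user.");

        string userId = user.Identity.Name;
        if (string.IsNullOrWhiteSpace(userId))
            throw new UnauthorizedAccessException("Authenticated identity has no name.");

        string ticket = requestTicket(userId);
        if (string.IsNullOrWhiteSpace(ticket))
            throw new InvalidOperationException("QlikView Server returned no ticket.");

        // Encode both values so spaces or reserved characters in the document
        // name or the ticket cannot add or change query parameters.
        return serverBase.TrimEnd('/') + "/qvajaxzfc/opendoc.htm"
             + "?document=" + Uri.EscapeDataString(document)
             + "&ticket=" + Uri.EscapeDataString(ticket);
    }

    public static void Main()
    {
        // Constructed sample identity; in an ASP.NET page this would be
        // HttpContext.Current.User after Forms authentication.
        IPrincipal user = new GenericPrincipal(new GenericIdentity("alice"), new string[0]);

        // Constructed stub in place of a real ticket request to QVS.
        string url = Build(user, "http://server", "QT Sales demo YTD.qvw",
                           id => "CONSTRUCTED-TICKET");
        Console.WriteLine(url);
    }
}
```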



Not applicable
Author

You can hand over selections in the AJAX-url in QVS9SR2. It's not really a safe solution, but maybe a starting point.


The example selects "germany" in Listbox "LB1462" and "2007" in Listbox "LB1446"

http://demo.qlik.com/QvAJAXZfc/opendoc.htm?document=QT%20Sales%20demo%20YTD.qvw&select=LB1462,German...


Rules:

· Separate selections with "&"
· Separate text to select with ","
· White space matters
· Case sensitive
· Selections in the url always clear any other selections in the list box


Additionally use the qva-Javascript object to Lock the listboxes to make it a little more secure:

// qva.Set("Document.LB1462.LOC", "action", "", true);

For a safe solution you really should go for Ticketing in DMS-Mode of QVS! Then you can utilize the NTNAME-column in your SectionAccess-Table within the .qvw! Retrieve a ticket from the QVS for the logged in username! With this ticket in the URL you can have a single sign-on into QlikView and can restrict data as defined in section access --> Ping me if you need an example for this.





Not applicable
Author

Additional point: for security reasons only a member of the "Qlikview Administrator" Group on your QVS (in DMS-Mode) is allowed to retrieve such a ticket.

So if your web portal is run by some other service user, you might not be able to retrieve the ticket directly from the QVS. I normally use a webservice to proxy the ticket request.

Not applicable
Author

A webservice could be a good alternative for that. You could also consider the "normal" impersonation features in .NET to make the request in the name of a user that is part of QlikView Administrators.

Not applicable
Author

Here is an example to request a ticket through qvsviewclient (HTTP based). The example uses impersonation. This means you can specify in the name of which user you want to do the request. Make sure this user is a member of QlikView Administrators on the QVS.

You can use this in situations where you work with a separate webserver that is out of domain or for example when you cannot change the identity of an IIS application pool.


using System;
using System.IO;
using System.Net;
using System.Security;
using System.Text;
using System.Xml;

private string GetTicket(string qlikviewserver, string username)
{
    // Escape the user id so XML metacharacters cannot alter the request.
    string postData = "<Global method=\"GetTicket\"><UserId>" + SecurityElement.Escape(username) + "</UserId></Global>";
    byte[] buffer = Encoding.ASCII.GetBytes(postData);

    WebRequest request = WebRequest.Create(qlikviewserver + "/qvajaxzfc/qvsviewclient.asp?admin=");
    request.ContentType = "text/xml";
    request.Method = "POST";
    request.ContentLength = buffer.Length; // length in bytes, not characters
    // Account the request is made as; it must be a member of QlikView Administrators.
    request.Credentials = new NetworkCredential("USERNAME", "PASSWORD");

    // Send the request body and release the stream.
    using (Stream st = request.GetRequestStream())
    {
        st.Write(buffer, 0, buffer.Length);
    }

    // Read the whole response and release the connection.
    string body;
    using (WebResponse res = request.GetResponse())
    using (StreamReader sr = new StreamReader(res.GetResponseStream()))
    {
        body = sr.ReadToEnd();
    }

    XmlDocument doc = new XmlDocument();
    try
    {
        doc.LoadXml(body);
    }
    catch (XmlException)
    {
        throw new Exception("Could not get ticket, invalid response");
    }

    // An empty document text means the server issued no ticket.
    if (doc.InnerText.Length == 0)
    {
        throw new Exception("Could not get ticket");
    }
    return doc.InnerText;
}


chriscammers
Partner - Specialist

Regarding the Hyperlink with selections.

When I try the link on my server I am getting an error saying that I don't have access to the document. When I open through Access point then I don't see the message.

I assume that I have to grant access to the opendoc.htm but I'm not sure who to grant the rights to and what privileges are needed.

I am using the Qlikview web server and not IIS, if that makes a difference.

Not applicable
Author

Hi All,

I'm trying to make an example with workbench. I successfully tested the access to QV documents from objects in a workbench asp page.

Now I would like to access a document with section access: I wrote a page for requesting a ticket, and passed the ticket through GET to the workbench asp page that includes objects of the protected QV document.

I put the ticket into the browser query string:

http://localIPofServer/folder1/Default.aspx?ticket=XXX

When I try to open the asp page, I receive the following error message: "Failed to open document, You don't have access to this document." (once for each object of the document).

It appears to be a credential error, but if I use the same username and password to open the same document in QV server, all works fine.

Any ideas to help me?

Thanks,

Davide.

Not applicable
Author

Hi all,

I have news: I set the security to anonymous access (IQVS_*) for the folder that contains the document data source.

Now I can view a single object of the protected document with workbench. But if I put several objects of the same document on the page, the first object is still readable but the others are not. No errors are displayed.

Is there a way to put several objects of a protected document on a single workbench page?

Thanks,

Davide.

Not applicable
Author

Hello Davide,

Please check that the identity the aspx page is running under is a member of the QlikView Administrators group. Otherwise you will receive an "invalid" ticket.

Regards,

Erik