Re: Windows Security Warning on extension object? - Qlik Community

Report Inappropriate Content · ‎2014-07-16

I have an extension object that is calling a web service. The first time I bring up QlikView and open the QVW I get the following popup thrown at me.

Once I accept it though I never get it again no matter how many times I refresh the QVW, or even close the QVW and re-open it. It is only when I close and re-open QlikView that the warning pops up again.

Here is the code I am using the call the web service, along with the .js file that contains the SOAP code. Any ideas what I am going wrong, or rather how to get rid of the warning dialog?

Example call:

var url = "http://localhost:88/WSWebSvc/";

var pSetUser = new SOAPClientParameters();

pSetUser.add("bstrUser", "Admin");

pSetUser.add("bstrPwd", "");

var userToken = SOAPClient.invoke(url + "WSReptSvc.dll", "SetUser", pSetUser, false, null);

Report Inappropriate Content · ‎2014-07-21

Anybody? Trying to solve this and can't seem to find any help on it.

Report Inappropriate Content · ‎2014-07-23

UPDATE: I found a partial solution to this, or at least the cause. It is a cross domain scripting issue. Even though I am calling a //localhost site it is still considered another domain since I am calling it from a directory and not another //localhost site.To get rid of the warning message I had to enable the "Access data sources across domains" setting in IE security settings.

Of course, as you can see on my machine that setting is locked down by our IT department, as I am assuming it will be on a number of our clients machines. So this isn't a real solution.

Now in a typical javascript situation you would be running the javascript in a web page on a web server and this solution would be one of two things:

1. If you really were calling a web service on the same domain then the message would go away by itself because you were no longer calling from the windows file system into the server you would be going from server to server.

2. If you really did need to call a web service on another domain then you would create a proxy, using php or some other technology, on the same domain, to do the cross domain call, taking cross domain out of your javascript equation and thus getting rid of the warning message.

Of course neither of these apply in the case of QlikView since we are always going from the windows file system to some web server.

Are there any solution you all can think of to this?

ergustafsson · ‎2014-07-24

Hi James,

Could it have something to do with HTTPS to the end user from the QlikView Server, but the extensions connects externally via HTTP, meaning it is not secure anymore?

Regards,

Erik

Report Inappropriate Content · ‎2014-07-24

I'm not sure. I've not been able to find many examples of web services in extension object. The ones that I have found are mostly jQuery but they all have the following line to get around such things:

jQuery.support.cors = true;

I am thinking about trying the usual php work around but I am not sure that would work either, and it would just be adding one more technology to our product.

ergustafsson · ‎2014-07-25

Hi James,

Indeed jQuery is very much used in the extensions, along with ASP. I am a PHP fan myself but it would probably make a hassle to involve more types of languges and feature support. I would download a few other extensions and see how they got it to work, there are plenty of them around here on the community.

Good luck. Regards,

Erik

Report Inappropriate Content · ‎2014-07-25

I have played around with some but they all seem to follow this basic structure and I always get error code 0 from trying this (which typically mean access denied or cross domain issue).

                    jQuery.support.cors = true;
                $.ajax({
                    type: "GET",
                    url: "http://localhost:88/WSWebSvc/WSChrtSvc.dll?Handler=GenWSChrtSvcWSDL",
                    data: {},
                    contentType: "text/xml; charset=utf-8",
                    dataType: "text/xml",
                    success: function (msg) {

hideLoadingPanel();
alert(msg.d.StatusMessage);

//Todo: Handle return msg

},
error: function (xhr, ajaxOptions, thrownError) {

                        switch (xhr.status.toString()) {
                            case "404":
                                alert('Error 404 posting the data to the webservice!\n\nCould not find webservice at Url ' + _this.WebserviceUrl);
                                break;

                            default:
                                alert('Error posting the data to the webservice:\n\n' + 'Error Status: ' + xhr.status + '\nError Status: ' + xhr.statusText);
                                break;
                        }
                        hideLoadingPanel();

}
});

ergustafsson · ‎2014-07-28

Hi James,

Are you not being able to use the computername or something else than localhost? Sometimes it is even needed to add "localhost" in "Trusted Sites" zone in IE.

Regards,

Erik

Report Inappropriate Content · ‎2014-07-28

It comes up whether I use localhost or my computername. Both are added to my intranet sites in IE.

I have both added to my trusted sites as well but of course with trusted sites they have to start with https and I am accessing it (for now) using http. I haven't tried it using https though, as I figured it would just be more security loops holes to jump through and I still need to get that up on my machine.

ergustafsson · ‎2014-07-29

Indeed, that might cause even more pop-ups.

Perhaps use a tool like Fiddler to see where and why this issue pops up.

Regards,

Erik