Skip to main content

Qlik

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Woohoo! Qlik Community has won “Best in Class Community” in the 2024 Khoros Kudos awards!
Announcements
Nov. 20th, Qlik Insider - Lakehouses: Driving the Future of Data & AI - PICK A SESSION
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
julruiz123
Partner - Creator
Partner - Creator
‎2015-08-31 03:25 PM

Hide server information access

Hello!!

In a current customer did us a test of the security of the platform.

They found us two vulnerabilities:

- When the user access to the "access point" it's possible see critical information, like the name of the server, that can be used to possible attacks. How hide the server information access ??

img.png

- Once the user authenticates, the browser save the session, so if other user get acces to the computer he can access to the "acces point". They want that each time that the user open the browser the system ask the user name and password. Is there a way to erase the session variable ?.

Thanks for the help!!

Have a good day!!

1,469 Views
0 Likes
8 Replies
Peter_Cammaert
Partner - Champion III
Partner - Champion III
‎2015-09-01 06:04 AM

Hmm, I'm not sure if I can answer these questions to satisfaction but I'll try my best to shed some light on the issues at hand.

  • Server name: to connect to a server, you have to know its name. You can remove these details from the access point, but any user only has to enable the address bar in his/her browser to see the server name. I'm not sure how you want to avoid that...

  • Log in: actually, authentication is done outside of QlikView, usually by AD. If a user with an enterprise PC logs in into his/her machine, the login for QlikView has already happened though QlikView has not yet been called upon.

I guess you could intercept this kind of blanket authentication by assigning/programming a custom login page to the QlikView AccessPoint and force it to timeout after a certain period of inactivity.

Peter

1,168 Views
qlikviewwizard
Master II
Master II
‎2015-09-01 10:17 PM

Hi Bill,

How it will work. Could you please elaborate? Thank you.

1,168 Views
0 Likes
Bill_Britt
Former Employee
Former Employee
‎2015-09-02 04:18 PM

In response to qlikviewwizard

HI QlikView Wizard,

I deleted my post. When I am working on the Community at times I have several windows open at the same time. I put that here by mistake.

Bill

Bill - Principal Technical Support Engineer at Qlik
To help users find verified answers, please don't forget to use the "Accept as Solution" button on any posts that helped you resolve your problem or question.
1,168 Views
0 Likes
qlikviewwizard
Master II
Master II
‎2015-09-02 11:50 PM

In response to Bill_Britt

Okay (y)

1,168 Views
0 Likes
julruiz123
Partner - Creator
Partner - Creator
‎2015-09-04 03:32 PM
Author

In response to Peter_Cammaert

Hi Peter!!!

I enabled the alternative login page, but when i open the explorer the first time it tries to authenticate.

loginFailed.png

Once the user is authenticated and sign out the session, it shows the custom login page. Is there a way that when the user opens the browser is not automatically authenticate ?.

What I want is that the user to authenticate twice in the computer and the access point.


Another question. I tried to authenticate with a user that exists in the domain , but doesn't have an assigned license. I need to restrict access to the access point , if the user doesn't have a license assigned.


Thanks in advanced!!!

1,168 Views
0 Likes
Peter_Cammaert
Partner - Champion III
Partner - Champion III
‎2015-09-07 04:54 AM

In response to julruiz123
  • Funny, that doesn't happen on my machine. I'm using IE11 and Google Chrome and both show the login page immediately. Whether I enable Integrated Windows Authentication or not. Can you clear the browser cache and try again? Windows also caches authentication information somewhere else but I'm not sure whether this has any impact on web sites.
  • Not with standard QlikView Server techniques. Remember that QVS also has a feature called Dynamic CAL assignment. That feature would be useless if people without a CAL aren't allowed to visit the AccessPoint, as licenses are only dynamically assigned when they click on a thumbnail and open a QlikView document.
    You can however customize the code for your own QlikView login page, so that it uses the QMS API to check whether this person actually has a license before letting him/her enter the AP.

Best,

Peter

1,168 Views
0 Likes
qlikviewwizard
Master II
Master II
‎2015-09-11 10:45 PM

Hi julruiz123

Just curious. Did you able to resolve this? Please share the solution. Thanks in advance.

1,168 Views
0 Likes
julruiz123
Partner - Creator
Partner - Creator
‎2015-09-14 04:57 PM
Author

Hi!!!

Respect with the two situations:

"Once the user is authenticated and sign out the session, it shows the custom login page. Is there a way that when the user opens the browser is not automatically authenticate ?."


R/ If i include the complete address "qlikview/FormLogin.htm" it works fine. But with this address "/qlikview/index.htm" it tries to authenticate.



"I tried to authenticate with a user that exists in the domain , but doesn't have an assigned license. I need to restrict access to the access point , if the user doesn't have a license assigned.


R/ I haven't resolved yet. Do you have any example how customize the login page ?


1,168 Views
0 Likes