I have an issue while implementing Section Access with SHA1 passwords hashes. Actually, my Section Access is based on a SQL query which retrieve user IDs, passwords and the profile corresponding (Oracle 10g). Passwords take the form of a SHA1 hash in the database... so do the passwords in the Section Access then !
My question is, is there any way to make the authentication to the QlikView application possible, entering the user ID and the non-SHA1 hash password (the human readable one) ? Can a process be made right after the authentication step (using macro for example) to generate a SHA1 hash of the password and making the link with Section Access ?
I first thought of a stored procedure which could be called in the SQL query to "decode" the hash, but apparently a SHA1 hash is not reversible...
I'd do something different since QlikView cannot convert plain text passwords (as the values used in section access) to any other hash or format. You probably need the opposite path, which is using some kind of login web page where you do can hash your plain text passwords into SHA1, compare them to the one in Oracle, and pass on to QlikView the original plain text ones only in the case that this web authorization successes.
Section access is built in so I'm afraid you cannot do anything just after being prompted. QlikView takes the input from the user and compares it with the values stored in the document, with any intermediate step in between.
Thanks for your answer. The idea is nice and it would be a quite simple solution to implement indeed (except that I would have to pass not the original plain text passwords but the SHA-1 hashes, as in my QlikView document, Section Access can only retrieve encrypted passwords from the database).
But how can this be done from the QlikView server access point ? Can I modify the standard behavior of QlikView Server so that an intermediate step appears (our own login web page + SHA-1 hash) when opening a QV app from the access point ? And then, if the credentials with SHA-1 hashed password match with the data in Oracle, pass it to the Section Access authentication step ?
Or do I have to build a new and specific access point portal ?
What I'd think of is creating some kind of Single Sign On, so you user is asked once for credentials (or if you are deploying IIS, even Windows logon credentials) and these credentials are passed on from page to page. Note that in the QlikView app you will need to have your passwords in plain text either in your database or in the script itself. Those passwords can be different fields associated to the actual ciphered ones.
You can think of doing the authentication (checking whether the user has or has not access to see the dashboards) against Oracle instead of the Active Directory. I'm just thinking out loud, and it may make no sense at all or result a very complex solution.
Perhaps the easiest way is to create a new field in your Oracle database with a less sensitive, plain text stored password, that is the one QlikView eventually uses when it loads the section access.