julruiz123
Partner - Creator

Hide server information access

Hello!!

One of our current customers did a security test of the platform.

They found two vulnerabilities:

- When the user accesses the "access point", it's possible to see critical information, like the name of the server, that can be used for possible attacks. How can we hide the server information access?

img.png

- Once the user authenticates, the browser saves the session, so if another user gets access to the computer he can access the "access point". They want the system to ask for the user name and password each time the user opens the browser. Is there a way to erase the session variable?

Thanks for the help!!

Have a good day!!

8 Replies
Peter_Cammaert
Partner - Champion III

Hmm, I'm not sure if I can answer these questions to satisfaction but I'll try my best to shed some light on the issues at hand.

  • Server name: to connect to a server, you have to know its name. You can remove these details from the access point, but any user only has to enable the address bar in his/her browser to see the server name. I'm not sure how you want to avoid that...

  • Log in: actually, authentication is done outside of QlikView, usually by AD. If a user with an enterprise PC logs in to his/her machine, the login for QlikView has already happened, though QlikView has not yet been called upon.

I guess you could intercept this kind of blanket authentication by assigning/programming a custom login page to the QlikView AccessPoint and force it to timeout after a certain period of inactivity.

Peter

qlikviewwizard
Master II

Hi Bill,

How will it work? Could you please elaborate? Thank you.

Bill_Britt
Former Employee

Hi QlikView Wizard,

I deleted my post. When I am working on the Community at times I have several windows open at the same time. I put that here by mistake.

Bill

Bill - Principal Technical Support Engineer at Qlik
qlikviewwizard
Master II

Okay (y)

julruiz123
Partner - Creator
Author

Hi Peter!!!

I enabled the alternative login page, but when I open the explorer the first time it tries to authenticate.

loginFailed.png

Once the user is authenticated and signs out of the session, it shows the custom login page. Is there a way that the user is not automatically authenticated when opening the browser?

What I want is for the user to authenticate twice: on the computer and on the access point.

Another question. I tried to authenticate with a user that exists in the domain, but doesn't have an assigned license. I need to restrict access to the access point if the user doesn't have a license assigned.

Thanks in advance!!!

Peter_Cammaert
Partner - Champion III

  • Funny, that doesn't happen on my machine. I'm using IE11 and Google Chrome and both show the login page immediately. Whether I enable Integrated Windows Authentication or not. Can you clear the browser cache and try again? Windows also caches authentication information somewhere else but I'm not sure whether this has any impact on web sites.
  • Not with standard QlikView Server techniques. Remember that QVS also has a feature called Dynamic CAL assignment. That feature would be useless if people without a CAL aren't allowed to visit the AccessPoint, as licenses are only dynamically assigned when they click on a thumbnail and open a QlikView document.
    You can however customize the code for your own QlikView login page, so that it uses the QMS API to check whether this person actually has a license before letting him/her enter the AP.

Best,

Peter

qlikviewwizard
Master II

Hi julruiz123

Just curious. Were you able to resolve this? Please share the solution. Thanks in advance.

julruiz123
Partner - Creator
Author

Hi!!!

Regarding the two situations:

"Once the user is authenticated and signs out of the session, it shows the custom login page. Is there a way that the user is not automatically authenticated when opening the browser?"

R/ If I include the complete address "qlikview/FormLogin.htm" it works fine. But with this address "/qlikview/index.htm" it tries to authenticate.

"I tried to authenticate with a user that exists in the domain, but doesn't have an assigned license. I need to restrict access to the access point if the user doesn't have a license assigned."

R/ I haven't resolved it yet. Do you have any example of how to customize the login page?