Qlik Community

QlikView Security & Governance

Discussion Board for collaboration on QlikView Security and Governance.


julruiz123

Hide server information access

Hello!!

At a current customer, they ran a security test of the platform.

They found two vulnerabilities:

- When the user accesses the "access point", it's possible to see critical information, like the name of the server, that can be used for possible attacks. How can we hide the server information?

img.png

- Once the user authenticates, the browser saves the session, so if another user gets access to the computer he can access the "access point". They want the system to ask for the user name and password each time the user opens the browser. Is there a way to erase the session variable?

Thanks for the help!!

Have a good day!!

8 Replies
Peter_Cammaert

Re: Hide server information access

Hmm, I'm not sure if I can answer these questions to satisfaction but I'll try my best to shed some light on the issues at hand.

  • Server name: to connect to a server, you have to know its name. You can remove these details from the access point, but any user only has to enable the address bar in his/her browser to see the server name. I'm not sure how you want to avoid that...

  • Log in: actually, authentication is done outside of QlikView, usually by AD. If a user with an enterprise PC logs in to his/her machine, the login for QlikView has already happened, though QlikView has not yet been called upon.

I guess you could intercept this kind of blanket authentication by assigning/programming a custom login page to the QlikView AccessPoint and force it to timeout after a certain period of inactivity.

Peter

Arjunarao

Re: Hide server information access

Hi Bill,

How will it work? Could you please elaborate? Thank you.

Support

Re: Hide server information access

Hi QlikView Wizard,

I deleted my post. When I am working on the Community at times I have several windows open at the same time. I put that here by mistake.

Bill

Bill - Designated Support Engineer at Qlik
If a post helps to resolve your issue, please mark the appropriate replies as CORRECT.
Arjunarao

Re: Hide server information access

Okay (y)

julruiz123

Re: Hide server information access

Hi Peter!!!

I enabled the alternative login page, but when I open the explorer the first time it tries to authenticate.

loginFailed.png

Once the user is authenticated and signs out of the session, it shows the custom login page. Is there a way that when the user opens the browser, he is not automatically authenticated?

What I want is for the user to authenticate twice: on the computer and on the access point.

Another question: I tried to authenticate with a user that exists in the domain, but doesn't have an assigned license. I need to restrict access to the access point if the user doesn't have a license assigned.

Thanks in advance!!!

Peter_Cammaert

Re: Hide server information access

  • Funny, that doesn't happen on my machine. I'm using IE11 and Google Chrome and both show the login page immediately, whether I enable Integrated Windows Authentication or not. Can you clear the browser cache and try again? Windows also caches authentication information somewhere else, but I'm not sure whether this has any impact on web sites.
  • Not with standard QlikView Server techniques. Remember that QVS also has a feature called Dynamic CAL assignment. That feature would be useless if people without a CAL aren't allowed to visit the AccessPoint, as licenses are only dynamically assigned when they click on a thumbnail and open a QlikView document.
    You can however customize the code for your own QlikView login page, so that it uses the QMS API to check whether this person actually has a license before letting him/her enter the AP.

Best,

Peter

Arjunarao

Re: Hide server information access

Hi julruiz123

Just curious. Were you able to resolve this? Please share the solution. Thanks in advance.

julruiz123

Re: Hide server information access

Hi!!!

Regarding the two situations:

"Once the user is authenticated and signs out of the session, it shows the custom login page. Is there a way that when the user opens the browser, he is not automatically authenticated?"

R/ If I include the complete address "qlikview/FormLogin.htm" it works fine. But with the address "/qlikview/index.htm" it tries to authenticate.

"I tried to authenticate with a user that exists in the domain, but doesn't have an assigned license. I need to restrict access to the access point if the user doesn't have a license assigned."

R/ I haven't resolved it yet. Do you have any example of how to customize the login page?