13 Replies Latest reply: Jul 31, 2014 3:12 AM by Erik Gustafsson RSS

    Windows Security Warning on extension object?

      I have an extension object that is calling a web service. The first time I bring up QlikView and open the QVW I get the following popup thrown at me.

       

      Capture.JPG.jpg

      Once I accept it though I never get it again no matter how many times I refresh the QVW, or even close the QVW and re-open it. It is only when I close and re-open QlikView that the warning pops up again.

       

      Here is the code I am using the call the web service, along with the .js file that contains the SOAP code. Any ideas what I am going wrong, or rather how to get rid of the warning dialog?

       

      Example call:

       

      var url = "http://localhost:88/WSWebSvc/";

      var pSetUser = new SOAPClientParameters();

      pSetUser.add("bstrUser", "Admin");

      pSetUser.add("bstrPwd", "");    

      var userToken = SOAPClient.invoke(url + "WSReptSvc.dll", "SetUser", pSetUser, false, null);

       

        • Re: Windows Security Warning on extension object?

          Anybody? Trying to solve this and can't seem to find any help on it.

          • Re: Windows Security Warning on extension object?

            UPDATE: I found a partial solution to this, or at least the cause. It is a cross domain scripting issue. Even though I am calling a //localhost site it is still considered another domain since I am calling it from a directory and not another //localhost site.To get rid of the warning message I had to enable the "Access data sources across domains" setting in IE security settings.

             

            Capture.JPG.jpg

            Of course, as you can see on my machine that setting is locked down by our IT department, as I am assuming it will be on a number of our clients machines. So this isn't a real solution.

             

            Now in a typical javascript situation you would be running the javascript in a web page on a web server and this solution would be one of two things:

             

            1. If you really were calling a web service on the same domain then the message would go away by itself because you were no longer calling from the windows file system into the server you would be going from server to server.

             

            2. If you really did need to call a web service on another domain then you would create a proxy, using php or some other technology, on the same domain, to do the cross domain call, taking cross domain out of your javascript equation and thus getting rid of the warning message.

             

            Of course neither of these apply in the case of QlikView since we are always going from the windows file system to some web server.

             

            Are there any solution you all can think of to this?

            • Re: Windows Security Warning on extension object?
              Erik Gustafsson

              Hi James,

               

              Could it have something to do with HTTPS to the end user from the QlikView Server, but the extensions connects externally via HTTP, meaning it is not secure anymore?

               

              Regards,

              Erik

                • Re: Windows Security Warning on extension object?

                  I'm not sure. I've not been able to find many examples of web services in extension object. The ones that I have found are mostly jQuery but they all have the following line to get around such things:

                   

                  jQuery.support.cors = true;

                   

                  I am thinking about trying the usual php work around but I am not sure that would work either, and it would just be adding one more technology to our product.

                    • Re: Windows Security Warning on extension object?
                      Erik Gustafsson

                      Hi James,

                       

                      Indeed jQuery is very much used in the extensions, along with ASP. I am a PHP fan myself but it would probably make a hassle to involve more types of languges and feature support. I would download a few other extensions and see how they got it to work, there are plenty of them around here on the community.

                       

                      Good luck. Regards,

                      Erik

                        • Re: Windows Security Warning on extension object?

                          I have played around with some but they all seem to follow this basic structure and I always get error code 0 from trying this (which typically mean access denied or cross domain issue).

                                              jQuery.support.cors = true;
                                          $.ajax({
                                              type: "GET",
                                              url: "http://localhost:88/WSWebSvc/WSChrtSvc.dll?Handler=GenWSChrtSvcWSDL",
                                              data: {},
                                              contentType: "text/xml; charset=utf-8",
                                              dataType: "text/xml",
                                              success: function (msg) {

                                                  hideLoadingPanel();
                                                  alert(msg.d.StatusMessage);

                                                  //Todo: Handle return msg

                                              },
                                              error: function (xhr, ajaxOptions, thrownError) {

                                                  switch (xhr.status.toString()) {
                                                      case "404":
                                                          alert('Error 404 posting the data to the webservice!\n\nCould not find webservice at Url ' + _this.WebserviceUrl);
                                                          break;

                                                      default:
                                                          alert('Error posting the data to the webservice:\n\n' + 'Error Status: ' + xhr.status + '\nError Status: ' + xhr.statusText);
                                                          break;
                                                  }
                                                  hideLoadingPanel();

                                                }
                                          });

                            • Re: Windows Security Warning on extension object?
                              Erik Gustafsson

                              Hi James,

                               

                              Are you not being able to use the computername or something else than localhost? Sometimes it is even needed to add "localhost" in "Trusted Sites" zone in IE.

                               

                              Regards,

                              Erik

                                • Re: Windows Security Warning on extension object?

                                  It comes up whether I use localhost or my computername. Both are added to my intranet sites in IE.

                                   

                                  I have both added to my trusted sites as well but of course with trusted sites they have to start with https and I am accessing it (for now) using http. I haven't tried it using https though, as I figured it would just be more security loops holes to jump through and I still need to get that up on my machine.

                                    • Re: Windows Security Warning on extension object?
                                      Erik Gustafsson

                                      Indeed, that might cause even more pop-ups.

                                      Perhaps use a tool like Fiddler to see where and why this issue pops up.

                                       

                                      Regards,

                                      Erik

                                        • Re: Windows Security Warning on extension object?


                                          Thanks. I'll test out Fiddler. I plan on trying some other extension objects to see how they do it. I also found this one that does the called through Macros, which might be a way to do some of the stuff I need.

                                           

                                          One question you might know. This link talks about extension objects and lists one of the uses of extension objects as "A communication from within the client with external processes or web services is desired". Do you know how to make it talk to external processes? Because all the web services I have trying to use also have local APIs off dlls on the same machine as QlikView. I would prefer to use those, but I could never find a way to access those APIs through the JavaScript. Is there a way?

                                            • Re: Windows Security Warning on extension object?
                                              Erik Gustafsson

                                              Hi James.

                                               

                                              For JavaScript you should be able to find most of the information at JsDoc Reference - Getting Started . For loading JavaScript files, you can use:

                                              Qva.LoadScript(template_path + 'jquery.js', extension_Done);

                                              This is mentioned here: Extension Object Basics.doc .

                                               

                                              Or why not schedule a task triggering external programs?

                                              Management API can start tasks, programs and similar, and there is an extension to start those tasks: Reloading QlikView Documents using the Ajax-/Mobile-Client (Triggering EDX Tasks by using a QlikView Extension) (QlikTip… . Perhaps you can use the extension directly to trigger other processes or let the QMC start other processes (task: Supporting Tasks > External Programs).

                                               

                                              One can also use Macro to start actual applications (although then you use IE plugin).

                                               

                                              Regards,

                                              Erik

                                                • Re: Windows Security Warning on extension object?

                                                  Ok. The two main areas my extension objects are centered around are some charts and reports. The charts are returned as a link to an image on the web server, and the reports are returned as raw HTML. So it isn't a matter of simply starting a process, it's more a retrieve of stuff I need to display. So, based on that functionality it seems like I have these options:

                                                   

                                                  1. JavaScript -  WARNING MESSAGE unless turning enabling access data sources across domains

                                                   

                                                  2. jQuery - WARNING MESSAGE unless turning enabling access data sources across domains

                                                   

                                                  3. Macro - get the images/html reports/lists/object from my web services and then spit them into an extension object when necessary. Mainly this would be for the HTML reports, as I don't believe there is a way in a native QlikView object to view HTML, you have to do it via extension object (PLEASE correct me if I'm wrong).

                                                   

                                                  4. Plug-ins - The downfall here being a separate plug-in for each browser the client might be using, correct?

                                                   

                                                  Any I am missing? This is all in the proof of concept right now so I just need to get the list and let people higher up the chain decide. To me options 1 and 2 seem the best. A one time click on opening the QVW and then done