10 Replies Latest reply: Mar 2, 2011 10:34 AM by davide1982 RSS

    Data filtering based on .NET user session token

    rchav

      Hi, I have a .NET website in which we authenticate users using Forms authentication, which basically means there's no NTLM authentication. Forms authentication relies on a session cookie in the browser to indetify the user throughout the session lifespan.

      I've also managed to embedd a QlikView document inside one of the aspx pages by using an inline frame (iFrame) html element (using AJAX ZFC), and setting the QV server and access point to allow anonymous access (in the background of course the NTLM user is user is the Anonymous account setup by the AccessPoint).

      Now the problem: I want to be able to filter data based on the user who is currenlty logged on into the website. Since the logon is managed by .NET, I don't really have an NTLM user that I can use with the NT variable in the Session Access, nor I want the users to fill in a User/Passw popup.

      Is there a way to accomplish this selective filtering with the setup I described? I tried to pass parameters to the QV object in the URL but I don't know if there is a way to retrieve them.

      By the way I'm also trying the workbench but the same problem happens when I load the document through the datasource, I don't have a way to pass the QV document a parameter that will allow me to filter data based on a Section Access.

       

      Any pointers, ideas, documentation wpould be hightly aprecciated.

       

       

        • Data filtering based on .NET user session token

          Hi,

          What you could consider is to configure the QVS in DMS mode. Add the users to for example the custom directory.

          Before you open the Ajax QVW in the frame, first request a ticket from QVS for the particular user that you authenticated in the .NET app.

          QlikView will return a ticket that you can append to the document URL (http://server/qvajaxzfc/opendoc.htm?document=xxx&ticket=xxx

          The userid that you passed in for the ticket will be available in the NTNAME field in the QVW file. This you can further use in section access to reduce the data for a particular user.

          Example code to request a ticket in .NET using QvsNetRemote.DLL:

           

           


          using QlikTech.NetClient;

          //
          // GetTicket
          //
          private string GetTicket(string userId)
          {
          string request;

          QvClient client = new QvClient("localhost", QvClient.Mode.Admin);

          request = "<Global method=\"GetTicket\">";
          request += " <UserId>" + userId + "</UserId>";
          request += "</Global>";

          string response = client.Execute(request);

          XmlDocument result = new XmlDocument();
          result.LoadXml(response);

          return result.InnerText;
          }



           

            • Data filtering based on .NET user session token

              Additional point: for security reasons only a member of the "Qlikview Administrator" Group on your QVS (in DMS-Mode) is allowed to retrieve such a ticket.

              So if your webportal is run by some other serviceuser, you might not be able to retrieve the ticket directly from the QVS. I normally use a webservice to proxy the ticketrequest.

                • Data filtering based on .NET user session token

                  A webservice could be a good alternative for that. You could also consider the "normal" impersonifciation features in .NET to make the request in the name of a user that is part of QlikView Administrators

                  • Data filtering based on .NET user session token

                    Here is an example to request a ticket through qvsviewclient (HTTP based). The example uses impersonification. This means you can specify in the name of which user you want to do the request. Make sure this user is a member of QlikView Administrators on the QVS.

                    You can use this in situations where you work with a separate webserver that is out of domain or for example when you can not change the identity of an IIS application pool.

                     


                    private string GetTicket(string qlikviewserver, string username)
                    {
                    string postData = "<Global method=\"GetTicket\"><UserId>" + username + "</UserId></Global>";
                    byte[] buffer = System.Text.Encoding.ASCII.GetBytes(postData);
                    System.Net.WebRequest request = System.Net.HttpWebRequest.Create(qlikviewserver + "/qvajaxzfc/qvsviewclient.asp?admin=");
                    request.ContentType = "text/xml";
                    request.Method = "POST";
                    request.ContentLength = postData.Length;
                    request.Credentials = new NetworkCredential("USERNAME", "PASSWORD");
                    System.IO.Stream st = request.GetRequestStream();
                    st.Write(buffer, 0, buffer.Length);
                    st.Flush();
                    st.Close();
                    WebResponse res = request.GetResponse();
                    StreamReader sr = new StreamReader(res.GetResponseStream());
                    System.Xml.XmlDocument doc = new System.Xml.XmlDocument();
                    try
                    {
                    doc.LoadXml(sr.ReadToEnd());
                    if (doc.InnerText.Length > 0)
                    {
                    return doc.InnerText;
                    }
                    throw new Exception("Could not get ticket");
                    }
                    catch
                    {
                    throw new Exception("Could not get ticket, invalid response");
                    }
                    return "";
                    }


                     

                  • Data filtering based on .NET user session token

                    Hi All,

                    i'm tring to make an example with workbench. I successfully tested the access to qv documents from objects in a workbench asp page.

                    Now i would access to a document with section access: i writed a page for requesting ticket, passed ticket throw GET to workbench asp page that include objects of protected qv document.

                    I put the tiket into browser querystring:

                    http://localIPofServer/folder1/Default.aspx?ticket=XXX

                    When i try to open asp page, i receive next error message: "Failed to open document, You don't have access to this document." (ones for all objects of the documents).

                    It appear as a credential error but if i use the same username and password for open the same document in qv server, all works fine.

                    Any idea for help me?

                     

                    Thanks,

                    Davide.

                      • Data filtering based on .NET user session token

                        Hi all,

                        i have a new: i set the security to anonymous access (IQVS_*) for folder that contains document data source.

                        Now i can view a single object of protected document with workbanch. But, if i put some objects of the same documents, the first object is also readable but other are not. None errors are displayed.

                        Is there a way for putting some objects of a protected document in a single workbech page?

                        Thanks,

                        Davide.

                        • Data filtering based on .NET user session token

                          Hello Davide,

                          Please check that the identity the aspx page is running under is a member of the QlikView Administrators group. Otherwise you can will receive an "invalid" ticket.

                          Regards,

                          Erik

                            • Data filtering based on .NET user session token

                              Hi Erik,

                              thank you for your attention. I'm doing a lot of tests and i found next conclusion:

                              - some objects that have more than 10 columns are not displayed (or, in general, all the objects with long width columns). I try to adjust properties of QV objects (width and height) with no effect.

                              It appears as a problem of rendering, infact i can see the object if i cut a column at time in the original object and try to display it in aspx page. is there a guideline for the correct setting of qv workbench object?

                              Another similar problem is the next: if i access to the aspx page with my credential, i can see all the objects that i insert, and some other users-credential can. But two users can't see one particular object in the page: first i think about a problem of browser but it isn't the cause becouse if i test the same page with my usual browser with there credential i can't see the object too.

                               

                              Bye,

                              Davide.

                        • Data filtering based on .NET user session token

                          You can hand over selections in the AJAX-url in QVS9SR2. It's not really save solution, but maybe a startingpoint.


                          The example selects "germany" in Listbox "LB1462" and "2007" in Listbox "LB1446"

                          http://demo.qlik.com/QvAJAXZfc/opendoc.htm?document=QT%20Sales%20demo%20YTD.qvw&select=LB1462,Germany,USA&select=LB1446,2007


                           

                          Rules:

                          · Separate selections with "&"
                          Separate text to select with ","
                          White spaces matters
                          Case sensitive
                          Selections in the url always clears any other selections in the list box


                          Additionally use the qva-Javascript object to Lock the listboxes to make it a little more secure:

                           

                          // qva.Set("Document.LB1462.LOC", "action", "", true);

                          For a safe solution you really should go for Ticketing in DMS-Mode of QVS! Then you can utilize the NTNAME-column in your SectionAccess-Table within the .qvw! Retrieve a ticket from the QVS for the logged in username! With this ticket in the URL you can have a singlesignon into qlikview and can restrict data as defined in section access --> Ping me if you need an example for this..

                           

                           

                           

                           



                           

                           

                           

                          U

                           

                          U


                           

                            • Data filtering based on .NET user session token
                              Chris Cammers

                              Regarding the Hyperlink with selections.

                              When I try the link on my server I am getting an error saying that I don't have access to the document. When I open through Access point then I don't see the message.

                              I assume that I have to grant access to the opendoc.htm but I'm not sure who to grant the rights to and what privileges are needed

                               

                              I am using the Qlikview web server and not IIS if that makes a difference