17 Replies Latest reply: Mar 8, 2013 4:50 AM by Andreas Karlsson

    Users with a WebTicket are asked for credentials but are let in if cancelled

    Andreas Karlsson

      Hi folks,

      I'm into integrating Qlikview with a Linux-based Java webportal.

      Running QV 11 SR2 with QVWS.

      On server system-security tab in QMC:

           Anonymous users prohibited

           DMS authorization selected

      On QVWS authentication-tab:

           Always

           Ntlm

           Default login page

       

      I have some Named CALs and some Session CALs as well as some Usage CALs.

      Users log in to the portal and the MySQL-DB associated with the portal holds two tables, one for entities and one for groups, as stated in the help of 'Configurable ODBC' DSC.

       

      Not very documented is that the two tables/views shall look like:

      entityid   name     descr    email
      1          Gunnar   Gunnar   Gunnar@company1.com
      2          user2    user1    user2@company1.com
      3          group1   group1
      4          user3    user1    user3@company1.com

       

      groupid   memberid
      3         1
      3         2
      3         4

       

      Anyway, that stuff seems to work since I'm able to distribute documents to the users in that table.

       

      Then the Java-code on the Linux-machine asks for a WebTicket from the QV-server.

      http://QvServer/QVAJAXZfc/GetWebTicket.aspx?cmd=<Global method='GetWebTicket'><UserId>TWT_test\Gunnar</UserId></Global>

       

      The QVS then asks for the credentials of a user on the QV-windows server that is a member of the Qlikview Administrators group.

      That user's credentials are passed in from the Java-code with the use of cURL.

       

      The response is a ticket:

      <Global>

      <_retval_>331+WjqpV2WLGgn1etnoLYLRQ4FvsqsAl7em8Muh</_retval_>

      </Global>

       

       

      That ticket is used in a URL to let the user in.

      In my case I perform the above links in Chrome, signing in with my standard user when asked, so being a member of the "Qlikview Administrators" group.

      Then, to avoid the browser sending my standard credentials behind the scenes when using the link below, I test this by using an incognito window in Chrome:

       

      I can point the user with the WebTicket to the AccessPoint:

      http://QVServer/QVAJAXZfc/Authenticate.aspx?type=html&webticket=331+WjqpV2WLGgn1etnoLYLRQ4FvsqsAl7em8Muh&try=http://QVServer/qlikview/&back=http://www.yahoo.com

       

      The user can see the QV-documents he is allowed to see on the server and in the upper right corner I can see "Welcome Gunnar".

      BUT BUT BUT when he selects a document a LOGIN-prompt is fired.

      Now comes the funny thing. If I cancel the LOGIN-prompt the document will show up!

       

      The LOGIN-prompt is also there if I point the URL directly to a document:

      http://QVServer/QVAJAXZfc/Authenticate.aspx?type=html&webticket=331+WjqpV2WLGgn1etnoLYLRQ4FvsqsAl7em8Muh&try=http://QVServer/QVAJAXZfc/opendoc.htm?document=Development/QVSystemMonitor_v4.qvw&host=QVS@softhouse7&back=http://www.google.com

       

      Any hints on what to do to get rid of the annoying useless LOGIN-prompt?

      /Andy
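An added example (not from the original post, and not Qlik code): the GetWebTicket request XML, the ticket parsing and the Authenticate.aspx URL from the post, built in Python with the user ID XML-escaped and the ticket and nested try/back URLs percent-encoded. The function names and the sample response are constructed; the endpoint and parameter names are those shown in the post.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.sax.saxutils import escape

BASE = "http://QVServer/QVAJAXZfc"  # host name as written in the post


def ticket_request_xml(user_id: str) -> str:
    """GetWebTicket command; user_id is XML-escaped so a portal
    user name cannot add or close elements in the request."""
    return ("<Global method='GetWebTicket'><UserId>%s</UserId></Global>"
            % escape(user_id))


def parse_ticket(response_xml: str) -> str:
    """Return the ticket from <_retval_>; reject a missing or empty one."""
    node = ET.fromstring(response_xml).find("_retval_")
    if node is None or not (node.text or "").strip():
        raise ValueError("no ticket in GetWebTicket response")
    return node.text.strip()


def authenticate_url(ticket: str, try_url: str, back_url: str) -> str:
    """Authenticate.aspx redirect with every parameter value percent-encoded."""
    query = urlencode({"type": "html", "webticket": ticket,
                       "try": try_url, "back": back_url})
    return f"{BASE}/Authenticate.aspx?{query}"


def query_as_parsed(url: str) -> dict:
    """How a standard form-style query parser splits the URL."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    # Constructed sample response and document name, not real server output.
    sample = "<Global>\n<_retval_>123+ConstructedSampleTicket</_retval_>\n</Global>"
    ticket = parse_ticket(sample)
    doc = f"{BASE}/opendoc.htm?document=Development/Sample.qvw&host=QVS@samplehost"
    back = "http://www.example.com"
    print(ticket_request_xml("TWT_test\\Gunnar"))
    print(query_as_parsed(authenticate_url(ticket, doc, back)))
    # The same values pasted in unencoded: '+' is read as a space and
    # '&host=' becomes a parameter of Authenticate.aspx, not of opendoc.htm.
    raw = f"{BASE}/Authenticate.aspx?type=html&webticket={ticket}&try={doc}&back={back}"
    print(query_as_parsed(raw))
```

Comparing the last two printed dictionaries shows what the receiving parser gets for `webticket` and `try` in each form.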