I've been working with JasperReports on JasperServer recently. After reading their documentation, they say that any report on the JasperServer repository can be accessed via a direct URL. With a couple of name value pairs in the URL (GET), such as reportName, output, username and password, a particular report can be retrieved.
My question is, how would one allow people to access reports via direct URLs without people seeing all of the info (especially username and password) in the address bar? It seems like this is very unsafe.
There are some smart people at JasperSoft, so I must be missing something.
How would I still use direct URLs without showing all of the parameters for others to erase and fill in? Some of you might answer saying just to change the form submission to a POST, but I wouldn't even know where to begin to change that code on JasperServer.
P.S. I will be handling network security at least with SSL.
Any explanation would be very helpful.
seems you're not the 1.st one dealing with this issue, see: http://jasperforge.org/plugins/espforum/view.php?group_id=112&forumid=102&topicid=58522
however one of the suggested links seems to be the official way: http://community.jaspersoft.com/wiki/jasperreports-server-authentication-reference
after you follow the steps suggested on wiki, the authentication seem to be working the way mentioned there:
This configuration forces form-based authentication. Unauthenticated users will be forced to go to /login.html to enter their credentials. When they enter this, the authenticationProcessingFilter will be invoked.