
Login from VB is insecure

datavalue (Programmer, CA), Nov 8, 2002
We are using Crystal Enterprise 8.5 and a VB WebBrowser application to access unmanaged reports.

To access the reports we use the URL: //someserver/somedir/somereport.rpt?somepromptexparms&User0=someuser&Password0=somepwd&CMD=Export&EXPORT_FMT=U2FPDF:0

The problem is that this is insecure: it is possible for users to view the browser history in Internet Explorer and see the user ID and password the application has used to access the reports.

What other ways are there of connecting?

Am I right in thinking that if I use managed reports I need to call the server and pass the PWD and USER and then the server will return an APSLOGON token. And if we wanted to do it this way we would need to release to each client the CE Infostore and Framework DLLs?

Any help/examples/better methods gratefully appreciated.

Someone must have a more secure method of using Crystal Enterprise from VB??
 
It depends on whether your problem is just the history list or not. If it is, then you can avoid URLs being added to the history list of a WebBrowser control using the BrowserNavConstants enum (see
This would still leave the username and password in the URL however, so it would still show up in webserver logs etc.

The other option would be to post (using the postData argument of WebBrowser.navigate) the items instead of putting them in the URL. The username and password would still go across the network as plain text (if you're not using https) but they wouldn't be visible in the URL. I'm pretty sure that Crystal Enterprise can accept the values this way, so you could use something like:-

' PostData must be a byte array; a plain String is not sent as a POST body.
Dim postData() As Byte
postData = StrConv("somepromptexparms&User0=someuser&Password0=somepwd&CMD=Export&EXPORT_FMT=U2FPDF:0", vbFromUnicode)
' Flag keeps the URL out of the history list; the header tells the server how the body is encoded.
WebBrowser1.Navigate "someserver/somedir/somereport.rpt", navNoHistory, "_self", postData, "Content-Type: application/x-www-form-urlencoded" & vbCrLf

Alternatively, as you said, you could create a logon token that is only valid for a single use and then use that to view the report. You could do this with a CSP page, but the username and password would still have to cross the network as clear text; or, if the Crystal Enterprise SDK DLLs are available on the machine, you could do this from within VB and just send the logon token up instead.
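As an added example (not code from this thread or from Crystal Enterprise), the following Python script shows the exposure the reply above points out: credentials placed in the query string end up in browser history and web-server access logs, whereas a POST body does not appear there. It is a small audit helper that scans access-log lines for request URLs carrying credential parameters such as User0 and Password0, distinguishes them from the blank apsuser/apspassword values of the NT-authentication URL, and produces a redacted copy for safe reporting. The log lines are constructed for the example, and the generic parameter names beyond the Crystal Enterprise ones are assumptions.

```python
"""Audit helper: find credentials leaked into URL query strings.

Added example, not code from the thread. Parses the kind of report URLs
discussed above and flags query parameters whose name looks like a
credential and whose value is non-empty, then returns a redacted copy.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names (matched case-insensitively) treated as credentials.
# User0/Password0/apsuser/apspassword/apstoken come from the thread; the
# generic names are an assumption for broader coverage.
CREDENTIAL_PARAMS = {
    "user0", "password0", "apsuser", "apspassword", "apstoken",
    "user", "username", "password", "pwd", "token",
}

# Constructed Common Log Format lines: one GET with credentials in the query
# string, one POST (body is not logged), one NT-auth URL with blank values.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Nov/2002:10:15:32 -0500] "GET /somedir/somereport.rpt'
    '?User0=someuser&Password0=somepwd&CMD=Export HTTP/1.0" 200 5120',
    '10.0.0.5 - - [08/Nov/2002:10:16:01 -0500] "POST /somedir/somereport.rpt'
    ' HTTP/1.0" 200 5120',
    '10.0.0.7 - - [08/Nov/2002:10:17:45 -0500] "GET /crystal/enterprise/admin/en/'
    'viewrpt.cwr?id=31464&apsuser=&apspassword=&apsauthtype=secWindowsNT'
    ' HTTP/1.0" 200 2048',
]

# Request field of a CLF line: "METHOD target HTTP/x.y"
_REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def leaked_credentials(url):
    """Names of credential parameters in url's query with a non-empty value.

    Blank values (as in apsuser=&apspassword= for NT authentication) are not
    counted: nothing secret is exposed by them.
    """
    query = urlsplit(url).query
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if name.lower() in CREDENTIAL_PARAMS and value != ""]


def redact_url(url, mask="REDACTED"):
    """Return url with every non-empty credential parameter value masked."""
    parts = urlsplit(url)
    pairs = [(name, mask if name.lower() in CREDENTIAL_PARAMS and value != "" else value)
             for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_access_log(lines):
    """Return (line_no, method, redacted_target, leaked_names) for each log
    line whose request target carries credentials in its query string."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = _REQUEST.search(line)
        if not match:
            continue  # not a recognisable request line
        target = match.group("target")
        leaked = leaked_credentials(target)
        if leaked:
            findings.append((line_no, match.group("method"), redact_url(target), leaked))
    return findings


if __name__ == "__main__":
    for line_no, method, target, leaked in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: {method} {target} leaks {', '.join(leaked)}")
```

Run against the constructed log, only the first line is reported: the POST request has no query string to leak, and the NT-authentication URL carries the credential parameter names but no values. The same check can be pointed at an exported IE history list, since the exposure there is identical.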
 
I tried your idea of the POST method, but I couldn't get it to work. Crystal Enterprise did not want to accept the POST method. I don't know if it was due to the version of IE (IE 5.00.3314), the version of Crystal we are using, or a coding error. It's most probably the IE version, as I can't stop the history from being added to either.

In the end I did a bit of thinking and now I have got it all to work using managed reports.

We set up the login string to be &apsuser=&apslogin=&apsauthtype=secWindowsNT
NB. not bothering with any apstoken or session.

In this way my code should pass a security audit, as I don't expose the user ID and password; it uses NT authentication. All we need to do is ensure the users wanting to produce the reports have their NT user IDs added to the Crystal Enterprise Server's list of user IDs.

We now have to populate a database with the report IDs of the managed reports. Unless I can use the report name and user directory?
But if I did use the name, what would the path to the report be?

Currently my report path is: //someserver/crystal/enterprise/admin/en/viewrpt.cwr?id=31464&init=java:connect&apsuser=&apspassword=&apsauthtype=secWindowsNT
