Running activities outside of Server Admin
Due to a fix for a security vulnerability, the manner in which applications or activities can be started outside Interviewer Server Administration has changed. Server Admin authenticated a user without first invalidating the existing session, and so continued to use the session already associated with the user (a session fixation weakness). An attacker could force a known session identifier on a user so that, once the user authenticated, the attacker had access to the authenticated session.
The Server Admin login page now resets any existing session identifier before authenticating the user. As a consequence, any session data set in applicationinit.aspx is lost if the application has to redirect to the login page before starting. The login must therefore happen before a form that points to the applicationinit.aspx page is submitted.
To make activities available in this way, create a form that points to the applicationinit.aspx file for the activity and posts into it the information that Server Admin normally provides. The example below is a form definition that lets users run UNICOM Intelligence Reporter outside Server Admin. It works as follows:
1 An Ajax request is made to Server Admin to determine whether the user is already authenticated.
2 If the user is already authenticated, the form submits directly to applicationinit.aspx.
3 If the user is not yet authenticated, the form submits to the login page to authenticate the user. Once the user is authenticated, the login page redirects back to the sample page.
4 If the referrer is the login page, the form submits directly to applicationinit.aspx.
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <title>Projects List</title>
  <script type="text/javascript">
    // Called from a project link: records the project name and starts the submit flow.
    function OpenReporter(projectName) {
      var proj = document.getElementById("projName");
      proj.value = projectName;
      // SubmitForm sets the form action and submits the form once the
      // authentication check has completed, so it must not be submitted again here.
      SubmitForm();
    }

    // True when the browser arrived here through a redirect from the Server Admin login page.
    function IsLoginPageReferrer() {
      var ferer = document.referrer;
      return ferer.toLowerCase().indexOf("login/default.aspx") >= 0;
    }

    // Asks Server Admin whether the user is already authenticated, then posts the
    // form either to the login page (with a return URL back to this page) or
    // directly to applicationinit.aspx.
    function SubmitForm() {
      var xhr = new XMLHttpRequest();
      xhr.open("GET", "http://[Server Address]/spssmr/dimensionnet/default.aspx", false);
      xhr.onreadystatechange = function (e) {
        if (xhr.readyState == 4) {
          var form = document.getElementById("myForm");
          var text = xhr.responseText;
          // A 401, or a response that is the login page itself, means the user must log in first.
          if (xhr.status == 401 || xhr.statusText == "Unauthorized" || text.search(/login\.css/i) >= 0) {
            var proid = document.getElementById("projName").value;
            // The return URL carries the project id so that the page can resume after login.
            var returnUrl = "http://[project List Address]/ProjectList.htm?projid=" + encodeURIComponent(proid);
            form.action = "http://[Server Address]/spssmr/dimensionnet/login/default.aspx?returnurl=" + encodeURIComponent(returnUrl);
          }
          else {
            form.action = "http://[Server Address]/spssmr/mrtables/frontend/global/applicationinit.aspx";
          }
          form.submit();
        }
      }
      // Send the ajax request (synchronous, so the handler above runs before send() returns)
      xhr.send();
    }

    // After the login page redirects back, pick up the project id from the
    // query string and submit the form to applicationinit.aspx.
    window.onload = function () {
      if (IsLoginPageReferrer()) {
        var projName = document.getElementById("projName");
        projName.value = getParameterByName("projid");
        if (projName.value == undefined || projName.value == "") {
          return;
        }
        SubmitForm();
      }
    }

    // Returns the value of a query-string parameter, or "" if it is absent.
    function getParameterByName(name) {
      name = name.replace(/[\[]/, "\\[").replace(/[\]]/, "\\]");
      var regex = new RegExp("[\\?&]" + name + "=([^&#]*)"),
          results = regex.exec(location.search);
      return results === null ? "" : decodeURIComponent(results[1].replace(/\+/g, " "));
    }
  </script>
</head>
<body>
  <form id="myForm" method="post">
    <div style="font-size:larger">Projects</div>
    <table>
      <thead>
        <tr>
          <td>Name</td>
        </tr>
      </thead>
      <tbody>
        <tr>
          <td>demo</td>
          <td><a target="_self" href="javascript:OpenReporter('demo')">Open in Survey Reporter</a></td>
        </tr>
      </tbody>
    </table>
    <div>
      <!-- Fields that Server Admin would normally post into applicationinit.aspx -->
      <input name="ProjectName" id="projName" type="hidden" size="20" />
      <input name="launcherstarturl" type="hidden" value="http://[project List Address]/ProjectList.htm" />
    </div>
  </form>
</body>
</html>
If you want to use Windows authentication and do not want users to see the Server Admin login page, ensure that the Survey Tabulation front-end Web.config file uses Windows authentication and sets SPSS_AllowNTNameMapping to True.