Authentication Using the URL API

Users have to be authenticated before accessing functionality in MicroStrategy Web. Using the URL API, there are three ways for MicroStrategy Web to obtain the information needed to authenticate a user.

Opening the login page to gather user for credentials
Bypassing the login page by providing credentials in the URL
Bypassing the login page by providing the session state in the URL

A detailed explanation of each method for obtaining the authentication information is provided below.

Opening the login page to gather user for credentials

If the URL attempts to access a MicroStrategy Web page that requires login and no credentials or session state are provided in the URL, the user is redirected to the login page.

If login is successful, the user is redirected to the specified page.

The sample URL shown below executes a report without providing authenticating information. Since the Report Execution page requires login, the user is redirected to the login page to be authenticated before the report is run.

J2EE environment:

http://webserver/MicroStrategy/servlet/mstrWeb?
Server=localhost
&Project=MicroStrategy+Tutorial
&Port=0
&evt=4001
&src=mstrWeb.4001
&reportID=EB3CD5D14F4C8C77782AC0882C986B8D

.NET environment:

http://webserver/MicroStrategy/asp/Main.aspx?
Server=localhost
&Project=MicroStrategy+Tutorial
&Port=0
&evt=4001
&src=Main.aspx.4001
&reportID=EB3CD5D14F4C8C77782AC0882C986B8D

Sample values are used for parameters in the sample URLS, such as "localhost" for Intelligence Server or "MicroStrategy+Tutorial" for the project.

Bypassing the login page by providing credentials in the URL

If the URL attempts to access a MicroStrategy Web page that requires login and user credentials are provided in the URL, the login page is bypassed. If the credentials provided are valid, a session is created and the user is redirected to the specified page.

The sample URL shown below executes a report and provides a user name and password to be used for authentication. Since the Report Execution page requires login, the credentials are authenticated before the report is run. In addition to the information necessary to execute the action, the URL contains the uid (user name) and pwd (password) parameters, as shown in bold in the sample URL below.

J2EE environment:

http://webserver/MicroStrategy/servlet/mstrWeb?
Server=localhost
&Project=MicroStrategy+Tutorial
&Port=0
&evt=4001
&src=mstrWeb.4001
&reportID=EB3CD5D14F4C8C77782AC0882C986B8D
&uid=asmith
&pwd=as445888

.NET environment:

http://webserver/MicroStrategy/asp/Main.aspx?
Server=localhost
&Project=MicroStrategy+Tutorial
&Port=0
&evt=4001
&src=Main.aspx.4001				&reportID=EB3CD5D14F4C8C77782AC0882C986B8D
&uid=asmith
&pwd=as445888

For security reasons, this authentication approach is not recommended.

When you pass credentials in the URL, they can be mapped to other credentials before the session is created. In a non-portal environment, a custom External Security Module (ESM) can be used to map the login credentials to MicroStrategy credentials and then pass these mapped credentials to Intelligence Server for user authentication and session creation. In a portal environment, user credentials are mapped by a custom credential mapper class specified as a property of the MicroStrategy portlet, rather than by a custom ESM.

Sample values are used for parameters in the sample URLs, such as "localhost" for Intelligence Server or "MicroStrategy+Tutorial" for the project.

Bypassing the login page by providing the session state in the URL

If the URL attempts to access a MicroStrategy Web page that requires login and the state of the session is provided in the URL, the login page is bypassed. If the session state is a valid state, the user is taken directly to the specified page.

The sample URL shown below executes a report and provides an existing session state to be used for authentication. Since the Report Execution page requires login, the credentials are authenticated before the report is run. In addition to the information necessary to execute the action, the URL contains the usrSmgr (session state) parameter, as shown in bold in the sample URL below.

J2EE environment:

http://webserver/MicroStrategy/servlet/mstrWeb?
Server=localhost
&Project=MicroStrategy+Tutorial
&Port=0
&evt=4001
&src=mstrWeb.4001
&reportID=EB3CD5D14F4C8C77782AC0882C986B8D
&usrSmgr=l.1.2.0.e.1033.1033.0.1.0.e.0.1.0.1.1.0.1.3.1.16.6.e.1.00000000e8bbb72f11860fe7b2fd062ba59fc24d328683594c768f25209a639e9cfacdb08abeb0400fd8ccc6eb3568cc53aad4647b17be92812146175d751f4db8b834e40fa39a8545849d74f0ee1b95b4f467c30c6f4c7a5dff5cb39f989c689c129c5b22a32718577dcce1189e93f8f49075f3e688eef0.1033.1.2.0.upp*_1*_pl*_1*_upl*_1*_sp*_1*_upriv*_1*_ul*_1*_pp*_1*_up*_1*_wp*_1.0.1.1.2.0.3.3.1.16.6.54F3D26011D2896560009A8E67019608.Administrator.8704.4.America%2FNew*_York..MicroStrategy+Tutorial.127*.0*.0*

.NET environment:

http://webserver/MicroStrategy/asp/Main.aspx?
Server=localhost
&Project=MicroStrategy+Tutorial
&Port=0
&evt=4001
&src=Main.aspx.4001
&reportID=EB3CD5D14F4C8C77782AC0882C986B8D
&usrSmgr=l.1.2.0.e.1033.1033.0.1.0.e.0.1.0.1.1.0.1.3.1.16.6.e.1.00000000e8bbb72f11860fe7b2fd062ba59fc24d328683594c768f25209a639e9cfacdb08abeb0400fd8ccc6eb3568cc53aad4647b17be92812146175d751f4db8b834e40fa39a8545849d74f0ee1b95b4f467c30c6f4c7a5dff5cb39f989c689c129c5b22a32718577dcce1189e93f8f49075f3e688eef0.1033.1.2.0.upp*_1*_pl*_1*_upl*_1*_sp*_1*_upriv*_1*_ul*_1*_pp*_1*_up*_1*_wp*_1.0.1.1.2.0.3.3.1.16.6.54F3D26011D2896560009A8E67019608.Administrator.8704.4.America%2FNew*_York..MicroStrategy+Tutorial.127*.0*.0*

This is the recommended seamless authentication approach because it is the most secure.

Sample values are used for parameters in the sample URLS, such as "localhost" for Intelligence Server or "MicroStrategy+Tutorial" for the project.

Click here to see sample code to reuse an existing session. This is the code that you use in a J2EE environment.

Click here to see sample code to create a new session. This is the code you use in a .NET environment.