Maximo Open Forum

 View Only

 Help Needed: Forcing Authentication Before Downloading Maximo Attachments via BIRT Report URLs

Jump to  Best Answer
  • Administration
  • Architecture
  • Infrastructure
  • Reporting
  • Security
Gagan Deep Bansal's profile image
Gagan Deep Bansal posted 05-15-2025 14:35

Hello Community,

We’re currently embedding attachment file URLs in our BIRT reports to allow users to directly download Maximo attachments from the generated PDF—without needing to navigate to the specific record in Maximo. For example, a URL embedded in the report might look like this:

https://maximo.xyz/attachments/filename.txt

This link works as expected—it directly downloads the file when clicked.

Our requirement:
We’d like to prompt the user to log in (if not already authenticated) before the file is downloaded. Basically, instead of the download happening immediately, we'd like the Maximo login page to appear first (if needed).

Questions:

  • Is there a way to force authentication for such direct download links?
  • Are we perhaps using the wrong type of URL in the report?
  • Any recommended configuration or custom setup to meet this requirement?

Relevant system property settings:

mxe.doclink.doctypes.defpath = /apps/IBM/doclinks/default
mxe.doclink.doctypes.topLevelPaths = /apps/IBM/doclinks
mxe.doclink.path01 = /apps/IBM/doclinks=https://maximo.xyz.com
mxe.doclink.securedAttachment = true

Any guidance or suggestions would be greatly appreciated!

Thanks in advance,
Gagan

Steven Shull's profile image
Steven Shull posted 05-20-2025 18:37  Best Answer

If you're using LDAP for your Maximo authentication, you should be able to secure this virtual directory via the web server using the same LDAP credentials. For example, if you are using IBM HTTP Server, you should be able to use this: Authenticating with LDAP on IBM HTTP Server using mod_ldap - IBM Documentation

If you want to use Maximo itself and are on a relatively recent patch of 7.6.1.3 or higher, there are two ways you might be able to achieve this. The first is the doczip API that was built for Maximo Mobile. It's not documented but essentially creates a way to build & download a zip of attachments. I'll be honest, I haven't used it outside of Maximo Mobile so I'd have to review it to determine how to use it. And if I remember correctly, it depends on some data downloaded from the REST API which might not make it a good option for the report approach where you are not interacting with the REST API.

The second is you can create an automation script to fetch the attachments that gets invoked using the REST API (IBM Maximo Autoscripting Guide – Invoking script through Automation Script Handler). We didn't always let the script set the content-type header (it was hardcoded to a JSON response) but we fixed that in a 7.6.1.3 IFIX. If you set the response body to the file contents & the response header sets the content-type, you can make it so it downloads a file. Since this would be using the Maximo REST API, it would require the user to be authenticated to use it. If necessary, you can even further restrict access to only those with certain permissions.

Prashant Sharma's profile image
Prashant Sharma posted 05-17-2025 10:00

Hi Gagan - What kind of authentication is setup at Maximo- Native/LDAP/SAML? In case of LDAP/SAML is SSO enabled?

Gagan Deep Bansal's profile image
Gagan Deep Bansal posted 05-17-2025 10:21

Hi Prashant, we have LDAP authentication enabled in PROD with integration to Microsoft Active Directory. We don't have SSO enabled.

Gagan Deep Bansal's profile image
Gagan Deep Bansal posted 05-20-2025 23:51

Thank you very much Steven for providing a detailed solution.

We are using LDAP authentication with IBM HTTP Server so the link you shared (Authenticating with LDAP on IBM HTTP Server using mod_ldap - IBM Documentation) looks to be providing a solution. I will give it try and let you know how it goes. 

Truly appreciate your help!

Gagan Deep Bansal's profile image
Gagan Deep Bansal posted 05-30-2025 12:55

Hi @Steven Shull,

Looking for further help on this.

We tried implementing the solution proposed in the link  Authenticating with LDAP on IBM HTTP Server using mod_ldap - IBM Documentation but its not working. 

While the configuration prompts for credentials as expected, we encounter a 500 Internal Server Error immediately after submitting them. Please see below screenshot for reference.

Your guidance on resolving this issue would be greatly appreciated.

Its not showing any errors in the error log. Below is the HTTP Server error log trace:

10.1.46.143 - - [29/May/2025:21:33:26 -0600] "HEAD /zipfiles HTTP/1.1" 401 - 236 +

10.1.46.143 - gagan.bansal [29/May/2025:21:33:27 -0600] "GET /attachments/systeminfo.png HTTP/1.1" 500 603 769004 -

10.1.46.143 - - [29/May/2025:21:33:35 -0600] "HEAD /maximo-x HTTP/1.1" 302 - 2382 +

We have made the below updates to the httpd.conf file to enable LDAP authentication. Please find attached httpd_conf.txt file for the full code in the httpd.conf file.

LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

DocumentRoot "/apps/IBM/doclinks"

<Directory "/apps/IBM/doclinks">

LogLevel authnz_ldap:debug ldap:debug

LDAPTrustedGlobalCert CMS_KEYFILE /apps/IBM/HTTPServer/conf/ldap.kdb password

<Directory "/apps/IBM/doclinks">
    AuthType Basic
    AuthName "AD Protected Area"
 
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://adserver.company.com:636/OU=Accounts,DC=test,DC=local?sAMAccountName?sub"
    AuthLDAPBindDN "CN=ldapaccount,OU=Accounts,DC=test,DC=local"
    AuthLDAPBindPassword "password"
 
    Require valid-user
</Directory>

Attachment  View in library
httpd_conf.txt 32 KB
Steven Shull's profile image
Steven Shull posted 05-30-2025 16:54

Unfortunately, we haven't used IBM HTTP Server in over a decade. I don't have an environment where I could attempt to test this.

Related Content