[Html2PdfConverter] PDF of non-Anonymous pages?

Forge Component
Published on 2016-03-24 by Guilherme Pereira
40 votes
All of our pages have the Anonymous role turned off for (obvious) security reasons; the user has to be registered and allowed to be there and all.

And it appears that every time I try to generate a PDF, no matter how I pass the HtmlToPdfConverter action the URL, it generates a very nice PDF of our login screen.

Help? How do I direct the HtmlToPdfConverter action to a screen, with parameters, and have it generate a pdf of the actual screen instead of our login screen?

The only way I've seen this work is to have an Anonymous screen with what you want to show on the PDF.

Think about it: from outside, you are attempting to jump into the app, and without the page being anonymous, you are getting directed to the login page.

Hi Len,

The reason for that is that the request to the page that is going to be printed comes from the server and not from the user/session that is active.

It's like having a completely different access to the page, and for that the page has to be anonymous.

If you want to increase security, what you can do is generate a token before the request, store it in the database, and pass it as a parameter to the page. In the page preparation you then validate that token, and if it is not valid you throw an exception to prevent the page from rendering.

Hope it helps


Try the following (I haven't tested it):

1. Create a WebFlow with Internal Access Only and limit this to
2. Inside this WebFlow create a Web Page with same query string parameters you have on the page you need to print
3. Inside the preparation of this page you just created, do a User_Login
4. At the end of the Preparation do a Server Redirect to the page you need to print passing the parameters
5. Call to the GeneratePDF with the page you have just created

This way you do not need to set your page as Anonymous bypassing the Platform security by creating tokens.
If you can set Internal Network to you can then create a token to the page that redirects. If this token is not fixed and is generated for each request (like a GUID), you can even store it in the database and have the Anonymous WebPage created in step 2 validate the request. This will make it virtually impossible for someone to guess the token.... I think...

António Braz

Hi Antonio,

Have you tested this? I'm almost certain it won't work. The executable behind the component uses WebKit and launches a headless browser within a separate process that will always be a new anonymous session.

The only way I was able to do a secure access to a page by using this component in the past years is by using the token generation/validation I described earlier.
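
The token generation/validation described in this thread, sketched as an added example; it is not part of any post and is not OutSystems or Html2PdfConverter code. It goes beyond what the posts state by making the token single-use, short-lived and bound to one page and its parameters. Assumptions: the in-memory dict stands in for the database table, all function names are hypothetical, and the 60-second lifetime is an arbitrary choice.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 60   # assumption: the PDF render completes well within a minute
_store = {}              # stands in for the database table; key is SHA-256(token)


class InvalidRenderToken(Exception):
    """Raised during page preparation so the page never renders."""


def _digest(token):
    # Only the hash is stored, so a leaked table does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def _canonical(params):
    return tuple(sorted(params.items()))


def issue_render_token(user_id, page, params, now=None):
    """Runs in the logged-in user's session, just before calling the converter."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    _store[_digest(token)] = {
        "user_id": user_id,
        "page": page,
        "params": _canonical(params),
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return token   # passed to the anonymous page as a query parameter


def validate_render_token(token, page, params, now=None):
    """Runs in the anonymous page's preparation; returns the user to render for."""
    now = time.time() if now is None else now
    row = _store.pop(_digest(token or ""), None)   # pop: a token works only once
    if row is None:
        raise InvalidRenderToken("unknown or already used token")
    if now > row["expires"]:
        raise InvalidRenderToken("token expired")
    if row["page"] != page or row["params"] != _canonical(params):
        raise InvalidRenderToken("token was not issued for this page/parameters")
    return row["user_id"]
```

Because the token travels in the URL, it can end up in web server and proxy logs; the single-use and expiry checks are what keep a logged value from being replayed.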