Hi everyone,
I am very new to WebFOCUS and was assigned a important and challenging task-securing our reports. If anyone can give me some help, that will be very very appreciated. Here is the situration.

we have a standalone java web application, using WebFOCUS 5.3( will update to v7.6 soon) as reporting tool. The reports will be in reporing server. The users of this applicaiton will be public external users. Different user only have authority to view whatever reports he has paid for. The java application has a logon page asking user id and password and then polulate a dropdown list with all the reports the user has authority to view. Finally, the java application display report by redirect to WebFOCUS client using a link, for example http://Servername/ibi_apps/WFServlet?IBIF_ex=report.fex...=value1¶2=value2. Obviously, there is a big security with this solution. Anyone can just copy the report URL and paste in IE addre box and view the report, bypassing the java application logon page.

I did lot of research and document reading. The easiest solution I can think of is using hidden field in the java page to store reporting name and parameters, instend of puting everything in the URL. But this solution doesn't solve the problem completely because people can still find some clue from "View Source". My second solution is to write a fexexec (for example Main.Fex). In Main.Fex, call a java class( check usr's access in this class), and based on the return of this java class, either EXIT or continue display real report).

I am wondering if I am in right direction? Does anyone has similiay situration like this and how do you solve the problem.

Regards.

Alu

This message has been edited. Last edited by: Kerry,

Alu,

How did you get in the Forum without updating your signature with your products, releases, and platforms? It would be easier to answer your question if we knew that information.

WebFOCUS has a security manual that you might want to check out. Also, you can use the Search tab and search for other posts on this same issue.

But once we know your configuration, we'll be able to give you better answers.

Hi Ginny,

That's my question too? I did put my signature when I register. Why it didn't show up. Would you please let me know how to make it show up?

I did read the security manual and use the Search tab and found some very valuable information. That's how I learn WebFOCUS so far. But I couldn't figure out a good sulution. May be it is because I am lack of practical expericence. I would like very much to get some suggest regarding this.

Thanks

Alu

As Ginny mentions. it's hard to give specifics without info on your operating environment, but here's a general answer. We do something similar, but the user is never able to see the link. The link is generated dynamically within the Java app after the user selects the report and the URL is never displayed. I'm not the Java guy so I don't have specifics, but it works.

Second item - do you have security turned on for your WF server? Sounds like you may not, in which case you're begging for security violations. There are ways to handled this authentication via your URL methodology, but that information also needs to be secured.

Third item - no offense to you, but assigning WF security to someone who is very new to WebFOCUS doen't sound like a very sound business decision. We all have to start somewhere, I know, but security is a pretty advanced topic that shouldn't be tackled without a thorough reading of the WF security documentation and hopefully a little training.

Good luck with it. If you have more questions, maybe I can get some details from our Java developers.

Create a separate security table with these users ids in there. You could use the &WF_Remote_user and have your fex check against the remote_user in the beginning of the program. If these individuals are not in the table redirect them to a nodata page.

quote:

Different user only have authority to view whatever reports he has paid for

First thing that I would actually do is make sure that you are correctly licensed to offer WebFocus reporting
as a subscription service.

A standard license does not allow the operation of a bureau service to external customers.

quote:

Different user only have authority to view whatever reports he has paid for

Hi JG,

I think I just used a wrong sentence to express the importance of secure the report. What I meant was that different uses should only see report he was supposed to see. For example financial data should only open to very limited people.

Now that we know that you are on a Unix platform, that clarifies the situation a bit.

As Darin asked, we still need to know whether you have operating security turned on in your reporting server.

Maybe you could do something like this assuming reporting server security is on. Secure all the subdirectories and files in ibi/apps to a single application id. If you could have the hidden field in the java page as you mentioned get passed to the WebFOCUS client, then you could check that field in the client node profile (which you can encrypt) for the reporting server. If the value is good, populate the IBIC_user and IBIC_pass variables with the application id and password.

If someone swipes the URL, they wouldn't have access to the hidden parm value, wouldn't know the application id, and would fail on credentials.

Hi Darin,

I think I have read some past posts by you regarding this issue last night. I am interested in the way how your java developers call the report. Could you please get more detail from the java guys.

Regarding your third item. Thank you for your concern. I totally agree with you. That is why I said I was assigned an important and challenge task. I will take your advise and get necessary WebFOCUS training. Also I am going to read the WF security document at least three times.

Regards

Alu

Thanks everybody for the kindly suggestions. I will try them one by one.

Regards,

Alu

Alu,

It seems to me that your problem is compounded by the structure of your Java application which uses the link in which both the fexname and the parameters are 'in clear'.

When we create self-service, higly parameterized applications for our users, we use our product WrapApp which has very stiff security built-in. It will display only those reports that the user is allowed to see (client security) and then will also check on the server if this user is allowed to run such a report. In this way, even if somebody has "stolen" the URL, unless that person has also logged on with a user-id that has permission to run that specific report, the report will not run.