I have a Java class extending ibi.webfoc.WFEXTDefault that I'm trying to use to implement a custom security model.

All report requests come into WebFOCUS via a proxy on my public access-controlled site. If the request comes from an authenticated user my site generates a token (encrypted role name and expiry time) which it appends to the request URL. My servlet decrypts the token to check if the request came from a valid user.

Ideally I'd like the servlet to use an external resource (e.g. text file or db query, but haven't got there yet) to lookup which procedures can and can't be called by the requesting user's role. If the role is insufficient for the requested procedure I'd like to return an HTTP 403 response, but I would also settle for a 200 response and a document reporting insufficient privileges.

Unfortunately I can't see how my servlet might influence the response. WebFOCUS calls a function with the following signature

  public long callMe(String[] NewVars, HttpServletRequest req)

I've looked at the HttpServletRequest class and can't see any way to get to the HttpServletResponse via context or session. It seems like all my servlet can do is pass variables (see NewVars) to the procedure requested by the user. This is OK but it means I have to manage security on a report-basis, changing a report's output based on the values in NewVars. If I forget to secure a report then it's unsecure by default.

Using WebFOCUS's security model is not an option (users must not need to authenticate in a second system and the system's authentication model is not compatible with LDAP or other standards).

Can anyone suggest how I might influence the response, or simply reject the request, from within my servlet? Any thoughts much appreciated!

This message has been edited. Last edited by: <Kathryn Henning>,

Have you considered putting a call to a focexec in the server's profile that validates the users authorizations prior to continuing on to the requested focexec? Query a data table for authorizations, if not found the default behavior is to return a formatted result indicating lack of authority.

This would be beyond the back edge of your of your servlet. You'd add material on to the wfservlet call that provides the information necessary to determine authorizations in the profile call.

J.

That sounds interesting thanks. Could you possibly expand a bit more on what you mean by "in the server's profile"? I only spend a small amount of my time in the IBI world and often find the documentation inadequate or inaccurate.

My main reservation with the approach is that it means relying on conditional logic in a procedure. Based on my experience to date the FOCEXEC language is something to be avoided or minimised wherever possible. Also I anticipate some difficulties passing the original parameters from this filter procedure to the target procedure once authorisation is confirmed.

It's likely way easier than you think. There's a file called edasprof.prf that is appended onto the front of every single request to the server. I have a focexec that does just what you're looking to do -- provide authorization depending on userid that I run for all calls. It executes as the first step in the server profile.

Mine is based upon the Managed Reporting ID that the user logs onto WebFOCUS with but there's no reason that has to be the case. It could be based on any other variable sent to the server. Your connection to the outside world will have it in an encrypted cookie (or pull a NIC address from the request, or IP address, whatever) but once it gets back inside your servlet you can crack it open and use it as you wish.

If all calls go through your own servlet call, you can take the request, crack open your own secure session cookie, extract your variables and add them to the call to wfservlet. Your servlet can gin up its own call to wfservlet with all the variables the user originally sent, PLUS the variables you add. Upon arrival at the reporting server the server profile (edasprof.prf) runs, utilizes the variables you've attached in the authorization focexec and makes the decision to continue or shut down the request.

By the way FOCUS logic can be razor-sharp with just a little care. I wouldn't be concerned at all about its dependability.

J.

quote:

Originally posted by TomC:
I've looked at the HttpServletRequest class and can't see any way to get to the HttpServletResponse via context or session. It seems like all my servlet can do is pass variables (see NewVars) to the procedure requested by the user. This is OK but it means I have to manage security on a report-basis, changing a report's output based on the values in NewVars. If I forget to secure a report then it's unsecure by default.

Using WebFOCUS's security model is not an option (users must not need to authenticate in a second system and the system's authentication model is not compatible with LDAP or other standards).

Can anyone suggest how I might influence the response, or simply reject the request, from within my servlet? Any thoughts much appreciated!

Implement this using a Java Filter. With a filter, you can validate everything you need, then allow the request to forward to the servlet - as per normal - or do the 403 redirect.

/*
 * Created on Mar 13, 2010
 *
 * TODO To change the template for this generated file go to
 * Window - Preferences - Java - Code Style - Code Templates
 */
package com.ibi.filters;

import javax.servlet.*;
import javax.servlet.http.*;

/**
 * @author dhagen
 *
 * TODO To change the template for this generated type comment go to
 * Window - Preferences - Java - Code Style - Code Templates
 */
public class SampleFilter implements Filter {
	/*
	 * Stores the Filter Configuration
	 */
	private FilterConfig filterConfig;

	public void init(FilterConfig _config) throws ServletException {
		this.filterConfig = _config;
	}
	
	public void destroy() {
		filterConfig = null;
	}

	// Execution code for the filter.
	public void doFilter(ServletRequest _request, ServletResponse _response, FilterChain _chain) 
	throws IOException, ServletException 
	{
		HttpServletRequest request = (HttpServletRequest) _request;
		HttpServletResponse response = (HttpServletResponse) _response;
		HttpSession session = request.getSession();
		boolean isValidRequset = false;
		
		/*
		   Do something here to validate the request .... 
		*/
		
		if (isValidRequst) {
			_chain.doFilter(_request, _response); // continues to the servlet call
		} else {
			response.sendError(403);  // stop everything
		}
		return;
	}
}

  

This message has been edited. Last edited by: dhagen,

dhagen this looks like what I want, thanks!

This page seems to outline the process, but gives no information or links to how to implement the filter.

Should I write a class that implements com.ibi.filters.Filter, and drop it into WEB-INF/classes/my/namespace/SampleFilter.class?

What other configuration do I need to add to site.wfs, web.xml, or elsewhere for this to be loaded? My searches for documentation are being hindered by other uses of the Filter concept across WebFOCUS.

If you keep the just the class, then your location is correct. I prefer to export to a JAR and put the JAR in the WEB-INF/lib directory.

You need to modify your web.xml to define the filter and the filter-mapping. Open the existing web.xml to see examples. Order is important here, and you should add the filter tag with the other filter tags, and add the filter-mapping tag with the other filter-mapping tags.

Remember that if your url-pattern is /*, then it will be activated for every request that hits the web application. You will have to look at the attributes to determine if you want to validate the user or just forward the request. Typically there should be a couple of key attributes that you should be able to narrow down to. Example web.xml entires:

    <filter>
        <filter-name>MySampleFilter</filter-name>
        <filter-class>my.namespace.SampleFilter</filter-class>
   </filter>

 ... 
   <filter-mapping>
        <filter-name>MySampleFilter</filter-name>
        <url-pattern>/*</url-pattern>
   </filter-mapping>
  

Whenever you change the web.xml, you have to reload the web application ... or restart your application server. If you are using a server where you deploy a WAR or EAR file, then you must rebuild the WAR or EAR and then re-deploy the application.

Sorry, one last point: The filter is a standard pattern that is part of every web application server, and you will be able to implement it based on the JARs you already have available in your development environment. Just add the implements Filter to your class and ensure you have the minimum 3 methods as in my example (init, destroy, doFilter). The "com.ibi.filters" is just my package name and has nothing to do with the implementation of a filter.

This message has been edited. Last edited by: dhagen,

Simple overview as this is web application specific and not IB specific.

dhagen thanks a bunch, I'm pretty confident I should be able to get up and running with the comprehensive info you've provided.

I'll post back and hopefully mark the thread solved when I've put these pieces in place.

I don't know why this thread is marked closed, but I just came back to mark it solved.

dhagen's suggestion worked wonderfully and I now have a filter managing report authentication and authorisation, returning a 403 response when a request is made from a client with insufficient privileges.