Focal Point
Passing values securely to WF Report Server

This topic can be found at:
https://forums.informationbuilders.com/eve/forums/a/tpc/f/7971057331/m/2871030071

May 31, 2006, 08:36 AM
EJL
Passing values securely to WF Report Server
This seems like the most basic of things to want to do but so far IBI still hasn't given me an answer (case opened 5/22). I'm just trying to pass information securely from my Tomcat application to a WF Server.

We have an existing application running on Tomcat that authenticates the user and stores information about them as session variables. We want to add reporting to this application which will require securely passing these values from the session to the WF Report server.

While I can freely access the session values within my application, session information is limited to the context it was created in so it's unavailable to the WF Servlet as that runs under a different context.

I know I can't be the only one doing this so what am I missing?

WF Server 7.1, WF Client installed on Tomcat as per the IBI instructions. No other IBI tools.
May 31, 2006, 04:27 PM
Tony A
A shot in the dark, but, any chance of using ASP or JSP etc. to pull out the session variables?

T



In FOCUS
since 1986
WebFOCUS Server 8.2.01M, thru 8.2.07 on Windows Svr 2008 R2  
WebFOCUS App Studio 8.2.06 standalone on Windows 10 
June 01, 2006, 08:27 AM
EJL
Thanks for the reply Tony.

Pulling the session variables out is easy - as long as you stay within the same application. Once you cross over to another application, the session variables are no longer available to the new app.

IBI has the WF Servlet designed to be installed as its own application separate from the customer's app. So I can't pull the session variables in the IBI Servlet app.

I can pull them in my app but I need some way to securely pass them to the WF Servlet. "Secure" meaning in a way that the HTML request cannot be spoofed by the user passing altered parameters.
June 01, 2006, 09:40 AM
Tony A
A rock and a hard place comes to mind Frowner



In FOCUS
since 1986
WebFOCUS Server 8.2.01M, thru 8.2.07 on Windows Svr 2008 R2  
WebFOCUS App Studio 8.2.06 standalone on Windows 10 
June 01, 2006, 09:55 AM
EJL
It feels that way. IBI is getting back to me today and they say they have a solution. I'll post it back here if it works so others can benefit.

What bugs me is this is such a basic thing. I can see where this isn't a problem if you are using the other IBI tools (which are out of our price range) but anyone doing a self-service app or trying to integrate WF into an existing application must have the same issue.
June 05, 2006, 10:43 PM
dhagen
EJL, This may sound simple, but this is actually hard to do. What you are asking is for a web application to inherit authentication that has already been done from another web application. This is so hard - in fact - that a lot of companies have made lots of money solving just this problem (e.g. ClearTrust, Siteminder, Entrust to name a few).

From where I stand, you have two choices:
- Look into session sharing if both web apps are on the same server - I haven't done this, but I've talked to people that say it is possible.
- Build your own personal two form authentication process (you really should do two form if you want to avoid spoofing). I have done this a couple of times with web focus.

Either way, you are going to have to develop some Java code, because you cannot do this with focus code.


"There is no limit to what you can achieve ... if you don’t care who gets the credit." Roger Abbott
June 06, 2006, 09:54 AM
EJL
I really hoped IBI would have given me a way to bring the IBI servlet functionality into the current application, thereby removing all the cross application security issues. That would have been easy for me.

Instead the solution seems to be leaning towards cookies. I'm still waiting on IBI documentation to see how secure we can actually make it. I think a a non-persistent, encrypted cookie, sent with a digital signature would do the trick.

I agree this isn't going to be in Focus code but I'm fine with that. We've got a lot of development options in our "toolbox".
June 06, 2006, 01:55 PM
dhagen
If all you are using is the WFServlet, then why not try bringing it in to you current app? If you deconstruct the web.xml, you should be able to pull all relavent content into your existing app.

Another option is to use the webfocus API. That way, you can call the webfocus app as Java functions from your existing app.

Just a couple of thoughts.


"There is no limit to what you can achieve ... if you don’t care who gets the credit." Roger Abbott
June 06, 2006, 03:27 PM
EJL
I didn't look into it myself but our lead developer investigated bringing in the WF Servlet and thought there would be issues so we decided to not go down that road thinking IBI had to have a cleaner way.

I've never heard of the WebFocus API but the overview I just read looks very promising. Is this a separate product? I wonder why IBI support didn't mention it as an option.

Almost forgot - Thanks a lot for the information. You've definitely given me some good stuff to research.
June 06, 2006, 05:30 PM
dhagen
To the best of my knowledge, the API is not a separate product. There is even a sample API app installed with the product. Look into:
.\ibi\WebFOCUSxx\samples\webapps for a simple example.


"There is no limit to what you can achieve ... if you don’t care who gets the credit." Roger Abbott
June 14, 2006, 10:34 AM
KevinG
EJL,

The WFAPI is documented in \ibi\WebFOCUSxx\ibi_html\javadoc

Hope this helps...
Kevin


WF 7.6.10 / WIN-AIX