Focal Point Banner


As of December 1, 2020, Focal Point is retired and repurposed as a reference repository. We value the wealth of knowledge that's been shared here over the years. You'll continue to have access to this treasure trove of knowledge, for search purposes only.

Join the TIBCO Community
TIBCO Community is a collaborative space for users to share knowledge and support one another in making the best use of TIBCO products and services. There are several TIBCO WebFOCUS resources in the community.

  • From the Home page, select Predict: WebFOCUS to view articles, questions, and trending articles.
  • Select Products from the top navigation bar, scroll, and then select the TIBCO WebFOCUS product page to view product overview, articles, and discussions.
  • Request access to the private WebFOCUS User Group (login required) to network with fellow members.

Former myibi community members should have received an email on 8/3/22 to activate their user accounts to join the community. Check your Spam folder for the email. Please get in touch with us at community@tibco.com for further assistance. Reference the community FAQ to learn more about the community.


Focal Point    Focal Point Forums  Hop To Forum Categories  WebFOCUS/FOCUS Forum on Focal Point     [SOLVED] Launching to self-service reports from extranet portal built using JSP page

Read-Only Read-Only Topic
Go
Search
Notify
Tools
[SOLVED] Launching to self-service reports from extranet portal built using JSP page
 Login/Join
 
<Joseph>
posted
What would be the best approach to having users that get authenticated through our extranet portal site built using JSP, to launch self-service reports written on the data server. Currently the client has a public dashboard and it launches a HTML page created by "layout painter", then launches the appropriate focexex based on the selected parameters. Currently the WF Server is unsecured, but we will secure it, so this probably means that we will have to pass credentials to the WF server.

One other thing is that the JSP page will need to pass the associated "id" from the user that logged into the extranet portal site and this "id" will need to be passed to the report running on the WF Server probably by making a call to the Servlet container with the appropriate parameters. Do you think this is the most efficient way?

This message has been edited. Last edited by: Kerry,
 
Report This Post
Darin Lee
Virtuoso
posted Hide Post
We run several report in a similar fashion, but to secure them properly, all of the parameter selection is handled by the JSP page. The URL is formed behind the scenes with all the appropriate parameter values along with a static set of credentials (set up to allow our "internet" users to access reports from our secure server). I would (obviously) suggest that those credentials be completely hidden from the users, but we also hide all parameter calues from the user as well so they cannot read the URL (via view source or some other way) and modify them to run for some other values that are not alowed for that user.

That would basically eliminate them from using the HTML page from layout painter because that could be easily viewed before submitting the form.


Regards,

Darin


In FOCUS since 1991
WF Server: 7.7.04 on Linux and Z/OS, ReportCaster, Self-Service, MRE, Java, Flex
Data: DB2/UDB, Adabas, SQL Server Output: HTML,PDF,EXL2K/07, PS, AHTML, Flex
WF Client: 77 on Linux w/Tomcat
 
Posts: 2298 | Location: Salt Lake City, Utah | Registered: February 02, 2007Report This Post
dhagen
Virtuoso
posted Hide Post
There are so many ways to do this. Before I suggest anything however, can you please tell me if your external portal is JSR 168 compliant?


"There is no limit to what you can achieve ... if you don’t care who gets the credit." Roger Abbott
 
Posts: 1102 | Location: Toronto, Ontario | Registered: May 26, 2004Report This Post
<Joseph>
posted
Thanks Dhagen,

I will find out this morning and respond back as soon as I can.

Do you agree with the above two posts?
 
Report This Post
dhagen
Virtuoso
posted Hide Post
Yes and no. Darin's comment is kind of vague, so it is really hard to tell what he is typing (for me anyway). My ears always perk up when people go on about hiding the URL. I don't really see the benefit of hiding it! If your security can be compromised by knowing a URL, or a view source, or something as simple as that, then maybe it is time to re-architect your security model.


"There is no limit to what you can achieve ... if you don’t care who gets the credit." Roger Abbott
 
Posts: 1102 | Location: Toronto, Ontario | Registered: May 26, 2004Report This Post
<Joseph>
posted
The question I got from my JAVA guy is what part needs to be JSR 168 compliant?



quote:
Originally posted by dhagen:
There are so many ways to do this. Before I suggest anything however, can you please tell me if your external portal is JSR 168 compliant?
 
Report This Post
dhagen
Virtuoso
posted Hide Post
There really isn't a part, it either is or is not. My guess here is that this is a custom built portal that was purpose built, with no real concerns or requirements for open technology concepts. That's still ok, it just limits what you can do.

So, if you want to pass the user in a secured way, I would recommend building your own multi-factor authentication. You could then use proxy accounts to connect to the WFRS. The steps would be as follows:

1. Have the portal write the following to a database table:
- Userid, DateTime Stamp, Unique Id, User's remote ip address.
2. When the call is made to WF, you would then pass the Unique Id to the request.
3. Build a Java Filter that you should implement in the WF web application that will:
- grab the Unique Id with the request.
- Query the table from step 1 and retrieve the Userid, DateTime Stamp, and Remote IP address.
- The filter would then verify:
- The Time is less then 2 seconds old.
- The Remote IP's are the same.
- if all is ok, then the Userid should be written to the java session (that way the next request will not have to repeat the query).
- Wrap the HttpRequest and override the getRemoteUser() method and have it return the new Userid.

Now you can configure the WF client to trusted mode with the remote user as the valid userid.

If this sounds like too much, you might want to pass it to your Java guy. He will be able to make sense of what I just typed.
-

This message has been edited. Last edited by: dhagen,


"There is no limit to what you can achieve ... if you don’t care who gets the credit." Roger Abbott
 
Posts: 1102 | Location: Toronto, Ontario | Registered: May 26, 2004Report This Post
<Joseph>
posted
Thanks Dhagen,

I spoke with our Java guy and he made a proposal to pass the variables (session id {key}, user id, datatime stamp) to a proxy. I guess that is what you stated in #3, building a java filter. It would seem that we can run this java servlet in the same tomcat container as a servlet and would do the options that you stated in #3.

However, I'm still a little unclear as to how the HTML parameter page will need to change. Do we have to modify the HTML page or because the java filter will handle the authentication of the user and session and then could probably launch to the HTML page via a POST.

Then would we be secure after that point? Would the user be able to copy that URL of the parameter page and launch to another report via scraping the URL.



quote:
Originally posted by dhagen:
There really isn't a part, it either is or is not. My guess here is that this is a custom built portal that was purpose built, with no real concerns or requirements for open technology concepts. That's still ok, it just limits what you can do.

So, if you want to pass the user in a secured way, I would recommend building your own multi-factor authentication. You could then use proxy accounts to connect to the WFRS. The steps would be as follows:

1. Have the portal write the following to a database table:
- Userid, DateTime Stamp, Unique Id, User's remote ip address.
2. When the call is made to WF, you would then pass the Unique Id to the request.
3. Build a Java Filter that you should implement in the WF web application that will:
- grab the Unique Id with the request.
- Query the table from step 1 and retrieve the Userid, DateTime Stamp, and Remote IP address.
- The filter would then verify:
- The Time is less then 2 seconds old.
- The Remote IP's are the same.
- if all is ok, then the Userid should be written to the java session (that way the next request will not have to repeat the query).
- Wrap the HttpRequest and override the getRemoteUser() method and have it return the new Userid.

Now you can configure the WF client to trusted mode with the remote user as the valid userid.

If this sounds like too much, you might want to pass it to your Java guy. He will be able to make sense of what I just typed.
-
 
Report This Post
dhagen
Virtuoso
posted Hide Post
quote:
Originally posted by Joseph:
However, I'm still a little unclear as to how the HTML parameter page will need to change. Do we have to modify the HTML page or because the java filter will handle the authentication of the user and session and then could probably launch to the HTML page via a POST.


Your assumptions are correct in that you should not have to modify the HTML page at all, as the filter will handle the authentication. Secondly, I would always recommend that you use a POST process where ever you can.


"There is no limit to what you can achieve ... if you don’t care who gets the credit." Roger Abbott
 
Posts: 1102 | Location: Toronto, Ontario | Registered: May 26, 2004Report This Post
  Powered by Social Strata  

Read-Only Read-Only Topic

Focal Point    Focal Point Forums  Hop To Forum Categories  WebFOCUS/FOCUS Forum on Focal Point     [SOLVED] Launching to self-service reports from extranet portal built using JSP page

Copyright © 1996-2020 Information Builders