Ok i dont know very much about java but i do know other languages that are similar. Anyway, I need to be able to tell webfocus to either redirect the user to a different page (if they do not have a session variable set to what i specify) or to allow them to pass through (if they do have the session variable set to what i specify). I have built sort of a test run servlet, but webfocus doesnt like it when i add the servlet stuff to the site.wfs file.

The samples in the security and administration manual do not give me enough information to do much of anything because they do not show a full example. I am really clueless as to what i need in the site.wfs file. Does anyone have any clue how i would do this?

here is my test code:
-------------------------------------------------


package Dashboard.Security;

import java.io.*;

import javax.servlet.*;
import javax.servlet.http.*;


public class DashSecure extends HttpServlet
{
public HttpServletRequest req;
public HttpServletResponse res;
private static final long serialVersionUID = 1L;
public DashSecure()
{
super();
}
public boolean check()
{
try
{
doGet(req,res);
}
catch (ServletException e)
{
// TODO Auto-generated catch block
e.printStackTrace();
}
catch (IOException e)
{
// TODO Auto-generated catch block
e.printStackTrace();
}
if (req.getParameter("Loggedin") != "TRUE")
{
try
{
res.sendRedirect("http://www.google.com");
}
catch (IOException e)
{
// TODO Auto-generated catch block
e.printStackTrace();
}
}
else
{
try
{
res.sendRedirect("http://www.yahoo.com");
}
catch (IOException e)
{
// TODO Auto-generated catch block
e.printStackTrace();
}
}
return true;
}
}

DHAGEN (on the FocalPoint forum) is the best person to try to contact - he's a security genius.

MrT,

As you already have guessed, you cannot call a Servlet from within a Servlet. You can call a Servlet from another Server. However, that requires funky session sharing (and I don�t really know how to do that).

I feel that your best bet would be to build a Java Filter. Filters are contained within the web application, and are called prior to the Servlet action, and therefore allow you to create sessions, or redirect user requests etc.

I can give you advice on what to do and how to do it, but I would really like to know a little more about your environment and what you are trying to do first.

1. What release of WF?
2. Is this: Self Service app, or BID, or MRE?
3. Will you be using Dev Studio after your process is in place?
4. Could you please explain the process of what should happen and why.

I've implemented Filters at multiple sites to facilitate some very funky security requirements. All of them required some sort of redirect action. When all is said and done, it will be easier on you if this can be implemented as a plug-in, if only because there is far fewer actions that you have to account for.

Regards.

MrT,

It is important to state what version of WebFOCUS you are using, If you are using UAS/MRE, Servlet/CGI, and If you have Report Caster to worry about as all the above must me considered when using a security filter and or security exit. If you are just wanting to check to see of a session variable exist you might be able to use the CopySessionVarToWFVar. I think this will work. You may have to play with it some I do not know what it would retrun of the session variable does not exist. A side not the session variable must be a on same box where the WebFOCUS Application server is, and you must be using Servlet. I do not recall exaclty what release of WebFOCUS the CopySessionVarToWFVar became available. Good Luck.

Hope this helps.

ok here is what we have: We are running webfocus version 5 3 3. The part that we are trying to protect is the public view of the dashboard. We are running reportcaster, BI dashboard, and MRE. I believe that only dashboard has public user access.

Our current security is based upon oracle applications. We have a web application, on oracle, that the public users log into. our oracle instance is on a different machine than our copy of webfocus. They also both use different web servers.

Here is what we have so far: The user logs into the oracle web application. From here they can navigate to the dashboard link. when they click this link to dashboard (a link to the public view) they will be redirected to an asp page on the webserver that has webfocus on it. This redirection has a few variables in the query string. The asp page takes the variables and calls a database procedure to check if the user is ok or not in the database. If they are ok then the asp page sets a session variable and redirects them to the dashboard public view. if they are not ok then the asp page redirects them to the oracle web application login page.

Here is what we need: We need a way to stop people from directly accessing the dashboard public view without logging into the oracle web application. We have been told by IBI that this is possible by using a servlet plug-in. So what I am trying to get this plug-in to do is look at the session variable. if the variable is not set or is set to something other than "TRUE" then i want the servlet to redirect the user to where ever i decide to send them.


I hope this all helps. Let me know if you need more specific information.

Mrt.

As a Systems Engineer for Information Builders, I take customer needs and concerns very serious especially when I comes to security. While it is possible to implement what you want to do without IBI's direct involvement, I am concerned with the impact to the additional products. If at all possible I would suggest you get with your local branch and see about getting our Security Team involved. I just don't what you over looking something that might come back to bite you. Sorry I can't be of more help.

MrT,

A tomcat filter would do the trick. I posted an example of a filter to the list a while ago.

https://forums.informationbuilders.com/eve/forums/a/...681008331#4681008331

Good luck.
-James

Oh, and if you ever get a security exit to work with Webfocus 5.3.3 please post the code. We were unable to get one working as the poor poor documentation contained errors, bugs, etc. Wasted quite a bit of time trying to get the servlet callable exit working. Eventually gave up and started using tomcat filters.
-James

MrT

A simpler way would be like this. However, I am not an expert and still recommend getting the security team involved.

Step 1. Edit the site.wfs file and put this in there.

 
<if> IBIMR_action EQ "MR_SIGNON" AND IBIMR_user.upper EQ "PUBLIC"
	httpsessionvar = mysessionvariable
	wfvar = MYVAR
	<call> CopySessionVarToWFVar(httpsessionvar,wfvar)
	<if> MYVAR NE "TRUE"
		<HTMLFORM> wfexterr.htm
		<EXIT>
	<endif>
<endif>

Step 2 create your own wfexterr.htm file and put it in the webfocus client web cgi directory.

PS Replace mysessionvar with the name of your session variable and then replace the TRUE with what ever value your http session variable should be.

Good Luck hope this helps, let us know!

This message has been edited. Last edited by: TexasStingray,

is there something i need to do to get the copysessionvartowfvar() function to work? I put that code in my site.wfs file and restarted IIS and it comes back with an error. I tried setting the variable to "TRUE" and it still gave the same error. here is the error:

quote:

An HTTP 500 error has been returned when attempting to communicate with the WebFOCUS web components. The application server log contains information on why this error has occurred. Contact your WebFOCUS Administrator or Information Builders Customer Support Services for further assistance.

I got this same error when trying to put any of the custom servlet calls in the site.wfs file too.

ok scratch that... i forgot to change the setting in the console back to ibi.webfoc.WFEXTDefault

Ok the error I posted earlier appears to be happening whenever is used. I was unsure as to why I kept getting errors, so I tried putting just the line in the site.wfs. Is there a problem with testing it this way? Is there something i need to set up for the redirection to work?

It is case sensitive. The error page that you create must do the rediredt for you. You might try just calling the function and see if that works. Then add the other code.

Try This:

MYVAR1 = MrT
httpsessionvar = MySessionVar1
wfvar = MYVAR1
<call> CopyWFVarToSessionVar(wfvar,httpsessionvar)

httpsessionvar = MySessionVar1
wfvar = MYVAR
<call> CopySessionVarToWFVar(httpsessionvar,wfvar)
<SET> MYVAR (pass)

Then in a focexec put
-TYPE &MYVAR

When you run te focexec it should display MrT

This will tell you if the 's are working

Scott

This message has been edited. Last edited by: TexasStingray,

Scott

Ok i will give that a go. The other issue i just found out yesterday is that the session variable that webfocus pulls is application specific not server specific; at least when using new atlanta it is. Are there other application servers that would allow me to pull from IIS session variables, or is there a way to do it with new atlanta?

That I do not know. Generally when I here about session variable I think of Application Server Session Variable (like New Atlanta, Tomcat, WebLogic, etc..). You might check and see of IIS session variable are automaticlly passes to a web application. if they are then you may be able to check for the existance of the variable. This is another reason to get IBI involved. Good Luck.

do you happen to know if there is a way to do the asp logic within a fex. By this I mean: Am I able to directly link to a fex with my variables in the query string. Have the fex pull these variables from the query string and call a procedure within an oracle database to check for validation. If the user is valid then set application server session variables saying they are ok. If they are not valid then send them to a URL of my choice. Is this functionality available in a fex?

By default all parameters that are part of a query string (methods get and post) are automaticlly passes to webfocus. Now if I understand you correctly. I think this is what you are saying.

1. You want to have a focexe that queries oracle and the procedure needs to accept parameters (say: id, token).

2. You want to have the focexec execute when a users runs a report.

YES, you can have a site_profile set up in the site.wfs to that your focexec executes for every request before the actual request runs.

I don't think this is going to give you what you really want.

im thinking more of having it run only when session variables are not set. To simplify what i am thinking of i will write it out in steps.

1) user logs into oracle web app.
2) user clicks the link to dashboard with data needed to authenticate in the query string.
3) when the user is sent to dashboard, site.wfs checks for a session variable to be set.
4) if the session variable is not set, it checks if the query string has the items in it needed to authenticate.
5) if session variables are not set and the items are not in the query string then redirect the user to the oracle web application log in.
6) if the session variables are not set but the items are present in the query string then the focexec is called to authenticate against the database.
7) if the user is authenticated then the focexec sets session variables and returns the user to the dashboard.
8) if the user is not authenticated then the focexec redirects them to the oracle web application log in page.

In that case you will need to create and exit to do the autentication against Oracle.

dang....The exit part is where I had the trouble to begin with. The documentation on those is horrible. I cant even get the sample to work.

MrT

Your best bet is to BUG IBI about this via Customer Support web site or on the phone. We gave up long ago trying to get this to work.

Documentation for this kind of thing should not contain typos! It's tricky enough as it is!

Good luck with customer support and let us know how it turns out.

Suzy

Did you get the simple CopySessionVarToWFVar working as stated above.

Unfortunately, FocalPoint is not the best place to have this level of dialog about a custom integration between your application and WebFOCUS.

I see some confusion in this thread... for example, it is not possible for a Java servlet executing inside of a servlet container to have access to an ASP session variable. It's also not possible for a servlet in one web app to see a Java session variable set in a different web app (though this is a complex topic and there may be a workaround in WebSphere).

It's also a bad idea to pass "authentication data" on a query string from one application to another unless cryptography is employed (and I don't mean SSL) though I may be misunderstanding what was meant in the thread on this point.

This sort of "loosely coupled" sign-on integration between different web-based applications is a complex topic which you should engage local IB consulting.

However because this dialog has been going on so long here, I'm going to ask customer support to reopen case 12512140 and contact you to arrange a con call. We can go over approaches we have seen customers take in this scenario. After all that is finished, you are welcome to post a summary on this thread for your fellow customers.