Focal Point
Third-party authentication

This topic can be found at:
https://forums.informationbuilders.com/eve/forums/a/tpc/f/7971057331/m/7921096781

September 26, 2006, 03:42 AM
sathyanveshi
Third-party authentication
Hi,

I have stored usernames and passwords in a Sybase database. This database and user details are used across multiple web applications across the enterprise. We have recently started exploring WebFOCUS for our reporting purposes.

We would like to use the user details available in the Sybase database for our authentication purposes.

How can I use this database for authenticating WebFOCUS end-users? Are there any in-built (out-of-the-box) features available in WebFOCUS which can be leveraged?

Please suggest some good alternative solutions as well.

Thanks...

Cheers,
Mohan
September 26, 2006, 03:26 PM
Moogle
Hi Mohan,

You asked for "out of the box", which WF offers in a basic format using the business intelligence dashboard (BID) module and a separate user list managed via the managed reporting environment (MRE). You can switch to an external directory for authentication and use the MRE for domain authorization, or use an external directory for both functions.

Unfortunately WF 7.x does not have a predefined configuration for Sybase as an external authentication directory. I am not sure if you can add to the list, or if it is hard-coded.

That being said, there's no reason you couldn't use a custom solution: JSP (if your web server is Tomcat) or ASP (if your web server is IIS). You would write a login page that connects to your Sybase db via JDBC/ODBC and authenticates the user. You could set a variable (i.e. Authenticated Y/N) and each report launch page would do an include that checks for this variable's status.

Hope this helps a bit.

Cheers,

Joey


-WebFOCUS 8.2.01 on Windows
September 28, 2006, 10:20 AM
TexasStingray
MRE/UAS/Dashboard provides some integration for authentication/authorization. However, it does not authenticate a user to a row/column in a database; it authenticates by seeing if that userid/password combination can connect to the database. If you are trying to authenticate WebFOCUS and not MRE/UAS/Dashboard, an option would be to create a WebFOCUS Exit. The Exit can then do whatever it needs to do to authenticate the user, such as making a JDBC connection to a database and running a SQL SELECT statement, and return to WebFOCUS a value that would then be validated. Check out the WebFOCUS Security Administration Manual.

Scott




Scott

Just remember that anything being passed in plain text from an HTML page on the end user's browser to the WF Servlet can be spoofed. This includes "hidden" fields in the HTML.
EJL is correct about spoofing; that is a big concern if the application is an internet application. It can still be a concern if the application is an intranet application. If there is a concern, then always use an SSL certificate.




Scott

Even an encrypted session won't prevent someone from looking at the HTML page source in a browser and seeing the necessary hidden values. It's not hard to guess what change to make if you see "authenticated=N"

How locked down you have your application, and how your servers are configured will determine whether seeing these values allows them to successfully throw a spoofed request back to your servers.

It can be overkill to worry about some of this or it can be exactly what you should be concerned about. It all depends on the situation.
OK, here is how I would do it, that is, if I had to authenticate to a database table row/column. First, I would ensure that the HTML page I used to have the users enter their ID/passwords was using SSL, so that when that page is sent back to the server the information being sent is encrypted. I would not care if someone looked at the source code. Second, I would create a WebFOCUS Exit that I would call and pass the ID/Password parameters to. The Exit would just authenticate and return true (valid) or false (invalid). Then I would check that value; if it was true, I would create Java session variables, this way nothing is sent/stored on the client side (spoofing could not access it). If it was false, I would redirect them to some other page. This is just a high-level explanation of the flow of things. For details on each step, see the WebFOCUS Security Administration Manual.

Hope this helps




Scott
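
Added example, not from any poster in this thread and not WebFOCUS code: a Python sketch of the flow discussed above, where the authenticated state is kept in a server-side session instead of a hidden "authenticated=Y/N" field, so a spoofed request parameter has no effect. The user table, `check_credentials` (standing in for the exit), the PBKDF2 hashing and the `session_id` cookie name are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the user table the thread keeps in Sybase.
# Storing a salted PBKDF2 hash is an assumption of this sketch.
_SALT = b"constructed-salt"
USERS = {"mohan": hashlib.pbkdf2_hmac("sha256", b"s3cret!", _SALT, 100_000)}

# Server-side session store: session id -> user id. Never sent to the browser.
SESSIONS = {}


def check_credentials(user, password):
    """Hypothetical stand-in for the exit: returns True (valid) or False."""
    stored = USERS.get(user)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    # Always run the comparison so timing does not reveal which ids exist.
    matches = hmac.compare_digest(candidate, stored or b"\0" * 32)
    return matches and stored is not None


def login(form):
    """Return a new opaque session id on success, None on failure."""
    if not check_credentials(form.get("user", ""), form.get("password", "")):
        return None
    sid = secrets.token_urlsafe(32)  # unguessable; the only value the client holds
    SESSIONS[sid] = form["user"]
    return sid


def run_report(cookies, params):
    """Authorize from server-side state only; request fields are never trusted."""
    user = SESSIONS.get(cookies.get("session_id", ""))
    if user is None:
        return (302, "/login")  # an 'authenticated=Y' in params changes nothing
    return (200, f"report {params.get('report', '')} for {user}")


def logout(cookies):
    """Drop the server-side record so the session id stops working."""
    SESSIONS.pop(cookies.get("session_id", ""), None)
```

The session id still travels in a cookie, so the SSL recommendation from the thread applies to every page, not only the login form.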