As of December 1, 2020, Focal Point is retired and repurposed as a reference repository. We value the wealth of knowledge that's been shared here over the years. You'll continue to have access to this treasure trove of knowledge, for search purposes only.
I have stored usernames and passwords in a Sybase database. This database and user details are used across multiple web applications across the enterprise. We have recently started exploring WebFOCUS for our reporting purposes.
We would like to use the user details available in the Sybase database for our authentication purposes.
How can I use this database for authenticating WebFOCUS end-users? Are there any in-built (out-of-the-box) features available in WebFOCUS which can be leveraged?
Please suggest some good alternative solutions as well.
You asked for "out of the box", which WF offers in a basic format using the business intelligence dashboard (BID) module and a separate user list managed via the managed reporting environment (MRE). You can switch to an external directory for authentication and use the MRE for domain authorization, or use an external directory for both functions.
Unfortunately WF 7.x does not have a predefined configuration for Sybase as an external authentication directory. I am not sure if you can add to the list, or if it is hard-coded.
That being said, there's no reason you couldn't use a custom solution: JSP (if your web server is Tomcat) or ASP (if your web server is IIS). You would write a login page that connects to your Sybase DB via JDBC/ODBC and authenticates the user. You could set a variable (i.e. Authenticated Y/N) and each report launch page would do an include that checks for this variable's status.
Hope this helps a bit.
-WebFOCUS 8.2.01 on Windows
Posts: 318 | Location: Los Angeles, CA | Registered: November 15, 2005
MRE/UAS/Dashboard provides some integration for authentication/authorization. However, it does not authenticate a user to a row/column in a database; it authenticates by seeing if that userid/password combination can connect to the database. If you are trying to authenticate WebFOCUS and not MRE/UAS/Dashboard, an option would be to create a WebFOCUS Exit. The Exit can then do whatever it needs to do to authenticate the user, such as a JDBC connection to a database and run a SQL SELECT statement, and return to WebFOCUS a value that would then be validated. Check out the WebFOCUS Security Administration Manual.
EJL is correct about spoofing; that is a big concern if the application is an internet application. It can still be a concern if the application is an intranet application. If there is a concern, then always use an SSL certificate.
Even an encrypted session won't prevent someone from looking at the HTML page source in a browser and seeing the necessary hidden values. It's not hard to guess what change to make if you see "authenticated=N".
How locked down you have your application, and how your servers are configured will determine whether seeing these values allows them to successfully throw a spoofed request back to your servers.
It can be overkill to worry about some of this or it can be exactly what you should be concerned about. It all depends on the situation.
OK, here is how I would do it, that is, if I had to authenticate to a database table row/column. First, I would ensure that my HTML page that I used to have the users enter their ID/passwords was using SSL so that when that page is sent back to the server the information being sent is encrypted. I would not care if someone looked at the source code. Second, I would create a WebFOCUS Exit that I would call and pass the parameters to ID/Password. The Exit would just authenticate and return true (valid) or false (invalid). Then I would check that value; if it was true, I would create Java session variables; this way nothing is sent/stored on the client side (spoofing could not access it). If it was false, I would redirect them to some other page. This is just a high-level explanation of the flow of things. For details on each step, see the WebFOCUS Security Administration Manual.
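The flow discussed in the posts above, written as a servlet filter for the Tomcat/JSP case. This is an added example, not code from the thread or from WebFOCUS; it assumes the `javax.servlet` API and a filter mapping over the report pages, and the names `AuthFilter`, `authUser` and `/login.jsp` are hypothetical. The credential check itself (the Exit or the Sybase lookup) is outside the example and is assumed to have returned true before `establishSession` is called.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Gate report pages on server-side session state, never on a request field. */
public class AuthFilter implements Filter {
    // Hypothetical names chosen for this example.
    static final String SESSION_USER = "authUser";
    static final String LOGIN_PAGE = "/login.jsp";

    /** Call from the login handler only after the credential check succeeded. */
    public static void establishSession(HttpServletRequest req, String userId) {
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();                 // discard the pre-login session id
        }
        HttpSession fresh = req.getSession(true);
        fresh.setAttribute(SESSION_USER, userId); // kept on the server, not in HTML
    }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // req.getParameter("authenticated") is deliberately never read: a hidden
        // field or query parameter is client-controlled, so "authenticated=Y"
        // in a request proves nothing about the caller.
        HttpSession session = req.getSession(false); // no session for anonymous hits
        boolean loggedIn = session != null
                && session.getAttribute(SESSION_USER) != null;

        // The login page (and its form POST back to itself) must stay reachable.
        boolean isLoginPage = LOGIN_PAGE.equals(req.getServletPath());

        if (loggedIn || isLoginPage) {
            chain.doFilter(rq, rs);
        } else {
            res.sendRedirect(req.getContextPath() + LOGIN_PAGE);
        }
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

The browser only ever holds the opaque session cookie, so viewing the page source reveals nothing that can be flipped to gain access; the cookie itself still needs SSL to stay confidential in transit.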