I am looking for a way to secure a Public View in Dashboard. I have looked into using the existing security in Dashboard but it doesnt protect the public view at all. It would be nice if i could just have like an asp page that i could set to run before displaying any dashboard pages. Can anyone think of a solution? If you need more info just let me know. BTW We are running version 5 3 3.

nobody has any information at all?

MrT,

How secure are you looking for?
What security model do you have in place?
Is this for internal or external users?
Do you have a PKI or SSO environment you are trying to take advantage of?

I've got a few intallations with things like this, but I need something to go on to give you a proper recommendation.

Regards

Well first off, we have an oracle web app that is already doing authentication for us. We would like to just allow the users to access Dashboard if they have already been authenticated by the oracle web app. Otherwise toss them back to the sign on page. not sure what PKI is (Personal Key Identification? - just a wild guess).

So i guess we are just looking for it being as secure as the oracle web app security is. One issue we have is that the oracle web app is on a different web server than the Dashboard is on.

Let me know if you have any ideas or more questions.

oops forgot to add that the dashboard is used for internal and external users.

MrT,

Sorry for the delay, but I didn't want to lead you in a wrong direction.

First thing I would do, is contact your local IBI consulting staff. They have a lot of experience in dealing with different security engagements.

In the mean time (and knowing very little about your implementation), I feel the easiest way to do this is to write a WebFOCUS security plug-in. Building a plug-in is documented in the security manual from doc services. In the plug-in, you could re-authenticate the user against your oracle web app before displaying the public pages. Credentials can be passed to the webfocus app via encrypted http headers or cookies (or both).

If your intention is to use .asp, you might want to look into having your .Net app append a http header or cookie to the initial call to webfocus and the public pages. You can then check the content of the http header or cookie to determine if the user has be already authenticated by the web app. Using a header or cookie is not as secure as a plug-in, so you might want to consider encrypting the header or cookie using the webfocus.api from the .Net side, and de-crypt it at the webfocus side.

I realize that this doesn't directly answer your question, but experience has taught me that no two security implementations are the same. What worked on one site may not work on another. For this reason, I would suggest the IBI consulting route.

Regards

Greetings,

You can view and/or download the WebFOCUS Security and Administration manual (version 7.1: DN4500704.0905 or version 5.3: DN4500599.1204) from the Technical Documentation Library.

If you have an InfoResponse ID, login on the Tech Support web site and then access the Library. By logging in first, you can download the PDF file and/or view the HTMLHelp version.

You can access the Technical Documentation Library via the following Web sites:

• http://techsupport.informationbuilders.com
  (From the top navigation bar, click Publications. Then select Tech Library Home.)
  

• www.informationbuilders.com
  (From the top navigation bar, click Services & Support. Then select Documentation.)
  

• www.iwaysoftware.com
  (From the top navigation bar, click Services & Support. Then select Bookstore.)
  

Hope this helps.

Regards,
Jennifer

dhagen,

Thanks for the suggestions. I have already talked to the ibi tech support people. I specifically asked them if it was possible to secure a public view and they said "no". Then later I asked if it was possible to allow or deny access to a public view using a plugin or cgi exit and they said "Maybe". So I am getting a bit frustrated. It seems like something that should be really simple. I dont see why they dont have a public password that protects the public view. Meh... anyway, now that I know it is possible to use a plug in I will have to look into that further. We may end up just using site minder to take care of it though. If you have any other suggestions or questions about our set up let me know.

MrT,

What you want to do can be done. I have a customer here in Texas that uses the Public View of the dashboard. There Entire WebFOCUS environment is secured by the Central Authentication Server (CAS). To get to WebFOCUS you must first login to CAS. Then most of the users only have access to the public view of the dashboard because they are not defined in the UAS Repository. Depending on what variables the Oracle Application Server sets (HTTP Headers, Cookies, etc...). And if those variable are shared across the entire domain or if they can be passed to WebFOCUS. A Security Exit will more then likely be the way to go. PS the exit must be written in JAVA because the Dashboard requires the WebFOCUS Servlet and the Exit must be compatible with it. Please open a case with NY and try again with you local branch.

Hope this Info helps

MrT,

If you decide to use Siteminder, ask doc services for Tech Memo: 4539, DN4500608.0905. This is specifically for Siteminder for WebFOCUS versions 5.3 and 7.1. It will walk you through everything you need to do to implement.

MrT,

dhagen's suggestion is a perfect guide to implementing Siteminder. You can view or download Technical Memo 4539: Netegrity SiteMinder Integration with WebFOCUS 7.1 from the Technical Documentation Library.

You can follow the steps for accessing the Library in my previous post in this string.

Regards,
Jennifer

Thanks, I will look into those suggestions.