Focal Point
Bypass security check for self-service page

This topic can be found at:
https://forums.informationbuilders.com/eve/forums/a/tpc/f/7971057331/m/1161055462

January 04, 2008, 06:35 PM
DKWAN
Bypass security check for self-service page
Our reporting server is secured, and a signon page will be popped up when any self-service page is executed.
However, there is a new page that we would like to allow the public to see.
I'm told by the help line to hard-code a userid/pw in the html page or fex. This method is not the best because a VIEW SOURCE will show the id/pw to the world, so he suggested I seek help here.

Do you have any idea how I can accomplish the OPENup of an html page to the world? Thanks so much.




Prod: WebFOCUS 7.1.1 CGI - Self Service - Report Caster,Win2000/IIS
Output: HTML, Excel 2000 and PDF
January 04, 2008, 08:32 PM
dhagen
You could use a JSP page as the action of your form. That JSP page can then forward the request to the WFServlet, including the required IBIC_user, IBIC_pass and IBIF_ex parms. I suggest putting the IBIF_ex in the JSP so that it can only be used to execute that one report and not be a security problem.


"There is no limit to what you can achieve ... if you don't care who gets the credit." Roger Abbott
January 05, 2008, 03:19 PM
dhagen
Example of JSP to do this. Note: this has to be part of the web focus web application. This example assumes it is part of the root directory of the web application.

bypass.jsp
<jsp:directive.page language="java" import="java.util.*" />
<jsp:scriptlet>

    /**
     * check to see if someone is trying to run another IBIF_ex.
     * We are doing this because we cannot prevent a parameter from
     * being sent to the forwarded servlet call.  We want to prevent
     * a user from passing their own value of IBIF_ex.
     */
    String userId;
    String passWord;

    if (request.getParameter("IBIF_ex") == null) {
        /* put good userid and password here */
        userId = "good-userid";
        passWord = "good-password";
    } else {
        /* put bad userid and password here */
        userId = "bad-userid";
        passWord = "bad-password";
    }
	
</jsp:scriptlet>
<jsp:forward page="/WFServlet" >
     <jsp:param name="IBIF_ex"   value="carinst" />
     <jsp:param name="IBIC_user" value="<%= userId %>" />
     <jsp:param name="IBIC_pass" value="<%= passWord %>" />
     <jsp:param name="WF_AUTOSIGNON" value="NO" />
</jsp:forward>
  


Url examples:
 
 /ibi_apps/bypass.jsp
 /ibi_apps/bypass.jsp?COUNTRY=ENGLAND 



"There is no limit to what you can achieve ... if you don't care who gets the credit." Roger Abbott
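
The forwarding idea from the post above, written as a servlet that passes only allowlisted parameters to the forward target instead of testing for IBIF_ex alone. This is an added example, not code from the thread or from WebFOCUS. The class name, the context-param names publicReportUser and publicReportPass, and the COUNTRY value pattern are assumptions; it also assumes Servlet 3.0+ and that WFServlet reads its input through the standard servlet parameter methods.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example, not from the thread. Assumes Servlet 3.0+ (generic parameter map).
public class PublicReportServlet extends HttpServlet {
    // Assumption: COUNTRY is the only parameter the public report accepts.
    private static final Set<String> ALLOWED = Collections.singleton("COUNTRY");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        ServletContext ctx = getServletContext();
        // Hypothetical context-param names; keeps the account out of the page source.
        HttpServletRequest pinned = new Pinned(req,
                ctx.getInitParameter("publicReportUser"),
                ctx.getInitParameter("publicReportPass"));
        ctx.getRequestDispatcher("/WFServlet").forward(pinned, resp);
    }

    // Request view that exposes only allowlisted and pinned parameters.
    static final class Pinned extends HttpServletRequestWrapper {
        private final Map<String, String[]> params = new LinkedHashMap<>();

        Pinned(HttpServletRequest req, String user, String pass) {
            super(req);
            for (Map.Entry<String, String[]> e : req.getParameterMap().entrySet()) {
                String[] v = e.getValue();
                // Default deny: allowlisted name, single value, letters and spaces only.
                if (ALLOWED.contains(e.getKey()) && v.length == 1
                        && v[0].matches("[A-Za-z ]{1,40}")) {
                    params.put(e.getKey(), v.clone());
                }
            }
            // Pinned last, so no client-supplied value can replace them.
            params.put("IBIF_ex", new String[] {"carinst"});
            params.put("IBIC_user", new String[] {user});
            params.put("IBIC_pass", new String[] {pass});
            params.put("WF_AUTOSIGNON", new String[] {"NO"});
        }
        @Override public String getParameter(String n) {
            String[] v = params.get(n);
            return v == null ? null : v[0];
        }
        @Override public String[] getParameterValues(String n) { return params.get(n); }
        @Override public Map<String, String[]> getParameterMap() { return Collections.unmodifiableMap(params); }
        @Override public Enumeration<String> getParameterNames() { return Collections.enumeration(params.keySet()); }
    }
}
```

The account named in the context params should be one that is permitted to run only the public report, since anyone who can reach the servlet runs it with that account's rights.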
January 07, 2008, 05:47 PM
DKWAN
Thanks. Since I don't have much JSP or Java experience, I'll pass the code to another group to review.
Thanks again.




Prod: WebFOCUS 7.1.1 CGI - Self Service - Report Caster,Win2000/IIS
Output: HTML, Excel 2000 and PDF