January 04, 2008, 06:35 PM
DKWAN
Bypass security check for self-service page
Our reporting server is secured, and a signon page will pop up when any self-service page is executed.
However, there is a new page that we would like to allow the public to see.
I was told by the help line to hard-code a userid/pw in the HTML page, or fex. This method is not the best because a VIEW SOURCE will show the id/pw to the world, so he suggested I seek help here.
Do you have any idea how I can accomplish the opening up of an HTML page to the world? Thanks so much.
January 04, 2008, 08:32 PM
dhagen
You could use a JSP page as the action of your form. That JSP page can then forward the request to the WFServlet, including the required IBIC_user, IBIC_pass and IBIF_ex parms. I suggest putting the IBIF_ex in the JSP so that it can only be used to execute that one report and not be a security problem.
January 05, 2008, 03:19 PM
dhagen
Example of a JSP to do this. Note: this has to be part of the WebFOCUS web application. This example assumes it is part of the root directory of the web application.
bypass.jsp
<jsp:directive.page language="java" import="java.util.*" />
<jsp:scriptlet>
    /**
     * check to see if someone is trying to run another IBIF_ex.
     * We are doing this because we cannot prevent a parameter from
     * being sent to the forwarded servlet call. We want to prevent
     * a user from passing their own value of IBIF_ex.
     */
    String userId;
    String passWord;
    if (request.getParameter("IBIF_ex") == null) {
        /* put good userid and password here */
        userId = "good-userid";
        passWord = "good-password";
    } else {
        /* put bad userid and password here */
        userId = "bad-userid";
        passWord = "bad-password";
    }
</jsp:scriptlet>
<jsp:forward page="/WFServlet" >
    <jsp:param name="IBIF_ex" value="carinst" />
    <jsp:param name="IBIC_user" value="<%= userId %>" />
    <jsp:param name="IBIC_pass" value="<%= passWord %>" />
    <jsp:param name="WF_AUTOSIGNON" value="NO" />
</jsp:forward>
URL examples:
/ibi_apps/bypass.jsp
/ibi_apps/bypass.jsp?COUNTRY=ENGLAND
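An added example, not part of dhagen's post or of WebFOCUS: one way to tighten the forwarding approach above is to allow-list the parameters the JSP passes on, so a request carrying IBIF_ex or any other unexpected name is refused outright instead of being forwarded with bad credentials. The class name, the allow-list, the value pattern and the REPORT_USER/REPORT_PASS environment variables are assumptions; the input map has the shape of HttpServletRequest.getParameterMap().

```java
import java.util.*;

/** Added example: allow-list gate for the parameters bypass.jsp forwards to /WFServlet. */
public class PublicReportGate {
    // Hypothetical allow-list: only what the public report needs (COUNTRY is from the URL example).
    static final Set<String> ALLOWED = Set.of("COUNTRY");
    static final int MAX_VALUE_LENGTH = 40; // assumed limit for a report parameter value

    /**
     * Returns the exact parameter set to forward, or empty if the request
     * carries anything outside the allow-list (IBIF_ex, IBIC_user, ...).
     */
    static Optional<Map<String, String>> forwardParams(
            Map<String, String[]> request, String report, String user, String pass) {
        Map<String, String> out = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> e : request.entrySet()) {
            String name = e.getKey();
            String[] values = e.getValue();
            if (!ALLOWED.contains(name)) return Optional.empty();  // unknown or reserved name
            if (values.length != 1) return Optional.empty();       // duplicated parameter
            if (!values[0].matches("[A-Za-z ]{1," + MAX_VALUE_LENGTH + "}")) return Optional.empty();
            out.put(name, values[0]);
        }
        // Server-side values are added last so nothing from the client can replace them.
        out.put("IBIF_ex", report);
        out.put("IBIC_user", user);
        out.put("IBIC_pass", pass);
        out.put("WF_AUTOSIGNON", "NO");
        return Optional.of(out);
    }

    public static void main(String[] args) {
        // Assumption: credentials come from server configuration, not from the page source.
        String user = System.getenv().getOrDefault("REPORT_USER", "placeholder-user");
        String pass = System.getenv().getOrDefault("REPORT_PASS", "placeholder-pass");

        // Constructed requests, shaped like HttpServletRequest.getParameterMap().
        Map<String, String[]> ok = Map.of("COUNTRY", new String[] {"ENGLAND"});
        Map<String, String[]> override = Map.of("IBIF_ex", new String[] {"otherfex"});
        Map<String, String[]> mixed = new LinkedHashMap<>();
        mixed.put("COUNTRY", new String[] {"ENGLAND"});
        mixed.put("IBIC_user", new String[] {"someone"});

        // Only parameter names are printed, so the password never reaches the console.
        System.out.println(forwardParams(ok, "carinst", user, pass).map(Map::keySet));
        System.out.println(forwardParams(override, "carinst", user, pass).isPresent());
        System.out.println(forwardParams(mixed, "carinst", user, pass).isPresent());
    }
}
```

In the JSP, an empty result would map to an error response rather than a forward, and the report account itself should be limited to the one public report.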
January 07, 2008, 05:47 PM
DKWAN
Thanks. Since I do not have much JSP or Java experience, I'll pass the code to another group to review.
Thanks again.