As of December 1, 2020, Focal Point is retired and repurposed as a reference repository. We value the wealth of knowledge that's been shared here over the years. You'll continue to have access to this treasure trove of knowledge, for search purposes only.

[SOLVED] report level security
Member
posted
Hi everyone,
I am very new to WebFOCUS and was assigned an important and challenging task: securing our reports. If anyone can give me some help, that will be very much appreciated. Here is the situation.

We have a standalone Java web application, using WebFOCUS 5.3 (will update to v7.6 soon) as the reporting tool. The reports will be on the reporting server. The users of this application will be public external users. Different users only have authority to view whatever reports they have paid for. The Java application has a logon page asking for user id and password and then populates a dropdown list with all the reports the user has authority to view. Finally, the Java application displays the report by redirecting to the WebFOCUS client using a link, for example http://Servername/ibi_apps/WFServlet?IBIF_ex=report.fex...=value1&para2=value2. Obviously, there is a big security problem with this solution. Anyone can just copy the report URL, paste it into the IE address box and view the report, bypassing the Java application logon page.

I did a lot of research and document reading. The easiest solution I can think of is using a hidden field in the Java page to store the report name and parameters, instead of putting everything in the URL. But this solution doesn't solve the problem completely because people can still find some clue from "View Source". My second solution is to write a fexexec (for example Main.Fex). In Main.Fex, call a Java class (check the user's access in this class) and, based on the return of this Java class, either EXIT or continue to display the real report.

I am wondering if I am going in the right direction. Does anyone have a similar situation like this, and how did you solve the problem?

Regards.

Alu



WF Server: 5.3.2, 7.1.6 on Unix, ReportCaster, Self-Service, MRE, Java
Output: HTML,PDF,Excel
WF Client: Tomcat, Servlet
 
Posts: 17 | Registered: November 03, 2008
Expert
posted
Alu,

How did you get in the Forum without updating your signature with your products, releases, and platforms? :) It would be easier to answer your question if we knew that information.

WebFOCUS has a security manual that you might want to check out. Also, you can use the Search tab and search for other posts on this same issue.

But once we know your configuration, we'll be able to give you better answers.


Ginny
---------------------------------
Prod: WF 7.7.01 Dev: WF 7.6.9-11
Admin, MRE,self-service; adapters: Teradata, DB2, Oracle, SQL Server, Essbase, ESRI, FlexEnable, Google
 
Posts: 2723 | Location: Ann Arbor, MI | Registered: April 05, 2006
Member
posted
Hi Ginny,

That's my question too. I did put in my signature when I registered. Why didn't it show up? Would you please let me know how to make it show up?

I did read the security manual and use the Search tab and found some very valuable information. That's how I have learned WebFOCUS so far. But I couldn't figure out a good solution. Maybe it is because I lack practical experience. I would very much like to get some suggestions regarding this.

Thanks

Alu


WF Server: 5.3.2, 7.1.6 on Unix, ReportCaster, Self-Service, MRE, Java
Output: HTML,PDF,Excel
WF Client: Tomcat, Servlet
 
Posts: 17 | Registered: November 03, 2008
Virtuoso
posted
As Ginny mentions, it's hard to give specifics without info on your operating environment, but here's a general answer. We do something similar, but the user is never able to see the link. The link is generated dynamically within the Java app after the user selects the report and the URL is never displayed. I'm not the Java guy so I don't have specifics, but it works.

Second item - do you have security turned on for your WF server? Sounds like you may not, in which case you're begging for security violations. There are ways to handle this authentication via your URL methodology, but that information also needs to be secured.

Third item - no offense to you, but assigning WF security to someone who is very new to WebFOCUS doesn't sound like a very sound business decision. We all have to start somewhere, I know, but security is a pretty advanced topic that shouldn't be tackled without a thorough reading of the WF security documentation and hopefully a little training.

Good luck with it. If you have more questions, maybe I can get some details from our Java developers.


Regards,

Darin



In FOCUS since 1991
WF Server: 7.7.04 on Linux and Z/OS, ReportCaster, Self-Service, MRE, Java, Flex
Data: DB2/UDB, Adabas, SQL Server Output: HTML,PDF,EXL2K/07, PS, AHTML, Flex
WF Client: 77 on Linux w/Tomcat
 
Posts: 2298 | Location: Salt Lake City, Utah | Registered: February 02, 2007
Gold member
posted
Create a separate security table with these user ids in there. You could use the &WF_Remote_user and have your fex check against the remote_user in the beginning of the program. If these individuals are not in the table, redirect them to a nodata page.


WF 7.6.10 /IIS 6/ JBoss Enterprise 4.3
Windows XP SP 2/Windows 2003 Server
MVS 7.3.3
 
Posts: 76 | Location: Hartford, CT | Registered: August 30, 2005
<JG>
posted
quote:
Different user only have authority to view whatever reports he has paid for

First thing that I would actually do is make sure that you are correctly licensed to offer WebFocus reporting as a subscription service.

A standard license does not allow the operation of a bureau service to external customers.
 
Member
posted
quote:
Different user only have authority to view whatever reports he has paid for


Hi JG,

I think I just used the wrong sentence to express the importance of securing the report. What I meant was that different users should only see the reports they are supposed to see. For example, financial data should only be open to a very limited number of people.


WF Server: 5.3.2, 7.1.6 on Unix, ReportCaster, Self-Service, MRE, Java
Output: HTML,PDF,Excel
WF Client: Tomcat, Servlet
 
Posts: 17 | Registered: November 03, 2008
Expert
posted
Now that we know that you are on a Unix platform, that clarifies the situation a bit.

As Darin asked, we still need to know whether you have operating security turned on in your reporting server.

Maybe you could do something like this assuming reporting server security is on. Secure all the subdirectories and files in ibi/apps to a single application id. If you could have the hidden field in the java page as you mentioned get passed to the WebFOCUS client, then you could check that field in the client node profile (which you can encrypt) for the reporting server. If the value is good, populate the IBIC_user and IBIC_pass variables with the application id and password.

If someone swipes the URL, they wouldn't have access to the hidden parm value, wouldn't know the application id, and would fail on credentials.


Ginny
---------------------------------
Prod: WF 7.7.01 Dev: WF 7.6.9-11
Admin, MRE,self-service; adapters: Teradata, DB2, Oracle, SQL Server, Essbase, ESRI, FlexEnable, Google
 
Posts: 2723 | Location: Ann Arbor, MI | Registered: April 05, 2006
Member
posted
Hi Darin,

I think I read some past posts by you regarding this issue last night. I am interested in how your Java developers call the report. Could you please get more detail from the Java guys?

Regarding your third item: thank you for your concern. I totally agree with you. That is why I said I was assigned an important and challenging task. I will take your advice and get the necessary WebFOCUS training. Also, I am going to read the WF security document at least three times.

Regards

Alu


WF Server: 5.3.2, 7.1.6 on Unix, ReportCaster, Self-Service, MRE, Java
Output: HTML,PDF,Excel
WF Client: Tomcat, Servlet
 
Posts: 17 | Registered: November 03, 2008
Member
posted
Thanks everybody for the kind suggestions. I will try them one by one.

Regards,

Alu


WF Server: 5.3.2, 7.1.6 on Unix, ReportCaster, Self-Service, MRE, Java
Output: HTML,PDF,Excel
WF Client: Tomcat, Servlet
 
Posts: 17 | Registered: November 03, 2008
Virtuoso
posted
Alu,

It seems to me that your problem is compounded by the structure of your Java application which uses the link in which both the fexname and the parameters are 'in clear'.

When we create self-service, highly parameterized applications for our users, we use our product WrapApp which has very stiff security built-in. It will display only those reports that the user is allowed to see (client security) and then will also check on the server if this user is allowed to run such a report. In this way, even if somebody has "stolen" the URL, unless that person has also logged on with a user-id that has permission to run that specific report, the report will not run.


Daniel
In Focus since 1982
wf 8.202M/Win10/IIS/SSA - WrapApp Front End for WF

 
Posts: 1980 | Location: Tel Aviv, Israel | Registered: March 23, 2006
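
The pattern several replies in this thread converge on (decide on the server, per request, whether the logged-on user may run the report, and build the WebFOCUS link only inside the Java app) can be sketched as follows. This is an added example, not code from any poster or from WrapApp; the class name, the entitlement map and the sample users and report names are constructed, and it assumes the WFServlet endpoint is reachable only from the application server, which fetches the report and streams it back to the browser.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.Set;

/** Added example: server-side entitlement check before a report request is built. */
public class ReportGate {
    // Constructed sample data standing in for a "security table" of user -> permitted reports.
    private static final Map<String, Set<String>> ENTITLEMENTS = Map.of(
            "alice", Set.of("sales.fex", "inventory.fex"),
            "bob", Set.of("finance.fex"));

    // Host name as written in the thread; assumed to be reachable only from the app server.
    private static final String WF_BASE = "http://Servername/ibi_apps/WFServlet";

    /** True only if the authenticated user is entitled to the named report. */
    static boolean isAllowed(String sessionUser, String report) {
        if (sessionUser == null || report == null) return false;
        return ENTITLEMENTS.getOrDefault(sessionUser, Set.of()).contains(report);
    }

    /**
     * Builds the internal report URL for an authorized request.
     * sessionUser must come from the server-side session, never from a
     * request parameter or hidden form field, which the browser controls.
     */
    static String buildInternalUrl(String sessionUser, String report, Map<String, String> params) {
        if (!isAllowed(sessionUser, report)) {
            throw new SecurityException("user not entitled to report");
        }
        StringBuilder url = new StringBuilder(WF_BASE)
                .append("?IBIF_ex=").append(URLEncoder.encode(report, StandardCharsets.UTF_8));
        for (Map.Entry<String, String> p : params.entrySet()) {
            // Encode names and values so a parameter cannot smuggle in extra query fields.
            url.append('&').append(URLEncoder.encode(p.getKey(), StandardCharsets.UTF_8))
               .append('=').append(URLEncoder.encode(p.getValue(), StandardCharsets.UTF_8));
        }
        return url.toString();
    }

    public static void main(String[] args) {
        System.out.println(buildInternalUrl("alice", "sales.fex", Map.of("para1", "value1")));
        try {
            buildInternalUrl("alice", "finance.fex", Map.of()); // not in alice's set
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

Because the check runs on every request against the session identity, a copied link to the Java app is useless without a logon that is entitled to that report, and the WFServlet URL itself never reaches the browser.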
Copyright © 1996-2020 Information Builders