As of December 1, 2020, Focal Point is retired and repurposed as a reference repository. We value the wealth of knowledge that's been shared here over the years. You'll continue to have access to this treasure trove of knowledge, for search purposes only.

custom security exits (servlets)
 
Member
posted
OK, I don't know very much about Java, but I do know other languages that are similar. Anyway, I need to be able to tell WebFOCUS to either redirect the user to a different page (if they do not have a session variable set to what I specify) or to allow them to pass through (if they do have the session variable set to what I specify). I have built sort of a test run servlet, but WebFOCUS doesn't like it when I add the servlet stuff to the site.wfs file.

The samples in the security and administration manual do not give me enough information to do much of anything because they do not show a full example. I am really clueless as to what I need in the site.wfs file. Does anyone have any clue how I would do this?

Here is my test code:
-------------------------------------------------


package Dashboard.Security;

import java.io.*;

import javax.servlet.*;
import javax.servlet.http.*;


public class DashSecure extends HttpServlet
{
    // Nothing in this class assigns req or res; the caller has to set them
    // before check() is used.
    public HttpServletRequest req;
    public HttpServletResponse res;
    private static final long serialVersionUID = 1L;

    public DashSecure()
    {
        super();
    }

    public boolean check()
    {
        try
        {
            doGet(req, res);
        }
        catch (ServletException e)
        {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }
        catch (IOException e)
        {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }
        // Compare string content with equals(); != only compares object
        // references and is true even when the parameter is "TRUE".
        // Note that getParameter() reads a request parameter, not a session variable.
        if (!"TRUE".equals(req.getParameter("Loggedin")))
        {
            try
            {
                // Not flagged as logged in
                res.sendRedirect("http://www.google.com");
            }
            catch (IOException e)
            {
                // TODO Auto-generated catch block
                e.printStackTrace();
            }
        }
        else
        {
            try
            {
                // Flagged as logged in
                res.sendRedirect("http://www.yahoo.com");
            }
            catch (IOException e)
            {
                // TODO Auto-generated catch block
                e.printStackTrace();
            }
        }
        return true;
    }
}
 
Posts: 16 | Location: Portland | Registered: October 13, 2005
Expert
posted
DHAGEN (on the FocalPoint forum) is the best person to try to contact - he's a security genius.
 
Posts: 10577 | Location: Toronto, Ontario, Canada | Registered: April 27, 2005
Virtuoso
posted
MrT,

As you already have guessed, you cannot call a Servlet from within a Servlet. You can call a Servlet from another Server. However, that requires funky session sharing (and I don't really know how to do that).

I feel that your best bet would be to build a Java Filter. Filters are contained within the web application, and are called prior to the Servlet action, and therefore allow you to create sessions, or redirect user requests etc.

I can give you advice on what to do and how to do it, but I would really like to know a little more about your environment and what you are trying to do first.

1. What release of WF?
2. Is this: Self Service app, or BID, or MRE?
3. Will you be using Dev Studio after your process is in place?
4. Could you please explain the process of what should happen and why.

I've implemented Filters at multiple sites to facilitate some very funky security requirements. All of them required some sort of redirect action. When all is said and done, it will be easier on you if this can be implemented as a plug-in, if only because there are far fewer actions that you have to account for.

Regards.
 
Posts: 1102 | Location: Toronto, Ontario | Registered: May 26, 2004
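
An example of the kind of Java Filter described in the post above, added here and not code from the thread or from Information Builders. The class name SessionGateFilter, the Loggedin attribute and the loginUrl init-param are assumptions, and the attribute has to be set by code running in the same web application as the filter.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: class name, attribute name and init-param are assumptions.
public class SessionGateFilter implements Filter {
    private static final String ATTR = "Loggedin";   // assumed session attribute
    private String loginUrl;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        // The redirect target comes from web.xml only, never from the request,
        // so the filter cannot be used as an open redirect.
        loginUrl = cfg.getInitParameter("loginUrl");
        if (loginUrl == null || loginUrl.isEmpty()) {
            throw new ServletException("loginUrl init-param is required");
        }
    }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // getSession(false): do not create a session for an anonymous visitor.
        HttpSession session = req.getSession(false);
        Object flag = (session == null) ? null : session.getAttribute(ATTR);

        // Constant-first equals() is null-safe and compares content.
        if ("TRUE".equals(flag)) {
            chain.doFilter(req, res);   // flag present: continue to the servlet
            return;
        }
        // Missing session, missing flag or any other value: fail closed.
        res.setHeader("Cache-Control", "no-store");
        res.sendRedirect(loginUrl);
    }

    @Override
    public void destroy() { }
}
```

The filter is registered with a filter and filter-mapping entry in the web application's web.xml, mapped to the URL pattern that needs protecting.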
Master
posted
MrT,

It is important to state what version of WebFOCUS you are using, if you are using UAS/MRE, Servlet/CGI, and if you have Report Caster to worry about, as all of the above must be considered when using a security filter and/or security exit. If you just want to check to see if a session variable exists, you might be able to use the CopySessionVarToWFVar. I think this will work. You may have to play with it some; I do not know what it would return if the session variable does not exist. A side note: the session variable must be on the same box where the WebFOCUS Application server is, and you must be using Servlet. I do not recall exactly what release of WebFOCUS the CopySessionVarToWFVar became available. Good luck.

Hope this helps.
 
Posts: 865 | Registered: May 24, 2004
Member
posted
OK, here is what we have: We are running WebFOCUS version 5 3 3. The part that we are trying to protect is the public view of the dashboard. We are running ReportCaster, BI Dashboard, and MRE. I believe that only Dashboard has public user access.

Our current security is based upon Oracle applications. We have a web application, on Oracle, that the public users log into. Our Oracle instance is on a different machine than our copy of WebFOCUS. They also both use different web servers.

Here is what we have so far: The user logs into the Oracle web application. From here they can navigate to the dashboard link. When they click this link to dashboard (a link to the public view) they will be redirected to an ASP page on the web server that has WebFOCUS on it. This redirection has a few variables in the query string. The ASP page takes the variables and calls a database procedure to check if the user is OK or not in the database. If they are OK then the ASP page sets a session variable and redirects them to the dashboard public view. If they are not OK then the ASP page redirects them to the Oracle web application login page.

Here is what we need: We need a way to stop people from directly accessing the dashboard public view without logging into the Oracle web application. We have been told by IBI that this is possible by using a servlet plug-in. So what I am trying to get this plug-in to do is look at the session variable. If the variable is not set or is set to something other than "TRUE" then I want the servlet to redirect the user to wherever I decide to send them.


I hope this all helps. Let me know if you need more specific information.
 
Posts: 16 | Location: Portland | Registered: October 13, 2005
Master
posted
Mrt.

As a Systems Engineer for Information Builders, I take customer needs and concerns very seriously, especially when it comes to security. While it is possible to implement what you want to do without IBI's direct involvement, I am concerned with the impact on the additional products. If at all possible I would suggest you get with your local branch and see about getting our Security Team involved. I just don't want you overlooking something that might come back to bite you. Sorry I can't be of more help.




Scott

 
Posts: 865 | Registered: May 24, 2004
Gold member
posted
MrT,

A tomcat filter would do the trick. I posted an example of a filter to the list a while ago.

https://forums.informationbuilders.com/eve/forums/a/...681008331#4681008331

Good luck.
-James


WF 7.1.6 moving to WF 7.7, Solaris 10, HTML,PDF,XL
 
Posts: 83 | Location: Dartmouth Hitchcock Medical Center | Registered: April 17, 2003
Gold member
posted
Oh, and if you ever get a security exit to work with Webfocus 5.3.3 please post the code. We were unable to get one working as the poor poor documentation contained errors, bugs, etc. Wasted quite a bit of time trying to get the servlet callable exit working. Eventually gave up and started using tomcat filters.
-James


WF 7.1.6 moving to WF 7.7, Solaris 10, HTML,PDF,XL
 
Posts: 83 | Location: Dartmouth Hitchcock Medical Center | Registered: April 17, 2003
Master
posted
MrT

A simpler way would be like this. However, I am not an expert and still recommend getting the security team involved.

Step 1. Edit the site.wfs file and put this in there.

 
<if> IBIMR_action EQ "MR_SIGNON" AND IBIMR_user.upper EQ "PUBLIC"
	httpsessionvar = mysessionvariable
	wfvar = MYVAR
	<call> CopySessionVarToWFVar(httpsessionvar,wfvar)
	<if> MYVAR NE "TRUE"
		<HTMLFORM> wfexterr.htm
		<EXIT>
	<endif>
<endif>

Step 2. Create your own wfexterr.htm file and put it in the WebFOCUS client web cgi directory.

PS Replace mysessionvar with the name of your session variable and then replace the TRUE with whatever value your HTTP session variable should be.

Good luck, hope this helps, let us know!

This message has been edited. Last edited by: TexasStingray,




Scott

 
Posts: 865 | Registered: May 24, 2004
Member
posted
Is there something I need to do to get the copysessionvartowfvar() function to work? I put that code in my site.wfs file and restarted IIS and it comes back with an error. I tried setting the variable to "TRUE" and it still gave the same error. Here is the error:

quote:
An HTTP 500 error has been returned when attempting to communicate with the WebFOCUS web components. The application server log contains information on why this error has occurred. Contact your WebFOCUS Administrator or Information Builders Customer Support Services for further assistance.


I got this same error when trying to put any of the custom servlet calls in the site.wfs file too.
 
Posts: 16 | Location: Portland | Registered: October 13, 2005
Member
posted
OK, scratch that... I forgot to change the setting in the console back to ibi.webfoc.WFEXTDefault
 
Posts: 16 | Location: Portland | Registered: October 13, 2005
Member
posted
Ok the error I posted earlier appears to be happening whenever is used. I was unsure as to why I kept getting errors, so I tried putting just the line in the site.wfs. Is there a problem with testing it this way? Is there something i need to set up for the redirection to work?
 
Posts: 16 | Location: Portland | Registered: October 13, 2005
Master
posted
It is case sensitive. The error page that you create must do the redirect for you. You might try just calling the function and see if that works. Then add the other code.

Try This:

MYVAR1 = MrT
httpsessionvar = MySessionVar1
wfvar = MYVAR1
<call> CopyWFVarToSessionVar(wfvar,httpsessionvar)

httpsessionvar = MySessionVar1
wfvar = MYVAR
<call> CopySessionVarToWFVar(httpsessionvar,wfvar)
<SET> MYVAR (pass)


Then in a focexec put
-TYPE &MYVAR

When you run the focexec it should display MrT

This will tell you if the 's are working

Scott

This message has been edited. Last edited by: TexasStingray,




Scott

 
Posts: 865 | Registered: May 24, 2004
Member
posted
OK, I will give that a go. The other issue I just found out yesterday is that the session variable that WebFOCUS pulls is application specific, not server specific; at least when using New Atlanta it is. Are there other application servers that would allow me to pull from IIS session variables, or is there a way to do it with New Atlanta?
 
Posts: 16 | Location: Portland | Registered: October 13, 2005
Master
posted
That I do not know. Generally when I hear about session variables I think of Application Server Session Variables (like New Atlanta, Tomcat, WebLogic, etc.). You might check and see if IIS session variables are automatically passed to a web application. If they are, then you may be able to check for the existence of the variable. This is another reason to get IBI involved. Good luck.




Scott

 
Posts: 865 | Registered: May 24, 2004
Member
posted
Do you happen to know if there is a way to do the ASP logic within a fex? By this I mean: Am I able to directly link to a fex with my variables in the query string, have the fex pull these variables from the query string, and call a procedure within an Oracle database to check for validation? If the user is valid then set application server session variables saying they are OK. If they are not valid then send them to a URL of my choice. Is this functionality available in a fex?
 
Posts: 16 | Location: Portland | Registered: October 13, 2005
Master
posted
By default all parameters that are part of a query string (methods GET and POST) are automatically passed to WebFOCUS. Now, if I understand you correctly, I think this is what you are saying.

1. You want to have a focexec that queries Oracle, and the procedure needs to accept parameters (say: id, token).

2. You want to have the focexec execute when a user runs a report.

YES, you can have a site_profile set up in the site.wfs so that your focexec executes for every request before the actual request runs.

I don't think this is going to give you what you really want.




Scott

 
Posts: 865 | Registered: May 24, 2004
Member
posted
I'm thinking more of having it run only when session variables are not set. To simplify what I am thinking of, I will write it out in steps.

1) user logs into oracle web app.
2) user clicks the link to dashboard with data needed to authenticate in the query string.
3) when the user is sent to dashboard, site.wfs checks for a session variable to be set.
4) if the session variable is not set, it checks if the query string has the items in it needed to authenticate.
5) if session variables are not set and the items are not in the query string then redirect the user to the oracle web application log in.
6) if the session variables are not set but the items are present in the query string then the focexec is called to authenticate against the database.
7) if the user is authenticated then the focexec sets session variables and returns the user to the dashboard.
8) if the user is not authenticated then the focexec redirects them to the oracle web application log in page.
 
Posts: 16 | Location: Portland | Registered: October 13, 2005
Master
posted
In that case you will need to create an exit to do the authentication against Oracle.




Scott

 
Posts: 865 | Registered: May 24, 2004
Member
posted
Dang... The exit part is where I had the trouble to begin with. The documentation on those is horrible. I can't even get the sample to work.
 
Posts: 16 | Location: Portland | Registered: October 13, 2005
Platinum Member
posted
MrT

Your best bet is to BUG IBI about this via Customer Support web site or on the phone. We gave up long ago trying to get this to work.

Documentation for this kind of thing should not contain typos! It's tricky enough as it is!

Good luck with customer support and let us know how it turns out.

Suzy
 
Posts: 124 | Location: Lebanon, New Hampshire | Registered: April 24, 2003
Master
posted
Did you get the simple CopySessionVarToWFVar working as stated above?




Scott

 
Posts: 865 | Registered: May 24, 2004
<Jim Thorstad - WF Product Mgt.>
posted
Unfortunately, FocalPoint is not the best place to have this level of dialog about a custom integration between your application and WebFOCUS.

I see some confusion in this thread... for example, it is not possible for a Java servlet executing inside of a servlet container to have access to an ASP session variable. It's also not possible for a servlet in one web app to see a Java session variable set in a different web app (though this is a complex topic and there may be a workaround in WebSphere).

It's also a bad idea to pass "authentication data" on a query string from one application to another unless cryptography is employed (and I don't mean SSL) though I may be misunderstanding what was meant in the thread on this point.

This sort of "loosely coupled" sign-on integration between different web-based applications is a complex topic for which you should engage local IB consulting.

However because this dialog has been going on so long here, I'm going to ask customer support to reopen case 12512140 and contact you to arrange a con call. We can go over approaches we have seen customers take in this scenario. After all that is finished, you are welcome to post a summary on this thread for your fellow customers.
 
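
One common way to apply cryptography to data handed from one application to another on a query string, as the post above calls for: an HMAC-signed, short-lived token verified by the receiving side. This is an added example, not part of the thread and not an Information Builders API; the class HandoffToken, the token layout and the demo key are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example: HandoffToken and its token layout are assumptions, not WebFOCUS APIs.
public class HandoffToken {
    private final byte[] key;   // shared secret known only to the two servers

    public HandoffToken(byte[] sharedKey) { this.key = sharedKey.clone(); }
    private byte[] hmac(String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    // Issuing application: token = base64url(user|expiry) "." base64url(HMAC).
    public String issue(String user, long nowSec, long ttlSec) throws Exception {
        if (user.isEmpty() || user.indexOf('|') >= 0)
            throw new IllegalArgumentException("invalid user id");
        String payload = user + "|" + (nowSec + ttlSec);
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        return enc.encodeToString(payload.getBytes(StandardCharsets.UTF_8))
                + "." + enc.encodeToString(hmac(payload));
    }

    // Receiving application: returns the user id, or null for any invalid token.
    public String verify(String token, long nowSec) {
        try {
            String[] parts = token.split("\\.");
            if (parts.length != 2) return null;
            Base64.Decoder dec = Base64.getUrlDecoder();
            String payload = new String(dec.decode(parts[0]), StandardCharsets.UTF_8);
            // Constant-time comparison of the received tag with the recomputed one.
            if (!MessageDigest.isEqual(dec.decode(parts[1]), hmac(payload))) return null;
            String[] f = payload.split("\\|");
            if (f.length != 2 || Long.parseLong(f[1]) < nowSec) return null;  // expired
            return f[0];
        } catch (Exception e) {
            return null;   // malformed input fails closed
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key; a real key is random and stored outside the code.
        HandoffToken t = new HandoffToken("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        String tok = t.issue("jdoe", 1000L, 60L);
        String forged = t.issue("admin", 1000L, 60L).split("\\.")[0] + "." + tok.split("\\.")[1];
        System.out.println("fresh:   " + t.verify(tok, 1030L));
        System.out.println("expired: " + t.verify(tok, 2000L));
        System.out.println("forged:  " + t.verify(forged, 1030L));
    }
}
```

The tag gives integrity and a time limit, not confidentiality, and a token can still be replayed until it expires unless the receiving side also records tokens it has already accepted.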

Copyright © 1996-2020 Information Builders