As of December 1, 2020, Focal Point is retired and repurposed as a reference repository. We value the wealth of knowledge that's been shared here over the years. You'll continue to have access to this treasure trove of knowledge, for search purposes only.
I have stored usernames and passwords in a Sybase database. This database and user details are used across multiple web applications across the enterprise. We have recently started exploring WebFOCUS for our reporting purposes.
We would like to use the user details available in the Sybase database for our authentication purposes.
How can I use this database for authenticating WebFOCUS end-users? Are there any in-built (out-of-the-box) features available in WebFOCUS which can be leveraged?
Please suggest some good alternative solutions as well.
You asked for "out of the box", which WF offers in a basic format using the business intelligence dashboard (BID) module and a separate user list managed via the managed reporting environment (MRE). You can switch to an external directory for authentication and use the MRE for domain authorization, or use an external directory for both functions.
Unfortunately WF 7.x does not have a predefined configuration for Sybase as an external authentication directory. I am not sure if you can add to the list, or if it is hard-coded.
That being said, there's no reason you couldn't use a custom solution: JSP (if your web server is Tomcat) or ASP (if your web server is IIS). You would write a login page that connects to your Sybase DB via JDBC/ODBC and authenticates the user. You could set a variable (i.e. Authenticated Y/N) and each report launch page would do an include that checks for this variable's status.
Hope this helps a bit.
Cheers,
Joey
-WebFOCUS 8.2.01 on Windows
Posts: 318 | Location: Los Angeles, CA | Registered: November 15, 2005
MRE/UAS/Dashboard provides some integration for authentication/authorization. However, it does not authenticate a user to a row/column in a database; it authenticates by seeing if that userid/password combination can connect to the database. If you are trying to authenticate WebFOCUS and not MRE/UAS/Dashboard, an option would be to create a WebFOCUS Exit. The Exit can then do whatever it needs to do to authenticate the user, such as a JDBC connection to a database, run a SQL SELECT statement, and return to WebFOCUS a value that would then be validated. Check out the WebFOCUS Security Administration Manual.
Just remember that anything being passed in plain text from an HTML page on the end user's browser to the WF Servlet can be spoofed. This includes "hidden" fields in the HTML.
EJL is correct about spoofing; that is a big concern if the application is an internet application. It can still be a concern if the application is an intranet application. If there is a concern, then always use an SSL certificate.
Even an encrypted session won't prevent someone from looking at the HTML page source in a browser and seeing the necessary hidden values. It's not hard to guess what change to make if you see "authenticated=N"
How locked down you have your application, and how your servers are configured will determine whether seeing these values allows them to successfully throw a spoofed request back to your servers.
It can be overkill to worry about some of this or it can be exactly what you should be concerned about. It all depends on the situation.
OK, here is how I would do it, that is, if I had to authenticate to a database table row/column. First, I would ensure that the HTML page I used to have the users enter their ID/passwords was using SSL, so that when that page is sent back to the server the information being sent is encrypted. I would not care if someone looked at the source code. Second, I would create a WebFOCUS Exit that I would call and pass the ID/password parameters to. The Exit would just authenticate and return true (valid) or false (invalid). Then I would check that value: if it was true, I would create Java session variables; this way nothing is sent/stored on the client side (spoofing could not access it). If it was false, I would redirect them to some other page. This is just a high-level explanation of the flow of things. For details on each step, see the WebFOCUS Security Administration Manual.
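The flow described in the last post (login over SSL, a server-side check against the user table, state kept in the Java session), written as a servlet filter. This is an added example, not part of the original thread and not WebFOCUS code: it uses a plain servlet filter in place of a WebFOCUS Exit, and the JNDI name, table and column names, PBKDF2 parameters, URL paths and the `authUser` attribute are all assumptions.

```java
import java.io.IOException;
import java.sql.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.sql.DataSource;

// Assumed web.xml mapping: /login and /reports/* only, so login.jsp itself stays reachable.
public class ReportAuthFilter implements Filter {
    private DataSource userDb; // hypothetical JNDI pool pointing at the existing user database
    @Override public void init(FilterConfig cfg) throws ServletException {
        try { userDb = (DataSource) new javax.naming.InitialContext().lookup("java:comp/env/jdbc/UserDb"); }
        catch (Exception e) { throw new ServletException(e); }
    }
    @Override public void destroy() { }
    @Override public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(false);
        if ("/login".equals(req.getServletPath()) && "POST".equals(req.getMethod())) {
            String user = req.getParameter("user"), pass = req.getParameter("pass");
            boolean ok = req.isSecure() && user != null && pass != null && matches(user, pass);
            if (ok) {
                if (session != null) session.invalidate();            // fresh session id after login
                req.getSession(true).setAttribute("authUser", user);  // state lives on the server only
            }
            res.sendRedirect(req.getContextPath() + (ok ? "/reports/" : "/login.jsp?failed=1"));
        } else if (session == null || session.getAttribute("authUser") == null) {
            res.sendRedirect(req.getContextPath() + "/login.jsp"); // fields like authenticated=Y are never read
        } else {
            chain.doFilter(rq, rs);
        }
    }

    // Assumed schema: users(username, salt, pw_hash), pw_hash = PBKDF2-HMAC-SHA256(password, salt, 100000).
    private boolean matches(String user, String pass) throws ServletException {
        String sql = "SELECT salt, pw_hash FROM users WHERE username = ?";
        try (Connection c = userDb.getConnection(); PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, user);                      // bound parameter, no string concatenation
            ResultSet row = ps.executeQuery();          // closed together with the statement
            if (!row.next()) return false;
            byte[] stored = row.getBytes("pw_hash");
            PBEKeySpec spec = new PBEKeySpec(pass.toCharArray(), row.getBytes("salt"), 100_000, stored.length * 8);
            byte[] got = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
            return java.security.MessageDigest.isEqual(stored, got); // constant-time comparison
        } catch (Exception e) { throw new ServletException(e); }
    }
}
```

Because the only thing the browser holds is the session cookie, editing the page source or adding request parameters does not change what the filter decides.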