Security: Restricting access to certain Ephesoft Web Pages

Applies to: v3.0.x to v4.0.2.0
Administrators can authorize access to these URLs using group/role names defined in Tomcat, LDAP and MS Active Directory. web.xml can be found here:

{EPHESOFT_ROOT_DIR}\Application\WEB-INF\web.xml

By default, all URLs are authorized for all groups by using “*” in the auth-constraint node:

<auth-constraint>
      <role-name>*</role-name>
</auth-constraint>

To authorize a specific security role (LDAP container), administrators should modify the role-name node.

Examples:

1) To allow a single role to access BatchInstanceManagement.html (the role used here is admin):

<security-constraint>
      <web-resource-collection>
            <web-resource-name>batch instance management</web-resource-name>
            <url-pattern>/BatchInstanceManagement.html</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
            <role-name>admin</role-name>
      </auth-constraint>
</security-constraint>

Here we have allowed the role by mentioning it in the auth-constraint tag.

2) To allow multiple roles to access BatchInstanceManagement.html, use the following configuration (the roles used here are role2 and admin):

<security-constraint>
      <web-resource-collection>
            <web-resource-name>batch instance management</web-resource-name>
            <url-pattern>/BatchInstanceManagement.html</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
            <role-name>role2</role-name>
            <role-name>admin</role-name>
      </auth-constraint>
</security-constraint>

Here the <security-role> tag does not need to be modified. It can remain as it is, with a single entry (*) allowing all groups. However, warnings may appear if the roles are not individually mapped in the <security-role> tag. These warnings can be eliminated by adding a mapping for each role in the <security-role> tag.

<security-role>
      <role-name>*</role-name>
</security-role>

Active Directory Example:

Say I want to restrict:
BatchClassManagement.html

The AD groups that should have access to this page, with their Distinguished Names as shown in JXplorer, are:
CN=GSTIRAAdmin,OU=Identifi,DC=ts2000,DC=com
CN=GSTIRAPowerUsers,OU=Identifi,DC=ts2000,DC=com
CN=GSTIRAUsers,OU=Identifi,DC=ts2000,DC=com

For the groups above, the entry would look like this (each group's CN is used as the role name):

<security-constraint>
      <web-resource-collection>
            <web-resource-name>batch class management</web-resource-name>
            <url-pattern>/BatchClassManagement.html</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
            <role-name>GSTIRAAdmin</role-name>
            <role-name>GSTIRAPowerUsers</role-name>
            <role-name>GSTIRAUsers</role-name>
      </auth-constraint>
</security-constraint>
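
To review the result after editing web.xml, the following added example (not Ephesoft code) lists each url-pattern with the roles allowed to reach it and marks pages still on the default * role. The sample descriptor is constructed and the function names are assumptions of this example; per the Servlet specification, a constraint that lists http-method elements covers only those methods, so the covered methods are reported as well.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not Ephesoft's shipped web.xml): one page left on the
# default "*" role, one restricted to the roles from example 2 on this page.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>batch class management</web-resource-name>
      <url-pattern>/BatchClassManagement.html</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>batch instance management</web-resource-name>
      <url-pattern>/BatchInstanceManagement.html</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>role2</role-name><role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


def _texts(elem, name):
    """Text of every descendant called `name`, ignoring any XML namespace."""
    return [(e.text or "").strip() for e in elem.iter()
            if e.tag.rsplit("}", 1)[-1] == name]


def audit_constraints(xml_text):
    """One row per url-pattern: who may access it and which methods are covered."""
    rows = []
    for sc in ET.fromstring(xml_text).iter():
        if sc.tag.rsplit("}", 1)[-1] != "security-constraint":
            continue
        roles, methods = _texts(sc, "role-name"), _texts(sc, "http-method")
        for url in _texts(sc, "url-pattern"):
            # If http-method is listed, only those methods are constrained.
            rows.append({"url": url, "roles": roles, "wildcard": "*" in roles,
                         "methods": methods or ["ALL"]})
    return rows


if __name__ == "__main__":
    for row in audit_constraints(SAMPLE_WEB_XML):
        print(row)
```

Rows with wildcard set to True are pages any mapped group can still open; rows whose methods are not ALL are constrained only for the methods listed.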